Tutek
Contributor

Cannot connect to FortiAP using 'WPA3 Enterprise Only'

Hi,

I have created an SSID on the FortiGate with WPA3 Enterprise Only. On the client (Windows 11), a Wi-Fi profile was created manually with security type 'WPA3 - Enterprise' and encryption type 'AES'.

The client Wi-Fi card, an Intel AX201, supports these authentication types:

netsh wlan show drivers

Interface name: Wi-Fi

    Driver                    : Intel(R) Wi-Fi 6 AX201 160MHz
    Vendor                    : Intel Corporation
    Provider                  : Intel
    Date                      : 2025-01-02
    Version                   : 23.110.0.5
    INF file                  : oem163.inf
    Type                      : Native Wi-Fi Driver
    Radio types supported     : 802.11b 802.11g 802.11n 802.11a 802.11ac 802.11ax
    FIPS 140-2 mode supported : Yes
    802.11w Management Frame Protection supported : Yes
    Hosted network supported  : No
    Authentication and cipher supported in infrastructure mode:
                                Open             None
                                Open             WEP-40bit
                                Open             WEP-104bit
                                Open             WEP
                                WPA-Enterprise   TKIP
                                WPA-Enterprise   CCMP
                                WPA-Personal     TKIP
                                WPA-Personal     CCMP
                                WPA2-Enterprise  TKIP
                                WPA2-Enterprise  CCMP
                                WPA2-Personal    TKIP
                                WPA2-Personal    CCMP
                                Open             Vendor defined
                                WPA3-Personal    CCMP
                                Vendor defined   Vendor defined
                                WPA3-Enterprise 192 Bits GCMP-256
                                OWE              CCMP
                                WPA3-Enterprise  CCMP
    Number of supported bands : 2
                                2.4 GHz [ 0 MHz - 0 MHz]
                                5 GHz   [ 0 MHz - 0 MHz]
    IHV service present       : Yes
    IHV adapter OUI           : [00 00 00], type: [00]
    IHV extensibility DLL path: C:\WINDOWS\system32\IntelIHVRouter10.dll
    IHV UI extensibility ClSID: {00000000-0000-0000-0000-000000000000}
    IHV diagnostics CLSID     : {00000000-0000-0000-0000-000000000000}
    Wireless Display Supported: Yes (Graphics Driver: Yes, Wi-Fi Driver: Yes)

But the connection is not working. In the FortiGate system event Wi-Fi logs I have the following entries:

date=2025-04-08 time=08:13:03 id=7490821468477980776 itime="2025-04-08 08:13:04" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702111740 logid=0104043679 type="event" subtype="wireless" level="notice" action="assoc-resp" msg="AP sent association response frame to client a4:b8:f1:e5:5f:72" logdesc="Association response to wireless station" sn="FORTIAPSN" user="N/A" reason="Reserved 0" ssid="Wifi" ap="FortiAP-IT" vap="Wifi" security="WPA3 Enterprise Only" channel=6 radioid=1 stamac="a4:b8:f1:e5:5f:72" encryption="AES" eventtime=1744092783982944568 authserver="NPS" remotewtptime="2702.669215" tz="+0200" devid="FORTIGATESN" vd="root" dtime="2025-04-08 08:13:03" itime_t=1744092784 devname="FGT"
date=2025-04-08 time=08:13:03 id=7490821468477980775 itime="2025-04-08 08:13:04" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702111740 logid=0104043717 type="event" subtype="wireless" level="notice" action="layer3-roaming-rehome" msg="AP received association request frame from client a4:b8:f1:e5:5f:72" logdesc="Wireless client layer3 roaming rehome" sn="FORTIAPSN" user="N/A" reason="Reserved 0" ssid="Wifi" ap="FortiAP-IT" vap="Wifi" security="WPA3 Enterprise Only" channel=6 radioid=1 stamac="a4:b8:f1:e5:5f:72" encryption="AES" eventtime=1744092783982936887 authserver="NPS" remotewtptime="2702.669136" tz="+0200" devid="FORTIGATESN" vd="root" dtime="2025-04-08 08:13:03" itime_t=1744092784 devname="FGT"
date=2025-04-08 time=08:13:03 id=7490821468477980774 itime="2025-04-08 08:13:04" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702111740 logid=0104043676 type="event" subtype="wireless" level="notice" action="auth-resp-WPA3" msg="AP sent WPA3(non-SAE) authentication response frame to client a4:b8:f1:e5:5f:72" logdesc="Authentication response to wireless station" sn="FORTIAPSN" user="N/A" reason="Reserved 0" ssid="Wifi" ap="FortiAP-IT" vap="Wifi" security="WPA3 Enterprise Only" channel=6 radioid=1 stamac="a4:b8:f1:e5:5f:72" encryption="AES" eventtime=1744092783982929072 authserver="NPS" remotewtptime="2702.669055" tz="+0200" devid="FORTIGATESN" vd="root" dtime="2025-04-08 08:13:03" itime_t=1744092784 devname="FGT"
date=2025-04-08 time=08:13:03 id=7490821468477980773 itime="2025-04-08 08:13:04" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702111740 logid=0104043675 type="event" subtype="wireless" level="notice" action="auth-req-WPA3" msg="AP received WPA3(non-SAE) authentication request frame from client a4:b8:f1:e5:5f:72" logdesc="Authentication request from wireless station" sn="FORTIAPSN" user="N/A" reason="Reserved 0" ssid="Wifi" ap="FortiAP-IT" vap="Wifi" security="WPA3 Enterprise Only" channel=6 radioid=1 stamac="a4:b8:f1:e5:5f:72" encryption="AES" eventtime=1744092783982921295 authserver="NPS" remotewtptime="2702.668941" tz="+0200" devid="FORTIGATESN" vd="root" dtime="2025-04-08 08:13:03" itime_t=1744092784 devname="FGT"
date=2025-04-08 time=08:13:03 id=7490821468477980772 itime="2025-04-08 08:13:04" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702111740 logid=0104043679 type="event" subtype="wireless" level="notice" action="assoc-resp" msg="AP sent association response frame to client a4:b8:f1:e5:5f:72" logdesc="Association response to wireless station" sn="FORTIAPSN" user="N/A" reason="Reserved 0" ssid="Wifi" ap="FortiAP-IT" vap="Wifi" security="WPA3 Enterprise Only" channel=6 radioid=1 stamac="a4:b8:f1:e5:5f:72" encryption="AES" eventtime=1744092783982913245 authserver="NPS" remotewtptime="2702.668851" tz="+0200" devid="FORTIGATESN" vd="root" dtime="2025-04-08 08:13:03" itime_t=1744092784 devname="FGT"
date=2025-04-08 time=08:13:03 id=7490821468477980771 itime="2025-04-08 08:13:04" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702111740 logid=0104043717 type="event" subtype="wireless" level="notice" action="layer3-roaming-rehome" msg="AP received association request frame from client a4:b8:f1:e5:5f:72" logdesc="Wireless client layer3 roaming rehome" sn="FORTIAPSN" user="N/A" reason="Reserved 0" ssid="Wifi" ap="FortiAP-IT" vap="Wifi" security="WPA3 Enterprise Only" channel=6 radioid=1 stamac="a4:b8:f1:e5:5f:72" encryption="AES" eventtime=1744092783982905028 authserver="NPS" remotewtptime="2702.668771" tz="+0200" devid="FORTIGATESN" vd="root" dtime="2025-04-08 08:13:03" itime_t=1744092784 devname="FGT"
date=2025-04-08 time=08:13:03 id=7490821468477980770 itime="2025-04-08 08:13:04" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702111740 logid=0104043676 type="event" subtype="wireless" level="notice" action="auth-resp-WPA3" msg="AP sent WPA3(non-SAE) authentication response frame to client a4:b8:f1:e5:5f:72" logdesc="Authentication response to wireless station" sn="FORTIAPSN" user="N/A" reason="Reserved 0" ssid="Wifi" ap="FortiAP-IT" vap="Wifi" security="WPA3 Enterprise Only" channel=6 radioid=1 stamac="a4:b8:f1:e5:5f:72" encryption="AES" eventtime=1744092783982896162 authserver="NPS" remotewtptime="2702.668672" tz="+0200" devid="FORTIGATESN" vd="root" dtime="2025-04-08 08:13:03" itime_t=1744092784 devname="FGT"
date=2025-04-08 time=08:13:03 id=7490821468477980769 itime="2025-04-08 08:13:04" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702111740 logid=0104043675 type="event" subtype="wireless" level="notice" action="auth-req-WPA3" msg="AP received WPA3(non-SAE) authentication request frame from client a4:b8:f1:e5:5f:72" logdesc="Authentication request from wireless station" sn="FORTIAPSN" user="N/A" reason="Reserved 0" ssid="Wifi" ap="FortiAP-IT" vap="Wifi" security="WPA3 Enterprise Only" channel=6 radioid=1 stamac="a4:b8:f1:e5:5f:72" encryption="AES" eventtime=1744092783982879792 authserver="NPS" remotewtptime="2702.668547" tz="+0200" devid="FORTIGATESN" vd="root" dtime="2025-04-08 08:13:03" itime_t=1744092784 devname="FGT"
date=2025-04-08 time=08:13:03 id=7490821464183013523 itime="2025-04-08 08:13:03" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702111740 logid=0104043679 type="event" subtype="wireless" level="notice" action="assoc-resp" msg="AP sent association response frame to client a4:b8:f1:e5:5f:72" logdesc="Association response to wireless station" sn="FORTIAPSN" user="N/A" reason="Reserved 0" ssid="Wifi" ap="FortiAP-IT" vap="Wifi" security="WPA3 Enterprise Only" channel=6 radioid=1 stamac="a4:b8:f1:e5:5f:72" encryption="AES" eventtime=1744092783005136936 authserver="NPS" remotewtptime="2701.381718" tz="+0200" devid="FORTIGATESN" vd="root" dtime="2025-04-08 08:13:03" itime_t=1744092783 devname="FGT"
date=2025-04-08 time=08:13:03 id=7490821464183013522 itime="2025-04-08 08:13:03" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702111740 logid=0104043717 type="event" subtype="wireless" level="notice" action="layer3-roaming-rehome" msg="AP received association request frame from client a4:b8:f1:e5:5f:72" logdesc="Wireless client layer3 roaming rehome" sn="FORTIAPSN" user="N/A" reason="Reserved 0" ssid="Wifi" ap="FortiAP-IT" vap="Wifi" security="WPA3 Enterprise Only" channel=6 radioid=1 stamac="a4:b8:f1:e5:5f:72" encryption="AES" eventtime=1744092783005128242 authserver="NPS" remotewtptime="2701.381610" tz="+0200" devid="FORTIGATESN" vd="root" dtime="2025-04-08 08:13:03" itime_t=1744092783 devname="FGT"
date=2025-04-08 time=08:13:03 id=7490821464183013521 itime="2025-04-08 08:13:03" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702111740 logid=0104043676 type="event" subtype="wireless" level="notice" action="auth-resp-WPA3" msg="AP sent WPA3(non-SAE) authentication response frame to client a4:b8:f1:e5:5f:72" logdesc="Authentication response to wireless station" sn="FORTIAPSN" user="N/A" reason="Reserved 0" ssid="Wifi" ap="FortiAP-IT" vap="Wifi" security="WPA3 Enterprise Only" channel=6 radioid=1 stamac="a4:b8:f1:e5:5f:72" encryption="AES" eventtime=1744092783005119286 authserver="NPS" remotewtptime="2701.378759" tz="+0200" devid="FORTIGATESN" vd="root" dtime="2025-04-08 08:13:03" itime_t=1744092783 devname="FGT"
date=2025-04-08 time=08:13:03 id=7490821464183013520 itime="2025-04-08 08:13:03" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702111740 logid=0104043675 type="event" subtype="wireless" level="notice" action="auth-req-WPA3" msg="AP received WPA3(non-SAE) authentication request frame from client a4:b8:f1:e5:5f:72" logdesc="Authentication request from wireless station" sn="FORTIAPSN" user="N/A" reason="Reserved 0" ssid="Wifi" ap="FortiAP-IT" vap="Wifi" security="WPA3 Enterprise Only" channel=6 radioid=1 stamac="a4:b8:f1:e5:5f:72" encryption="AES" eventtime=1744092783005096788 authserver="NPS" remotewtptime="2701.378633" tz="+0200" devid="FORTIGATESN" vd="root" dtime="2025-04-08 08:13:03" itime_t=1744092783 devname="FGT"

So in the logs we have this order for the connection:

1. auth-req-WPA3

2. auth-resp-WPA3

3. layer3-roaming-rehome

4. assoc-resp

and this procedure repeats three times; it does not even proceed to the 4-way handshake.

When I change the authentication type on the FortiGate and the client to WPA3 SAE, the connection works.

When I change the authentication type to WPA2 Enterprise, the connection also works.

How could I troubleshoot this?
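
The loop described in the post above (auth-req-WPA3, auth-resp-WPA3, layer3-roaming-rehome, assoc-resp, repeated with no 4-way handshake) can be picked out of a larger log export automatically. The following is an added example, not part of the original post and not Fortinet tooling: it parses the key=value lines and reports clients that only ever repeat those four steps. The sample lines are constructed and trimmed to the fields used, `02:00:00:00:00:01` and `example-later-stage` are placeholders, and treating any other action as progress is an assumption.

```python
import re
from collections import defaultdict

# The four actions the post shows repeating, in chronological order.
STEPS = ["auth-req-WPA3", "auth-resp-WPA3", "layer3-roaming-rehome", "assoc-resp"]
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse(line):
    """Split one key=value log line into a dict, removing surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def stalled_clients(lines, min_cycles=3):
    """Return {stamac: cycles} for clients that only repeat the pre-handshake steps."""
    by_client = defaultdict(list)
    for rec in map(parse, lines):
        if rec.get("subtype") == "wireless" and "stamac" in rec:
            by_client[rec["stamac"]].append(rec)
    stalled = {}
    for mac, recs in by_client.items():
        recs.sort(key=lambda r: int(r["eventtime"]))  # the export lists newest first
        actions = [r["action"] for r in recs]
        cycles = sum(actions[i:i + 4] == STEPS for i in range(len(actions)))
        # Assumption: any action outside STEPS means the client got further.
        if cycles >= min_cycles and set(actions) <= set(STEPS):
            stalled[mac] = cycles
    return stalled

def sample_line(t, action, mac):
    """Build a constructed log line carrying only the fields used above."""
    return (f'type="event" subtype="wireless" action="{action}" ssid="Wifi" '
            f'security="WPA3 Enterprise Only" stamac="{mac}" eventtime={t}')

# Constructed sample: one client looping three times, one that moves on.
SAMPLE = [sample_line(100 + i, STEPS[i % 4], "a4:b8:f1:e5:5f:72") for i in range(12)]
SAMPLE += [sample_line(200 + i, a, "02:00:00:00:00:01")
           for i, a in enumerate(STEPS + ["example-later-stage"])]
SAMPLE.reverse()  # newest first, like the export in the post

if __name__ == "__main__":
    for mac, n in stalled_clients(SAMPLE).items():
        print(f"{mac}: {n} auth/assoc cycles, no later stage seen")
```
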

 

Stephen_G
Moderator

Hello Tutek,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Stephen - Fortinet Community Team
joshbergm
New Contributor II

Hi,

In the NPS profile on the Windows Server, do you have EAP-TLS or EAP-TTLS enabled?

Tutek
Contributor

Yes, NPS is on Windows Server with EAP-TLS enabled (based on certificates), and with WPA2-Enterprise the connection works. But once I set WPA3-Enterprise, the connection is not even forwarded to the NPS server (I don't see any logs in the Event Viewer); it stops at the authorization stage in the FortiGate/AP.

ebilcari
Staff

Is the firmware of the FAP and FGT at compatible/recommended versions? Check the FortiAP and FortiOS Compatibility Matrix document and choose the recommended firmware.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.