grithnir
New Contributor II

How to turn ON the WPA3 SAE-PK feature of FortiAP 231F

Hello there!

 

related link:

wpa3-enhancements-to-support-h2e-only-and-sae-pk-7-2-1 

 

I have recently purchased a FortiGate 40F together with a FortiAP 231F to set up a WLAN environment in my laboratory for testing IoT equipment. What I am interested in is "SAE public key", introduced as part of the WPA3 R3 spec, which has been available as a new feature since FortiOS 7.2.0.

 

My question is:

Has anyone ever tried to associate an SAE-PK-capable STA with a FortiAP (7.2.1 or newer) that supports SAE-PK? If so, is there any tutorial simple enough to guide us through the first integration with regard to this SAE-PK authentication? For example, how to configure wpa_supplicant, and what does the wireless sniffer capture look like?

 

P.S:

Whenever I unclick the local standalone option, the SSID turns OFF automatically.

Is there somehow a rule between the "SAE-PK authentication" and "local standalone" parameters?

However, it can be found nowhere in any document.

 

Thank you very much, experts.

1 Solution
grithnir
New Contributor II

Through days of debugging and testing, it comes to a happy ending.

The story can be told in brief:

1. The latest FortiOS 7.2.4 has newly introduced a feature to check your SAE password and SAE-PK private key at runtime. YOU SHALL NOT PASS unless you input a valid SAE password and SAE-PK private key PAIR.

Unfortunately, there was no such check-and-remind mechanism back in 7.2.3, so a wrong configuration would be activated down to the FortiAP, leading to the FortiAP ending up with a malfunctioning BSS. That's why I have seen the radio LED OFF.

2. How to generate these two attributes? Please refer to the GitHub page https://github.com/vanhoefm/hostap-wpa3/

 

3. TAC fella said there will be updates in documents to deal with this stuff.

 

Cheers, Experts!

8 Replies
adambomb1219
Contributor III

WPA3-SAE is just a PSK.  You should only need to configure that PSK on the WPA3 capable device.

grithnir

Sorry, it's "SAE-PK" or "SAE public key", not PSK, also known as pre-shared key.

 

adambomb1219

But it still uses a PSK, and, if I understand correctly, happens automatically through the WPA3 spec: https://www.wi-fi.org/beacon/thomas-derham-nehru-bhandaru/wi-fi-certified-wpa3-december-2020-update-...

grithnir
New Contributor II

Whatever the so-called "PSK" understanding is, the WPA3 spec tells, that's it.

 

Has anyone had a go with SAE-PK? Yes or no? Of course, with transition disabled.

grithnir
New Contributor II

And whenever I unclick the "local standalone" option while SAE-PK is enabled under the SSID setting, the FortiAP radio LED is sure to go off, with this radio turned off.

Do you know what the trick is here? Are there any documents carrying this fact?

 


grithnir
New Contributor II

update.

CK_admin

So how is this done in the Windows world? I'm pretty new to all of this and haven't been able to figure out how to generate a password out of a private key. Thank you!
