FortiAP Management – Support for WPA3 on FAP

This feature is implemented on FortiOS 6.2.0 B0816 and FAP-S/W2 6.2.0 b0218. In October 2017, Mathy Vanhoef published a paper disclosing a flaw in WPA2 networks known as the Key Reinstallation Attack (KRACK). In response, the Wi-Fi Alliance announced in January that WPA2 enhancements and a new WPA3 standard were coming in 2018.

The Wi-Fi Alliance defines three areas for improvement:

  • Enhanced Open: The Wi-Fi Alliance proposes using Opportunistic Wireless Encryption (OWE) (RFC 8110) to improve security in such networks.
  • WPA3 Personal: WPA3-Personal utilizes Simultaneous Authentication of Equals (SAE).
  • WPA3 Enterprise: WPA3-Enterprise contains a new 192-bit security level.

All three areas incorporate Protected Management Frames (PMF) as a prerequisite to protect management frame integrity.

Configuration

  1. WPA3 OWE
    a. WPA3 OWE only: only clients that support WPA3 (OWE) can connect to this SSID.

    config wireless-controller vap
        edit "80e_owe"
            set ssid "80e_owe"
            set security owe
            set pmf enable
            set schedule "always"
        next
    end

    b. WPA3 OWE transition: a client connects with either normal Open or OWE, depending on its capability. A client that supports WPA3 connects using the OWE standard; a client that does not support WPA3 connects to the Open SSID.

    config wireless-controller vap
        edit "80e_open"
            set ssid "80e_open"
            set security open
            set owe-transition enable
            set owe-transition-ssid "wpa3_open"
            set schedule "always"
        next
        edit "wpa3_owe_tr"
            set ssid "wpa3_open"
            set broadcast-ssid disable
            set security owe
            set pmf enable
            set owe-transition enable
            set owe-transition-ssid "80e_open"
            set schedule "always"
        next
    end

  2. WPA3 SAE
    a. WPA3 SAE: only clients with WPA3 support can connect to this SSID.

    config wireless-controller vap
        edit "80e_sae"
            set ssid "80e_sae"
            set security wpa3-sae
            set pmf enable
            set schedule "always"
            set sae-password 12345678
        next
    end

    b. WPA3 SAE transition: the SSID carries two passwords. A client that uses the passphrase connects with WPA2 PSK; a client that uses the sae-password connects with WPA3 SAE.

    config wireless-controller vap
        edit "80e_sae-tr"
            set ssid "80e_sae-transition"
            set security wpa3-sae-transition
            set pmf optional
            set passphrase 11111111
            set schedule "always"
            set sae-password 22222222
        next
    end

  3. WPA3 Enterprise: when security is set to wpa3-enterprise, the auth type can be either RADIUS authentication or local user-group authentication.

    config wireless-controller vap
        edit "80e_wpa3"
            set ssid "80e_wpa3"
            set security wpa3-enterprise
            set pmf enable
            set auth radius
            set radius-server "wifi-radius"
            set schedule "always"
        next
        edit "80e_wpa3_user"
            set ssid "80e_wpa3_user"
            set security wpa3-enterprise
            set pmf enable
            set auth usergroup
            set usergroup "usergroup"
            set schedule "always"
        next
    end
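The VAP blocks above have a few dependencies that are easy to break when the configuration is edited by hand: every WPA3 mode rides on PMF, the two halves of an OWE transition pair must point at each other through owe-transition-ssid, and a wpa3-sae-transition SSID needs both a passphrase and a distinct sae-password. The following Python script is an added example, not part of the FortiOS release note or of any Fortinet tooling: it parses vap blocks written in the CLI syntax shown above and reports those posture problems. The sample configuration is constructed from the SSIDs in the note plus one hypothetical, deliberately misconfigured VAP ("lab_owe") with PMF left at its default; the PMF policy it enforces (pmf enable for WPA3 modes, pmf optional as the floor for wpa3-sae-transition) mirrors the note's own examples rather than any documented FortiOS validation rule.

```python
"""Audit FortiOS 'config wireless-controller vap' blocks for WPA3 posture.

Added example (not from the FortiOS release note): a small parser for the
CLI syntax in the note plus the checks a wireless admin would run before
pushing the config. SAMPLE_CONFIG is constructed from the note's SSIDs.
"""
import re
from typing import Dict, List

# Constructed sample: the OWE-transition pair and the SAE-transition VAP from
# the note, plus one hypothetical misconfigured VAP ("lab_owe") with no PMF.
SAMPLE_CONFIG = """
config wireless-controller vap
    edit "80e_open"
        set ssid "80e_open"
        set security open
        set owe-transition enable
        set owe-transition-ssid "wpa3_open"
        set schedule "always"
    next
    edit "wpa3_owe_tr"
        set ssid "wpa3_open"
        set broadcast-ssid disable
        set security owe
        set pmf enable
        set owe-transition enable
        set owe-transition-ssid "80e_open"
        set schedule "always"
    next
    edit "80e_sae-tr"
        set ssid "80e_sae-transition"
        set security wpa3-sae-transition
        set pmf optional
        set passphrase 11111111
        set schedule "always"
        set sae-password 22222222
    next
    edit "lab_owe"
        set ssid "lab_owe"
        set security owe
        set schedule "always"
    next
end
"""

# Security modes introduced with WPA3. The audit policy (assumption, taken from
# the note's examples): 'pmf enable' for all of them, except that the SAE
# transition mode may use 'pmf optional' so WPA2 clients without 802.11w join.
WPA3_MODES = {"owe", "wpa3-sae", "wpa3-sae-transition", "wpa3-enterprise"}

_EDIT = re.compile(r'^\s*edit\s+"?([^"]+)"?\s*$')
_SET = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')


def parse_vaps(text: str) -> Dict[str, Dict[str, str]]:
    """Return {vap_name: {setting: value}} for every edit ... next block."""
    vaps: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = _EDIT.match(line)
        if m:
            current = m.group(1)
            vaps[current] = {}
            continue
        if line.strip() == "next":
            current = None
            continue
        m = _SET.match(line)
        if m and current is not None:
            # Strip surrounding quotes so "always" and always compare equal.
            vaps[current][m.group(1)] = m.group(2).strip('"')
    return vaps


def audit_vaps(vaps: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means the config passed."""
    findings: List[str] = []
    # Index by broadcast SSID so owe-transition-ssid references can be resolved.
    by_ssid = {v.get("ssid"): name for name, v in vaps.items()}

    for name, v in vaps.items():
        sec = v.get("security", "open")
        pmf = v.get("pmf", "disable")  # FortiOS default when unset is disable

        # 1. PMF is a prerequisite for every WPA3 mode.
        if sec in WPA3_MODES:
            required = "optional" if sec == "wpa3-sae-transition" else "enable"
            if pmf == "disable" or (required == "enable" and pmf != "enable"):
                findings.append(f"{name}: security {sec} requires 'set pmf {required}' (found {pmf})")

        # 2. OWE transition: the partner SSID must exist and reference us back.
        if v.get("owe-transition") == "enable":
            partner_ssid = v.get("owe-transition-ssid")
            partner = by_ssid.get(partner_ssid)
            if partner is None:
                findings.append(f"{name}: owe-transition-ssid {partner_ssid!r} matches no VAP")
            elif vaps[partner].get("owe-transition-ssid") != v.get("ssid"):
                findings.append(f"{name}: partner {partner} does not reference {v.get('ssid')!r} back")
            elif sec == "owe" and v.get("broadcast-ssid", "enable") != "disable":
                # The note hides the OWE half of the pair; clients learn of it from
                # the transition element carried by the open SSID.
                findings.append(f"{name}: OWE side of a transition pair should set broadcast-ssid disable")

        # 3. SAE transition needs both credentials, and they must differ.
        if sec == "wpa3-sae-transition":
            if not v.get("passphrase") or not v.get("sae-password"):
                findings.append(f"{name}: wpa3-sae-transition needs both passphrase and sae-password")
            elif v["passphrase"] == v["sae-password"]:
                findings.append(f"{name}: passphrase and sae-password are identical")
    return findings


if __name__ == "__main__":
    for finding in audit_vaps(parse_vaps(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

Run against the constructed sample, the three VAPs copied from the note pass and only the hypothetical lab_owe is reported, for missing PMF. Pointing the script at the output of `show wireless-controller vap` from a real unit works the same way, since the parser only depends on the edit/set/next structure.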
