Support for WPA3 on FAP
This feature is implemented on FortiOS 6.2.0 B0816 and FAP-S/W2 6.2.0 b0218. In October 2017, Mathy Vanhoef published a paper disclosing a flaw in WPA2 networks known as the Key Reinstallation Attack (KRACK). In response, the Wi-Fi Alliance announced in January 2018 that WPA2 enhancements and a new WPA3 standard would arrive in 2018.
The Wi-Fi Alliance defines three areas of improvement:
- Enhanced Open: open (passwordless) networks use Opportunistic Wireless Encryption (OWE, RFC 8110), which derives a per-client encryption key through an unauthenticated Diffie-Hellman exchange instead of sending traffic in the clear.
- WPA3 Personal: WPA3-Personal replaces the WPA2 pre-shared-key handshake with Simultaneous Authentication of Equals (SAE), a password-authenticated key exchange that resists offline dictionary attacks on captured handshakes.
- WPA3 Enterprise: WPA3-Enterprise adds a new 192-bit security level.
All three areas require Protected Management Frames (PMF) to protect the integrity of management frames.
Configuration
- WPA3 OWE
- WPA3 OWE only: only clients that support OWE can connect to this SSID. There is no passphrase; each client negotiates its own encryption key, and `set pmf enable` makes Protected Management Frames mandatory.

```
config wireless-controller vap
    edit "80e_owe"
        set ssid "80e_owe"
        set security owe
        set pmf enable
        set schedule "always"
    next
end
```

- WPA3 OWE transition: two VAPs are paired, an open SSID and a hidden OWE SSID, each naming the other in owe-transition-ssid. A client that supports OWE connects to the hidden OWE SSID; a client that does not falls back to the open SSID and gets no encryption, so the transition pair is only an interim measure while legacy clients remain.

```
config wireless-controller vap
    edit "80e_open"
        set ssid "80e_open"
        set security open
        set owe-transition enable
        set owe-transition-ssid "wpa3_open"
        set schedule "always"
    next
    edit "wpa3_owe_tr"
        set ssid "wpa3_open"
        set broadcast-ssid disable
        set security owe
        set pmf enable
        set owe-transition enable
        set owe-transition-ssid "80e_open"
        set schedule "always"
    next
end
```
- WPA3 SAE
- WPA3 SAE only: only clients that support SAE can connect to this SSID. The password is set with sae-password (the values below are placeholders) and PMF is required.

```
config wireless-controller vap
    edit "80e_sae"
        set ssid "80e_sae"
        set security wpa3-sae
        set pmf enable
        set schedule "always"
        set sae-password 12345678
    next
end
```

- WPA3 SAE transition: the SSID carries two passwords. A WPA2 client authenticates with passphrase (WPA2-PSK); a WPA3 client authenticates with sae-password (SAE). PMF is set to optional because WPA2 clients are not required to support it. Because the WPA2 passphrase remains exposed to offline dictionary attacks, a transition SSID is only as strong as that passphrase.

```
config wireless-controller vap
    edit "80e_sae-tr"
        set ssid "80e_sae-transition"
        set security wpa3-sae-transition
        set pmf optional
        set passphrase 11111111
        set schedule "always"
        set sae-password 22222222
    next
end
```
- WPA3 Enterprise: with security set to wpa3-enterprise, the authentication type can be either RADIUS (auth radius with a radius-server) or a local user group (auth usergroup). PMF is required in both cases.

```
config wireless-controller vap
    edit "80e_wpa3"
        set ssid "80e_wpa3"
        set security wpa3-enterprise
        set pmf enable
        set auth radius
        set radius-server "wifi-radius"
        set schedule "always"
    next
    edit "80e_wpa3_user"
        set ssid "80e_wpa3_user"
        set security wpa3-enterprise
        set pmf enable
        set auth usergroup
        set usergroup "usergroup"
        set schedule "always"
    next
end
```
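The VAP settings above (security mode plus pmf enable/optional) determine what the AP advertises in the RSN information element of its beacons, which is what a client or a wireless audit actually sees. The following is an added example, not FortiOS or FortiAP code: it decodes an RSN element, maps the AKM suite list back to the security modes used on this page (OWE, SAE, SAE transition, enterprise), and flags a beacon whose PMF bits do not match the mode, for instance an SAE-only SSID that merely advertises PMF as optional. The sample elements are constructed by hand with the `build_rsn` helper (and one written out byte by byte to show the wire format); the VAP names are reused from this page only as labels.

```python
"""Added example (not FortiOS/FortiAP code): decode the RSN element a BSS
advertises and check that its AKM list and PMF bits match the WPA3 mode.
Sample elements are constructed, not captured from a FortiAP."""
import struct
from dataclasses import dataclass
from typing import List, Optional

IEEE_OUI = b"\x00\x0f\xac"
RSN_EID = 48
MFPR, MFPC = 0x0040, 0x0080       # RSN Capabilities bits 6 and 7 (802.11w)

AKM = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256",
       8: "SAE", 12: "802.1X-SuiteB-192", 18: "OWE"}
CIPHER = {2: "TKIP", 4: "CCMP-128", 6: "BIP-CMAC-128", 8: "GCMP-128",
          9: "GCMP-256", 12: "BIP-GMAC-256"}


@dataclass
class Rsn:
    group: str
    pairwise: List[str]
    akms: List[str]
    mfpc: bool
    mfpr: bool
    group_mgmt: Optional[str]


def _suite(table, body, off):
    """Decode one 4-byte suite selector (OUI + type) at body[off]."""
    oui, typ = body[off:off + 3], body[off + 3]
    return table.get(typ, f"type-{typ}") if oui == IEEE_OUI else f"vendor-{oui.hex()}-{typ}"


def parse_rsn(ie: bytes) -> Rsn:
    """Parse a raw RSN element (element ID, length, body)."""
    if len(ie) < 2 or ie[0] != RSN_EID:
        raise ValueError("not an RSN element")
    body = ie[2:2 + ie[1]]
    if struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unsupported RSN version")
    off = 2
    group = _suite(CIPHER, body, off)
    off += 4
    n = struct.unpack_from("<H", body, off)[0]
    off += 2
    pairwise = [_suite(CIPHER, body, off + 4 * i) for i in range(n)]
    off += 4 * n
    n = struct.unpack_from("<H", body, off)[0]
    off += 2
    akms = [_suite(AKM, body, off + 4 * i) for i in range(n)]
    off += 4 * n
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    off += 2
    group_mgmt = None
    if off + 2 <= len(body):              # optional PMKID list, then group management cipher
        off += 2 + 16 * struct.unpack_from("<H", body, off)[0]
        if off + 4 <= len(body):
            group_mgmt = _suite(CIPHER, body, off)
    return Rsn(group, pairwise, akms, bool(caps & MFPC), bool(caps & MFPR), group_mgmt)


def build_rsn(group=4, pairwise=(4,), akms=(8,), caps=MFPC | MFPR, group_mgmt=None) -> bytes:
    """Encode an RSN element; used here only to construct sample beacons."""
    body = struct.pack("<H", 1) + IEEE_OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(IEEE_OUI + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(IEEE_OUI + bytes([a]) for a in akms)
    body += struct.pack("<H", caps)
    if group_mgmt is not None:
        body += struct.pack("<H", 0) + IEEE_OUI + bytes([group_mgmt])
    return bytes([RSN_EID, len(body)]) + body


def classify(r: Rsn) -> str:
    """Map the advertised AKM set to the security mode names used in the VAP configs."""
    a = set(r.akms)
    if a == {"OWE"}:
        return "owe"
    if a == {"SAE"}:
        return "wpa3-sae"
    if a == {"PSK", "SAE"}:
        return "wpa3-sae-transition"
    if a == {"PSK"}:
        return "wpa2-personal"
    if a == {"802.1X-SuiteB-192"}:
        return "wpa3-enterprise-192"
    if a and a <= {"802.1X", "802.1X-SHA256"}:
        return "enterprise"
    return "other"


def audit(r: Rsn) -> List[str]:
    """Return policy findings; an empty list means the beacon matches WPA3 expectations."""
    mode, findings = classify(r), []
    if mode in ("owe", "wpa3-sae", "wpa3-enterprise-192") and not r.mfpr:
        findings.append(f"{mode}: PMF must be required (MFPR=1), got MFPC={int(r.mfpc)} MFPR={int(r.mfpr)}")
    if mode == "wpa3-sae-transition" and not r.mfpc:
        findings.append("wpa3-sae-transition: PMF must at least be advertised as capable (MFPC=1)")
    if "TKIP" in r.pairwise or r.group == "TKIP":
        findings.append("TKIP advertised; WPA3 modes and PMF require CCMP/GCMP only")
    if mode == "wpa3-enterprise-192" and (
            r.group != "GCMP-256" or r.pairwise != ["GCMP-256"] or r.group_mgmt != "BIP-GMAC-256"):
        findings.append("192-bit mode requires GCMP-256 data ciphers and BIP-GMAC-256 for management frames")
    return findings


# Constructed samples labelled with the VAP names from this page (pmf enable -> MFPC+MFPR,
# pmf optional -> MFPC only); "sae_pmf_opt" is a deliberately wrong SAE-only beacon.
SAMPLES = {
    "80e_owe": build_rsn(akms=(18,)),
    "80e_sae": build_rsn(akms=(8,)),
    "80e_sae-tr": build_rsn(akms=(2, 8), caps=MFPC),
    "sae_pmf_opt": build_rsn(akms=(8,), caps=MFPC),
    "192bit": build_rsn(group=9, pairwise=(9,), akms=(12,), group_mgmt=12),
}
# The SAE-only element byte by byte: ID 0x30, length 0x14, version, group, pairwise, AKM, caps.
RAW_SAE = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac08 c000")

if __name__ == "__main__":
    for name, ie in SAMPLES.items():
        r = parse_rsn(ie)
        print(name, classify(r), r.akms, f"MFPC={int(r.mfpc)} MFPR={int(r.mfpr)}", audit(r) or "OK")
```

Feed `parse_rsn` the RSN element from a real beacon (the bytes following the element ID 48 in a capture) to confirm that an SSID configured with `set pmf enable` really advertises MFPR, and that a transition SSID lists both PSK and SAE. The OWE transition pair is not visible in the RSN element alone: the pairing is carried in a separate Wi-Fi Alliance vendor element, so a capture of both BSSs is needed to verify it.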