FortiWiFi and FortiAP Configuration Guide

What's new in this release
Introduction
Getting started with FortiAP management
- Configuring the FortiGate interface to manage FortiAP units
- Discovering, authorizing, and deauthorizing FortiAP units
- FortiAP diagnostics and tools
- Setting up a mesh connection between FortiAP units
- Data channel security: clear-text, DTLS, and IPsec VPN
Wireless network configuration
- Wireless network configuration tasks
- Setting your geographic location
- Configuring the network interface for the AP unit
- Creating a FortiAP profile
- Defining a wireless network interface (SSID)
  - Changing SSID to VDOM only
  - Airtime fairness
- Configuring security
  - Captive Portal Security
  - WPA2 Security
    - Configuring WPA2-Personal security
    - Configuring WPA2-Enterprise SSID
  - WPA3 Security
    - Generating SAE-PK private key and password
  - Adding a MAC filter
  - Limiting the number of clients
  - Enabling multicast enhancement
  - Replacing WiFi certificate
  - Configuring WiFi with WSSO using Windows NPS and user groups
- Defining SSID groups
- Configuring dynamic user VLAN assignment
  - VLAN assignment by RADIUS
  - VLAN assignment by Name Tag
  - VLAN assignment by FortiAP group
  - VLAN assignment by VLAN pool
- Configuring wireless NAC support
- Configuring user authentication
  - Custom RADIUS NAS-ID
- Configuring firewall policies for the SSID
- Configuring the built-in access point on a FortiWiFi unit
- Enforcing UTM policies on a local bridge SSID
- Configuring a Syslog profile
- Understanding Distributed Radio Resource Provisioning
  - Configuring Distributed Radio Resource Provisioning
- Translating WiFi QoS WMM marking to DSCP values
- Configuring Layer 3 roaming
  - Configuring L3 Roaming for Tunnel Mode SSIDs
  - Configuring L3 Roaming for Bridge Mode SSIDs
- Advanced Wireless Features
  - Operations Profiles Entry
  - Connectivity Profiles Entry
  - Protection Profiles Entry
  - Advanced SSID options
  - Advanced WiFi Settings options
- Configuring UNII-4 5GHz radio bands
- Configuring Agile Multiband Operation
Access point configuration
- Network topology of managed APs
- Discovery and authorization of APs
- Register a FortiAP to FortiCloud
- FortiAP CLI access
- FortiAP Configuration mode
- FortiAP unit firmware upgrade
- Advanced WiFi controller discovery
  - Configure automatic AP reboot
- Wireless client load balancing for high-density deployments
- FortiAP groups
- LAN port options
  - MAC Authentication for LAN port hosts
- LAN port aggregation and redundancy
  - LAN port uplink redundancy without LACP
- CAPWAP
- LED options
- Configure FortiAP MIMO values
- Configure Fortinet external antenna parameters for specific FortiAPs
- Configure third-party antennas in select FortiAP models
Wireless mesh configuration
- Configuring a meshed WiFi network
- Configuring a point-to-point bridge
Hotspot 2.0 configuration
WiFi network with wired LAN configuration
- How to configure a FortiAP local bridge (private cloud-managed AP)
- How to increase the number of supported FortiAPs
- How to implement multi-processing for large-scale FortiAP management
Remote WLAN FortiAPs
Features for high-density deployments
Wireless network protection
- Wireless Intrusion Detection System
- WiFi data channel encryption
- Protected Management Frames and Opportunistic Key Caching support
- Preventing local bridge traffic from reaching the LAN
- FortiAP-S and FortiAP-U bridge mode security profiles
- DHCP snooping and option-82 data insertion
- DHCP address enforcement
- Disabling console port access
- Configuring 802.1X supplicant on LAN
- Suppressing phishing SSID
Wireless network monitoring
- Monitoring wireless health and clients
- Monitoring rogue APs
- Suppressing rogue APs
- Monitoring wireless clients
- Monitoring wireless clients over IPv6 traffic
- Monitoring application usage for clients connected to bridge mode SSIDs
- Monitoring FortiAP with SNMP
- Monitoring FortiAP temperatures
- Enabling spectrum analysis
- Disable dedicated scanning on FortiAP F-Series profiles
- Enabling AP scan channel lists to optimize foreground scanning
Wireless network examples
- Basic wireless network example
- Wireless network example with FortiSwitch
- Complex wireless network example
- FortiGate WiFi controller 1+1 fast failover example
- CAPWAP hitless failover using FGCP
FortiWiFi unit as a wireless client
- Configuring a FortiWiFi unit as a wireless client
- Enabling EAP/TLS authentication on a FortiWiFi unit in client mode
- Configuring WPA3 security modes on FortiWiFi units operating in client mode
WiFi maps
Bluetooth Low Energy scan
- Pole Star NAO Cloud service integration
- Eddystone BLE beacon profile integration
Support for location-based services
- Configuring location tracking
- Viewing device location data on a FortiGate unit
- Configuring FortiPresence
Support for Electronic Shelf Label systems
Troubleshooting
- FortiAP shell command
- Signal strength issues
- Throughput issues
- Client connection issues
- FortiAP connection issues
- Testing wireless network health with SAM
- Determining the coverage area of a FortiAP
- Best practices for OSI common sources of wireless issues
- Extended logging
- Packet sniffer
- Debug commands
- Disabling 802.11d for client backward compatibility
FortiAP CLI configuration and diagnostics commands
FortiAP API
Change log

Home FortiAP / FortiWiFi 7.4.2 FortiWiFi and FortiAP Configuration Guide

7.4.2

WPA3 Security

For full WPA3 support, we recommend you update your FortiGate and FortiAP devices to the latest supported firmware version.

FortiGate devices running FortiOS 7.0.0 and later.
FortiAP devices running 6.4.3 and later.
FortiAP-S and FortiAP-W2 devices running 6.4.3 and later.
FortiAP-U devices running 6.2.2 and later.

For more precise support information between FortiGate and FortiAP firmware versions, see each model's release notes.

You can configure the following WPA3 security modes:

WPA3 Enterprise 192-bit
WPA3 Enterprise Only
WPA3 Enterprise Transition
WPA3 Simultaneous Authentication of Equals (SAE)
WPA3 SAE Transition
Opportunistic Wireless Encryption (OWE)
OWE Transition

To configure WPA3 on an SSID - GUI:

Go to WiFi Controller > SSID.
Create a new SSID, or edit a current one.
In the WiFi Settings section, set the Security Mode to a WPA3 option.
Configure the relevant security settings as needed.

If you set the security mode to either WPA3-SAE or WPA3-SAE-Transition, you can enable Hash-to-Element (H2E) only or Simultaneous Authentication of Equals Public Key (SAE-PK).
- H2E only: Use hash-to-element-only mechanism for PWE derivation.
- SAE-PK: Enable or disable WPA3 SAE-PK.
  
  When SAE-PK authentication option is enabled, the SAE-PK private key is mandatory. The private key can be generated by FortiOS (for information on how to generate the SAE-PK password and private key, see Generating SAE-PK private key and password) or through a third-party tool. FortiOS will verify the private key and reject invalid input.
Click OK.

Configuring WPA3 OWE - CLI

To configure WPA3 OWE only:

Clients that support WPA3 can connect with this SSID.

config wireless-controller vap
    edit "80e_owe"
        set ssid "80e_owe"
        set security owe
        set pmf enable
        set schedule "always"
    next
end

To configure WPA3 OWE Transition:

Clients connect with normal OPEN or OWE depending on its capability. Clients which support WPA3 connect with OWS standard. Clients which cannot support WPA3 connect with Open SSID.

config wireless-controller vap
    edit "80e_open"
        set ssid "80e_open"
        set security open
        set owe-transition enable
        set owe-transition-ssid "wpa3_open"
        set schedule "always"
    next
    edit "wpa3_owe_tr"
        set ssid "wpa3_open"
        set broadcast-ssid disable
        set security owe
        set pmf enable
        set owe-transition enable
        set owe-transition-ssid "80e_open"
        set schedule "always"
    next
end

Configuring WPA3 SAE - CLI

To configure WPA3 SAE:

Clients that support WPA3 can connect with this SSID.

config wireless-controller vap
    edit "80e_sae"
        set ssid "80e_sae"
        set security wpa3-sae
        set pmf enable
        set schedule "always"
        set sae-password ********
    next
end

To configure WPA3 SAE Transition:

There are two passwords in the SSID. If passphrase is used, the client connects with WPA2 PSK. If sae-password is used, the client connects with WPA3 SAE.

config wireless-controller vap
    edit "80e_sae-tr"
        set ssid "80e_sae-transition"
        set security wpa3-sae-transition
        set pmf optional
        set passphrase ********
        set schedule "always"
        set sae-password ********
    next
end

To configure WPA3 SAE and enable H2E only:

config wireless-controller vap
  edit "wifi"
    set ssid "Example_SSID"
    set security wpa3-sae
    set pmf enable
    set sae-h2e-only enable
    set schedule "always"
    set sae-password ENC *
  next
end

To configure WPA3 SAE and enable SAE-PK:

config wireless-controller vap
  edit "wifi"
    set ssid "Example_SSID"
    set security wpa3-sae
    set pmf enable
    set sae-pk enable
    set sae-private-key "*******"
    set sae-password ENC *
    set schedule "always"
  next
end

Note: The private key can be generated by FortiOS (see Generating SAE-PK private key and password) or through a third-party tool. FortiOS will verify the private key and reject invalid input.

Configuring WPA3 Enterprise - CLI

When using the following WPA3 Enterprise options, you can select the auth type to use either RADIUS authentication or local user authentication. When using RADIUS authentication, you can enable accounting interim updates to integrate with Cisco's Identity Services Engine (ISE).

To configure WPA3 Enterprise 192-bit:

By default, this option is not show in the GUI. When you configure this SSID from the CLI, the GUI will list the security option as WPA3 Enterprise 192-bit.

Using this option, you can set the security mode to wpa3-enterprise to use 192-bit encryption with PMF mandatory.

config wireless-controller vap
    edit "80e_wpa3"
        set ssid "80e_wpa3"
        set security wpa3-enterprise
        set pmf enable
        set auth radius
        set radius-server "wifi-radius"
        set schedule "always"
    next
    edit "80e_wpa3_user"
        set ssid "80e_wpa3_user"
        set security wpa3-enterprise
        set pmf enable
        set auth usergroup
        set usergroup "usergroup"
        set schedule "always"
    next
end

To configure WPA3 Enterprise Only:

Using this option, you can set the security mode to wpa3-only-enterprise to use WPA3 Enterprise with PMF mandatory.

config wireless-controller vap
  edit "wpa3"
    set ssid "wpa3"
    set security wpa3-only-enterprise
    set pmf enable
    set auth radius
    set radius-server "FAC"
    set schedule "always"
  next
end

To configure WPA3 Enterprise Transition:

Using this option, you can set the security mode to wpa3-enterprise-transition to use WPA3 Enterprise with PMF optional. A WPA3-Enterprise STA shall negotiate PMF when associating with an AP using WPA3-Enterprise transition mode.

config wireless-controller vap
  edit "wpa3"
    set ssid "wpa3"
    set security wpa3-enterprise-transition
    set pmf optional
    set auth radius
    set radius-server "FAC"
    set schedule "always"
  next
end

To configure WPA3 Enterprise SSID to integrate with Cisco ISE:

Enable accounting interim updates to integrate with Cisco's ISE session stitching feature. When a wireless client roams between FortiAPs, the FortiGate creates an "Interim-Update" accounting message with the same "Acct-Session-Id" value to avoid interrupting the ISE session.

Create a RADIUS server with an accounting server:

config user radius
  edit "peap"
    set server "172.18.56.104"
      set secret ENC
      set nas-ip 192.168.1.10
      set nas-id-type custom
      set nas-id "FWF-61F-AUTH"
      set acct-interim-interval 300
      set radius-coa enable
      set password-renewal disable
      config accounting-server
        edit 1
          set status enable
          set server "172.18.56.104"
          set secret ENC
      next
    end
  next
end

Create a WPA3 Enterprise SSID with the authentication method set to radius and the radius server set to the example you previously configured (peap).

config wireless-controller vap
  edit "wifi4"
    set ssid "FOS_61F_ENT"
    set security wpa3-only-enterprise
    set auth radius
    set radius-server "peap"
    set schedule "always"
  next
end

Enable roaming-acct-interim-update.

config wireless-controller vap
  edit "wifi4"
    set ssid "FOS_61F_ENT"
    set security wpa3-only-enterprise
    set auth radius
    set radius-server "peap"
    set schedule "always"
    set roaming-acct-interim-update enable
  next
end

Apply this SSID to the FortiAPs you want to roam between.

roaming-acct-interim-update can only be enabled when the security mode is set to a WPA2 or WPA3 Enterprise type.

For full WPA3 support, we recommend you update your FortiGate and FortiAP devices to the latest supported firmware version.

FortiGate devices running FortiOS 7.0.0 and later.
FortiAP devices running 6.4.3 and later.
FortiAP-S and FortiAP-W2 devices running 6.4.3 and later.
FortiAP-U devices running 6.2.2 and later.

For more precise support information between FortiGate and FortiAP firmware versions, see each model's release notes.

You can configure the following WPA3 security modes:

WPA3 Enterprise 192-bit
WPA3 Enterprise Only
WPA3 Enterprise Transition
WPA3 Simultaneous Authentication of Equals (SAE)
WPA3 SAE Transition
Opportunistic Wireless Encryption (OWE)
OWE Transition

To configure WPA3 on an SSID - GUI:

Go to WiFi Controller > SSID.
Create a new SSID, or edit a current one.
In the WiFi Settings section, set the Security Mode to a WPA3 option.
Configure the relevant security settings as needed.

If you set the security mode to either WPA3-SAE or WPA3-SAE-Transition, you can enable Hash-to-Element (H2E) only or Simultaneous Authentication of Equals Public Key (SAE-PK).
- H2E only: Use hash-to-element-only mechanism for PWE derivation.
- SAE-PK: Enable or disable WPA3 SAE-PK.
  
  When SAE-PK authentication option is enabled, the SAE-PK private key is mandatory. The private key can be generated by FortiOS (for information on how to generate the SAE-PK password and private key, see Generating SAE-PK private key and password) or through a third-party tool. FortiOS will verify the private key and reject invalid input.
Click OK.

Configuring WPA3 OWE - CLI

To configure WPA3 OWE only:

Clients that support WPA3 can connect with this SSID.

config wireless-controller vap
    edit "80e_owe"
        set ssid "80e_owe"
        set security owe
        set pmf enable
        set schedule "always"
    next
end

To configure WPA3 OWE Transition:

Clients connect with normal OPEN or OWE depending on its capability. Clients which support WPA3 connect with OWS standard. Clients which cannot support WPA3 connect with Open SSID.

config wireless-controller vap
    edit "80e_open"
        set ssid "80e_open"
        set security open
        set owe-transition enable
        set owe-transition-ssid "wpa3_open"
        set schedule "always"
    next
    edit "wpa3_owe_tr"
        set ssid "wpa3_open"
        set broadcast-ssid disable
        set security owe
        set pmf enable
        set owe-transition enable
        set owe-transition-ssid "80e_open"
        set schedule "always"
    next
end

Configuring WPA3 SAE - CLI

To configure WPA3 SAE:

Clients that support WPA3 can connect with this SSID.

config wireless-controller vap
    edit "80e_sae"
        set ssid "80e_sae"
        set security wpa3-sae
        set pmf enable
        set schedule "always"
        set sae-password ********
    next
end

To configure WPA3 SAE Transition:

There are two passwords in the SSID. If passphrase is used, the client connects with WPA2 PSK. If sae-password is used, the client connects with WPA3 SAE.

config wireless-controller vap
    edit "80e_sae-tr"
        set ssid "80e_sae-transition"
        set security wpa3-sae-transition
        set pmf optional
        set passphrase ********
        set schedule "always"
        set sae-password ********
    next
end

To configure WPA3 SAE and enable H2E only:

config wireless-controller vap
  edit "wifi"
    set ssid "Example_SSID"
    set security wpa3-sae
    set pmf enable
    set sae-h2e-only enable
    set schedule "always"
    set sae-password ENC *
  next
end

To configure WPA3 SAE and enable SAE-PK:

config wireless-controller vap
  edit "wifi"
    set ssid "Example_SSID"
    set security wpa3-sae
    set pmf enable
    set sae-pk enable
    set sae-private-key "*******"
    set sae-password ENC *
    set schedule "always"
  next
end

Note: The private key can be generated by FortiOS (see Generating SAE-PK private key and password) or through a third-party tool. FortiOS will verify the private key and reject invalid input.

Configuring WPA3 Enterprise - CLI

To configure WPA3 Enterprise 192-bit:

By default, this option is not show in the GUI. When you configure this SSID from the CLI, the GUI will list the security option as WPA3 Enterprise 192-bit.

Using this option, you can set the security mode to wpa3-enterprise to use 192-bit encryption with PMF mandatory.

config wireless-controller vap
    edit "80e_wpa3"
        set ssid "80e_wpa3"
        set security wpa3-enterprise
        set pmf enable
        set auth radius
        set radius-server "wifi-radius"
        set schedule "always"
    next
    edit "80e_wpa3_user"
        set ssid "80e_wpa3_user"
        set security wpa3-enterprise
        set pmf enable
        set auth usergroup
        set usergroup "usergroup"
        set schedule "always"
    next
end

To configure WPA3 Enterprise Only:

Using this option, you can set the security mode to wpa3-only-enterprise to use WPA3 Enterprise with PMF mandatory.

config wireless-controller vap
  edit "wpa3"
    set ssid "wpa3"
    set security wpa3-only-enterprise
    set pmf enable
    set auth radius
    set radius-server "FAC"
    set schedule "always"
  next
end

To configure WPA3 Enterprise Transition:

config wireless-controller vap
  edit "wpa3"
    set ssid "wpa3"
    set security wpa3-enterprise-transition
    set pmf optional
    set auth radius
    set radius-server "FAC"
    set schedule "always"
  next
end

To configure WPA3 Enterprise SSID to integrate with Cisco ISE:

Create a RADIUS server with an accounting server:

config user radius
  edit "peap"
    set server "172.18.56.104"
      set secret ENC
      set nas-ip 192.168.1.10
      set nas-id-type custom
      set nas-id "FWF-61F-AUTH"
      set acct-interim-interval 300
      set radius-coa enable
      set password-renewal disable
      config accounting-server
        edit 1
          set status enable
          set server "172.18.56.104"
          set secret ENC
      next
    end
  next
end

Create a WPA3 Enterprise SSID with the authentication method set to radius and the radius server set to the example you previously configured (peap).

config wireless-controller vap
  edit "wifi4"
    set ssid "FOS_61F_ENT"
    set security wpa3-only-enterprise
    set auth radius
    set radius-server "peap"
    set schedule "always"
  next
end

Enable roaming-acct-interim-update.

config wireless-controller vap
  edit "wifi4"
    set ssid "FOS_61F_ENT"
    set security wpa3-only-enterprise
    set auth radius
    set radius-server "peap"
    set schedule "always"
    set roaming-acct-interim-update enable
  next
end

Apply this SSID to the FortiAPs you want to roam between.

roaming-acct-interim-update can only be enabled when the security mode is set to a WPA2 or WPA3 Enterprise type.