Configure Wireless Security (WPA2/WPA3)

Picking the right security mode for an SSID is most of "doing wireless right." Use modern modes, and avoid open networks except for guest access behind a captive portal.

Security Modes

In order of preference:

  • WPA3-Only (Personal/Enterprise) — newest, most secure. Some old devices don't support it.
  • WPA3-WPA2 transition — accepts both; for migration period.
  • WPA2-Only (Personal/Enterprise) — fine as of 2026, deprecate when fleet supports WPA3.
  • WPA-WPA2 — accepts old WPA1 too. Avoid; WPA1 is broken.
  • WEP — broken. Never use.
  • Open — no encryption. Only use for guests with captive portal.

Personal = pre-shared key. Enterprise = 802.1X auth against a RADIUS server.

Steps

In SSID config (see Create an SSID):

WPA2/WPA3 Personal (PSK)

  1. Security Mode: WPA2 Personal or WPA3 SAE.
  2. Pre-shared Key — strong, 12+ chars, mix of letters/numbers/symbols.
  3. PMF (Protected Management Frames): Enabled (WPA3 requires it).
  4. OK.

WPA2/WPA3 Enterprise (802.1X)

  1. Security Mode: WPA2 Enterprise / WPA3 Enterprise.
  2. Authentication — choose:
    • Local — FortiGate's local users.
    • RADIUS — external RADIUS server.
  3. RADIUS Server — if RADIUS, pick the server (see RADIUS Auth).
  4. User Groups — which user groups can connect.
  5. OK.

Users connect with their username and password (LDAP / RADIUS credentials).

Open + Captive Portal

For guest Wi-Fi:

  1. Security Mode: Captive Portal.
  2. Authentication Portal — pick or create:
    • Local — FortiGate-hosted login page.
    • External — redirect to your own captive portal.
  3. User Groups — which users (often guest accounts).
  4. OK.

See Set Up a Captive Portal.

CLI Equivalent

# WPA2 Personal:
config wireless-controller vap
edit "corp-wifi-ssid"
    set security wpa2-only-personal
    set passphrase ENC ...
next
end

# WPA2 Enterprise:
config wireless-controller vap
edit "corp-wifi-ssid"
    set security wpa2-only-enterprise
    set auth radius
    set radius-server "RADIUS-NPS"
next
end

PMF Notes

  • PMF Disabled — no protected management frames; vulnerable to deauth attacks.
  • PMF Capable — used if both sides support it.
  • PMF Required — mandatory; WPA3 requires it.

Modern devices support PMF; set to Capable for compatibility, Required for WPA3-only.
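
An offline check of an exported `config wireless-controller vap` block against the preference order and PMF notes above, as an added example (not FortiGate's or this page's own tooling). The sample export is constructed; the `pmf` keyword with values `disable`/`optional`/`enable` (mapped here to Disabled/Capable/Required) and all mode names other than the two `wpa2-only-*` values in the CLI section are assumptions.

```python
# Constructed sample; mode names beyond wpa2-only-* and the pmf keyword are assumptions.
SAMPLE = """config wireless-controller vap
    edit "corp-wifi-ssid"
        set security wpa2-only-personal
        set pmf disable
    next
    edit "legacy-ssid"
        set security wpa-personal
    next
    edit "lab-ssid"
        set security wpa3-sae
        set pmf optional
    next
end"""

def parse_vaps(text):
    vaps, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("edit "):
            current = vaps.setdefault(line[5:].strip().strip('"'), {})
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].strip().partition(" ")
            current[key] = value.strip().strip('"')
    return vaps

def classify(mode):  # follows the page's preference order
    if mode == "open" or mode.startswith(("wep", "wpa-")):
        return "FAIL", "unencrypted (open) or broken (WEP, WPA1)"
    if mode.startswith("wpa2-") or "transition" in mode:
        return "WARN", "still accepts WPA2"
    if mode.startswith("wpa3-"):
        return "OK", "WPA3-only"
    return "WARN", "unrecognised mode, review by hand"

def audit(text):
    findings = []
    for name, cfg in parse_vaps(text).items():
        mode, pmf = cfg.get("security", ""), cfg.get("pmf")  # pmf None: not judged
        level, why = classify(mode)
        findings.append((name, level, why))
        if level == "OK" and pmf in ("disable", "optional"):
            findings.append((name, "FAIL", "WPA3-only needs PMF Required"))
        elif mode.startswith("wpa") and pmf == "disable":
            findings.append((name, "WARN", "PMF disabled: exposed to deauth attacks"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{lvl:4} {ssid}: {why}" for ssid, lvl, why in audit(SAMPLE)))
```

An SSID whose export omits the PMF line gets no PMF finding, because the script does not assume a default.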

Verify

Connect a client. Check:

diagnose wireless-controller wlac -c sta

This lists connected clients with the auth method used. Verify that the encryption matches what you set.

Common Issues

  • Some old devices can't connect. WPA3 not supported on the client. Use WPA3-WPA2 transition or WPA2 only.
  • Auth fails on Enterprise. RADIUS server unreachable, or shared secret wrong.
  • Frequent disconnects. PMF misconfig with old clients; try setting to "Capable" instead of "Required."