Configure WIFI Network with WPA3 Security with Aruba Instant AP
Steps to configure WIFI Network with WPA3 Security with Aruba Instant AP
WPA3 (Wi-Fi Protected Access 3) security improvements include:
- Simultaneous Authentication of Equals (SAE)—Replaces WPA2-PSK with password-based authentication that is resistant to dictionary attacks
- WPA3-Enterprise 192-Bit Mode—Brings Suite-B 192-bit security suite that is aligned with Commercial National Security Algorithm (CNSA) for enterprise network
Windows 10 version 1903 and above with Intel® Wireless Adapters support WPA3-Personal (aka WPA3-SAE) and WPA3-Enterprise
Define DHCP Pool for Virtual Controller
Internal DHCP pool used by the Virtual Controller to assign IP addresses to WIFI clients when VLAN GUEST is selected
IAP315 (config) # ip dhcp pool
subnet 172.16.10.0
subnet-mask 255.255.255.0
dns-server 192.168.1.230
domain-name aventislab.com
lease-time 60
WIFI Network with WPA3 Security (WIFI Profile)
- Opmode wpa3-sae-aes – WPA3 Personal
- vlan guest – Client IP Assignment managed by Virtual Controller
IAP315 (config) # wlan ssid-profile WPA3
enable
type employee
essid WPA3
wpa-passphrase 0ad9ca4e493fa6c43d3268d0247c2d909fef6eba09abdfb5
opmode wpa3-sae-aes
vlan guest
Clients connected to VLAN GUEST (VLAN 3333) access the Internet via NAT to the br0 interface IP (192.168.1.125)
IAP315# show ip interface brief
Interface IP Address / IP Netmask Admin Protocol
br0 192.168.1.125 / 255.255.255.0 up up
br0.3333 172.16.10.1 / 255.255.255.0 up up
IAP315# show datapath route
Route Table Entries
-------------------
Flags: L - Local, P - Permanent, T - Tunnel, I - IPsec, M - Mobile, A - ARP, D - Drop, U - Use Default Gateway, G - PPPoE/3G/4G Gateway
IP Mask Gateway Cost VLAN Flags
--------------- --------------- --------------- ---- ---- -----
0.0.0.0 0.0.0.0 192.168.1.1 0 0
172.16.10.0 255.255.255.0 172.16.10.1 0 3333 D
192.168.1.0 255.255.255.0 192.168.1.125 0 1 L
192.168.1.240 255.255.255.255 192.168.1.240 0 1 LP
IAP315# show datapath nat-pool
Datapath NAT Pool Entries
-------------------------
ID Begin Source IP End Source IP Destination IP Flags
-- --------------- ------------- -------------- -----
0 192.168.1.125 192.168.1.125 192.168.1.125 -
63 172.16.10.2 172.16.10.2 172.16.10.1 -
64 192.168.1.125 192.168.1.125 0.0.0.0 -
81 192.168.1.240 192.168.1.240 192.168.1.240 -
IAP315# show datapath session
Source IP Destination IP Prot SPort Dport Cntr Prio ToS Age Destination TAge Packets Bytes Flags Offload flags
---------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- ------- ----- ------ -------------
172.16.10.194 40.100.18.18 6 55056 443 0 0 0 27 dev25 84c 0 0 SC
172.16.10.194 54.196.137.11 6 55203 443 0 0 0 1 dev25 18 1 29 SC
Using existing DHCP Server
The existing DHCP server on our FortiGate 60E can be used to assign IP addresses to WIFI clients by using VLAN 10
Refer to the diagram below for more information
IAP315 (config) # wlan ssid-profile WPA3
enable
type employee
essid WPA3
wpa-passphrase 0ad9ca4e493fa6c43d3268d0247c2d909fef6eba09abdfb5
opmode wpa3-sae-aes
vlan 10
User Role for the new WIFI Profile
Every client in the Instant network is associated with a user role that determines the network privileges for a client, the frequency of reauthentication, and the applicable bandwidth contracts.
The default access rule for a new WIFI profile is to DENY all outgoing traffic
wlan access-rule WPA3
rule any any match any any any deny
Change to unrestricted full access by adding a new permit-all rule and then deleting the default DENY all rule
IAP315 (config) # wlan access-rule WPA3
rule any any match any any any permit
no rule any any match any any any deny
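An added configuration audit, written for this post and not part of Aruba's tooling or the original page: it parses Instant config text in the syntax used above and flags any SSID profile whose opmode is not wpa3-sae-aes, or whose access rule still carries the default deny-all (or has no permit rule). It assumes the access rule shares the SSID profile's name, as on this page, and the sample config is constructed.

```python
import re

# Constructed sample in Aruba Instant config syntax, modelled on this post (not a real capture).
SAMPLE_CONFIG = """\
wlan ssid-profile WPA3
 essid WPA3
 opmode wpa3-sae-aes
 vlan guest
wlan ssid-profile LEGACY
 essid LEGACY
 opmode wpa2-psk-aes
 vlan 10
wlan access-rule WPA3
 rule any any match any any any permit
wlan access-rule LEGACY
 rule any any match any any any deny
"""
DENY_ALL = "rule any any match any any any deny"  # default rule of a new profile

def parse_blocks(text):
    """Group the lines under each 'wlan ssid-profile X' / 'wlan access-rule X' header."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"wlan (ssid-profile|access-rule) (\S+)$", line)
        if m:
            current = (m.group(1), m.group(2))
            blocks[current] = []
        elif line and current:
            blocks[current].append(line)
    return blocks

def audit(text):
    """Return {ssid_name: [issues]}; assumes the access-rule is named after the SSID profile."""
    blocks, findings = parse_blocks(text), {}
    for (kind, name), lines in blocks.items():
        if kind != "ssid-profile":
            continue
        opmode = next((l.split()[1] for l in lines if l.startswith("opmode ")), "")
        rules = blocks.get(("access-rule", name), [DENY_ALL])  # no block == IAP default deny
        issues = []
        if opmode != "wpa3-sae-aes":
            issues.append(f"opmode '{opmode}' is not wpa3-sae-aes")
        if DENY_ALL in rules:
            issues.append("default deny-all rule still present")
        if not any(r.startswith("rule ") and r.endswith(" permit") for r in rules):
            issues.append("no permit rule")
        findings[name] = issues
    return findings
```

Run `audit(SAMPLE_CONFIG)`: the WPA3 profile comes back clean, while LEGACY is reported for WPA2-PSK and the untouched deny-all rule.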
Bandwidth Contract per SSID or per User
Bandwidth Contract per SSID
IAP315 (config) # wlan access-rule WPA3
bandwidth-limit downstream 1024
bandwidth-limit upstream 1024
Bandwidth Contract per User
IAP315 (config) # wlan access-rule WPA3
bandwidth-limit peruser downstream 1024
bandwidth-limit peruser upstream 1024
A Windows 10 version 1909 client is now connected to the WPA3 WIFI network and accessing the Internet