PMKID attack on WPA/WPA2 WiFi networks
Makers of popular wifi hacking tool hashcat have discovered a way to improve WPA/WPA2 password brute-forcing: Leveraging the PMKID served by Access Points in WPA/WPA2 enabled WiFi networks, attackers gain knowledge of a Pre-shared Key hash, which can be used to brute-force the WPA/WPA2 password.
This however requires a set of conditions to work:
o WPA/WPA2 must be "Personal security (Pre-shared Key)". Other types (eg: Enterprise) are not vulnerable
o The PMKID must be included in the first EAPOL message of the 4 way handshake
o 802.11r and PMKID caching must be enabled
FortiOS supports WPA/WPA2 WiFi and is only affected under special configurations 
FortiAP supports WPA/WPA2 WiFi and is only affected under special configurations 
FortiAnalyzer is not affected
FortiSwitch is not affected
 when 802.11r/fast-bss-transition is enabled and security is set to wpa2-only-personal.
Since this is a protocol level attack facilitating brute-force cracking, there exists mitigation to disable it altogether, or drastically lower its practical feasibility:
1. When enabling the 801.11r/fast-bss-transition feature on FortiOS/FortiAP, avoid using wpa2-only-personal security, and use wpa2-only-enterprise instead. This effectively prevents the attack completely.
2. If the above is not acceptable given the environment, a minimum of 12 high-entropy random ASCII characters should be used as the password (with 20 characters being preferable). This renders the attack unpractical in the current state of computing power available for brute-force cracking.