7.0.0

Guest User Management

Guest users are temporary users of the network, without pre-existing identities associated with a specific person. Organizations can have a wide variety of needs for guest users, with greater or lesser needs for access control. The FortiGate WiFi controller supports multiple options and many of those options can be combined.

Firewall policies and traffic shaping

Firewall policies can be used for traffic shaping as well as resource access. In most cases, guest traffic will be limited to Internet only, and possibly restricted further. Additionally, when guest access is a courtesy that has a lower priority than authorized user traffic, a traffic shaping policy should be added. Traffic shaping policies are very similar to firewall policies and are found in their own table under Policy & Objects.

The preceding example sets traffic on the guest interfaces to a lower priority. Traffic shaping policies can be configured per IP/device or SSID-wide, by priority, or by a maximum allowed bandwidth.
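As an added example (editor-supplied, not from the original page), the following FortiOS CLI fragment expresses the arrangement described above: one firewall policy that allows guest traffic to the Internet only, a low-priority SSID-wide shaper, and a per-device shaper. The interface names "guest-wifi" and "wan1", the policy numbers, and the bandwidth values are assumptions; adjust them to the deployment.

```fortios
# Assumed names: guest SSID interface "guest-wifi", uplink "wan1".
# Guest clients get Internet only; no policy to internal interfaces
# exists, so that traffic is dropped by the implicit deny.
config firewall policy
    edit 10
        set name "guest-to-internet"
        set srcintf "guest-wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "HTTPS"
        set nat enable
    next
end
# SSID-wide shaper: low priority behind authorized-user traffic,
# with a ceiling on total guest bandwidth (values in kbps, assumed).
config firewall shaper traffic-shaper
    edit "guest-low-priority"
        set priority low
        set maximum-bandwidth 20000
    next
end
# Per-IP/device shaper so one guest cannot consume the whole ceiling.
config firewall shaper per-ip-shaper
    edit "guest-per-device"
        set max-bandwidth 2000
        set max-concurrent-session 200
    next
end
# Shaping policy: lives in its own table, matched like a firewall policy.
config firewall shaping-policy
    edit 1
        set name "guest-internet-shaping"
        set srcintf "guest-wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set traffic-shaper "guest-low-priority"
        set traffic-shaper-reverse "guest-low-priority"
        set per-ip-shaper "guest-per-device"
    next
end
```

Verify the result with `diagnose firewall shaper traffic-shaper list` after a guest client generates traffic; the shaper counters should increase while internal-bound guest traffic is absent from the session table.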

Captive Portal

Captive portals are browser-based authentication screens and are the most common restriction used with guest access SSIDs. Wi-Fi itself is a layer 2 technology with three access control options: RADIUS, PSK/SAE, and Open (unrestricted). Captive portals operate at a higher layer, after the Wi-Fi device has connected to the network and received a DHCP address so that it can reach the web authentication screen. Until the user authenticates through the web page, no other traffic is allowed.

Captive portals are most commonly used with open networks, but can optionally be used on Wi-Fi networks that apply a Pre-Shared Key as layer 2 security. This option is useful for reducing casual use of the network by neighbors when the portal is a disclaimer only.

Captive portal options integrated into the FortiGate WiFi Controller include a simple disclaimer display, or a disclaimer with authentication. When authentication is enabled, a user name and password must be provided by an admin to the guest.

Guest users

A guest user group can be created in the FortiGate, as well as an on-site guest administrator. The Guest Admin is an account on the FortiGate with rights limited to creating guest users.

The following example is a FortiGate administrator that is restricted to only managing and provisioning guest user accounts.

Users can be created on the fly, or batches can be made up ahead of time. With batch creation, the accounts can be created in advance, printed out, and handed out as needed without the person distributing them needing access to the FortiGate. The advantage of having a Guest Admin is that they can capture additional guest information, such as email address, phone number, etc.

The following example is a Guest User group setup page showing options that can be configured for the group.

The following example from User & Authentication > Guest Management is another location where a new Guest user can be manually added.
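The Captive Portal and Guest users sections above describe three pieces that fit together: a guest user group with expiring, auto-generated accounts, an administrator restricted to provisioning that group, and an open SSID whose captive portal requires both a disclaimer and those credentials. As an added example (editor-supplied, not from the original page), the FortiOS CLI below wires them together. The names "guest-group", "lobby-admin" and "guest-wifi", the expiry and account-limit values, and the choice of the built-in "prof_admin" profile are assumptions.

```fortios
# Guest group: credentials are generated by the FortiGate, expire a
# fixed time after creation, and the group is capped in size (values assumed).
config user group
    edit "guest-group"
        set group-type guest
        set user-id auto-generate
        set password auto-generate
        set expire-type immediately
        set expire 28800
        set max-accounts 50
        set multiple-guest-add enable
    next
end
# Guest Admin: a FortiGate administrator limited to creating guest users
# in the groups listed. Replace the placeholder password before use.
config system admin
    edit "lobby-admin"
        set password "<SET-A-STRONG-PASSWORD>"
        set accprofile "prof_admin"
        set guest-auth enable
        set guest-usergroups "guest-group"
    next
end
# Open SSID with a captive portal: disclaimer plus authentication, and
# only members of the guest group may pass the portal.
config wireless-controller vap
    edit "guest-wifi"
        set ssid "Guest"
        set security captive-portal
        set portal-type auth+disclaimer
        set selected-usergroups "guest-group"
    next
end
```

After logging in as the guest admin, the GUI should show only User & Authentication > Guest Management, confirming the account cannot reach other configuration.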

There are many varieties of guest access: pre-generated and pre-printed user/password pairs, on-the-fly registration by a lobby administrator, or simply open access with a disclaimer. The latter may be entirely reasonable when combined with bandwidth limitations and constraints. The method for managing guest access should be well thought out ahead of time to align with business needs.

To learn more about Guest Management:
