Fortinet black logo

Campus WLAN Deployment Guide

Home FortiAP / FortiWiFi 7.0.0 Campus WLAN Deployment Guide
7.0.0
7.0.0

Guest Users SSID with Preconfigured Username and Password

Guest Users SSID with Preconfigured Username and Password

The FortiGate WiFi Controller enables multiple options for Guest networking. For this topic, we will cover predefined guest users that can be printed out and handed to a visitor who checks in at the front desk.

Create a Guest Group

  1. Go to User & Authentication > User Groups.

  2. Click Create New.

    The New User Group window loads.

  3. Enter a group Name.
  4. In Type, select Guest.
  5. Enable Batch Guest Account Creation.
  6. For Start Countdown select After First Login.

  7. Adjust Time to match your campus network policies. The default is 4 hours.

  8. Click OK.

  9. The new user group is saved and added to the list of user groups.

Create Multiple Preconfigured Guest Users

  1. Go to User & Authentication > Guest Management.

  2. Click Create New and select Multiple Users.

    The Create User screen loads.

  3. In the Create User screen:

    1. Enter the Number of Accounts you want to create.
    2. Optionally, adjust the Expiration time.
    3. Optionally, add any Comments.
    4. Click OK.

  4. Once the users are generated, select the group and click Print.

Depending on print options, the print output may look like the following example, with the auto-generated usernames and passwords.

Add a Guest Administrator to the WiFi Controller

You can increase the flexibility of guest administration and registration by adding one or more guest administrators.

  1. Go to System > Administrators.
  2. Click Create New and select Administrator.
  3. Enter a Username.
  4. Choose the Type.
  5. Add a Password or other type dependent information.
  6. Enable Restrict admin to guest account provisioning only.

  7. Assign the Guest Group.

  8. Click OK.

Create the Guest SSID with Captive Portal

  1. Go to WiFi & Switch Controller > SSIDs.
  2. Click Create New and select SSID.

  3. Name the interface.

    All SSIDs are also interfaces on the FortiGate WiFi Controller.

  4. Set the IP Address/Netmask.

  5. Enable the DHCP Server, adjust settings.

  6. Configure the following under WiFi Settings:

    1. Name the SSIDs – this is the over-the-air name of the WLAN.
    2. For Security Mode select Captive Portal.
    3. For Portal Type choose either Authentication or Disclaimer + Authentication.
    4. For Authentication portal, select Local.
    5. In User Groups, select the group you previously created.

  7. Click OK.

The Guest SSID is now broadcasting, but the NGFW of the FortiGate will not pass traffic that is not specifically allowed. Firewall Policies must be added, as above for the authorized user WLAN. As a guest WLAN, it makes sense for this to be more restricted. The following example shows a limited, Internet specific service set. More restrictions are possible, but beyond the scope of this document.

Add Firewall Policies for the Guest Users SSID

  1. Go to Policy & Objects > Firewall Policy.

  2. Click Create New.

    The New Policy screen appears.

  3. Configure the following:
    1. Enter a Name for the policy.

    2. Select the Incoming Interface.

      The Incoming Interface is the Guest SSID Interface. FortiGate WiFi Controller automatically creates an address object.

    3. Following the above example configurations, the Outgoing Interface is the WLAN-uplink interface.
    4. For simplicity, configure the Source and Destination fields as all.
    5. Click Services and scroll to the Services Group category to select the following:
      • Email Access
      • Exchange Server
      • Web Access
      • Windows AD

    6. Leave the other fields with the default settings.
    7. Ensure that NAT is enabled.

    8. Click OK.

      Guest Access is now fully enabled.

The FortiGate WiFi Controller remains very versatile and can support a great deal of customization of Guest Access. See https://docs.fortinet.com/product/fortigate/7.0 for more options.

As configured, the guest user will need one of the generated username/password combinations from above. When opening a browser, they will be presented with disclaimer screen to click through, and then an authentication page in order to access the Internet.

Previous
Next

Guest Users SSID with Preconfigured Username and Password

The FortiGate WiFi Controller enables multiple options for Guest networking. For this topic, we will cover predefined guest users that can be printed out and handed to a visitor who checks in at the front desk.

Create a Guest Group

  1. Go to User & Authentication > User Groups.

  2. Click Create New.

    The New User Group window loads.

  3. Enter a group Name.
  4. In Type, select Guest.
  5. Enable Batch Guest Account Creation.
  6. For Start Countdown select After First Login.

  7. Adjust Time to match your campus network policies. The default is 4 hours.

  8. Click OK.

  9. The new user group is saved and added to the list of user groups.

Create Multiple Preconfigured Guest Users

  1. Go to User & Authentication > Guest Management.

  2. Click Create New and select Multiple Users.

    The Create User screen loads.

  3. In the Create User screen:

    1. Enter the Number of Accounts you want to create.
    2. Optionally, adjust the Expiration time.
    3. Optionally, add any Comments.
    4. Click OK.

  4. Once the users are generated, select the group and click Print.

Depending on print options, the print output may look like the following example, with the auto-generated usernames and passwords.

Add a Guest Administrator to the WiFi Controller

You can increase the flexibility of guest administration and registration by adding one or more guest administrators.

  1. Go to System > Administrators.
  2. Click Create New and select Administrator.
  3. Enter a Username.
  4. Choose the Type.
  5. Add a Password or other type dependent information.
  6. Enable Restrict admin to guest account provisioning only.

  7. Assign the Guest Group.

  8. Click OK.

Create the Guest SSID with Captive Portal

  1. Go to WiFi & Switch Controller > SSIDs.
  2. Click Create New and select SSID.

  3. Name the interface.

    All SSIDs are also interfaces on the FortiGate WiFi Controller.

  4. Set the IP Address/Netmask.

  5. Enable the DHCP Server, adjust settings.

  6. Configure the following under WiFi Settings:

    1. Name the SSIDs – this is the over-the-air name of the WLAN.
    2. For Security Mode select Captive Portal.
    3. For Portal Type choose either Authentication or Disclaimer + Authentication.
    4. For Authentication portal, select Local.
    5. In User Groups, select the group you previously created.

  7. Click OK.

The Guest SSID is now broadcasting, but the NGFW of the FortiGate will not pass traffic that is not specifically allowed. Firewall Policies must be added, as above for the authorized user WLAN. As a guest WLAN, it makes sense for this to be more restricted. The following example shows a limited, Internet specific service set. More restrictions are possible, but beyond the scope of this document.

Add Firewall Policies for the Guest Users SSID

  1. Go to Policy & Objects > Firewall Policy.

  2. Click Create New.

    The New Policy screen appears.

  3. Configure the following:
    1. Enter a Name for the policy.

    2. Select the Incoming Interface.

      The Incoming Interface is the Guest SSID Interface. FortiGate WiFi Controller automatically creates an address object.

    3. Following the above example configurations, the Outgoing Interface is the WLAN-uplink interface.
    4. For simplicity, configure the Source and Destination fields as all.
    5. Click Services and scroll to the Services Group category to select the following:
      • Email Access
      • Exchange Server
      • Web Access
      • Windows AD

    6. Leave the other fields with the default settings.
    7. Ensure that NAT is enabled.

    8. Click OK.

      Guest Access is now fully enabled.

The FortiGate WiFi Controller remains very versatile and can support a great deal of customization of Guest Access. See https://docs.fortinet.com/product/fortigate/7.0 for more options.

As configured, the guest user will need one of the generated username/password combinations from above. When opening a browser, they will be presented with disclaimer screen to click through, and then an authentication page in order to access the Internet.

Previous
Next