7.0.0

Guest WLAN - Captive Portal SSID with Pre-configured Guest Passes


FortiGate enables multiple options for Guest Networking. This section covers how to secure the Guest WLAN using predefined guest user passes that can be pre-printed and handed out to visitors after they check in with an admin.

One option is to create an SSID, as covered in SSIDs for Authorized Users with WPA2/WPA3 Enterprise Security Mode. Select WPA2 Personal or WPA3 SAE (if the clients can support it), and then fill in the SAE Password or Pre-shared Key field. The key can then be shared with guests as needed.

The disadvantage of this option is that a single shared key must be given to every visitor and cannot be revoked for one guest without changing it for all, so it only provides appropriate security for very small organizations, and Fortinet does not recommend this approach. While the security isolation inherent in Fortinet Security Driven Networking may be sufficient to offset much of the risk, it is better to make full use of the FortiGate's capabilities.

Instead, Fortinet recommends creating guest passes that are unique to each guest user and of limited duration. We also recommend creating a guest pass administrator who can be on-site. There are four steps to set up this type of guest access:

  1. Create a guest group.
  2. Create guest users.
  3. Create a guest administrator who can create more passes.
  4. Create the Captive Portal SSID.

To create a Guest User Group:
  1. From the Management tab for the FortiGate you want to configure:
    1. Navigate to Config > User & Device > Users & Groups.

    2. Click Create New > User Group.

      The New User Group page loads.

  2. From the New User Group page, complete the following fields:

    1. In the Name field, enter a name for the User Group.
    2. In the Type field, select Guest User Group.

      The available configuration options change.

    3. Enable Batch Guest Account Creation.

      The available configuration options change.

    4. For Expire Type, select After First Login.
    5. Set Default Expire Time as appropriate. The default is 4 hours.
    6. When you are finished, click Save.

To add a Guest Administrator:

The flexibility of guest administration and registration can be increased by adding one or more guest administrators, who can be local to the FortiGate site, for example a front-desk admin who can issue the guest passes.

  1. From the Management tab for the FortiGate you want to configure:
    1. Navigate to Config > System > Administrator.

    2. Click Create New.

      The New Administrator page loads.

  2. From the New Administrator page, complete the following fields:

    1. In the Name field, enter a name for the Guest Administrator.
    2. In the Type field, select Local User.

    3. Enter a Password.

    4. Scroll down and check Restrict admin to guest account provisioning only.

    5. Choose the Guest Group.

    6. When you are finished, click Save.

  3. Deploy the changes to the FortiGate.

    Once the changes have been deployed, the Guest Administrator can log in locally to the FortiGate and generate guest passes.

Using a Guest Administrator Account

After the Guest Administrator logs into the FortiGate locally via a web browser (using HTTPS and the local IP address of the FortiGate), they are presented with a restricted screen showing only existing guest accounts.

  • From the FortiGate GUI, they can double-click on any guest user to edit.

  • They can also click Create New to create a new user.

    • Depending on the specifics of the user group, fields for additional information (such as sponsor or email address) may be optional or required.

    • Click OK to create the Guest User.

Other administrative tasks can be performed from this page.

  • To print out guest passes, select one or more guest users and click Print, or right-click and select Print from the context menu.

  • To revoke a guest pass early, select one or more guest users and then right-click and select Expire from the context menu.

An example of a Guest Pass printout:

Create a Guest SSID with Captive Portal

  1. From the Management tab for the FortiGate you want to configure:
    1. Navigate to Config > FortiAP > SSIDs.

    2. Click Create New > SSID.

      The New SSID page loads.

  2. From the New SSID page, complete the following fields:

    1. Enter an Interface Name.

    2. Set Traffic mode to Tunnel.
    3. Enter the interface IP Address and set the Subnet Mask.

      This is the address of the FortiGate on this subnet, and it will also be the gateway address for the subnet.

    4. There is no need to select any of the Administrative Access options.

      Administrative access options allow access to the FortiGate itself via this SSID. There should be no need for this when the FortiGate is managed via FortiCloud, and leaving them disabled keeps guests from reaching the management interface.

    5. Enable DHCP Server.

    6. Set or adjust the DHCP Address Range.

  3. In the same New SSID page, scroll down to complete the following WIFI SETTING fields:
    1. Name the SSID.

      This is the over-the-air network name.

    2. In Security Mode, select Captive Portal.

    3. In Portal Type, select Disclaimer + Authentication.

    4. In Authentication Portal, select Local.
    5. In the User Groups field, select the Guest Group you created earlier.

    6. When you are finished, click Save.

Add Firewall Policies for the guest SSID

Once the newly configured SSID is deployed, the FortiAPs begin broadcasting the guest SSID and clients can connect to the WLAN at Layer 2, but their traffic is isolated to the FortiGate WiFi Controller. The Fortinet Security Driven Networking model permits only traffic explicitly allowed via firewall policies, so firewall policies must be added to allow Internet or other network access.

To add a policy for Internet access:
  1. From the Management tab for the FortiGate you want to configure:
    1. Navigate to Policy & Objects > Firewall Policy.
    2. Click Create New.

      The New Policy page loads.

  2. From the New Policy page, complete the following fields:

    1. Name the policy.

    2. In the Incoming Interface field, select the SSID you previously defined.

      Because the SSID is a new interface, the FortiGate WiFi Controller has created an address object for it.

    3. In the Outgoing Interface field, select the WAN interfaces.

    4. Set Source to all.

    5. Set Destination to all.

    6. Set Schedule to always.

    7. Set Service to a more limited set of services, under the assumption that guest networking is for Internet access only.

    8. Set Action to Accept.

    9. For all other fields, keep the default settings.

      • Inspection mode is Flow-based.

      • NAT is enabled.

    10. Other settings are beyond the scope of this guide; to learn more, refer to the FortiGate documentation.

    11. Click Save.

    This is a very simple, single-rule firewall policy set. Keep in mind that the FortiGate WiFi Controller is a full-featured Next Generation Firewall (NGFW), and firewall policies can be as detailed as needed.

  3. Click Deploy to deploy the configuration changes.

    Once deployed, the SSID will broadcast and clients that connect to it will be able to reach the Internet.

Guest Access is now fully enabled. The FortiGate WiFi Controller remains very versatile and can support a great deal of customization of Guest Access. See https://docs.fortinet.com/product/fortigate/7.2 for more options.

As configured, the guest user will need one of the generated username/password combinations from above. When opening a browser, they will be presented with a disclaimer screen to click through, and then an authentication page, before they can access the Internet.
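The same guest-access build expressed in FortiOS CLI, as an added example that is not from the original guide, for readers who manage the FortiGate from the console rather than the FortiCloud GUI. The object names (Guest-Group, frontdesk, Guest-WiFi, Visitor-WiFi, wan1, Guest-Internet), the placeholder password and the prof_admin access profile are assumptions; the SSID interface IP address and DHCP server (configured under config system interface and config system dhcp server) are left out, and the keywords should be checked against the CLI reference for your FortiOS version.

```fortios
# Guest user group: IDs and passwords are auto-generated for batch creation,
# and each pass expires 4 hours (14400 s) after its first successful login.
config user group
    edit "Guest-Group"
        set group-type guest
        set user-id auto-generate
        set password auto-generate
        set sponsor optional
        set expire-type first-successful-login
        set expire 14400
    next
end

# Front-desk administrator restricted to guest account provisioning only.
# The access profile is an assumption; the guest-auth flag is what restricts the login.
config system admin
    edit "frontdesk"
        set password "REPLACE-WITH-STRONG-PASSWORD"
        set accprofile "prof_admin"
        set guest-auth enable
        set guest-usergroups "Guest-Group"
    next
end

# Tunnel-mode SSID with disclaimer followed by local captive-portal authentication
# against the guest group; no administrative access is enabled on the interface.
config wireless-controller vap
    edit "Guest-WiFi"
        set ssid "Visitor-WiFi"
        set local-bridging disable
        set security captive-portal
        set portal-type disclaimer+auth
        set selected-usergroups "Guest-Group"
    next
end

# Single policy: guest SSID to WAN only, limited to web and DNS, NAT on,
# flow-based inspection. Nothing else is reachable from the guest WLAN.
config firewall policy
    edit 0
        set name "Guest-Internet"
        set srcintf "Guest-WiFi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "HTTPS"
        set inspection-mode flow
        set nat enable
    next
end
```

Before deploying, confirm that the service list on Guest-Internet is really the minimum guests need; widening it to ALL is the usual way a guest network ends up with more reach than intended.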
