
Administration Guide

Guest portals

The following section describes how to configure custom guest portals on a per-customer or per-AP/controller basis.

The portals are assigned RADIUS clients and profiles, can permit certain pre-login and post-login services for users (such as password reset and token registration abilities), and rules and replacement messages can be configured.

Portals

Guest portal configuration is available under Authentication > Guest Portals > Portals.

To configure a guest portal:
  1. Select Create New to configure settings for a new guest portal.
  2. Enter the following information:
    Name A name to identify the guest portal.
    URL

    The URL of the guest portal, in the format of:

    https://<FortiAuthenticator IP/FQDN>/guests

    Description Optionally, enter information about the guest portal.
    MAC device HTTP parameter

    Select one of the HTTP parameters available to use for this guest portal:

    • usermac
    • apmac
    • apip
    • userip
    • ssid
    • apname
    • bssid
    • server_ip
    • station_mac
    • station_ip
    • apid
    • ap_nodeid
    • ap_location
    • ap_floor
    • ap_building
    • ap_mac
    • grant_url

    This field must be configured if this portal's Authentication type is set to Device only (MAC address).

    Profile Configuration Assign one or more RADIUS clients and profiles to the portal.
    General Assign an SMS gateway for self-registered users.
    Authentication

    Select either User credentials or Device only (MAC address) as the authentication type:

    User credentials: Selected by default, this option requires local or remote user account credentials, or social site credentials:

    • Account login: Authentication with local or remote user account credentials.
    • Social login: Authentication with social site credentials (OAUTH), phone number, or email. If the RADIUS client is a FortiWLC controller, the appropriate firewall pinholes should be added under Authentication > Guest Portals > General > FortiWLC.
      When enabled, you can optionally determine whether the social account expires after a certain amount of time (measured in minutes, hours, days, weeks, or months). In addition, the social login platforms (Facebook, Google, Twitter, and LinkedIn, each with its own Key and Secret) and login by phone number or email address become available for configuration.
      After a social login is successfully completed on the guest portal by OAUTH, email, or SMS, a social login user account is created under Authentication > User Management > Social Login Users.

    Device only (MAC address): When this option is enabled, the "MAC device HTTP parameter" must also be configured.
    When using device only authentication, the endpoint will not be presented with the login page. Instead, the FortiAuthenticator will only use the endpoint device's MAC address for authentication purposes.
    If the RADIUS client profile associated has MAC device filtering enabled, the MAC address is authenticated according to those settings. If MAC device filtering is disabled, any MAC address is accepted.

    Optionally, you can determine whether the device account expires after a certain amount of time. To configure, enable Device account expires after, enter a value, and select either minute(s), hour(s), day(s), week(s), or month(s).

    Pre-login Services Configure various pre-login services to permit to users.
    Disclaimer

    Enable or disable the appearance of a disclaimer to the end-user that must be accepted before proceeding to the login page.

    To configure the disclaimer, edit the Login Disclaimer Page replacement message under Authentication > Guest Portals > Replacement Messages.

    Password Reset Enable or disable pre-login password reset link.
    Account Registration

    Select to configure various user account registration options:

    • Require administrator approval: Enable/disable whether the user requires administrator approval. If enabled, select whether to send admin approval emails to freeform addresses or to selected user groups.
    • Account expires after: Enable/disable account expiration. If enabled, enter a value and select hours, days, months, or years from the dropdown menu; the account expires after that period.
    • Use mobile number as username: Determine whether to require the user's mobile number as their username.
    • Place registered users into a group: Determine whether to place registered users into a group from the dropdown menu.
    • Password creation: Determine whether the user's password is user-defined or randomly generated.
    • Enforce contact verification: Enable/disable whether to enforce contact verification. If enabled, select whether to verify the user's email address or mobile number, or allow the user to decide between email address or mobile number.
    • New user is automatically logged-in after successful contact verification: Enable to allow newly registered users to access the guest network without having to enter their credentials. Disable to require users to enter their credentials to access the guest network after successful registration. This option is enabled by default.
      Note that this option is not available if Enforce contact verification is disabled.
    • Account delivery options available to the user: Determine whether the user's account information is sent to them by SMS, email, or displayed on the browser page. If more than one option is selected, the self-registering user decides which account delivery method to use. If Require administrator approval is enabled, Display on browser page is disabled.
    • Required field configuration: Configure the available fields required by the user to enter (First name, Last name, Email address, and Mobile number are enabled by default).
    Token Revocation

    Select to revoke tokens based on various conditions:

    • Allow users to report a lost token to the Administrator at this email address
    • Allow users to temporarily use SMS token authentication if a mobile number was pre-configured
    • Allow users to temporarily use email token authentication if an email was pre-configured
    • Allow users to re-provision their FortiToken Mobile
    Usage Extension Notifications Allow users who exceeded their time and/or data usage to request an extension via an email notification.
    Post-login Services Configure various post-login services to permit to users.
    Profile Select to determine whether authenticated users can view/edit their account information.
    Password Change Select to determine whether local and/or remote users have the ability to change their passwords after they log in.
    Token Registration Select to configure FortiToken Mobile self-provisioning privileges.
    Smart Connect Select to assign a Smart Connect profile. See Smart Connect Profiles for more information.
    Device Tracking and Management Select to require users to register their devices after they log in.
  3. Select OK to add the new guest portal.
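The Device only (MAC address) authentication type above depends on two settings working together: the MAC device HTTP parameter names which query parameter of the controller's redirect carries the endpoint MAC, and the RADIUS client profile's MAC device filtering decides whether that MAC is checked against a list or accepted as-is. The following is an added example, not FortiAuthenticator code, that models that decision on a constructed redirect URL. The parameter names are the ones listed on the page; the hostname, the sample MACs and the filter list are made up.

```python
"""Added example (not FortiAuthenticator code): select the configured MAC device
HTTP parameter from a captive-portal redirect and apply MAC device filtering the
way the Device only (MAC address) authentication type is described."""
import re
from urllib.parse import urlparse, parse_qs

# HTTP parameter names offered for the "MAC device HTTP parameter" setting (from the page).
MAC_PARAMETERS = {
    "usermac", "apmac", "apip", "userip", "ssid", "apname", "bssid", "server_ip",
    "station_mac", "station_ip", "apid", "ap_nodeid", "ap_location", "ap_floor",
    "ap_building", "ap_mac", "grant_url",
}

# Constructed sample: a controller redirecting a client to the guest portal.
SAMPLE_REDIRECT = ("https://fac.example.com/guests"
                   "?usermac=AA-BB-CC-DD-EE-01&apname=lobby-ap1&ssid=Guest")


def normalize_mac(raw):
    """Return a MAC as 12 lowercase hex digits, or None if the value is not a MAC."""
    hexdigits = re.sub(r"[:\-. ]", "", raw.strip().lower())
    return hexdigits if re.fullmatch(r"[0-9a-f]{12}", hexdigits) else None


def extract_mac(redirect_url, parameter):
    """Pull the endpoint MAC out of the configured HTTP parameter of the redirect URL."""
    if parameter not in MAC_PARAMETERS:
        raise ValueError(f"unknown MAC device HTTP parameter: {parameter}")
    values = parse_qs(urlparse(redirect_url).query).get(parameter)
    if not values:
        return None  # parameter absent: nothing to authenticate
    return normalize_mac(values[0])


def device_only_decision(redirect_url, parameter, filtering_enabled, allowed_macs):
    """Return (decision, mac). With MAC device filtering enabled only MACs in the
    filter list are accepted; with it disabled any well-formed MAC is accepted."""
    mac = extract_mac(redirect_url, parameter)
    if mac is None:
        return ("reject", None)
    if not filtering_enabled:
        return ("accept", mac)
    allowed = {normalize_mac(m) for m in allowed_macs}
    return ("accept" if mac in allowed else "reject", mac)


if __name__ == "__main__":
    print(device_only_decision(SAMPLE_REDIRECT, "usermac", True, ["aa:bb:cc:dd:ee:01"]))
    print(device_only_decision(SAMPLE_REDIRECT, "station_mac", True, []))
```

The second call shows the failure mode worth checking during rollout: if the portal is configured with a parameter the controller does not actually send (here station_mac while the redirect carries usermac), no MAC is available and the endpoint is never authenticated. With filtering disabled the decision rests entirely on the value the controller put in the redirect, which is why the page notes that any MAC address is accepted in that mode.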

Token self-revocation

Token self-provisioning is offered as a pre-login service for guest portals.

When the token self-revocation feature is enabled (Authentication > Self-service Portal > Token self-provisioning), the guest portal's token verification page will have an additional Lost my token link. Clicking this link provides access to the token self-revocation service page that includes the following options:

  • Re-provision my FortiToken Mobile
  • Switch to email token authentication
  • Disable my account

Post-login device tracking

When the post-login service option Device Tracking and Management is enabled, the administrator must specify into which device group to put the self-registered devices, as well as specify the Maximum number of devices per user (up to 20; 3 by default). When enabled, users have access to a post-login interface where they can add/edit/delete their list of devices. If enabled but the device is not registered, the FortiAuthenticator presents a device registration page after account credential validation.

If the user reaches their device limit, they must select an existing device to replace. If the MAC address is currently associated with a different user, it is re-assigned to this newly logged-in user with the following warning message:

"Your device had previously been registered by another user. Ownership has now been changed to your account."
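The device tracking behaviour described above (a per-user limit of up to 20 devices with a default of 3, a forced choice of an existing device to replace at the limit, and re-assignment of a MAC that another user had registered, with the warning quoted) can be expressed as a small registry. The following is an added example, not FortiAuthenticator code; the usernames and MACs are constructed, and the choice to re-assign ownership whenever the MAC belongs to a different user is this example's reading of the text.

```python
"""Added example (not FortiAuthenticator code): a per-user device registry that
applies the Maximum number of devices per user limit and the ownership
re-assignment rule from the Post-login device tracking section."""
from dataclasses import dataclass, field

DEFAULT_MAX_DEVICES = 3    # page: 3 by default
ABSOLUTE_MAX_DEVICES = 20  # page: up to 20

REASSIGN_WARNING = ("Your device had previously been registered by another user. "
                    "Ownership has now been changed to your account.")


class DeviceLimitReached(Exception):
    """The user is at their device limit and did not choose a device to replace."""


@dataclass
class DeviceRegistry:
    max_per_user: int = DEFAULT_MAX_DEVICES
    owner_of: dict = field(default_factory=dict)  # mac -> username

    def __post_init__(self):
        if not 1 <= self.max_per_user <= ABSOLUTE_MAX_DEVICES:
            raise ValueError("Maximum number of devices per user must be between 1 and 20")

    def devices_of(self, user):
        """Sorted list of MACs currently registered to the user."""
        return sorted(m for m, u in self.owner_of.items() if u == user)

    def is_registered(self, user, mac):
        """True when the device is already this user's; otherwise the portal
        would show the device registration page after credential validation."""
        return self.owner_of.get(mac.lower()) == user

    def register(self, user, mac, replace=None):
        """Register mac for user and return the warnings to show on the page.
        At the limit, `replace` must name one of the user's existing devices."""
        mac = mac.lower()
        warnings = []
        if self.is_registered(user, mac):
            return warnings
        mine = self.devices_of(user)
        if len(mine) >= self.max_per_user:
            if replace is None or replace.lower() not in mine:
                raise DeviceLimitReached(
                    f"{user} already has {len(mine)} devices; select one to replace")
            del self.owner_of[replace.lower()]
        previous = self.owner_of.get(mac)
        if previous is not None and previous != user:
            warnings.append(REASSIGN_WARNING)  # ownership moves to the logged-in user
        self.owner_of[mac] = user
        return warnings


if __name__ == "__main__":
    registry = DeviceRegistry(max_per_user=2)
    registry.register("alice", "aa:bb:cc:00:00:01")
    registry.register("alice", "aa:bb:cc:00:00:02")
    print(registry.register("bob", "AA:BB:CC:00:00:02"))  # alice's device moves to bob
```

The re-assignment path is the one to watch operationally: a device changing owner is silent apart from the warning shown to the new owner, so the registry events are worth logging where a device group change is later audited.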

Rules

Portal rule configuration is available under Authentication > Guest Portals > Rules.

To configure portal rules:
  1. Select Create New to configure new portal rules.
  2. Enter the following information:
    Note: The Conditions section is only available for configuration after the rule is created.
    General Configure the portal rule's general information, including its name and action.
    Name A name to identify the portal rule.
    Description Optionally, enter information about the portal rule.
    Action Determine the action to take for the rule: assign a guest portal or assign no portal for the rule.
  3. Select OK to add the new portal rule.

Replacement messages

Guest portal replacement message mappings are available under Authentication > Guest Portals > Replacement Messages.

The replacement messages are split into four categories: Authentication, Password Reset, User Registration, and Post-Login.

Selecting a specific message displays the HTML or plain text of the message in the lower half of the content pane.

Selecting Toggle Tag List will display a table of the tags used for that message atop the message’s HTML or plain text box.

To edit a replacement message:
  1. Select a message in the replacement message list.
  2. Edit the plain text or HTML code in the lower right pane, or select Open in new window to edit the message in a new browser window.
  3. To insert custom images into the replacement message, see Manage Images.
  4. When you are finished editing the message, select Save to save your changes.
  5. If you have made an error when editing the message, select Restore Default to restore the message to its default value.

Manage Images

Images can be managed by selecting Manage Images in the Replacement Messages window. Images can also be added, deleted, and edited.

To add an image:
  1. From the Manage Images window, select Create New to open the Create New Image window.
  2. In the Name field, enter a name for the image.
  3. Select Choose File, find the GIF, JPEG, or PNG image file that you want to add, and then select Open.
     Note: The maximum image size is 1000 kB.
  4. Select OK to add the image.
  5. To insert the image into a replacement message, add the following HTML code:

    <img src={{:image/<image_name>}}>

    Where <image_name> is the name entered for the image. For example, the HTML code for an image named Acme_logo is <img src={{:image/Acme_logo}}>

To delete an image:
  1. From the Manage Images window, select an image, then select Delete.
  2. Select Yes, I’m sure in the confirmation window to delete the image.

To edit an image:
  1. From the Manage Images window, select an image, then select Edit.
  2. In the Edit Image window, edit the image name and file as required.
  3. Select OK to apply your changes.

Smart Connect profiles

Smart Connect profiles are available under Authentication > Guest Portals > Smart Connect Profiles.

This feature provides the ability to set up network settings (such as WiFi configuration) on an endpoint by downloading a script or an executable (depending on the endpoint's OS) from the FortiAuthenticator guest portal.

When configured, the Smart Connect feature appears as a new button on the guest portal's post-login main page.

When clicking the Smart Connect button, the user is given the option to download a self-install file for the OS type of their choice, including iOS, Android, Windows, and Linux. A device ID can also be entered, but only if the Smart Connect profile uses EAP-TLS. If entered, the ID is used to generate the end-user certificate.

To configure a Smart Connect profile:
  1. Select Create New to start the profile configuration wizard.
  2. Enter a Name and select Next (you cannot configure a different Connect type other than Wireless).
  3. Enter an SSID and select the Auth method to use: WPA2 Personal or WPA2 Enterprise.
  4. You can optionally enable or disable Hidden SSID to show or hide the SSID. When finished, select Next.
  5. Enter a Pre-shared Key, then select Next.
  6. On the Review All Settings page, review and change any of the previously set options and define any further settings.
  7. Select OK to apply your options and finish the configuration.

When created, a Smart Connect profile can be associated with a guest portal and be available as a post-login service (see Post-login Services under Portals).

Smart Connect for Windows

The Smart Connect for Windows feature provides an executable file that adds specific network settings to an end-user's Windows device. The Smart Connect profile settings are the same as the ones implemented for iOS and macOS. The main difference is in how the downloaded executable file is built and packaged, so that it installs seamlessly on Windows devices.

Self-service URL

When using the device tracking feature, users are no longer redirected by the FortiGate after initial device registration. Instead, the FortiAuthenticator provides a specific URL for each guest portal, as derived from the guest portal name (under Authentication > Guest Portals > Portals).

When the end user navigates to the self-service URL, they must provide valid credentials to get network access, but the login does not trigger the call to the FortiGate device's API.

Note: Special characters must be encoded in the self-service URL.

Firmware upgrade

When upgrading from a previous release, as a result of the device tracking feature, the following occurs:

  • MAB Unauthorized devices are set to Deny access by default for existing RADIUS clients.
  • MAB Blocked groups are set to empty by default for existing RADIUS clients.
  • Device tracking and device management are disabled by default for existing guest portals.
  • Existing replacement messages are left unchanged for existing guest portals.
  • New (default) replacement messages are added to existing guest portals.
