Fortinet white logo
Fortinet white logo

Administration Guide

Smart Connect profiles

Smart Connect profiles

Smart Connect profiles are available under Authentication > Portals > Smart Connect Profiles.

This feature provides the ability to set up network settings (such as WiFi configuration) on an endpoint by downloading a script or an executable (depending on the endpoint's OS) from the FortiAuthenticator portal.

When configured, the Smart Connect feature will show up as a new button on the portal's post-login main page:

When clicking on the Smart Connect button, the user is given the option to download a self-install file for the OS type of their choice, including iOS/MacOS, Windows, and Android. A device ID can also be entered, however, this is only available if the Smart Connect profile uses EAP-TLS. If entered, the ID is used to generate the end-user certificate.

To configure a Smart Connect profile:
  1. Select Create New to start the profile configuration wizard.
  2. Enter a Name and select Next (you cannot configure a different Connect type other than Wireless).
  3. Enter an SSID, and select the Auth method to use: WPA2 Personal or WPA2 Enterprise.
  4. You can optionally enable or disable Hidden SSID to show or hide the SSID. When finished, select Next.

  5. Enter a Pre-shared Key, then select Next.
  6. You can edit the profile to review and change any of the previously set options, and define additional settings, as shown below:
  7. Select OK to apply your options and finish the configuration.

    When created, a Smart Connect profile can be associated with a guest portal and be available as a post-login service (see Post-login Services under Portals).

Smart Connect for Windows

The Smart Connect for Windows feature provides an executable file that adds specific network settings to an end-user's Windows device. The Smart Connect profile settings are the same as the ones implemented for iOS and macOS. The main difference is in how the downloaded executable file is built and packaged, so that it installs seamlessly on Windows devices.

Self-service URL

When using the device tracking feature, users are no longer redirected by the FortiGate after initial device registration. Instead, the FortiAuthenticator provides a specific URL for each guest portal, as derived from the guest portal name (under Authentication > Portals > Portals).

When the end user navigates to the self-service URL, they must provide valid credentials to get network access, but the login does not trigger the call to the FortiGate device's API.

note icon Note that special characters must be encoded in the self-service URL.
caution icon

Firmware upgrade

When upgrading from a previous release, as a result of the device tracking feature, the following occurs:

  • MAB Unauthorized devices are set to Deny access by default for existing RADIUS clients.
  • MAB Blocked groups are set to empty by default for existing RADIUS clients.
  • Device tracking and device management are disabled by default for existing guest portals.
  • Existing replacement messages are left unchanged for existing guest portals.
  • New (default) replacement messages are added to existing guest portals.

Smart Connect profiles

Smart Connect profiles

Smart Connect profiles are available under Authentication > Portals > Smart Connect Profiles.

This feature provides the ability to set up network settings (such as WiFi configuration) on an endpoint by downloading a script or an executable (depending on the endpoint's OS) from the FortiAuthenticator portal.

When configured, the Smart Connect feature will show up as a new button on the portal's post-login main page:

When clicking on the Smart Connect button, the user is given the option to download a self-install file for the OS type of their choice, including iOS/MacOS, Windows, and Android. A device ID can also be entered, however, this is only available if the Smart Connect profile uses EAP-TLS. If entered, the ID is used to generate the end-user certificate.

To configure a Smart Connect profile:
  1. Select Create New to start the profile configuration wizard.
  2. Enter a Name and select Next (you cannot configure a different Connect type other than Wireless).
  3. Enter an SSID, and select the Auth method to use: WPA2 Personal or WPA2 Enterprise.
  4. You can optionally enable or disable Hidden SSID to show or hide the SSID. When finished, select Next.

  5. Enter a Pre-shared Key, then select Next.
  6. You can edit the profile to review and change any of the previously set options, and define additional settings, as shown below:
  7. Select OK to apply your options and finish the configuration.

    When created, a Smart Connect profile can be associated with a guest portal and be available as a post-login service (see Post-login Services under Portals).

Smart Connect for Windows

The Smart Connect for Windows feature provides an executable file that adds specific network settings to an end-user's Windows device. The Smart Connect profile settings are the same as the ones implemented for iOS and macOS. The main difference is in how the downloaded executable file is built and packaged, so that it installs seamlessly on Windows devices.

Self-service URL

When using the device tracking feature, users are no longer redirected by the FortiGate after initial device registration. Instead, the FortiAuthenticator provides a specific URL for each guest portal, as derived from the guest portal name (under Authentication > Portals > Portals).

When the end user navigates to the self-service URL, they must provide valid credentials to get network access, but the login does not trigger the call to the FortiGate device's API.

note icon Note that special characters must be encoded in the self-service URL.
caution icon

Firmware upgrade

When upgrading from a previous release, as a result of the device tracking feature, the following occurs:

  • MAB Unauthorized devices are set to Deny access by default for existing RADIUS clients.
  • MAB Blocked groups are set to empty by default for existing RADIUS clients.
  • Device tracking and device management are disabled by default for existing guest portals.
  • Existing replacement messages are left unchanged for existing guest portals.
  • New (default) replacement messages are added to existing guest portals.