Administration Guide

Smart Connect profiles

Smart Connect profiles are available under Authentication > Portals > Smart Connect Profiles.

This feature provides the ability to set up network settings (such as WiFi configuration) on an endpoint by downloading a script or an executable (depending on the endpoint's OS) from the FortiAuthenticator portal.

When configured, the Smart Connect feature shows up as a new button on the portal's post-login main page.

When clicking the Smart Connect button, the user is given the option to download a self-install file for the OS type of their choice, including iOS/MacOS, Windows, and Android. A device ID can also be entered; however, this is only available if the Smart Connect profile uses EAP-TLS. If entered, the ID is used to generate the end-user certificate.

To configure a Smart Connect profile:
  1. Select Create New to start the profile configuration wizard.
  2. Enter a Name.
  3. In Connect type, select either Wireless or Certificate (for certificates-only installs), and select Next.
  4. When the Connect type is Wireless:
    1. Enter an SSID, and select the Auth method to use: WPA2 Personal or WPA2 Enterprise.

      You can optionally enable or disable Hidden SSID to show or hide the SSID. When finished, select Next.

    2. When the Auth method is WPA2 Personal, enter a Pre-shared Key, then select Next.

      When the Auth method is WPA2 Enterprise, enter the following information, then select Next:

      EAP Type

      Select an EAP type:

      • TLS

      • TTLS

      • PEAP

      Signing CA

      From the dropdown, select a local CA certificate to sign certificates for the EAP-TLS connection.

      Note: The option is only available when the EAP Type is TLS.

      Anonymous Identity

      Select either Anonymous or Username.

      If Username is selected, select a format from Username Format.

      Do not send username over unencrypted communication.

      Note: The option is not available when EAP Type is TLS.

      Username Format

      Select from the following formats:

      • username

      • username@realm

      • realm\username

      • realm/username

      Phase 2 Authentication

      From the following options, select an authentication protocol:

      • PAP

      • CHAP

      • MSCHAP

      • MSCHAPv2

      Note: The option is only available when the EAP Type is TTLS.

      Include user credentials in configuration file

      Enable to include username/password in configuration files/executables that users can download.

      Note: The option is only available when the EAP Type is TTLS or PEAP.

    3. In the CA Installation Settings window:
      1. In Install local CA certificates, from the list of available local CA certificates, select CA certificates and move them to the Chosen Install Local CA Certificates list.

        The selected CA certificates are installed on the client devices.

      2. In Install trusted CA certificates, from the list of trusted CA certificates, select trusted CA certificates and move them to the Chosen Install Trusted CA Certificates list.
      3. From the Windows code sign certificate dropdown, select a certificate or select the default Default-Server-Certificate.

        Note: The option is only available when editing a Smart Connect profile.

    4. Click Save.
    5. You can edit the profile to review and change any of the previously set options, and define additional settings.

    6. Click Save to apply your options and finish the configuration.

      When created, a Smart Connect profile can be associated with a guest portal and be available as a post-login service (see Post-login Services under Portals).

  5. When the Connect type is Certificate:
    1. In the Signing CA dropdown, select the local CA certificate to sign the client certificates issued by the Smart Connect profile, and select Next.
    2. In the CA Installation Settings window:
      1. In Install local CA certificates, from the list of available local CA certificates, select CA certificates and move them to the Chosen Install Local CA Certificates list.

        The selected CA certificates are installed on the client devices.

      2. In Install trusted CA certificates, from the list of trusted CA certificates, select trusted CA certificates and move them to the Chosen Install Trusted CA Certificates list.
      3. From the Windows code sign certificate dropdown, select a certificate or select the default Default-Server-Certificate.

        Note: The option is only available when editing a Smart Connect profile.

    3. Click Save.
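
The WPA2 Enterprise options above (Anonymous Identity, Phase 2 Authentication, Include user credentials in configuration file, and the installed CA certificates) determine what ends up in the file the user downloads. The following is an added example, not FortiAuthenticator code: it audits a Wi-Fi profile for those settings, assuming the iOS/macOS download is an unsigned Apple configuration profile (.mobileconfig) with a standard com.apple.wifi.managed payload. The sample profile is constructed for illustration.

```python
import plistlib

EAP_NAMES = {13: "TLS", 21: "TTLS", 25: "PEAP"}  # IANA EAP method numbers

# Constructed sample: WPA2 Enterprise, TTLS/PAP, credentials embedded in the file.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.apple.wifi.managed",
        "SSID_STR": "Example-Corp",
        "HIDDEN_NETWORK": False,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [21],
            "TTLSInnerAuthentication": "PAP",
            "UserName": "alice@example.com",
            "UserPassword": "constructed-password",
        },
    }],
})


def audit_profile(data: bytes) -> list[str]:
    """Return findings for each Wi-Fi payload in an unsigned .mobileconfig."""
    findings = []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = payload.get("SSID_STR", "?")
        eap = payload.get("EAPClientConfiguration")
        if eap is None:  # WPA2 Personal: the key, if present, sits in the payload
            if "Password" in payload:
                findings.append(f"{ssid}: pre-shared key stored in profile")
            continue
        methods = {EAP_NAMES.get(t, str(t)) for t in eap.get("AcceptEAPTypes", [])}
        if "UserPassword" in eap:
            findings.append(f"{ssid}: user password embedded in profile")
        if methods & {"TTLS", "PEAP"} and not eap.get("OuterIdentity"):
            findings.append(f"{ssid}: no anonymous outer identity; username sent in the clear")
        if "TTLS" in methods and eap.get("TTLSInnerAuthentication") == "PAP":
            findings.append(f"{ssid}: TTLS inner method is PAP")
        if not (eap.get("PayloadCertificateAnchorUUID") or eap.get("TLSTrustedServerNames")):
            findings.append(f"{ssid}: no pinned CA or trusted server name")
    return findings


if __name__ == "__main__":
    for line in audit_profile(SAMPLE):
        print(line)
```
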

Smart Connect for Windows

The Smart Connect for Windows feature provides an executable file that adds specific network settings to an end-user's Windows device. The Smart Connect profile settings are the same as the ones implemented for iOS and macOS. The main difference is in how the downloaded executable file is built and packaged, so that it installs seamlessly on Windows devices.

Self-service URL

When using the device tracking feature, users are no longer redirected by the FortiGate after initial device registration. Instead, the FortiAuthenticator provides a specific URL for each guest portal, as derived from the guest portal name (under Authentication > Portals > Portals).

When the end user navigates to the self-service URL, they must provide valid credentials to get network access, but the login does not trigger the call to the FortiGate device's API.

Note that special characters must be encoded in the self-service URL.

Firmware upgrade

When upgrading from a previous release, as a result of the device tracking feature, the following occurs:

  • MAB Unauthorized devices are set to Deny access by default for existing RADIUS clients.
  • MAB Blocked groups are set to empty by default for existing RADIUS clients.
  • Device tracking and device management are disabled by default for existing guest portals.
  • Existing replacement messages are left unchanged for existing guest portals.
  • New (default) replacement messages are added to existing guest portals.
