Handbook

6.0.0

Managing guest access

Visitors to your premises might need user accounts on your network for the duration of their stay. If you are hosting a large event such as a conference, you might need to create many such temporary accounts. The FortiOS Guest Management feature is designed for this purpose.

A guest user account User ID can be the user’s email address, a randomly generated string, or an ID that the administrator assigns. Similarly, the password can be administrator-assigned or randomly generated.

You can create many guest accounts at once using randomly-generated User IDs and passwords. This reduces administrator workload for large events.

User’s view of guest access

  1. The user receives an email, SMS message, or printout from a FortiOS administrator listing a User ID and password.
  2. The user logs onto the network with the provided credentials.
  3. After the expiry time, the credentials are no longer valid.

Administrator’s view of guest access

  1. Create one or more guest user groups.
    All members of the group have the same characteristics: type of User ID, type of password, information fields used, type and time of expiry.
  2. Create guest accounts using Guest Management.
  3. Use captive portal authentication and select the appropriate guest group.

To add an SMS service

If you plan to send SMS notifications to guest users, use the following command to add an email-to-SMS service to your FortiGate. The mail-server value is the domain name of the email-to-SMS gateway that turns an email message into a text message.

config system sms-server
    edit <server-name>
        set mail-server <mail-server-domain>
    end

Configuring guest user access

To set up guest user access, you need to create at least one guest user group and add guest user accounts. Optionally, you can create a guest management administrator whose only function is the creation of guest accounts in specific guest user groups. Otherwise, any administrator can do guest management.

Creating guest management administrators

To create a guest management administrator

  1. Go to System > Administrators and create a regular administrator account.
  2. Select Restrict to Provision Guest Accounts.
  3. In Guest Groups, add the guest groups that this administrator manages.

Creating guest user groups

The guest group configuration determines the fields that are provided when you create a guest user account.

To create a guest user group:
  1. Go to User & Device > User Groups and select Create New.
  2. Enter the following information:
    Name: Enter a name for the group.
    Type: Guest
    Enable Batch Account Creation: Create multiple accounts automatically. When this is enabled:
    • User ID and Password are set to Auto-Generate.
    • The user accounts have only User ID, Password, and Expiration fields. Only the Expiration field is editable. If the expiry time is a duration, such as “8 hours”, this is the time after first login.
    • You can print the account information. Users do not receive email or SMS notification.
    See To create multiple guest user accounts automatically.
    User ID: Select one of:
    • Email — User’s email address
    • Specify — Administrator assigns the user ID
    • Auto-Generate — FortiGate unit creates a random user ID
    Password: Select one of:
    • Specify — Administrator assigns the password
    • Auto-Generate — FortiGate unit creates a random password
    • Disable — no password
    Expire Type: Choose one of:
    • Immediately — expiry time is counted from creation of the account
    • After first login — expiry time is counted from the user’s first login
    Default Expire Time: Set the expire time. The administrator can change this for individual users.
    Enable Name: If enabled, the user must provide a name.
    Enable Sponsor: If enabled, the user form has a Sponsor field. Select Required if the field is mandatory.
    Enable Company: If enabled, the user form has a Company field. Select Required if the field is mandatory.
    Enable Email: If enabled, the user is notified by email.
    Enable SMS: If enabled, the user is notified by SMS. Select whether the FortiGuard Messaging Service or another SMS provider is used.

Creating guest user accounts

Guest user accounts are not the same as local user accounts created in User & Device > User Definition. Guest accounts are not permanent; they expire after a defined time period. You create guest accounts in User & Device > Guest Management.

To create a guest user account
  1. Go to User & Device > Guest Management.
  2. In Guest Groups, select the guest group to manage.
  3. Select Create New and fill in the fields in the New User form.
    Fields marked Optional can be left blank. The guest group configuration determines the fields that are available.
  4. Select OK.
To create multiple guest user accounts automatically
  1. Go to User & Device > Guest Management.
  2. In Guest Groups, select the guest group to manage.
    The guest group must have the Enable Batch Account Creation option enabled.
  3. Select Create New > Multiple Users.
    Use the down-pointing caret to the right of Create New.
  4. Enter Number of Accounts.
  5. Optionally, change the Expiration.
  6. Select OK.

Guest management account list

Go to User & Device > Guest Management to create, view, edit or delete guest user accounts.

Create New: Creates a new guest user account.
Edit: Edit the selected guest user account.
Delete: Delete the selected guest user account.
Purge: Remove all expired accounts from the list.
Send: Send the user account information to a printer or to the guest. Depending on the group settings and user information, the information can be sent to the user by email or SMS.
Refresh: Update the list.
Guest Groups: Select the guest group to list. New accounts are added to this group.
User ID: The user ID. Depending on the guest group settings, this can be the user’s email address, an ID that the administrator specified, or a randomly-generated ID.
Expires: Indicates a duration such as “3 hours”. A duration on its own is relative to the present time. Otherwise, the duration is listed as “after first login.”
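The following is an added example, not FortiOS code, that models the guest-account lifecycle described in the sections above: a guest group fixes the User ID type, password type, Expire Type and Default Expire Time; batch creation forces auto-generated credentials; and a captive-portal login fails once the account has expired. The group fields, the in-memory store, integer-second timestamps and the sample group names are assumptions made for the example.

```python
# Guest-account provisioning model (added example, not FortiOS code).
# Assumptions: group settings and account fields are plain Python objects,
# times are integer seconds, and the account store is an in-memory dict.
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Optional

ALPHABET = string.ascii_letters + string.digits


@dataclass
class GuestGroup:
    name: str
    expire_type: str             # "immediately" or "after-first-login"
    default_expire_s: int        # Default Expire Time, in seconds
    user_id_type: str = "auto"   # "email", "specify" or "auto"
    password_type: str = "auto"  # "specify", "auto" or "disable"


@dataclass
class GuestAccount:
    user_id: str
    password: Optional[str]      # None when the group disables passwords
    group: str
    expire_s: int
    created_at: int
    first_login_at: Optional[int] = None


def random_credential(length: int = 10) -> str:
    """Unpredictable ID/password from the OS CSPRNG (never random.choice)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def create_account(store: Dict[str, GuestAccount], group: GuestGroup, now: int,
                   user_id: Optional[str] = None, password: Optional[str] = None,
                   expire_s: Optional[int] = None) -> GuestAccount:
    """Create one account; which fields are required follows the group settings."""
    if group.user_id_type == "auto":
        user_id = random_credential(8)
    elif group.user_id_type == "email":
        if not user_id or "@" not in user_id:
            raise ValueError("group requires an email address as User ID")
    elif not user_id:
        raise ValueError("group requires an administrator-specified User ID")

    if group.password_type == "auto":
        password = random_credential(12)
    elif group.password_type == "disable":
        password = None
    elif not password:
        raise ValueError("group requires an administrator-specified password")

    if user_id in store:
        raise ValueError(f"User ID {user_id!r} already exists")
    acct = GuestAccount(user_id, password, group.name,
                        group.default_expire_s if expire_s is None else expire_s, now)
    store[user_id] = acct
    return acct


def create_batch(store, group, count, now, expire_s=None) -> List[GuestAccount]:
    """Batch creation: both credentials are auto-generated, only expiry is adjustable."""
    if group.user_id_type != "auto" or group.password_type != "auto":
        raise ValueError("batch creation requires auto-generated User ID and password")
    return [create_account(store, group, now, expire_s=expire_s) for _ in range(count)]


def is_expired(acct: GuestAccount, group: GuestGroup, now: int) -> bool:
    """'immediately' counts from creation; 'after-first-login' from the first login.
    An after-first-login account that was never used is therefore not expired here."""
    if group.expire_type == "immediately":
        start = acct.created_at
    elif acct.first_login_at is None:
        return False
    else:
        start = acct.first_login_at
    return now >= start + acct.expire_s


def login(store, groups: Dict[str, GuestGroup], user_id, password, now) -> bool:
    """Captive-portal check: unknown ID, wrong password or expired account all fail."""
    acct = store.get(user_id)
    if acct is None:
        return False
    if is_expired(acct, groups[acct.group], now):
        return False
    if acct.password is not None:
        if password is None or not secrets.compare_digest(
                acct.password.encode(), password.encode()):
            return False
    if acct.first_login_at is None:      # only a successful login starts the clock
        acct.first_login_at = now
    return True


def purge(store, groups, now) -> int:
    """Remove expired accounts from the store; returns how many were removed."""
    expired = [uid for uid, a in store.items() if is_expired(a, groups[a.group], now)]
    for uid in expired:
        del store[uid]
    return len(expired)
```

One point the model makes visible: with an after-first-login expiry, credentials that are printed but never used stay valid until someone logs in with them, so printed batch credentials for an event should be treated as live secrets and purged or deleted once the event is over rather than left to age out.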

Guest access in a retail environment

Some retail businesses such as coffee shops provide free WiFi Internet access for their customers. For this type of application, the FortiOS guest management feature is not required; the WiFi access point is open and customers do not need logon credentials. However, the business might want to contact its customers later with promotional offers to encourage further patronage. Using an Email Collection portal, it is possible to collect customer email addresses for this purpose. The security policy grants network access only to users who provide a valid email address.

The first time a customer’s device attempts to use the WiFi connection, FortiOS requests an email address, which it validates. The customer’s subsequent connections go directly to the Internet without interruption.

Creating an email harvesting portal

The customer’s first contact with your network will be with a captive portal which presents a web page requesting an email address. When FortiOS has validated the email address, the customer’s device MAC address is added to the Collected Emails device group.

To create the email collection portal:
  1. Go to WiFi & Switch Controller > SSID and edit your SSID.
  2. Set Security Mode to Captive Portal.
  3. Set Portal Type to Email Collection.
  4. Optionally, in Customize Portal Messages select Email Collection.

You can change the portal content and appearance. See Customizing captive portal pages.

To create the email collection portal - CLI:

In this example the freewifi WiFi interface is modified to present an email collection captive portal.

config wireless-controller vap
    edit freewifi
        set security captive-portal
        set portal-type email-collect
    end

Creating the security policy

You need to configure a security policy that allows traffic to flow from the WiFi SSID to the Internet interface, but only for members of the Collected Emails device group. This policy must be listed first. Unknown devices are not members of the Collected Emails device group, so they do not match the policy and are instead presented with the captive portal.

To create the security policy:
  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information:
    Incoming Interface: freewifi
    Source Address: all
    Source Device Type: Collected Emails
    Outgoing Interface: wan1
    Destination Address: all
    Schedule: always
    Service: ALL
    Action: ACCEPT
    NAT: On
  3. Select OK.
To create the security policy - CLI:

config firewall policy
    edit 3
        set srcintf "freewifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set devices collected-emails
        set nat enable
        set schedule "always"
        set service "ALL"
    end
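The following is an added example, not FortiOS code, that models the email-collection flow just described: a portal submission is validated, the device's MAC address is recorded in the Collected Emails group, and the first security policy accepts traffic only from devices in that group, so an unknown device gets the portal instead. The email syntax rule, the in-memory device table, the policy fields and the sample MAC addresses and addresses below are constructed for the example; the page does not describe the exact validation FortiOS performs.

```python
# Email-collection portal and device-group policy model (added example, not
# FortiOS code). Assumptions: the email syntax rule, the in-memory device table,
# the policy fields and all MAC addresses/emails below are constructed.
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Assumed check: one local part, an '@', and a dotted domain. FortiOS's own
# validation rule is not described on this page.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so lookups are case-insensitive."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return m


@dataclass
class DeviceTable:
    """Device inventory: MAC address -> harvested email (the Collected Emails group)."""
    collected_emails: Dict[str, str] = field(default_factory=dict)

    def in_group(self, group: str, mac: str) -> bool:
        return group == "collected-emails" and normalize_mac(mac) in self.collected_emails


def collect_email(table: DeviceTable, mac: str, email: str) -> bool:
    """Portal submission: reject malformed addresses, otherwise record the device."""
    email = email.strip()
    if not EMAIL_RE.match(email):
        return False
    table.collected_emails[normalize_mac(mac)] = email
    return True


@dataclass(frozen=True)
class Policy:
    policyid: int
    srcintf: str
    dstintf: str
    action: str
    devices: FrozenSet[str] = frozenset()   # empty = any device


def match_policy(policies, table, srcintf, dstintf, mac) -> Optional[Policy]:
    """First policy whose interfaces match and whose device filter (if any) the MAC satisfies."""
    for p in policies:
        if (p.srcintf, p.dstintf) != (srcintf, dstintf):
            continue
        if p.devices and not any(table.in_group(g, mac) for g in p.devices):
            continue
        return p
    return None


def handle_connection(policies, table, srcintf, dstintf, mac) -> str:
    """Unknown devices match no policy and go to the portal; known ones get the action."""
    p = match_policy(policies, table, srcintf, dstintf, mac)
    return "captive-portal" if p is None else p.action


# Constructed sample: the policy from the CLI example above and two client devices.
POLICIES: List[Policy] = [
    Policy(3, "freewifi", "wan1", "accept", frozenset({"collected-emails"})),
]


def demo() -> List[str]:
    """First visit -> portal; after a valid address is collected -> accept; other device -> portal."""
    table = DeviceTable()
    out = [handle_connection(POLICIES, table, "freewifi", "wan1", "D8:D1:CB:AB:61:0F")]
    collect_email(table, "D8:D1:CB:AB:61:0F", "yo@yourdomain.com")
    out.append(handle_connection(POLICIES, table, "freewifi", "wan1", "d8:d1:cb:ab:61:0f"))
    out.append(handle_connection(POLICIES, table, "freewifi", "wan1", "74:e1:b6:dd:69:f9"))
    return out
```

Note that group membership is keyed on the client MAC address alone, so any device presenting a MAC that is already in the group inherits its access. That is acceptable for a promotional-email capture on an open SSID, which is the use case here, but it is not an authentication control and should not gate anything beyond Internet access.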

Checking for harvested emails

In the GUI, go to User & Device > Device Inventory. In the CLI you can use the diagnose user device list command. For example,

FGT-100D # diagnose user device list
hosts
    vd 0  d8:d1:cb:ab:61:0f  gen 35 req 30 redir 1 last 43634s 7-11_2-int
        ip 10.0.2.101 ip6 fe80::dad1:cbff:feab:610f
        type 2 'iPhone' src http c 1 gen 29
        os 'iPhone' version 'iOS 6.0.1' src http id 358 c 1
        email 'yo@yourdomain.com'
    vd 0  74:e1:b6:dd:69:f9  gen 36 req 20 redir 0 last 39369s 7-11_2-int
        ip 10.0.2.100 ip6 fe80::76e1:b6ff:fedd:69f9
        type 1 'iPad' src http c 1 gen 5
        os 'iPad' version 'iOS 6.0' src http id 293 c 1
        host 'Joes’s-iPad' src dhcp
        email 'you@fortinet.com'

Fall-through authentication policies

User authentication policies have an implicit fall-through feature that intentionally lets policy matching continue to a policy lower in the list that can also match the traffic. In other words, the first user policy matched in the policy list on standard policy criteria is not the only policy that can be matched.

Fall-through is intended to match users in different user groups with different policies. For example, consider an organization with two user groups where one group requires a web filtering profile, while the other requires virus scanning. In this example, you would create two basic Internet access policies: policy 1 assigning User Group A a Web Filtering profile, and policy 2 assigning User Group B an AntiVirus profile. Both policies are also assigned to the same internal subnet, named subnet1.

In this configuration, all users from subnet1 will see an authentication prompt. If the user is found in User Group A, the traffic is accepted by policy 1 and is filtered by the Web Filtering profile. If the user is found in User Group B, the traffic is accepted by policy 2 and is virus scanned.

The fall-through feature is required for users to be matched with policy 2. Without the fall-through feature, traffic would never be matched with policy 2.
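The following is an added example, not FortiOS code, that models the fall-through behaviour described above and contrasts it with strict first-match evaluation. The policy fields, the user-to-group directory and the user names are constructed for the example; the profile names stand in for the Web Filtering and AntiVirus profiles in the text. It also goes one step beyond the text by showing what happens to a user who belongs to both groups.

```python
# Fall-through policy matching model (added example, not FortiOS code).
# Assumptions: policy fields, group names, the user-to-group directory and the
# two matching strategies are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Policy:
    policyid: int
    srcaddr: str
    groups: FrozenSet[str]      # user groups allowed; empty = no authentication
    profiles: Tuple[str, ...]   # security profiles applied to accepted traffic


# Constructed directory: which groups each authenticated user belongs to.
USER_GROUPS: Dict[str, Set[str]] = {
    "alice": {"group_a"},
    "bob": {"group_b"},
    "carol": set(),                     # authenticates but is in neither group
    "dave": {"group_a", "group_b"},     # member of both groups
}

# Policies 1 and 2 from the text: same source subnet, different groups/profiles.
POLICIES: List[Policy] = [
    Policy(1, "subnet1", frozenset({"group_a"}), ("webfilter",)),
    Policy(2, "subnet1", frozenset({"group_b"}), ("antivirus",)),
]


def candidates(policies: List[Policy], srcaddr: str) -> List[Policy]:
    """Policies that match on standard criteria (here only the source subnet)."""
    return [p for p in policies if p.srcaddr == srcaddr]


def requires_auth(policies: List[Policy], srcaddr: str) -> bool:
    """Any candidate with a user group means the client sees an authentication prompt."""
    return any(p.groups for p in candidates(policies, srcaddr))


def user_matches(p: Policy, user: str) -> bool:
    return not p.groups or bool(USER_GROUPS.get(user, set()) & p.groups)


def match_fallthrough(policies, srcaddr, user) -> Optional[Policy]:
    """Behaviour described above: keep walking the list until a policy's group
    contains the user. A user in both groups still gets the first policy."""
    for p in candidates(policies, srcaddr):
        if user_matches(p, user):
            return p
    return None


def match_first_only(policies, srcaddr, user) -> Optional[Policy]:
    """Strict first-match, for contrast: only the first candidate is considered."""
    cands = candidates(policies, srcaddr)
    if cands and user_matches(cands[0], user):
        return cands[0]
    return None


def profiles_for(user: str, fallthrough: bool = True) -> Tuple[str, ...]:
    """Which security profiles a subnet1 user ends up with under each strategy."""
    matcher = match_fallthrough if fallthrough else match_first_only
    p = matcher(POLICIES, "subnet1", user)
    return p.profiles if p else ()
```

The case of a user in both groups is worth checking in your own policy list: fall-through does not merge policies, so that user is handled entirely by the first policy whose group contains them and never receives the second policy's profile. Policy order, not group membership alone, decides which profile applies.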
