Retail environment guest access
Businesses such as coffee shops provide free Internet access for customers. In this scenario, you do not need to configure guest management, as customers can access the WiFi access point without logon credentials.
However, consider that the business wants to contact customers with promotional offers to encourage future patronage. You can configure an email collection portal to collect customer email addresses for this purpose. You can configure a security policy to grant network access only to users who provide a valid email address. The first time a customer’s device attempts WiFi connection, FortiOS requests an email address, which it validates. The customers' subsequent connections go directly to the Internet without interruption.
This configuration consists of the following steps:
Creating an email collection portal
The customer’s first contact with your network is a captive portal that presents a webpage requesting an email address. When FortiOS has validated the email address, the customer’s device MAC address is added to the Collected Emails device group.
This example modifies the
freewifi WiFi interface to present an email collection captive portal.
To create an email collection portal:
config wireless-controller vap edit freewifi set security captive-portal set portal-type email-collect next end
Creating a security policy
You must configure a security policy that allows traffic to flow from the WiFi SSID to the internet interface only for members of the Collected Emails device group. This policy must be listed first. Unknown devices are not members of the Collected Emails device group, so they do not match the policy.
To create a security policy:
config firewall policy edit 3 set srcintf "freewifi" set dstintf "wan1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set nat enable set email-collect enable next end
Checking for harvested emails
To check for harvested emails in the GUI:
- Go to Dashboard > Users & Devices.
- Hover over the Device Inventory widget and click Expand to Full Screen.
To check for harvested emails in the CLI:
# diagnose user device list hosts vd 0 d8:d1:aa:aa:69:0f gen 35 req 30 redir 1 last 43634s 7-11_2-int ip 10.0.2.101 ip6 fe80::dad2:cbff:feab:610f type 2 'iPhone' src http c 1 gen 29 os 'iPhone' version 'iOS 6.0.1' src http id 358 c 1 email 'email@example.com' vd 0 74:e1:bb:bb:69:f9 gen 36 req 20 redir 0 last 39369s 7-11_2-int ip 10.0.2.100 ip6 fe80::76e2:b6ff:fedd:69f9 type 1 'iPad' src http c 1 gen 5 os 'iPad' version 'iOS 6.0' src http id 293 c 1 host 'Joes’s-iPad' src dhcp email 'firstname.lastname@example.org'