Authorization Profiles
The authorization profiles enable different levels of access to different accounts. For example, to assign different RADIUS attributes or to only allow access to users from certain IP address ranges. You can Clone the authorization profile to reuse configurations.
- Navigate to Network Access Policies > Authorization Profiles and enter a Name and Description for your profile.
- An authorization profile implements various restrictions and attributes for a user account. Configure the following in your authorization profile.
RADIUS Attributes
FortiGuest sends these RADIUS attributes to the enforcement device. If a user authenticates using a RADIUS client device such as a FortiGate controller, then for each role you can define additional vendor specific RADIUS attributes that are sent upon successful authentication. Click New and select a Vendor to add an Attribute-Value pair.
Note: IETF and Fortinet are displayed as the suggested vendors for RADIUS attributes.
IP Filtering
If a user authenticates using a RADIUS client device, then you can specify from which IP address ranges the user is allowed to authenticate for each profile. This enables you to specify profiles based upon location so that users assigned to a specific profile can only log in from locations that you specify. Enter the IPv4/IPv6 network address with the appropriate prefix length, the host addresses must be specified using a /32 prefix for IPv4.
Note: This feature only works when the RADIUS client sends the user IP address in the RADIUS authentication and the IP address is contained in the Framed-IP-Address attribute.
Notification Settings
You can configure to send an email and SMS notifications upon user account log in and expiry.
- SMS Notification Settings - Enable SMS notifications for user account log in and then specify how often you wish to send notifications. Leave the field empty to send an SMS at every log in.
- Email Notification Settings - Enable email notifications for user account log in and then specify how often you wish to send notifications. Leave the field empty to send an email at every log in.
- Specify the Language template to use for email and SMS notifications.
Device Restrictions
You can configure the user profile to restrict log in to a certain amount of permissible users/devices within a specific time period.
- Enter the Max devices per user to configure the maximum number of devices allowed per users. Leave the field empty to allow an unlimited number of devices per user.
- Enter the Max users per device to configure the maximum number of users to access a device. Leave the field empty to allow an unlimited number of users per device.
- The Duration is the period for which these restrictions apply. For example, if the maximum limit is 2 devices per user then this limit applies only for the time period configured in the Duration field.
Note: FortiGuest enforces device restrictions only if Radius Accounting is enabled with interim updates on the NAS server, and the Accounting-interim-update attribute is added in the RADIUS client.
Auto MAC Registration
You can enable this setting to register MAC addresses, so that when a device is used to login it is remembered on the network. If this is enabled, a device account is automatically created for a user device when they login via a portal. Automatic device registration is subject to the limit set in Policy Settings > Account Groups. Select the Account Group and Usage Profile used to create the device.