Manage guests in a FortiNAC Control Manager environment

When using Guest Manager in an environment where two or more FortiNAC appliances are managed by a central FortiNAC Control Manager appliance, guest accounts are not centrally located. Guest accounts can be created on any FortiNAC appliance, but are not replicated to other FortiNAC appliances. When guests arrive, they may connect to the network in a location managed by an appliance other than the one where their accounts were created.

When a guest connects to the network and tries to register, the FortiNAC appliance to which the guest is connected checks its own database for the guest's account. If the guest account exists on that FortiNAC appliance, the guest can proceed with the registration process. If the guest account does not exist, the FortiNAC Control Manager checks the other FortiNAC appliances it manages until it finds the guest account. The FortiNAC Control Manager copies the guest account from the appliance on which it was created to the appliance where the guest is attempting to connect to the network. Then the guest can continue the registration process.

Since guest records are copied and are not centrally located, there are some limitations:

  • Guest accounts are only copied from one appliance to another as needed and are not synchronized at any time.
  • When a guest user account is copied from one appliance to another, FortiNAC Control Manager checks the status of the Propagate Hosts setting on the user account. If this setting is enabled, hosts associated with the guest are copied with the guest user account.
  • If a guest account is manually deleted on one FortiNAC appliance, it is not deleted from all appliances automatically.
  • Because the appliances are not kept in sync, a guest report on FortiNAC appliance A may not show the same information as a guest report on FortiNAC appliance B. The guest may have been created on appliance A, but registered and authenticated on appliance B. A report on appliance A will not reflect the changes made on appliance B.
  • Guest accounts cannot be limited to a particular appliance or set of appliances, which would subsequently limit access to a subset of the network.
  • There is no central location where all guest records can be viewed. A best practice would be to use the same FortiNAC appliance to create all guest accounts.
  • If the FortiNAC Control Manager is not running, guests will not be able to register on any appliance that does not already contain their guest accounts.
  • Guest users display under Users > User License. If a Guest User is deleted on the FortiNAC Control Manager, the Guest User and corresponding host are also deleted on all the managed FortiNAC appliances. However, the Guest Account is not deleted. This account remains in the database of the managed FortiNAC appliance until it expires or is deleted. This allows a Guest User to re-register or, in the case of conference accounts, allows new guests to be assigned those accounts.
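
Because there is no central view and deletions are not propagated, an operator may want to reconcile per-appliance guest account lists offline. The following is an added example, not Fortinet code: the appliance names, the `account,expires` export layout and the sample rows are assumptions constructed for illustration, and `origin` is the single appliance designated for creating guest accounts.

```python
import csv
import io

# Constructed sample exports, one per appliance. The appliance names and the
# (account, expires) column layout are assumptions, not a FortiNAC format.
EXPORTS = {
    "appliance-a": "account,expires\nalice,2030-01-10\nconf-01,2030-01-05\n",
    "appliance-b": "account,expires\nalice,2030-01-12\nbob,2029-12-01\n",
    "appliance-c": "account,expires\nbob,2029-12-01\nconf-01,2030-01-05\n",
}

def load(exports):
    """Merge all exports into {account: {appliance: expires}}."""
    merged = {}
    for appliance, text in exports.items():
        for row in csv.DictReader(io.StringIO(text)):
            merged.setdefault(row["account"], {})[appliance] = row["expires"]
    return merged

def reconcile(exports, origin):
    """Flag accounts that the copy-on-demand model lets drift out of step."""
    findings = {"missing_on_origin": {}, "diverged": {}}
    for account, holders in load(exports).items():
        if origin not in holders:
            # Only copies remain: deleted on the origin appliance, or created
            # elsewhere against the single-creation-appliance practice.
            findings["missing_on_origin"][account] = sorted(holders)
        if len(set(holders.values())) > 1:
            # Copies are never synchronized, so edits on one do not propagate.
            findings["diverged"][account] = dict(sorted(holders.items()))
    return findings

def deletion_targets(exports, account):
    """Every appliance where the account must be deleted by hand."""
    return sorted(load(exports).get(account, {}))

if __name__ == "__main__":
    result = reconcile(EXPORTS, origin="appliance-a")
    for kind, items in result.items():
        for account, detail in items.items():
            print(f"{kind}: {account} -> {detail}")
    print("delete conf-01 on:", deletion_targets(EXPORTS, "conf-01"))
```
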
