Guest Manager is implemented at several levels. The initial setup is done by a FortiNAC administrator. Guest and Contractor Accounts are created and managed by an administrative user called a sponsor. Finally, Guests and Contractors themselves follow a login process. The initial setup of Guest Manager can be done using the Quick Start wizard under System > Quick Start. This section of the documentation outlines the implementation process in the order in which it should be done if you are implementing Guest Manager without using the wizard or enabling additional features not configured by the wizard.
Administrators have full rights to all parts of the FortiNAC system and can fully implement Guest Manager without needing a sponsor user to create accounts. However, in most organizations these responsibilities are divided up.
- Make sure that e-mail settings for your FortiNAC server or control server have been configured. If they are not configured, you will not be able to send email to guests with their account credentials.
- If you intend to use Endpoint Compliance Policies and scan guest or contractor computers, set up the policies before creating templates.
- Each guest account that is created must be associated with a template that controls configuration details about that account, such as how long the account is valid or when the guest can access the network. Guest account types include Guest, Contractor, Conference and Self-Registered Guest. See Guest/contractor templates.
- Guest Manager templates allow you to limit guest access to the network based on time of day or day of week. During the time that the guest is not allowed to access the network it is marked "At Risk" for the Guest No Access admin scan. If you choose to implement this feature for any template, the following requirements must be met:
  - You must have a quarantine or remediation VLAN on your network.
  - Under System > Settings > Control > Quarantine, enable the Quarantine VLAN option.
  - Ports through which a guest would connect must be in the Forced Remediation Group (applies only to wired ports).
  - The Model Configuration for all switches to which guests connect must have an entry for the Quarantine VLAN. This applies to both wired and wireless switches and access points.
- Admin User Profiles control what administrative users can do when they are working in FortiNAC. If you intend to have an administrative user create and manage guest accounts, you must create an Admin User Profile to provide that user with the appropriate permissions. Sponsor profiles determine whether the sponsor can manage Guest accounts, Kiosk Accounts or Self-Registered Guest accounts.
- Create any administrative users or sponsors that will be responsible for creating and managing guests.
Administrative users can also be created and associated with an Administrative User Profile automatically based on users and groups in your Directory.
- To force guests and contractors to register and/or authenticate when they connect to the network, the ports to which they connect must be in a controlled access group such as Forced Registration.
- When guests or contractors connect to the network they are presented with a registration page. This page can be set up either by editing the existing registration pages directly (Portal V1) or using the Portal Configuration Content Editor (Portal V2).
- If you would like to provide guests with badges containing their login credentials, you must make sure the printer is set up correctly.
- If you would like to send guests their login credentials via an SMS message, enable any necessary Mobile Providers. See Mobile providers. For guest account type Self-Registered Guest, SMS messages are enabled by default and require that you enable Mobile Providers.
- If you decide to use Network Access Policy features of FortiNAC you must configure User/Host Profiles that correspond to guests. Then map a User/Host Profile to a Network Access Configuration using a Network Access Policy. See Network access policies for additional information.
Sponsors have the following responsibilities. Administrators can perform these functions also.
- When all of the preliminary setup steps have been completed, either the Sponsor or the Administrator can create guest/contractor accounts.
- If Self-Registration Requests permission has been granted, sponsors can also approve or deny account requests for accounts from guests using the Self-Registration feature. See or .
- To facilitate your guests' connection to the network you must give them information about their login credentials.
- If you are managing a large group of guests or contractors, you can use the Locate feature to find and manage guests. See Locate.
Sponsors with management permissions in their Admin Profile can locate guests, contractors, registered hosts, and other sponsors.
Sponsors who are limited in their Admin User Profile to managing their own hosts cannot search for any other hosts. The Sponsor field in the Locate screen is automatically filled in with the sponsor’s name and cannot be changed.