Fortinet Document Library

Version:

Version:


Table of Contents

Administration Guide

Download PDF
Copy Link

Create templates

Use this option to create multiple templates for each of the Guest, Contractor, Conference and self-registered guest visitor types with a variety of permissions. Data fields allow you to collect data from your guests and store it in User Properties. If you are a FortiNAC administrator you have access to all templates and can assign any template of the correct type to any guest, contractor or conference user when you create their accounts. If you choose to create a sponsor user who is responsible for creating visitor accounts, the sponsor must be assigned a set of templates through the administrator profile. When the sponsor creates visitor accounts, he can only choose templates from the list you have assigned.

  1. Click Users > Guest/Contractor Templates.
  2. The Templates window appears. Click Add.
  3. The Add Guest/Contractor Template window appears. Enter the information in the Required Fields tab as described in Create templates.
  4. Click the Data Fields tab to determine which fields will be required when a guest logs onto the network.
  5. Click the Note tab to add a note to the printed access information to give the guest/contractor special login instructions or an SSID. See Provide login information.
  6. Click OK to create the template and add it to the list of templates.
Settings

All possible fields are included in this table. The fields shown on your screen will vary depending on the Visitor Type you select.

Field

Definition

Template Name

Type a descriptive name for the template. Sponsors use this name when they select a template to create accounts.

Visitor Type

User type for the template. Corresponds to the account types of Guest and Contractor so that the correct view is presented to the user. See Visitor types.

Use A Unique Role Based On This Template Name

Creates a role based on the template name and assigns that role to guests with accounts created using this template. Using the template name as a role allows you to limit network access based on the guest template by using the new role as a filter in a user/host profile. See User/host profiles.

When using the Wireless Security feature to configure SSID mappings, the name of the guest template selected is used to create the appropriate user/host profile allowing you to limit SSID access based on guest template.

Select Role

Role is an attribute added to the user and the host. Roles can be used in user/host profiles as a filter. Note that these roles must first be configured in the Role Management view. If they are not configured, no role-based restrictions apply. Any additional roles you have configured are also listed here. The available default options are Contractor, Guest and NAC-Default. If you have not configured a Guest or Contractor role, any Host you register has the NAC-Default common role applied to it.

See Visitor types. For more on Roles see Role management.

Security & Access Value

Enter a value, such as Guest or Visitor. This field is added to each guest user account that is created based on this template and can be used as a filter. When creating user/host profiles, you can filter for the contents of the Security & Access Value field to control which endpoint compliance policy is used to scan guest hosts.

Send Email

For Conference accounts, email cannot be sent until a guest has registered or you have modified the account via the User View > Modify option to enter an email address.

Select this check box if you want a sponsor with this template to be able to send an e-mail confirmation to the guest’s/contractor’s email address. If not selected (default) guest or contractor credentials need to be printed or sent via SMS.

For self-registered guest accounts this option is automatically checked and cannot be disabled.

Send SMS

For Guest or Contractor accounts, select this check box if you want a sponsor with this template to be able to send an SMS confirmation to the guest’s/contractor’s mobile phone. If not selected guest or contractor credentials need to be e-mailed or printed.

For self-registered guest accounts this option is automatically checked and cannot be disabled.

Requires that the guest or contractor provide both a mobile number and the mobile provider. These fields default to Required in the Data Fields tab.

Max Number Of Accounts

Only available when Visitor Type is set to Conference. Typically used when generating a large number of accounts for a conference. Limits the total number of accounts that can be created on the Conference Account window when this template is selected.

To limit accounts, enable the check box and enter the maximum number of accounts that can ever be created using this template.

For an unlimited number of accounts, leave the check box empty.

Password Length

Between 5 and 64 characters. Passwords that are automatically generated by guest manager contain at least one capital letter, one lower case letter, one alphanumeric character, and one symbol. If you have characters listed in Password Exclusions, those characters will not be used.

Note that for Conference accounts, once a template has been created, the sponsor may specify the individual different passwords for attendees when the sponsor creates the conference account. See Conference accounts.

Note

FortiNAC does not recognize or restrict system-generated passwords that may be offensive.

Password Exclusions

List of characters that will not be included in generated passwords.

Use Mobile Friendly
Exclusions

Removes any existing entries and then populates the Password Exclusions field with a list of symbols that are typically difficult to enter on a mobile device. Modify the list of characters as needed. Characters include:

!@#$%^&*()_+~{}|:"<>?-=[]\;',/

Reauthentication Period (hours)

Specify the number of hours the guest or contractor can access the network before reauthentication is required. To specify a reauthentication period you must first select the check box. Next fill in the reauthentication period in hours. If you do not select this check box, you will not have to specify a reauthentication period for guests or contractor accounts created with this template.

Authentication Method

Specify where authentication occurs:

  • Local: User name and password credentials are stored in the local database.

    Note

    For Conference accounts, authentication is Local only.

  • LDAP: The email of the user is required, and is what guests and contractors use to log in. The email address maps to the created Guest user. When the email address is located in the LDAP directory, it is compared with the given password for the user. If it matches, the guest or contractor’s credentials are accepted and they are granted access.
  • RADIUS: Checks your RADIUS server for the email address (required) in the user's created account. If a match is found, it is compared with the given password for the user. If it matches, the guest or contractor’s credentials are accepted and they are granted access.

Account Duration

Select the check box to specify the duration of the account in hours.

For all guests except those with shared conference accounts: The duration governs how long from creation the account remains in the database, regardless of the end date that is entered when creating the guest account.

For shared conference accounts: The duration governs how long from guest Login the account remains in the database, regardless of the end date that is entered when creating the conference.

For self-registered guest accounts this option is automatically checked and cannot be disabled. You must enter a duration.

There are two methods that work together for determining the length of time a guest account is active. The shortest duration of the two is the one that is used to remove a guest account from the database.

  • Account Duration (Hours): Option included in the guest template to limit the time a guest account created with this template remains in the database. If this is blank, the guest account end date is used. The Account Duration starts only when the guest user first logs in. For example, you could create a guest account with a date range that spans one week and if the account duration was 24 hours, they would be able to log in for one 24 hour period any time during that week
  • Account End Date: Option included on the Add Guest Account dialog to determine the date on which the guest account expires. This field is required when a guest account is created.

Propagate Hosts

Controls whether the Propagate Hosts setting is enabled or disabled on the user record for guest users created with this template. If enabled, the record for the host owned by the guest user is copied to all managed FortiNAC appliances. This field is only displayed if the FortiNAC server is managed by a FortiNAC Control Manager.

Login Availability

Select when guests or contractors with this template can login to the network. Login Availability is within the timeframe you specify for the Account Duration.

The available options are:

  • Always
  • Specify Time: If you select this option, a window displays in which you specify the time range and select the days of the week. Click OK.

Guests created using this template are marked "At Risk" for the Guest No Access admin scan during the times they are not permitted to access the network.

URL for Acceptable Use Policy

Optional. Directs the guest or contractor to the page you specify with the network policies when they login.

Resolve URL

Click to acquire the IP addresses for the URLs for Acceptable Use Policy and Successful Landing page. If the URL is not reachable, specify the IP address in the IP address field.

Portal version 1 settings

URL for Successful
Landing Page

Directs the guest or contractor to a certain page when they have successfully logged into the network and passed the scan in an endpoint compliance policy. This field is optional and is used only if you have Portal V1 enabled in portal configuration.

If you are using the portal pages included with FortiNAC and controlled by the content editor in the portal configuration, this field is ignored.

Login availability time

This option allows you to limit network access for a guest or contractor based on the time of day and the day of the week. Any guest associated with a template, can only access the network as specified in the Login Availability field for the template.

If you set times for Login Availability, FortiNAC periodically checks the access time for each guest associated with the template. When the guest is not allowed to access the network the host associated with the guest is marked "At Risk" for the Guest No Access admin scan. When the time is reached that the guest is allowed to access the network, the "At Risk" state is removed from the host. These changes in state occur on the guest host record whether the guest is connected to the network or not. If the guest host connects to the network outside its allowed timeframe, a web page is displayed with the following message: "Your network access has been disabled. You are outside of your allowed time window. To regain network access call the help desk.".

Data fields

Specify which pieces of data will appear on the form the guest or contractor will be required to fill out in the captive portal. For self-registered guests this information is filled out with the request for an account. For Guests with an existing account, this information is filled out after they enter their user name and password on the login page. If the field has a corresponding database field, it is stored there and displayed on the User Properties window. If the field does not have a corresponding database field, it is stored and displayed in the Notes tab of the User Properties window and the Host Properties window. Hover over the field name to display a tool tip indicating where the data entered by the guest will be stored.

  • Required: The data in this field must be entered in order for the guest or contractor to log in.
  • Optional: Appears on the form, but is not required data from the guest or contractor.
  • Ignored: Will not appear on the form.

The E-mail field is required. The fields listed below are default fields that are included with the original setup of guest manager. Field names can be modified by typing over the original name. Therefore, the fields on your template window may not match any of the fields in this list. If you rename a field, the data entered into that field by the guest is still stored in its original location. For example, if you modify the title of the Last Name field to say Mother's Maiden Name, the data is still stored in the Last Name field on the User Properties window.

Field

Definition

Last Name

Maximum length 50 characters. Stored in the Last Name field.

First Name

Maximum length 50 characters. Stored in the First Name field.

Address

Maximum length 50 characters. Stored in the Address field.

City

Maximum length 50 characters. Stored in the City field.

State
(or Province/County)

Standard two-letter state abbreviation, or up to 50 characters. Stored in the State field.

Country

Maximum length 50 characters. Stored on the Notes tab.

Zip or Postal Code

Maximum length of 16. Stored in the Zip Code field.

Email

Email address of the guest or contractor. Stored in the E-mail field.

Note

This field can be modified however FortiNAC expects the contents of the field to be an email address. This field tests for a valid email address and will not allow the user to proceed without one. If the label is something other than email and other types of data are entered, the guest account may not be able to be created.

Phone

Telephone number including international country codes (for example, +1, +44). Maximum length 16. Stored in the Phone field.

Mobile Phone

Mobile Telephone number. Maximum length 16. Stored in the Add/Modify User window.

Mobile Provider

The name of the company that provides the guest with Mobile service. The guest is provided with a list of possible providers. Stored in the Add/Modify User window.

Asset

Text field for computer serial numbers, manufacturer’s name and model number, or any other asset identifier of the guest’s or contractor’s computing platform. Stored in the Serial Number field. Max.length 80 characters.

Reason

The reason for the guest’s or contractor’s visit. Max. length 80 characters. Stored on the Notes tab.

Person Visiting

Maximum length 50 characters. Stored on the Notes tab.

Buttons

Add Field

Click to add new data fields to track additional guest or contractor data, such as license plate numbers or demo equipment details. Maximum length 80 characters.

Type the name of the field in the pop-up window. Select whether to make the field required or optional.

Once new fields have been added they are stored in the Notes tab of the user’s account. To see these fields go to the User Properties window.

Delete Field

Delete a data field from the list. Only those fields that have been created by an administrator can be deleted. System fields can be set to Ignore so they do not display, but cannot be deleted from the template.

Reorder Fields

Changes the order of the fields as they appear in the Guest or Contractor Form. Click this button to reorder account information fields. In the pop-up window, click Move Up or Move Down and OK.

Notes

The Notes tab on the template creation window allows you to provide additional information to guests and contractors. After you have created a Guest or Contractor account, you may want to provide that user with his login information. Login information can be printed, viewed on the screen, sent via text message to a mobile telephone or included in an amalgamate text added on the Notes tab is appended to the guest information included in the printout, email or text message. See Provide login information for additional information.

Create templates

Use this option to create multiple templates for each of the Guest, Contractor, Conference and self-registered guest visitor types with a variety of permissions. Data fields allow you to collect data from your guests and store it in User Properties. If you are a FortiNAC administrator you have access to all templates and can assign any template of the correct type to any guest, contractor or conference user when you create their accounts. If you choose to create a sponsor user who is responsible for creating visitor accounts, the sponsor must be assigned a set of templates through the administrator profile. When the sponsor creates visitor accounts, he can only choose templates from the list you have assigned.

  1. Click Users > Guest/Contractor Templates.
  2. The Templates window appears. Click Add.
  3. The Add Guest/Contractor Template window appears. Enter the information in the Required Fields tab as described in Create templates.
  4. Click the Data Fields tab to determine which fields will be required when a guest logs onto the network.
  5. Click the Note tab to add a note to the printed access information to give the guest/contractor special login instructions or an SSID. See Provide login information.
  6. Click OK to create the template and add it to the list of templates.
Settings

All possible fields are included in this table. The fields shown on your screen will vary depending on the Visitor Type you select.

Field

Definition

Template Name

Type a descriptive name for the template. Sponsors use this name when they select a template to create accounts.

Visitor Type

User type for the template. Corresponds to the account types of Guest and Contractor so that the correct view is presented to the user. See Visitor types.

Use A Unique Role Based On This Template Name

Creates a role based on the template name and assigns that role to guests with accounts created using this template. Using the template name as a role allows you to limit network access based on the guest template by using the new role as a filter in a user/host profile. See User/host profiles.

When using the Wireless Security feature to configure SSID mappings, the name of the guest template selected is used to create the appropriate user/host profile allowing you to limit SSID access based on guest template.

Select Role

Role is an attribute added to the user and the host. Roles can be used in user/host profiles as a filter. Note that these roles must first be configured in the Role Management view. If they are not configured, no role-based restrictions apply. Any additional roles you have configured are also listed here. The available default options are Contractor, Guest and NAC-Default. If you have not configured a Guest or Contractor role, any Host you register has the NAC-Default common role applied to it.

See Visitor types. For more on Roles see Role management.

Security & Access Value

Enter a value, such as Guest or Visitor. This field is added to each guest user account that is created based on this template and can be used as a filter. When creating user/host profiles, you can filter for the contents of the Security & Access Value field to control which endpoint compliance policy is used to scan guest hosts.

Send Email

For Conference accounts, email cannot be sent until a guest has registered or you have modified the account via the User View > Modify option to enter an email address.

Select this check box if you want a sponsor with this template to be able to send an e-mail confirmation to the guest’s/contractor’s email address. If not selected (default) guest or contractor credentials need to be printed or sent via SMS.

For self-registered guest accounts this option is automatically checked and cannot be disabled.

Send SMS

For Guest or Contractor accounts, select this check box if you want a sponsor with this template to be able to send an SMS confirmation to the guest’s/contractor’s mobile phone. If not selected guest or contractor credentials need to be e-mailed or printed.

For self-registered guest accounts this option is automatically checked and cannot be disabled.

Requires that the guest or contractor provide both a mobile number and the mobile provider. These fields default to Required in the Data Fields tab.

Max Number Of Accounts

Only available when Visitor Type is set to Conference. Typically used when generating a large number of accounts for a conference. Limits the total number of accounts that can be created on the Conference Account window when this template is selected.

To limit accounts, enable the check box and enter the maximum number of accounts that can ever be created using this template.

For an unlimited number of accounts, leave the check box empty.

Password Length

Between 5 and 64 characters. Passwords that are automatically generated by guest manager contain at least one capital letter, one lower case letter, one alphanumeric character, and one symbol. If you have characters listed in Password Exclusions, those characters will not be used.

Note that for Conference accounts, once a template has been created, the sponsor may specify the individual different passwords for attendees when the sponsor creates the conference account. See Conference accounts.

Note

FortiNAC does not recognize or restrict system-generated passwords that may be offensive.

Password Exclusions

List of characters that will not be included in generated passwords.

Use Mobile Friendly
Exclusions

Removes any existing entries and then populates the Password Exclusions field with a list of symbols that are typically difficult to enter on a mobile device. Modify the list of characters as needed. Characters include:

!@#$%^&*()_+~{}|:"<>?-=[]\;',/

Reauthentication Period (hours)

Specify the number of hours the guest or contractor can access the network before reauthentication is required. To specify a reauthentication period you must first select the check box. Next fill in the reauthentication period in hours. If you do not select this check box, you will not have to specify a reauthentication period for guests or contractor accounts created with this template.

Authentication Method

Specify where authentication occurs:

  • Local: User name and password credentials are stored in the local database.

    Note

    For Conference accounts, authentication is Local only.

  • LDAP: The email of the user is required, and is what guests and contractors use to log in. The email address maps to the created Guest user. When the email address is located in the LDAP directory, it is compared with the given password for the user. If it matches, the guest or contractor’s credentials are accepted and they are granted access.
  • RADIUS: Checks your RADIUS server for the email address (required) in the user's created account. If a match is found, it is compared with the given password for the user. If it matches, the guest or contractor’s credentials are accepted and they are granted access.

Account Duration

Select the check box to specify the duration of the account in hours.

For all guests except those with shared conference accounts: The duration governs how long from creation the account remains in the database, regardless of the end date that is entered when creating the guest account.

For shared conference accounts: The duration governs how long from guest Login the account remains in the database, regardless of the end date that is entered when creating the conference.

For self-registered guest accounts this option is automatically checked and cannot be disabled. You must enter a duration.

There are two methods that work together for determining the length of time a guest account is active. The shortest duration of the two is the one that is used to remove a guest account from the database.

  • Account Duration (Hours): Option included in the guest template to limit the time a guest account created with this template remains in the database. If this is blank, the guest account end date is used. The Account Duration starts only when the guest user first logs in. For example, you could create a guest account with a date range that spans one week and if the account duration was 24 hours, they would be able to log in for one 24 hour period any time during that week
  • Account End Date: Option included on the Add Guest Account dialog to determine the date on which the guest account expires. This field is required when a guest account is created.

Propagate Hosts

Controls whether the Propagate Hosts setting is enabled or disabled on the user record for guest users created with this template. If enabled, the record for the host owned by the guest user is copied to all managed FortiNAC appliances. This field is only displayed if the FortiNAC server is managed by a FortiNAC Control Manager.

Login Availability

Select when guests or contractors with this template can login to the network. Login Availability is within the timeframe you specify for the Account Duration.

The available options are:

  • Always
  • Specify Time: If you select this option, a window displays in which you specify the time range and select the days of the week. Click OK.

Guests created using this template are marked "At Risk" for the Guest No Access admin scan during the times they are not permitted to access the network.

URL for Acceptable Use Policy

Optional. Directs the guest or contractor to the page you specify with the network policies when they login.

Resolve URL

Click to acquire the IP addresses for the URLs for Acceptable Use Policy and Successful Landing page. If the URL is not reachable, specify the IP address in the IP address field.

Portal version 1 settings

URL for Successful
Landing Page

Directs the guest or contractor to a certain page when they have successfully logged into the network and passed the scan in an endpoint compliance policy. This field is optional and is used only if you have Portal V1 enabled in portal configuration.

If you are using the portal pages included with FortiNAC and controlled by the content editor in the portal configuration, this field is ignored.

Login availability time

This option allows you to limit network access for a guest or contractor based on the time of day and the day of the week. Any guest associated with a template, can only access the network as specified in the Login Availability field for the template.

If you set times for Login Availability, FortiNAC periodically checks the access time for each guest associated with the template. When the guest is not allowed to access the network the host associated with the guest is marked "At Risk" for the Guest No Access admin scan. When the time is reached that the guest is allowed to access the network, the "At Risk" state is removed from the host. These changes in state occur on the guest host record whether the guest is connected to the network or not. If the guest host connects to the network outside its allowed timeframe, a web page is displayed with the following message: "Your network access has been disabled. You are outside of your allowed time window. To regain network access call the help desk.".

Data fields

Specify which pieces of data will appear on the form the guest or contractor will be required to fill out in the captive portal. For self-registered guests this information is filled out with the request for an account. For Guests with an existing account, this information is filled out after they enter their user name and password on the login page. If the field has a corresponding database field, it is stored there and displayed on the User Properties window. If the field does not have a corresponding database field, it is stored and displayed in the Notes tab of the User Properties window and the Host Properties window. Hover over the field name to display a tool tip indicating where the data entered by the guest will be stored.

  • Required: The data in this field must be entered in order for the guest or contractor to log in.
  • Optional: Appears on the form, but is not required data from the guest or contractor.
  • Ignored: Will not appear on the form.

The E-mail field is required. The fields listed below are default fields that are included with the original setup of guest manager. Field names can be modified by typing over the original name. Therefore, the fields on your template window may not match any of the fields in this list. If you rename a field, the data entered into that field by the guest is still stored in its original location. For example, if you modify the title of the Last Name field to say Mother's Maiden Name, the data is still stored in the Last Name field on the User Properties window.

Field

Definition

Last Name

Maximum length 50 characters. Stored in the Last Name field.

First Name

Maximum length 50 characters. Stored in the First Name field.

Address

Maximum length 50 characters. Stored in the Address field.

City

Maximum length 50 characters. Stored in the City field.

State
(or Province/County)

Standard two-letter state abbreviation, or up to 50 characters. Stored in the State field.

Country

Maximum length 50 characters. Stored on the Notes tab.

Zip or Postal Code

Maximum length of 16. Stored in the Zip Code field.

Email

Email address of the guest or contractor. Stored in the E-mail field.

Note

This field can be modified however FortiNAC expects the contents of the field to be an email address. This field tests for a valid email address and will not allow the user to proceed without one. If the label is something other than email and other types of data are entered, the guest account may not be able to be created.

Phone

Telephone number including international country codes (for example, +1, +44). Maximum length 16. Stored in the Phone field.

Mobile Phone

Mobile Telephone number. Maximum length 16. Stored in the Add/Modify User window.

Mobile Provider

The name of the company that provides the guest with Mobile service. The guest is provided with a list of possible providers. Stored in the Add/Modify User window.

Asset

Text field for computer serial numbers, manufacturer’s name and model number, or any other asset identifier of the guest’s or contractor’s computing platform. Stored in the Serial Number field. Max.length 80 characters.

Reason

The reason for the guest’s or contractor’s visit. Max. length 80 characters. Stored on the Notes tab.

Person Visiting

Maximum length 50 characters. Stored on the Notes tab.

Buttons

Add Field

Click to add new data fields to track additional guest or contractor data, such as license plate numbers or demo equipment details. Maximum length 80 characters.

Type the name of the field in the pop-up window. Select whether to make the field required or optional.

Once new fields have been added they are stored in the Notes tab of the user’s account. To see these fields go to the User Properties window.

Delete Field

Delete a data field from the list. Only those fields that have been created by an administrator can be deleted. System fields can be set to Ignore so they do not display, but cannot be deleted from the template.

Reorder Fields

Changes the order of the fields as they appear in the Guest or Contractor Form. Click this button to reorder account information fields. In the pop-up window, click Move Up or Move Down and OK.

Notes

The Notes tab on the template creation window allows you to provide additional information to guests and contractors. After you have created a Guest or Contractor account, you may want to provide that user with his login information. Login information can be printed, viewed on the screen, sent via text message to a mobile telephone or included in an amalgamate text added on the Notes tab is appended to the guest information included in the printout, email or text message. See Provide login information for additional information.