Administration Guide

Guest/contractor templates

As an administrator, you control guest, contractor, conference, and self-registration accounts by creating templates for each account type. The templates include privileges you specify, such as account duration, and credential requirements. Each time a visitor account is created, one of these templates must be applied.

The templates you define:

  • Restrict or allow certain privileges for the sponsors who create guest, contractor, and conference accounts.
  • Ensure that sponsors set up appropriate accounts for guests and contractors.
  • Define the number of characters in the automatically generated passwords.
  • Make sure data from the guest or contractor is provided to the sponsor.

You may grant sponsor privileges to an administrator who uses the templates to create and manage temporary guest and contractor accounts. Sponsors may also provide account details to guests by email, SMS message or printout. The entire process, from account creation to guest network access, is stored for audit and reporting.

From the Guest/Contractor Templates window you can add, delete, modify or copy templates.

Settings

Field

Definition

Name

Descriptive name for the template. Sponsors use this name when they select a template to create accounts.

Visitor Type

User type for the template. Corresponds to the account types of Guest and Contractor so that the correct view is presented to the user.

Role

Role is an attribute added to the user and the host. Roles can be used in user/host profiles as a filter. Note that these roles must first be configured in the Role Management view. If they are not configured, no role-based restrictions apply. Any additional roles you have configured are also listed here. The available default options are Contractor, Guest and NAC-Default. If you have not configured a Guest or Contractor role, any Host you register has the NAC-Default common role applied to it.

See Visitor types. For more on roles, see Role management.

Authentication

Indicates type of authentication used for Guests or Contractors associated with this template. Options include:

Local: User name and password credentials are stored in the local database.

Note: For Conference accounts, authentication is Local only.

LDAP: The email of the user is required, and is what guests and contractors use to log in. The email address maps to the created Guest user. When the email address is located in the LDAP directory, it is compared with the given password for the user. If it matches, the guest or contractor’s credentials are accepted and they are granted access.

RADIUS: Checks your RADIUS server for the email address (required) in the user's created account. If a match is found, it is compared with the given password for the user. If it matches, the guest or contractor’s credentials are accepted and they are granted access.

Login Availability

Indicates when guests or contractors with this template can log in to the network. Login Availability is within the timeframe you specify for the Account Duration. The available options are:

  • Always
  • Time range

Guests created using this template are marked "At Risk" for the Guest No Access admin scan during the times they are not permitted to access the network.

Password Length

Required length of guest or contractor passwords. Must be between 5 and 64 characters.

Account Duration

There are two methods that work together for determining the length of time a guest account is active. The shortest duration of the two is the one that is used to remove a guest account from the database.

Account Duration (Hours): Option included in the guest template to limit the time a guest account created with this template remains in the database. If this is blank, the guest account end date is used. The Account Duration starts only when the guest user first logs in. For example, you could create a guest account with a date range that spans one week; if the account duration was 24 hours, the guest would be able to log in for one 24-hour period at any time during that week.

Account End Date: Option included on the Add Guest Account dialog to determine the date on which the guest account expires. This field is required when a guest account is created.

Reauth Period (hours)

Number of hours the guest or contractor can access the network before reauthentication is required.

Security & Access Value

User-specified text associated with guests created using this template that can be used as a filter. Used to assign a policy to a guest by filtering for this value.

Password Exclusions

List of characters that will not be included in generated passwords.

Last Modified By

User name of the last user to modify the template.

Last Modified Date

Date and time of the last modification to this template.
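
The interaction of Account Duration, Account End Date and Login Availability described in the table above, modeled as an added example for reviewing template settings (this is not FortiNAC code). The function names, the daily start/end form of the time range, and the sample dates are assumptions made for illustration.

```python
from datetime import datetime, time, timedelta

def removal_time(end_date, duration_hours=None, first_login=None):
    """When the guest account is removed: the shorter of the two limits.

    duration_hours=None models a blank Account Duration (end date is used).
    first_login=None means the duration clock has not started yet.
    """
    if duration_hours is None or first_login is None:
        return end_date
    return min(end_date, first_login + timedelta(hours=duration_hours))

def login_decision(now, end_date, duration_hours=None, first_login=None, window=None):
    """Return 'allowed', 'expired' or 'outside-login-availability'.

    window=None models Login Availability "Always"; otherwise it is a
    (start, end) pair of datetime.time values (assumed daily time range).
    """
    if now >= removal_time(end_date, duration_hours, first_login):
        return "expired"
    if window is not None:
        start, end = window
        t = now.time()
        # A range such as 22:00-06:00 wraps past midnight.
        inside = start <= t < end if start <= end else (t >= start or t < end)
        if not inside:
            return "outside-login-availability"
    return "allowed"

if __name__ == "__main__":
    # Constructed sample: one-week account, 24-hour duration, 08:00-18:00 logins.
    end = datetime(2024, 3, 8, 0, 0)
    hours = (time(8, 0), time(18, 0))
    first = datetime(2024, 3, 4, 9, 0)
    print(removal_time(end, 24, first))
    print(removal_time(end, 24, datetime(2024, 3, 7, 18, 0)))
    print(login_decision(datetime(2024, 3, 4, 20, 0), end, 24, first, hours))
    print(login_decision(datetime(2024, 3, 5, 10, 0), end, 24, first, hours))
```

A first login late in the date range is cut short by the end date, which is why the second call returns the end date rather than a full 24 hours after login.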

Right click menu options

Export

Exports data to a file in the default downloads location. File types include CSV, Excel, PDF, or RTF. See Export data.

Copy

Copy the selected Template to create a new record.

Delete

Deletes the selected Template. Accounts that were created with the template prior to deletion are still valid and retain the data that was in the template.

Modify

Opens the Modify Guest/Contractor Template window for the selected template.

Show Audit Log

Opens the admin auditing log showing all changes made to the selected item.

For information about the admin auditing log, see Admin auditing.

Note: You must have permission to view the admin auditing log. See Add an administrator profile.

Used By

Displays a list of users, by administrator profile, that are associated with the selected template. Click a specific administrator profile to see the associated users. To select more than one profile, use the Ctrl key.
