
Administration Guide


Implementation

Guest manager is implemented at several levels. The initial setup is done by a FortiNAC administrator. Guest and contractor accounts are created and managed by an administrator called a sponsor. Finally, guests and contractors themselves follow a login process.

Administrators

Administrators have full rights to all parts of the FortiNAC system and can fully implement guest manager without needing a sponsor user to create accounts. However, in most organizations these responsibilities are divided up.

  • Make sure that email settings for your FortiNAC server or control server have been configured. If they are not configured, you will not be able to send email to guests with their account credentials.
  • If you intend to use endpoint compliance policies and scan guests' and contractors' computers, set up the policies before creating templates.
  • Each guest account that is created must be associated with a template that controls configuration details about that account, such as how long the account is valid or when the guest can access the network. Guest account types include guest, contractor, conference, and self-registered guest. See Guest/contractor templates.
  • Guest manager templates allow you to limit guest access to the network based on time of day or day of week. During the time that the guest is not allowed to access the network, it is marked "At Risk" for the Guest No Access admin scan. If you choose to implement this feature for any template, the following requirements must be met:
    • You must have a quarantine or remediation VLAN on your network.
    • Under System > Settings > Quarantine, enable the quarantine VLAN option.
    • Ports through which a guest would connect must be in the Forced Remediation Group (applies only to wired ports).
    • The Model Configuration for all switches to which guests connect must have an entry for the quarantine VLAN. This applies to both wired and wireless switches and access points.
  • Administrator profiles control what administrators can do when they are working in FortiNAC. If you intend to have an administrator create and manage guest accounts, you must create an administrator profile to provide that user with the appropriate permissions. Sponsor profiles determine whether the sponsor can manage guest accounts, Kiosk Accounts, or self-registered guest accounts.
  • Create any administrators or sponsors that will be responsible for creating and managing guests. Administrators can also be created and associated with an administrator profile automatically based on users and groups in your directory.
  • To force guests and contractors to register and/or authenticate when they connect to the network, the ports to which they connect must be in a controlled access group such as Forced Registration.
  • When guests or contractors connect to the network, they are presented with a registration page. This page can be set up either by editing the existing registration pages directly (Portal V1) or by using the portal configuration content editor (Portal V2).
  • If you would like to provide guests with badges containing their login credentials, you must make sure the printer is set up correctly.
  • If you would like to send guests their login credentials via an SMS message, enable any necessary Mobile Providers. See Mobile providers. For guest account, enter Self Registered Guest. SMS messages are enabled by default and require that you enable Mobile Providers.
  • If you decide to use network access policy features of FortiNAC, you must configure user/host profiles that correspond to guests. Then map a user/host profile to a network access configuration using a network access policy. See Network access policies for additional information.

Sponsors

Sponsors have the following responsibilities. Administrators can also perform these functions.

  • When all of the preliminary setup steps have been completed, either the sponsor or the administrator can create guest/contractor accounts.
  • If the self registration requests permission has been granted, sponsors can also approve or deny account requests from guests using the self-registration feature.
  • To facilitate your guests' connection to the network, you must give them information about their login credentials.
  • If you are managing a large group of guests or contractors, you can use the Locate feature to find and manage guests. See Locate.

Sponsors with management permissions in their administrator profile can locate guests, contractors, registered hosts, and other sponsors.

Sponsors who are limited in their administrator profile to managing their own hosts cannot search for any other hosts. The Sponsor field in the Locate screen is automatically filled in with the sponsor’s name and cannot be changed.
