Administration Guide

Roaming guests

Use roaming guests to configure a list of local domains for your local network users. Users who connect and attempt to authenticate with a fully qualified domain name that is NOT on this list are treated as roaming guests. This feature was developed to accommodate organizations that meet at each other's sites frequently, such as an educational consortium or a business development group. It supports eduroam for participating universities.

This feature can only be used for wireless 802.1x connections.

Note

The eduroam hierarchy consists of RADIUS servers at the participating institutions, national RADIUS servers run by the National Roaming Operators, and regional top-level RADIUS servers for individual world regions. When a user A, from institution B, in country C with two-letter country-code top-level domain xy, visits institution P in country Q, A's mobile device presents A's credentials to the RADIUS server of institution P. That RADIUS server discovers that it is not responsible for the Institution_B.xy realm and proxies the access request to the national RADIUS server of country Q. If C and Q are different countries, the request is in turn proxied to the regional top-level RADIUS server, and then to the national RADIUS server of country C, which has a complete list of the participating eduroam institutions in that country. That national server forwards the credentials to the home institution B, where they are verified. The acknowledgement travels back over the proxy hierarchy to the visited institution P and the user is granted access.

RADIUS configuration

Configure the third-party RADIUS server that is local to the site with the remote RADIUS servers to which it should proxy authentication requests for users who are not part of one of your local domains.

Note: The FortiNAC Local RADIUS Server feature introduced in 8.8 does not support the Roaming Guests feature. A third-party RADIUS server must be used.

Model configuration

Modify the Model Configuration of any wireless device to which your roaming guests will connect. Specific treatment can be configured for roaming guests in the Model Configuration. This controls network access, such as the VLAN in which the host is placed, or access can be denied for roaming guests on a particular device. See the information for the Host State field in Model configuration.

Roaming guests cannot be controlled at the SSID level, only at the device level.

Local domains

Configure the list of local domains. This allows FortiNAC to distinguish between local users and roaming guests. See Add Local Domains below for instructions.
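
The local-versus-roaming decision and the proxy chain described in the Note above, as an added Python example; it is not Fortinet code and does not reproduce FortiNAC's internal matching. The domain names, the `qq` country code, the hop labels, exact case-insensitive matching, and the separate `no-realm` result for identities without a domain are all assumptions made for illustration.

```python
# Added illustration; names and matching rules are assumptions, not FortiNAC code.
LOCAL_DOMAINS = {"campus-p.example.qq"}  # constructed "local domains" list


def realm_of(identity):
    """Return the lower-cased realm of a user@realm identity, or None."""
    user, sep, realm = identity.strip().rpartition("@")
    realm = realm.rstrip(".").lower()  # tolerate a trailing dot and mixed case
    if not sep or not user or not realm:
        return None
    return realm


def classify(identity, local_domains=LOCAL_DOMAINS):
    """Return 'local', 'roaming-guest', or 'no-realm' (a case the page leaves open)."""
    realm = realm_of(identity)
    if realm is None:
        return "no-realm"
    # Assumption: exact match only, so a subdomain must be listed separately.
    if realm in {d.lower() for d in local_domains}:
        return "local"
    return "roaming-guest"


def proxy_path(identity, visited_country, local_domains=LOCAL_DOMAINS):
    """List the RADIUS hops an access request takes, following the Note."""
    if classify(identity, local_domains) != "roaming-guest":
        return ["visited-institution"]  # not proxied into the hierarchy
    realm = realm_of(identity)
    home_country = realm.rsplit(".", 1)[-1]
    if "." not in realm or len(home_country) != 2:
        raise ValueError("the Note only covers realms under a ccTLD: " + realm)
    visited = visited_country.lower()
    hops = ["visited-institution", "national:" + visited]
    if home_country != visited:
        # Different countries: go up to the regional top level, then down.
        hops += ["regional-top-level", "national:" + home_country]
    hops.append("home:" + realm)
    return hops


if __name__ == "__main__":
    for ident in ("bob@campus-p.example.qq", "alice@inst-b.example.xy"):
        print(ident, classify(ident), proxy_path(ident, "qq"))
```

Under the exact-match assumption, an identity such as `eve@lab.campus-p.example.qq` is classified as a roaming guest unless that subdomain is itself on the list, so every realm your own users present should be checked against the configured local domains.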

Notes

  • Roaming guests may require a supplicant for the wireless connection. This supplicant cannot be configured by FortiNAC. Easy Connect Supplicant Policies cannot be used for roaming guests because roaming guests are placed in a special network, based on the settings in the Model Configuration, before the host can be evaluated and assigned a Supplicant Policy.
  • Device profiler automatic registration settings are suspended for roaming guests.
  • Roaming guests age out of the database in 24 hours.
  • If a Roaming Guest logs into a host registered to a local user, the host is treated like a Roaming Guest.
  • If a Roaming Guest logs into an existing Roaming Guest host, they are treated as a Roaming Guest.
  • If a Roaming Guest has a Persistent Agent installed on their host from their own FortiNAC system, there is no impact on your FortiNAC server.

Connection process

When a Roaming Guest connects to the network, the process is as follows:

  1. FortiNAC proxies the request to a local corporate RADIUS server.
  2. The local RADIUS server queries the appropriate remote RADIUS server for the domain name contained in the login information. The remote RADIUS servers must be configured within your corporate RADIUS server to allow the authentication request to be proxied to the correct server.
  3. The remote RADIUS server replies to the local corporate RADIUS server.
  4. That reply is sent to FortiNAC.
  5. FortiNAC registers the host in the database as a device and allows the user to connect to the network. The user is shown as a logged-in user.
  6. Users are placed in a special group called Roaming Guest Users.
  7. Hosts are placed in a special group called Roaming Guest Hosts.

Add local domains

  1. Click System > Settings.
  2. Expand the Authentication folder.
  3. Select Roaming Guests from the tree.
  4. Click Add.
  5. Enter a domain name.
  6. Click OK.
