In this example, you will create guest accounts that can connect to your FortiGate’s WiFi network for a limited amount of time after authenticating using a captive portal. To make management easier, you will also create a separate administrative account that can only be used to create and manage guest accounts.
In this example, a FortiAP in Tunnel mode is used to provide WiFi access to guests.
Find this recipe for other [glossary_exclude]FortiOS[/glossary_exclude] versions
5.2 | 5.4
1. Creating a WiFi guest user group
|
Go to User & Device > User Groups and create a new group.
Set Type to Guest. Set User ID to Email, Password to Auto-Generate, and Expire Type to After first login. Leave Default Expire Time set to 4 Hours.
|
|
2. Creating a guest SSID that uses Captive Portal
|
Go to WiFi & Switch Controller > SSID and create a new SSID.
Set Traffic Mode to Tunnel to Wireless Controller. Assign an IP/Network Mask to the interface and enable DHCP server.
|
|
Under WiFi Settings, set Security Mode to Captive Portal and User Groups to the WiFi guest user group.
|
|
Go to WiFi & Switch Controller > FortiAP Profiles and edit the profile used by the FortiAP.
Set Radio 1 to broadcast the new SSID.
|
|
3. Creating a security policy for WiFi guests
|
Go to Policy & Objects > IPv4 Policy and create a new policy. Give the policy a name that identifies its use.
Set Incoming Interface to the guest SSID, Source User(s) to the WiFi guest user group, Outgoing Interface to your Internet-facing interface, and Service to ALL.
Enable NAT.
|
|
4. Creating a restricted admin account for guest user management
|
To simply guest account creation, an admin account can be made that is only used for guest user management. This allows new accounts to be made as needed without requiring full administrative access to the FortiGate. In this example, the account is made for use by reception staff.
|
Go to System > Administrators and create a new account.
Set a User Name and Password for the account. Set Type to Local User. Select Restrict admin to guest account provisioning only and set Guest Group to the WiFi guest user group.
|
|
Sign in to the FortiGate using the new admin account. You will only be able to see the menu for Guest User Management. |
|
5. Creating a guest user account
|
Using the reception account, create a guest account.
Set Email to the user’s email address (in the example, ballen@example.com). To test the account, set Expiration to 5 Minutes.
|
|
After you select OK, a User Created Successfully notice appears that shows the new account’s Password. This password can then be printed or emailed to the guest user. |
|
6. Results
|
On a PC, connect to the guest SSID and attempt to browse the Internet.
When the authentication screen appears, log in using the guest user’s credentials.
After the account is authenticated, you can connect to the Internet.
|
|
Five minutes after the initial login, the guest user account will expire and you will no longer be able to log in using those credentials. |
Use the reception account to log on to the FortiGate. The guest account is listed as Expired. |
|
For further reading, check out Managing Guest Access in the FortiOS 5.4 Handbook.
The post Guest WiFi accounts appeared first on Fortinet Cookbook.