Guest WiFi accounts


In this example, a guest user account will be created to allow temporary wireless access to the Internet. Access will only be allowed using HTTP, HTTPS, and DNS protocols.

In this example, a FortiAP in Tunnel mode is used to provide wireless access to guests.


1. Creating a WiFi guest user group

Go to User & Device > User > User Groups and create a new group.

Set Type to Guest. Set User ID to Email, ensure that Password is set to Auto-Generate, and set Expiry Type to After first login. Leave Default Expiry Time set to 4 Hours.


2. Creating a guest SSID that uses Captive Portal

Go to Wireless Controller > WiFi Network > SSID and create a new SSID.

Set Traffic Mode to Tunnel to Wireless Controller. Assign an IP/Network Mask to the interface and enable DHCP server. Under WiFi Settings, set Security Mode to Captive Portal and User Group(s) to the WiFi guest user group.

Go to Wireless Controller > WiFi Network > FortiAP Profiles and edit the profile for your FortiAP model (in the example, FortiAP-11C).

Set the FortiAP to broadcast the new SSID.


3. Creating a security policy for WiFi guests

Go to Policy & Objects > Policy > IPv4 and create a new policy.

Set Incoming Interface to the guest SSID, Source User(s) to the WiFi guest user group, the Outgoing Interface to your Internet-facing interface, and Service to HTTP, HTTPS, and DNS.


4. Creating a guest user account

Go to User & Device > User > Guest Management and create a new account.

Set Email to the user’s email address (in the example, To test the account, set Expiration to 5 Minutes.

After you select OK, a User Created Successfully notice will appear, listing the generated Password. This password can then be printed or emailed to the guest user.  

(Optional) 5. Creating a restricted admin account for guest user management

To make it easier for guest accounts to be created, an admin account can be made that is only used for guest user management. In this example, the account is made for use by the receptionist.
Go to System > Admin > Administrators and create a new account.

Set Type to Regular and set a Password. Select Restrict to Provision Guest Accounts and set Guest Groups to the WiFi guest user group.

Sign in to the FortiGate using this account. You will only be able to see the menu for Guest User Management.  

6. Results

On a PC, connect to the guest SSID. When the authentication screen appears, log in using the guest user’s credentials. You will be able to connect to the Internet.  
Five minutes after the initial login, the user account will expire and you will no longer be able to log in using those credentials.  

For further reading, check out Managing Guest Access in the FortiOS 5.2 Handbook.

Victoria Martin

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin

Latest posts by Victoria Martin (see all)

  • Was this helpful?
  • Yes   No
If you have not already set up a wireless network, see Adding a WiFi network with a FortiAP.
  • rafa

    Is there any way to keep a history log fo credentials (and its metadata like email, comments, etc…) that were used?

    • Victoria Martin

      Hi rafa,

      Sorry for the delayed response. There is no way to create a log specifically like the one you’re looking for.

  • Giovani

    Good Morning,

    created the user groups to release a specific time in the guest
    network, but when the receptionist will create the user appears the
    option to change the expiration time.

    Can I block the default expiration time of the password?

    • Victoria Martin

      Hi Giovani,

      Unfortunately, there does not seem to be any way to do this.

  • Joaquin Armando Vazquez Guerre

    how can i setup this captive portal without a FortiAP?

    • Victoria Martin

      A captive portal can be configured on any interface by going to Network > Interfaces, editing the interface, and setting Security Mode to Captive Portal. Once this is done, any traffic hitting this interface will be sent to the portal.

  • peter716

    Can I set unlimited time for guest WIFI ?

    • Victoria Martin

      No, all guest accounts require an expiration period to be set.

  • Chris

    I’d like to set a maximum time limit on the user account, this is to prevent guest account creation admins from giving their buddies access for 300 days! Is that possible?

    • Victoria Martin

      Hi Chris,

      Unfortunately, there does not seem to be any way to do this.

  • hesham

    I want to limit to 2 devices for each user credential I give to the WiFi guest !! how can i do it !

    • Judith Haney

      Hello, You can go through the CLI and use the commands “config system global” and “set policy-auth-concurrent ” to limit the number of concurrent logins from the same user. This would impact all of the users on your network, not just the guests. If you only want to impose this limit on guest users, then you should consider managing guest users in a VDOM. If you need further assistance with configuring this, Fortinet Support is a terrific resource. Be sure to read this document before contacting them: — Hope this helps.

  • ibrahim gad

    how to create mutiple users in gust group in 1 step i cant find this otion i have 300c firmware v5.2.3,build670 (GA)

    • Judith Haney

      Hello Ibrahim, Can you be more specific about which option you cannot find? Are you able to get to User & Device > Users > User Groups? Do you see “Create New” next to the plus sign in the green circle? — If you can provide more specifics, it would be very helpful.

  • rafa

    Can I limit the number of devices that each credential will allow to connect to the SSID?. I mean, I want to limit to 2 devices for each credential I give to the users in order to control, kinda, people that will use our WiFi and the load that will support my AP’s

    • Victoria Martin

      Hi Rafa,

      You can configure the user group to only allow a certain number of concurrent logins. This is done using the following syntax:

      config user group
      set auth-concurrent-override enable
      set auth-concurrent-value

      You can set the value to anything between 1 and 100. If you set it for 0, there will be no limit.

      I hope that helps!

  • Alex Morales

    Hi Victoria, thanks for the input,

    My question is: because when the group is created select an expiry time of 1 hour and to create the guest user we put 5 minutes expiration?

    The expiry time user will be above the expiry time of the group?

    Thank you

    Alex Morales

    • Victoria Martin

      Hello Alex,

      When the guest group is created, you are asked to set a default expiry time. So if you set that time to 1 hour, when you make a new guest user, the account will automatically be set to expire after 1 hour. You can, however, change it to a different time. If the default expiry time and the guest account’s expiry time are different, the time on the guest account will be used.

      • Alex Morales

        Thanks very successful Victoria your answer, I understood the point.

  • Bruno Almeida

    Hi Victoria,

    Is it possible to edit the email message that will be send to guest user?

    Thank you,

    Bruno Almeida.

    • Victoria Martin

      Hi Bruno,

      Yes, you can. Go to System > Config > Replacement Messages and select the Extended View. Under Authentication, you’ll find the Guest User Email Template, which you can then edit.

  • Ahmed Wattar

    Dear Victoria

    Lets say i am covering the whole company with wifi other than FortiAp but am setting the guest SSID to obtain on a cretin range of VLAN IPs that is separate for ex(10.1.x.x) and already configured the route for internet to be the Fortigate box and under policies instate of using (All) for source i used this VLAN scope and setup the users to the guest group would it work ?

  • Robert Haddad

    Can I do this using an AP other than fortinet?

    • Victoria Martin

      Hi Robert,

      FortiGates are only able to manage FortiAPs, so a FortiGate with FortiAP or a FortiWiFi is required for this recipe.

      • jitu

        Hi I am using ruckus wi-fi access point, can you let me know how to manage guest users with different access point

        • Victoria Martin

          Hi jitu,

          As I mentioned to Robert, a FortiGate can only manage FortiAPs, so a FortiGate will not be able to manage an AP made by Ruckus.