Guest WiFi accounts

In this example, a guest user account will be created to allow temporary wireless access to the Internet. Access will only be allowed using HTTP, HTTPS, and DNS protocols.

In this example, a FortiAP in Tunnel mode is used to provide wireless access to guests.


1. Creating a WiFi guest user group

Go to User & Device > User > User Groups and create a new group.

Set Type to Guest. Set User ID to Email, ensure that Password is set to Auto-Generate, and set Expiry Type to After first login. Leave Default Expiry Time set to 4 Hours.


2. Creating a guest SSID that uses Captive Portal

Go to Wireless Controller > WiFi Network > SSID and create a new SSID.

Set Traffic Mode to Tunnel to Wireless Controller. Assign an IP/Network Mask to the interface and enable DHCP server. Under WiFi Settings, set Security Mode to Captive Portal and User Group(s) to the WiFi guest user group.

Go to Wireless Controller > WiFi Network > FortiAP Profiles and edit the profile for your FortiAP model (in the example, FortiAP-11C).

Set the FortiAP to broadcast the new SSID.


3. Creating a security policy for WiFi guests

Go to Policy & Objects > Policy > IPv4 and create a new policy.

Set Incoming Interface to the guest SSID, Source User(s) to the WiFi guest user group, the Outgoing Interface to your Internet-facing interface, and Service to HTTP, HTTPS, and DNS.


4. Creating a guest user account

Go to User & Device > User > Guest Management and create a new account.

Set Email to the user’s email address (in the example, To test the account, set Expiration to 5 Minutes.

After you select OK, a User Created Successfully notice will appear, listing the generated Password. This password can then be printed or emailed to the guest user.  

(Optional) 5. Creating a restricted admin account for guest user management

To make it easier for guest accounts to be created, an admin account can be made that is only used for guest user management. In this example, the account is made for use by the receptionist.
Go to System > Admin > Administrators and create a new account.

Set Type to Regular and set a Password. Select Restrict to Provision Guest Accounts and set Guest Groups to the WiFi guest user group.

Sign in to the FortiGate using this account. You will only be able to see the menu for Guest User Management.  

6. Results

On a PC, connect to the guest SSID. When the authentication screen appears, log in using the guest user’s credentials. You will be able to connect to the Internet.  
Five minutes after the initial login, the user account will expire and you will no longer be able to log in using those credentials.  

For further reading, check out Managing Guest Access in the FortiOS 5.2 Handbook.

Victoria Martin

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin

Latest posts by Victoria Martin (see all)

Share this recipe:

If you have not already set up a wireless network, see Adding a WiFi network with a FortiAP.

Leave a comment:

Before commenting, please read the site's comment policy. Only questions related to documentation will be answered. For other concerns, please contact Fortinet support.

  • Robert Haddad

    Can I do this using an AP other than fortinet?

    • Victoria Martin

      Hi Robert,

      FortiGates are only able to manage FortiAPs, so a FortiGate with FortiAP or a FortiWiFi is required for this recipe.

      • jitu

        Hi I am using ruckus wi-fi access point, can you let me know how to manage guest users with different access point

        • Victoria Martin

          Hi jitu,

          As I mentioned to Robert, a FortiGate can only manage FortiAPs, so a FortiGate will not be able to manage an AP made by Ruckus.

  • Ahmed Wattar

    Dear Victoria

    Lets say i am covering the whole company with wifi other than FortiAp but am setting the guest SSID to obtain on a cretin range of VLAN IPs that is separate for ex(10.1.x.x) and already configured the route for internet to be the Fortigate box and under policies instate of using (All) for source i used this VLAN scope and setup the users to the guest group would it work ?

  • Bruno Almeida

    Hi Victoria,

    Is it possible to edit the email message that will be send to guest user?

    Thank you,

    Bruno Almeida.

    • Victoria Martin

      Hi Bruno,

      Yes, you can. Go to System > Config > Replacement Messages and select the Extended View. Under Authentication, you’ll find the Guest User Email Template, which you can then edit.

  • Alex Morales

    Hi Victoria, thanks for the input,

    My question is: because when the group is created select an expiry time of 1 hour and to create the guest user we put 5 minutes expiration?

    The expiry time user will be above the expiry time of the group?

    Thank you

    Alex Morales

    • Victoria Martin

      Hello Alex,

      When the guest group is created, you are asked to set a default expiry time. So if you set that time to 1 hour, when you make a new guest user, the account will automatically be set to expire after 1 hour. You can, however, change it to a different time. If the default expiry time and the guest account’s expiry time are different, the time on the guest account will be used.

      • Alex Morales

        Thanks very successful Victoria your answer, I understood the point.

  • rafa

    Can I limit the number of devices that each credential will allow to connect to the SSID?. I mean, I want to limit to 2 devices for each credential I give to the users in order to control, kinda, people that will use our WiFi and the load that will support my AP’s

    • Victoria Martin

      Hi Rafa,

      You can configure the user group to only allow a certain number of concurrent logins. This is done using the following syntax:

      config user group
      set auth-concurrent-override enable
      set auth-concurrent-value

      You can set the value to anything between 1 and 100. If you set it for 0, there will be no limit.

      I hope that helps!

  • ibrahim gad

    how to create mutiple users in gust group in 1 step i cant find this otion i have 300c firmware v5.2.3,build670 (GA)

    • Judith Haney

      Hello Ibrahim, Can you be more specific about which option you cannot find? Are you able to get to User & Device > Users > User Groups? Do you see “Create New” next to the plus sign in the green circle? — If you can provide more specifics, it would be very helpful.

  • hesham

    I want to limit to 2 devices for each user credential I give to the WiFi guest !! how can i do it !

    • Judith Haney

      Hello, You can go through the CLI and use the commands “config system global” and “set policy-auth-concurrent ” to limit the number of concurrent logins from the same user. This would impact all of the users on your network, not just the guests. If you only want to impose this limit on guest users, then you should consider managing guest users in a VDOM. If you need further assistance with configuring this, Fortinet Support is a terrific resource. Be sure to read this document before contacting them: — Hope this helps.

  • Chris

    I’d like to set a maximum time limit on the user account, this is to prevent guest account creation admins from giving their buddies access for 300 days! Is that possible?

    • Victoria Martin

      Hi Chris,

      Unfortunately, there does not seem to be any way to do this.