Guest WiFi accounts

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

In this example, a guest user account will be created to allow temporary wireless access to the Internet. Access will only be allowed using HTTP, HTTPS, and DNS protocols.

In this example, a FortiAP in Tunnel mode is used to provide wireless access to guests.

 

1. Creating a WiFi guest user group

Go to User & Device > User > User Groups and create a new group.

Set Type to Guest. Set User ID to Email, ensure that Password is set to Auto-Generate, and set Expiry Type to After first login. Leave Default Expiry Time set to 4 Hours.

 

2. Creating a guest SSID that uses Captive Portal

Go to Wireless Controller > WiFi Network > SSID and create a new SSID.

Set Traffic Mode to Tunnel to Wireless Controller. Assign an IP/Network Mask to the interface and enable DHCP server. Under WiFi Settings, set Security Mode to Captive Portal and User Group(s) to the WiFi guest user group.

 
Go to Wireless Controller > WiFi Network > FortiAP Profiles and edit the profile for your FortiAP model (in the example, FortiAP-11C).

Set the FortiAP to broadcast the new SSID.

 

3. Creating a security policy for WiFi guests

Go to Policy & Objects > Policy > IPv4 and create a new policy.

Set Incoming Interface to the guest SSID, Source User(s) to the WiFi guest user group, the Outgoing Interface to your Internet-facing interface, and Service to HTTP, HTTPS, and DNS.

 

4. Creating a guest user account

Go to User & Device > User > Guest Management and create a new account.

Set Email to the user’s email address (in the example, ballen@example.com). To test the account, set Expiration to 5 Minutes.

 
After you select OK, a User Created Successfully notice will appear, listing the generated Password. This password can then be printed or emailed to the guest user.  

(Optional) 5. Creating a restricted admin account for guest user management

To make it easier for guest accounts to be created, an admin account can be made that is only used for guest user management. In this example, the account is made for use by the receptionist.
Go to System > Admin > Administrators and create a new account.

Set Type to Regular and set a Password. Select Restrict to Provision Guest Accounts and set Guest Groups to the WiFi guest user group.

 
Sign in to the FortiGate using this account. You will only be able to see the menu for Guest User Management.  

6. Results

On a PC, connect to the guest SSID. When the authentication screen appears, log in using the guest user’s credentials. You will be able to connect to the Internet.  
Five minutes after the initial login, the user account will expire and you will no longer be able to log in using those credentials.  

For further reading, check out Managing Guest Access in the FortiOS 5.2 Handbook.

Victoria Martin

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin

Latest posts by Victoria Martin (see all)

  • Was this helpful?
  • Yes   No
If you have not already set up a wireless network, see Adding a WiFi network with a FortiAP.