BYOD for a user with multiple wireless devices

In this example, you will make a FortiOS security policy that requires both user and device authentication, so that known users can only access the network when they are using known devices.

Using a combination of user and device authentication improves security in BYOD environments. Any authenticated user can connect through wireless, using any wireless device that is included in the device group specified in the policy. Thus, the BYOD policy can even support a user with multiple devices.

1. Create users and a user group

Go to User & Device > User > User Definition and create a Local user.

Create additional users as needed. You can use any authentication method.

 
 

Go to User & Device > User > User Groups.

Create a user group for employees and add the new user(s) to the group.

 

2. Create devices and a device group

Go to User & Device > Device > Device Definitions and enter the user’s device information.

Go to User & Device > Device > Device Groups. Create a device group and add the user’s devices to it.

3. Configure WiFi security

Go to WiFi Controller > WiFi Network > SSID and configure your wireless network for WPA-Enterprise authentication using the employees user group.  
 

4. Create the security policy

Go to Policy & Objects > Policy > IPv4 and create a policy to enable traffic from the WiFi interface to the Internet (in the example, wan1) and office LAN (in the example, Internal) interfaces.

Restrict the policy to allow only the employees user group and the staff devices device group. Traffic is accepted only when both conditions match.
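The CLI equivalent of steps 2 and 4, as an added example that is not part of the original recipe. It assumes FortiOS 5.2 CLI syntax; the SSID interface name `example-wifi`, the device name `rgreen-tablet` and the MAC address (taken from the documentation range) are constructed placeholders.

```fortios
# Step 2: define the known device and place it in the device group.
# Device name and MAC address are placeholders for illustration.
config user device
    edit "rgreen-tablet"
        set mac 00:00:5e:00:53:01
    next
end

config user device-group
    edit "staff devices"
        set member "rgreen-tablet"
    next
end

# Step 4: policy from the WiFi interface to the Internet.
# "groups" and "devices" are both set, so a session must match
# the user group AND the device group to be accepted.
# "example-wifi" is an assumed name for the SSID interface.
config firewall policy
    edit 0
        set srcintf "example-wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "employees"
        set devices "staff devices"
        set nat enable
    next
end
# Repeat the policy with the office LAN interface as dstintf
# (without NAT) to allow access to the internal network.
```

Leaving out either `set groups` or `set devices` turns the policy back into a single-factor check, so review both fields whenever the policy is edited.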

 
 

5. Results

User rgreen can connect to the Internet using the rgreen tablet that belongs to the staff devices group.

Go to Policy & Objects > Monitor > Policy Monitor to see the security policy in use.

 

Attempts to access the Internet fail if any of the following are true:

  • the user does not belong to the employees user group
  • the device does not belong to the staff devices group

For further reading, check out Deploying Wireless Networks in the FortiOS 5.2 Handbook.