In this recipe, you create temporary guest accounts that can connect to your WiFi network after authenticating using a captive portal. To make management easier, you also create a separate administrative account that can only be used to manage guest accounts. This example uses a FortiAP in Tunnel mode to provide WiFi access to guests.
1. Creating a WiFi guest user group
To create a guest user group, go to User & Device > User Groups and create a new group.
Set Type to Guest and set User ID to Email.
Under Guest Details, enable Require Email, enable Password, and set the password to Auto Generated.
Under Expiration, set Start Countdown to After First Login and set Time to 5 minutes for testing purposes.
2. Creating a guest SSID that uses captive portal
To create an SSID for guest users, go to WiFi & Switch Controller > SSID and create a new SSID.
Set Traffic Mode to Tunnel to Wireless Controller. Assign an IP/Network Mask to the interface and enable DHCP Server.
Under WiFi Settings, set the following:
- Security Mode to Captive Portal
- Portal Type to Authentication
- User Groups to the guest user group
To broadcast the new SSID, go to WiFi & Switch Controller > FortiAP Profiles and edit the profile used by the FortiAP.
Under Radio 1 set SSIDs to include the new SSID.
3. Creating a security policy for WiFi guests
To allow WiFi guest users to access the Internet, go to Policy & Objects > IPv4 Policy and create a new policy.
Set Incoming Interface to the guest SSID and set Outgoing Interface to your Internet-facing interface. Select Source and set Address to all and User to the guest user group. Set Service to ALL.
Enable NAT.
4. Creating a restricted admin account for guest user management
To simplify guest account creation, you can create an admin account that is only used for guest user management. This allows new accounts to be made as needed without requiring full administrative access to the FortiGate. In this example, the account is made for use by a receptionist.
To create the guest management account, go to System > Administrators and create a new account.
Set a User Name and set Type to Local User. Set and confirm a Password.
Enable Restrict admin to guest account provisioning only and set Guest Group to the WiFi guest user group.
Sign in to the FortiGate using the new admin account. You will only be able to see the menu for Guest User Management.
5. Creating a guest user account
Using the receptionist account, create a guest account.
Set Email to the user’s email address (in the example, ballen@example.com). To test the account, set Expiration to 5 Minutes.
After you select OK, a User Created Successfully notice appears that shows the new account’s Password. This password can then be printed or emailed to the guest user. You can also view the password by editing the user account.
6. Results
On a PC, connect to the guest SSID and attempt to browse the Internet.
When the authentication screen appears, log in using the guest user’s credentials.
After the account is authenticated, you can connect to the Internet.
Five minutes after the initial login, the guest user account will expire and you will no longer be able to log in using those credentials.
Use the receptionist account to log on to the FortiGate. The guest account is listed as Expired.