Guest Portals

The following section describes how to configure custom guest portals on a per customer or per AP/Controller basis.

Portals are assigned RADIUS clients and profiles and can permit certain pre-login and post-login services for users (such as password reset and token registration). Rules and replacement messages can also be configured.

Portals

Guest portal configuration is available under Authentication > Guest Portals > Portals.

To configure a guest portal:
  1. Select Create New to configure settings for a new guest portal.

  2. Enter the following information:

Name: A name to identify the guest portal.

URL: The URL of the guest portal, in the format of:

https://<FAC IP/FQDN>/guests

Description: Optionally, enter information about the guest portal.

MAC device HTTP parameter: Select one of the HTTP parameters available to use for this guest portal:

  • usermac
  • apmac
  • apip
  • userip
  • ssid
  • apname
  • bssid
  • server_ip
  • station_mac
  • station_ip
  • apid
  • ap_nodeid
  • ap_location
  • ap_floor
  • ap_building
  • ap_mac
  • grant_url

This field must be configured if this portal's Authentication type is set to Device only (MAC address).

Profile Configuration: Assign one or more RADIUS clients and profiles to the portal.

General: Assign an SMS gateway for self-registered users.

Authentication: Select either User credentials or Device only (MAC address) as the authentication type:

User credentials: Selected by default, this option requires local or remote user account credentials, or social site credentials:

  • Account login: Authentication with local or remote user account credentials.
  • Social login: Authentication with social site credentials (OAUTH), phone number or email. If the RADIUS client is a FortiWLC controller, appropriate firewall pinholes should be added under Authentication > Captive Portal > General > FortiWLC Wireless Controller.
    Once enabled, you can optionally determine whether the social account expires after a certain amount of time (measured in minutes, hours, days, weeks, or months). In addition, various social login platforms become available, for which you can enter their respective Key and Secret, including Facebook, Google, Twitter, and LinkedIn, as well as login with phone number or email address.
    Once a social login has been successfully completed on the guest portal via OAUTH, email, or SMS, a social login user account is created under Authentication > User Management > Social Login Users.

Device only (MAC address): When this option is enabled, the "MAC device HTTP parameter" must also be configured.
When using device only authentication, the endpoint will not be presented with the login page. Instead, the FAC will only use the endpoint device's MAC address for authentication purposes.
If the associated RADIUS client profile has MAC device filtering enabled, the MAC address is authenticated according to those settings. If MAC device filtering is disabled, any MAC address is accepted.

Optionally, you can determine whether the device account expires after a certain amount of time. To configure, enable the checkbox, enter a value, and select either minute(s), hour(s), day(s), week(s), or month(s).

Pre-login Services: Configure various pre-login services to permit to users.

  Disclaimer: Enable or disable the appearance of a disclaimer to the end-user that must be accepted before proceeding to the login page. To configure the disclaimer, edit the Login Disclaimer Page replacement message under Authentication > Guest Portals > Replacement Messages.

  Password Reset: Enable or disable the pre-login password reset link.

  Account Registration: Select to configure various user account registration options:

  • Require administrator approval: Enable/disable whether the user requires administrator approval. If enabled, select whether to send admin approval emails to freeform addresses or to specific email accounts.
  • Account expires after: Enable/disable account expiration. If enabled, enter the time after which the account expires, selecting hours, days, months, or years from the dropdown menu.
  • Use mobile number as username: Determine whether to require the user's mobile number as their username.
  • Place registered users into a group: Determine whether to place registered users into a group from the dropdown menu.
  • Password creation: Determine whether the user's password is user-defined or randomly generated.
  • Send account information via: Determine whether the user's account information is sent to them by SMS or email.
  • Required field configuration: Configure which fields the user is required to enter (First name, Last name, Email address, and Mobile number are enabled by default).

  Usage Extension Notifications: Allow users who exceeded their time and/or data usage to request an extension via an email notification.

Post-login Services: Configure various post-login services to permit to users.

  Profile: Select to determine whether authenticated users can view/edit their account information.

  Password Change: Select to determine whether local and/or remote users have the ability to change their passwords once logged in.

  Token Registration: Select to configure FortiToken Mobile self-provisioning privileges.

  Smart Connect: Select to assign a Smart Connect profile. See Smart Connect Profiles for more information.

  3. Select OK to add the new guest portal.
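
A pre-deployment check for the MAC device HTTP parameter setting described above, as an added example that is not FortiAuthenticator code: it confirms that a redirect URL captured from the AP/controller carries the parameter the portal is configured to read, exactly once, with a well-formed MAC address. The host name, sample URLs, and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Names from the portal's "MAC device HTTP parameter" list.
PORTAL_PARAMS = {
    "usermac", "apmac", "apip", "userip", "ssid", "apname", "bssid",
    "server_ip", "station_mac", "station_ip", "apid", "ap_nodeid",
    "ap_location", "ap_floor", "ap_building", "ap_mac", "grant_url",
}

def normalize_mac(value):
    """Return aa:bb:cc:dd:ee:ff for common MAC notations, or None."""
    digits = re.sub(r"[:\-.]", "", value.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def check_redirect(url, mac_param):
    """Return (ok, detail); detail is the normalized MAC or the failure reason."""
    if mac_param not in PORTAL_PARAMS:
        return False, "parameter is not in the portal's list"
    parts = urlsplit(url)
    # Assumption: the redirect targets the https://<FAC IP/FQDN>/guests format.
    if parts.scheme != "https" or not parts.path.startswith("/guests"):
        return False, "URL is not an https://.../guests portal URL"
    values = parse_qs(parts.query, keep_blank_values=True).get(mac_param, [])
    if len(values) != 1:
        return False, f"expected exactly one '{mac_param}' value, got {len(values)}"
    mac = normalize_mac(values[0])
    if mac is None:
        return False, f"'{mac_param}' does not contain a MAC address"
    return True, mac

# Constructed sample redirects (fac.example.test is a placeholder host).
SAMPLES = [
    ("https://fac.example.test/guests?usermac=00-11-22-AA-BB-CC&ssid=guest", "usermac"),
    ("https://fac.example.test/guests?station_mac=0011.22aa.bbcc", "usermac"),
    ("https://fac.example.test/guests?usermac=a&usermac=b", "usermac"),
]

if __name__ == "__main__":
    for url, param in SAMPLES:
        print(param, check_redirect(url, param))
```

A mismatch such as the second sample (controller sends station_mac, portal reads usermac) is the case to catch before enabling Device only (MAC address) authentication.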

Rules

Portal rule configuration is available under Authentication > Guest Portals > Rules.

To configure portal rules:
  1. Select Create New to configure new portal rules.
  2. Enter the following information:
Note that the Conditions section is only available for configuration after the rule has been created by selecting OK.

General: Configure the portal rule's general information, including its name and action.

  Name: A name to identify the portal rule.

  Description: Optionally, enter information about the portal rule.

  Action: Determine the action to take for the rule: assign a guest portal or assign no portal for the rule.

Conditions: Select Add Condition to configure portal rule attributes.

Note that these attributes can be defined either to match the settings below or to not match them (see the Not checkbox).

  Parameter: Select and/or define new Uniform Resource Identifier (URI) parameters.

  Operator: Select an operator for the portal rule attribute.

  Value: Enter a portal rule attribute value.

  3. Select OK to add the new portal rule.

Replacement Messages

Guest portal replacement message mappings are available under Authentication > Guest Portals > Replacement Messages.

The replacement messages are split into four categories: Authentication, Password Reset, User Registration, and Post-Login.

Selecting a specific message will display the text and HTML or plain text of the message in the lower half of the content pane.

Selecting Toggle Tag List will display a table of the tags used for that message atop the message’s HTML or plain text box.

To edit a replacement message:
  1. Select a message in the replacement message list.
  2. Edit the plain text or HTML code in the lower right pane, or select the open in new window icon to edit the message in a new browser window.
  3. When you are finished editing the message, select Save to save your changes.
  4. If you have made an error when editing the message, select Restore Default to restore the message to its default value.

Manage Images

Images can be managed by selecting Manage Images in the Replacement Messages window. Images can also be added, deleted, and edited.

To add an image:
  1. In the manage images screen, select Create New to open the Create New Image window.
  2. Enter a name for the image in the Name field.
  3. Select Browse..., find the GIF, JPEG, or PNG image file that you are adding, and then select Open. The maximum image size is 65kB.
  4. Select OK to add the image.
To delete an image:
  1. In the manage images screen, select an image, then select Delete.
  2. Select Yes, I’m sure in the confirmation window to delete the image.
To edit an image:
  1. In the manage images screen, select an image, then select Edit.
  2. In the Edit Image window, edit the image name and file as required.
  3. Select OK to apply your changes.

Smart Connect Profiles

Smart Connect profiles are available under Authentication > Guest Portals > Smart Connect Profiles.

This feature provides the ability to set up network settings (such as WiFi configuration) on an endpoint by downloading a script or an executable (depending on the endpoint's OS) via the FAC's guest portal. In this initial release, iOS and Mac OS are supported.

Once configured, the Smart Connect feature will show up as a new button on the guest portal's post-login main page.

When clicking on the Smart Connect button, the user is given the option to download a self-install file for the OS type of their choice, including iOS, Android, Windows, and Linux. A Device ID can also be entered; however, this is only available if the Smart Connect profile uses EAP-TLS. If entered, the ID will be used to generate the end-user certificate.

To configure a Smart Connect profile:
  1. Select Create New to start the profile configuration wizard.
  2. Enter a Name and select Next (Wireless is the only Connect type that can be configured).
  3. Enter an SSID and select the Auth method to use: WPA2 Personal or WPA2 Enterprise. You can optionally enable or disable Hidden SSID to show or hide the SSID. When finished, select Next.
  4. Enter a Pre-shared Key, then select Next.
  5. You will see the Review All Settings page, where you can review and change any of the previously set options, and define more settings.
  6. Select OK to apply your options and finish the configuration.

Once created, a Smart Connect profile can be associated with a guest portal and be available as a post-login service (see Post-login Services under Portals).