Chapter 3 Authentication for FortiOS 5.0 : Managing Guest Access : Guest access in a retail environment : Implementing email harvesting
  
Implementing email harvesting
The customer’s first contact with your network will be with a captive portal which presents a web page requesting an email address. When FortiOS has validated the email address, the customer’s device MAC address is added to the Collected Emails device group.
You need to configure a device policy that allows traffic to flow from the WiFi SSID to the Internet interface. Within that policy, you need an authentication rule to allow members of the Collected Emails device group to access the Internet. This rule must be listed first. Unknown devices are not members of the Collected Emails device group, so they don’t match the rule.
You also need to select Prompt E-mail Collection Portal for all devices.
To create the device policy
1. Go to Policy > Policy > Policy and select Create New.
2. Enter the following information:
    Policy Type           Firewall
    Policy Subtype        Device Identity
    Incoming Interface    wifi
    Source Address        all
    Outgoing Interface    wan1
    Enable NAT            Enable
You are now ready to create the authentication rule.
To create the authentication rule - web-based manager
1. In Configure Authentication Rules, select Create New and enter:
    Destination Address                all
    Device                             Collected Emails
    Compliant with Endpoint Profile    not selected
    Schedule                           always
    Service                            ALL
    Action                             ACCEPT
2. Select OK.
3. If asked, confirm that you accept that FortiOS will enable device identification on the source interface.
4. In Device Policy Options, select Prompt E-mail Collection Portal for all devices.
5. Optionally, customize authentication messages.
6. Select OK to complete configuration of the security policy.
To create the authentication rule - CLI
    config firewall policy
      edit 3
        set srcintf "wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set action accept
        set email-collection-portal enable
        set identity-based enable
        set identity-from device
        set nat enable
        config identity-based-policy
          edit 1
            set schedule "always"
            set dstaddr "all"
            set service "ALL"
            set devices "collected-emails"
        end
    end
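
The following is an added example, not part of the original FortiOS documentation: a Python check that parses a "config firewall policy" section and reports when the email collection portal is not enabled or when the first authentication rule is not the Collected Emails group, the two conditions the procedure above depends on. It assumes the input contains only that config section; the device group staff-laptops is hypothetical.

```python
import shlex

# Constructed samples: GOOD is the page's CLI policy, trimmed to what is audited.
GOOD = """
config firewall policy
edit 3
set srcintf "wifi"
set dstintf "wan1"
set email-collection-portal enable
set identity-based enable
set identity-from device
config identity-based-policy
edit 1
set devices "collected-emails"
end
end
"""
BAD = (GOOD.replace("portal enable", "portal disable")  # portal switched off
           .replace("collected-emails", "staff-laptops"))  # hypothetical group

def parse_policies(text):
    """Parse a 'config firewall policy' section; sub-rules keep listed order."""
    policies, depth = [], 0
    for tok in filter(None, map(shlex.split, text.splitlines())):
        word, args = tok[0], tok[1:]
        if word == "config":
            depth += 1
        elif word == "end":
            depth -= 1
        elif word == "edit" and depth == 1:
            policies.append({"id": args[0], "rules": []})
        elif word == "edit" and depth == 2:
            policies[-1]["rules"].append({"id": args[0]})
        elif word == "set":
            target = policies[-1]["rules"][-1] if depth == 2 else policies[-1]
            target[args[0]] = args[1:]
    return policies

def audit(policy):
    """Return findings; an empty list means the policy matches the page's setup."""
    findings = []
    for key, want in (("email-collection-portal", "enable"),
                      ("identity-based", "enable"), ("identity-from", "device")):
        if policy.get(key) != [want]:
            findings.append(f"{key} is not {want}")
    rules = policy["rules"]
    if not rules or rules[0].get("devices") != ["collected-emails"]:
        findings.append("first rule is not for the collected-emails group")
    return findings
```

Calling audit(parse_policies(GOOD)[0]) returns an empty list, while the BAD variant yields one finding for the disabled portal and one for the rule order.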