By Manny Fernandez

July 25, 2019

Managing Guest Users in Fortigate Firewalls

Sometimes a company may want to create guest users for wireless or wired connections.  Additionally, companies may want administrators with limited access who can ONLY create guest accounts.

Use Case:

A receptionist greets guests of your organization.  These guests will require Internet access.  The receptionist collects business cards from the guests and uses the information on them to create the accounts.

Steps we will take:

  1. Define a group
  2. Define a restricted administrator
  3. Configure SSID or Wired Captive Portal

Here we go….

Step 1 – Creating the Guest User Group


Let’s start by going to User & Device then choose User Group.

  1. Give the group a descriptive name.
  2. Choose the pre-defined Guest type.
  3. User ID – You can choose Email Address, Auto Generated, or Specify.  I have found email is the simplest.
  4. Required Fields – You can optionally require the administrators to enter name and email.
  5. Password – You can either have the Fortigate autogenerate it or you can specify one.  I have found that Autogenerated is much easier.
  6. Sponsor Information – You can set the information for Sponsor Name and Company as either Optional or Required.
  7. Start Countdown – You can start the countdown either after the creation or after the first login.
  8. Time – This will define what the default will be when they create a user.

Step 2 – Creating the Limited Administrator

Now we will need to create a restricted administrator that will only be allowed to manage guest accounts.

Go to System then Administrators.

  1. Provide a name for the administrator
  2. Choose the Restrict admin to guest account provisioning only radio button.
  3. Choose the Guest Group we created above.
  4. Optionally, you can restrict this user to a Trusted Host.

Step 3 – Logging in as restricted administrator

Now we will log into the Fortigate Firewall using the restricted administrator we created in Step 2.

Step 4 – Portal View

You will notice, upon logging in, that there are limited options.  Let’s choose Create New to create a new guest account.

Step 5 – Creating the guest user

We can see the guest user I am creating.  It contains the Name, Sponsor, Company, my email, and the default suggested expiration time.

Step 6 – Sending out credentials

Once you create the user, you will have the option to either Print or Email the user information.  I will choose the Email option.

Step 7 – Receiving the email

As the email screenshot shows, the following information is provided:

User ID=manny@infosecmonkey.com
Password=skd3maf5
Expires=-14400 seconds after first successful login
User Name=Manny Fernandez
Mobile Phone=none
Sponsor=Tony Stark
Company=InfoSec Monkey
Email=manny@infosecmonkey.com

This is provided to the guest user.

Step 8 – Using what we just created

Step 8 A – Wireless SSID

When you create the SSID, you have the option to change the Security Mode to Captive Portal.  Then you can define which User Group can use this SSID.

Step 8 B – Wired Portal

When you modify the interface, you have the option to change the Security Mode to Captive Portal.  Then you can define which User Group can authenticate on this interface.
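For anyone who prefers to script or audit this rather than click through the GUI, here is the CLI form of Steps 1, 2 and 8 as an added example (not configuration from the article).  The object names (Guest-Users, reception, Guest-WiFi, port3) and the trusted-host address are placeholders I chose; the CLI keywords are the ones that correspond to the GUI options described above on FortiOS 6.x.

```fortios
# Added example, not the article's own config: the CLI form of Steps 1, 2 and 8.
# Assumed names: group "Guest-Users", admin "reception", SSID "Guest-WiFi",
# wired interface "port3", trusted host 192.0.2.10/32 (all placeholders).

# Step 1: guest group (GUI: User & Device > User Group, type Guest)
config user group
    edit "Guest-Users"
        set group-type guest
        set user-id email                        # User ID = Email Address
        set password auto-generate               # Password = Autogenerated
        set user-name enable                     # Required Fields: name
        set sponsor optional                     # Sponsor Name optional
        set company optional                     # Company optional
        set expire-type first-successful-login   # Start Countdown after first login
        set expire 14400                         # default lifetime in seconds (4 hours)
    next
end

# Step 2: restricted administrator (GUI: System > Administrators,
# "Restrict admin to guest account provisioning only")
config system admin
    edit "reception"
        set guest-auth enable                    # the restriction itself
        set guest-usergroups "Guest-Users"       # only this group is manageable
        set trusthost1 192.0.2.10 255.255.255.255   # optional Trusted Host
        set password <set-at-creation>           # placeholder; set a strong password
    next
end

# Step 8A: SSID with captive portal limited to the guest group
config wireless-controller vap
    edit "Guest-WiFi"
        set ssid "Guest-WiFi"
        set security captive-portal
        set selected-usergroups "Guest-Users"
    next
end

# Step 8B: wired interface with captive portal limited to the guest group
config system interface
    edit "port3"
        set security-mode captive-portal
        set security-groups "Guest-Users"
    next
end
```

After applying this, `show system admin reception` should list `guest-auth enable` and only the guest group, which is the quickest way to confirm the receptionist account cannot touch anything else.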

Hope this helps
