FortiGate
mzainuddinahm
Article Id 189478

Description

 

This article describes how to set up configuration to collect email addresses for guest access.
 
Scope
 
FortiGate.


Solution

 

Public areas provide free Internet access for customers. 
In this scenario, configuring guest management is not necessary, as customers can access the Wi-Fi access point without logon credentials. 
 
However, consider a scenario where the business wants to contact customers with promotional offers to encourage future patronage.
 
Configuring an email collection portal to collect customer email addresses is possible for this purpose, and configuring a security policy to grant network access only to users who provide a valid email address is also possible.
 
The first time a customer's device attempts a Wi-Fi connection, FortiOS requests an email address and validates it.
The customer's subsequent connections go directly to the Internet without interruption.
 

1. Create an email collection portal.

The customer's first contact with the network is a captive portal that presents a webpage requesting an email address.
Once FortiOS has validated the email address, the MAC address of the customer's device is added to the Collected Emails device group.

To create an email collection portal using the GUI:

 

  • Go to WiFi & Switch Controller -> SSID and edit the SSID.
  • From the Security Mode dropdown list, select 'Captive Portal'.
  • For portal type, select 'Email Collection'.
  • (Optional) In 'Customize Portal Messages', select 'Email Collection'.

 

Note:

By default, this option is hidden and must be enabled under System -> Feature Visibility -> Additional Features.


To create an email collection portal using the CLI:
This example modifies the freewifi WiFi interface to present an email collection captive portal.

 

config wireless-controller vap
    edit freewifi
        set security captive-portal
        set portal-type email-collect
    next
end

 

2. Create a security policy.

Configure a security policy that allows traffic to flow from the Wi-Fi SSID to the Internet interface but only for members of the Collected Emails device group. This policy must be listed first. Unknown devices are not members of the Collected Emails device group, so they do not match the policy.

To create a security policy using the GUI:

 

  • Go to Policy & Objects -> IPv4 Policy and select 'Create New'.
  • Configure the policy as follows:

Incoming Interface  : freewifi
Source Address      : all
Source Device Type  : Collected Emails
Outgoing Interface  : wan1
Destination Address : all
Service             : ALL
Action              : ACCEPT
NAT                 : On

 
  • Select 'OK'.

 

To create a security policy using the CLI, run the following:

 

config firewall policy
    edit 3
        set srcintf "freewifi"
        set dstintf "wan1"
        set srcaddr "all"
        set action accept
        set devices collected-emails
        set nat enable
        set schedule "always"
        set service "ALL"
    next
end

 

Note: 'set devices' is no longer available as of 6.2.x. Instead, use the following in the CLI:

 

config firewall policy
    edit <policy_id>
        set email-collect enable
    next
end

 

Note: If the captive portal page does not appear, the client's request may be arriving over HTTP. In that case, enable HTTP redirect under User & Authentication -> Authentication Settings.

 

3. Check for harvested emails.

To check for harvested emails using the GUI, go to User & Device -> Device Inventory.

To check for harvested emails using the CLI, run the following:

 

diagnose user device list hosts
vd 0 d8:d1:cb:ab:61:0f gen 35 req 30 redir 1 last 43634s 7-11_2-int
ip 10.0.2.101 ip6 fe80::dad1:cbff:feab:610f
type 2 'iPhone' src http c 1 gen 29
os 'iPhone' version 'iOS 6.0.1' src http id 358 c 1
email 'yo@yourdomain.com'
vd 0 74:e1:b6:dd:69:f9 gen 36 req 20 redir 0 last 39369s 7-11_2-int
ip 10.0.2.100 ip6 fe80::76e1:b6ff:fedd:69f9
type 1 'iPad' src http c 1 gen 5
os 'iPad' version 'iOS 6.0' src http id 293 c 1
host 'Joes’s-iPad' src dhcp
email 'you@fortinet.com'
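When auditing which devices have actually passed the portal, it helps to parse this output rather than read it by eye. The following is an added example, not Fortinet code: a small Python parser for the 'diagnose user device list hosts' format shown above (record header on the 'vd' line, optional 'ip', 'os', 'host' and 'email' lines), with a constructed sample that reuses the two records above and adds a third device that has not submitted an email yet.

```python
import re

# Constructed sample: the two records shown above plus a made-up third device that has not submitted an email.
SAMPLE_OUTPUT = """\
vd 0 d8:d1:cb:ab:61:0f gen 35 req 30 redir 1 last 43634s 7-11_2-int
ip 10.0.2.101 ip6 fe80::dad1:cbff:feab:610f
type 2 'iPhone' src http c 1 gen 29
os 'iPhone' version 'iOS 6.0.1' src http id 358 c 1
email 'yo@yourdomain.com'
vd 0 74:e1:b6:dd:69:f9 gen 36 req 20 redir 0 last 39369s 7-11_2-int
ip 10.0.2.100 ip6 fe80::76e1:b6ff:fedd:69f9
type 1 'iPad' src http c 1 gen 5
os 'iPad' version 'iOS 6.0' src http id 293 c 1
host 'Joes-iPad' src dhcp
email 'you@fortinet.com'
vd 0 02:00:00:00:00:01 gen 40 req 3 redir 1 last 12s 7-11_2-int
ip 10.0.2.102
type 2 'Android' src http c 1 gen 2
"""
# Each record starts with a 'vd' header line; the other lines are optional and may be absent.
VD_RE = re.compile(r"^vd (?P<vd>\d+) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) gen \d+ "
                   r"req \d+ redir (?P<redir>[01]) last (?P<last>\d+)s (?P<intf>\S+)$")
FIELD_RES = (
    re.compile(r"^ip (?P<ip>\S+)(?: ip6 (?P<ip6>\S+))?$"),
    re.compile(r"^os '(?P<os>[^']*)' version '(?P<version>[^']*)'"),
    re.compile(r"^host '(?P<host>[^']*)'"),
    re.compile(r"^email '(?P<email>[^']*)'$"),
)

def parse_device_list(text):
    # Turn 'diagnose user device list hosts' output into one dict per device.
    devices, current = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        m = VD_RE.match(line)
        if m:  # new record: fields stay None until a later line fills them
            current = {"vd": int(m["vd"]), "mac": m["mac"], "interface": m["intf"],
                       "redirected": m["redir"] == "1", "last_seen_s": int(m["last"]),
                       "ip": None, "ip6": None, "os": None, "version": None,
                       "host": None, "email": None}
            devices.append(current)
        elif current is not None:  # text before the first header is ignored
            for regex in FIELD_RES:
                m = regex.match(line)
                if m:
                    current.update(m.groupdict())
                    break
    return devices

def collected_emails(devices):
    # MAC -> email for devices that have passed the email collection portal.
    return {d["mac"]: d["email"] for d in devices if d["email"]}
```

Devices missing from collected_emails() are the ones still outside the Collected Emails group, which is what the first security policy above keys on.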

 

For FortiOS 6.4.7 and above, use the following command:

 

diagnose firewall auth mac list