Description
This article describes how to configure Captive Portal with Guest Management in two ways: Policy-based Captive Portal and Interface-based Captive Portal.
Scope
FortiGate.
Solution
Step 1: Creation of Guest User Group:
In order to create guest users, a guest user group will first be needed as this is a prerequisite in Guest Management.
To start, go to User & Authentication -> User Groups then create a User Group (type : Guest).
There will be an option to do Batch Guest Account Creation where you can set the ‘x’ amount of users who will be given credentials.
For this guide, the option chosen is the users should use their registered email address and enable guest details of the choice.
The expiration for the guest account can also be set whether the countdown timer starts upon account creation or after login of the guest user account.
Step 2: Managing Guest Users:
Upon successful creation of the guest user group, it is then possible to start to manage the guest users. Select Guest Management -> Create New, then create a guest user. Make sure that chosen the newly created user group has been choosen in the top-right part of this page.
Lastly, fill up the necessary details, and once done, it is either possible to select 'Print' to get the credentials or send them via email.
Below are some sample outputs of how the guest credentials will look like:
- Option - 'Print':
- Option - Send to email (Gmail):
Step 3: Configuring Captive Portal:
There are two options that can be done for Guest Captive Portal authentication depending on the requirements needed.
- Policy-based Captive Portal.
With Policy-based Captive Portal, a guest user will only be allowed to use a specific firewall policy upon successful authentication.
To configure, it is basically necessary to add the guest user group and their assigned IP address in the 'Source' tab in the specific firewall policy. In the configuration below, authenticated guest users will be allowed to access the Internet but will not be able to access other internal resources.
- Interface-based Captive Portal.
With an Interface-based Captive Portal, the incoming traffic to the specified interface will only be allowed upon successful authentication by the user.
To configure, edit the interface configuration where the users will connect and enable Security Mode -> Captive Portal. Specify the user group that needs to be authenticated which in this case will be the guest user group - 'guest-grp'. In the configuration below, the captive portal was configured in the internal interface (port2) where the guest users are connected. Firewall policies will still be needed to allow access to the Internet and other internal resources.
Step 4: Verification of results:
- Before authentication.
- After successful authentication.
To monitor the authenticated guest users, add the 'Firewall User Monitor' widget in the GUI Dashboard.
This page will also show how long the user has been authenticated and their IP address. There will be an option to de-authenticate the user by selecting the username and then pressing 'Deauthenticate'.
