The following section describes how to configure custom guest portals on a per customer or per AP/controller basis.
The portals are assigned RADIUS clients and profiles, can permit certain pre-login and post-login services for users (such as password reset and token registration abilities), and rules and replacement messages can be configured.
Guest portal configuration is available under Authentication > Guest Portals > Portals.
- Select Create New to configure settings for a new guest portal.
- Enter the following information:
Name A name to identify the guest portal. URL
The URL of the guest portal, in the format of:
Description Optionally, enter information about the guest portal. MAC device HTTP parameter
Select one of the HTTP parameters available to use for this guest portal:
This field must be configured if this portal's Authentication type is set to Device only (MAC address).
Profile Configuration Assign one or more RADIUS clients and profiles to the portal. General Assign an SMS gateway for self-registered users. Authentication
Select either User credentials or Device only (MAC address) as the authentication type:
User credentials: Selected by default, this option requires either local or remote user account credentials, or with social site credentials:
- Account login: Authentication with local or remote user account credentials.
Social login: Authentication with social site credentials (OAUTH), phone number or email. If RADIUS client is a FortiWLC controller, appropriate firewall pinholes should be added under Authentication > Guest Portals > General > FortiWLC.
When enabled, you can optionally determine whether the social account expires after a certain amount of time (measure in minutes, hours, days, weeks, or months). In addition, various social login platforms become available within which you can enter their respective Key and Secret, including Facebook, Google, Twitter, LinkedIn, or with phone number or email address.
After a social login is successfully completed on the guest portal by OAUTH, email, or SMS, a social login user account is created under Authentication > User Management > Social Login Users.
Device only (MAC address): When this option is enabled, the "MAC device HTTP parameter" must also be configured.
When using device only authentication, the endpoint will not be presented with the login page. Instead, the FortiAuthenticator will only use the endpoint device's MAC address for authentication purposes.
If the RADIUS client profile associated has MAC device filtering enabled, the MAC address is authenticated according to those settings. If MAC device filtering is disabled, any MAC address is accepted.
Optionally, you can determine whether the device account expires after a certain amount of time. To configure, enable Device account expires after, enter a value, and select either minute(s), hour(s), day(s), week(s), or month(s).
Pre-login Services Configure various pre-login services to permit to users. Disclaimer
Enable or disable the appearance of a disclaimer to the end-user that must be accepted before proceeding to the login page.
To configure the disclaimer, edit the Login Disclaimer Page replacement message under Authentication > Guest Portals > Replacement Messages.
Password Reset Enable or disable pre-login password reset link. Account Registration
Select to configure various user account registration options:
- Require administrator approval: Enable/disable whether the user requires administrator approval. If enabled, select whether to send admin approval emails to freeform addresses or to selected user groups.
- Account expires after: Enable/disable account expiration. If enabled, enter the number of hours, days, months, or years the account remains expired from the dropdown menu.
- Use mobile number as username: Determine whether to require the user's mobile number as their username.
- Place registered users into a group: Determine whether to place registered users into a group from the dropdown menu.
- Password creation: Determine whether the user's password is user-defined or randomly generated.
- Enforce contact verification: Enable/disable whether to enforce contact verification. If enabled, select whether to verify the user's email address or mobile number, or allow the user to decide between email address or mobile number.
New user is automatically logged-in after successful contact verification: Enable to allow newly registered users to access the guest network without having to enter their credentials. Disable to require users to enter their credentials to access the guest network after successful registration. This option is enabled by default.
Note that this option is not available if Enforce contact verification is disabled.
- Account delivery options available to the user: Determine whether the user's account information is sent to them by SMS, email, or displayed on the browser page. If more than one option is selected, the self-registering user decides which account delivery method to use. If Require administrator approval is enabled, Display on browser page is disabled.
- Required field configuration: Configure the available fields required by the user to enter (First name, Last name, Email address, and Mobile number are enabled by default).
Select to revoke tokens based on various conditions:
- Allow users to report a lost token to the Administrator at this email address
- Allow users to temporarily use SMS token authentication if a mobile number was pre-configured
- Allow users to temporarily use email token authentication if an email was pre-configured
- Allow users to re-provision their FortiToken Mobile
Usage Extension Notifications Allow users who exceeded their time and/or data usage to request an extension via an email notification. Post-login Services Configure various post-login services to permit to users. Profile Select to determine whether authenticated users can view/edit their account information. Password Change Select to determine whether local and/or remote users have the ability to change their passwords after they log in. Token Registration Select to configure FortiToken Mobile self-provisioning privileges. Smart Connect Select to assign a Smart Connect profile. See Smart Connect Profiles for more information. Device Tracking and Management Select to require users to register their devices after they log in.
- Select OK to add the new guest portal.
Token self-provisioning is offered as a pre-login service for guest portals.
When the token self-revocation feature is enabled (Authentication > Self-service Portal > Token self-provisioning), the guest portal's token verification page will have an additional Lost my token link. Clicking this link provides access to the token self-revocation service page that includes the following options:
- Re-provision my FortiToken Mobile
- Switch to email token authentication
- Disable my account
When the post-login service option Device Tracking and Management is enabled, the administrator must specify into which device group to put the self-registered devices, as well as specify the Maximum number of devices per user (up to 20; 3 by default). When enabled, users have access to a post-login interface where they can add/edit/delete their list of devices. If enabled but the device is not registered, the FortiAuthenticator presents a device registration page after account credential validation.
If the user reaches their device limit, they must select an existing device to replace. If the MAC address is currently associated with a different user, it is re-assigned to this newly logged-in user with the following warning message:
"Your device had previously been registered by another user. Ownership has now been changed to your account."
Portal rule configuration is available under Authentication > Guest Portals > Rules.
- Select Create New to configure new portal rules.
- Enter the following information:
Note that the Conditions section is only available for configuring after the rule is created. General Configure the portal rule's general information, including its name and action. Name A name to identify the portal rule. Description Optionally, enter information about the portal rule. Action Determine the action to take for the rule: assign a guest portal or assign no portal for the rule.
- Select OK to add the new portal rule.
Guest portal replacement message mappings are available under Authentication > Guest Portals > Replacement Messages.
The replacement messages are split into four categories: Authentication, Password Reset, User Registration, and Post-Login.
Selecting a specific message will display the text and HTML or plain text of the message in the lower half of the content pane.
- Select a message in the replacement message list.
- Edit the plain text or HTML code in the lower right pane, or select Open in new window to edit the message in a new browser window.
- When you are finished editing the message, select Save to save your changes.
- If you have made an error when editing the message, select Restore Default to restore the message to its default value.
To insert custom images into the replacement message, see Manage Images.
- From the Manage Images window, select Create New to open the Create New Image window.
- In the Name field, enter a name for the image.
- Select Choose File, find the GIF, JPEG, or PNG image file that you want to add, and then select Open.
- Select OK to add the image.
To insert the image into a replacement message, add the following HTML code:
<image_name> is the name entered for the image. For example, the HTML code for an image named Acme_logo is
- From the Manage Images window, select an image, then select Delete.
- Select Yes, I’m sure in the confirmation window to delete the image.
In the manage images screen, select an image, then select Edit.
- From the Manage Images window, select an image, then select Edit.
- In the Edit Image window, edit the image name and file as required.
- Select OK to apply your changes.
Smart Connect profiles are available under Authentication > Guest Portals > Smart Connect Profiles.
This feature provides the ability to set up network settings (such as WiFi configuration) on an endpoint by downloading a script or an executable (depending on the endpoint's OS) from the FortiAuthenticator guest portal.
When configured, the Smart Connect feature will show up as a new button on the guest portal's post-login main page:
When clicking on the Smart Connect button, the user is given the option to download a self-install file for the OS type of their choice, including iOS, Android, Windows, and Linux. A device ID can also be entered too, however this is only available if the Smart Connect profile uses EAP-TLS. If entered, the ID is used to generate the end-user certificate.
- Select Create New to start the profile configuration wizard.
- Enter a Name and select Next (you cannot configure a different Connect type other than Wireless).
- Enter an SSID and select the Auth method to use: WPA2 Personal or WPA2 Enterprise.
- Enter a Pre-shared Key, then select Next.
- You will see the Review All Settings page, where you can review and change any of the previously set options, and define more settings, as shown below:
- Select OK to apply your options and finish the configuration.
You can optionally enable or disable Hidden SSID to show or hide the SSID. When finished, select Next.
When created, a Smart Connect profile can be associated with a guest portal and be available as a post-login service (see Post-login Services under Portals).
The Smart Connect for Windows feature provides an executable file that adds specific network settings to an end-user's Windows device. The Smart Connect profile settings are the same as the ones implemented for iOS and macOS. The main difference is in how the downloaded executable file is built and packaged, so that it installs seamlessly on Windows devices.
When using the device tracking feature, users are no longer redirected by the FortiGate after initial device registration. Instead, the FortiAuthenticator provides a specific URL for each guest portal, as derived from the guest portal name (under Authentication > Guest Portals > Portals).
When the end user navigates to the self-service URL, they must provide valid credentials to get network access, but the login does not trigger the call to the FortiGate device's API.
|Note that special characters must be encoded in the self-service URL.|
When upgrading from a previous release, as a result of the device tracking feature, the following occurs: