
User Guide

1.2.0

Usage Profiles

Usage profiles let you assign different levels of time access and data usage to different user accounts. For example, you can assign a usage profile that allows access on working weekdays but not on weekends. After you create usage profiles, you must update the sponsor user group so that sponsors in that group can provision accounts with the appropriate usage profiles. Navigate to Network Access Policies > Usage Profiles and update the following configurations. You can Clone a usage profile to reuse its configuration.

Time Usage

Configure the time usage profile to set access restrictions for user accounts.

  1. Enter the Name and Description of the new time profile; select the Timezone to which any account restrictions apply.

  2. Select any of the following available Account type options.
  • Start End - Allows sponsors to define start and end times for account durations, from when the user first logs in.
    Note: Do not use the Start End usage profile for accounts that are created on the fly, such as accounts created against a backend authentication source like AD/LDAP/RADIUS/AUTH/SAML and accounts created via a captive portal like Self Service/CC BILLING/PMS BILLING/CLICK THROUGH/AUTO LOGIN. Use Start End only for user accounts created by an admin or sponsor.
  • From First Login - Allows sponsors to define a length of time for user access from their first login.
  • From Creation - Allows sponsors to define a length of time for user access from the moment of account creation.
  • Time Used - Allows sponsors to create a time period during which the user can log in. For example, an account can be valid for 2 hours and usable at any time within 24 hours of the first login. The following fields are also required to configure this option. See User Scenario.
    • Duration - The time for which a guest user can log in within the specified Allowed Window.

    • Allowed Window - This parameter should be greater than or equal to Duration.

    • Repeat - The number of times the configured Allowed Window and Duration parameters are repeated.

  • Unlimited - Unlimited time profiles.
  • The Expire if inactive for option allows the admin to specify the time period after which an account with this usage profile should be considered inactive.
  Note: For a usage profile with the Start End account type, ensure that the time zone defined here is the same as the one on the account creation page associated with this profile.

    User Scenario

    Consider the following use cases for configuring the time usage profile and how it works with FortiGuest. In the following example, Duration is set to 2 hours, the Allowed Window is 24 hours, and Repeat cycle is 2 times.

    With this usage profile, the account is valid for 2 hours and usable at any time within 24 hours of the first user login. Because Repeat is set to 2, the account end time is 72 hours from the first login. During that time, a user can log in for 2 hours within a 24-hour window, and this cycle can be repeated twice.

    Now, consider the following use cases.

    • Use Case 1 - When a user logs in for the first time, FortiGuest grants a session timeout of 2 hours, based on the configured Duration of 2 hours. If the user disconnects after 1 hour and logs in again within the same 24-hour window, the session timeout is only the remaining 1 hour.
      Note: A user can reconnect any number of times. The timeout is based on the configured Duration and Allowed Window.

    • Use Case 2 - If the user logs in for the first time within an allowed window that is expiring in 30 minutes, the user is granted access for 2 hours and 30 minutes. This includes the 30 minutes remaining in the current allowed window and 2 hours from the next allowed window (since Repeat is set to 2).

    • Use Case 3 - The user logs in at the end of the last allowed window. For example, if the user logs in when the last allowed window is expiring in 30 minutes, FortiGuest grants access for just 30 minutes, and the allowed window expires after that.
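
The arithmetic of the three use cases as a small Python model, added here as an illustration. It is inferred from the use cases above and is not FortiGuest code; the function and parameter names are hypothetical, and the caller supplies how much of Duration was already used in the current window.

```python
from datetime import datetime, timedelta

def account_end(first_login, window, repeat):
    """Account end time: the first Allowed Window plus `repeat` repetitions."""
    return first_login + window * (repeat + 1)

def session_timeout(first_login, login, used_in_window, duration, window, repeat):
    """Session timeout granted at `login` (hypothetical model of the use cases)."""
    if window < duration:
        raise ValueError("Allowed Window must be >= Duration")
    if not first_login <= login < account_end(first_login, window, repeat):
        return timedelta(0)                      # outside the account lifetime
    index = (login - first_login) // window      # 0-based window number
    to_window_end = first_login + window * (index + 1) - login
    duration_left = max(duration - used_in_window, timedelta(0))
    if duration_left < to_window_end:
        return duration_left                     # Use Case 1: capped by Duration
    if index < repeat:
        return to_window_end + duration          # Use Case 2: carries into next window
    return to_window_end                         # Use Case 3: last window, no carry-over

def page_scenario():
    """The page's scenario: Duration 2 h, Allowed Window 24 h, Repeat 2."""
    h = lambda n: timedelta(hours=n)
    first = datetime(2024, 1, 1, 9, 0)           # constructed first-login time
    args = (h(2), h(24), 2)
    return {
        "account_end_hours": (account_end(first, h(24), 2) - first) / h(1),
        "first_login": session_timeout(first, first, h(0), *args),
        "relogin_after_1h_used": session_timeout(first, first + h(3), h(1), *args),
        "window_expiring_in_30m": session_timeout(first, first + h(23.5), h(0), *args),
        "last_window_expiring_in_30m": session_timeout(first, first + h(71.5), h(0), *args),
    }

if __name__ == "__main__":
    for name, value in page_scenario().items():
        print(f"{name}: {value}")
```
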

    Time Restrictions

    You can implement account restrictions in the Time Restrictions section. Guests cannot log in or are logged out during these periods.

    Select the week day and specify the Start and End time to restrict guest access.

    Data Usage

    You can also add data usage restrictions to the account based on time periods. The data restriction is configured either for a lifetime or as periodic.

    • Lifetime - This restriction applies to the full lifetime of the account, after which the account expires. A user cannot reconnect until the admin revives the account.
    • Periodic - This restriction applies to a set period of time, after which account access is restricted until the next time period begins. A user can reconnect only after the current data restriction period is over and the new time period begins.

      • Daily - This restriction applies according to the user's time zone, which depends on the usage profile that is applied.

      • Weekly - This restriction applies from Monday-Sunday, as per the user's time zone.

      • Monthly - This restriction applies from the 1st of a month to its last day, as per the user's time zone.

    From the available options, determine whether to apply the following.

    • Data Up - Apply a data usage up restriction to your profile in KB, MB or GB.
    • Data Down - Apply a data usage down restriction to your profile in KB, MB or GB.
    • Total Up & Down - Apply a total data usage restriction to your profile in KB, MB or GB.

    Note: FortiGuest enforces these restrictions only if RADIUS accounting is enabled with interim updates on the NAS server, and the Accounting-interim-update attribute is added in the RADIUS client.
