
Setting up guest WiFi users with a captive portal

1. Authorize the FortiAP over the DMZ interface
2. Add WiFi guest users
3. Create an SSID using a captive portal
4. Add firewall addresses
5. Add security policies
6. Add a limited administrative role for the receptionist
7. Results

In this example, a FortiGate unit provides your office with wired networking,
but guest users use laptops and mobile devices. These devices need secure
WiFi access to both the office network and the Internet. Guest users use
web applications and authenticate through a portal using a web browser. The
receptionist for the company is provided a limited access admin account to
distribute temporary password access to the wireless network.

[Network diagram: FortiGate with WAN 1 (172.20.120.23) to the Internet, DMZ (10.10.80.99/24) to the FortiAP, Internal (192.168.1.99/24) to the internal network, and the wireless network (10.10.10.1/24).]

Step One: Authorize the FortiAP over the DMZ interface
Go to System > Network > Interface.
Set the DMZ interface to be dedicated to FortiAP connections.
Connect the FortiAP to the DMZ interface and go to WiFi Controller > Managed
Access Points > Managed FortiAP to authorize the FortiAP.

Step Two: Add WiFi guest users
Go to User & Device > User > User Group.
Create a guest WiFi users group.

Step Three: Create an SSID using a captive portal
Go to WiFi Controller > WiFi Network > SSID.
Create a new SSID using a captive portal.

Step Four: Add firewall addresses
Go to Firewall Objects > Address > Address.
Create addresses for the internal wired network and the guest WiFi users.

Step Five: Add security policies
Go to Policy > Policy > Policy.
Create a security policy allowing WiFi guest users to access the internal
network.
Create a security policy allowing WiFi guest users to access the Internet.

Step Six: Add a limited administrative role for the receptionist
Go to System > Admin > Admin Profile.
Create a limited admin profile allowing the receptionist to create new guest
users.
Go to System > Admin > Administrators.
Create a new admin account for the receptionist using the new limited profile.

Results
When a guest requires access to the wireless network, the company receptionist
logs into the FortiGate unit with their account. The administrator needs to
create guest user names on the FortiGate unit.
Once logged in, they go to User & Device > User > Guest Management and create
a new user ID.
The FortiGate unit generates a password for the user. This password is only
valid for four hours.
Once this information is provided to the guest user, they can log in through
the captive portal on the authentication page.
To verify that the guest user logged in successfully, go to WiFi Controller >
Monitor > Client Monitor.
Once authenticated, guest users can browse the Internet and can also access
resources in the internal wired network.
Go to Policy > Monitor > Policy Monitor and verify active sessions.
Select one of the bars for more information.
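
A CLI sketch of Steps Two and Six and of the four-hour password lifetime described in the Results, added here as an example; it is not taken from the original page or from Fortinet. The object names are hypothetical, and the keywords are assumed from the FortiOS 5.x CLI (`config user group`, `config system accprofile`, `config system admin`); confirm them against the CLI reference for your firmware.

```fortios
# Added example. The names "guest-wifi", "guest-provisioning" and
# "receptionist" are hypothetical; the page does not give its own names.

config user group
    edit "guest-wifi"
        set group-type guest
        # The receptionist enters the user ID; the FortiGate generates
        # the password.
        set user-id specify
        set password auto-generate
        # Four hours (14400 seconds), counted from account creation.
        set expire-type immediately
        set expire 14400
    next
end

config system accprofile
    edit "guest-provisioning"
        # Only the user-authentication area is writable. Assumption: access
        # areas left unset stay at "none"; check with "get" on your build.
        set authgrp read-write
    next
end

config system admin
    edit "receptionist"
        set accprofile "guest-provisioning"
        # Placeholder value, replace before use.
        set password <set-a-strong-password>
    next
end
```

After applying it, log in as the receptionist account and confirm that only guest management is reachable and that System, Policy and Firewall Objects are not.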
