Sheikh
Staff
May 28, 2026

Technical Tip: Guest access expiration and automated device cleanup in FortiNAC-F

Description

This article describes how to configure guest access expiration and automated device cleanup in FortiNAC-F using global aging settings, user expiration controls, and host aging policies.

Guest and BYOD environments can generate large numbers of temporary users and endpoint records. Without proper aging policies, stale guest users and inactive hosts may remain in the database indefinitely, resulting in increased database size, stale endpoint visibility, and additional administrative overhead.

Scope

  • FortiNAC-F.

  • Guest access deployments.

  • BYOD environments.

  • Captive portal deployments.

Solution

Typical workflow:

  • Guest registers through captive portal or sponsor workflow.

  • Temporary network access is granted.

  • Guest account expires after the configured duration.

  • Host becomes inactive.

  • Aging policies remove stale users and hosts automatically.


Configure global aging settings:


Global aging settings determine how long host and user records remain in the FortiNAC-F database.


Navigate to System -> Settings -> User/Host Management -> Aging.


Steps:

  1. Select System -> Settings.

  2. Expand User/Host Management.

  3. Select Aging.

  4. Configure the required settings.

  5. Select Save Settings.


Aging settings:

| Setting | Purpose |
|---|---|
| Days Valid | Number of days a host remains in the database. |
| Days Inactive | Number of inactive days before the host is removed. |
| Days Valid (Users) | Number of days a user remains in the database. |
| Days Inactive (Users) | Number of inactive days before the user is removed. |
| Delete hosts registered to user upon expiration | Removes associated hosts when the user expires. |


Important aging behavior:

  • Leaving aging fields empty disables global aging.

  • Setting aging values to 0 removes the record during the next server poll cycle.

  • Existing records with manually assigned expiration dates are not modified by global aging changes.

  • Administrator accounts never expire automatically and must be removed manually.


Recommended aging examples:

| Object Type | Typical Aging Period |
|---|---|
| Guest devices | 14–30 days |
| Rogue hosts | 14–30 days |
| Corporate devices | 60–90 days |


Note: Fortinet recommends staggering large-scale aging operations to avoid processing spikes caused by simultaneous endpoint re-registration.


Guest expiration behavior:


Guest expiration is controlled by:

  • Account Duration settings,

  • User expiration settings,

  • Global aging policies.


Important behavior:

  • Guest users can age out automatically.

  • Associated registered hosts can also be removed automatically.

  • Host inactivity aging and user expiration aging operate independently.

  • Host age timers are evaluated every 10 minutes.

  • The user inactivity timer starts when all hosts registered to a user are seen as offline.

  • When a host is seen as connected again, the inactivity timer is cleared.

  • The inactivity timer is also cleared when the user logs into FortiNAC.

Configure host expiration manually:


Navigate to Users & Hosts -> Hosts.


Steps:

  1. Select the host.

  2. Right-click the host.

  3. Select Set Host Expiration Date.


Available options:

  • Specify Date

  • Days Valid From Now

  • Days Valid From Creation

  • Days Inactive

  • No Expiration

  • Default Expiration


Configure user expiration manually:


Navigate to Users & Hosts -> User Accounts.


Steps:

  1. Select the user.

  2. Right-click the user.

  3. Select Set User Expiration Date.


Available options:

  • Specify Date.

  • Days Valid From Now.

  • Days Inactive.

  • No Expiration.

  • Delete Registered Hosts.

Configure group-based host aging:


FortiNAC-F supports group-based aging policies for host groups.


Navigate to System -> Groups.


Steps:

  1. Right-click the host group.

  2. Select Set Aging.

  3. Configure:

    • Days Valid

    • Days Inactive

This allows separate aging policies for the following:

  • Guest devices.

  • Rogue hosts.

  • Temporary devices.

  • Department-specific groups.


Important behavior:

  • If a host belongs to multiple groups, the aging policy applied is based on the last group to which the host was added or the last group whose aging settings were modified.

  • Group-based aging applies only to host groups and does not apply to user groups.


Verify host and user aging:


Navigate to:

  • Users & Hosts -> Hosts.

  • Users & Hosts -> User Accounts.

Review:

  • Expiration date.

  • Inactivity date.

  • Last login/logout.

  • Delete hosts when user expires.


Troubleshooting tips:


Guest accounts are not expiring:


Verify:

  • Account Duration settings.

  • User aging settings.

  • User expiration values.


Guest hosts are not removed:


Check:

  • Days inactive settings.

  • Delete hosts registered to the user upon expiration option.

  • Host inactivity timestamps.


Hosts are removed too quickly:


Review:

  • Days Valid values.

  • Days Inactive values.

  • Group-based aging settings.

Important:

  • Adding aging settings to older records may immediately remove them if the calculated expiration date is already in the past.

  • Setting aging values to 0 removes the record during the next server poll cycle.
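
A pre-change check for the behavior noted above, added here as an illustration and not taken from Fortinet: it estimates which host records a proposed pair of global aging values would remove right away. The CSV columns, function names and date arithmetic (Days Valid counted from creation, Days Inactive from the last time an offline host was seen, earlier date wins) are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory. Column names are hypothetical and do not
# represent a FortiNAC-F export format.
SAMPLE_HOSTS = """mac,created,last_seen,online,manual_expiration
00:00:5E:00:53:01,2026-01-10,2026-02-01,no,
00:00:5E:00:53:02,2026-05-20,2026-05-27,yes,
00:00:5E:00:53:03,2025-11-02,2026-05-26,no,
00:00:5E:00:53:04,2025-06-15,2025-07-01,no,2026-12-31
"""


def planned_expiry(created, last_seen, online, days_valid, days_inactive):
    """Earliest expiry under the proposed settings; None means aging is off.

    Assumption: Days Valid counts from creation, Days Inactive counts from the
    last time an offline host was seen, and whichever date is earlier wins.
    """
    dates = []
    if days_valid is not None:  # an empty field (None) disables this timer
        dates.append(created + timedelta(days=days_valid))
    if days_inactive is not None and not online:
        dates.append(last_seen + timedelta(days=days_inactive))
    return min(dates) if dates else None


def dry_run(csv_text, days_valid, days_inactive, today):
    """Bucket each host by what the proposed global aging values would do."""
    report = {"immediate": [], "scheduled": [], "no_expiry": [], "manual": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["manual_expiration"]:
            # Manually assigned expiration dates are not modified by global aging.
            report["manual"].append(row["mac"])
            continue
        expiry = planned_expiry(
            date.fromisoformat(row["created"]), date.fromisoformat(row["last_seen"]),
            row["online"] == "yes", days_valid, days_inactive)
        if expiry is None:
            report["no_expiry"].append(row["mac"])
        elif expiry <= today:
            report["immediate"].append(row["mac"])  # removed at the next poll cycle
        else:
            report["scheduled"].append(row["mac"])
    return report
```

Comparing the size of the `immediate` bucket across candidate values shows how large the first cleanup batch would be, which helps when staggering large aging operations.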


Large database growth:


Review:

  • Rogue host retention.

  • Guest aging policies.

  • Long-term inactive hosts.

  • Host inactivity configuration.


Best practices:

  • Use short expiration periods for guest devices.

  • Enable inactive host aging.

  • Review rogue host retention regularly.

  • Use group-based aging where appropriate.

  • Periodically review stale guest accounts and inactive hosts.

  • Avoid setting aging values to 0 unless immediate removal is intended.


Conclusion:


Guest and BYOD environments can rapidly increase database size in FortiNAC-F deployments.

Using global aging settings, user expiration controls, host inactivity aging, and group-based aging policies helps maintain accurate endpoint visibility, reduced database overhead, faster GUI responsiveness, and improved operational stability.

