Thonno
Explorer II
March 5, 2026
Question

FortiNAC - Allowed Host


Hello everyone,

I’m working on a FortiNAC 7.2 deployment and I’m trying to enforce a restriction specifically for guest users.

Goal
Allow each guest user to authenticate and access the network from only one device, preventing the same credentials from being used simultaneously on multiple devices.

Current context

We are using:

  • Guest Registration / Guest Self-Registration

  • Captive Portal authentication

  • Standard FortiNAC host registration

In Settings → User/Host Management there is a global parameter called “Allowed Hosts”, which defines how many devices a user can register.

Additionally, the same parameter exists at the individual user level, where it can be manually overridden per user account.

Problem

The global setting applies to all users, which is not ideal in our scenario.

What we would like to achieve instead is:

  • Allowed Hosts = 1 only for users created through Guest or Guest Self-Registration

  • Internal or managed users should not be affected by this limitation.

Questions

  1. Is there a way in FortiNAC 7.2 to apply the Allowed Hosts restriction only to specific user types, such as Guest / Guest Self-Registration users?

  2. Can this be enforced through Guest Portal configuration or registration templates?

  3. Alternatively, is it possible to automate this using a custom script or scheduler task, so that every newly created guest account automatically gets Allowed Hosts = 1?

The objective is to ensure that once a guest registers and authenticates, the credentials can only be used by the first device registered, preventing multiple devices from using the same account.

If anyone has implemented a similar control or has recommendations on the best approach, I would greatly appreciate your suggestions.

Thanks in advance.

4 replies

Jean-Philippe_P
Staff & Editor
March 8, 2026

Hello Thonno,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
March 9, 2026

Hello,

We are still looking for an answer to your question.

We will come back to you ASAP.

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
March 10, 2026

Hello again Thonno,

I found this answer, can you tell us if it helps, please?

To achieve your goal of restricting guest users to authenticate and access the network from only one device, you can consider the following approaches:

1. Guest Registration and Self-Registration Configuration

  • Guest Templates: You can create specific guest templates that define the allowed number of hosts. For guest or self-registered users, set the Allowed Hosts parameter to 1. This ensures that each guest account created through these templates is restricted to a single device.

  • Portal Configuration: In the portal configuration, ensure that the registration templates used for guest self-registration have the Allowed Hosts parameter set to 1. This can be done by editing the registration page settings in the Portal Configuration Content Editor.

2. Custom Script or Automation

Automation: While FortiNAC does not natively support scripting within the interface, you can use external automation tools to interact with FortiNAC's API. You can create a script that automatically sets the Allowed Hosts parameter to 1 for any new guest account created. This script can be scheduled to run at regular intervals or triggered by specific events.

3. User/Host Management Settings

Global Settings: As you mentioned, the global Allowed Hosts setting applies to all users. However, by using guest-specific templates and portal configurations, you can override this setting for guest users.

4. Manual Override

Individual User Settings: For any guest accounts that need to be adjusted manually, you can override the Allowed Hosts setting at the individual user level. This can be done through the User/Host Management interface.

Recommendations

  • Use Guest Templates: The most straightforward approach is to use guest templates with the Allowed Hosts parameter set to 1. This ensures consistency and reduces the need for manual intervention.

  • Consider Automation: If you have a large number of guest accounts and need to ensure compliance, consider using automation tools to enforce the Allowed Hosts setting.

Follow-ups and Clarification Questions

  • Have you configured guest templates in your current setup? This will help determine if the template-based approach is feasible.

  • Are you familiar with using FortiNAC's API for automation purposes? This will help assess the viability of using scripts for automation.

  • Do you have any specific constraints or requirements for the guest registration process? Understanding these can help tailor the solution to your needs.

If you have further questions or need additional assistance, feel free to ask!

Jean-Philippe - Fortinet Community Team
Thonno (Author)
Explorer II
March 12, 2026

Hello,
there is no option in the SelfRegistration Guest template to specify how many hosts to allow, nor in the portal under Portal Configuration → Registration → Self Registration Login.

I would need help setting up the automation/scripting.

ebilcari
Staff
March 10, 2026

Currently this is enforced by default only for guest type 'Conference':

guest-conference.PNG

Emirjon
Thonno (Author)
Explorer II
March 12, 2026

Hello,
unfortunately, we need this option to be valid for guest users of the Self-registration type.

ebilcari
Staff
March 14, 2026

It seems that this option is not currently available in FNAC, and implementing it through scripting also appears to be quite challenging. The required attributes can be found on the user records:

fnac76:~$ dumpuserrecords -first aa
UserRecord:
Landscape = 452891056385 00:69:72:69:19:01
ID = 1434461008015378
Role = GuestSelfRegistration
Type = Guest
Admin Profile DBID = 0
Directory Policy = null
DN = null
Machine Authentication = false
User Authentication = false
Position = Guest
Email Address = aa@aa.aa
First Name = aa
Last Name = aa
User ID = aa@aa.aa
notes =
Creation Time = Tue Mar 10 15:35:45 CET 2026
Expiration Date = Sun Mar 29 23:59:59 CEST 2026
Inactivity Days = Not Configured
Inactivity Date = Not Configured
Last Login Date = Never
Last Modified Date = 2026-03-10 15:37:49.0
Last Modified By = admin
Status = Disconnected
Security Access Value = null
locale = en_US
Address = null
City = null
State = null
Zip = null
Country = US
Organization = null
Organizational Unit = null
Phone = null
Country Code = null
Mobile Number = null
Mobile Provider =
Propagate Hosts = true
Is API Admin = false
API Access Token = null
Trusted Hosts = null
MFA Method = 0
Extra Info =
Attribute: UserExpirationDeleteRegHosts = true
Attribute: Asset Tag = null
Attribute: Sponsor = admin
Attribute: ImageType = Guest
Attribute: VisitorType = 0
Attribute: AuthenticateType = CM
Attribute: RegistrationCount = 1
Attribute: LogonCount = 2

or fnac76 # diagnose user list first aa

If you think this feature is needed in FNAC, kindly submit a New Feature Request (NFR) through your local Fortinet Sales representative to add this as a feature in the next releases.

Emirjon
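
Since the thread concludes that the limit cannot be enforced for self-registered guests, the user records shown above can at least be audited. The following is an added example, not code from the thread or from Fortinet: it parses saved text in the dumpuserrecords layout quoted above and lists GuestSelfRegistration accounts whose RegistrationCount exceeds 1. It assumes RegistrationCount reflects how many registrations were made with the account, which the thread does not confirm; the sample records are constructed.

```python
import re

# Constructed sample in the "dumpuserrecords" layout quoted in the thread
# (fields abbreviated; user IDs, roles and counts are made up for illustration).
SAMPLE = """\
UserRecord:
Role = GuestSelfRegistration
Type = Guest
User ID = aa@aa.aa
notes =
Attribute: RegistrationCount = 1
UserRecord:
Role = GuestSelfRegistration
User ID = bb@bb.bb
Attribute: RegistrationCount = 3
UserRecord:
Role = Staff
User ID = staff01
Attribute: RegistrationCount = 4
"""

# "Key = Value" lines, optionally prefixed with "Attribute:"; value may be empty.
LINE = re.compile(r"^(Attribute:\s*)?(.+?)\s*=\s*(.*)$")

def parse_user_records(text):
    """Return one dict per UserRecord; attribute keys get an 'attr:' prefix."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "UserRecord:":
            records.append({})
            continue
        m = LINE.match(line)
        if m and records:
            key = ("attr:" if m.group(1) else "") + m.group(2)
            records[-1][key] = m.group(3)
    return records

def guests_over_limit(records, limit=1, role="GuestSelfRegistration"):
    """Return (user_id, count) for records of `role` above `limit`."""
    flagged = []
    for rec in records:
        count = rec.get("attr:RegistrationCount", "")
        # Assumption: RegistrationCount tracks registrations made with the account.
        if rec.get("Role") == role and count.isdigit() and int(count) > limit:
            flagged.append((rec.get("User ID", "?"), int(count)))
    return flagged

if __name__ == "__main__":
    print(guests_over_limit(parse_user_records(SAMPLE)))
```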