FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mzainuddinahm
Article Id 189478

Description

 

This article describes how to configure an email collection captive portal so that guest Wi-Fi users must provide a valid email address before they are granted Internet access.
 
Scope
 
FortiGate.


Solution

 

Public areas provide free Internet access for customers. 
In this scenario, configuring guest management is not necessary, as customers can access the Wi-Fi access point without logon credentials. 
 
However, consider a scenario where the business wants to contact customers with promotional offers to encourage future patronage.
 
Configuring an email collection portal to collect customer email addresses is possible for this purpose, and configuring a security policy to grant network access only to users who provide a valid email address is also possible.
 
The first time a customer’s device attempts to connect to the Wi-Fi network, FortiOS requests an email address and validates it.
The customer’s subsequent connections go directly to the Internet without interruption.
 
  1. Create an email collection portal.

    The customer’s first contact with the network is a captive portal that presents a webpage requesting an email address.
    When FortiOS has validated the email address, the customer’s device MAC address is added to the Collected Emails device group.

    To create an email collection portal using the GUI:

 

  • Go to WiFi & Switch Controller -> SSID and edit the SSID.
  • From the Security Mode dropdown list, select 'Captive Portal'.
  • For portal type, select 'Email Collection'.
  • (Optional) In 'Customize Portal Messages', select 'Email Collection'.

 

Note:

By default, this option is hidden. Enable it under System -> Feature Visibility -> Additional Features.


To create an email collection portal using the CLI:
This example modifies the freewifi WiFi interface to present an email collection captive portal.

 

config wireless-controller vap
    edit freewifi
        set security captive-portal
        set portal-type email-collect
    next
end

 

Note: The email-collect portal type is not supported on bridge-mode SSIDs.

 

  2. Create a security policy.

    Configure a security policy that allows traffic to flow from the Wi-Fi SSID to the Internet interface but only for members of the Collected Emails device group. This policy must be listed first. Unknown devices are not members of the Collected Emails device group, so they do not match the policy.

    To create a security policy using the GUI:

     

    • Go to Policy & Objects -> IPv4 Policy and select 'Create New'.
    • Configure the policy as follows:

    Incoming Interface  : freewifi
    Source Address      : all
    Source Device Type  : Collected Emails
    Outgoing Interface  : wan1
    Destination Address : all
    Service             : ALL
    Action              : ACCEPT
    NAT                 : On

     
    • Select 'OK'.

     

    To create a security policy using the CLI, run the following:

     

    config firewall policy
        edit 3
            set srcintf "freewifi"
            set dstintf "wan1"
            set srcaddr "all"
            set action accept
            set devices collected-emails
            set nat enable
            set schedule "always"
            set service "ALL"
        next
    end

     

    Note: 'set devices' is no longer available as of 6.2.x. Instead, use the following in the CLI:

     

    config firewall policy
        edit <policy_id>
            set email-collect enable
        next
    end

     

    Note: If the captive portal page cannot be reached, the client's initial request may be a plain HTTP request. In that case, enable HTTP redirect under User & Authentication -> Authentication Settings.

     

     

  3. Check for harvested emails.

    To check for harvested emails using the GUI,
    go to User & Device -> Device Inventory.

    To check for harvested emails using the CLI, run the following:

     

    diagnose user device list hosts
    vd 0 d8:d1:cb:ab:61:0f gen 35 req 30 redir 1 last 43634s 7-11_2-int
    ip 10.0.2.101 ip6 fe80::dad1:cbff:feab:610f
    type 2 'iPhone' src http c 1 gen 29
    os 'iPhone' version 'iOS 6.0.1' src http id 358 c 1
    email 'yo@yourdomain.com'
    vd 0 74:e1:b6:dd:69:f9 gen 36 req 20 redir 0 last 39369s 7-11_2-int
    ip 10.0.2.100 ip6 fe80::76e1:b6ff:fedd:69f9
    type 1 'iPad' src http c 1 gen 5
    os 'iPad' version 'iOS 6.0' src http id 293 c 1
    host 'Joes’s-iPad' src dhcp
    email 'you@fortinet.com'

     

    For FortiOS 6.4.7 and above, use the following command:

     

    diagnose firewall auth mac list
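As an added example (not Fortinet code and not part of this article), the following Python script groups the output of 'diagnose user device list hosts' shown above into one record per device and separates devices that have passed email validation from those that have not. The first two entries are the article's sample output; the third entry (aa:bb:cc:dd:ee:ff) is constructed. It assumes the field layout of that sample and does not cover the 'diagnose firewall auth mac list' format used on FortiOS 6.4.7 and later.

```python
import re

# 'diagnose user device list hosts' output: the first two entries come from the
# article; the third (aa:bb:cc:dd:ee:ff) is constructed, a device with no email yet.
SAMPLE_OUTPUT = """\
vd 0 d8:d1:cb:ab:61:0f gen 35 req 30 redir 1 last 43634s 7-11_2-int
ip 10.0.2.101 ip6 fe80::dad1:cbff:feab:610f
os 'iPhone' version 'iOS 6.0.1' src http id 358 c 1
email 'yo@yourdomain.com'
vd 0 74:e1:b6:dd:69:f9 gen 36 req 20 redir 0 last 39369s 7-11_2-int
ip 10.0.2.100 ip6 fe80::76e1:b6ff:fedd:69f9
os 'iPad' version 'iOS 6.0' src http id 293 c 1
host 'Joes’s-iPad' src dhcp
email 'you@fortinet.com'
vd 0 aa:bb:cc:dd:ee:ff gen 37 req 2 redir 1 last 120s 7-11_2-int
ip 10.0.2.102
"""

# A 'vd' line opens a new device record; 'last <N>s' is seconds since last seen.
HEADER_RE = re.compile(r"^vd (\d+) ([0-9a-f:]{17}) .*?last (\d+)s (\S+)$")
# Detail lines that follow a header; each regex captures its value in group 1.
FIELD_RES = {
    "ip": re.compile(r"^ip (\S+)"),
    "os": re.compile(r"^os '([^']*)'"),
    "host": re.compile(r"^host '([^']*)'"),
    "email": re.compile(r"^email '([^']*)'"),
}

def parse_device_list(text: str) -> list[dict]:
    """Group the flat command output into one dict per device."""
    devices, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:  # new record; 'email' stays None until an email line is seen
            current = {"vdom": int(m.group(1)), "mac": m.group(2), "email": None,
                       "last_seen_s": int(m.group(3)), "interface": m.group(4)}
            devices.append(current)
        elif current is not None:  # detail line belonging to the current record
            for key, regex in FIELD_RES.items():
                f = regex.match(line)
                if f:
                    current[key] = f.group(1)
    return devices

def split_by_email(devices: list[dict]) -> tuple[dict, list]:
    """Return (mac -> email for validated devices, MACs still without an email)."""
    collected = {d["mac"]: d["email"] for d in devices if d["email"]}
    pending = [d["mac"] for d in devices if not d["email"]]
    return collected, pending
```

Devices in the pending list have reached the portal but are not yet members of the Collected Emails group, so they will not match the policy created in step 2.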