FortiNAC is a s a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.


This articles describes how to set up a Guest Registration portal with Sponsor approval in FortiNAC.




A standard setup would include following products: FortiSwitch, FortiGate and FortiNAC.

This article only discusses the flow and steps to configure the portal on FortiNAC.


It is expected the customer has already performed integration of FortiNAC and FortiGate using respective documentation:


It is also expected that FortiNAC is deployed and configured with the isolation subnet where Rogue devices will be initially moved and presented the Eth1 captive interface.

On FortiNAC, it is necessary DHCP scopes in order for FortiNAC to assign isolation IP to the connecting Rogue devices.


Other needed elements:

-DHCP helper address pointing to the ETH1 interface of FortiNAC.

-In the VLANs routed interface,  an L3 ACL is necessary in order to route everything to ETH1 of FortiNAC.




Operation flow is as follows:


1) Host connects to the network.

2) Switch sends MAC Notification trap to FortiNAC.

3) FortiNAC puts the port to Isolation and presents the portal to the user.

4) User completes form and sends request to FortiNAC.

5) Request is sent to Sponsor (who needs to approve).

6) After approval then FortiNACsend (User+password information) to the Guest.

7) User logins with credentials. (Post sent to FortiNAC).

8) FortiNAC changes port access from Isolation VLAN to Guest VLAN.

9) User has network access through FortiGate Policies.


Before proceeding to the Portal and guest templates, the following will be necessary:


- Guest VLAN configured on the FortiSwitch.

- Logical network created for the Guest VLAN in FortiNAC.

- Network access configuration/policy in FortiNAC matching the Guest_VLAN logical network.

- Guest VLAN logical network is enforced and assigned an access value in FortiGate model. configuration.


Step 1. Create role and Template for Guests.


Go to Policy and Objects -> Roles.

Select GuestSelfRegistration.

Edit in case it will be necessary groups to be added to this Role.




Step 2. Configure the Template for Guests.

Go to User & Devices and select 'Role: GuestSelfRegistration' from previous step.




Edit the Data fields.




Step 3. Create user host profile named 'Gues'  to associate with the network access policy

Add the Who/what attribute to Role:GuestSelfRegistration




Step 4. Create network access policy matching the previously created User/host profile and Network access configuration.

The network access configuration should specify the Guest_Vlan logical network.




Step 5. Enable the self registration guest login:




Step 6. Enter Sponsor email in case sponsor approval for Guests is enabled.




Edit the 'Require sponsor approval' to 'Any User' and enable additional features if needed as below:






Step 7. Configure the email server and verify the Sponsors Email address in Users View by modifying the user entry and configuring the email address.




In Settings -> System Communication, go to Email settings and configure the Email server as needed.




Step 8. Put the Port where the host connects to the 'Force Registration' and 'Role Based Access' groups.

These are system groups which will provide enforcement to all ports that are marked as members.


- Force Registration - Enforces isolation when unregistered hosts connect.

- Role Based Access - Enforces Network access policies on the member ports and port groups.


In order to do this either include all the needed ports in a port group and then make this group a member of both system groups above.

For a simple test with one port, it is possible to go to the Network device in Inventory view, select the port and select Group Membership.

Enable membership for both system groups.


Other related KB articles: