SaschaH
New Contributor

Captive Portal - creating Guest-Users by script

Hello, now that I successfully set up a Fortigate 60D together with some FortiAP 210B, I need to create a Guest-WiFi with Captive Portal. My problem is the creation of the Guest-Users, because this should be done by the desk clerk and I don't want him to log on to my 60D, because I can't limit him to just the "Guest Management" function. Is there any way (like HTTP GET with a PHP script) to generate a Guest-User and retrieve the credentials needed? Regards, Sascha
Dave_Hall
Honored Contributor

Is there a reason for not creating a guest management only administrator on the Fortigate? Setting up WPA/WPA2-Enterprise authentication, which uses a RADIUS server, may be closest to your request, as there are web-based GUI frontends for managing RADIUS users, but setting it up can be a hassle. A simple solution would be to use the fgt device's built-in WPA/WPA2-Enterprise solution, create about 20 generic user IDs and rotate/hand those out to guests, and every now and then just reset the passwords to those IDs. Edit: one caveat about setting up WPA/WPA2-Enterprise authentication is it can be tedious to set up on a client computer.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

SaschaH
New Contributor

Yes, there is the reason that the company already has user-management for things like that. We use LDAP for authentication and I don't want to create a local admin user on the 60D for managing guests on the WiFi. RADIUS and WPA-Enterprise with 20 IDs is no option here, because this actually is just a "first productivity test". We plan to roll this out to all our plants worldwide. I have to find a solution that is as easy as possible to use. My idea was to have a URL like "https://MYFWIP/?generateguest=1&firstname=John&lastname=Doe&company=Pineapple" that asks for authentication (LDAP backend), creates the guest account with a fixed time limit and just replies with the credentials. When you have 10 different people, talking 4 different languages, living in 3 different timezones... you have to make it as easy as possible ;)
Dave_Hall
Honored Contributor

Perhaps an open wifi guest AP with user authentication (via LAP) performed in a firewall policy. However, review this post by Andrea Soliva and the followups, especially the one by Sean Toomey.

 

https://forum.fortinet.com/FindPost/106108

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
