Jackchenwork
New Contributor III

FortiAuthenticator guest portal like McDonald

I would like to set up FortiAuthenticator and FortiGate to provide McDonald's-like Wi-Fi access: when you connect, it pops up a disclaimer page, and once the user clicks "I accept", it grants the user access directly.

Is this doable?

I have tried to use a portal policy with MAC authentication (but it doesn't really restrict any MAC). It looks like FortiAuthenticator does send Access-Accept to FortiGate, but there is no Fortinet-Group-Name RADIUS attribute.

If I don't enable "Account registration" in the guest portal, new "social login users" are created, but they can't be automatically added to a user group. I tried a MAC group with device tracking enabled on the guest portal, also no luck (turning on device tracking doesn't add the new social login user's MAC to the chosen MAC group).

1 Solution
Markus_M
Staff

Hi Jackchenwork,

Yes, it is doable. The FAC has the portal policy option of the pre-login services with "Disclaimer".

However, please clarify what exactly you are trying to do. If you have this type of guest user, you cannot get them to be in a user group, let alone get them permission sets.

There might not even be a need for the FAC, as the FGT itself supports a disclaimer in a policy. The user will be added to the firewall user list with IP and the flag "disclaimer".

If your user logs off, the user can be removed from the firewall user list.

This is maybe better documented here:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/182001/per-policy-disclaimer-messages

Best regards,

Markus

Jackchenwork

Yes, I created the portal with Disclaimer. The requirement is to have minimum management tasks and give guest users Wi-Fi access to the Internet. So the ideal result is: guests see the Disclaimer/Terms and Conditions, click accept, then they are connected to the Internet.

I don't want to ask users to register since this is just free Wi-Fi for guests' convenience. No need to collect user name/email (most of the time they are fake if we don't validate email anyway, and if we do validate email, then they need to have Internet access first). There is also GDPR, so ideally just let the user use free Wi-Fi like McDonald's.

Now I see one

Jackchenwork
New Contributor III

The issue is that without registration, even if I choose MAC authentication, the user doesn't belong to any user group on FAC and his MAC doesn't belong to a MAC group, so FAC doesn't send a group to FGT and FGT won't allow the user access.

OK, now I see that if I just use FGT, I can choose "Disclaimer" only; that could be one option.

The other option is that I still use FAC, but on FAC's disclaimer page I provide a guest user and password.

Markus_M
Staff

Correct, FAC will only send user information back, like memberships, if the user is known in its userDB.

FAC will need to have one configured (be it devices or local, remote users). For simple disclaimers, the FGT will do. Its replacement messages can be adapted, so you can display something fancy to the guests.

Additional info that might be interesting: You can supply DHCP options to the wifi users in which you can offer them a landing page like option 114 or 160.

To stay with the example: the menu ordering page of McDonalds. After accepting the disclaimer you get redirected to that page.
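
A sketch of the FortiGate-only setup discussed in this thread, added here as an example and not taken from any poster's configuration: a disclaimer-only guest policy plus a DHCP option 114 landing page. The interface names, policy and DHCP server IDs, and the URL are assumptions; the keywords follow the FortiOS 6.2 per-policy disclaimer cookbook linked above, so check them against your release.

```fortios
# Added example. "guest-wifi", "wan1", the IDs and the URL are
# assumptions to replace with your own values.

# Guest SSID interface -> Internet. No user group is set: access is
# granted once the client accepts the disclaimer, so the policy is
# limited to what guests need rather than service "ALL".
config firewall policy
    edit 10
        set name "guest-disclaimer"
        set srcintf "guest-wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "HTTPS"
        set disclaimer enable
        set nat enable
    next
end

# DHCP option 114 on the guest scope, offering clients a landing page URL.
config system dhcp server
    edit 1
        set interface "guest-wifi"
        config options
            edit 1
                set code 114
                set type string
                set value "https://guest.example.com/welcome"
            next
        end
    next
end
```

After a client accepts the disclaimer, `diagnose firewall auth list` should show its IP in the firewall user list mentioned above.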