rcpdkc
Contributor II

FortiNAC Self Registered Guest Check Request

I have a FortiNAC guest network. I want the Citizenship number from the user in the guest network. There is an API where I can query this number. I want to include the user's name and surname in the network when it matches the citizenship number. How can I do this?

1 Solution
rcpdkc

I solved the problem by writing my own portal. The user authenticates with this portal. I will open a different topic for other problems.

ebilcari
Staff

So, if I get it right, you want to let the guest self-register, and in the required data fields you will require them to fill in their Citizenship number. You already have a 3rd party tool that can correlate the Name/Surname with this number and want to allow access only if they match and are valid. Is this correct?

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
rcpdkc

Yes, that's exactly what I want. The API is available as a 3rd party tool.

ebilcari

I don't think that it can be done within FNAC logic; a similar behavior can be achieved through MDM integrations, but in this case there is no MDM involved.

In theory (I don't know the exact details), if you are familiar with the API, you can also use the external tool to make API calls to FNAC.

Through the API you can try to change the role of the guest accounts that are valid. So, for example, you can use two roles: the default guest role after a standard registration and a new role updated after the API call. Then create an access policy that allows network access only for the valid guest user role. More information on the API can be found on the Fortinet Developer Network.

- Emirjon
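An added example, not part of the original thread and not FortiNAC code: a sketch of the external validator behind the two-role approach described above, which promotes a guest only when the supplied name matches the registry record and leaves the guest in the default role on any mismatch or lookup failure. The role names and the `lookup` and `set_role` callables are hypothetical stand-ins for the third-party API and the FortiNAC API request, whose endpoints are not given on this page.

```python
import unicodedata
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Hypothetical role names: the default role after self-registration and the
# role an access policy would require before granting network access.
PENDING_ROLE = "GuestPending"
VERIFIED_ROLE = "GuestVerified"


@dataclass(frozen=True)
class Registration:
    guest_id: str      # identifier of the guest account created at registration
    first_name: str
    last_name: str
    citizen_id: str


def normalize(name: str) -> str:
    """Unicode-normalize, case-fold and collapse whitespace before comparing."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())


def validate_guest(
    reg: Registration,
    lookup: Callable[[str], Optional[Tuple[str, str]]],
    set_role: Callable[[str, str], None],
) -> str:
    """Return the role the guest ends up with; promote only on an exact match."""
    # Reject malformed numbers before they reach the third-party API.
    if not (reg.citizen_id.isascii() and reg.citizen_id.isdigit()):
        return PENDING_ROLE
    try:
        record = lookup(reg.citizen_id)
    except Exception:
        return PENDING_ROLE  # fail closed: a lookup outage never grants access
    if record is None:
        return PENDING_ROLE
    supplied = (normalize(reg.first_name), normalize(reg.last_name))
    on_file = (normalize(record[0]), normalize(record[1]))
    if supplied != on_file:
        return PENDING_ROLE
    set_role(reg.guest_id, VERIFIED_ROLE)  # hypothetical hook for the role change
    return VERIFIED_ROLE


# Constructed sample data standing in for the third-party registry.
SAMPLE_REGISTRY = {"10000000001": ("Ada", "Lovelace")}
```
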
rcpdkc


@ebilcari wrote:

I don't think that it can be done within FNAC logic; a similar behavior can be achieved through MDM integrations, but in this case there is no MDM involved.

In theory (I don't know the exact details), if you are familiar with the API, you can also use the external tool to make API calls to FNAC.

Through the API you can try to change the role of the guest accounts that are valid. So, for example, you can use two roles: the default guest role after a standard registration and a new role updated after the API call. Then create an access policy that allows network access only for the valid guest user role. More information on the API can be found on the Fortinet Developer Network.


So, if I write a registration interface program myself, get the necessary information from the user and if there is verification, how do I add the user to the FortiNAC database? More precisely, is there a way to add a user to the guest profile without a web interface?

ebilcari

You can also do it that way; the guest account can be created through the API from the link I shared above:

guest api.PNG

- Emirjon
rcpdkc

I wrote API software. When the user enters the required information, it performs a verification process. If the verification is successful, the API you provided works and adds the user as a FortiNAC guest account. Everything is as I want so far, but I have 2 problems.

1. I created a registration page but I don't know how to log in.

I couldn't find an API for login.

2. The person who connects to the wireless network normally enters the NAC interface and verifies the guest user here. I want it to go to the site I wrote and not to the NAC interface. How can I do this?

ebilcari

After guest creation there is also a host registration process that happens in the background. It creates a host record (based on the MAC address of the host) and ties it to the guest account. When the host tries to access the network, its MAC address is used to move it to the guest VLAN. So basically the guest registers its host once and will be able to join the network automatically without any login as long as the account is still valid.

So theoretically I can think of two possibilities:

- use the API to create the guest account and also the host account; then the guest will be automatically moved to the guest VLAN.

- use the API to create the guest account and, after creation, redirect the browser to the registration page in FNAC so the user can finish host registration through the FNAC portal with existing credentials.

The web page used for the API should be added to the allowed domains in order for the isolated hosts to reach it.

FNAC allows including JS scripts in the page content as shown below:

scripts.PNG

- Emirjon
rcpdkc

Well, actually, I have this problem.
Firstly, I created an open wireless network.
I opened a dynamic VLAN and included it in FortiNAC.
When the user joins the network, he must first verify the certificate. However, there is no certificate request when connecting to the network.
My 2nd problem is that when the user connects to the network, I want the user to go directly to the registration page I created, but it goes to FortiNAC's interface. How can I fix this?

ebilcari

That should be the SSL certificate used for the portal page. For security reasons, in later versions of FNAC, using a valid SSL certificate is mandatory:

certsa.PNG

To avoid issues on guest hosts, this certificate should be publicly signed and trusted.

The redirection can be done through a JS script inserted in "Left Column Content:" in the portal configuration pages, as described in my previous reply.

- Emirjon