I have a FortiNAC Guest network. I want the Citizenship number from the user in the guest network. There is an API where I can query this number. I want to include the user's name and surname in the network when it matches the citizenship number. How can I do this?
I solved the problem by writing my own portal. The user authenticates with this portal. I will open a different topic for other problems.
So, if I get it right, you want to let the guest self-register, and in the required data fields you will require them to fill in their Citizenship number. You already have a 3rd party tool that can correlate the Name/Surname with this number and want to allow access only if they match and are valid, is this correct?
Yes, that's exactly what I want. The API is available as a 3rd party tool.
I don't think that it can be done within FNAC logic. A similar behavior can be achieved with MDM integrations, but in this case there is no MDM involved.
In theory (I don't know the exact details), if you are familiar with the API, you can also use the external tool to make API calls to FNAC.
Through the API you can try to change the role of the guest accounts that are valid. So, for example, you can use two roles: the default guest role after a standard registration and a new role updated after the API call. Then create an access policy that allows network access only for the valid guest user role. More information on the API can be found on the Fortinet Developer Network.
@ebilcari wrote: I don't think that it can be done within FNAC logic. A similar behavior can be achieved with MDM integrations, but in this case there is no MDM involved.
In theory (I don't know the exact details), if you are familiar with the API, you can also use the external tool to make API calls to FNAC.
Through the API you can try to change the role of the guest accounts that are valid. So, for example, you can use two roles: the default guest role after a standard registration and a new role updated after the API call. Then create an access policy that allows network access only for the valid guest user role. More information on the API can be found on the Fortinet Developer Network.
So, if I write a registration interface program myself, get the necessary information from the user and the verification succeeds, how do I add the user to the FortiNAC database? More precisely, is there a way to add a user to the guest profile without a web interface?
You can also do it in that way, the guest account can be created through API from the link I shared above:
I wrote an API application. When the user enters the required information, it performs a verification process. If the verification is successful, the API you provided works and adds the user as a FortiNAC guest account. Everything is as I want so far, but I have 2 problems.
1. I created a registration page but I don't know how to log in.
I couldn't find an API for login.
2. The person who connects to the wireless network normally enters the NAC interface and verifies the guest user here. I want them to go to the site I wrote and not to the NAC interface. How can I do this?
After guest creation there is also a host registration process that happens in the background. It creates a host record (based on the MAC address of the host) and ties it to the guest account. When the host tries to access the network, its MAC address is used to move it to the guest VLAN. So basically the guest registers their host once and will be able to join the network automatically without any login as long as the account is still valid.
So theoretically I can think of two possibilities:
- use the API to create the guest account and also the host account; then the guest will be automatically moved to the guest VLAN.
- use the API to create the guest account and, after creation, redirect the browser to the registration page in FNAC so the user can finish host registration through the FNAC portal with the existing credentials.
The web page used for the API should be added to the allowed domains in order for the isolated hosts to reach it.
FNAC allows including JS scripts in the page content as shown below:
Well, actually, I have this problem.
Firstly, I created an open wireless network.
I opened a dynamic VLAN and included it in FortiNAC.
When the user joins the network, he must first verify the certificate. However, there is no certificate request when connecting to the network.
My 2nd problem is that when the user connects to the network, I want the user to go directly to the registration page I created, but they go to FortiNAC's interface. How can I fix this?
That should be the SSL certificate used for the portal page. For security reasons, in later versions of FNAC, using a valid SSL certificate is mandatory:
To avoid issues on guest hosts, this certificate should be publicly signed and trusted.
The redirection can be done through a JS script inserted in "Left Column Content:" in the portal configuration pages, as described in my previous reply.
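As an added example (not code from the thread or from Fortinet), this is one way the redirect script described above could be written so that it only sends guests to an HTTPS page that is on the allowed-domains list and never loops. The host names, `PORTAL_URL`, `ALLOWED_DOMAINS` and the `return` query parameter are all assumptions chosen for illustration.

```javascript
// Placeholder values: replace with your own portal and allowed-domains entries.
const PORTAL_URL = "https://register.example.org/guest";  // custom registration page (assumed)
const ALLOWED_DOMAINS = ["register.example.org"];          // mirror of the NAC allowed-domains list (assumed)

// Returns the URL the browser should be sent to, or null to stay on the NAC page.
function redirectTarget(currentHref, portalUrl, allowedDomains) {
  let current, target;
  try {
    current = new URL(currentHref);
    target = new URL(portalUrl);
  } catch (e) {
    return null; // malformed URL: do nothing
  }
  // Guest devices must see a publicly trusted certificate, so plain HTTP is refused.
  if (target.protocol !== "https:") return null;
  // Isolated hosts can only reach domains on the allowed list; anything else would fail.
  if (!allowedDomains.includes(target.hostname.toLowerCase())) return null;
  // Already on the custom portal: avoid a redirect loop.
  if (current.origin === target.origin &&
      current.pathname.startsWith(target.pathname)) return null;
  // Hypothetical "return" parameter: lets the custom portal send the guest back
  // to the NAC page for host registration once the account exists. The portal
  // must validate this value against its own NAC host name before using it.
  target.searchParams.set("return", current.origin + current.pathname);
  return target.toString();
}

// Runs only in a browser, i.e. when pasted into the portal page content.
if (typeof window !== "undefined") {
  const to = redirectTarget(window.location.href, PORTAL_URL, ALLOWED_DOMAINS);
  if (to) window.location.replace(to);
}
```

The query string of the NAC page is deliberately dropped from `return` so that nothing the captive portal put in the URL is forwarded to the external site.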