Wifi user with limited access
Hi everyone,
I would like to know what is the best way to limit a user's access within a wifi network.
I want to create a user that can only reach the Internet and some PCs. This user will be used for screen casting. I already have a public network but the PCs used for screen casting are not reachable from this network.
Thanks for your help.
- Labels: FortiAP
As noted by Graham and in addition to:
What are the requirements and options? The "best way" does not exist, it will depend on what you have available and what your target and also target users are. Managed clients can be handled very differently than unmanaged guest users.
- If you have a RADIUS server with authentication, it will actually be very easy - return the isolated VLAN after user/host/MAC authentication.
- If you have no such thing, you can use FortiGate's NAC feature (FortiOS 7+). The known static (requires disabling MAC randomization on these known clients) MAC addresses or whatever known criteria can have some elevated access (assigning the respective VLAN), unknown ones go to the guest VLAN.
Best regards,
Markus
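
The VLAN decision described in the reply above, as an added example that is not part of the thread and not code from any RADIUS server or from FortiOS. The function names, VLAN IDs and MAC addresses are constructed assumptions; the reply attributes are the standard RFC 3580 tunnel attributes used for dynamic VLAN assignment.

```python
import re

# Constructed sample values: VLAN IDs and MAC addresses are placeholders.
GUEST_VLAN = 99
KNOWN_CLIENTS = {
    "00:11:22:33:44:55": 30,  # hypothetical screen-casting client -> VLAN 30
}

def normalize_mac(raw):
    """Return the MAC as lowercase colon-separated hex, or None if malformed."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_randomized(mac):
    """The locally administered bit (0x02 of the first octet) marks a
    randomized/private MAC, which can never match a static allow list."""
    return bool(int(mac[:2], 16) & 0x02)

def vlan_reply(calling_station_id):
    """Pick the VLAN for a client and build the Access-Accept attributes.

    Known static MACs get their assigned VLAN; everything else (unknown,
    randomized or malformed) lands in the guest VLAN.
    """
    mac = normalize_mac(calling_station_id)
    vlan = KNOWN_CLIENTS.get(mac, GUEST_VLAN) if mac else GUEST_VLAN
    reply = {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan),
    }
    note = ""
    if mac and mac not in KNOWN_CLIENTS and is_randomized(mac):
        # Operator hint: this client must disable MAC randomization
        # for the SSID before it can be recognised as a known device.
        note = "randomized MAC, falls back to guest"
    return reply, note

if __name__ == "__main__":
    for sample in ("00-11-22-33-44-55", "DA:A1:19:00:00:01", "bogus"):
        print(sample, vlan_reply(sample))
```

A MAC address is a value the client sets itself, so the firewall policy on the elevated VLAN should still allow only the screen-casting PCs and Internet access.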
So you just want to restrict one user/device on an existing wifi network and keep everyone else's access the same?
You could use an L2 address object for that device and create a restrictive policy for it. However, restricting access to only some devices on the same network is going to be very difficult.
What's your ultimate end goal here and what are the reasons for restrictions? Can you shed more details on the requirements?
Graham
Thank you Markus
