Managing Guest Access


Guest access in a retail environment

Some retail businesses such as coffee shops provide free Wi-Fi Internet access for their customers. For this type of application, the FortiOS guest management feature is not required; the Wi-Fi access point is open and customers do not need logon credentials. However, the business might want to contact its customers later with promotional offers to encourage further patronage. Using an Email Collection portal, it is possible to collect customer email addresses for this purpose. The security policy grants network access only to users who provide a valid email address.

The first time a customer’s device attempts to use the Wi-Fi connection, FortiOS requests an email address, which it validates. The customer’s subsequent connections go directly to the Internet without interruption.


Creating an email harvesting portal

The customer’s first contact with your network will be with a captive portal which presents a web page requesting an email address. When FortiOS has validated the email address, the customer’s device MAC address is added to the Collected Emails device group.


To create the email collection portal:

1. Go to WiFi & Switch Controller > WiFi Network > SSID and edit your SSID.

2. Set Security Mode to Captive Portal.

3. Set Portal Type to Email Collection.

4. Optionally, in Customize Portal Messages select Email Collection.

You can change the portal content and appearance. See Customizing captive portal pages on page 516.



To create the email collection portal – CLI:

In this example the freewifi Wi-Fi interface is modified to present an email collection captive portal.

config wireless-controller vap edit freewifi

set security captive-portal set portal-type email-collect



Creating the security policy

You need configure a security policy that allows traffic to flow from the Wi-Fi SSID to the Internet interface but only for members of the Collected Emails device group. This policy must be listed first. Unknown devices are not members of the Collected Emails device group, so they do not match the policy.


To create the security policy:

1. Go to Policy & Objects > Policy > IPv4 and select Create New.

2. Enter the following information:

Incoming Interface                   freewifi

Source Address                        all

Source Device Type                 Collected Emails

Outgoing Interface                   wan1

Destination Address                 all

Schedule                                    always

Service                                       ALL

Action                                         ACCEPT

NAT                                             On

3. Select OK.

One thought on “Managing Guest Access

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.