How to Set Up a Secure Guest WiFi Portal with FortiGate and FortiAP

Are you looking to provide safe and controlled internet access to visitors in your office, café, or other public space? In this guide, we walk you through creating a secure guest WiFi portal using FortiGate and FortiAP. From setting up VLANs and SSIDs to customizing a captive portal and configuring firewall policies, we cover every step to ensure your guest network is both user-friendly and secure. Learn how to manage bandwidth, restrict internal network access, and monitor guest activity with ease. Perfect for IT admins and business owners alike!

FORTINET

11/26/2024

1. Prerequisites

Before configuring the Guest Portal, ensure:

  • You have a functioning FortiGate firewall and at least one FortiAP.

  • FortiAPs are properly connected to the FortiGate and managed via the Wireless Controller feature.

  • The FortiGate is configured to provide internet access.

  • A dedicated VLAN or SSID for guest users is configured.

2. Configure a Separate VLAN for Guests

a) Create a VLAN Interface:

  • Go to Network > Interfaces.

  • Click Create New > Interface.

  • Assign a name (e.g., Guest_VLAN), VLAN ID, and the physical interface the AP is connected to.

  • Configure a DHCP Server on this interface if required.

  • Assign the VLAN to a specific zone if applicable.


b) Tag the VLAN to the FortiAP:

  • Ensure the FortiAP supports VLAN tagging, and the port to which it is connected is configured to pass the guest VLAN.


3. Configure a Wireless SSID for Guests

a) Create the SSID:

  • Go to WiFi & Switch Controller > SSID.

  • Click Create New > SSID.

  • Enter a name for the SSID (e.g., Guest_WiFi).

  • Set the Type to Guest or WiFi.


b) Assign VLAN to the SSID:

  • Under Security Mode, configure WPA2/3 if you want encryption.

  • Set the VLAN ID to the guest VLAN created earlier.

  • Enable Captive Portal under Authentication Settings.

4. Configure the Captive Portal

a) Enable Captive Portal on the Guest VLAN:

  • Go to Network > Interfaces.

  • Edit the Guest VLAN interface.

  • Enable Captive Portal.

  • Select the authentication type (e.g., User Authentication, Pre-shared Key, or Email Registration).


b) Customize the Captive Portal:

  • Go to Authentication > Portal Pages.

  • Customize the portal page for branding, terms of service, or user instructions.


c) Create Guest User Accounts (Optional):

  • Go to User & Authentication > User Definition.

  • Add new guest users if using username-password-based authentication.


5. Configure Firewall Policies for Guests

a) Create a Policy for Internet Access:

  • Go to Policy & Objects > Firewall Policy.

  • Create a policy allowing traffic from the Guest VLAN or SSID to the WAN.

  • Configure bandwidth control or QoS as needed.


b) Restrict Access to Internal Networks:

  • Add policies to block traffic from the guest VLAN to internal networks.
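
Added example, not part of the original guide or any Fortinet tooling: a small Python audit that reads a firewall policy export and reports which policy decides guest-to-internal traffic. The config text is constructed, `internal` and `wan1` are assumed interface names, and address objects, services and zones are not evaluated.

```python
import re

# Constructed FortiOS-style policy export, trimmed to the fields read below.
# "internal" and "wan1" are assumed interface names; Guest_VLAN is the guide's.
HARDENED = '''
config firewall policy
    edit 1
        set srcintf "Guest_VLAN"
        set dstintf "internal"
    next
    edit 2
        set srcintf "Guest_VLAN"
        set dstintf "wan1"
        set action accept
    next
end
'''
# Constructed weak variant: a single accept policy whose destination is "any".
WEAK = '''
config firewall policy
    edit 1
        set srcintf "Guest_VLAN"
        set dstintf "any"
        set action accept
    next
end
'''

def parse_policies(text):
    """Policies in config order, which is the order FortiOS evaluates them."""
    policies = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["edit"]:
            policies.append({"id": tok[1]})
        elif tok[:1] == ["set"] and policies:
            policies[-1][tok[1]] = re.findall(r'"([^"]*)"', line) or tok[2:]
    return policies

def guest_verdict(policies, guest_if, internal_if):
    """Action and id of the first enabled policy matching guest_if -> internal_if."""
    for p in policies:
        src, dst = p.get("srcintf", []), p.get("dstintf", [])
        if p.get("status") == ["disable"]:
            continue
        if (guest_if in src or "any" in src) and (internal_if in dst or "any" in dst):
            # No "set action" line is treated as deny, the FortiOS default.
            return p.get("action", ["deny"])[0], p["id"]
    return "deny", None  # nothing matched: implicit deny
```

An `accept` verdict for an internal interface means the guest policy set needs tightening before the network goes live; a policy with destination `any` is the usual cause.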

6. Test the Setup

  • Connect a device to the Guest SSID.

  • Ensure the device receives an IP address from the correct VLAN.

  • Open a browser and verify that the captive portal appears.

  • Complete the authentication and check internet access.

Additional Enhancements

  • Bandwidth Management: Limit bandwidth per user to ensure fair usage.

  • Expiration Policies: Configure session expiration times for guests.

  • Analytics: Use FortiAnalyzer to monitor guest usage and activity logs.