DAT Fortinet Connect

Fortinet Connect
Simplified Guest Access, BYOD Onboarding and Policy Management

Fortinet Connect allows network administrators to

quickly and easily provide Wireless Guest Access.

It also gives tools to enable role and policy

management and reporting throughout the

BYOD life-cycle.

§ Role (visitor, temporary user, employee) and device based policy management

§ Enterprise-strength authentication

For any user on any network with any device

Packaged in a simple, wizard driven application, all facets of managing IT
workload in deploying BYOD are addressed effectively:

§ Onboarding for web and 802.1X authentications, abstracted across multiple OSs
and devices (laptops, smart phones, tablets) with iOS, Android™, Microsoft®
Windows®, Apple® MacOS X®, Linux®

§ Wired and wireless network vendor-agnostic user access, device onboarding,

policy and access management

§ Integrated reporting and auditing

§ Integration across vertical-specific applications (property management systems,

payment gateways) for ease of deployment

§ Retrieval and verification of identity and group based policies across multiple
identity stores (LDAP, RADIUS, social networking identities, other databases)

§ Integrated policy and reporting across specialized policy enforcement devices

like firewalls

compliance

running VMWare

§ Integration with leading MDM vendors to define policies based on device

§ Enterprise grade clustering for scalability and high-availability

§ Tailored to run on Fortinet Service Appliances or virtualized environments

Highlights

§ Seamless integration with multi-

vendor network infrastructure and
client platforms

§ Policy and role-based provisioning
of wireless/wired network access

§ Optimized for ease-of-use for both

IT staff and end users

and encryption

§ Dramatically reduces IT workload

§ Supports existing infrastructure and

employee devices

§ Protects the network and

sensitive data

§ Enterprise-strength 802.IX

authentication

§ Integrated RADIUS server for
quick and easy deployment of
AAA services

§ Dynamic network access control

with RADIUS CoA

DATA SHEET DATA SHEET | Fortinet Connect

Highlights

USER ROLES

Employee (trusted)

Contractor (trusted)

Guest / Visitor (untrusted)

(patients, ticketed audience, parents etc.)

Fortinet Connect looks at a variety of device and role trust relationships to provide unique access across common scenarios found in

enterprises, schools, universities, hotels and other common places of business. They can be summarized as follows:

DEVICE TYPES

CORPORATE OWNED (TRUSTED)

EMPLOYEE OWNED (UNTRUSTED)

(hotel managers, engineers, doctors, nurses, teachers, faculty)

Trusted access; Tightly controlled corporate identity server (AD, LDAP),
Fully MDM controlled. Full access to resources allowed by role.

Onboarding required; restricted access based on policy, MDM registered.
Possibly, restricted access to resources allowed by role.

(consultants, temporary workers, vendors at event, students,
conference staff)

Trusted access; Tightly controlled corporate identity server (AD, LDAP),
Fully MDM controlled. Full access to resources allowed by role.

Onboarding required; restricted access based on policy, MDM registered.
Possibly, restricted access to resources.

Untrusted access – Self provisioning or sponsored visitor access.
Internet only access.

Fortinet Connect addresses the above scenarios via built in services to integrate user end-to-end access and to securely onboard

employees with personal or corporate devices under policy management.

Network Diagram

Controller

Firewall

Wireless

Wired

Out-of-Band
Deployment

Username: guestname
IP Address: 192.168.X.X
Login Time: 11:30
Logout Time: 12:15

Fortinet Connect is deployed
out-of-band on a Fortinet service
appliance or as a VM-ware-ready
virtual appliance.

Fortinet
Connect

2

Fortinet Connect supports
any OS, any mobile
device, and any network —
regardless of vendor.

ANY OS

Apple Mac OS X
and iOS

Android

Windows

ANY MOBILE DEVICE

iPad, iPod, iPhone,
and Mac

Android phone
and tablet

Windows phone
and PC

ANY NETWORK

Wireless

Wired

DATA SHEET | Fortinet Connect

Highlights

Simplify user access for any OS on any network

Introduction
User access is no longer a nice-to-have feature in an enterprise.

kiosk or email creating a perfect

experience for the user.

Wired and WLAN user access is mandatory and web authentication

Administrators can also provide

due to its simplicity and ease of deployment has become the

a variety of portals for visitors

prevalent user access mechanism. User access creates a strong

logging into their networks

brand presence and in some verticals, such as hospitality and

based on their location,

event management, has direct revenue and customer satisfaction

language as well as whether or

consequences. To address the myriad of user access requirements

not they are using a traditional

associated with different businesses, the user access service in

laptop, smartphone or tablet.

Guest access on tablets

Fortinet Connect provides administrators, sponsors and users a full

Fortinet Connect supports 35+

toolset of services to provision and manage guest accounts and

languages out of the box for customizing the user and sponsor

their activity on the network with appropriate role-based policies.

portal to every locale that the business caters to.

Fortinet Connect Walkthrough: User Access
User access offers both sponsor and self provisioned user/visitor

Of paramount concern with networks is the enforcement of

appropriate policies for visiting users. Administrator-defined

account creation. Multiple accounts can be easily created by

individual, group, or general policies can have customized time-

uploading of account information into Fortinet Connect or bulk

based access, usage based access, or location based access.

creating accounts with random usernames and passwords.

Access to specific resources as well as bandwidth usage

Engaging IT staff for managing user accounts is neither practical

restrictions may be placed on the user accounts as well.

nor economic. In some cases such as hospitals or in event centers

or arenas, handing this duty to non-IT staff such as security

personnel or event coordinators is cumbersome and tedious. In the

carpeted enterprise, particularly security conscious enterprises,

however, sponsors (such as employees hosting meetings with

guests) are required to invite users and manage their accounts for

full audit management. Account management functions —

One of the major complaints against user access through a web

portal is the need for users to reenter their credentials after their

devices “wake up” from the power-save induced (for saving on

battery life) sleep mode. Fortinet Connect securely addresses this

concern to reconnect without having to enter credentials and still be

under the same policy guidelines that you set up for the user profile.

creation, updates, password changes, notifications, deletion and

User access is optimized for ease-of-use, for both administrators

reports; are all customizable based on a variety of types of

sponsors (self-sign, front desk at a hotel, front desk at a carpeted

enterprise, security at a company etc.)

and end users. It is client platform agnostic and supports any
platform with a web browser, including iOS, Android™, Microsoft®
Windows®, Apple® MacOS X®, Linux® and more.

Brand presence management is catered to through the fully

Using social identity (Twitter or Facebook accounts) for network

customizable, mobile-adaptable login portal and walled garden.

access is becoming a larger trend for unpaid access. This creates a

User account notification can be managed through SMS, self-service

win-win for the provider and the subscriber. Capturing the identity is

PUBLIC VLAN

Internet Only

Parents/Guests

Access
Point

STUDENT VLAN

Out of Band

Controller

Fortinet Connect

Access to Apps by Policy

Username: student1
IP Address: 192.168.1.1
Login Time: 11:30
Logout Time: 12:15

Students

Internal Applications

RADIUS

Active Directory

Fortinet Connect makes it easy to authorize internal sponsors to create guest
accounts. You can also enable guests to securely self-provision.

investments.

a great marketing asset for service providers lead targeted marketing

campaigns for the users and for users it provides exchanging your

Facebook “likes” for unpaid access to the WiFi network.

Businesses large and small are moving their IT services (email, file

shares, archiving, identity services etc.) to the cloud to providers

such as Google. Fortinet Connect integrates with Google Apps to

authenticate users and guests to onboard them on the network

with appropriate policies.

Fortinet Connect supports networking switches, APs (and

controllers) from most major vendors. Such vendor agnostic

interoperability means the ability to leverage your existing

3

Businesses have existing authentication, billing and network infrastructure. Fortinet Connect integrates with these business systems
seamlessly to avoid duplication of data, maximize appropriate use of these resources and provide a single view into reporting and policies
associated with the usage.

DATA SHEET | Fortinet Connect

Business Systems Integration

Hospitality

In a traditional hospitality setting at a hotel, lodge, or resort, guest
access is often considered a value add for individual customers.
Integration with existing property management systems makes the
guest experience seamless — hotel guests can gain access to the
wireless network using their room number and name and if it is a
paid service, charge it to the room. Due to integration with a variety
of leading PMS (Property Management Systems), centralized
billing and account management is easy through Fortinet Connect
using either front desk provisioning or self-registration. Guests with
valid accounts can get online as soon as they are in range of the
wireless network without entering their credentials to have a better
guest experience.

User access provides the ability to not only address all of these
situations but also provide tiered access. For example, provide
free internet access for a short duration of time, based on the
user sharing their Facebook account name vs. providing a higher
bandwidth account on a paid service.

Tiered services (e.g. paid vs. free network services, or higher
bandwidth vs. restricted bandwidth network services) may also
be provided by checking on a guest account’s “status” against
a loyalty program. Authentications can be performed not only
against a local database but also against other databases such as
standards-based SQL or RADIUS or LDAP identity stores.

Fortinet Connect supports a wide variety of transport-related
scenarios as well, such as wireless network services for cruise
ships, buses, trains and airplanes. Passengers can readily gain

Education
The eduroam initiative allows secure, worldwide roaming access
for the research and education community. Eduroam allows
students, researchers and staff from participating institutions to
obtain Internet connectivity across campus and when visiting other
participating institutions by simply opening their laptop. Fortinet
Connect supports eduroam for authentication of visiting faculty,
students and scholars.

User access for parent-teacher meetings, homecoming or other
special events can be easily arranged using dedicated per-user
self-registration or open access along with policy management
across both wired and wireless networks. Bulk users can be
created by importing a list of visitors or creating random usernames
and passwords.

4

access to the wireless network
using their transportation ticket
information or pay for it using a
variety of payment processing
systems. Other options include
charging to a loyalty program,
cruise ship cabin room, etc.
Transportation staff can gain access to additional network, business
system & IT resources based on their assigned roles and privileges.

For conventions and conferences, hotels, or convention centers
typically want to associate a specific event with an event code to
track the users and associate policy based on the tiered service
they offer. Fortinet Connect provides a simple and efficient means
for such cases.

Arenas, stadiums, and other public spaces require a different set of
access means. While most of these are public spaces, the access
to the network could be one of:
§ A simple click-though acknowledging the terms of use
§ Providing some information (email address or mobile phone

number) to subscribe to the network

§ Logging on to the network using social media credentials such

as your Facebook or Twitter account

§ Paid service using credit card or PayPal based payment for
network access. A full PCI report is available through the
Fortinet Connect interface for all credit card based transactions.

User access, through security
policies set by the enterprise or
through government regulations,
requires tracking and maintaining
audit information regarding the
user account from its creation,
activation, usage (including details on what websites/applications
were accessed) through its expiry and deletion or reactivation in the
system.

User access provides integrated, exportable reports at both
the administrator as well as the sponsor level. Auditing reports
are generated by correlating user information across network
infrastructure against the account information in Fortinet Connect.

DATA SHEET | Fortinet Connect

Healthcare

With the growing demand for better care for patient and their

out of the box and with little

visitors in healthcare institutions outside of medical treatment,

customization can be used for a

providing WiFi access has become a norm. However, with

variety of patients from different

legitimate security and bandwidth management concerns,

ethnicities to make them feel at

providing reliable, auditable and self-serviced or free internet

home and comfortable.

access is possible with Fortinet Connect.

Features & benefits

User access combines the ability to self-service the user

§ Automated wireless/wired user management — optimized for

creation process via its highly customizable web portal. It also

ease-of-use

allows the administrator to automatically provision and enforce

§ Seamless integration with multi-vendor network infrastructure

a preset bandwidth and/or data limit to each individual user so

and client platforms

as to keep the network available for other more mission critical

§ Fully customizable guest portal

usage. For longer duration guests, devices and usernames can

§ Comprehensive activity monitoring and reporting

be remembered using a “remember me” feature to make the

§ Simplifies secure user access to dramatically reduce IT workload

user experience better while still keeping the network secure.

§ Supports existing infrastructure and visitor devices

Customization of portals and creation of a sophisticated walled

§ Promotes your brand and ensures an outstanding end-user

garden provides the ability to provide additional information to

experience on any client

visitors as well as manage the branding and marketing for the

§ Restricts guest access to authorized users only

institute. User access portals are available in 30+ languages

§ Ensures appropriate use and supports audit requirements

Simplify BYOD Provisioning for any OS on any Network

Fortinet Connect Walkthrough: Device Onboarding

Step 1
Authenticate using
Web authentication

Step 2
Download an applet
to configure 802.1X

Step 3
Automatically connect
with 802.1X

Fortinet Connect also provides employees

and other trusted users a way to onboard

their trusted and untrusted devices

on the secure network. It provides the

administrator with flexibility to decide on

the correct level of policy for the untrusted

devices being brought onto the network

by the trusted user.

Onboarding refers to auto-provisioning of

corporate- or employee-owned devices

to use the secure (typically 802.1X

authenticated) networks. This could be

true of wireless or wired infrastructures.

Smart Connect makes it easy for employees to self-provision their devices

Fortinet Connect provides a set sequence of events for non-

the web portal network and reconnected to the secure network

technical employees and contractors to setup their devices with

using the new secure settings. All of the steps are done without

appropriate 802.1X settings for accessing the wired or wireless

the need for a client agent residing on the device thus providing

network. A standard web portal (different from the secure network)

ease of deployment and scale. This workflow is very intuitive for the

is initially presented for the user to enter their corporate credentials.

end users and removes their dependence on IT to onboard their

Once a device connects, its type is detected; the credentials

devices. Also, from an IT perspective, since the settings are done

verified against a backend device and based on the administrator’s

centrally, policies can be set effectively and uniformly based on

configuration appropriate secure network access settings are

both the user role, device role, and the device type.

downloaded to the device. The device is then disconnected from

Encrypted

Access Point

5