Guest Account Provisioning

marcy · ‎03-27-2018

Hello,

is it possible to add new guest accounts for wifi via rest api or cli without using the admin username?

we want to add guest accounts via our intranet solutions.

emnoc · ‎03-27-2018

I would guess yes but never seen this done in that fashion, but have you looked at email-harvest and self-enrollment? This is what you can do and allow the users to publish a email-address. I believe no expiration can be set via this method but it requires no admin or guestuser-admin. A hotel WiFi would deploy something like this.

Ken

PCNSE

NSE

StrongSwan

xsilver_FTNT · ‎03-27-2018

Hello,

AFAIK adding guest account to the FGT via CLI/REST-API/GUI is not possible without admin or guest-admin account.

Same on FAC where you can use REST-API as minimalist option but you would still need an account with enabled "Web service access" and so associated REST Api access key/token.

Admin managed guest access gives you plenty of control over the users of your service (I would prefer this, but your service design might require a different approach).

If you need lazy access with less control over it, you can use mail-collector as emnoc mentioned.

And if you set it to deliver access password over email/SMS then you gain at least some control and verification that provided data are not completely falsified.

Still keep in mind that user can utilize some short term temporary mail services like 10minutemail to hide his identity almost completely while still being able to get access to your site/service. So if your local law/regulation require you to be able to track the user, then email verification is not an option, and SMS verification might be option only if users can't legally get anonymous SIM cards or SMS services to hide their identity.

Best regards,

Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

marcy · ‎03-27-2018

xsilver wrote:
Hello,

AFAIK adding guest account to the FGT via CLI/REST-API/GUI is not possible without admin or guest-admin account.

Hello,

this is no problem - but i need some examples how to i can create via rest api the user guest account(s).

regards

marcy · ‎03-28-2018

Nobody some idea?

marcy · ‎04-09-2018

Up, nobody some idea?

Baptiste · ‎04-09-2018

Hi,

If you need some help with API, you should go to https://fndn.fortinet.net

you will find some docs and examples and a dedicated forum for API

2 FGT 100D + FTK200

3 FGT 60E FAZ VM some FAP 210B/221C/223C/321C/421E

marcy · ‎04-09-2018

Yes, i know - but i cant create an Account for FNDN without Sponsor IDs, alright?

ftristao · ‎01-17-2021

Anyone got a solution? i also need implement in our intranet this option. I tried with api_admin and the guest admin, but in both i got an error: "Failed dependency"...

Jan_Lukele · ‎02-09-2021

Few hours of trying and console debugging and I have a working solution:

Requirements:

Guest group created with name GuestGroup (included in URL in examples below)

HTTP call:

URL: /api/v2/cmdb/user/group/GuestGroup/guest

Method: POST

Body (JSON):

{ "user-id": "user123456", "password": "psw123", "expiration": "2021-02-09 18:55:00" }

Working example in Powershell:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12

$FGRESTAPIKey = "cNQnrg6mq0sj91c0pn3hykjs31ydrr" # Replace with your own API key

$FGURL = "https://FG40.domain.local" # Replace with your FG URL (HTTPS required, trusted certificate required)

$FGHeaders = @{Authorization="Bearer $FGRESTAPIKey";Accept="application/json";"cache-control"="no-cache"}

$FGGuest = @{"user-id"="user123456";password="psw123";"expiration"="2021-02-09 18:55:00"} # Example

$FGresult = Invoke-WebRequest -Uri $($FGURL + "/api/v2/cmdb/user/group/GuestsGroup/guest") -Method POST -Verbose -Headers $FGHeaders -Body $($FGGuest | ConvertTo-Json)

I hope it helps...