Fortinet Connect Data Sheet

Fortinet Connect Data Sheet
Fortinet Connect
Simplified Guest Access, BYOD Onboarding and Policy Management
Fortinet Connect allows network administrators to
quickly and easily provide Wireless Guest Access.
It also gives tools to enable role and policy
management and reporting throughout the
BYOD life-cycle.
For any user on any network with any device
Packaged in a simple, wizard driven application, all facets of
managing IT workload in deploying BYOD are addressed effectively:
§§ Onboarding for web and 802.1X authentications, abstracted across
multiple OSs and devices (laptops, smart phones, tablets) with
iOS, Android™, Microsoft® Windows®, Apple® MacOS X®, Linux®
§§ Wired and wireless network vendor-agnostic user access, device
onboarding, policy and access management
§§ Role (visitor, temporary user, employee) and device based
policy management
§§ Integrated reporting and auditing
§§ Integration across vertical-specific applications (property management
systems, payment gateways) for ease of deployment
Highlights
§§ Seamless integration with multi-vendor
network infrastructure and client platforms
§§ Policy and role-based provisioning of
wireless/wired network access
§§ Optimized for ease-of-use for both IT
staff and end users
§§ Enterprise-strength authentication
and encryption
§§ Simplifies device onboarding
§§ Dramatically reduces IT workload
§§ Retrieval and verification of identity and group based policies
across multiple identity stores (LDAP, RADIUS, social networking
identities, other databases)
§§ Supports existing infrastructure and
employee devices
§§ Integrated policy and reporting across specialized policy
enforcement devices like firewalls
§§ Enterprise-strength 802.IX authentication
§§ Integration with leading MDM vendors to define policies based on
device compliance
§§ Enterprise grade clustering for scalability and high-availability
§§ Protects the network and sensitive data
§§ Integrated RADIUS server for quick and
easy deployment of AAA services
§§ Dynamic network access control with
RADIUS CoA
§§ Tailored to run on Fortinet Service Appliances or virtualized
environments running VMWare
DATA SHEET
Fortinet Connect
HIGHLIGHTS
Fortinet Connect looks at a variety of device and role trust relationships to provide unique access across common scenarios found in
enterprises, schools, universities, hotels and other common places of business. They can be summarized as follows:
DEVICE TYPES
USER ROLES
CORPORATE OWNED (TRUSTED)
EMPLOYEE OWNED (UNTRUSTED)
Trusted access; Tightly controlled corporate identity server (AD, LDAP),
Fully MDM controlled. Full access to resources allowed by role.
Onboarding required; restricted access based on policy, MDM registered.
Possibly, restricted access to resources allowed by role.
Trusted access; Tightly controlled corporate identity server (AD, LDAP),
Fully MDM controlled. Full access to resources allowed by role.
Onboarding required; restricted access based on policy, MDM registered.
Possibly, restricted access to resources.
Employee (trusted)
(hotel managers, engineers, doctors, nurses, teachers, faculty)
Contractor (trusted)
(consultants, temporary workers, vendors at event, students,
conference staff)
Guest / Visitor (untrusted)
(patients, ticketed audience, parents etc.)
Untrusted access – Self provisioning or sponsored visitor access.
Internet only access.
Fortinet Connect addresses the above scenarios via built in services to integrate user end-to-end access and to securely onboard
employees with personal or corporate devices under policy management.
Network Diagram
Firewall
Controller
Wireless
Wired
Fortinet Connect is deployed
out-of-band on a Fortinet service
appliance or as a VM-ware-ready
virtual appliance.
Out-of-Band
Deployment
Username: guestname
IP Address: 192.168.X.X
Login Time: 11:30
Logout Time: 12:15
Fortinet
Connect
ANY OS
Fortinet Connect supports
any OS, any mobile
device, and any network —
regardless of vendor.
Apple Mac OS X
and iOS
Android
Windows
ANY MOBILE DEVICE
iPad, iPod, iPhone,
and Mac
Android phone
and tablet
Windows phone
and PC
ANY NETWORK
Wireless
2
Wired
www.fortinet.com
Fortinet Connect
HIGHLIGHTS
Simplify user access for any OS on any network
Introduction
User access is no longer a nice-to-have feature in an enterprise.
Wired and WLAN user access is mandatory and web authentication
due to its simplicity and ease of deployment has become the
prevalent user access mechanism. User access creates a strong
brand presence and in some verticals, such as hospitality and
event management, has direct revenue and customer satisfaction
consequences. To address the myriad of user access requirements
associated with different businesses, the user access service in
Fortinet Connect provides administrators, sponsors and users a full
toolset of services to provision and manage guest accounts and
their activity on the network with appropriate role-based policies.
kiosk or email creating a perfect
experience for the user.
Administrators can also provide
a variety of portals for visitors
logging into their networks
based on their location,
language as well as whether or
not they are using a traditional
laptop, smartphone or tablet.
Guest access on tablets
Fortinet Connect supports 35+
languages out of the box for customizing the user and sponsor
portal to every locale that the business caters to.
Fortinet Connect Walkthrough: User Access
User access offers both sponsor and self provisioned user/visitor
account creation. Multiple accounts can be easily created by
uploading of account information into Fortinet Connect or bulk
creating accounts with random usernames and passwords.
Engaging IT staff for managing user accounts is neither practical
nor economic. In some cases such as hospitals or in event centers
Of paramount concern with networks is the enforcement of
appropriate policies for visiting users. Administrator-defined
individual, group, or general policies can have customized timebased access, usage based access, or location based access.
Access to specific resources as well as bandwidth usage
restrictions may be placed on the user accounts as well.
or arenas, handing this duty to non-IT staff such as security
personnel or event coordinators is cumbersome and tedious. In the
carpeted enterprise, particularly security conscious enterprises,
however, sponsors (such as employees hosting meetings with
guests) are required to invite users and manage their accounts for
full audit management. Account management functions —
creation, updates, password changes, notifications, deletion and
reports; are all customizable based on a variety of types of
sponsors (self-sign, front desk at a hotel, front desk at a carpeted
enterprise, security at a company etc.)
Brand presence management is catered to through the fully
customizable, mobile-adaptable login portal and walled garden.
User account notification can be managed through SMS, self-service
PUBLIC VLAN
Internet Only
Parents/Guests
Out of Band
Access
Point
Controller
Fortinet Connect
Username: student1
IP Address: 192.168.1.1
Login Time: 11:30
Logout Time: 12:15
RADIUS
Active Directory
STUDENT VLAN
Access to Apps by Policy
Students
Internal Applications
Fortinet Connect makes it easy to authorize internal sponsors to create guest
accounts. You can also enable guests to securely self-provision.
One of the major complaints against user access through a web
portal is the need for users to reenter their credentials after their
devices “wake up” from the power-save induced (for saving on
battery life) sleep mode. Fortinet Connect securely addresses this
concern to reconnect without having to enter credentials and still be
under the same policy guidelines that you set up for the user profile.
User access is optimized for ease-of-use, for both administrators
and end users. It is client platform agnostic and supports any
platform with a web browser, including iOS, Android™, Microsoft®
Windows®, Apple® MacOS X®, Linux® and more.
Using social identity (Twitter or Facebook accounts) for network
access is becoming a larger trend for unpaid access. This creates a
win-win for the provider and the subscriber. Capturing the identity is
a great marketing asset for service providers lead targeted marketing
campaigns for the users and for users it provides exchanging your
Facebook “likes” for unpaid access to the WiFi network.
Businesses large and small are moving their IT services (email, file
shares, archiving, identity services etc.) to the cloud to providers
such as Google. Fortinet Connect integrates with Google Apps to
authenticate users and guests to onboard them on the network
with appropriate policies.
Fortinet Connect supports networking switches, APs (and
controllers) from most major vendors. Such vendor agnostic
interoperability means the ability to leverage your existing
investments.
3
Fortinet Connect
BUSINESS SYSTEMS INTEGRATION
Businesses have existing authentication, billing and network infrastructure. Fortinet Connect integrates with these business systems
seamlessly to avoid duplication of data, maximize appropriate use of these resources and provide a single view into reporting and policies
associated with the usage.
HOSPITALITY
In a traditional hospitality setting at a hotel, lodge, or resort, guest
access is often considered a value add for individual customers.
Integration with existing property management systems makes the
guest experience seamless — hotel guests can gain access to the
wireless network using their room number and name and if it is a
paid service, charge it to the room. Due to integration with a variety
of leading PMS (Property Management Systems), centralized
billing and account management is easy through Fortinet Connect
using either front desk provisioning or self-registration. Guests with
valid accounts can get online as soon as they are in range of the
wireless network without entering their credentials to have a better
guest experience.
User access provides the ability to not only address all of these
situations but also provide tiered access. For example, provide
free internet access for a short duration of time, based on the
user sharing their Facebook account name vs. providing a higher
bandwidth account on a paid service.
Tiered services (e.g. paid vs. free network services, or higher
bandwidth vs. restricted bandwidth network services) may also
be provided by checking on a guest account’s “status” against
a loyalty program. Authentications can be performed not only
against a local database but also against other databases such as
standards-based SQL or RADIUS or LDAP identity stores.
Fortinet Connect supports a wide variety of transport-related
scenarios as well, such as wireless network services for cruise
ships, buses, trains and airplanes. Passengers can readily gain
access to the wireless network
using their transportation ticket
information or pay for it using a
variety of payment processing
systems. Other options include
charging to a loyalty program,
cruise ship cabin room, etc.
Transportation staff can gain access to additional network, business
system & IT resources based on their assigned roles and privileges.
For conventions and conferences, hotels, or convention centers
typically want to associate a specific event with an event code to
track the users and associate policy based on the tiered service
they offer. Fortinet Connect provides a simple and efficient means
for such cases.
Arenas, stadiums, and other public spaces require a different set of
access means. While most of these are public spaces, the access
to the network could be one of:
§§ A simple click-though acknowledging the terms of use
§§ Providing some information (email address or mobile phone
number) to subscribe to the network
§§ Logging on to the network using social media credentials such
as your Facebook or Twitter account
§§ Paid service using credit card or PayPal based payment for
network access. A full PCI report is available through the
Fortinet Connect interface for all credit card based transactions.
EDUCATION
The eduroam initiative allows secure, worldwide roaming access
for the research and education community. Eduroam allows
students, researchers and staff from participating institutions to
obtain Internet connectivity across campus and when visiting other
participating institutions by simply opening their laptop. Fortinet
Connect supports eduroam for authentication of visiting faculty,
students and scholars.
User access for parent-teacher meetings, homecoming or other
special events can be easily arranged using dedicated per-user
self-registration or open access along with policy management
across both wired and wireless networks. Bulk users can be
created by importing a list of visitors or creating random usernames
and passwords.
4
User access, through security
policies set by the enterprise or
through government regulations,
requires tracking and maintaining
audit information regarding the
user account from its creation,
activation, usage (including details on what websites/applications
were accessed) through its expiry and deletion or reactivation in the
system.
User access provides integrated, exportable reports at both
the administrator as well as the sponsor level. Auditing reports
are generated by correlating user information across network
infrastructure against the account information in Fortinet Connect.
www.fortinet.com
Fortinet Connect
HEALTHCARE
With the growing demand for better care for patient and their
out of the box and with little
visitors in healthcare institutions outside of medical treatment,
customization can be used for a
providing WiFi access has become a norm. However, with
variety of patients from different
legitimate security and bandwidth management concerns,
ethnicities to make them feel at
providing reliable, auditable and self-serviced or free internet
home and comfortable.
access is possible with Fortinet Connect.
Features & benefits
User access combines the ability to self-service the user
§§ Automated wireless/wired user management — optimized for
creation process via its highly customizable web portal. It also
ease-of-use
allows the administrator to automatically provision and enforce
§§ Seamless integration with multi-vendor network infrastructure
a preset bandwidth and/or data limit to each individual user so
and client platforms
as to keep the network available for other more mission critical
§§ Fully customizable guest portal
usage. For longer duration guests, devices and usernames can
§§ Comprehensive activity monitoring and reporting
be remembered using a “remember me” feature to make the
§§ Simplifies secure user access to dramatically reduce IT workload
user experience better while still keeping the network secure.
§§ Supports existing infrastructure and visitor devices
Customization of portals and creation of a sophisticated walled
§§ Promotes your brand and ensures an outstanding end-user
garden provides the ability to provide additional information to
experience on any client
visitors as well as manage the branding and marketing for the
§§ Restricts guest access to authorized users only
institute. User access portals are available in 30+ languages
§§ Ensures appropriate use and supports audit requirements
SIMPLIFY BYOD PROVISIONING FOR ANY OS ON ANY NETWORK
Fortinet Connect also provides employees
and other trusted users a way to onboard
their trusted and untrusted devices on
Fortinet Connect Walkthrough: Device Onboarding
the secure network. It provides the
administrator with flexibility to decide on
the correct level of policy for the untrusted
Step 1
Step 2
Step 3
Authenticate using
Web authentication
Download an applet
to configure 802.1X
Automatically connect
with 802.1X
devices being brought onto the network
by the trusted user.
Encrypted
Onboarding refers to auto-provisioning of
corporate- or employee-owned devices
to use the secure (typically 802.1X
Access Point
authenticated) networks. This could be
true of wireless or wired infrastructures.
Smart Connect makes it easy for employees to self-provision their devices
Fortinet Connect provides a set sequence of events for non-technical
the web portal network and reconnected to the secure network
employees and contractors to setup their devices with appropriate
using the new secure settings. All of the steps are done without the
802.1X settings for accessing the wired or wireless network. A
need for a client agent residing on the device thus providing ease of
standard web portal (different from the secure network) is initially
deployment and scale. This workflow is very intuitive for the end
presented for the user to enter their corporate credentials. Once a
users and removes their dependence on IT to onboard their
device connects, its type is detected; the credentials verified
devices. Also, from an IT perspective, since the settings are done
against a backend device and based on the administrator’s
centrally, policies can be set effectively and uniformly based on
configuration appropriate secure network access settings are
both the user role, device role, and the device type.
downloaded to the device. The device is then disconnected from
5
Fortinet Connect
Policy is managed using user roles from the corporate identity
network with, even if the user is
server (AD or RADIUS etc.) as configured into the secure profile.
a trusted user, Fortinet Connect
The device policy is added to this to provide a complete view for
can distinguish the untrusted
that session. Fortinet Connect also integrates with leading MDM
device and not allow access
vendors to create a unique layered policy management framework
to the network. However for
to enhance the native user and device based policy with inputs
a trusted device and user,
from the MDM server. Using a dynamic authorization mechanism,
full network access can be
the session attributes may be changed anytime based on inputs
granted. Also, based on whether
and behavior of the session on the network.
the device is registered with the
In schools, the beginning of a semester or school year is the
busiest time. With new students coming to school new devices
need to be onboarded. Using device onboarding capability
Secure and simple onboarding
MDM system and in compliance with application policies, Fortinet
Connect can change the necessary privileges on the fly based on
input from the MDM systems.
drastically reduces IT time, complexity and training and reduces
Device authentication and policy management can also be
errors both from a misconfiguration as well as policy management
done using device onboarding for devices such as printers,
perspective saving time and resources to troubleshoot and rework
connected hospital equipment (Infusion pumps, heart monitors,
client devices. With the introduction of new devices every year,
blood pressure monitors etc.) and other devices that need to be
rather than having a new release covering onboarding, device
authenticated before being let onto the network. This is especially
onboarding provides a unique capability to just update the support
true of devices that are temporary or short-term leased and do not
for the supported devices automatically.
warrant being managed in the corporate identity servers.
Healthcare demands flexibility for doctors and caregivers to bring
Fortinet Connect seamlessly integrates mobile and traditional
their own devices but regulations and privacy policies mandate
laptop platforms including Windows, Linux, MAC OS, iOS and
severe restrictions on data being shared or stored on these
Android operating systems for onboarding purposes. It also
devices. Fortinet Connect meets this challenge two fold — user
supports setting up supplicants for a variety of secure 802.1X
and device role-based policy access, and applications that the
protocols including PEAP-MSCHAPv2, PEAP-GTC, EAP-TLS as
user can access. Based on the device the user is accessing the
well as non-802.1X authentication mechanisms PAP and CHAP.
Key Features and Benefits
6
Fully integrated platform for policy- and role-based provisioning
of wireless/wired network access
Simplifies secure user access and BYOD
Seamless integration with multi-vendor network infrastructure
and client platforms
Supports existing infrastructure and employee/visitor devices
Enterprise-strength authentication and encryption
Protects the network and sensitive data
Comprehensive activity monitoring and reporting
Ensures appropriate use and supports audit requirements
www.fortinet.com
Fortinet Connect
SPECIFICATIONS
TECHNICAL
Protocols Supported
Hardware Appliance Platforms
802.1X PEAP-GTC
SA250 Services Appliance
PEAP-MSCHAPv2
SA2000 Services Appliance
PEAP-TTLS WPA
Platforms
WPA-PSK WPA2
WPA2-PSK
SA250 Services Appliance supports up to 500 active users
SA2000 Services Appliance supports up to 10,000 active users
Supported Browsers
VIrtual Appliance supports up to 50,000 active users (with appropriate hardware)
IE 7.0 and higher
Virtual Appliance System Requirements
Safari
Minimum hardware specifications: 2 GB memory, 50 GB disk space, 2.0 GHz CPU
VMware support: ESX 4.xi and above
Microsoft Hyper-V on Windows 2008 and later
Chrome
Firefox
Please note the range of Fortinet infrastructure access points are supported by a combination of specific
controller firmware and hardware and are not designed to function with third-party controllers. Specific
supported access point and controller combinations will change from time to time and such changes are
detailed in the respective firmware release notes. The Fortinet range of controllers, whether they are
infrastructure or integrated into FortiOS, only support Fortinet provided access points. Note that not all access
points are supported by all controller types.
Client Platforms Supported
Android 2.1 and greater
Apple iOS 7.0 and greater
Apple Mac OSX 10.7 and greater
Windows 10, Windows 7, Vista, XP SP3
Linux Ubuntu
ORDER INFORMATION
Authenitication
Active Directory
LDAP
Product
SKU
Description
RADIUS / RadSec
Fortinet Connect
MCT-100-U
Fortinet Connect — Includes licenses for up to 100 user
and device access licenses.
MCT-1000-U
Fortinet Connect — Includes licenses for up to 1,000 user
and device access licenses.
MCT-10000-U
Fortinet Connect — Includes licenses for up to 10,000
user and device access licenses.
Kerberos
Facebook
Twitter
Google Apps
SQL Database
Support and virtual appliance or hardware appliance quoted separately
GLOBAL HEADQUARTERS
Fortinet Inc.
899 KIFER ROAD
Sunnyvale, CA 94086
United States
Tel: +1.408.235.7700
www.fortinet.com/sales
EMEA SALES OFFICE
905 rue Albert Einstein
06560 Valbonne
France
Tel: +33.4.8987.0500
APAC SALES OFFICE
300 Beach Road 20-01
The Concourse
Singapore 199555
Tel: +65.6395.2788
LATIN AMERICA SALES OFFICE
Sawgrass Lakes Center
13450 W. Sunrise Blvd., Suite 430
Sunrise, FL 33323
United States
Tel: +1.954.368.9990
Copyright© 2017 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other
product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect
performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product
will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in
Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant
hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
FST-PROD-DS-CNCN-DAT-R2-201702
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertising