How to apply dynamic access policies with FortiGate and Cloudi-Fi

Easily apply dynamic access policies on FortiGate firewalls by integrating with Cloudi-Fi as a cloud identity and policy provider. This guide explains how FortiGate leverages contextual data—like user profile or device type—from Cloudi-Fi to enforce granular, real-time access control.

Prerequisites

• FortiGate with FortiOS 7.0+ (recommended: 7.2+)

• Cloudi-Fi integrated with FortiGate via RADIUS

Step 1: Understand Cloudi-Fi profile-based attribute mapping

When a user connects to Wi-Fi and completes authentication through Cloudi-Fi captive portal, a profile is automatically assigned to the session. This profile determines the RADIUS attributes returned to FortiGate, which are used to enforce access policies.

How profiles are assigned

A user’s profile is assigned based on:

• The authentication method used (e.g., SSO, email, form-based, social login)
• The sponsor who approved the request (for sponsored guest workflows)
• The lobby administrator who created the account (for pre-created users)

In Cloudi-Fi, policies do not directly assign individual RADIUS attributes such as Fortinet-Group-Name. Instead, policies assign a profile to the user session. The profile itself is what defines which attributes are returned during RADIUS authentication.

A policy can assign a profile based on:

• SSID the user connected to
• Location of the site or country
• Authentication method
• Previously assigned profile

RADIUS attributes returned per profile

Each profile is preconfigured in Cloudi-Fi to return a specific set of RADIUS attributes, including:

• Fortinet-Group-Name: Used to group users on FortiGate for policy enforcement.

The value format is: cloudifi-PROFILE_NAME
Examples: cloudifi-Employees, cloudifi-Guests, cloudifi-Vendors

These values allow FortiGate to match authenticated users to the correct user groups and apply corresponding firewall, UTM, and shaping policies.

Step 2: Configure RADIUS on FortiGate

1. Go to User & Authentication > RADIUS Servers.
2. Click Create New and input:
   • Name: Cloudi-Fi
   • IP address: Cloudi-Fi RADIUS endpoint
   • Shared secret: Same as configured in Cloudi-Fi
   • Authentication method: PAP
3. Save and test the connection.

Step 3: Create user groups based on Fortinet-Group-Name

1. Go to User & Authentication > User Groups.
2. Click Create New.
3. Give it a name
4. Add a Remote Server and select the Cloudi-FiRADIUS server.
5. Under Groups, select Specify and input:
   1. Value: e.g., cloudifi-Employees

Save the group.

Repeat for each Cloudi-Fi profile that should map to a unique FortiGate group. 

Step 4: Create dynamic access policies in FortiGate

Use Fortinet user groups to define access rules based on the profile received from Cloudi-Fi. Below are common use cases.

Use case 1: Guest internet access only

• Profile: cloudifi-Guests
• Group: CloudiFi-Guests
• Policy:
  • Source Interface: Unified_WIFI
  • Source: CloudiFi-Guests user group
  • Destination: Internet
  • Action: Allow
  • Inspection: Optional (e.g., web filtering)
  • Logging: Enabled

Block internal traffic with a separate deny rule below this policy.

Use case 2: Employee access to internal services

• Profile: cloudifi-Employees
• Group: CloudiFi-Employees
• Policy:
  • Source Interface: Unified_WIFI
  • Source: CloudiFi-Employees user group
  • Destination: Internal Networks
  • Action: Allow
  • UTM: Enabled (AV, IPS, etc.)
  • Logging: Enabled

This allows full corporate access with inspection.

Use case 3: Limited access for vendors or contractors

• Profile: cloudifi-Vendors
• Group: CloudiFi-Vendors user group
• Policy:
  • Source Interface: Unified_WIFI
  • Source: CloudiFi-Vendors
  • Destination: Specific internal IPs or services
  • Action: Allow
  • Services: e.g., HTTPS, SSH
  • Logging: Enabled

Block access to the rest of the network using a deny policy.

Use case 4: Differentiated access by login method

Profiles can also reflect trust levels based on login method:

• cloudifi-SSOUsers: Access internal portals or cloud apps.
• cloudifi-FormUsers: Internet-only with limited service access.

Use the returned group to enforce segmentation and apply stricter inspection for lower-trust profiles.

Use case 5: Enforce bandwidth limits per profile

Traffic shaping can be applied to Cloudi-Fi user groups on FortiGate to limit bandwidth usage.

Example: Limit guests to 5 Mbps

• Profile: cloudifi-Guests
• Group: CloudiFi-Guests
• Traffic Shaper:
  • Create a shared shaper:
    • Name: guest-limit
    • Max bandwidth: 5 Mbps
• Policy:
  • Source Interface: Unified_WIFI
  • Source: CloudiFi-Guests user group
  • Destination: Internet
  • Action: Allow
  • Apply guest-limit traffic shaper

This ensures guest users don’t consume excessive network resources.

Use case 6: Apply content filtering by role

UTM profiles can be applied based on Cloudi-Fi groups to allow or restrict access to applications or web categories.

• Employees:
  • Allow collaboration tools
  • Block entertainment, social media
• Guests:
  • Allow only HTTP/HTTPS
  • Block VPNs, streaming platforms

Create and assign UTM profiles in FortiGate based on group membership.

Use case 7: Enforce time-based access control

Combine FortiGate schedules with Cloudi-Fi groups to control user access by time:

• Allow guest access only during business hours.
• Deny contractor access outside of project-specific time windows.

Assign schedules to the relevant firewall policies.

Related documentation

• https://support.cloudi-fi.net/hc/en-us/articles/18913751031965-How-to-set-up-multiple-captive-portals-in-FortiOS-Fortigate
• https://docs.fortinet.com/document/fortigate/7.6.3/administration-guide/759080/configuring-a-radius-server
• https://docs.fortinet.com/document/fortigate/7.6.3/administration-guide/710485/restricting-radius-user-groups-to-match-selective-users-on-the-radius-server
• https://www.cloudi-fi.com/use-cases/fortigate-cloudifi-granular-access-control