This article describes the various architectures to manage guest network with Zscaler ZIA and Cloudi-Fi. For an existing Zscaler customer, the guest network is usually secured by the tenant but authentication is done locally on the network. The consequence is that all guests are not identified into Zscaler and only one policy is applied to all traffic (daily guests, consultants and BYOD). Enabling captive portal into Zscaler with Cloudi-Fi provides multiple advantages:

Personalized guests onboarding

Profiling of guests with security policies for each profile

Total visibility of all guests traffic

Compliance with local regulations (Data privacy and Internet provider regulations)

Generic Zscaler topology

In order to leverage Zscaler ZIA, GRE/IPSEC redundant tunnels should be configured on the router/firewall/SD-WAN device. Zscaler allows different setup depending on your existing infrastructure. This has been developed in this article.

3 different configurations are possible with consequences in terms of setup and licensing. Please note that this document is subject to be enhanced as Cloudi-Fi & Zscaler may allow easier configuration for certain configurations in the future

The first option is recommended for a new customer to Zscaler or for hotspot, the second option is recommended for an existing Zscaler customer who wants to leverage his existing tenant. The last option is recommended for a customer who cannot benefit from configuring Cloudi-Fi into Zscaler and who will proceed with local configuration with Cloudi-Fi.

Solutions matrix

WAN - Zscaler dedicated tenant

WAN - Zscaler shared tenant

LAN - Local captive portal

Recommended for

Hotspot or new customer to Zscaler

Existing Zscaler customer

Existing Zscaler customer


native to Zscaler

native to Zscaler

in the WiFi

Zscaler tenant









Full, tokenized

Full, tokenized

Partial, requires private IP in logs

New GRE/IPSEC tunnels required




Setup complexity







Limited, cannot profile guests


One unique administration

2 administrations: Cloudi-Fi & Zscaler

Complex, different solutions to maintain

Zscaler licensing

Concurrent licences for all users. Embedded with Cloudi-Fi with Enterprise bundle

Employees with BYOD are recognized, additional Zscaler licences required for guests only

BYOD/guests/servers/IOT are mixed. Payment on unauthenticated transactions or bandwidth.

Authentication flow with WAN deployment

The captive portal is enabled into Zscaler There is no LAN configuration except the creation of open guest SSID and DNS/DHCP service.

The service is reusing existing Zscaler instance used for employees protection or a new instance. The guest network should be routed into the Zscaler tunnels, new locations will be provisioned into Zscaler with authentication to Cloudi-Fi enabled. Policies, quota, QOS can be enabled per profile of guests.

Authentication flow with LAN authentication

The captive portal is configured natively on the Wi-Fi infrastructure with external authentication (URL redirect & Radius server).

The service is reusing existing Zscaler instance used for employees protection. The guest network should be routed into the existing Zscaler tunnel with an identified private network. This private network will belong to a Zscaler sublocation with authentication disabled.

Did this answer your question?