Deployment: The Cloudi-Fi captive portal is configured in an existing Zscaler tenant, leveraging the existing GRE/IPsec tunnels. The source guest network(s) should be routed into these tunnels.
Security: Guests can be profiled based on how they authenticate in the captive portal. Daily guests, consultants and employees (along with their directory group) can each have different policies in Zscaler. Not only security policies but also quota, time and duration can be configured for each profile.
Compliance: In many countries Internet logs should be kept for a specific duration and matched with the user. In order to process a government request, the authentication logs and Internet logs should be correlated. All logs are hosted in the cloud. Authentication logs (in Cloudi-Fi) and pseudonymized Internet logs (in Zscaler) can be correlated in the Cloudi-Fi administration interface, menu Visits. Access to this menu should be restricted to a few administrators with an administration profile.
Configuration: Unlike a setup with a dedicated Zscaler tenant, the Zscaler configuration is not synchronized with Cloudi-Fi. However, the Zscaler configuration is done in a few steps, described below.
0) Prerequisites for Eligibility
Some parameters may conflict with the Cloudi-Fi integration, especially regarding the Multiple Authentication Domains capability.
Below are the settings to be verified:
Administration > Authentication Settings:
User Repository Type: must be Hosted DB
User Authentication Type: must be SAML
Login Attribute of your existing IdP:
The login attribute returned by your existing Identity Provider (IdP) must be unique and in the form of an email address.
If it returns only a username without a domain, Zscaler cannot perform authentication on multiple domains.
Example: the ADFS attribute sAMAccountName returns only a username, without a domain.
1) Provide your Zscaler account information
Go to your Zscaler Admin interface > Administration > Company Profile
Copy and paste the following information:
Cloudi-Fi IDP ID, when available
2) Add Cloudi-Fi Guest domain to your Zscaler account
Submit a ticket to Zscaler support to add the Cloudi-Fi authentication domain. The domain name is provided by the Cloudi-Fi team.
3) Create Cloudi-Fi Identity Provider
Go to Administration > Authentication Settings > Identity Provider tab >
Add Identity Provider:
IdP SAML Certificate: Available here
SAML Portal URL: provided by the Cloudi-Fi team
Login Name Attribute: token
Domain: Cloudi-Fi dedicated domain
User Display Name Attribute: token
Group Name Attribute: profile
Department Name Attribute: profile
Save the ID assigned to the Cloudi-Fi IdP and share it with the Cloudi-Fi team.
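As an added example (not Cloudi-Fi or Zscaler code), the Python below checks a SAML attribute statement against the step 0 prerequisite (the login attribute must be unique and in email form, on the Cloudi-Fi domain) and reads the token/profile attributes mapped in step 3. The assertion, the domain guest.example.invalid and the profile names are constructed placeholders, not values from the page.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GUEST_DOMAIN = "guest.example.invalid"  # placeholder for the Cloudi-Fi dedicated domain
KNOWN_PROFILES = ("guest", "consultant", "employee")  # constructed profile names
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed attribute statement shaped like the token/profile mapping of step 3.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="token">
      <saml:AttributeValue>a1b2c3d4@guest.example.invalid</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="profile">
      <saml:AttributeValue>consultant</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_attributes(xml_text):
    """Map each SAML Attribute Name to its list of values."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs

def check_login_attribute(attrs, login_attr="token", domain=GUEST_DOMAIN):
    """Step 0 prerequisite: exactly one value, in email form, on the guest domain."""
    values = attrs.get(login_attr, [])
    if len(values) != 1:
        return False, "login attribute missing or not unique"
    login = values[0].strip()
    if not EMAIL_RE.match(login):
        # A bare sAMAccountName lands here: Zscaler cannot derive the domain from it.
        return False, "login attribute is not in email form"
    if login.rsplit("@", 1)[1].lower() != domain:
        return False, "login domain is not the Cloudi-Fi domain"
    return True, "ok"

def resolve_profile(attrs, profile_attr="profile"):
    """Step 3 mapping: the profile attribute feeds Zscaler group/department policy."""
    values = attrs.get(profile_attr, [])
    if len(values) != 1 or values[0] not in KNOWN_PROFILES:
        return None  # unknown profile: do not grant a policy by default
    return values[0]
```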
4) Create Cloudi-Fi Custom URL Categories
Go to Administration > URL Categories > Add URL Category:
We need to create 2 custom categories:
Cloudi-Fi Portal URL: this category contains all the URLs to be whitelisted in order to display the captive portal properly.
Cloudi-Fi Connectivity Check URL: this category contains all the URLs used by guests' devices to detect the presence of a captive portal.
Below are the custom URLs and custom keywords to be added:
- Custom URLs:
- Custom Key words:
5) Create Authentication Bypass
To prevent visitors from being redirected to your authentication IdP, we configure a bypass for the 2 URL categories created previously.
Go to Administration > Advanced Settings:
In the Authentication Exemptions section, add the 2 custom categories.
Enable Policy for Unauthenticated Traffic: Enabled
Note: if this option was initially disabled in your account, an additional URL policy rule should be added when you create the Cloudi-Fi policy rules in the next section.
6) URL filtering policies for guests:
Configure this bundle of rules in order to redirect your guests to your captive portal, allow authenticated users to browse the Internet and prevent them from accessing forbidden categories.
The Cloudi-Fi team can assist you in the creation of these rules.
Thanks to dynamic groups, you don't need to update these rules every time you deploy a new guest location (more information in the next section).
Note: if the option Enable Policy for Unauthenticated Traffic was disabled in Advanced Settings (see previous section), you must add the following rule at the end of the Cloudi-Fi rules:
7) Dynamic group of Cloudi-Fi location(s)
Zscaler dynamic groups can be leveraged to simplify the management of guest rules, logs and policy in an existing Zscaler account.
Go to Administration > Location Management > Location Groups tab > Create New
Define a condition for your guest location.
This will allow any new location named Guest to dynamically belong to this group. Alternatively, the condition could be to include all locations with authentication disabled.
From now on, any new guest location will automatically belong to the group "CLOUDIFI". This will automatically add it to policy rules, reports and logs, and will clearly segregate the data and configuration between guest and corporate traffic (see section 9 for more information).
8) Create your Guest location/sub-location
You have the choice to create a location (dedicated VPN tunnel for guest traffic) or a sub-location (reuse an existing location and define the guest private IP range).
Go to Administration > Location Management
For a new location: Create a new Location
For a sub-location: select an existing location and click on this icon on the right
How to configure your guest location:
Name: must match the condition of your Cloudi-Fi dynamic group
Enforce Authentication: ON
Enable IP Surrogate (both options): timers should be equal to the Cloudi-Fi session lifetime
Enforce Firewall Control: ON
9) Create the Guest Firewall policy rules
Note: we recommend configuring these rules at the beginning of your Firewall policy.
Go to Policy > Firewall control
10) Administration and reporting
Administrators can have a scope restricted to the dynamic location, and then only see guest (or non-guest) data.
Alternatively, an administrator with full access can build specific reports/insights/log views for guest (or, by extension, non-guest) data.
Custom reports built for guests only
Custom log search