1. Introduction

The purpose of this article is to explain, step-by-steps, the integration between Versa Networks and Cloudi-Fi. The result for a user is to :

  • connect to guest wifi

  • authenticate through a captive portal provided by Cloudi-Fi

  • and then get connected to Internet or specific URL categories.

Using Versa NG-FW capabilities, the authentication policies are configured to bypass SSO URL & DNS and authenticate all remaining user traffic.

User/Group authentication and authorization between Versa and Cloudi-Fi is achieved using SAML.

Depending on customer’s requirement, some security profiles can be applied, such as :

  • URL filtering

  • IP filtering

  • SSL decryption

  • Web proxy

  • etc…

With Versa Analytics, log collectors can send syslog data to 3rd party systems to comply with regulations as expected by Cloudi-Fi.

2. Versa SAML Authentication Overview

Security Assertion Markup Language (SAML) authenticates users to access multiple services and applications. SAML configuration is useful for accessing multiple services or applications and authenticating for each service or application, for example, Google and its related services.

SAML is a common standard for exchanging authentication between parties, most commonly used for web browser-based single sign-on (SSO).

SAML SSO configuration offers the ability to log in with a single sign-on and access multiple services and applications. Similarly, SAML single sign-out can be configured to end sessions for multiple services and applications and log out using only one session.

SAML authentication can be used for services and applications that are external or internal to a customer organization.

  • FlexVNF supports user-identification from external identity providers using SAML protocol.

  • Customer can use any third party identity provider (IDP) to authenticate users and apply user, group, roles and location based policies.

  • Multiple branches or appliances can use single centrally located authentication server to authenticate users using SAML.

  • Authentication will be done outside of FlexVNF and it will have knowledge of only users.

  • Identity control module will generate required AuthN-request and parse AuthN-response.

  • Captive portal module will be used to send redirection.

Figure - Secure Access SAML authentication

Figure - Workflow in Central Auth-Server (CAS)

3. Cloudi-Fi SAML Authentication Configuration in Versa

3.1 Requirements

Software Version: 20.2 and later

License Tier: Prime Secure SD-WAN

Feature used: NG-FW and DNS Proxy

3.2 Roles

SPEntity : Versa VOS

IdPEntity : Cloudi-Fi

The purpose of DNS Proxy is to redirect DNS requests to cloud-fi.versa-networks.com to an internal DNS server managed by customer to resolv this domain to Versa CPE LAN IP address. All other requests will be managed by public DNS hosted in Internet.

The Versa Central Auth-Server functionality is handled by NG-FW feature.

In this demo, we are going to configure DNS resolution into our windows hosts file as below:

Go to C:\Windows\System32\drivers\etc\hosts and add the following line:

192.168.3.1 cloud-fi.versa-networks.com

The high-level architecture diagram used during our demo is displayed below:

Figure - Versa Networks and Cloudi-Fi integration

Hardware used: Versa CSG770

Software used: Versa VOS 20.2.3

3.3 Configuration

Do the following configuration for SAML Authentication:

1 > Upload certificates

- Get certificate (Cloud-fi-ca-cert) from Cloudi-Fi to secure communication (Assertion and Attributes) between Versa VOS and Cloudi-Fi;

- Get certificate (Cloud-Fi-Cert) from Versa/Customer to secure communication (AuthN request and AuthN response, services granted to user) between Guest Client (user browser) and Versa VOS

- Load Certificates in versa Director and then on appliances

Figure - Upload certificates in Versa Director

2 > Create SAML Profile

Go to:

Flexvnf > Click on Object & Connectors icon > Connector > Users / Group > SAML Profile

Figure - SAML Configuration in Versa Director

3 > Create Authentication Profile for SAML

Go to:

Flexvnf > Click on Object & Connectors icon > Connector > Users / Group > Authentication Profiles

Figure - SAML Authentication Profile Configuration in Versa Director

4 > Create Custom URL category for bypass Single Sign-on URL

Go to:

Flexvnf > Objects & Connectors > Click on Objects > Custom Objects > URL Categories

Figure - URL Category of Cloudi-Fi authentication servers

5 > Create Authentication Rule for bypass DNS Traffic

Go to:

Flexvnf > Click on Services icon > Next Gen Firewall > Authentication > Policies > Rules

Figure - authentication rule to bypass DNS traffic authentication

6 > Create Authentication Rule for bypass Single Sign on URL

Go to:

Flexvnf > Click on Services icon > Next Gen Firewall > Authentication > Policies > Rules

Figure - Authentication rule to bypass Cloudi-Fi authentication servers

7 > Create Authentication Rule for SAML

Go to:

Flexvnf > Click on Services icon > Next Gen Firewall > Authentication > Policies > Rules

Figure - Authentication rule for all wifi guest traffic

8 > Configure Captive Portal

Go to:

Flexvnf > Click on Services icon > Captive Portal

Figure 11 : Captive portal configuration in versa Director

9 > Configure DNS Proxy

o Configure SNAT Under Objects & Connectors > Objects > SNAT Pool

Figure - SNAT Pool Configuration for DNS Proxy in versa Director

o Configure DNS Proxy Profile under Networking > DNS > Proxy Profiles

Figure - DNS Proxy Profile Configuration in versa Director

o Configure DNS Proxy Policy under Networking > DNS > Policies

Figure - DNS Proxy Policy Configuration in versa Director

4. Call Flow verification using SAML-Tracer Extension

Step 1: Request Resource and Redirect to IDP

Figure - URL Redirect sent by Versa CPE

SAML AuthN request sent by Versa CPE to Client Browser:

Figure - SAML AuthN request

Step 2: Client Browser connects to IDP, present AuthN request and gets authentication page

Figure - Captive Portal authentication page

Step 3: Enter credentials (Id and Password), accept user conditions and click at authentication button

Figure - Login credentials submitted to Cloudi-Fi

Step 4: IDP (Cloudi-Fi) sends SAML response to client with AuthN response

Figure - SAML AuthN response sent by Cloudi-Fi

5. Service verification in Versa Director

5.1 User identification under Monitor tab

Figure - User identification profile in Versa CPE

5.2 Logs > Authentication in Analytics

Figure - Successful SAML Authentication logs in versa Analytics

Did this answer your question?