1. Introduction
The purpose of this article is to explain, step by step, the integration between Versa Networks and Cloudi-Fi. The result for a user is to:
- connect to the guest Wi-Fi,
- authenticate through a captive portal provided by Cloudi-Fi,
- and then get connected to the Internet or to specific URL categories.
Using Versa NG-FW capabilities, the authentication policies are configured to bypass the SSO URLs and DNS traffic and to authenticate all remaining user traffic.
User and group authentication and authorization between Versa and Cloudi-Fi is achieved using SAML.
Depending on the customer's requirements, security profiles can be applied, such as:
- URL filtering
- IP filtering
- SSL decryption
- Web proxy
- etc.
With Versa Analytics, log collectors can send syslog data to third-party systems to comply with the regulatory requirements expected by Cloudi-Fi.
2. Versa SAML Authentication Overview
Security Assertion Markup Language (SAML) authenticates users so that they can access multiple services and applications. A SAML configuration is useful when users access multiple services or applications and would otherwise have to authenticate to each one separately, for example Google and its related services.
SAML is a common standard for exchanging authentication between parties, most commonly used for web browser-based single sign-on (SSO).
A SAML SSO configuration lets a user log in once and access multiple services and applications. Similarly, SAML single sign-out can be configured to end the sessions of multiple services and applications with a single logout.
SAML authentication can be used for services and applications that are external or internal to a customer organization.
FlexVNF supports user identification from external identity providers using the SAML protocol.
A customer can use any third-party identity provider (IdP) to authenticate users and apply user-, group-, role- and location-based policies.
Multiple branches or appliances can use a single, centrally located authentication server to authenticate users using SAML.
Authentication is performed outside of FlexVNF, which only learns the identities of the users.
The identity control module generates the required AuthN request and parses the AuthN response.
The captive portal module is used to send the redirection.

Figure - Secure Access SAML authentication

Figure - Workflow in Central Auth-Server (CAS)
3. Cloudi-Fi SAML Authentication Configuration in Versa
3.1 Requirements
Software Version: 20.2 and later
License Tier: Prime Secure SD-WAN
Feature used: NG-FW and DNS Proxy
3.2 Roles
SPEntity: Versa VOS
IdPEntity: Cloudi-Fi
The purpose of the DNS Proxy is to redirect DNS requests for cloud-fi.versa-networks.com to an internal DNS server managed by the customer, which resolves this domain to the Versa CPE LAN IP address. All other requests are handled by public DNS servers on the Internet.
The Versa Central Auth-Server functionality is provided by the NG-FW feature.
In this demo, we configure the DNS resolution in the Windows hosts file as follows:
Edit C:\Windows\System32\drivers\etc\hosts and add the following line:
192.168.3.1 cloud-fi.versa-networks.com
The high-level architecture diagram used during our demo is displayed below:

Figure - Versa Networks and Cloudi-Fi integration
Hardware used: Versa CSG770
Software used: Versa VOS 20.2.3
3.3 Configuration
Do the following configuration for SAML Authentication:
1 > Upload certificates
- Get the certificate (Cloud-fi-ca-cert) from Cloudi-Fi to secure the communication (assertion and attributes) between Versa VOS and Cloudi-Fi;
- Get the certificate (Cloud-Fi-Cert) from Versa/the customer to secure the communication (AuthN request and AuthN response, services granted to the user) between the guest client (user browser) and Versa VOS;
- Load the certificates in Versa Director and then on the appliances.

Figure - Upload certificates in Versa Director
2 > Create SAML Profile
Go to:
Flexvnf > Click on Object & Connectors icon > Connector > Users / Group > SAML Profile

Figure - SAML Configuration in Versa Director
3 > Create Authentication Profile for SAML
Go to:
Flexvnf > Click on Object & Connectors icon > Connector > Users / Group > Authentication Profiles

Figure - SAML Authentication Profile Configuration in Versa Director
4 > Create Custom URL Category to Bypass the Single Sign-on URLs
Go to:
Flexvnf > Objects & Connectors > Click on Objects > Custom Objects > URL Categories

Figure - URL Category of Cloudi-Fi authentication servers
5 > Create Authentication Rule to Bypass DNS Traffic
Go to:
Flexvnf > Click on Services icon > Next Gen Firewall > Authentication > Policies > Rules

Figure - Authentication rule to bypass DNS traffic authentication
6 > Create Authentication Rule to Bypass the Single Sign-on URLs
Go to:
Flexvnf > Click on Services icon > Next Gen Firewall > Authentication > Policies > Rules

Figure - Authentication rule to bypass Cloudi-Fi authentication servers
7 > Create Authentication Rule for SAML
Go to:
Flexvnf > Click on Services icon > Next Gen Firewall > Authentication > Policies > Rules
Figure - Authentication rule for all wifi guest traffic
8 > Configure Captive Portal
Go to:
Flexvnf > Click on Services icon > Captive Portal

Figure - Captive portal configuration in Versa Director
9 > Configure DNS Proxy
- Configure SNAT under Objects & Connectors > Objects > SNAT Pool

Figure - SNAT Pool Configuration for DNS Proxy in Versa Director
- Configure the DNS Proxy Profile under Networking > DNS > Proxy Profiles

Figure - DNS Proxy Profile Configuration in Versa Director
- Configure the DNS Proxy Policy under Networking > DNS > Policies

Figure - DNS Proxy Policy Configuration in Versa Director
4. Call Flow Verification Using the SAML-Tracer Extension
Step 1: Request Resource and Redirect to IDP

Figure - URL Redirect sent by Versa CPE
SAML AuthN request sent by the Versa CPE to the client browser:

Figure - SAML AuthN request
Step 2: Client browser connects to the IdP, presents the AuthN request and gets the authentication page

Figure - Captive Portal authentication page
Step 3: Enter credentials (ID and password), accept the user conditions and click the authentication button

Figure - Login credentials submitted to Cloudi-Fi
Step 4: The IdP (Cloudi-Fi) sends a SAML response containing the AuthN response to the client

Figure - SAML AuthN response sent by Cloudi-Fi
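The four steps above (and the SP/IdP split described in section 2) can be reproduced outside of SAML-Tracer. The following Python script is an added example and is not code from Versa Networks or Cloudi-Fi: it builds the AuthN request the SP (the Versa CPE) sends in step 1, encodes it with the HTTP-Redirect binding, decodes it back the way the browser extension displays it, and then applies the structural checks an SP must perform on the AuthN response of step 4 (InResponseTo, status, validity window, audience) before it identifies the user and reads the group attributes used for policy. The endpoint paths, the IdP URL, the attribute name `group` and the sample response are assumptions constructed for the example; only the hostname cloud-fi.versa-networks.com comes from the article. The script deliberately does not verify the XML signature, which in a real deployment must be checked against the IdP certificate (Cloud-fi-ca-cert) with an XML-DSig library before any of these fields are trusted.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed endpoints: only the hostname cloud-fi.versa-networks.com comes from the
# article; the URL paths and the IdP URL are placeholders for this example.
SP_ENTITY_ID = "https://cloud-fi.versa-networks.com/saml/sp"
SP_ACS_URL = "https://cloud-fi.versa-networks.com/saml/acs"
IDP_SSO_URL = "https://idp.cloudi-fi.example/sso"


def _ts(value):
    # SAML timestamps look like 2024-01-01T12:00:00Z; fromisoformat wants +00:00
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_authn_request(request_id, issue_instant):
    """Step 1: the SP (Versa CPE) builds the AuthnRequest the IdP must answer."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
    )


def redirect_url(authn_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = comp.compress(authn_xml.encode()) + comp.flush()
    query = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return f"{IDP_SSO_URL}?{urlencode(query)}"


def decode_redirect_url(url):
    """What SAML-Tracer shows in step 1: recover the AuthnRequest XML from the redirect."""
    qs = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()


def check_saml_response(b64_response, expected_request_id, now_iso):
    """Step 4: structural checks the SP applies before trusting the AuthN response.

    Signature verification is NOT done here; validate the Response/Assertion
    signature against the IdP certificate with an XML-DSig library first.
    """
    now = _ts(now_iso)
    root = ET.fromstring(base64.b64decode(b64_response))
    issues = []
    if root.tag != f"{{{SAMLP}}}Response":
        issues.append("root element is not samlp:Response")
    if root.get("InResponseTo") != expected_request_id:
        issues.append("InResponseTo does not match our AuthnRequest ID (unsolicited/replayed)")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        issues.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "issues": issues + ["no Assertion"], "name_id": None, "attributes": {}}
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            issues.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            issues.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and SP_ENTITY_ID not in audiences:
            issues.append("assertion is addressed to a different audience")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"ok": not issues, "issues": issues,
            "name_id": name_id.text if name_id is not None else None, "attributes": attrs}


def sample_response(in_response_to, issued_iso, audience=SP_ENTITY_ID, status=SUCCESS):
    """Constructed, unsigned IdP response (not a Cloudi-Fi capture) used to exercise the checks."""
    nb = issued_iso
    na = (_ts(issued_iso) + timedelta(minutes=5)).isoformat().replace("+00:00", "Z")
    xml = (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
        f'IssueInstant="{nb}" InResponseTo="{in_response_to}" Destination="{SP_ACS_URL}">'
        f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{nb}">'
        '<saml:Subject><saml:NameID>guest@example.com</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
        '</saml:Conditions><saml:AttributeStatement>'
        '<saml:Attribute Name="group"><saml:AttributeValue>guest-wifi</saml:AttributeValue></saml:Attribute>'
        '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    req_id = "_" + uuid.uuid4().hex  # fresh, unpredictable ID per request
    url = redirect_url(build_authn_request(req_id, "2024-01-01T12:00:00Z"), "http://example.com/")
    print(decode_redirect_url(url))
    print(check_saml_response(sample_response(req_id, "2024-01-01T12:00:00Z"), req_id, "2024-01-01T12:01:00Z"))
```

The InResponseTo check is what ties the response of step 4 back to the request of step 1; a response whose value does not match an outstanding request ID (or that arrives after the NotOnOrAfter instant) is rejected even if its status is Success. The returned NameID and attribute values are what the SP would hand to the user/group policy engine after signature validation.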
5. Service verification in Versa Director
5.1 User identification under Monitor tab

Figure - User identification profile in Versa CPE
5.2 Logs > Authentication in Analytics

Figure - Successful SAML authentication logs in Versa Analytics