This guide provides step-by-step instructions to set up the Cloudi-fi Captive Portal with your existing Zscaler tenant, ensuring full synchronization.
Overview
Cloudi-Fi Captive portal is configured into a Zscaler tenant leveraging existing GRE/IPSEC tunnels. The source guest network(s) should be routed into the tunnels.
With the Full option, Zscaler configuration is fully synchronized with Cloudi-Fi.
Key Information to Share with Cloudi-fi Support Team
Attribute | Value | Where? |
Cloudi-fi Guest domain | To share | Go to Step 2: Add a Cloudi-Fi Guest domain to Zscaler account |
Prerequisites
1. Authentication check
Before proceeding, verify the following settings to avoid conflicts with Cloudi-Fi integration, especially related to Multiple Authentication Domains:
- Go to Zscaler Admin interface > Administrations > Authentications > Authentications Settings > Authentication Profiles
  - User Repository Type: Must be set to Hosted DB
  - User Authentication Type: Must be set to SAML
- Go to Zscaler Admin interface > Administrations > Authentications Settings > Identity Providers
  - The login attribute returned by your existing Identity Provider (IdP) must be unique and in the form of an email address (e.g., user@my-company.com).
  - If the login attribute only returns a username without a domain, Zscaler cannot perform authentications on multiple domains. For example, the ADFS Attribute sAMAccountName only returns a username without a domain.
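A pre-flight check for the login attribute requirement above can be run over an export of IdP login values before the guest domain is added. This is an added example, not part of the Cloudi-Fi or Zscaler tooling; the function name, the export format (one value per entry), the case-insensitive comparison and the optional list of expected authentication domains are assumptions.

```python
import re
from collections import Counter

# Simple "local@domain.tld" shape check; not a full RFC 5322 parser.
EMAIL_FORM = re.compile(r"^[^@\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def check_login_attributes(values, auth_domains=None):
    """Classify exported IdP login attribute values (hypothetical export)."""
    report = {"bare_username": [], "malformed": [], "duplicate": [],
              "unexpected_domain": [], "domains": Counter()}
    seen = set()
    allowed = {d.lower() for d in auth_domains} if auth_domains else None
    for raw in values:
        value = raw.strip()
        if "@" not in value:
            # e.g. ADFS sAMAccountName: username only, no domain part
            report["bare_username"].append(value)
            continue
        if not EMAIL_FORM.match(value):
            report["malformed"].append(value)
            continue
        key = value.lower()  # assumption: logins compared case-insensitively
        if key in seen:
            report["duplicate"].append(value)
            continue
        seen.add(key)
        domain = key.rsplit("@", 1)[1]
        report["domains"][domain] += 1
        if allowed is not None and domain not in allowed:
            report["unexpected_domain"].append(value)
    report["ok"] = not any(report[k] for k in (
        "bare_username", "malformed", "duplicate", "unexpected_domain"))
    return report

# Constructed sample values, not taken from a real directory.
SAMPLE = [
    "alice@my-company.com",
    "Alice@My-Company.com",   # same login, different case
    "bob",                    # sAMAccountName-style bare username
    "carol@my-company",       # no top-level domain
    "dave@partner.example",   # domain not expected for authentication
]

if __name__ == "__main__":
    result = check_login_attributes(SAMPLE, auth_domains={"my-company.com"})
    for name in ("bare_username", "malformed", "duplicate", "unexpected_domain"):
        print(f"{name}: {result[name]}")
    print("login attributes meet the prerequisite:", result["ok"])
```

Any value reported under `bare_username` indicates the IdP is releasing a domain-less attribute and the SAML claim mapping needs to change before multiple authentication domains will work.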
2. Add a Cloudi-Fi guest domain to Zscaler account
To add a Cloudi-Fi Guest domain to your Zscaler account, you are required to submit a ticket and furnish the following details:
- The domain name provided by the Cloudi-Fi team (e.g., your-company.cloudi-fi.net)
- Make sure to include the following information in the ticket:
  - Your Zscaler Company ID
  - The authentication domain to be added
  - Your company name
3. Check subscriptions
Ensure the following features are activated for a Full integration:
- Z_API:
  - Go to your Zscaler Admin interface > Administration > Company Profile > Subscriptions
  - Ensure that the Z_API subscription is activated. If not activated, submit a ticket to Zscaler support.
- IP_Surrogate:
  - Check if "Enable Internal IP Features" is enabled. If not, submit a ticket to Zscaler support.
  - When creating or modifying a Zscaler location, you should be able to enforce authentication and enable the IP surrogate option.
- Source IP-based Load Distribution:
  - Check with Zscaler Support if the Source IP-based Load Distribution option is enabled.
- Apply location mapping to Global Auth Bypass traffic:
  - Check with Zscaler Support if the Apply location mapping to Global Auth Bypass traffic option is enabled.
4. Advanced settings
Enable the "Policy for unauthenticated traffic" option to trigger the captive portal for unauthenticated Guests.
Instructions
1. Creation/collection of API Key
- Go to Zscaler Admin interface > Administration > Authentication > Cloud Service API Security
- Create or collect the API key required for integration
2. Creation of an Admin account
- Go to Zscaler Admin interface > Administration > Authentication > Administrator Management > Administrators
- Add an administrator with the following details:
  - Login ID: Use the domain provided in Add a Cloudi-Fi Guest domain to your Zscaler account (e.g., provisioning.api@your-company.cloudi-fi.net).
    The Login ID used in Zscaler matches the Zscaler username used in Cloudi-fi.
  - Role: Super Admin
  - Password Based Login: ON (Set a password)
- Save the settings
3. Synchronize your Cloudi-fi tenant with Zscaler tenant
- Go to your Cloudi-fi Admin interface > Configurations > Integrations > Zscaler.
- Enable the Zscaler integration
- Enter the following details:
- Zscaler API Key: Use the API key obtained in Step 1 Creation/Collection of API Key
- Zscaler Username and Zscaler Password: Use the Login ID and password created in Step 2 Creation of an Admin account
- Zscaler Cloud: Select your Zscaler Cloud
- Tenant type: Existing tenant
- Synchronisation Mode: Full
- Finally, click on the "Connect" button.
For detailed information on all configurations pushed during this synchronization, please navigate to: How to deploy Cloudi-fi Captive portal into an existing Zscaler tenant - option Location Only
Troubleshooting
Once you have completed the configuration steps, you are now ready to start using the Cloudi-fi captive portal solution. If you encounter any issues or have any questions, please do not hesitate to reach out to our Support team.
Additionally, you can consult the Cloudi-Fi and Zscaler Troubleshooting guide for further assistance.
What’s next?
From now on, all of your locations with "CLOUDIFI" in their name will be automatically uploaded to the Cloudi-fi Admin interface under the Locations section.
For more information about our solutions integrated with Zscaler, including a how-to video and a comprehensive solution brief, please visit our partner page.