This documentation provides step-by-step instructions for setting up the Cloudi-Fi Captive portal with an existing Zscaler tenant using the Location Only integration.
Overview
The Cloudi-Fi Captive portal is configured into an existing Zscaler tenant, utilizing GRE/IPSEC tunnels. The guest network(s) should be routed into these tunnels.
With the Location Only option, the Zscaler configuration is partially synchronized with Cloudi-Fi instead of a Full setup. However, the Zscaler configuration can be completed in just a few steps outlined below.
Key Information to Share with Cloudi-fi Support Team :
Attribute | Value | Where? |
Cloudi-fi Guest domain | To share | Go to Add a Cloudi-Fi Guest domain to Zscaler account |
Company ID Name Domains |
To share To share To share |
Go to Provide your Zscaler account information |
IDP ID | To share |
Prerequisites
Authentication check
Before proceeding, verify the following settings to avoid conflicts with Cloudi-Fi integration, especially related to Multiple Authentication Domains.
Go to Zscaler Admin interface > Administrations > Authentications > Authentications Settings > Authentication Profiles
- User Repository Type: Must be set as Hosted DB
- User Authentication Type: Must be set as SAML
Go to Zscaler Admin interface > Administrations > Authentications > Authentications Settings > Identify Providers
- The login attribute returned by your existing Identity Provider (IdP) must be unique and in the form of an email address (e.g., user@my-company.com)
- If the login attribute only returns a username without a domain, Zscaler cannot perform authentications on multiple domains. For example, the ADFS Attribute sAMAccountName only returns a username without a domain
Add a Cloudi-Fi Guest domain to Zscaler account
To add a Cloudi-Fi Guest domain to your Zscaler account, you are required to submit a ticket and furnish the following details:
- The domain name provided by the Cloudi-Fi team (e.g. your-company.cloudi-fi.net)
- Make sure to include the following information in the ticket:
- Your Zscaler Company ID
- The authentication domain to be added
- Your company name
Check subscriptions
In order to perform the Location Only integration, it is necessary to ensure that the following features are activated.
Z_API
Go to your Zscaler Admin interface > Administration > Company Profile > Subscriptions
Ensure that the Z_API subscription is activated. If not activated, submit a ticket to Zscaler support
IP_Surrogate
Check if "Enable Internal IP Features" is enabled. If not, submit a ticket to Zscaler support.
Modifying or establishing a Zscaler location should empower you to enforce authentication and Enable IP surrogate option.
Source IP-based Load Distribution
Check with Zscaler Support if the Source IP-based Load Distribution option is enabled.
Apply location mapping to Global Auth Bypass traffic
Check with Zscaler Support if the Apply location mapping to Global Auth Bypass traffic option is enabled.
Provide your Zscaler account information
Copy/Paste the following information from your Zscaler Admin interface > Administration > Company Profile: Company ID, Name, Domains
1. Zscaler configuration
1.1. Create Cloudi-Fi Identity Provider
Access the Zscaler Admin interface: Go to Authentication > Authentication Settings > Identity Provider.
Add Identity Provider.
-
General Info :
- Name: Enter the name of your IDP
- Status: Ensure it is set to Enabled
- SAML Portal URL
https://login.cloudi-fi.net/start/ch/************/sp/spzscaler.net
Change "************" to match your Cloudi-fi public key visible in your Cloudi-fi Admin interface under "Settings > Company Account".
Change "zscaler.net" to match your Zscaler Entity ID (zscaler.net or zscloud.net or zscalerthree.net, etc).
-
- Login Name Attribute : Set it to "token"
- Org-Specific Entity ID : Keep it disabled
- IdP SAML Certificate : Provide the certificate (Available here)
-
Vendor : Specify the vendor (Any)
-
Criteria :
-
Location : Set it to "None"
- Authentication domain : Enter the domain provided in step 2 (your-company.cloudi-fi.net)
-
-
Service Provider (SP) options :
- Sign SAML Request : Keep it turned off (OFF)
- Sign SAML Request : Keep it turned off (OFF)
-
Provisioning options :
- Enable SAML Auto-provisioning : Turn it on (ON)
- User Display Name Attribute : Set it to "token"
- Group Name Attribute : Set it to "profile"
- Department Name Attribute : Set it to "profile"
- Enable SCIM Provisioning : Keep it turned off (OFF)
Save the settings
Save the ID assigned to Cloudi-Fi IDP and share it with the Cloudi-Fi team.
1.2. Creating Cloudi-Fi Custom URL Categories
To create custom URL categories in Cloudi-Fi, follow these steps :
Go to your Zscaler Admin interface and navigate to Administration > Access Control > URL Categories > Add URL Category.
Create the following three custom categories:
Category 1 : Cloudi-Fi Portal URL
This category contains all URLs to be whitelisted to display our captive portal correctly :
.cloudi-fi.net
.cloudi-fi.com
guest-api-v1.cloudi-fi.net
login.cloudi-fi.net
login-cn.cloudi-fi.net
www.cloudi-fi.com
Category 2 : Cloudi-Fi Connectivity Check URL
This category contains all the URLs used by guests' devices to detect the presence of a captive portal.
Add the following custom URLs and custom keywords :
Custom URLs :
captive.apple.com
clients3.google.com/generate_204
connectivity-check.ubuntu.com
connectivitycheck.gstatic.com/generate_204
detectportal.firefox.com
network-test.debian.org
www.apple.com/library/test/success.html
www.google.com/blank.html
www.msftconnecttest.com
www.msftncsi.com
Custom Keywords :
/generate_204
/gen_204
Category 3 : Cloudi-fi Apple Check URL
This category contains all the URLs used by guests’ devices to detect the presence of a captive portal (only for Apple devices).
Below are the Custom URL and Custom Key Words to be added :
Custom URLs :
captive.apple.com
www.apple.com/library/test/success.html
1.3. Create an Authentication Bypass
To avoid visitors being redirected to your Authentication IdP, we have set up a bypass for the previously created URL Categories (Cloudi-Fi Connectivity Check URL, Cloudi-fi Portal).
- Go to your Zscaler Admin interface > Administration > Cloud Configuration > Advanced Settings.
- In the Authentication Exemptions section, add the three custom categories.
- In the Policy for unauthenticated traffic, select Enabled.
Note: If this option was originally disabled in your account, you will need to enable it and add an additional URL policy rule when creating Cloudi-Fi policy rules in the next section (see Rule 7 (optional) - Allow Unauthenticated Traffic).
1.4. Dynamic group for Cloudi-Fi location(s)
To streamline the management of guest rules, logs, and policies within your Zscaler account, you can utilize Zscaler Dynamic groups. This will simplify the process of including new Cloud-fi locations or areas with disabled authentication in a specific group.
Go to your Zscaler Admin interface > Administration > Location Management > Location Groups > Add Dynamic Group.
Configure the dynamic group for Cloudi-Fi location(s) in the Zscaler admin portal.
Save the settings.
By creating this dynamic group, any new guest location will automatically be included in the "CLOUDIFI" group. This will ensure that the location is added to relevant policy rules, reports, and logs, while keeping the data and configuration separate from corporate traffic.
1.5. URL filtering policies for guests
Configure the following set of rules to achieve the following objectives :
- Redirect guests to the captive portal
- Allow authenticated users to browse the Internet
- Prevent access to forbidden categories
To set up the Cloudi-Fi Captive portal with an existing Zscaler tenant using the Location Only integration :
Go to your Zscaler Admin interface
Navigate to Policy > Access Control > URL and Cloud App Control
Create the following rules :
Rule 1 : apple captive portal URL
URL Filtering Rule
- Rule Name : for instance Apple Captive Portal
- Rule status : enabled
Criteria
- URL categories : Cloudi-fi Apple Check URL
- Department : Unauthenticated Transactions
- Request Methods : CONNECT, DELETE, GET, HEAD, OPTIONS, OTHER, POST, PUT, TRACE
- Time : Always
- Location Group : CLOUDIFI
- Web Traffic : Block
- Allow override : OFF
- Redirect URL :
https://login.cloudi-fi.net/start/ch/************/sp/spzscaler.net?source=transient
Change "************" to match your Cloudi-fi public key visible in your Cloudi-fi Admin interface under "Settings > Company Account".
Change "zscaler.net" to match your Zscaler Entity ID (zscaler.net or zscloud.net or zscalerthree.net, etc).
⚠️ "?source=transient" is needed for Iphones/Ipad to switch from CaptiveNetworkAgent browser to Safari.
And Save
Rule 2 : Walled Garden
URL Filtering Rule
- Rule Name : for instance, Walled Garden
- Rule status : enabled
Criteria
- URL categories : Cloudi-fi Apple Check URL, Cloudi-fi Portal
- Request Methods : CONNECT, DELETE, GET, HEAD, OPTIONS, OTHER, POST, PUT, TRACE
- Time : Always
- Location Group : CLOUDIFI
Action
- Web Traffic : Allow
And Save
Rule 3 : Cloudi-fi redirection
URL Filtering Rule
- Rule Name : for instance, Cloudi-fi Redirection
- Rule status : enabled
Criteria
- Department : Unauthenticated Transactions, Wallguard(*)
- Request Methods : CONNECT, DELETE, GET, HEAD, OPTIONS, OTHER, POST, PUT, TRACE
- Time : Always
- Location Group : CLOUDIFI
Action
- Web Traffic : Block
- Allow override : OFF
- Redirect URL :
https://login.cloudi-fi.net/start/ch/************/sp/spzscaler.net
Change "************" to match your Cloudi-fi public key visible in your Cloudi-fi Admin interface under "Settings > Company Account".
Change "zscaler.net" to match your Zscaler Entity ID (zscaler.net or zscloud.net or zscalerthree.net, etc).
And Save
(*) the Wallguard Department will be available after your first test of authentications. It cannot be created manually, so you will have to update this rule after your first tests.
Rule 4 : Denied Categories
URL Filtering Rule
- Rule Name : for instance, Denied Categories
- Rule status : enabled
Criteria
- URL Categories : add the categories you want to block for your Guests. For instance: Adult Sex Education, Adult Theme, Nudity, etc.
- Request Methods : CONNECT, DELETE, GET, HEAD, OPTIONS, OTHER, POST, PUT, TRACE,
- Time : Always
- Location Group : CLOUDIFI
Action
- Web Traffic : Block
- Allow override : OFF
- Redirect URL :
https://login.cloudi-fi.net/eun.php
And Save
Rule 5 : Department Allow
URL Filtering Rule
- Rule Name : for instance, Department Allow
- Rule status : enabled
Criteria
- Department : Guest, etc. (*)
- Request Methods : CONNECT, DELETE, GET, HEAD, OPTIONS, OTHER, POST, PUT, TRACE,
- Time : Always
- Location Group : CLOUDIFI
Action
- Web Traffic : Allow
- Allow override : OFF
(*) The department here will be the Guest profiles you will create in Cloudi-fi > Users > Profiles. These Departments will be available after your first test of authentications. It cannot be created manually, so you will have to update this rule after your first tests.
Rule 6 : Block (default)
URL Filtering Rule
- Rule Name : for instance, Block
- Rule status : enabled
Criteria
- Request Methods : CONNECT, DELETE, GET, HEAD, OPTIONS, OTHER, POST, PUT, TRACE,
- Time : Always
- Location Group : CLOUDIFI
Action
- Web Traffic : Block
- Allow override : OFF
- Redirect URL :
https://login.cloudi-fi.net/eun.php
And Save
Rule 7 (optional) : Allow Unauthenticated Traffic
If the option Enable Policy for Unauthenticated Traffic was initially disabled in Advanced Settings (see Step 1.3: Create an Authentication Bypass ), add the following rule at the end of Cloudi-Fi rules:
URL Filtering Rule
- Rule Name : for instance, Allow Unauthenticated Traffic
- Rule status : enabled
Criteria
- Department : Unauthenticated Transactions
- Request Methods : CONNECT, DELETE, GET, HEAD, OPTIONS, OTHER, POST, PUT, TRACE,
- Time : Always
Action
Web Traffic : Allow
1.6. Create the guest firewall policy rules
It is recommended to configure these rules at the beginning of your Firewall Policy.
Go to your Zscaler Admin interface > Policy > Firewall control and and create the following rules :
Rule 1 : Allow Web Guest locations
Firewall Filtering Rule
- Rule Name : for instance, Allow Web Guest locations
- Rule status : enabled
Who, Where, When
- Criteria > Location Group : CLOUDIFI
- Action > Network traffic : Allow
Services
- Criteria > Network Services : DNS, HTTP, HTTP Proxy, HTTPS
- Action > Network traffic : Allow
And Save
Rule 2 : Deny all Guest
Firewall Filtering Rule
- Rule Name : for instance, Deny All Guests
- Rule status : enabled
Who, Where, When
- Criteria > Location Group : CLOUDIFI
- Action > Network traffic : Block
And Save
1.7. Create your guest location/sub-location
You have the flexibility to create either a location (dedicated VPN tunnel for Guest traffic) or sub-locations (reuse an existing location and define the Guest private IP range).
Go to your Zscaler Admin interface and navigate to Administration > Location Management > Locations
For a new location : Create a new location
For a sub-location : If you want to reuse an existing location, select the location and click on the icon located on the right side to add Sub-location.
Configure the settings for your guest location :
- Name : Make sure the name matches the condition of your Cloudi-Fi dynamic group
- Enforce Authentication : ON
- Enable IP Surrogate : ON
- Enable IP Surrogate for known Browsers : ON
- Enforce Firewall Control : ON
- Idle Time to Disassociation : Set this value to match the Cloudi-Fi lifetime session. Refer to your Cloudi-Fi Admin interface under Portals > Template > Session Lifetime for the correct value
- Refresh Time for re-validation of Surrogacy : Set this value to match the Cloudi-Fi lifetime session. Refer to your Cloudi-Fi Admin interface under Portals > Template > Session Lifetime for the correct value
2. Synchronization between Cloudi-fi and Zscaler
To ensure seamless integration between your Cloudi-fi and Zscaler tenants, follow these steps.
2.1. Creation / collection of API key
Access your Zscaler Admin interface and navigate to Administration > Authentication > Cloud Service API Security. Create or collect the API key from this section.
2.2. Creation of an admin account
In the Zscaler Admin interface, go to Administration > Authentication > Administrator Management > Administrators. Click on "Add Administrators" to create a new admin account.
Specify the following details for the admin account :
- Login ID : For instance provisioning.api@your-company.cloudi-fi.net. This should match the domain provided in 0.2 when adding a Cloudi-Fi Guest domain to your Zscaler account
- Role : Select "Super Admin" for the admin role
- Password-Based Login : Enable this option and set a password. Ensure that the Zscaler password matches the password used in Cloudi-fi
Save the settings
2.3. Synchronize your Cloudi-fi tenant with your Zscaler tenant
Access your Cloudi-fi Admin interface and navigate to Configurations > Integrations > Zscaler. Enable the Zscaler integration
Fill in the following details:
- Zscaler API Key : go to Step 2.1: Creation/Collection of API Key
- Zscaler Username : is the Login ID of Step 2.2: Creation of an Admin account
- Zscaler Password : is the Password of Step 2.2: Creation of an Admin account
- Zscaler Cloud : select your Zscaler Cloud
- Tenant type : Existing tenant
- Synchronisation Mode : Only Location
Click on "Connect" to establish the synchronization between Cloudi-fi and Zscaler.
Troubleshooting
Once you have completed the configuration steps, you are now ready to start using the Cloudi-fi captive portal solution. If you encounter any issues or have any questions, please do not hesitate to reach out to our Support team.
Additionally, you can consult the Cloudi-Fi and Zscaler Troubleshooting guide for further assistance.
What’s Next?
For more information about our solutions integrated with Zscaler, including a how-to video and a comprehensive solution brief, please visit our partner page.