Use Case:
Simplify IoT profiling and deployment with Cloudi-Fi and Zscaler: automate device profiling, enforce security policy per device category and streamline onboarding.
The primary goal of the Cloudi-Fi IoT framework is to provide a hassle-free experience by automatically identifying devices as they connect to the network.
This documentation provides detailed instructions on how to manage the DHCP service in Cloudi-Fi and seamlessly integrate it with Zscaler ZIA for device identification and policy enforcement.
Prerequisites:
Before configuring the service, you must activate Cloudi-Fi's DHCP module and configure a location and a subnet.
Within the Zscaler framework, a sub-location is automatically assigned to each IoT category and linked to a corresponding security profile. Because policy is then enforced per sub-location, IoT security is simplified.
Instructions
Step 1: Security Profiles
To classify network devices, you must define the security policy for each device set connected to your network based on the rules established within the security profiles.
- Navigate to Network > Security profiles > Add profiles
Note: By default, a quarantine-type security profile is automatically created.
- Name: Provide a descriptive name for the security profile
- Location: All or a single location
- Subnet: Select an existing subnet
- IPv4 pool size: Leave it at 0% for automatic IP deployment management
In the advanced options, select the type of security profile from the three choices:
- Quarantine: This is the default profile for unknown devices that still require categorization.
- Whitelist: Devices that match the rules within this profile are delivered an IP address by DHCP
- Blacklist: For identified devices that are not allowed network access; no IP address is delivered
Cloudi-Fi offers an optimized structure: a profile contains groups, each group contains the rules you configure, and each rule in turn contains sequences:
- Groups: Open the security profile and click on Add group (top left). Categorize devices based on their function, such as Fire Detection, Surveillance Cameras, or Meeting room management.
- Rules: Open a group and click on Add Rules (top left). Rules provide methods for filtering and interpreting the DHCP/MAC data set. The available rule types are:
  - Static MAC (ranges)
  - Static MAC - advanced (regexp)
  - Vendor MAC (OUI)
  - Automated (based on device Model and Brand)
  - DHCP Fingerprint (option 55 and option 60)
- Sequence: Open a rule and click on Add Sequence (top left). The fields depend on the rule type:
  - For Static MAC: name the sequence and fill in the MAC range
  - For Static MAC - advanced: filter MAC addresses with a regular expression
  - For Vendor MAC: filter using the vendor ID (OUI) and a regular expression
  - For Automated:
    - We suggest setting the confidence score to “Medium”
    - Select the device type in the fingerprint devices section
    - Filter using a regular expression
  - For DHCP Fingerprint: profile devices by DHCP option 55 (Parameter Request List) and option 60 (Vendor Class Identifier)
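As an added illustration (not Cloudi-Fi's code), the following Python models the profile > group > rule hierarchy of Step 1 and shows how each rule type decides whether a connecting device is whitelisted (IP delivered), blacklisted (no IP) or left in quarantine. Profile names, MAC addresses and DHCP option values are constructed; the real service's internal logic is not documented here.

```python
import re
from dataclasses import dataclass, field

@dataclass
class DhcpRequest:          # what the DHCP service sees before answering (constructed)
    mac: str                # client hardware address
    option55: tuple         # Parameter Request List: option codes the client asks for
    option60: str = ""      # Vendor Class Identifier string, if the client sends one

def _norm(mac: str) -> str:                 # "00-1A-2B" / "00:1a:2b" -> "001a2b"
    return re.sub(r"[:-]", "", mac).lower()

# One predicate factory per rule type on the page (hypothetical, not Cloudi-Fi's code).
def static_mac_range(lo: str, hi: str):
    return lambda r: int(_norm(lo), 16) <= int(_norm(r.mac), 16) <= int(_norm(hi), 16)
def static_mac_regex(pattern: str):
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda r: rx.fullmatch(r.mac) is not None
def vendor_mac_oui(oui: str):               # OUI = first three octets of the MAC
    return lambda r: _norm(r.mac).startswith(_norm(oui))
def dhcp_fingerprint(option55: tuple, option60_regex: str = ".*"):
    rx = re.compile(option60_regex)
    return lambda r: r.option55 == option55 and rx.search(r.option60) is not None

@dataclass
class SecurityProfile:
    name: str
    kind: str                                    # "whitelist", "blacklist" or "quarantine"
    groups: dict = field(default_factory=dict)   # group name -> list of rule predicates

def classify(req: DhcpRequest, profiles: list, quarantine: SecurityProfile):
    """Return (profile, group, lease_granted). First matching rule wins; no match -> quarantine."""
    for p in profiles:
        for group, rules in p.groups.items():
            if any(rule(req) for rule in rules):
                return p.name, group, p.kind != "blacklist"   # blacklist: no IP delivered
    return quarantine.name, None, True    # unknown device: IP from the quarantine pool

# Constructed configuration mirroring Step 1 (profile > group > rules > sequence values).
QUARANTINE = SecurityProfile("Quarantine", "quarantine")
PROFILES = [
    SecurityProfile("Building-IoT", "whitelist", {
        "Surveillance Cameras": [vendor_mac_oui("00:11:22"),
                                 dhcp_fingerprint((1, 3, 6, 15, 42), r"^CamOS")],
        "Fire Detection": [static_mac_range("02:aa:00:00:00:00", "02:aa:00:00:ff:ff")],
    }),
    SecurityProfile("Denied-Devices", "blacklist", {
        "Unapproved": [static_mac_regex(r"de:ad:be:ef:[0-9a-f]{2}:[0-9a-f]{2}")],
    }),
]
```

Rule order matters: a device is placed by the first matching rule, so a camera whose OUI is known is classified even when its DHCP fingerprint differs.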
Step 2: DHCP configuration
Zero-touch Zscaler integration: In Zscaler based deployments, bindings between DHCP server pools (IoT Security profiles) and sub-locations/sub-location-groups are automatically provisioned.
Zscaler sub-locations are created, updated (resized) and removed based on the security profiles configured in Cloudi-Fi and the number of IoT devices onboarded in each profile. This integration allows Cloudi-Fi's IoT/DHCP service to act as a unified platform for device identification and policy enforcement.
Location: Each location you create appears under Network > DHCP, where existing subnets can be added. When you create a new location, you are asked to reuse an existing subnet name. Reusing the name (not the IP address block, only the name) recreates all security profiles connected to that subnet in the new location and subnet, so you can apply the configuration without rebuilding the profiles.
To add a subnet to your location, navigate to Network > DHCP:
- Name: Select the subnet name associated with the security profile you plan to set up, or create a new one (in that case, specify the name)
- Subnet: IP range to use for new guests
- Fill in the DHCP relay and the DHCP range
DHCP pools are automatically inherited from security profiles configuration. IP addresses are assigned automatically too.
If the tunnel is inactive after subnet configuration, check the IPsec tunnel logs on your VPN gateway.
Step 3: DHCP settings
By default, DHCP settings are inherited from the global settings (top right of the DHCP dashboard).
DHCP settings can be customized at different levels of network hierarchy, from the highest to the lowest level:
- Global
- Location
- Subnet
In each of them, you'll find the following settings, editable as you need:
- Lease time: lease duration for unauthenticated users; by default it is set to 3600 seconds
- Extended Lease: lease duration for users who are already authenticated; by default it is set to 3600 seconds
- Default Gateway: Last subnet IP or First subnet IP
- DNS: DNS server(s) the guest user should use
- Advanced settings (NTP server, SMTP server, etc.)
Troubleshooting
Once you have completed the configuration steps, you are ready to start using the Cloudi-Fi captive portal solution. If you encounter any issues or have any questions, please do not hesitate to reach out to our Support team.
Additionally, you can consult the status of various services, including Captive Portal, Admin Console, and DHCP on Cloudi-Fi Services Status.
What’s next?
For more information about our solutions integrated with Zscaler, including a how-to video…