Skip to main content

Search

Cloudi-Fi Knowledge Base

Guest identities and authentication sessions with Cloudi-Fi

Alexandre de THOMASSON
  • Updated

In the context of guest authentication, the concepts of session and identity are fundamental to understanding how access and interactions are managed for users.

 

1. Guest User Identity

An identity is a unique representation of a guest user within the system. It encompasses the attributes and credentials that define the guest and what they can do.

A user identity will be defined by the following attributes (see Cloudi-Fi Admin UI > Users > Accounts):

  • Display name is a user-friendly identifier for the guest user. It is often the first name and last name (e.g. Robert Dupont)
  • Login represents the credentials or identifier the guest uses to authenticate. This could be an email address (e.g., robert.dupont@gmail.com), phone number, or another unique identifier Cloudi-Fi uses to authenticate the guest.
  • Creation date records when the guest identity was first created in the system
  • Status indicates the current state of the guest's identity (see Status of a visitor identity)
  • Validity Start marks the beginning of the period when the guest's identity is considered valid. It can be used to automatically re-authenticate the user in case the authentication token expires.
  • Validity End marks the expiration date and time of the guest's identity.
  • Profiles define the duration of the user identity and are more about the validity of the user's credentials. They are configured in Admin UI > Users > Profiles.

 

Cloudi-Fi admin console - User accounts list

See Cloudi-Fi Admin UI > Users > Accounts

 

2. Authentication Token

Once a user authenticates, a session is created, and this session typically involves storing information about the user's identity and authorization in a session token. The Session Lifetime defines how long this session is valid.

Admin Portals Templates Session Lifetime

Session lifetime is configured in Cloudi-Fi Admin UI > Portals > Templates.

 

  • Duration: Depending on the security requirements and use case, it can range from 1 hour to several hours.
  • Expiry: When the session lifetime expires, the user is usually logged out automatically or asked to re-authenticate.
  • Purpose: The purpose of session lifetime is to limit the risk of unauthorized access if a session token is stolen or the user forgets to log out.

 

admin user authentications sessions

See Cloudi-Fi Admin UI > Users > Authentications

 

Session status refers to the current state of a user's session. It indicates whether the session is active or expired.

  • Green: The session token is currently valid and active, and the guest user is authenticated. This status usually persists until the session reaches its predefined lifetime.
  • Grey: The session token has reached its end of life because the session lifetime has expired. Once a session has expired, the user typically needs to re-authenticate to regain access.

Authentication status refers to Cloudi-Fi's ability to recognize the guest user when he authenticated.

  • Logged In: the visitor logs in for the first time
  • Returning: The visitor has a valid account but needs to be directly recognized by Cloudi-Fi. He has to reconnect by entering his login.
  • Returning (auto): The visitor has a valid account and is transparently authenticated. Using Cloudi-Fi cookies, we can find a guest in our database. Then, we check his validity to authenticate him (or not) transparently. 

 

Summary

Sessions (or tokens) and user identities work together. For example, a session's lifetime is less than or equal to identity duration.

  • Session Lifetime: defining the duration of the authentication session.
  • User Identity: defining the duration for which the user will have permission to automatically re-authenticate in case the Session Lifetime has expired.

 

Example

Context

Cloudi-Fi Captive portal with a Meraki Integration

Authentication process

On Monday at 8 a.m., a user logs in for the first time using the captive portal.

  • A token is assigned to the user (e.g., user1@company.cloudi-fi.net). This token is valid for 4 hours based on the Customer’s configuration (see session_lifetime in Admin UI > Portals > Templates)
  • An identity is created (see Admin UI > Users > Accounts) with a validity of 5 days (i.e., until Friday) based on the Customer’s configuration (see profile_duration in Admin UI > Users > Profiles)

On Monday at midnight, the Meraki system tries to re-authenticate the user because the 4-hour session has expired.

  • When the captive portal loads, Cloudi-Fi detects the user’s profile is valid until Friday.
  • Instead of the regular login page, it shows a “Continue” button, allowing users to bypass re-entering their credentials.

On Saturday, the user logs in to the SSID with the same device

    • Since his identity was valid only up until the day before (i.e. Friday), the user will need to log in again through the full captive portal experience.