Set up an external Certificate Authority (CA) certificate as an authentication provider in Cloudi-Fi Cloud NAC. This lets Cloudi-Fi validate device certificates from your organization's PKI and use certificate attributes to map user identity.
Prerequisites
To complete this configuration, you will need:
- Administrator access to the Cloudi-Fi admin console.
- A valid CA certificate in PEM or DER format. This should be the same CA that signs the device certificates you intend to authenticate.
- Knowledge of which certificate attributes should be mapped to specific Cloudi-Fi identity fields (e.g., Common Name, Organizational Unit), and confirmation that the device certificates issued by your PKI actually carry those attributes.
1. Add a new authentication provider
- In the Cloudi-Fi admin console, navigate to Network > NAC Providers.
- Click Add NAC provider.
- From the list of authentication methods, select Certificate.
2. Upload the CA Certificate
- On the configuration form, click Upload CA certificate.
- Select the CA certificate file from your local machine.
- Cloudi-Fi will automatically parse the certificate and display key details, including the subject, issuer, expiration date, and serial number. This confirms the certificate was uploaded successfully. Compare these details against your PKI's records before continuing, so that you do not onboard the wrong CA or one that is about to expire.
3. Configure attribute mapping
- Go to the Mapping section of the configuration form.
- Define how attributes from the device certificate will map to Cloudi-Fi identity fields. This is a crucial step for correctly identifying users and devices.
- For example:
- Identifier → Common Name (CN)
- Full name → Common Name (CN) or another suitable attribute.
- Profile → Organizational Unit (OU)
- Click Save to apply the mapping. These settings will be used to process all future certificate-based authentications.
4. Save and review the configuration
- Click Save to finalize the authentication provider's setup.
- You will be redirected to a Configuration overview page. This page provides a summary of the settings you just configured, including the CA certificate details, the attribute mappings, and the current status of the authentication provider.
5. Activate your provider
- Go to Cloudi-Fi Admin UI > Policies > NAC and edit the default rule.
- To use the same provider for all of your locations, select the Identity Provider you configured above as the authentication method and click Save.
- To use different providers for different locations, leave the selection disabled on the default rule and create a dedicated policy instead. In that policy, set the desired Identity Provider as the authentication method and specify matching criteria such as the target location.
6. Update configuration if needed
You can modify the provider's settings at any time by returning to its configuration page.
- To update the CA certificate, upload a new one. The new certificate replaces the previous one, so device certificates issued by the old CA will no longer validate: plan a CA rotation so that devices are re-enrolled with certificates from the new CA before you switch.
- To adjust the identity mapping, modify the Mapping section.
Once the configuration is complete, Cloudi-Fi Cloud NAC will begin validating device certificates against the uploaded CA certificate. It will then use the defined attribute mappings to create an authenticated identity and assign the appropriate user profile.
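As an added pre-flight check (an example script written for this article, not Cloudi-Fi tooling), the following POSIX shell script uses only the openssl command line to do locally what steps 2 and 3 describe: print the CA details the console will display, confirm that the file is an unexpired certificate marked as a CA, verify that a device certificate was really issued by that CA (and that a look-alike certificate with the same subject from another issuer is rejected), and preview the Identifier / Full name / Profile mapping from CN and OU. All certificates, subjects (Example Corp, alice, Engineering) and file names are constructed for the demonstration; Cloudi-Fi's own parsing and matching rules are not reproduced here.

```shell
#!/bin/sh
# Added pre-flight check for certificate-based NAC onboarding. This is example
# tooling written for this article, not part of Cloudi-Fi or its documentation.
# It uses only the openssl command line and builds a throwaway sample PKI
# (constructed test data) so that it runs offline; point the functions at your
# own ca.crt / device certificates to check a real deployment.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so the run does not depend on the system openssl.cnf.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_device]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# Constructed sample PKI: one issuing CA, one device certificate it issued, and
# a self-signed "rogue" certificate that copies the device subject but was NOT
# issued by the CA (the case the CA check must reject).
make_sample_pki() {
    openssl req -x509 -config pki.cnf -extensions v3_ca -days 3650 \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout ca.key -out ca.crt \
        -subj "/O=Example Corp/CN=Example Device CA" >/dev/null 2>&1
    openssl req -new -config pki.cnf \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout device.key -out device.csr \
        -subj "/O=Example Corp/OU=Engineering/CN=alice" >/dev/null 2>&1
    openssl x509 -req -in device.csr -CA ca.crt -CAkey ca.key -set_serial 4097 \
        -days 30 -extfile pki.cnf -extensions v3_device -out device.crt >/dev/null 2>&1
    openssl req -x509 -config pki.cnf -extensions v3_device -days 30 \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout rogue.key -out rogue.crt \
        -subj "/O=Example Corp/OU=Engineering/CN=alice" >/dev/null 2>&1
}

# The details the console shows after upload (subject, issuer, serial, expiry);
# compare them, plus the SHA-256 fingerprint, with your PKI's records.
ca_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -serial -enddate -fingerprint -sha256
}

# Sanity check of the file you are about to upload: not expired and marked as
# a CA (basicConstraints CA:TRUE). Exit status 0 = usable.
ca_is_usable() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Does this device certificate chain to the uploaded CA? Exit status 0 = yes.
# A certificate with the right subject but another issuer must fail here.
device_issued_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Read one subject attribute (CN, OU, O, ...) as the Mapping section will see
# it. Prints the first value, or nothing if the attribute is absent.
subject_attr() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n "s/^ *$2=//p" | head -n 1
}

# Dry run of the mapping from step 3: Identifier <- CN, Full name <- CN,
# Profile <- OU. An empty Profile means the OU is missing from the certificate.
preview_identity() {
    cn="$(subject_attr "$1" CN)"
    printf 'Identifier=%s\nFull name=%s\nProfile=%s\n' \
        "$cn" "$cn" "$(subject_attr "$1" OU)"
}

make_sample_pki
ca_summary ca.crt
ca_is_usable ca.crt && echo "ca.crt: usable CA certificate"
if device_issued_by_ca ca.crt device.crt; then
    echo "device.crt: issued by ca.crt, identity preview:"
    preview_identity device.crt
fi
if ! device_issued_by_ca ca.crt rogue.crt; then
    echo "rogue.crt: rejected (same subject, not issued by ca.crt)"
fi
```

Run it as-is to see the full flow, or call `ca_is_usable`, `device_issued_by_ca` and `preview_identity` against your own files. The rogue case is the one worth keeping in mind: subject attributes alone never establish identity, only a certificate that validates against the uploaded CA does, which is why the CA check must come before any attribute mapping.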
To obtain the Cloudi-Fi certificate that your devices need to trust, please contact Cloudi-Fi support (see How to contact your Cloudi-Fi support).