How to activate Zscaler Guest wifi into Cloudi-Fi to start authenticating your Guests and track their network usage
- Introduction
- Pre-requisites / Eligibility
- Synchronization
- Service Activation
- Further Zscaler configuration to adjust
- Last consideration
- Deep dive explanations
1 - Introduction
Deployment: Cloudi-Fi Captive portal is configured into an existing Zscaler tenant leveraging existing GRE/IPSEC tunnels. The source guest network(s) should be routed into the tunnels.
Security: Guests can be profiled based on how they authenticate in the captive portal. Daily guests, consultants, employees, and their directory group can all have different policies in Zscaler. Security policies and quota, time, and duration can be configured for each profile.
Compliance: In many countries, Internet logs must be kept for a specific duration and matched with the user. In order to process a government request, the authentication logs and the Internet logs must be correlated. All logs are hosted in the cloud. Authentication logs (in Cloudi-Fi) and pseudonymized Internet logs (in Zscaler) can be correlated in the Cloudi-Fi administration interface, under the Visits menu. Access to this menu should be restricted to a few administrators with administration profiles.
2 - Pre-requisites / Eligibility
Some parameters may conflict with Cloudi-Fi integration, especially regarding the capability to use Multiple Authentication Domains.
Below are the settings to be verified:
Authentication
Zscaler Administration > Authentication Settings:
- User Repository Type: Must be Hosted DB
- User Authentication Type: Must be SAML
Login Attribute of your existing IdP:
The login attribute returned by your existing Identity Provider (IdP) must be unique and in the form of an email address.
Example: user@my-company.com
If it returns only a username without any domain, Zscaler cannot perform authentication on multiple domains.
Example: The ADFS attribute sAMAccountName returns only a username, without a domain.
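To verify the login-attribute requirement before enabling the integration, here is an added example (not part of this article, nor Cloudi-Fi or Zscaler code) that parses a SAML assertion and reports whether the NameID or a given attribute carries a domain-qualified address. Element names follow the SAML 2.0 assertion schema; the sample assertion and its values are constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Domain-qualified identifier, e.g. user@my-company.com
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def login_attribute_value(assertion_xml, attribute_name=None):
    """Return the value the IdP sends as login identifier.

    With attribute_name=None the <saml:NameID> is used; otherwise the first
    <saml:AttributeValue> of the named attribute. Missing values yield "".
    """
    root = ET.fromstring(assertion_xml)
    if attribute_name is None:
        node = root.find(".//saml:Subject/saml:NameID", NS)
    else:
        node = None
        for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == attribute_name:
                node = attr.find("saml:AttributeValue", NS)
                break
    return (node.text or "").strip() if node is not None else ""

def supports_multiple_domains(value):
    """True only if the identifier carries a domain, as multi-domain auth needs."""
    return bool(EMAIL_RE.match(value))

# Constructed sample assertion (signature and conditions omitted for brevity)
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>user@my-company.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="sAMAccountName">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>user@my-company.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for attr in (None, "sAMAccountName", "mail"):
        value = login_attribute_value(SAMPLE_ASSERTION, attr)
        status = "OK" if supports_multiple_domains(value) else "NO DOMAIN"
        print(attr or "NameID", value, status)
```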

URL Policies for Unauthenticated traffic
Zscaler Administration > Advanced Settings
Make sure the "Apply URL Policies for Unauthenticated Traffic" is checked.
This option allows Cloudi-Fi to redirect any unauthenticated Guest to the appropriate captive portal page and recognize the Guest's location.
With this option enabled, you will have better control over your traffic by allowing or blocking unauthenticated traffic.
Subscriptions
Zscaler Administration > Company Profile > Subscriptions
An API licence must be present on the Zscaler account and must not be expired.

Tunnels
Guest traffic must go through an IPSec or GRE tunnel to Zscaler.
The client IP address must be visible to Zscaler.
NAT (Network Address Translation) must not be applied to traffic going through the Zscaler tunnels.
3 - Synchronization
To enable Cloudi-Fi in Zscaler, connect to your Cloudi-Fi Administration and go to Cloudi-Fi > Settings > Integration > Zscaler > Learn More.
Click on the "Enable this integration" button.

Once done, you will be requested to provide Zscaler connection details.

The Zscaler API key can be found under "Zscaler Administration > Cloud Service API Key Management" in your Zscaler administration console.

Click "Connect" to continue.
During the activation process, the following actions are performed on your Zscaler tenant:
- Adding a new IdP configuration dedicated to Guests (referring to the Cloudi-Fi IdP configuration)
- Creation of multiple custom categories
- Customization of Advanced Settings (URL Bypass Category list)
- Adding a Location Group "Cloudi-Fi", which will contain all locations and sub-locations where the Cloudi-Fi portal has to be enabled
- Adding base URL Filtering rules. These rules only apply to the "Cloudi-Fi" location group, so that the Cloudi-Fi configuration does not interfere with the existing Employee ruleset.

If you need to know exactly what configuration is changed by this Activation, you can just follow this link.
4 - Service Activation
You have the choice to create a location (dedicated VPN tunnel for Guest traffic) or sub-locations (reuse an existing location and define the Guest private IP range).
The Cloudi-Fi portal is automatically enabled on a location whose name is prefixed with "CLOUDIFI-"; renaming the location with this prefix is what enables it. If you want to enable Cloudi-Fi on a subset of your location, you will have to create a sub-location.
Go to Zscaler Administration > Location Management
- For a new location: create a new Location
- For a sub-location: select an existing location and click on the icon on the right
How to configure your Guest location:
- Name: must start with "CLOUDIFI-" in order to match the dynamic location group configuration
- Enforce Authentication: ON
- Enable IP Surrogate (both options): timers should be equal to the Guest session duration
- Enforce Firewall Control: ON
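To audit existing Guest locations against the four settings above, here is an added example (not Cloudi-Fi's or Zscaler's code) that checks a location export and lists every deviation. The field names authRequired, surrogateIP, surrogateIPEnforcedForKnownBrowsers, idleTimeInMinutes, surrogateRefreshTimeInMinutes and ofwEnabled are assumed to follow the ZIA location object and should be verified against your own export; the sample locations are constructed.

```python
# Assumed ZIA location-object field names; verify against your tenant's export.
REQUIRED_PREFIX = "CLOUDIFI-"  # matches the "Cloudi-Fi" dynamic location group

def audit_guest_location(loc, guest_session_minutes):
    """Compare one location object with the Guest location settings of the guide.

    Returns a list of findings; an empty list means the location is compliant.
    """
    findings = []
    name = loc.get("name", "")
    if not name.startswith(REQUIRED_PREFIX):
        findings.append(f"name '{name}' lacks the {REQUIRED_PREFIX} prefix")
    if not loc.get("authRequired"):
        findings.append("Enforce Authentication is OFF")
    if not loc.get("surrogateIP"):
        findings.append("Enable IP Surrogate is OFF")
    if not loc.get("surrogateIPEnforcedForKnownBrowsers"):
        findings.append("IP Surrogate for known browsers is OFF")
    # Both surrogate timers must equal the Guest session duration
    for field in ("idleTimeInMinutes", "surrogateRefreshTimeInMinutes"):
        if loc.get(field) != guest_session_minutes:
            findings.append(f"{field}={loc.get(field)} != guest session {guest_session_minutes}")
    if not loc.get("ofwEnabled"):
        findings.append("Enforce Firewall Control is OFF")
    return findings

def audit_locations(locations, guest_session_minutes):
    """Map each location name to its list of findings."""
    return {loc.get("name", "?"): audit_guest_location(loc, guest_session_minutes)
            for loc in locations}

# Constructed sample export: one compliant Guest location, one with three defects
SAMPLE_LOCATIONS = [
    {"name": "CLOUDIFI-Paris", "authRequired": True, "surrogateIP": True,
     "surrogateIPEnforcedForKnownBrowsers": True, "idleTimeInMinutes": 240,
     "surrogateRefreshTimeInMinutes": 240, "ofwEnabled": True},
    {"name": "Paris-Guest", "authRequired": True, "surrogateIP": True,
     "surrogateIPEnforcedForKnownBrowsers": False, "idleTimeInMinutes": 240,
     "surrogateRefreshTimeInMinutes": 60, "ofwEnabled": True},
]

if __name__ == "__main__":
    for name, findings in audit_locations(SAMPLE_LOCATIONS, 240).items():
        print(name, "OK" if not findings else findings)
```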

5 - Further Zscaler configuration to adjust
In addition to the base Cloudi-Fi ruleset, some of your Zscaler settings may need to be adjusted to ensure Internet access for your Guests.
Firewall configuration
Configure these rules at the beginning of your Firewall Policy.
Go to Zscaler Policy > Firewall Control

SSL Inspection policies
If you have SSL Inspection enabled, you must check your existing policies and create a dedicated SSL Policy for Guest traffic.
Go to "Zscaler Policy > SSL Inspection"

6 - Last consideration
Your Guests can have different profiles. Cloudi-Fi shares these profiles with Zscaler through SAML auto-provisioning. You may have to add any newly created profile to the Zscaler Allow URL policy.
Departments created through Cloudi-Fi SAML Auto-provisioning are all suffixed by "{Cloudi-Fi}" in their name.
7 - Deep dive explanations
This article describes in detail all the changes made by Cloudi-Fi service activation.