This document describes the main steps to troubleshoot the Cloudi-Fi captive portal solution integrated into a Zscaler environment.
More information here
Cloudi-Fi Monitoring and Troubleshooting Guides
Cloudi-Fi and Zscaler integration
1/ Revoke authorization of a device
You may need to revoke the authorization of a device to display the portal again.
• Note the private IP address of the device, then disconnect it from the SSID
• Go to Zscaler interface > Analytics > Web Insights > Logs > Filter on Client IP
• Note the User assigned to this IP address
• Go to Zscaler interface > Administration > User Management
• Search the User ID, edit it, and delete it
• Activate your modification in Zscaler
• On the device, clear the cookies of the default web-browser
• Reconnect to the SSID; you should be redirected to the captive portal
2/ Unable to associate with the SSID or have limited connectivity
• Ask the user to verify his private IP
• No private IP, or an IP in 169.254.X.X, means an issue with the DHCP server.
• Verify your DHCP Server and the Layer2 connectivity in your LAN.
3/ Captive portal doesn’t show up
• Disable cellular connectivity on your phone to force Wi-Fi connectivity
• Make sure you can load http://ip.zscaler.com/
o This page MUST tell you, “you are protected by Zscaler”.
o If not, verify your local routing and VPN tunnel.
• Ask the user to access http://3wi.fi or http://neverssl.com; this forces portal redirection.
• If you see 2 different websites and not the portal, you are probably already authenticated on the service.
o Follow “Revoke authorization of a device” to fix this.
• If you are unable to revoke your authorization:
o Get your private IP
o Check the Zscaler logs (Zscaler UI > Analytics > Web Insights > Logs > Filter by « Client IP »)
• From the Zscaler admin console, verify whether the private IP is already assigned to the User token. If yes, that means an IP that was already allowed has been reassigned to another user.
• Ensure that the DHCP scope has enough IP addresses for all your guests and that the lease time is equal to or higher than the Cloudi-Fi session lifetime (the session lifetime depends on the portal).
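The lease-time condition above can be checked against DHCP server data. The following is an added example, not Cloudi-Fi or Zscaler code: it flags leases shorter than the portal session lifetime and private IPs handed to a different device while the previous device's session could still be valid. The log format, addresses, and the 8-hour session lifetime are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed DHCP lease events: time, IP, client MAC, lease duration (s).
SAMPLE_LEASES = """\
2024-05-01T09:00:00 10.20.0.11 aa:aa:aa:00:00:01 3600
2024-05-01T09:05:00 10.20.0.12 aa:aa:aa:00:00:02 3600
2024-05-01T10:10:00 10.20.0.11 aa:aa:aa:00:00:03 3600
2024-05-01T10:20:00 10.20.0.12 aa:aa:aa:00:00:02 3600
2024-05-01T18:30:00 10.20.0.11 aa:aa:aa:00:00:04 3600
"""

def audit_leases(text, session_lifetime_s):
    """Flag leases shorter than the portal session and IPs that change device
    while the previous device's session could still be valid."""
    session = timedelta(seconds=session_lifetime_s)
    last = {}                      # ip -> (lease start, mac) of the previous lease
    short, reuse = set(), []
    for line in text.splitlines():
        ts, ip, mac, lease = line.split()
        start = datetime.fromisoformat(ts)
        if int(lease) < session_lifetime_s:
            short.add(ip)
        prev = last.get(ip)
        # Assumption: the guest session starts when the lease starts (approximation).
        if prev and prev[1] != mac and start - prev[0] < session:
            reuse.append((ip, prev[1], mac))
        last[ip] = (start, mac)
    return {"short_lease_ips": sorted(short), "reuse": reuse}

if __name__ == "__main__":
    # 8 h session lifetime is an assumed value; use the one set on your portal.
    print(audit_leases(SAMPLE_LEASES, 8 * 3600))
```

Each entry in `reuse` is a private IP whose new holder may be treated as the previous, already authorized user, which is the situation described in the bullet on the User token.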
4/ Unable to browse the Internet
This issue can have multiple origins, from a local network problem to an Internet peering or DNS resolution issue.
• Disable cellular connectivity on your phone to force Wi-Fi connectivity
• Try to access http://status.cloudi-fi.net and http://ip.zscaler.com/
• If none of these pages display, you probably have a problem with your DHCP or DNS server.
o If you need further assistance, please follow the steps described in section 8 (Information to provide to Cloudi-Fi Support).
• If you don’t have any problem with your DHCP or DNS server
o please follow section 8 and get in touch with Cloudi-Fi support at https://admin.cloudi-fi.net/
• If these pages display properly, you most likely have an authentication/authorization issue. In that case, go to http://3wi.fi or http://neverssl.com
• If you are not yet authenticated, you will be immediately redirected to the captive portal. Once authenticated on the portal, you will have access to the Internet.
5/ Error during the authentication process
Web developer tools display every web request made by the browser.
To activate the developer tools in common browsers (Firefox, Chrome, IE, Edge):
• Press F12, go to the Network tab, and tick « Persist logs » and « Disable cache ».

To perform the capture:
• Connect your PC to the SSID.
• The portal normally shows up automatically
o If not, go to “User is not redirected to the captive portal”
• Do not authenticate on the portal. Open a new tab in your browser, and activate the developer tools (F12) as explained above.
• When the developer tool is activated, go to http://3wi.fi
• You will normally be redirected to the captive portal, and you can now login as usual on the captive portal.
• Once finished or when you face an error, please go to the developer tool and export the logs:

• Provide these logs to Cloudi-Fi support for analysis.
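The exported log records every header and form field of the login exchange, including session cookies and the values typed into the portal. The following is an added example, not part of the original guide or of Cloudi-Fi tooling: it blanks those values and lists the redirect chain so the failing hop is still visible. It assumes the browser export is in HAR (HTTP Archive) JSON format; the sample data and the host portal.example.test are constructed placeholders.

```python
import copy

SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}

def redact_har(har):
    """Return a copy of a HAR dict with credentials and cookies blanked out."""
    out = copy.deepcopy(har)
    for entry in out["log"]["entries"]:
        for msg in (entry["request"], entry["response"]):
            for h in msg.get("headers", []):
                if h["name"].lower() in SENSITIVE_HEADERS:
                    h["value"] = "REDACTED"
            for c in msg.get("cookies", []):
                c["value"] = "REDACTED"
        post = entry["request"].get("postData")
        if post:                          # submitted form fields (email, code, ...)
            if "text" in post:
                post["text"] = "REDACTED"
            for p in post.get("params", []):
                p["value"] = "REDACTED"
    return out

def redirect_chain(har):
    """List (status, method, url, redirect target) for every recorded request."""
    return [(e["response"]["status"], e["request"]["method"], e["request"]["url"],
             e["response"].get("redirectURL", ""))
            for e in har["log"]["entries"]]

# Constructed sample export; portal.example.test is a placeholder host.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "http://3wi.fi/", "headers": [], "cookies": []},
     "response": {"status": 302, "headers": [], "cookies": [],
                  "redirectURL": "https://portal.example.test/login"}},
    {"request": {"method": "POST", "url": "https://portal.example.test/login",
                 "headers": [{"name": "Cookie", "value": "sid=abc123"}],
                 "cookies": [{"name": "sid", "value": "abc123"}],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "email=guest%40example.test&code=4821",
                              "params": [{"name": "email", "value": "guest@example.test"},
                                         {"name": "code", "value": "4821"}]}},
     "response": {"status": 500, "headers": [{"name": "Set-Cookie", "value": "sid=def456"}],
                  "cookies": [{"name": "sid", "value": "def456"}], "redirectURL": ""}},
]}}

if __name__ == "__main__":
    print(redirect_chain(redact_har(SAMPLE_HAR)))
```

URLs are left untouched so the redirect chain stays readable; review query strings for tokens separately before sharing the file.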
In some cases, we need more advanced debug logs.
In such a case, we will ask for a Wireshark capture to retrieve all network packets (not only web requests).
6/ The portal displayed is not the correct portal
If we cannot recognize from which location the user is coming, we display the default portal of the company account.
Here are different ways to verify which location is detected.
6.1 Cloudi-Fi Visit menu
If the user has been authenticated on the portal:
• Go to Cloudi-Fi interface > Visits
• Search for the user name (depending on the portal, it can be the name, phone number, email address...)
• You can see the location. « Default » means that the location has not been recognized
6.2 Default location
If a user is assigned to the location « Default », he will see the default portal of the company account.
This default portal is configured in Cloudi-Fi interface > Settings > Global Settings.
You can have this behavior if you have excluded Cloudi-Fi’s public IP from your VPN and the public IP seen by Cloudi-Fi is not declared in any location.
• Go to Cloudi-Fi interface > Visits, search for the user, and note the « Source IP »
• Verify in Cloudi-Fi interface > Location whether this IP is assigned to a location
You can now route the Cloudi-Fi public IP in the Zscaler VPN. This eases the VPN configuration and avoids this kind of error.
Before doing this, don't hesitate to get in touch with Cloudi-Fi support to be sure that your account is ready for this:
7/ Web surfing is slow
If your LAN and Internet links are healthy, please perform these tests:
• Verify which Zscaler ZEN you use and whether it is the nearest node
• Once the ZEN node is identified, ping it with a large packet size and check whether you experience packet loss
• Perform a traceroute from your router to the ZEN
• Verify the VPN logs of your equipment
• If you can, submit a ticket directly to Zscaler support https://help.zscaler.com/submit-ticket, and provide them with the output of the test performed above.
• Specify also the Zscaler Company ID.
o You can find it in the Zscaler interface > Administration > Company Profile > Company ID
• You can also contact Cloudi-Fi support if you have any doubts (How to contact your support?)
8/ Information to provide to Cloudi-Fi Support
If the portal doesn’t show up and you can’t browse the Internet:
• Please capture a Wireshark trace before opening a ticket with Cloudi-Fi support.
You will need a computer to gather this troubleshooting information.
Here are the steps to follow to take a packet capture:
• Download Wireshark from https://www.wireshark.org/#download
• Install it on a Mac or Linux or Windows computer
• Start Wireshark and run a capture on your computer’s WiFi interface
• Connect to the Guest's SSID
• Try to access http://3wi.fi/ and http://neverssl.com/
• Stop the capture, save it in PCAP format, and send it to Cloudi-Fi support with the location name
• This information can be submitted through https://admin.cloudi-fi.net/ with the botnet