Step-by-step instructions to set up a captive portal with Versa Network and Cloudi-Fi for user authentication.
Use case
This guide explains, step by step, the integration between Versa Networks and Cloudi-Fi. From the user's point of view, the result is to:
- Connect to the guest Wi-Fi
- Authenticate through a captive portal provided by Cloudi-Fi
- Get connected to the Internet, or to specific URL categories only
Using Versa NG-FW capabilities, the authentication policies are configured to bypass authentication for DNS and for the Cloudi-Fi SSO URLs, and to authenticate all remaining user traffic.
User/Group authentication and authorization between Versa and Cloudi-Fi is achieved using SAML.
Depending on the customer's requirements, security profiles can additionally be applied, such as:
- URL filtering
- IP filtering
- SSL decryption
- Web proxy
- etc.
With Versa Analytics, log collectors can forward syslog data to third-party systems, as Cloudi-Fi expects for regulatory compliance of guest access logs.
SAML configuration
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, most commonly used for web browser-based single sign-on (SSO). One SAML configuration lets a user access, and be authenticated for, multiple services or applications, for example Google and its related services.
SAML SSO configuration
SAML SSO lets a user log in once and access multiple services and applications. Similarly, SAML single logout can be configured so that logging out of one session ends the sessions of multiple services and applications.
SAML authentication can be used for services and applications that are external or internal to a customer organization:
- FlexVNF supports user identification from external identity providers using the SAML protocol.
- Customers can use any third-party identity provider (IdP) to authenticate users and apply user-, group-, role- and location-based policies.
- Multiple branches or appliances can use a single, centrally located authentication server to authenticate users using SAML.
- Authentication is done outside FlexVNF; FlexVNF only learns the identity of the authenticated user.
- The identity control module generates the required AuthN request and parses the AuthN response.
- The Cloudi-Fi captive portal module is used to send the redirection.
SP entity: Versa VOS
IdP entity: Cloudi-Fi
Figure - Secure Access SAML authentication
Figure - Workflow in Central Auth-Server (CAS)
Prerequisites
Before starting, ensure that you have the following prerequisites:
- Software Version: 20.2 and later
- License Tier: Prime Secure SD-WAN
- Features used: NG-FW and DNS Proxy
- Hardware used: Versa CSG770
- Software used: Versa VOS 20.2.3
The purpose of the DNS Proxy is to redirect DNS requests for cloud-fi.versa-networks.com to an internal DNS server managed by the customer, which resolves this name to the Versa CPE LAN IP address. All other requests are handled by public DNS on the Internet. Whatever name you choose for the captive portal, it must be identical in the DNS record (or hosts file), in the Host and SP Entity ID of the SAML profile, and in the subject/SAN of the certificate presented to the guest browser; otherwise the browser raises a certificate warning and the redirect to the portal fails. This guide shows the name both as cloud-fi.versa-networks.com and as cloudi-fi.versa-networks.com; use one spelling consistently.
The NG-FW feature handles the Versa Central Auth-Server functionality.
In this demo, DNS resolution is configured in the Windows hosts file as follows:
Open C:\Windows\System32\drivers\etc\hosts (as Administrator) and add the following line:
192.168.3.1 cloud-fi.versa-networks.com
The high-level architecture diagram used during our demo is displayed below:
Figure - Versa Networks and Cloudi-Fi integration
1. Get the required Cloudi-Fi URL
To create a new location in the Cloudi-Fi Admin interface if it does not already exist:
Go to the "Location" section of the Cloudi-Fi Admin interface.
Create a new location and enter the required details:
- Location Name
- Type (Redirect URL)
- Portal template
- Country
Location URL: this URL will be used to configure the External Captive Portal. To obtain it:
- Access the Cloudi-Fi administration console
- Select the location
- Click on the menu button for the location
- Select "Copy Splash page URL"
Transform the URL as follows, keeping only the scheme, the host and the location identifier that follows /start/ch/:
Cloudi-Fi splash page URL:
https://login.cloudi-fi.net/start/ch/ebd2egzrfgrgq2/lh/qgrzqrgegs/sp/spsomething.com
Versa SSO URL:
https://login.cloudi-fi.net/start/ebd2egzrfgrgq2
Note:
- If multiple physical sites are routed behind Versa, create one IdP profile per physical location.
- Set the Identity Provider SSO URL of each IdP profile to that location's Cloudi-Fi URL.
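The transformation above, written out as an added helper script (not part of the guide or of either vendor's tooling): it reduces each copied splash-page URL to the SSO URL for the Versa SAML profile, one per physical site, and rejects anything that is not a login.cloudi-fi.net /start/ch/... URL so a value pasted from the wrong place does not end up in an IdP profile. The sample URL is the placeholder shown in the guide; the site names are made up.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the splash-page URL shape shown in the guide.
SAMPLE_SPLASH_URL = (
    "https://login.cloudi-fi.net/start/ch/ebd2egzrfgrgq2/lh/qgrzqrgegs/sp/spsomething.com"
)


def splash_to_sso_url(splash_url: str) -> str:
    """Reduce a Cloudi-Fi 'Copy Splash page URL' value to the SSO URL for the Versa SAML profile.

    Keeps scheme, host and the location id after /start/ch/, giving
    https://login.cloudi-fi.net/start/<location-id>. Raises ValueError for any other shape.
    """
    parts = urlsplit(splash_url)
    if parts.scheme != "https":
        raise ValueError("SSO URL must use https")
    if parts.hostname != "login.cloudi-fi.net":
        raise ValueError(f"unexpected host {parts.hostname!r}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 3 or segments[0] != "start" or segments[1] != "ch":
        raise ValueError(f"path is not /start/ch/<location-id>/...: {parts.path!r}")
    location_id = segments[2]
    return urlunsplit(("https", parts.netloc, f"/start/{location_id}", "", ""))


def is_cloudifi_splash_url(url: str) -> bool:
    """True when the URL can be transformed, False otherwise (no exception)."""
    try:
        splash_to_sso_url(url)
        return True
    except ValueError:
        return False


def sso_urls_per_location(splash_urls: dict) -> dict:
    """One IdP profile per physical site: map each site's splash URL to its SSO URL."""
    return {site: splash_to_sso_url(url) for site, url in splash_urls.items()}


if __name__ == "__main__":
    # Site names are made up for the demo.
    for site, sso in sso_urls_per_location({"site-a": SAMPLE_SPLASH_URL}).items():
        print(f"{site}: {sso}")
```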
2. Upload certificates
- Get the certificate (Cloud-fi-ca-cert) from Cloudi-Fi that secures communication (assertion and attributes) between Versa VOS and Cloudi-Fi; VOS uses it to verify the IdP signature on the SAML response.
- Get the certificate (Cloud-Fi-Cert) issued by Versa or the customer that secures communication (AuthN request, AuthN response and the services granted to the user) between the guest client (user browser) and Versa VOS.
- Load the certificates in Versa Director and then push them to the appliances.
Figure - Upload certificates in Versa Director
3. Create SAML Profile
Go to FlexVNF > click on the Objects & Connectors icon > Connectors > Users / Group > SAML Profile
- Host: https://cloudi-fi.versa-networks.com:44991
- SSO URL: Cloudi-Fi Location URL
- SP Entity ID: https://cloudi-fi.versa-networks.com:44991/metadata
- Identity Provider ID: https://login.cloudi-fi.net/auth/saml2/idp/metadata.php
- IDP Certificate: cloudi-fi ca-cert
Figure - SAML Configuration in Versa Director
4. Create an Authentication Profile for SAML
Go to FlexVNF > click on the Objects & Connectors icon > Connectors > Users / Group > Authentication Profiles
Figure - SAML Authentication Profile Configuration in Versa Director
5. Create a Custom URL category to bypass Single Sign-on URL
Go to FlexVNF > Objects & Connectors > click on Objects > Custom Objects > URL Categories
Figure - URL Category of Cloudi-Fi authentication servers
6. Create an Authentication Rule to bypass DNS Traffic
Go to FlexVNF > click on the Services icon > Next Gen Firewall > Authentication > Policies > Rules
Figure - authentication rule to bypass DNS traffic authentication
7. Create an Authentication Rule to bypass Single Sign-on URL
Go to FlexVNF > click on the Services icon > Next Gen Firewall > Authentication > Policies > Rules
Figure - Authentication rule to bypass Cloudi-Fi authentication servers
8. Create an Authentication Rule for SAML
Go to FlexVNF > click on the Services icon > Next Gen Firewall > Authentication > Policies > Rules
Figure - Authentication rule for all wifi guest traffic
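Rule order matters for steps 6 to 8: the two bypass rules must sit before the catch-all SAML rule, otherwise the redirect to Cloudi-Fi, and the DNS lookup it depends on, would themselves be subject to authentication and the browser would be redirected in a loop. The following Python model is added here to make that visible; it is not Versa's policy engine, and the guest subnet 192.168.3.0/24, the port/SNI matching and the "no match means no authentication" default are assumptions of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List

# Assumed guest subnet behind the CPE (the guide's CPE LAN IP is 192.168.3.1).
GUEST_LAN = ip_network("192.168.3.0/24")
# The custom URL category of step 5 (Cloudi-Fi authentication servers).
CLOUDIFI_AUTH_SERVERS = {"login.cloudi-fi.net"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_port: int
    host: str = ""  # SNI or HTTP Host when the firewall can see it


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "bypass" (no authentication) or "saml" (redirect to captive portal)
    match: Callable[[Flow], bool]


def is_dns(f: Flow) -> bool:
    return f.dst_port == 53


def is_sso_url(f: Flow) -> bool:
    return f.host in CLOUDIFI_AUTH_SERVERS


def is_guest(f: Flow) -> bool:
    return ip_address(f.src_ip) in GUEST_LAN


# Order as the guide configures it: step 6, step 7, step 8.
RULES = [
    Rule("bypass-dns", "bypass", is_dns),
    Rule("bypass-sso-url", "bypass", is_sso_url),
    Rule("guest-saml", "saml", is_guest),
]


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First match wins; a flow matching no rule is left unauthenticated in this model."""
    for rule in rules:
        if rule.match(flow):
            return rule.name
    return "no-match"


def redirect_loop_risks(rules: List[Rule], client_ip: str = "192.168.3.10") -> List[str]:
    """The flows the portal redirect itself depends on (DNS and the IdP) must never hit a
    'saml' rule; if they do, the browser is sent to a destination that is itself redirected."""
    needed = [Flow(client_ip, 53), Flow(client_ip, 443, "login.cloudi-fi.net")]
    risks = []
    for f in needed:
        hit = evaluate(rules, f)
        if any(r.name == hit and r.action == "saml" for r in rules):
            risks.append(f"{f.host or 'dns:53'} matched by {hit}")
    return risks


if __name__ == "__main__":
    client = "192.168.3.10"
    for f in (Flow(client, 53), Flow(client, 443, "login.cloudi-fi.net"), Flow(client, 443, "www.example.com")):
        print(f, "->", evaluate(RULES, f))
    print("configured order:", redirect_loop_risks(RULES))
    print("reversed order:  ", redirect_loop_risks(list(reversed(RULES))))
```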
9. Configure Captive Portal
Go to FlexVNF > click on the Services icon > Captive Portal
Figure - Captive portal configuration in Versa Director
10. Configure DNS proxy
Configure an SNAT pool under Objects & Connectors > Objects > SNAT Pool
Figure - SNAT Pool Configuration for DNS Proxy in Versa Director
Configure a DNS Proxy Profile under Networking > DNS Proxy Profiles
Figure - DNS Proxy Profile Configuration in Versa Director
Configure a DNS Proxy Policy under Networking > DNS Policies
Figure - DNS Proxy Policy Configuration in Versa Director
11. Call flow verification using the SAML-tracer extension
11.1. Request a resource and get redirected to the IdP
Figure - URL Redirect sent by Versa CPE
SAML AuthN request sent by the Versa CPE to the client browser:
Figure - SAML AuthN request
11.2. Client browser connects to the IdP, presents the AuthN request and receives the authentication page
Figure - Captive Portal authentication page
11.3. Enter credentials (ID and password), accept the user conditions and click the authentication button
Figure - Login credentials submitted to Cloudi-Fi
11.4. The IdP (Cloudi-Fi) sends the SAML response, containing the AuthN response, to the client
Figure - SAML AuthN response sent by Cloudi-Fi
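When a trace from 11.1 to 11.4 shows a redirect but the user never gets identified, the fields to compare against the SAML profile of step 3 are Issuer, Destination, InResponseTo, Audience and the assertion validity window. The following Python script is added here (it is not from the guide, Versa or Cloudi-Fi) to do that comparison on the raw SAMLRequest and SAMLResponse parameters that SAML-tracer shows: it decodes the HTTP-Redirect binding (base64 of raw DEFLATE) and the HTTP-POST binding (plain base64) and reports mismatches. The messages are constructed and unsigned; the ACS path /acs and the NameID are assumptions, and the script does not verify the XML signature, which VOS does with the IdP certificate.

```python
import base64
import zlib
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values from the SAML profile in step 3 of the guide.
SP_ENTITY_ID = "https://cloudi-fi.versa-networks.com:44991/metadata"
IDP_ENTITY_ID = "https://login.cloudi-fi.net/auth/saml2/idp/metadata.php"
IDP_SSO_URL = "https://login.cloudi-fi.net/start/ebd2egzrfgrgq2"
# Assumed: the guide does not name the ACS path; only host:port must match the profile.
SP_ACS_URL = "https://cloudi-fi.versa-networks.com:44991/acs"
# Fixed "current time" for the constructed messages below.
DEMO_NOW = datetime(2024, 5, 1, 10, 0, 30, tzinfo=timezone.utc)

# Constructed, unsigned messages in the shape SAML-tracer displays (real ones carry ds:Signature).
AUTHN_REQUEST_XML = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req-0001" Version="2.0" '
    b'IssueInstant="2024-05-01T10:00:00Z" Destination="' + IDP_SSO_URL.encode() + b'" '
    b'AssertionConsumerServiceURL="' + SP_ACS_URL.encode() + b'">'
    b'<saml:Issuer>' + SP_ENTITY_ID.encode() + b'</saml:Issuer></samlp:AuthnRequest>'
)
RESPONSE_XML = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-0001" Version="2.0" '
    b'IssueInstant="2024-05-01T10:00:20Z" InResponseTo="_req-0001" '
    b'Destination="' + SP_ACS_URL.encode() + b'">'
    b'<saml:Issuer>' + IDP_ENTITY_ID.encode() + b'</saml:Issuer>'
    b'<samlp:Status><samlp:StatusCode Value="' + SUCCESS.encode() + b'"/></samlp:Status>'
    b'<saml:Assertion ID="_a-0001" Version="2.0" IssueInstant="2024-05-01T10:00:20Z">'
    b'<saml:Issuer>' + IDP_ENTITY_ID.encode() + b'</saml:Issuer>'
    b'<saml:Subject><saml:NameID>guest@example.com</saml:NameID></saml:Subject>'
    b'<saml:Conditions NotBefore="2024-05-01T10:00:15Z" NotOnOrAfter="2024-05-01T10:05:20Z">'
    b'<saml:AudienceRestriction><saml:Audience>' + SP_ENTITY_ID.encode() + b'</saml:Audience>'
    b'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>'
)


def encode_redirect(xml_bytes: bytes) -> str:
    """HTTP-Redirect binding: SAMLRequest = base64(raw DEFLATE(xml)), no zlib header."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_bytes) + c.flush()).decode()


def decode_redirect(param: str) -> bytes:
    return zlib.decompress(base64.b64decode(param), -15)


def decode_post(param: str) -> bytes:
    """HTTP-POST binding: SAMLResponse is plain base64 of the XML."""
    return base64.b64decode(param)


def parse_utc(stamp: str) -> datetime:
    """SAML dateTime (UTC, optional fractional seconds) to an aware datetime."""
    return datetime.strptime(stamp.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_authn_request(xml_bytes: bytes) -> list:
    """Problems in the AuthnRequest of 11.1 relative to the SAML profile (empty list = consistent)."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        return ["not an AuthnRequest"]
    problems = []
    if root.findtext("saml:Issuer", namespaces=NS) != SP_ENTITY_ID:
        problems.append("Issuer does not match SP Entity ID")
    if root.get("Destination") != IDP_SSO_URL:
        problems.append("Destination does not match the Cloudi-Fi location SSO URL")
    if not root.get("ID"):
        problems.append("missing request ID")
    return problems


def check_response(xml_bytes: bytes, request_id: str, now: datetime) -> list:
    """Problems in the Response of 11.4 (signature is NOT checked here; VOS does that)."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["not a Response"]
    problems = []
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match the AuthnRequest ID")
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        problems.append("Issuer does not match Identity Provider ID")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion"]
    if not assertion.findtext("saml:Subject/saml:NameID", namespaces=NS):
        problems.append("no NameID (user identity) in Subject")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if noa is None or now >= parse_utc(noa) or (nb is not None and now < parse_utc(nb)):
            problems.append("assertion not valid at this time (check the CPE clock / NTP)")
        if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
            problems.append("Audience does not match SP Entity ID")
    return problems


if __name__ == "__main__":
    saml_request = encode_redirect(AUTHN_REQUEST_XML)  # what SAML-tracer shows as SAMLRequest
    print("AuthnRequest:", check_authn_request(decode_redirect(saml_request)) or "consistent")
    saml_response = base64.b64encode(RESPONSE_XML).decode()  # what it shows as SAMLResponse
    print("Response:", check_response(decode_post(saml_response), "_req-0001", DEMO_NOW) or "consistent")
```

Run it against a real trace by pasting the SAMLRequest and SAMLResponse parameter values in place of the constructed ones; a non-empty list points at the profile field or the clock to fix.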
12. Service verification in Versa Director
12.1 User identification under the Monitor tab
Figure - User identification profile in Versa CPE
12.2 Authentication logs in Analytics
Figure - Successful SAML Authentication logs in Versa Analytics
What's next?
Congratulations on enabling Cloudi-Fi's captive portal on Versa Networks!
For additional information on the Cloudi-Fi technology partnership with Versa, please consult our partner page here.