Guest WiFi integration between Versa Networks and Cloudi-Fi using SAML authentication with Captive Portal
1. Introduction
The purpose of this article is to explain, step by step, the integration between Versa Networks and Cloudi-Fi. The result for a user is to:
- connect to the guest WiFi
- authenticate through a captive portal provided by Cloudi-Fi
- and then get connected to the Internet or to specific URL categories.
Using Versa NG-FW capabilities, the authentication policies are configured to bypass the SSO URLs and DNS traffic and to authenticate all remaining user traffic.
User/Group authentication and authorization between Versa and Cloudi-Fi is achieved using SAML.
Depending on the customer's requirement, some security profiles can be applied, such as:
- URL filtering
- IP filtering
- SSL decryption
- Web proxy
- etc.
With Versa Analytics, log collectors can send Syslog data to third-party systems to comply with the regulations that Cloudi-Fi expects.
2. Versa SAML Authentication Overview
SAML configuration:
Security Assertion Markup Language (SAML) authenticates users so that they can access multiple services and applications. A SAML configuration is useful when a user needs to reach several services or applications and must authenticate to each of them, for example, Google and its related services.
SAML is a common standard for exchanging authentication between parties, most commonly used for web browser-based single sign-on (SSO).
SAML SSO configuration:
It offers the ability to log in once with single sign-on and access multiple services and applications. Similarly, SAML single logout can be configured so that logging out of one session ends the sessions of multiple services and applications.
SAML authentication can be used for services and applications that are external or internal to a customer organization:
- FlexVNF supports user identification from external identity providers using the SAML protocol.
- Customers can use any third-party identity provider (IDP) to authenticate users and apply user, group, role and location-based policies.
- Multiple branches or appliances can use a single centrally located authentication server to authenticate users using SAML.
- Authentication is done outside of FlexVNF, which only learns the identity of the authenticated users.
- The identity control module generates the required AuthN request and parses the AuthN response.
- The Cloudi-Fi captive portal module is used to send the redirection.

Figure - Secure Access SAML authentication

Figure - Workflow in Central Auth-Server (CAS)
3. Cloudi-Fi SAML Authentication Configuration in Versa
3.1 Requirements
Software Version: 20.2 and later
License Tier: Prime Secure SD-WAN
The feature used: NG-FW and DNS Proxy
3.2 Roles
SPEntity: Versa VOS
IdPEntity: Cloudi-Fi
The purpose of the DNS Proxy is to redirect DNS requests for cloud-fi.versa-networks.com to an internal DNS server managed by the customer, which resolves this domain to the Versa CPE LAN IP address. All other requests are handled by public DNS servers hosted on the Internet.
The Versa Central Auth-Server functionality is handled by the NG-FW feature.
In this demo, we configure this DNS resolution in the Windows hosts file instead, as follows:
Open C:\Windows\System32\drivers\etc\hosts and add the following line:
192.168.3.1 cloud-fi.versa-networks.com
The high-level architecture diagram used during our demo is displayed below:

Figure - Versa Networks and Cloudi-Fi integration
Hardware used: Versa CSG770
Software used: Versa VOS 20.2.3
3.3 Configuration
Do the following configuration for SAML Authentication:
1) Upload certificates
- Get the CA certificate (Cloud-fi-ca-cert) from Cloudi-Fi to secure the communication (assertion and attributes) between Versa VOS and Cloudi-Fi;
- Get the certificate (Cloud-Fi-Cert) from Versa/Customer to secure the communication (AuthN request and AuthN response, services granted to the user) between the guest client (user browser) and Versa VOS;
- Load the certificates in Versa Director and then on the appliances.

Figure - Upload certificates in Versa Director
2) Create SAML Profile
Go to:
Flexvnf > Objects & Connectors (icon) > Connectors > Users / Group > SAML Profile

Figure - SAML Configuration in Versa Director
3) Create an Authentication Profile for SAML
Go to:
Flexvnf > Objects & Connectors (icon) > Connectors > Users / Group > Authentication Profiles

Figure - SAML Authentication Profile Configuration in Versa Director
4) Create a Custom URL category to bypass Single Sign-on URL
Go to:
Flexvnf > Objects & Connectors > Objects > Custom Objects > URL Categories

Figure - URL Category of Cloudi-Fi authentication servers
5) Create an Authentication Rule to bypass DNS Traffic
Go to:
Flexvnf > Services (icon) > Next Gen Firewall > Authentication Policies > Rules

Figure - Authentication rule to bypass DNS traffic authentication
6) Create an Authentication Rule to bypass Single Sign-on URL
Go to:
Flexvnf > Services (icon) > Next Gen Firewall > Authentication Policies > Rules

Figure - Authentication rule to bypass Cloudi-Fi authentication servers
7) Create an Authentication Rule for SAML
Go to:
Flexvnf > Services (icon) > Next Gen Firewall > Authentication Policies > Rules

Figure - Authentication rule for all WiFi guest traffic
8) Configure Captive Portal
Go to:
Flexvnf > Services (icon) > Captive Portal

Figure - Captive portal configuration in Versa Director
9) Configure DNS Proxy
- Configure SNAT under Objects & Connectors > Objects > SNAT Pool

Figure - SNAT Pool Configuration for DNS Proxy in Versa Director
- Configure the DNS Proxy Profile under Networking > DNS > Proxy Profiles

Figure - DNS Proxy Profile Configuration in Versa Director
- Configure the DNS Proxy Policy under Networking > DNS > Policies

Figure - DNS Proxy Policy Configuration in Versa Director
4. Call Flow verification using SAML-Tracer Extension
Step 1: Request Resources and Redirect to IDP

Figure - URL Redirect sent by Versa CPE
SAML AuthN request sent by Versa CPE to Client Browser:

Figure - SAML AuthN request
Step 2: The client browser connects to the IDP, presents the AuthN request and receives the authentication page

Figure - Captive Portal authentication page
Step 3: Enter the credentials (ID and password), accept the user conditions and click the authentication button

Figure - Login credentials submitted to Cloudi-Fi
Step 4: The IDP (Cloudi-Fi) sends the SAML response containing the AuthN response to the client

Figure - SAML AuthN response sent by Cloudi-Fi
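As an added example (not code from Versa Networks or Cloudi-Fi), here are the checks a reviewer applies to the AuthN response captured in Step 4 before trusting it: InResponseTo against the request ID issued in Step 1, Destination, status, issuer, signature presence, validity window and audience. All entity IDs, URLs and the sample response below are constructed values, not those of the demo.

```python
# Added example, not Versa Networks or Cloudi-Fi code: the checks to apply to the AuthN
# response seen in SAML-Tracer before trusting it. Entity IDs, URLs and XML are constructed.
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of the response the IDP posts back to the SP's ACS URL.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" InResponseTo="_req123" Destination="https://cloud-fi.versa-networks.com/saml/acs">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1"><saml:Issuer>https://idp.example.invalid</saml:Issuer><ds:Signature/>
  <saml:Subject><saml:NameID>guest@example.invalid</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>versa-vos-sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def parse_ts(s):  # SAML timestamps are UTC ISO-8601 with a trailing Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_saml_response(b64, request_id, sp_entity_id, idp_entity_id, acs_url, now):
    """Return (ok, problems, name_id); every failed control is named in problems.
    Only signature presence is checked here: XML-DSig verification against the IDP
    certificate is the SP's job (in the demo, the Versa CPE with Cloud-fi-ca-cert)."""
    root = ET.fromstring(base64.b64decode(b64))
    problems = []
    if root.get("InResponseTo") != request_id:      # ties the response to our AuthN request
        problems.append("InResponseTo does not match the AuthN request ID")
    if root.get("Destination") != acs_url:          # response was minted for another SP
        problems.append("Destination is not this SP's ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        problems.append("status is not Success")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return False, problems + ["no Assertion"], None
    if a.findtext("saml:Issuer", default="", namespaces=NS) != idp_entity_id:
        problems.append("Issuer is not the expected IDP")
    if a.find("ds:Signature", NS) is None:
        problems.append("Assertion carries no Signature element")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        problems.append("Conditions time window does not cover now")
    if sp_entity_id not in [e.text for e in a.iterfind(".//saml:Audience", NS)]:
        problems.append("Audience does not name this SP")
    return not problems, problems, a.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

A response whose InResponseTo does not match the request ID recorded in Step 1, or whose validity window has lapsed, must be rejected even if the status is Success.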
5. Service verification in Versa Director
5.1 User identification under the Monitor tab

Figure - User identification profile in Versa CPE
5.2 Authentication logs in Analytics

Figure - Successful SAML Authentication logs in Versa Analytics
For additional information on the Cloudi-Fi technology partnership with Versa, please consult our partner page here.