Guest WiFi integration between Versa Networks and Cloudi-Fi using SAML authentication with Captive Portal

1. Introduction

The purpose of this article is to explain, step-by-step, the integration between Versa Networks and Cloudi-Fi. The result for a user is to :

connect to the guest wifi
authenticate through a captive portal provided by Cloudi-Fi
and then get connected to the Internet or specific URL categories.

Using Versa NG-FW capabilities, the authentication policies are configured to bypass SSO URL & DNS and authenticate all remaining user traffic.

User/Group authentication and authorization between Versa and Cloudi-Fi is achieved using SAML.

Depending on the customer’s requirement, some security profiles can be applied, such as :

URL filtering
IP filtering
SSL decryption
Web proxy
etc.

With Versa Analytics, log collectors can send Syslog data to 3rd party systems to comply with regulations as expected by Cloudi-Fi.

2. Versa SAML Authentication Overview

SAML configuration:

Security Assertion Markup Language (SAML) authenticates users to access multiple services and applications. SAML configuration is useful for accessing multiple services or applications and authenticating for each service or application, for example, Google and its related services.

SAML is a common standard for exchanging authentication between parties, most commonly used for web browser-based single sign-on (SSO).

SAML SSO configuration:

It offers the ability to log in with a single sign-on and access multiple services and applications. Similarly, SAML single sign-out can be configured to end sessions for multiple services and applications and log out using only one session.

SAML authentication can be used for services and applications that are external or internal to a customer organization:

FlexVNF supports user identification from external identity providers using SAML protocol.
Customers can use any third-party identity provider (IDP) to authenticate users and apply user, group, roles and location-based policies.
Multiple branches or appliances can use a single centrally located authentication server to authenticate users using SAML.
Authentication will be done outside of FlexVNF and will only know users.
The identity control module will generate the required AuthN-request and parse AuthN-response.
The Cloudi-Fi captive portal module will be used to send redirection.

Figure - Secure Access SAML authentication

Figure - Workflow in Central Auth-Server (CAS)

3. Cloudi-Fi SAML Authentication Configuration in Versa

3.1 Requirements

Software Version: 20.2 and later

License Tier: Prime Secure SD-WAN

The feature used: NG-FW and DNS Proxy

3.2 Roles

SPEntity: Versa VOS

IdPEntity: Cloudi-Fi

The purpose of DNS Proxy is to redirect DNS requests to cloud-fi.versa-networks.com to an internal DNS server managed by the customer to resolve this domain to Versa CPE LAN IP address. All other requests will be managed by public DNS hosted on the Internet.

The Versa Central Auth-Server functionality is handled by the NG-FW feature.

In this demo, we are going to configure DNS resolution into our windows hosts file as below:

Go to C:\Windows\System32\drivers\etc\hosts and add the following line:

192.168.3.1 cloud-fi.versa-networks.com

The high-level architecture diagram used during our demo is displayed below:

Figure - Versa Networks and Cloudi-Fi integration

Hardware used: Versa CSG770

Software used: Versa VOS 20.2.3

3.3 Configuration

Do the following configuration for SAML Authentication:

1) Upload certificates

- Get a certificate (Cloud-fi-ca-cert) from Cloudi-Fi to secure communication (Assertion and Attributes) between Versa VOS and Cloudi-Fi;

- Get the certificate (Cloud-Fi-Cert) from Versa/Customer to secure communication (AuthN request and AuthN response, services granted to user) between Guest Client (user browser) and Versa VOS

- Load Certificates in versa Director and then on appliances