Describes how to add guest security into an existing Zscaler ZIA tenant
Zscaler Deployment into an existing tenant on cloudi-Fi captive portal:
Cloudi-Fi Captive portal is configured into an existing Zscaler tenant leveraging existing GRE/IPSEC tunnels. The source guest network(s) should be routed into the tunnels.
Zscaler security policies: quota, time, and duration can be configured for each profile
Guests can be profiled based on how they authenticate in the captive portal. Daily guests, consultants, employees, and directory groups can all have different policies in Zscaler. Security policies and quota, time, and duration can be configured for each profile.
Manage compliance for your captive portal deployed on Zscaler:
In many countries, Internet logs should be kept for a specific duration and matched with the user. The authentication and Internet logs should be correlated to process the government request. All logs are hosted in the cloud. Authentication logs (in Cloudi-Fi) and pseudonymized Internet logs (in Zscaler) can be correlated in the Cloudi-Fi administration interface and menu Visits. This menu should be restricted to a few administrators with administration profiles.
Zscaler configuration with Zscaler:
Zscaler configuration is not synchronized with Cloudi-Fi compared to a setup with a dedicated Zscaler tenant. However, Zscaler configuration is done in a few steps and described below.
0) Prerequisites for Eligibility
Some parameters may conflict with Cloudi-Fi integration, especially regarding the capability to use Multiple Authentication Domains.
Below are the settings to be verified:
Administration Authentication Settings :
User Repository Type: Must be Hosted DB
User Authentication Type: Must be SAML
Login Attribute of your existing IdP :
The login attribute returned by your existing Identity Provider (IdP) must be unique and in the form of an email address.
If it returns only a username without any domain, Zscaler cannot perform authentications on multiple domains.
Example: The ADFS Attribute sAMAccountName only returns a username without a domain.
1) Provide your Zscaler account information
Go to your Zscaler Admin interface Administration Company Profile
Copy/Paste the following information:
Cloudi-Fi IDP ID, when available
2) Add a Cloudi-Fi Guest domain to your Zscaler account
Submit a ticket to Zscaler support to add the Cloudi-Fi authentication domain. The domain name is provided by the Cloudi-Fi team.
3) Create Cloudi-Fi Identity Provider
Go to Administration Authentication Settings Identity Provider tab
Add Identity Provider :
IdP SAML Certificate: Available here
SAML Portal URL: Provided by the Cloudi-Fi team
Login Name Attribute: token
Domain: Cloudi-Fi dedicated domain
User Display Name Attribute: token
Group Name Attribute: profile
Department Name Attribute: profile
Save the ID assigned to Cloudi-Fi IDP and share it with Cloudi-Fi team.
4) Create Cloudi-Fi Custom URL Categories
Go to Administration URL Categories Add URL Category :
We need to create two custom categories:
Cloudi-Fi Portal URL: This category contains all URLs to be whitelisted to display our captive portal correctly:
Cloudi-Fi Connectivity Check URL: This category contains all the URLs used by guests' devices to detect the presence of a captive portal.
Below are the Custom URL and Custom Key Words to be added :
- Custom URLs:
- Custom Keywords:
5) Create an Authentication Bypass
To prevent visitors from being redirected to your Authentication IdP, we configure a bypass for the 2 URL Categories we created previously.
Go to Administration Advanced Settings:
In the Authentication Exemptions section, add our two custom categories.
Enable Policy for Unauthenticated Traffic: Enabled
Note : If this option was initially disabled in your account,
an additional URL policy rule should be added when you will create
Cloudi-Fi policy rules in the next section.
6) URL filtering policies for guests:
Configure this bundle of rules to redirect your guests to your captive portal, allow authentication users to browse the Internet, and prevent them from accessing forbidden categories.
The Cloudi-Fi team can help you create these rules.
And thanks to dynamic groups, you don’t need to update these rules every time you deploy a new Guest location (more information in the next section).
Note: if the option Enable Policy for Unauthenticated Traffic was disabled in Advanced Settings (see the previous section), you must add the following rule at the end of Cloudi-Fi rules:
7) Dynamic group for Cloudi-Fi location(s)
Zscaler Dynamic group can be leveraged to simplify the management of guest rules, logs, and policies into an existing Zscaler account.
This will dynamically allow any new location named Guest to belong to this Group. Alternatively, the condition would be to include all areas with authentication disabled.
From now, any new guest location will belong automatically to the group “CLOUDIFI.” This will automatically add it to policy rules, reports, and logs and segregate the data and configuration between the guest and the corporate traffic. (see section 9 for more information about it)
Define a condition for your Guest location.
Go to Administration Location Management Location Groups tab Create New.
8) Create your Guest location/sub-location
You can create a location (dedicated VPN tunnel for Guest traffic) or sub-locations (reuse an existing location and define the Guest private IP range).
Go to Administration Location Management
For new location: Create a new Location
For sub-location: Select an existing location and click on this icon on the right.
How to configure your Guest location:
Name: Must match the condition of your Cloudi-Fi dynamic group
Enforce Authentication: ON
Enable IP Surrogate (both options): Timers should be equal to Cloudi-FI lifetime session
Enforce Firewall control: ON
9) Create the Guest Firewall policy rules
Notes: We recommend configuring these rules at the beginning of your Firewall Policy.
Go to Policy Firewall control.
10) Administration and reporting
Administrators can restrict the scope to the dynamic location and only see guest (or non-guest) data.
Alternatively, an administrator with all access can build specific reports /insights/log views for guest (or, by extension, non-guest) data.
Custom reports built for guests only.
Custom logs research
You can learn more about our solutions integrated with Zscaler, a how-to video, and a full solution brief from our partner page here.