Learn how to integrate the Cloudi-Fi captive portal with Palo Alto Network Strata and configure your SAML identity provider.
1. Solution Overview
Solution tested:
- VM Series with PAN-OS 9.0.3
- VM Series with PAN-OS 9.1.3

2. Configure SAML Identity Provider (IdP)
SAML Identity Provider
Go to Device > Server Profiles > SAML Identity Provider

- Identity Provider ID: https://login.cloudi-fi.net/auth/saml2/idp/metadata.php
- Import Cloudi-FI_SAML_cert
- Identity Provider SSO URL = Cloudi-Fi Location URL
  o https://login.cloudi-fi.net/start/
  This URL can be found in the Cloudi-Fi admin interface, in the Location menu.
Note:
Currently, the URL format shown in the Cloudi-Fi admin interface differs from the one that must be configured in PAN-OS. You have to rewrite it to match the format shown below.
An update of the Cloudi-Fi admin interface will be performed soon.

Original URL format: https://login.cloudi-fi.net/auth/saml2/idp/SSOService.php?spentityid=spsomething.com&ch=0a2526ed79aa434&lh=145cb1a21a871c&
Palo Alto URL format: https://login.cloudi-fi.net/start/0a2526ed79aa434/145cb1a21a871c
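The rewrite from the admin-interface URL to the PAN-OS URL only moves the `ch` and `lh` query parameters into the path, but doing it by hand for several locations is error-prone. The following Python snippet is an added example (not Cloudi-Fi or Palo Alto Networks code) that performs the rewrite and refuses to produce a URL when the input is not the expected Cloudi-Fi endpoint or one of the two parameters is missing; the sample input reuses the `ch`/`lh` values from the table above, and the assumption that both tokens are plain alphanumeric strings is ours.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample input: the SSO URL as shown by the Cloudi-Fi admin
# interface, using the ch/lh values from the example table on this page.
ADMIN_SSO_URL = (
    "https://login.cloudi-fi.net/auth/saml2/idp/SSOService.php"
    "?spentityid=spsomething.com&ch=0a2526ed79aa434&lh=145cb1a21a871c&"
)

IDP_HOST = "login.cloudi-fi.net"


def to_panos_sso_url(admin_url: str) -> str:
    """Rewrite the admin-interface SSO URL into the /start/<ch>/<lh> form that
    goes into the "Identity Provider SSO URL" field of the PAN-OS IdP profile.

    Raises ValueError instead of guessing when the URL is not the expected
    Cloudi-Fi endpoint or when the ch/lh parameters are absent or malformed.
    """
    parts = urlsplit(admin_url)
    if parts.scheme != "https" or parts.netloc != IDP_HOST:
        raise ValueError(f"not an HTTPS URL on {IDP_HOST}: {admin_url}")
    if not parts.path.endswith("/SSOService.php"):
        raise ValueError(f"unexpected IdP path: {parts.path}")

    # parse_qs silently drops the empty pair left by the trailing '&'.
    params = parse_qs(parts.query)
    try:
        ch, lh = params["ch"][0], params["lh"][0]
    except KeyError as missing:
        raise ValueError(f"SSO URL is missing the {missing} parameter") from None

    # Both identifiers become path segments of the target URL. We assume they
    # are plain alphanumeric tokens; anything else would yield a broken profile.
    for name, value in (("ch", ch), ("lh", lh)):
        if not value.isalnum():
            raise ValueError(f"parameter {name!r} is not a plain token: {value!r}")

    return f"https://{IDP_HOST}/start/{ch}/{lh}"


if __name__ == "__main__":
    print(to_panos_sso_url(ADMIN_SSO_URL))
```

Run it once per physical site and paste each result into the matching IdP profile; a raised ValueError means the URL copied from the admin interface is incomplete and should be re-copied rather than patched by hand.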
Note: If multiple physical sites are routed behind the Palo Alto firewall, create an IdP profile for each physical location.
Set the Identity Provider SSO URL of each IdP profile to the Cloudi-Fi location URL of that site.
Configure SAML Authentication Profile
Go to Device > Authentication Profile

- Type: SAML
- IdP Server Profile: select the Cloudi-Fi IdP profile created at step 1
- Certificate Profile: create a new profile and import the Cloudi-Fi_IdP_cert (see screenshot below)
- SAML Attributes / Username Attribute: token
- SAML Attributes / User Group Attribute: profile
Certificate profile

Create Web-forms
Create a specific web form that will be used in the Authentication policy.
Create one web form per location if you have multiple locations behind one Palo Alto firewall.
Go to Objects > Authentication > Add

3. Configure Captive portal settings
Go to Device > User Identification > Captive Portal Settings > Edit
Note: During the redirection to the Cloudi-Fi captive portal, the user is first redirected to a Layer 3 interface of the Palo Alto firewall.
The "Redirect Host" field must contain the intranet hostname that resolves to the IP address of the Layer 3 interface to which the firewall redirects web requests.

Note:
When the redirection is performed over HTTPS, the guest's web browser will show a certificate warning; installing a publicly trusted certificate on the firewall is therefore necessary.
The Timer and Idle Timer values should be equal and must match the session lifetime configured in the Cloudi-Fi captive portal.
This FQDN is also used during SAML authentication as the Service Provider EntityID and must be declared in the Cloudi-Fi administration interface:
Cloudi-Fi admin settings > Advanced settings > PaloAlto Networks:

4. Layer 3 Interface Configuration
Interface Management Profile
Create a new Interface Management profile
Go to Network > Network Profiles > Interface Management > Add
Enable:
- Ping (optional)
- Response Pages
- User-ID

Zone
Go to Network > Zones > Add
Create a dedicated zone for the Guest network and enable User Identification on it.

Layer 3 interface
Create the Guest interface or sub-interface and assign the Interface Management profile and the zone created in the previous steps.

DHCP Server
Create a DHCP server for the Guest network.
Go to Network > DHCP > DHCP Server > Add
- Select the Guest interface
- Define an IP Pool and DHCP Options
Note that the Layer 3 interface dedicated to the Guest network is configured as the DNS server handed out to guests.

DNS Proxy
We use the DNS Proxy feature to add a static DNS entry that resolves the FQDN configured in the captive portal settings to the Layer 3 interface or sub-interface, so that redirected users reach the firewall.
Go to Network > DNS Proxy > Add
- Select the Guest interface or sub-interface
- Enter a valid DNS server reachable by the firewall as the Primary server
- Go to Static Entries and add the FQDN and the IP address of the Guest interface.

5. Configure the Policy
Create a custom URL Category
We will create custom URL categories and use them to build the Walled Garden (the URLs a user can reach before being authenticated).
Go to Objects > Custom Objects > URL Category > Add
- Profile Name: Cloudi-Fi_portal
- Type: URL List
- Sites:
o *.cloudi-fi.net
o *.cloudi-fi.com
Create another custom URL category if you have social media in your captive portal.
Domains will be provided by the Cloudi-Fi team.
Create security rules
We shall create four security rules:
1/ Guest DNS Proxy rule: allow the Guest Layer 3 interface IP to reach the DNS server(s)
o Source: Guest gateway IP address (Zone Guest)
o Destination: DNS server(s) configured in the DNS-Proxy
o Application: DNS
o Action: Allow
2/ Walled Garden rule: to allow an unauthenticated user to access the captive portal
o Source: Guest network (Zone Guest)
o User: Unknown
o Destination: Any (Zone External)
o Application: Any (you can restrict as you wish. At least web-browsing and SSL)
o URL Filtering: Cloudi-Fi custom categories
o Action: Allow
3/ Guest-Allowed: Allow authenticated users to access the Internet
o Source: Guest network (Zone Guest)
o User: Known-User
o Destination: Any (Zone External)
o Application: Any (you can restrict as you wish. At least web-browsing and SSL)
o Action: Allow
o Profile Settings: URL Filtering enabled
4/ Guest-DenyAll: explicit deny to prevent the Guest network from reaching other internal resources (optional given the default PAN-OS interzone deny, but recommended so the deny is logged and visible)
o Source: Guest network (Zone Guest)
o Destination: Any (All zones)
o Application / Services: Any
o Action: Deny
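Because PAN-OS evaluates security rules top-down and stops at the first match, the order of the four rules above matters: the Guest gateway IP also lives inside the Guest network, so the DNS Proxy rule must sit above the explicit deny, and the Walled Garden rule must sit above Guest-DenyAll for unauthenticated users to reach the portal at all. The following Python snippet is an added example (not a PAN-OS API and not Cloudi-Fi code) that models the four rules as a first-match list and checks a handful of representative flows, including what happens when the deny rule is moved to the top. Zone and category names are the ones used on this page; the IP addresses are constructed, and the Guest-Allowed rule is modelled with the "at least web-browsing and SSL" restriction rather than Application: Any.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample values (not from the page): the Guest DHCP pool, the
# Guest Layer 3 interface IP and the DNS server configured in the DNS Proxy.
GUEST_NET = "10.10.10.0/24"
GUEST_GW = "10.10.10.1"
DNS_SERVER = "192.0.2.53"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_zone: str
    user: str                      # "unknown" or "known" (User-ID state)
    dst_ip: str
    dst_zone: str
    app: str
    url_category: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    """Simplified security rule: every non-'any' field must match."""
    name: str
    action: str                    # "allow" or "deny"
    src_zone: str = "any"
    src_net: str = "any"           # CIDR or single IP
    user: str = "any"              # "any", "unknown" or "known"
    dst_zone: str = "any"
    dst_ips: frozenset = frozenset()          # empty means any
    apps: frozenset = frozenset()             # empty means any
    url_categories: frozenset = frozenset()   # empty means any

    def matches(self, f: Flow) -> bool:
        if self.src_zone != "any" and f.src_zone != self.src_zone:
            return False
        if self.src_net != "any":
            net = ipaddress.ip_network(self.src_net, strict=False)
            if ipaddress.ip_address(f.src_ip) not in net:
                return False
        if self.user != "any" and f.user != self.user:
            return False
        if self.dst_zone != "any" and f.dst_zone != self.dst_zone:
            return False
        if self.dst_ips and f.dst_ip not in self.dst_ips:
            return False
        if self.apps and f.app not in self.apps:
            return False
        if self.url_categories and f.url_category not in self.url_categories:
            return False
        return True


# The four rules from this section, in the order the page lists them.
RULES: List[Rule] = [
    Rule("Guest-DNS-Proxy", "allow", src_zone="Guest", src_net=GUEST_GW,
         dst_ips=frozenset({DNS_SERVER}), apps=frozenset({"dns"})),
    Rule("Walled-Garden", "allow", src_zone="Guest", src_net=GUEST_NET,
         user="unknown", dst_zone="External",
         apps=frozenset({"web-browsing", "ssl"}),
         url_categories=frozenset({"Cloudi-Fi_portal"})),
    Rule("Guest-Allowed", "allow", src_zone="Guest", src_net=GUEST_NET,
         user="known", dst_zone="External",
         apps=frozenset({"web-browsing", "ssl"})),
    Rule("Guest-DenyAll", "deny", src_zone="Guest", src_net=GUEST_NET),
]


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (rule name, action) of the first matching rule, or the implicit
    interzone default deny when nothing matches."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.action
    return "interzone-default", "deny"


if __name__ == "__main__":
    # An unauthenticated guest reaching the portal hits the Walled Garden;
    # the same guest elsewhere is caught by the deny (in practice the
    # Authentication policy redirects HTTP/HTTPS first, as section 5 notes).
    portal = Flow("10.10.10.50", "Guest", "unknown", "203.0.113.10",
                  "External", "ssl", "Cloudi-Fi_portal")
    other = Flow("10.10.10.50", "Guest", "unknown", "203.0.113.20",
                 "External", "ssl", "news")
    dns = Flow(GUEST_GW, "Guest", "unknown", DNS_SERVER, "External", "dns")
    for f in (portal, other, dns):
        print(f.dst_ip, f.url_category, "->", evaluate(f))
    # Moving the explicit deny to the top silently breaks DNS for guests.
    print("deny first:", evaluate(dns, [RULES[3]] + RULES[:3]))
```

Use the same approach when adding rules later: run the expected flows through the ordered list before committing, so a rule inserted above Guest-DNS-Proxy or Walled-Garden does not break the redirect path.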

NAT rule
You have to create a NAT rule to translate Guest private IP addresses into a public address.
- Original packet
o Source zone: Guest
o Destination zone: External
o Source address: Guest network
- Translated packet, Source address translation:
o Translation type: Dynamic IP and Port
o Address type: Interface address
o Interface: ethernet1/1 in our case
o Destination address translation: None
Authentication rule
This rule will redirect the unauthenticated user to the Cloudi-Fi captive portal.
Go to Policies > Authentication > Add
- Source: Guest Network (Guest zone)
- User: Unknown
- Destination: Any (External Zone)
- Service: HTTP/HTTPS
- Action: Authentication enforcement: Cloudi-Fi web form created at step 1
Note that if multiple physical sites are behind the firewall, you must create one authentication rule per physical location, each referencing the appropriate web form.
If you would like more information on Cloudi-Fi’s partnership with Palo Alto Networks, you can visit our partner page here.