Learn how to integrate the Cloudi-Fi captive portal with Palo Alto Network Strata and configure your SAML identity provider.

                                                            

 

1. Solution Overview

Solution tested

VM Series with PAN-Os 9.0.3

VM Series with PAN-Os 9.1.3

 

 

 

2. Configure SAML Identity Provider (IdP)

SAML Identity Provider

Go to Devices Server Profiles SAML Identity Provider

 

• Identity Provider ID: https://login.cloudi-fi.net/auth/saml2/idp/metadata.php

• Import Cloudi-FI_SAML_cert

• Identity Provider SSO URL = Cloudi-Fi Location URL

• https://login.cloudi-fi.net/start//
  This URL can be found from the Cloudi-Fi admin interface in the Location menu.

Note:

Currently, the URL format provided in the Cloudi-Fi admin interface is not the same as that should be configured in the PAN-OS. You have to rewrite it to match the format described.

An update of the Cloudi-Fi admin interface will be performed soon.

 

Note: If multiple physical sites are routed behind Palo Alto, create an IdP profile for each physical location.

You must modify the Identity Provider SSO URL for each IdP profile with the Cloudi-Fi location URL.

 

 

Configure SAML Authentication Profile

Go to Device Authentication Profile

 

• Type: SAML

• IdP Server Profile: Select the Cloudi-Fi IdP profile created at step 1

• Certificate profile: Create a new profile and import the Cloudi-Fi_IdP_cert (see screenshot below)

• SAML Attributes / Username Attribute: token

• SAML Attributes / User Group Attribute: profile

 

Certificate profile

Create Web-forms

Create a specific web form that will be used in the Authentication policy:

Create one web form per location if you have multiple locations behind one Palo Alto equipment.

 

Go to Object Authentication Add

3. Configure Captive portal settings

Go to Device User-Identification Captive portal Settings Edit

 

Note: During the redirection to the Cloudi-Fi captive portal, the user will be redirected to a Layer3 interface of the Palo Alto equipment.

The field “Redirect Host” shall specify the intranet hostname that resolves the IP address of the Layer 3 interface to which the firewall redirects web requests.

 

Note:

You will experience a Certificate warning in the Guest web browser when the redirection is performed in HTTPS. The installation of a public certificate is, therefore, necessary.

 

The idle timer and timer should equal and match the session lifetime configured in the Cloudi-Fi captive portal.

 

This FQDN will also be used during the SAML authentication as Service Provider EntityID and have to be declared in the Cloudi-Fi administration interface.

 

Cloudi-Fi admin settings Advanced settings PaloAlto Networks:

 

 

4. Layer 3 Interface Configuration

Interface Management Profile

Create a new Interface Management profile

 

Go to Network Network Profiles Interface Management Add

 

Enable:

- Ping (optional)

- Response Pages

- User-ID

 

Zone

Go to Network Zone add

 

Create a dedicated zone for the Guest and enable User Identification.

 

Layer 3 interface

Create the Guest interface or sub-interface and assign the Interface Management profile and the zone created in the previous steps.

 

DHCP Server

Create a DHCP server for the Guest network

Go to Network DHCP DHCP Server Add

 

- Select the Guest interface

- Define an IP Pool and DHCP Options

 

Note that the Layer3 interface dedicated to the Guest is configured as a DNS server for the Guest

 

DNS Proxy

We will use the DNS Proxy feature to add a DNS static entry to resolve the FQDN configured in the captive portal settings and redirect the user to the Layer3 interface or sub-interface

 

Go to Network DNS Proxy Add

 

- Select the Guest interface or sub-interface

- Fill a valid DNS server reachable by the PAN as the Primary server

-

Go to static entry and add the FQDN and IP Address.

 

5. Configure the Policy

Create a custom URL Category

We will create custom URL categories and will use them to create the Walled Garden (URL accessible by the user before being authenticated)

 

Go to Object Custom Objects URL Category Add

 

- Profile Name: Cloudi-Fi_portal

- Type: URL List

- Sites:

o *.cloudi-fi.net

o *.cloudi-fi.com

Create another custom URL category if you have social media in your captive portal.

Domains will be provided by the Cloudi-Fi team.

 

Creates security rules

We shall create four security rules:

1/ Guest DNS Proxy rule: to allow the Guest Layer3 IP to reach the DNS server

o Source: Guest gateway IP address (Zone Guest)

o Destination: DNS server(s) configured in the DNS-Proxy

o Application: DNS

o Action Allow

 

2/ Walled Garden rule: to allow an unauthenticated user to access the captive portal

o Source: Guest network (Zone Guest)

o User: Unknown

o Destination: Any (Zone External)

o Application: Any (you can restrict as you wish. At least web-browsing and SSL)

o URL Filtering: Cloudi-Fi custom categories

o Action: Allow

 

3/ Guest-Allowed: Allow authenticated users to access the Internet

o Source: Guest network (Zone Guest)

o User: Know-User

o Destination: Any (Zone External)

o Application: Any (you can restrict as you wish. At least web-browsing and SSL)

o Action: Allow

o Profile Settings: URL Filtering enabled

 

4/ Guest-DenyAll: Explicit deny to prevent the Guest network from accessing other internal resources (optional with default PAN policy behavior but recommended)

o Source: Guest network (Zone Guest)

o Destination: Any (All zones)

o Application / Services: Any

o Action: Deny

 

NAT rule

You have to create a NAT rule to translate Guest private IP addresses into a public address.

- Original packet

o Source zone: Guest

o Destination zone: External

o Source address: Guest network

 

- Translated packet, Source address translation:

o Translation type: Dynamic IP and Port

o Address type: Interface address

o Interface: ethernet1/1 in our case

o Destination address translation: None

 

Authentication rule

This rule will redirect the unauthenticated user to the Cloudi-Fi captive portal.

Go to Policy Authentication Add

 

- Source: Guest Network (Guest zone)

- User: Unknown

- Destination: Any (External Zone)

- Service: HTTP/HTTPS

- Action: Authentication enforcement: Cloudi-Fi web form created at step 1

 

Note that if multiple physical sites are behind the PAN, you must create one authentication rule per physical location with the appropriate web form.

 

For additional information on Cloudi-Fi's partnership with Palo Alto Networks, visit our partner page here.