Implementing Cloudi-Fi into a Palo Alto Strata environment to enable captive portal functionality.
Use case
This article walks through the implementation of Cloudi-Fi in a Palo Alto Strata environment to enable the captive portal.
Prerequisites
Before starting, ensure that you have the following prerequisites:
- Access to Strata Admin Console
- Knowledge of your network’s IP addressing scheme.
- Access to a Public DNS Provider
- Access to Certificate Manager
- Access to Cloudi-Fi Admin Console
Solution overview
Solution tested
VM-Series with PAN-OS 9.0.3
VM-Series with PAN-OS 9.1.3
1. Configure SAML Identity Provider (IdP)
SAML Identity Provider
- Go to Device > Server Profiles > SAML Identity Provider
- Identity Provider ID: https://login.cloudi-fi.net/auth/saml2/idp/metadata.php
- Import Cloudi-FI_SAML_cert
- Identity Provider SSO URL = Cloudi-Fi Location URL, in the form https://login.cloudi-fi.net/start/
This URL can be found in the Location menu of the Cloudi-Fi admin interface.
Note:
Currently, the URL format shown in the Cloudi-Fi admin interface differs from the one PAN-OS expects, so you have to rewrite it: the values of the ch and lh query parameters become the two path segments of the /start/ URL.
Original URL format: https://login.cloudi-fi.net/auth/saml2/idp/SSOService.php?spentityid=spsomething.com&ch=0a2526ed79aa434&lh=145cb1a21a871c&
Palo Alto URL format: https://login.cloudi-fi.net/start/0a2526ed79aa434/145cb1a21a871c
Note: If multiple physical sites are routed behind the Palo Alto firewall, create one IdP profile per physical location.
Set the Identity Provider SSO URL of each IdP profile to the Cloudi-Fi location URL of that site.
Configure SAML Authentication Profile
- Go to Device > Authentication Profile > Add
- Type: SAML
- IdP Server Profile: select the Cloudi-Fi IdP profile created at step 1
- Certificate Profile: create a new profile and import the Cloudi-Fi_IdP_cert (see screenshot below)
- SAML Attributes / Username Attribute: token
- SAML Attributes / User Group Attribute: profile
Certificate profile
Create Web-forms
- Create a dedicated web form (authentication enforcement object) to reference in the Authentication policy.
- Create one web form per location if you have multiple locations behind one Palo Alto firewall.
- Go to Objects > Authentication > Add
2. Configure Captive portal settings
- Go to Device > User Identification > Captive Portal Settings > Edit
- Note: During the redirection to the Cloudi-Fi captive portal, the user is first redirected to a Layer 3 interface of the Palo Alto firewall.
- The Redirect Host field must contain the intranet hostname that resolves to the IP address of the Layer 3 interface to which the firewall redirects web requests.
- Note: The guest web browser will show a certificate warning when the redirection is performed over HTTPS; therefore, a public certificate for this hostname must be installed.
- The Idle Timer and Timer values should be equal and match the session lifetime configured in the Cloudi-Fi captive portal.
- This FQDN, with port 6082 appended (required for captive portals using SSL/TLS profiles), must also be entered in the Palo Alto tile in the Integrations section of the Cloudi-Fi Admin Portal.
3. Layer 3 interface configuration
Interface management profile
- Create a new Interface Management profile
- Go to Network > Network Profiles > Interface Management > Add
- Enable:
- Ping (optional)
- Response Pages
- User-ID
Zone
- Go to Network > Zone > Add
- Create a dedicated zone for the Guest network and enable User Identification on it.
Layer 3 interface
- Create the Guest interface or sub-interface and assign the Interface Management profile and the zone created in the previous steps.
DHCP server
- Create a DHCP server for the Guest network
- Go to Network > DHCP > DHCP Server > Add
- Select the Guest interface
- Define an IP Pool and DHCP Options
Note that, in the DHCP options, the Layer 3 interface dedicated to the Guest network is configured as the DNS server for guests, so that their queries are answered by the DNS Proxy configured below.
DNS Proxy
- We will use the DNS Proxy feature to add a static DNS entry that resolves the FQDN configured in the captive portal settings to the Guest Layer 3 interface or sub-interface, so that the redirected user lands on the firewall.
- Go to Network > DNS Proxy > Add
- Select the Guest interface or sub-interface
- Enter a valid DNS server reachable by the firewall as the Primary server
- Go to static entry and add the FQDN and IP Address.
4. Configure the policy
Create a custom URL category.
- We will create custom URL categories and use them to build the Walled Garden (the URLs the user can reach before being authenticated)
- Go to Object > Custom Objects > URL Category > Add
- Profile Name: Cloudi-Fi_portal
- Type: URL List
- Sites:
- login.cloudi-fi.net
- guest-api-v1.cloudi-fi.net
- Create another custom URL category if you have social media in your captive portal.
- Domains will be provided by the Cloudi-Fi team.
Create security rules
- Go to Policies > Security > Rules
- We shall create four security rules:
- 1. Guest DNS Proxy rule: to allow the Guest Layer 3 interface IP (the source of DNS Proxy queries) to reach the DNS server
- Source: Guest gateway IP address (Zone Guest)
- Destination: DNS server(s) configured in the DNS Proxy
- Application: DNS
- Action: Allow
- 2. Whitelist rule: to allow an unauthenticated user to access the captive portal
- Source: Guest network (Zone Guest)
- User: Unknown
- Destination: Any (Zone External)
- Application: Any (you can restrict as you wish. At least web-browsing and SSL)
- URL Filtering: Cloudi-Fi custom categories
- Action: Allow
- 3. Guest-Allowed: allow authenticated users to access the Internet
- Source: Guest network (Zone Guest)
- User: known-user
- Destination: Any (Zone External)
- Application: Any (you can restrict as you wish. At least web-browsing and SSL)
- Action: Allow
- Profile Settings: URL Filtering enabled
- 4. Guest-DenyAll: explicit deny to prevent the Guest network from reaching other internal resources (optional given the default PAN-OS interzone deny, but recommended)
- Source: Guest network (Zone Guest)
- Destination: Any (All zones)
- Application / Services: Any
- Action: Deny
NAT rule
- You must create a NAT rule to translate private guest IP addresses into public ones.
- Original packet
- Source zone: Guest
- Destination zone: External
- Source address: Guest network
- Translated packet, Source address translation:
- Translation type: Dynamic IP and Port
- Address type: Interface address
- Interface: ethernet1/1 in our case
- Destination address translation: None
Authentication rule
- This rule will redirect the unauthenticated user to the Cloudi-Fi captive portal.
- Go to Policies > Authentication > Add
- Source: Guest Network (Guest zone)
- User: Unknown
- Destination: Any (External Zone)
- Service: HTTP/HTTPS
- Action: Authentication enforcement: Cloudi-Fi web form created at step 1
Note that if multiple physical sites are behind the firewall, you must create one authentication rule per physical location, each referencing the appropriate web form.
For more information on Cloudi-Fi’s partnership with Palo Alto Networks, visit our partner page here.
Troubleshooting
- Verify that the Redirect Host FQDN resolves, from the Guest network, to the Guest Layer 3 interface IP.
- Verify that the certificate for the Redirect Host is installed and trusted by guest browsers.
- Contact support@cloudi-fi.com with any other issues.
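The first two checks can be run from a laptop on the Guest network. The script below is an added example, not part of the article or of any Cloudi-Fi or Palo Alto tool; the hostnames, addresses and function names are my own, and port 6082 and the expiry warning threshold are the only fixed values (the port from the captive portal settings above, the threshold an assumption). It confirms that the redirect FQDN resolves only to the guest gateway address served by the DNS Proxy static entry, then connects to port 6082 the way a guest browser would, using the system trust store, and reports a certificate that is untrusted, does not cover the hostname, or is about to expire.

```python
"""Checks for the troubleshooting items above: Redirect Host resolution and its certificate."""
import socket
import ssl
import sys
import time
from typing import Callable, Dict, List, Optional, Tuple

CAPTIVE_PORTAL_PORT = 6082   # port the article appends to the redirect FQDN
EXPIRY_WARNING_DAYS = 30     # assumption: warn a month before notAfter


def resolve_all(fqdn: str) -> List[str]:
    """IPv4 addresses for fqdn from this host's resolver (network call)."""
    infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_redirect_dns(fqdn: str, gateway_ip: str,
                       resolve: Callable[[str], List[str]] = resolve_all) -> List[str]:
    """Problems with how the Redirect Host resolves; an empty list means OK.

    Run from the Guest network: the DNS Proxy static entry must make the FQDN
    resolve to the guest-facing Layer 3 interface address and nothing else.
    """
    try:
        addrs = resolve(fqdn)
    except OSError as exc:                  # socket.gaierror is a subclass of OSError
        return [f"{fqdn} does not resolve: {exc}"]
    if not addrs:
        return [f"{fqdn} returned no A records"]
    if gateway_ip not in addrs:
        return [f"{fqdn} resolves to {addrs}, expected {gateway_ip}: check the DNS Proxy static entry"]
    extra = [a for a in addrs if a != gateway_ip]
    if extra:
        return [f"{fqdn} also resolves to {extra}: mixed answers make the redirect fail intermittently"]
    return []


def san_matches(name: str, fqdn: str) -> bool:
    """Exact or single-label wildcard match of a SAN dNSName against fqdn."""
    name, fqdn = name.lower(), fqdn.lower()
    if name == fqdn:
        return True
    if name.startswith("*.") and fqdn.count(".") == name.count("."):
        return fqdn.split(".", 1)[1] == name[2:]
    return False


def inspect_cert(cert: Dict, fqdn: str, now: Optional[float] = None) -> List[str]:
    """Problems with a certificate in ssl.getpeercert() dict form; empty means OK."""
    now = time.time() if now is None else now
    problems: List[str] = []
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(san_matches(n, fqdn) for n in sans):
        problems.append(f"certificate SAN {sans} does not cover {fqdn}: browsers will warn")
    not_after = cert.get("notAfter")
    if not not_after:
        problems.append("certificate has no notAfter field")
    else:
        remaining_days = (ssl.cert_time_to_seconds(not_after) - now) / 86400
        if remaining_days < 0:
            problems.append(f"certificate expired {-remaining_days:.0f} days ago")
        elif remaining_days < EXPIRY_WARNING_DAYS:
            problems.append(f"certificate expires in {remaining_days:.0f} days")
    return problems


def probe_redirect_tls(host: str, port: int = CAPTIVE_PORTAL_PORT,
                       timeout: float = 5.0) -> Tuple[List[str], Optional[Dict]]:
    """Connect like a guest browser and return (problems, peer certificate). Network call.

    The default context uses the system trust store with hostname checking on, so a
    private or self-signed certificate surfaces here as a verification problem.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return [], tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return [f"certificate rejected: {exc.verify_message}"], None
    except (ssl.SSLError, OSError) as exc:
        return [f"TLS connection to {host}:{port} failed: {exc}"], None


if __name__ == "__main__":
    # Placeholders: pass your Redirect Host FQDN and Guest Layer 3 interface IP as arguments.
    redirect_fqdn = sys.argv[1] if len(sys.argv) > 1 else "portal.guest.example"
    guest_gateway = sys.argv[2] if len(sys.argv) > 2 else "10.10.10.1"
    findings = check_redirect_dns(redirect_fqdn, guest_gateway)
    tls_problems, cert = probe_redirect_tls(redirect_fqdn)
    findings += tls_problems
    if cert is not None:
        findings += inspect_cert(cert, redirect_fqdn)
    print("\n".join(findings) if findings else "redirect host DNS and certificate look correct")
```

A resolution pointing at a public address means the guest is not using the DNS Proxy on the Guest interface (check the DHCP DNS option and the static entry); a rejected certificate means guests will see the browser warning mentioned in the captive portal settings section.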
What's next?
Congratulations on enabling Cloudi-Fi's Captive Portal in Palo Alto Strata!