This article describes how to configure your Palo Alto Networks Prisma Access to enable Cloudi-Fi's captive portal.
1) Solution Overview
Solution tested: Prisma Access Plugin v1.8


The captive portal FQDN resolves to the Prisma Access Captive Portal Redirect IP address:
This DNS record is created by Cloudi-Fi.


Note: All configuration must be done in the correct template.
Template mapping is configured in Panorama > Cloud Services > Configuration > Remote Networks.

2) Configure SAML Identity Provider (IdP)
SAML Identity Provider
Go to Device > Server Profiles > SAML Identity Provider:

- Identity Provider ID: https://login.cloudi-fi.net/auth/saml2/idp/metadata.php
- Import Cloudi-FI_SAML_cert
- Identity Provider SSO URL = Cloudi-Fi location URL: https://login.cloudi-fi.net/start/<locationhash>
  This URL can be found in the Cloudi-Fi admin interface, in the Location menu.

Original URL format: https://login.cloudi-fi.net/auth/saml2/idp/SSOService.php?spentityid=spsomething.com&ch=0a2526ed79aa434&lh=145cb1a21a871c&
Palo Alto URL format: https://login.cloudi-fi.net/start/0a2526ed79aa434/145cb1a21a871c
Note: If multiple physical sites are routed behind the Palo Alto device, create one IdP profile per physical location.
Set the Identity Provider SSO URL of each IdP profile to that location's Cloudi-Fi location URL.
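Rewriting the SSOService.php URL into the /start/<ch>/<lh> form by hand for every location is error-prone, so here is a small added helper (example code, not Cloudi-Fi's or Palo Alto's own) that derives the Palo Alto URL from the original one and refuses anything that is not an https URL on login.cloudi-fi.net with both hashes present. The profile naming scheme and the second location URL are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Only SSO URLs on this host are accepted, so a mistyped or look-alike host
# can never end up in an IdP server profile.
CLOUDIFI_HOST = "login.cloudi-fi.net"
SSO_PATH = "/auth/saml2/idp/SSOService.php"


def to_prisma_sso_url(original_url: str) -> str:
    """Convert a Cloudi-Fi SSOService.php location URL into the
    https://login.cloudi-fi.net/start/<ch>/<lh> form expected in the
    Identity Provider SSO URL field of the Palo Alto IdP server profile."""
    parsed = urlparse(original_url)
    if parsed.scheme != "https" or parsed.hostname != CLOUDIFI_HOST:
        raise ValueError(f"unexpected scheme or host in {original_url!r}")
    if parsed.path != SSO_PATH:
        raise ValueError(f"not an SSOService.php URL: {parsed.path!r}")
    params = parse_qs(parsed.query)
    try:
        ch, lh = params["ch"][0], params["lh"][0]
    except KeyError as exc:
        raise ValueError(f"missing {exc.args[0]!r} query parameter") from None
    # The hashes become path segments: only allow plain alphanumerics so the
    # resulting URL keeps exactly the /start/<ch>/<lh> shape.
    for name, value in (("ch", ch), ("lh", lh)):
        if not value.isalnum():
            raise ValueError(f"{name} is not a plain hash value: {value!r}")
    return f"https://{CLOUDIFI_HOST}/start/{ch}/{lh}"


def idp_profiles(locations: dict) -> dict:
    """Return one {profile name: SSO URL} entry per physical site, as the
    article requires when several sites sit behind one firewall.
    The 'Cloudi-Fi_IdP_<site>' naming is an assumption of this example."""
    return {f"Cloudi-Fi_IdP_{site}": to_prisma_sso_url(url)
            for site, url in locations.items()}


if __name__ == "__main__":
    # Sample input: the first URL is the article's own example, the second
    # is a constructed value standing in for a second site.
    sample = {
        "site-A": "https://login.cloudi-fi.net/auth/saml2/idp/SSOService.php"
                  "?spentityid=spsomething.com&ch=0a2526ed79aa434&lh=145cb1a21a871c&",
        "site-B": "https://login.cloudi-fi.net/auth/saml2/idp/SSOService.php"
                  "?spentityid=spsomething.com&ch=00aa11bb22cc33d&lh=44ee55ff66aa77b&",
    }
    for profile, url in idp_profiles(sample).items():
        print(profile, url)
```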
Configure SAML Authentication Profile
Go to Device > Authentication Profile

- Type: SAML
- IdP Server Profile: select the Cloudi-Fi IdP profile created at step 1
- Certificate profile: create a new profile and import the Cloudi-Fi_IdP_cert (see screenshot below)
- SAML Attributes / Username Attribute: token
- SAML Attributes / User Group Attribute: profile
Certificate profile:

Create web forms:
Create a specific web form that will be used in the Authentication policy.
Create one web form per location if you have multiple locations behind one Palo Alto device.
Go to Objects > Authentication and click Add.

3) Configure Captive portal settings
Go to Device > User Identification > Captive Portal Settings and click Edit.
FQDN: customer.cloudi-fi.net
This FQDN resolves to the Prisma Access Captive Portal Redirect IP address.
Each Prisma Access customer has a unique Captive Portal Redirect IP. Provide this IP to Cloudi-Fi so that they can create the dedicated DNS record.

The Idle Timer and Timer values should both match the session lifetime configured in the Cloudi-Fi captive portal.
This FQDN is also used during SAML authentication as the Service Provider Entity ID and must be declared in the Cloudi-Fi administration interface:
Cloudi-Fi admin settings > Advanced settings > PaloAlto Networks:

4) Captive Portal
Prisma Access provides a dedicated IP address on which the captive portal service is enabled.
You can find it under Panorama > Cloud Services > Status > Network Details > Service Infrastructure.

5) Configure Policy
Create a custom URL category
We will create custom URL categories and use them to build the walled garden (the URLs a user can reach before being authenticated).
Go to Objects > Custom Objects > URL Category > Add
- Profile Name: Cloudi-Fi_portal
- Type: URL List
- Sites:
*.cloudi-fi.net
If you have social media in your captive portal, create another custom URL category.
Domains will be provided by the Cloudi-Fi team.

Create security rules
Go to Policies > Security > Rules
We will create four security rules:
1/ Guest DNS Proxy rule: to allow the Guest Layer3 IP to reach the DNS server
o Source: Guest gateway IP address (Zone Guest)
o Destination: DNS server(s) configured in the DNS-Proxy
o Application: DNS
o Action: Allow
2/ Whitelist rule: to allow an unauthenticated user to access the captive portal
o Source: Guest network (Zone Guest)
o User: Unknown
o Destination: Any (Zone External)
o Application: Any (you can restrict as you wish. At least web-browsing and SSL)
o URL Filtering: Cloudi-Fi custom categories
o Action: Allow
3/ Guest-Allowed: allow authenticated users to access the Internet
o Source: Guest network (Zone Guest)
o User: Known-User
o Destination: Any (Zone External)
o Application: Any (you can restrict as you wish. At least web-browsing and SSL)
o Action: Allow
o Profile Settings: URL Filtering enabled
4/ Guest-DenyAll: Explicit deny to prevent the Guest network from accessing other internal resources (optional with default PAN policy behaviour but recommended)
o Source: Guest network (Zone Guest)
o Destination: Any (All zones)
o Application / Services: Any
o Action: Deny

Authentication rule
This rule will redirect the unauthenticated users to the Cloudi-Fi captive portal.
Go to Policies > Authentication and click Add.
- Source: Guest Network (Guest zone)
- User: Unknown
- Destination: Any (External Zone)
- Service: HTTP
- Action: Authentication enforcement: Cloudi-Fi web form created at step 1

Note that if multiple physical sites are behind the Palo Alto device, you must create one authentication rule per physical location, each referencing the appropriate web form.
Logs
