Skip to main content

Search

How can we help ?

Palo Alto Networks Prisma Access integration with Cloudi-Fi

Alexandre de THOMASSON
  • Updated

This article describes how to configure your Palo Alto Networks Prisma Access to enable Cloudi-Fi's captive portal.

                                                            

 

1) Solution Overview

Solution tested: Prisma Access Plugin v 1.8

 

Captive Portal FQDN resolves Prisma Captive Portal Redirect IP Address:

This DNS record is created by Cloudi-Fi.

 

 

Note: All the configurations should be done in the correct template.

Template mapping is configured in the:

Panorama Cloud Services Configuration Remote Networks

 

 

2) Configure SAML Identity Provider (IdP)

SAML Identity Provider

Go to Device Server Profiles SAML Identity Provider:

 

  • Identity Provider ID: https://login.cloudi-fi.net/auth/saml2/idp/metadata.php

  • Import Cloudi-FI_SAML_cert

  • Identity Provider SSO URL = Cloudi-Fi Location URL

  • https://login.cloudi-fi.net/start/<locationhash">
    This URL can be found from the Cloudi-Fi admin interface in the Location menu. 

 

Original URL format

https://login.cloudi-fi.net/auth/saml2/idp/SSOService.php?spentityid=spsomething.com&ch=0a2526ed79aa434&lh=145cb1a21a871c&

Palo Alto URL format

https://login.cloudi-fi.net/start/0a2526ed79aa434/145cb1a21a871c

Note: If multiple physical sites are routed behind Palo Alto, create an IdP profile for each physical location.

It would be best if you modified the Identity Provider SSO URL for each IdP profile with the Cloudi-Fi location URL.

 

Configure SAML Authentication Profile

Go to Device Authentication Profile

 

  • Type: SAML

  • IdP Server Profile: Select the Cloudi-Fi IdP profile created at step 1

  • Certificate profile: Create a new profile and import the Cloudi-Fi_IdP_cert (see screenshot below)

  • SAML Attributes / Username Attribute: token

  • SAML Attributes / User Group Attribute: profile

Certificate profile:

 

Create Web-forms:

Create a specific web form that will be used in the Authentication policy:

Create one web form per location if you have multiple locations behind one Palo Alto equipment.

 

Go to Objects Authentication. Add

 

 

3) Configure Captive portal settings

Go to Device User-Identification Captive portal Settings Edit

 

FQDN: customer.cloudi-fi.net

This FQDN resolves the IP Address of the Prisma Access Captive Portal IP.

Each Prisma Access Customer has a unique Captive Portal Redirect IP. This IP should be provided to Cloudi-Fi to create the dedicated DNS record.

 

The idle timer and timer should equal and match the session lifetime configured in the Cloudi-Fi captive portal.

 

This FQDN will also be used during the SAML authentication as Service Provider EntityID and must be declared in the Cloudi-Fi administration interface.

 

Cloudi-Fi admin settings Advanced settings PaloAlto Networks:

 

4. Captive Portal

Prisma Access provides a dedicated IP Address where is enabled the Captive Portal Service.

You can go to Panorama Cloud Services Status Network Details Service Infrastructure.

 

5. Configure Policy

Create a custom URL Category

We will create custom URL categories and will use them to make the Walled Garden (URL accessible by the user before being authenticated)

 

Go to Objects Custom Objects URL Category Add

 

- Profile Name: Cloudi-Fi_portal

- Type: URL List

- Sites:

*.cloudi-fi.net

 

If you have social media in your captive portal, create another custom URL category.

Domains will be provided by the Cloudi-Fi team.

 

 

Creates security rules

 

Go to Policies Security Rules

 

We shall create four security rules:

1/ Guest DNS Proxy rule: to allow the Guest Layer3 IP to reach the DNS server

o Source: Guest gateway IP address (Zone Guest)

o Destination: DNS server(s) configured in the DNS-Proxy

o Application: DNS

o Action Allow

 

2/ Whitelist rule: to allow an unauthenticated user to access the captive portal

o Source: Guest network (Zone Guest)

o User: Unknown

o Destination: Any (Zone External)

o Application: Any (you can restrict as you wish. At least web-browsing and SSL)

o URL Filtering: Cloudi-Fi custom categories

o Action: Allow

 

3/ Guest-Allowed: Allow authenticated users to access to the Internet

o Source: Guest network (Zone Guest)

o User: Know-User

o Destination: Any (Zone External)

o Application: Any (you can restrict as you wish. At least web-browsing and SSL)

o Action: Allow

o Profile Settings: URL Filtering enabled

 

4/ Guest-DenyAll: Explicit deny to prevent the Guest network from accessing other internal resources (optional with default PAN policy behaviour but recommended)

o Source: Guest network (Zone Guest)

o Destination: Any (All zones)

o Application / Services: Any

o Action: Deny

 

 

Authentication rule

 

This rule will redirect the unauthenticated users to the Cloudi-Fi captive portal.

Go to Policies Authentication. Add

 

- Source: Guest Network (Guest zone)

- User: Unknown

- Destination: Any (External Zone)

- Service: HTTP

- Action: Authentication enforcement: Cloudi-Fi web form created at step 1

 

Note that if multiple physical sites are behind the PAN, you must create one authentication rule per physical location with the appropriate web form.

 

Logs