This article describes three ways to leverage Zscaler captive portal with Cloudi-Fi.
Various architectures to manage a guest network with Zscaler ZIA and Cloudi-Fi
For an existing Zscaler customer, the guest network is usually secured by the tenant, but authentication is done locally on the network. Consequently, guests are not individually identified in Zscaler, and a single policy is applied to all guest traffic (daily guests, consultants, and BYOD).
Enabling a captive portal into Zscaler with Cloudi-Fi provides multiple advantages:
Personalized guest onboarding
Profiling of guests, with security policies for each profile
Total visibility of all guest traffic
Compliance with local regulations (data privacy and Internet provider regulations)

Generic Zscaler topology
To leverage Zscaler ZIA, redundant GRE/IPsec tunnels should be configured on the router, firewall, or SD-WAN device. Zscaler allows different setups depending on your existing infrastructure; these are covered in a dedicated article.

Three different configurations are possible, each with consequences in terms of setup and licensing.
Please note that this document may be enhanced over time, as Cloudi-Fi and Zscaler may allow easier configuration for certain setups in the future.
The first option is recommended for a new Zscaler customer or for a hotspot; the second option is recommended for an existing Zscaler customer who wants to leverage their existing tenant. The last option is recommended for a customer who cannot benefit from configuring Cloudi-Fi into Zscaler and will proceed with a local configuration with Cloudi-Fi.
| Solutions matrix | WAN - Zscaler dedicated tenant | WAN - Zscaler shared tenant | LAN - Local captive portal |
| Recommended for | Hotspot or new customer to Zscaler | Existing Zscaler customer | Existing Zscaler customer |
| Authentication | Native to Zscaler | Native to Zscaler | In the Wi-Fi |
| Zscaler tenant | Dedicated | Shared | Shared |
| Setup | Automated | Manual | Manual |
| Compliance | Full, tokenized | Full, tokenized | Partial, requires private IP in logs |
| New GRE/IPsec tunnels required | Yes | No | No |
| Setup complexity | Easy | Medium | High |
| Security | High | High | Limited, cannot profile guests |
| Management | One unique administration | Two administrations: Cloudi-Fi and Zscaler | Complex, different solutions to maintain |
| Zscaler licensing | Concurrent licenses for all users; embedded with the Cloudi-Fi Enterprise bundle | Employees with BYOD are recognized; additional Zscaler licenses are required for guests only | BYOD, guests, servers and IoT are mixed; payment on unauthenticated transactions or bandwidth |
Authentication flow with WAN deployment
The captive portal is enabled in Zscaler. There is no LAN configuration except the creation of an open guest SSID and the DNS/DHCP service.

The service reuses an existing Zscaler instance used for employee protection, or a new instance. The guest network should be routed into the Zscaler tunnels; new locations will be provisioned in Zscaler with authentication to Cloudi-Fi enabled. Policies, quota, and QoS can be enabled per guest profile.
Authentication flow with LAN deployment
The captive portal is configured natively on the Wi-Fi infrastructure with external authentication (URL redirect and RADIUS server).

The service reuses the existing Zscaler instance used for employee protection. The guest network should be routed into the existing Zscaler tunnel with an identified private network. This private network will belong to a Zscaler sublocation with authentication disabled.
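In the LAN deployment, Zscaler never learns who the guest is: the sublocation has authentication disabled, so its logs carry only the guest's private source IP. Identity has to be joined back from the Wi-Fi controller's RADIUS accounting, which is why the matrix rates this option's compliance as partial and conditional on private IPs being present in the logs. The script below is an added example, not Cloudi-Fi's or Zscaler's code: it joins a constructed, simplified web log against constructed RADIUS Start/Stop accounting records by IP and time window. The log line formats, the 10.20.0.0/24 guest subnet and all usernames and timestamps are assumptions; Zscaler's real export formats differ.

```python
"""Attribute proxy log lines to guest identities using RADIUS accounting.

Constructed example for the LAN captive-portal option. The Wi-Fi controller
authenticates guests (URL redirect + RADIUS) and the guest subnet rides the
existing Zscaler tunnel, so the proxy only sees a private source IP. The log
formats below are simplified and constructed, not any vendor's real format.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class RadiusSession:
    username: str
    framed_ip: str
    start: datetime
    stop: Optional[datetime] = None  # None: the session is still open


@dataclass
class WebLogEntry:
    ts: datetime
    src_ip: str   # client IP as seen by the proxy
    url: str
    action: str


def parse_accounting(lines: List[str]) -> List[RadiusSession]:
    """Build sessions from Start/Stop records (constructed key=value format)."""
    sessions: List[RadiusSession] = []
    for line in lines:
        if not line.strip():
            continue
        ts_text, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        ts = datetime.fromisoformat(ts_text)
        if rec["Acct-Status-Type"] == "Start":
            sessions.append(RadiusSession(rec["User-Name"], rec["Framed-IP-Address"], ts))
        elif rec["Acct-Status-Type"] == "Stop":
            # Close the most recent open session for this user/IP pair.
            for s in reversed(sessions):
                if (s.username == rec["User-Name"]
                        and s.framed_ip == rec["Framed-IP-Address"]
                        and s.stop is None):
                    s.stop = ts
                    break
    return sessions


def parse_weblog(lines: List[str]) -> List[WebLogEntry]:
    """Parse constructed 'timestamp src_ip url action' lines."""
    entries = []
    for line in lines:
        if not line.strip():
            continue
        ts_text, src_ip, url, action = line.split()
        entries.append(WebLogEntry(datetime.fromisoformat(ts_text), src_ip, url, action))
    return entries


def find_user(sessions: List[RadiusSession], ip: str, ts: datetime) -> Optional[str]:
    """Return the user who held `ip` at `ts` (start inclusive, stop exclusive)."""
    for s in sessions:
        if s.framed_ip == ip and s.start <= ts and (s.stop is None or ts < s.stop):
            return s.username
    return None


def attribute(entries, sessions, guest_subnet) -> List[Tuple[WebLogEntry, Optional[str], Optional[str]]]:
    """Map each entry to (entry, username or None, reason when unattributed)."""
    results = []
    for e in entries:
        if ip_address(e.src_ip) not in guest_subnet:
            # A public/NAT address means the private IP was lost before logging.
            results.append((e, None, "source IP not in guest subnet; no private IP in log"))
            continue
        user = find_user(sessions, e.src_ip, e.ts)
        reason = None if user else "no RADIUS session covers this IP at this time"
        results.append((e, user, reason))
    return results


# Constructed sample data. Note the IP 10.20.0.15 is reused by bob after alice leaves.
ACCT_LOG = """
2024-05-02T09:00:00 Acct-Status-Type=Start User-Name=alice@guest Framed-IP-Address=10.20.0.15
2024-05-02T09:45:00 Acct-Status-Type=Stop User-Name=alice@guest Framed-IP-Address=10.20.0.15
2024-05-02T09:50:00 Acct-Status-Type=Start User-Name=bob@guest Framed-IP-Address=10.20.0.15
"""
WEB_LOG = """
2024-05-02T09:10:00 10.20.0.15 https://example.com/a ALLOWED
2024-05-02T09:47:00 10.20.0.15 https://example.net/ ALLOWED
2024-05-02T09:55:00 10.20.0.15 https://example.org/ BLOCKED
2024-05-02T10:00:00 203.0.113.7 https://example.com/b ALLOWED
"""
GUEST_SUBNET = ip_network("10.20.0.0/24")  # assumed guest sublocation range


def demo() -> dict:
    """Return {url: attributed username or None} for the sample data."""
    sessions = parse_accounting(ACCT_LOG.splitlines())
    entries = parse_weblog(WEB_LOG.splitlines())
    return {e.url: user for e, user, _ in attribute(entries, sessions, GUEST_SUBNET)}


if __name__ == "__main__":
    sessions = parse_accounting(ACCT_LOG.splitlines())
    for e, user, reason in attribute(parse_weblog(WEB_LOG.splitlines()), sessions, GUEST_SUBNET):
        print(e.ts, e.src_ip, e.url, e.action, "->", user or f"UNATTRIBUTED ({reason})")
```

Two of the four sample lines cannot be attributed: the request in the gap between alice's Stop and bob's Start, and the one logged with a public address. The second case is the one the matrix warns about: if NAT or the tunnel design strips the private IP before Zscaler logs the transaction, the RADIUS join has nothing to key on and per-guest accountability is lost.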
You can visit our Zscaler partner page for videos and full solution brief related to Zscaler integration.