Welcome to your Cloud NAC journey! Follow this step-by-step guide to set up your deployment hierarchy, integrate your Identity Provider, establish network access policies, and configure your infrastructure.
Step 1: Set Up Locations and Access Points
Cloud4Wi is built around the concept of Locations. A Location typically represents a physical site (like an office branch), but because it is a virtual asset, you can also map your entire network to a single Location if preferred.
Organizing your network into Locations allows you to deploy site-specific onboarding experiences, enforce targeted network policies, and view granular reports and insights.
How to get started:
Navigate to Manage > Locations in your dashboard.
Click Add Location to start the manual creation wizard.
Follow the prompts—the wizard will also invite you to add your first Access Point during this setup.
Step 2: Connect an Identity Provider (IdP)
Cloud NAC delivers identity-based access control, allowing users to safely self-onboard using their existing corporate accounts (e.g., Microsoft Entra ID). Connecting your corporate IdP ensures user authentication is seamless and keeps your user directory automatically synchronized.
Why this matters: If an employee changes departments, Cloud NAC automatically detects the update from your IdP and dynamically adjusts their network policies.
How to get started:
Navigate to Users > Auth Sources.
Click Add and select your specific IdP.
Follow the dedicated integration guide for your provider to complete the configuration.
Note: Currently, the only fully supported Identity Provider platform that guarantees user authentication and fully automated directory synchronization is Microsoft Entra ID (see the setup documentation). More Identity Providers will be available soon!
Step 3: Configure Group Policies
Once your IdP integration is complete, Cloud4Wi automatically initializes a Group Policy (named after your IdP integration) along with a rule that maps all authenticating users to it.
⚠️ Note: To honor Zero-Trust security principles, this default Group Policy is initially configured to Block Network Authorization. You must update or create new policies to let users online.
You have two options for managing user access:
- Option A: Allow All IdP Users (Quick Setup)
  Modify the automatically created Group Policy and switch the Authorization configuration from Deny Access to Allow Access. The existing Trusted Access Rule already assigns this policy to all users identified by your IdP, granting them immediate network access upon authentication.
- Option B: Selective, Group-Based Access Control (Recommended)
  Create distinct Group Policies for different departments or roles (e.g., assigning a unique VLAN to Finance). Then, create Trusted Access Rules to map these specific Group Policies to corresponding groups within your IdP.
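The following sketch models the Option B setup with the default policy left on deny. It is an added example, not Cloud4Wi code: the first-match rule ordering, the group and policy names, the VLAN IDs, and the use of the standard RFC 3580 VLAN attributes in the RADIUS reply are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class GroupPolicy:
    name: str
    allow: bool                    # Authorization: Allow Access / Deny Access
    vlan_id: Optional[int] = None  # optional per-policy VLAN

@dataclass(frozen=True)
class TrustedAccessRule:
    idp_group: str                 # group as synced from the IdP; "*" = any user
    policy: GroupPolicy

# Constructed sample configuration (names and VLAN IDs are made up).
DEFAULT = GroupPolicy("entra-default", allow=False)   # initial state: blocked
FINANCE = GroupPolicy("finance", allow=True, vlan_id=30)
ENGINEERING = GroupPolicy("engineering", allow=True, vlan_id=40)
RULES = [
    TrustedAccessRule("Finance", FINANCE),
    TrustedAccessRule("Engineering", ENGINEERING),
    TrustedAccessRule("*", DEFAULT),   # catch-all stays last and stays deny
]

def resolve_policy(user_groups, rules=RULES):
    """Return the policy of the first rule whose group the user belongs to."""
    for rule in rules:
        if rule.idp_group == "*" or rule.idp_group in user_groups:
            return rule.policy
    return GroupPolicy("implicit-deny", allow=False)  # no rule matched

def radius_decision(user_groups, rules=RULES):
    """Map the resolved policy to a RADIUS reply (RFC 3580 VLAN attributes)."""
    policy = resolve_policy(user_groups, rules)
    if not policy.allow:
        return ("Access-Reject", {})
    attrs = {}
    if policy.vlan_id is not None:
        attrs = {
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(policy.vlan_id),
        }
    return ("Access-Accept", attrs)

if __name__ == "__main__":
    # A user who moves from Finance to Engineering changes VLAN on re-evaluation.
    for groups in ({"Finance"}, {"Engineering"}, {"Contractors"}, set()):
        print(sorted(groups), radius_decision(groups))
```

Users whose IdP groups match no department rule fall through to the catch-all and are rejected, which is the behaviour to verify before moving real users onto the SSID.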
Step 4: Choose Your Onboarding Channels
Cloud NAC offers two primary self-onboarding channels to get user devices connected. You can choose the method that best fits your deployment:
A) BYOD Portal
This is a standalone, branded online portal with a dedicated URL that you can distribute to your users (e.g., via a welcome email).
How it works: Users navigate to the URL, log in with their corporate credentials, and securely download a Passpoint profile directly onto their device for automated future connections.
B) Captive Portal
As an alternative to the BYOD portal, you can deploy a traditional Captive Portal with Single Sign-On (SSO) enabled.
How it works: Users connect to an open SSID, the Captive Portal prompts them to authenticate via your corporate IdP, and they are authorized onto the network.
Note: Combining SSO with a Captive Portal involves specific Multi-Factor Authentication (MFA) requirements. Please consult our dedicated guide in the Help Center to learn more.
Step 5: Configure Your Network Infrastructure
The final step is configuring your physical network hardware to use Cloud NAC for onboarding and AAA (Authentication, Authorization, and Accounting).
Retrieve your required RADIUS parameters directly from the onboarding wizard on the General Settings page.
Visit the Help Center to find the specific hardware configuration guide for your vendor (e.g., Cisco, Aruba, Meraki) and follow the step-by-step instructions.
General SSID Requirements:
Configure a dedicated SSID for Passpoint connections (if using the BYOD Portal).
Configure a dedicated Captive Portal SSID for web-based onboarding and/or guest Wi-Fi services.