Captive Portal configuration on Cisco Catalyst 9800
This page will guide you through the Captive Portal configuration for Cisco WLC 9800 hardware / VM and authentication via IronWiFi.
IronWiFi Console Configuration
- Log into the IronWiFi console or register for free
- Create a new network
- After that, create a new captive portal, with vendor Cisco WLC
This guide has been based on the WLC 9800 firmware version 17.12.4
Radius Servers Configuration [AAA]
Log in to your WLC9800 controller GUI, and go to Configuration > Security > AAA.
Click + Add in Servers / Groups tab.
- Name - guestradius
- Server Address - get this value from the IronWiFi console
- Key Type - Clear Text
- Key* and Confirm Key* - get this value from the IronWiFi console
- Auth Port and Acct Port - get these values from the IronWiFi console
- Server Timeout - 10 seconds
- Retry Count - 3
- Support for CoA - disabled (CoA will be available in the near future for Cisco WLC)
Click Apply to Device.
Repeat the above for the Backup / Secondary Server.
Switch from Servers to the Server Groups tab and click + Add.
- Name - guestradius-group
- Group Type - RADIUS
- MAC-Delimiter - hyphen
- MAC-Filtering - none
Move the server(s) you have added in previous step from Available Servers to Assigned Servers field.
Click Apply to Device.
Switch to AAA Method List tab, and with Authentication highlighted on the left click + Add.
- Method List Name - guest-auth-method
- Type - login
- Group Type - group
Move the group you have added in previous steps (guestradius-group) from Available Servers Groups to Assigned Servers Groups field.
Highlight the Accounting on the left and click + Add.
- Method List Name - guest-acct-method
- Type - identity
Move the group you have added in previous steps (guestradius-group) from Available Servers Groups to Assigned Servers Groups field.
Switch to AAA Advanced tab and configure
- Interim Updates - selected
- Interim Interval (Minutes) - 10
Click on Show Advanced Settings >>>
In Radius Attributes, Accounting, select:
- Called-station-id - ap-macaddress-sid
- Called-station-id case - upper
- Mac-Delimiter - hyphen
- Username Case - lower
- Username Delimiter - none
In Radius Attributes, Authentication, select:
- Called-station-id - ap-macaddress-sid
- Called-station-id case - upper
- Mac-Delimiter - hyphen
Trusted Certificate Configuration
Due to the changes in the mobile and desktop Operating Systems in 2024, it is essential to obtain and install a VALID PUBLIC certificate to avoid insecure site warning during the final authentication step, when the traffic is redirected to controller VirtualIP Domain Name for the authentication.
Go to Configuration > Security > PKI Management
In Key Pair Generation tab click + Add
- Enter Key Name - pick something recognisable, use the FQDN of the virtualIP Domain Name - i.e. wlc.your.domain
- you can leave all other options as they are
Click Generate.
Switch to Add Certificate tab and expand Generate Certificate Signing Request section.
Fill in all the required fields.
- Certificate name - for simplicity use the same name as above for Key Name - i.e. wlc.your.domain
- Key Name - select previously generated key from the drop-down
- Domain Name - use FQDN of the virtualIP Domain Name - i.e. wlc.your.domain
- Fill in the remaining fields with the relevant data; in practice only Country Code is required, as the other fields will be overwritten by the Certificate Authority when it signs your CSR
Click Generate.
After the CSR has been generated you will have the option to either Copy or Save it.
Submit the CSR to your chosen Certificate Authority for signing; you should receive a Signed Certificate and a Certificate Chain.
Expand Authenticate Issuer CA section and:
- select the Trustpoint - it should match your FQDN from the previous steps - i.e. wlc.your.domain
- paste the Issuing CA certificate (it will be the Intermediate CA that directly signed your CSR) into the Issuer CA Certificate (.pem) field
Click Authenticate.
Expand Import Device Certificate section and:
- select the Trustpoint - it should match your FQDN from the previous steps - i.e. wlc.your.domain
- paste the Signed Certificate you have received from your CA into the Signed Certificate (.pem) field
Click Import.
Configure Web Auth
Go to Configuration > Security > Web Auth
Double click on global in Parameter Map Name list to edit it and in the General tab:
- Select Trustpoint that was created in the previous step
- Put your FQDN you have the certificate issued for in Virtual IPv4 Hostname i.e. wlc.your.domain
- Select Enable HTTP server for Web Auth
Click Update & Apply
Click Add +
- Parameter-map Name - guest-webauth-map
- Maximum HTTP connections - 200
- Init-State Timeout(secs) - 3600
- Type - webauth
Click Apply to Device.
Double click on the map you have just created to edit and in the General tab:
- Select Disable Success Window
- Select Disable Logout Window
- Select Disable Cisco Logo
- Select Sleeping Client Status
- Make sure that Sleeping Client Timeout (minutes) is set to 720
Switch to Advanced tab
In Redirect to external server:
- Redirect URL for login - paste your Splash Page URL from IronWiFi Console
- Redirect On-Success - paste your Success Page URL from IronWiFi Console
- Redirect On-Failure - paste your Splash Page URL from IronWiFi Console
- Redirect Append for AP MAC Address - ap-mac
- Redirect Append for Client MAC Address - client-mac
- Redirect Append for WLAN SSID - wlan-ssid
- Portal IPV4 Address - 107.178.250.42
Click Update & Apply.
For the redirect process to work as expected, you have to have an A record for your FQDN added to your DNS server or DNS proxy that serves the wireless clients so it resolves to your Virtual IPv4 Address, i.e. wlc.your.domain -> 192.0.2.1
Configure ACL
During the configuration process described above, the Access Control List should have been created automatically. Go to Configuration > Security > ACL to locate it.
It should have 9 entries, consisting of:
- Action - permit, Source IP - any, Destination IP - 107.178.250.42, Protocol - tcp, Source Port - None, Destination Port - eq www
- Action - permit, Source IP - any, Destination IP - 107.178.250.42, Protocol - tcp, Source Port - None, Destination Port - eq 443
- Action - permit, Source IP - 107.178.250.42, Destination IP - any, Protocol - tcp, Source Port - None, Destination Port - eq www
- Action - permit, Source IP - 107.178.250.42, Destination IP - any, Protocol - tcp, Source Port - None, Destination Port - eq 443
- Action - permit, Source IP - any, Destination IP - any, Protocol - tcp, Source Port - None, Destination Port - eq domain
- Action - permit, Source IP - any, Destination IP - any, Protocol - udp, Source Port - None, Destination Port - eq domain
- Action - permit, Source IP - any, Destination IP - any, Protocol - udp, Source Port - None, Destination Port - eq bootpc
- Action - permit, Source IP - any, Destination IP - any, Protocol - udp, Source Port - None, Destination Port - eq bootps
- Action - deny, Source IP - any, Destination IP - any, Protocol - ip, Source Port - None, Destination Port - None
Take note of the autogenerated ACL name as you will need it in the next steps.
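The nine entries above are evaluated first-match, and the point of the list is that an unauthenticated client can only reach DHCP, DNS and the portal address. The following is an added example (not from the guide or from Cisco/IronWiFi) that models those entries in Python, evaluates sample flows against them, and audits a list for a permit that would let clients bypass the portal; the flow addresses and the `Ace` helper are constructed for the example.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Constructed for this example: the nine autogenerated entries listed above, in
# order. The controller evaluates an ACL first-match, so order matters.
PORTAL_IP = "107.178.250.42"
PORTS = {"www": 80, "domain": 53, "bootpc": 68, "bootps": 67}  # names as the GUI shows them

class Ace(NamedTuple):
    action: str           # "permit" or "deny"
    src: str              # "any" or a single IPv4 address
    dst: str
    proto: str            # "tcp", "udp" or "ip" ("ip" matches every protocol)
    dport: Optional[int]  # None means any destination port

PREAUTH_ACL = [
    Ace("permit", "any", PORTAL_IP, "tcp", PORTS["www"]),
    Ace("permit", "any", PORTAL_IP, "tcp", 443),
    Ace("permit", PORTAL_IP, "any", "tcp", PORTS["www"]),
    Ace("permit", PORTAL_IP, "any", "tcp", 443),
    Ace("permit", "any", "any", "tcp", PORTS["domain"]),
    Ace("permit", "any", "any", "udp", PORTS["domain"]),
    Ace("permit", "any", "any", "udp", PORTS["bootpc"]),
    Ace("permit", "any", "any", "udp", PORTS["bootps"]),
    Ace("deny", "any", "any", "ip", None),
]

def _ip_matches(rule_ip: str, pkt_ip: str) -> bool:
    return rule_ip == "any" or ipaddress.ip_address(rule_ip) == ipaddress.ip_address(pkt_ip)

def evaluate(acl: List[Ace], src: str, dst: str, proto: str, dport: Optional[int]) -> Tuple[str, int]:
    """Return (action, index) of the first entry matching the flow; (deny, -1) if none does."""
    for i, ace in enumerate(acl):
        if ace.proto not in ("ip", proto) or (ace.dport is not None and ace.dport != dport):
            continue
        if _ip_matches(ace.src, src) and _ip_matches(ace.dst, dst):
            return ace.action, i
    return "deny", -1

def audit_preauth_acl(acl: List[Ace]) -> List[str]:
    """Findings that would let a client reach the web before authenticating; empty is good."""
    findings = []
    if not acl or acl[-1] != Ace("deny", "any", "any", "ip", None):
        findings.append("last entry must be 'deny ip any any'")
    for i, ace in enumerate(acl[:-1]):
        web = ace.proto in ("tcp", "ip") and ace.dport in (80, 443, None)
        if ace.action == "permit" and web and ace.src == "any" and ace.dst == "any":
            findings.append(f"entry {i}: permits any destination on web ports before authentication")
    return findings
```

Run `audit_preauth_acl` against the entries you see in the GUI after any manual change to the ACL; a stray `permit tcp any any eq 443` added above the final deny is exactly the kind of mistake it flags.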
Configure WLAN
Go to Configuration > Tags & Profiles > WLANs
Click +Add to add the new WLAN or double-click on the existing WLAN to edit it.
In General tab:
- Profile Name - as required
- SSID - as required
- Status - Enabled
- Broadcast SSID - Enabled
- Radio Policy - as required
In Security - Layer 2 tab, configure either an open network or protected with PSK - as required
In Layer 3 sub-tab:
- Web Policy - selected
- Web Auth Parameter Map - select previously created parameter map
- Authentication List - select previously created Authentication Method list
Click on Show Advanced Settings >>> in the same window and in Preauthentication ACL:
- IPv4 - select ACL name created in the previous step
Click Apply to Device.
Configure URL Filter and Policy
Go to Configuration > Security > URL Filters
Click +Add
- List Name - guest-url-preauth
- Type - PRE-AUTH
- Action - PERMIT
- URLs - 107.178.250.42 and *.ironwifi.com
Click Apply to Device
Go to Configuration > Tags & Profiles > Policy
Click +Add and in General tab:
- Name - guest-policy-profile
- Status - enabled
On Access Policies tab in URL Filters
- Pre Auth - select list created in previous step
On Advanced tab:
- Session Timeout (sec) - 43200 (or as required)
- Idle Timeout (sec) - 3600 (or as required)
- Allow AAA Override - selected
- Accounting List - select accounting list method created in previous steps
- Interim Accounting - Enabled
Click Apply to Device.
Go to Configuration > Tags & Profiles > Tags
In Policy tab click + Add
- Name - guest-policy-wlan-map
In WLAN-Policy Maps click +Add
- WLAN Profile - select previously created WLAN profile
- Policy Profile - select previously created Policy profile
Click tick symbol to add. Click Apply to Device
Don't forget to apply the tag to the Access Point or Site for the SSID to be broadcast on your selected Access Points!