Use Case

This guide provides step-by-step instructions on how to integrate Cloudi-Fi's cloud-based captive portal service with Cisco Catalyst 9800 Series Wireless Controllers operating in FlexConnect mode. FlexConnect mode allows APs to handle authentication and data forwarding locally or by tunneling traffic back to the WLC (Central Switching).

FlexConnect provides flexibility in managing network traffic while ensuring that Cloudi-Fi's authentication services remain accessible regardless of the switching mode. This approach ensures optimal performance, security, and scalability when deploying guest WiFi solutions in branch and corporate environments.

When choosing the appropriate FlexConnect switching mode for External Web Authentication (WebAuth), aligning the configuration with the specific network environment and business requirements is essential. The decision should be based on traffic flow, WAN reliability, and security policies.

• Local Switching is preferred when the priority is to reduce WAN dependency and ensure authentication remains functional even if the WAN link to the WLC is unstable. This is ideal for branch offices where direct internet breakout is needed.
• Central Switching is recommended when all traffic needs to be processed centrally for consistent security policy enforcement and monitoring. This is best suited for corporate environments where security compliance requires all traffic to flow through the WLC.

The steps outlined in this guide remain valid regardless of the switching mode used: Local or Central Switching.

Prerequisites

Before starting, ensure that you have the following prerequisites:

• • Access to Cloudi-Fi's admin console.
  • Cloudi-Fi Radius IPs and Secret.
  • Access to your Cisco Catalyst 9800 Series Wireless Controllers.
  • Knowledge of your network’s IP addressing scheme.

1. Get Cloudi-Fi required URL

Go to the "Location" section in the Cloudi-fi Admin interface.
Create New Location and enter the required details for the new location:

• Location Name
• Type (Redirect URL)
• Portal template
• Country 

Location URL: this URL will be used to configure an External Captive Portal

https://login.cloudi-fi.net/start/ch/ebd2egzrfgrg/lh/qgrzqrgegs/sp/spsomething.com

https://login.cloudi-fi.net/start/ch/ebd2egzrfgrg/lh/qgrzqrgegs/sp/spcisco.com

2. Get Radius information

You will need the Radius information (Server IPs, Secret, Ports) to go ahead with the setup.

1. IPs address of the Radius servers
2. Ports: UDP 1812 (Authentication) & 1813 (Accounting)

You can get the Secret by asking in the Chatbot, Cloudi-Fi’s Support team will provide you with the necessary information.

What shared secret is used for the Radius server with WLC 9800? (Please save this confidential information securely, and do not share it publicly).

3. Enable FlexConnect Mode on APs

• Navigate to WLC UI > Configuration > Wireless > Access Points
• Select the AP to configure
• Verify that AP Mode is set to Flex

4. Configure a Global Web Auth

• Navigate to WLC UI > Configuration > Security > Web Auth
• Click on Global Profile
• Ensure the following settings are configured
• Virtual IPv4 Address: 192.0.2.2

If you want to know how to Add a certificate to a Cisco Wireless Controller (Cisco WLC), check the following page.

5. Configure WLAN using the Wizard

• Navigate to WLC UI > Configuration > Wireless Setup > WLAN Wizard
• Select WLAN Type: Flex Connect
• Click on External Web Auth

Define Network Name and SSID

• • Under Network Name, enter a Profile Name: Cloudi-Fi_Guest
  • Set the SSID name that clients will connect to Cloudi-Fi_Guest
  • Assign a WLAN ID, which uniquely identifies this WLAN on the controller

Configure WLAN Policy

• • • Click Create New to define a new policy profile, or select an existing one
    • Enter the Policy Profile Name: Cloudi-Fi_Guest_flex
    • Assign the appropriate VLAN for client traffic: WLC_VLAN_20

Define Web Authentication Parameters

• Under WLAN Specific Configuration, click Create New
• Set Parameter-map Name to Cloudi-Fi_Guest
• In Redirect URL for login, enter the Splash page URL copied from Cloudi-Fi Admin Console
• Set Portal IPv4 Address to 104.26.5.244

Configure Flex Profile

• Under Flex Profile, enter the Profile Name: Flex_Profile
• Set the Native VLAN ID 

Configure Pre-Authentication ACL (Cloudi-Fi ACL)

• Under Pre Auth ACL, enter the ACL Name: Cloudi-Fi_ACL_Flex
• Add the following IP addresses of Cloudi-Fi services that need to be permitted before authentication:

Configure URL Filtering (Walled Garden)

• Under URL Filter, set the Filter Name: Walled_Garden
• Add permitted URLs that should be accessible before authentication:
  • login.cloudi-fi.net 
  • *.cloudi-fi.net 
  • login-cn.cloudi-fi.net 

Configure the Site Tag

• Under Site Configuration:
  • Click Select Existing to choose an existing Site Tag: default-site-tag
  • Or click Create New to define a new Site Tag
  • Click + (Add) to apply the selected Site Tag

Configure the Policy Tag

• Under Policy Tag, you should create a new Policy Tag:
  • Click Create New to define a new Policy Tag
  • In the Enter Policy Tag field, enter the name: flex_guest_tag
  • Click + (Add) to apply the new Policy Tag

Configure the RF Tag

• Under RF Tag Configuration, select an existing RF Tag:
  • Click Search or Select to choose an existing RF Tag: default-rf-tag
  • Click + (Add) to apply the RF Tag

Select Access Points (APs) to Provision

• Under Step 1: Select APs and find the list of joined APs
• Check the box next to the AP(s) that should be assigned to this WLAN
• Use the search bar if you need to locate a specific AP

Assign Policy, Site, and RF Tags

• Under Step 2: Select Tags, choose the appropriate tags for the AP:
  • Policy Tag: default-policy-tag (Manages WLAN and security policies)
  • Site Tag: default-site-tag (Determines FlexConnect or Central switching)
  • RF Tag: default-rf-tag (Controls radio frequency parameters for APs)
• Click Add to assign the selected tags to the AP

Review and Apply Configuration

• Verify the settings in the CLI Preview on the right.
• Click Apply to finalize the configuration and push it to the controller.

6. Update the Tags of the Access Point (AP)

Update the Policy Tag of the Access Point (AP)

Go to Configuration > Wireless > Access Points > Select the AP to update:

• In the Edit AP panel on the right, locate the Tags section
• Click on the Policy Tag dropdown
• Change the selection from default-policy-tag to flex_guest_tag (created via the WLAN Wizard)
• Click Update & Apply to Device to push the new Policy Tag to the AP
• The AP will reboot automatically to apply the changes

Update the Site Tag of the Access Point (AP)

Go to Configuration > Tags & Profiles > Tags > Select the Site tab:

• Click on the default-site-tag (this is the one selected from the WLAN Wizard)
• In the Edit Site Tag panel on the right:
  • Uncheck Enable Local Site
  • Flex Profile: Choose Flex_Profile, ensuring that APs operate in FlexConnect mode.
• Click Update & Apply to Device to save and push the new settings.
• The AP will reboot automatically to apply the changes.

7. Update the Web Auth

Go to WLC UI > Configuration > Security > Web Auth > select the Cloudi-Fi_Guest parameter map (the one created via the WLAN Wizard) to edit it.

• On the General Tab :
  • Banner Type: None
  • Turn-on Consent with Email: Disabled
  • Captive Bypass Portal: Disabled
  • Disable Success Window: Enabled
  • Disable Logout Window: Enabled
  • Sleeping Client Status: Enabled
  • Sleeping Client Timeout: 720
• On the Advanced Tab:
  • Redirect for log-in: Splash page URI copied from the Cloudi-Fi interface (see Step 1: Get Cloudi-Fi required URL)
  • Redirect On-Success: https://login.cloudi-fi.net/success.php
  • Redirect On-Failure: Splash page URI copied from the Cloudi-Fi interface
  • Redirect Append for AP MAC Address: ap_mac
  • Redirect Append for Client MAC Address: client_mac
  • Redirect Append for WLAN SSID: wlan_ssid
  • Portal IPV4 Address: 104.26.5.244

8. Configure a Radius server

Go to WLC UI > Configuration > Security > AAA > Servers / Groups > Server and add:

• Name: Cloudi-Fi-Rad1
• IPv4 / IPv6 Server Address: Primary IP
• Key Type: Clear text
• Key: Shared Secret (see Step 2: Get Radius Information)
• Confirm Key: Shared Secret
• Auth Port: 1812
• Acct Port: 1813
• Server Timeout: 10
• Retry Count: 3
• Support for CoA: Disabled

Apply to Device

You can add additional Radius server (see RADIUS & SYSLOG servers)

Then go to WLC UI > Configuration > Security > AAA > Servers / Groups > Server Groups and add

• Name: Cloudi-Fi-Group
• Group Type: RADIUS
• MAC-Delimiter: hyphen
• MAC-Filtering: none
• Assigned Servers: Cloudi-Fi-Rad1, Cloudi-Fi-Rad2

Then go to WLC UI > Configuration > Security > AAA > AAA Method lists > Authentication and add

• Method List Name: Cloudi-Fi_Auth
• Type: login
• Group Type: Group
• Assigned Server Groups: Cloudi-Fi-Group

Then go to WLC UI > Configuration > Security > AAA > AAA Method lists > Accounting and add

• Method List Name: Cloudi-Fi_Acct
• Type: Identity
• Assigned Server Groups: Cloudi-Fi-Group

Then go to WLC UI > Configuration > Security > AAA > AAA Advanced > Global Settings and configure both Accounting and Authentication with:

• Call Station ID: ap-macaddress-ssid
• Call Station ID Case: upper
• MAC-Delimiter: hyphen
• Username Case: lower
• Username Delimiter: none

9. Update Policy for RADIUS authentication

Go to WLC UI > Configuration > Tags & Profiles > Policy.

• Select Cloudi-Fi_Guest_flex (the policy tag selected from the WLAN Wizard).

• Go to the Advanced tab and update the following settings:

  • Session Timeout: 43200 seconds

  • Idle Timeout: 3600 seconds

  • Allow AAA Override: Enabled

  • Accounting List: Cloudi-Fi_Acct

• Click Update & Apply to Device

10. Update WLAN for RADIUS authentication

Go to WLC UI > Configuration > Tags & Profiles > WLANs.

• Select your configured WLAN (Cloudi-Fi_Guest, the one created from the WLAN Wizard).

• Go to the Security > Layer 3 tab and modify the following settings:

  • Web Policy: Enabled

  • Web Auth Parameter Map: Cloudi-Fi_Guest

  • Authentication List: Cloudi-Fi_Auth

• Click Update & Apply to Device

Troubleshooting Tips

• If redirection fails, check if DNS resolution and HTTP/HTTPs traffic are allowed before authentication.

• Check ACL configurations to ensure Cloudi-Fi domains are accessible.
• Check our first level troubleshooting guide.