Skip to main content

Search

Cloudi-Fi Knowledge Base

Configure 802.1X with Cloudi-Fi RADIUS on Cisco WLC 9800

Default Admin
  • Updated

This guide explains how to integrate Cloudi-Fi’s cloud RADIUS service with a Cisco Catalyst 9800 WLC to enable 802.1X authentication.

Prerequisites

Before starting, ensure the following:

  • A Cisco access point managed by a Cisco Catalyst 9800 WLC

  • Cloudi-Fi RADIUS IP addresses and shared secret

  • Administrator access to the Cisco WLC GUI

  • Knowledge of your internal IP addressing scheme

  • Firewall access to allow required ports

Source Destination Port Protocol Action Comment
802.1X subnet Cloudi-Fi IPs 1815 UDP Allow RADIUS traffic
802.1X subnet Any 80 TCP Allow HTTP traffic
802.1X subnet Any 443 TCP Allow HTTPS traffic
802.1X subnet Any 53 UDP/TCP Allow DNS resolution
* * * * Deny Adjust as needed

 

1. Get the Cloudi-Fi NAS-ID

You must create or use a Cloudi-Fi location and retrieve its NAS-ID (Hash key).

  • Log in to the Cloudi-Fi admin console.
  • Go to Location.
  • Create a new location if needed and fill in:
    • Location name
    • Type (Redirect URL)
    • Country
  • Save.
Cloudi-Fi UI - Create 802.1x location.png
  • Click the location you created.
  • Go to Network parameters and copy the Hash key — this will be used as the NAS-ID.
Cloudi-Fi admin - get nas-id.png

 

2. Configure a custom NAS-ID on the WLC

  • Navigate to Configuration > Security > Wireless AAA policy.
  • Edit an existing policy or create a new one.
  • Under NAS-ID option 1, set the type to Custom string.
  • Paste the Hash key obtained from Cloudi-Fi.
Cisco WLC 9800 customise nas-id.png

 

3. AAA configuration on Cisco 9800 WLC

3.1. Declare the RADIUS server

Navigate to:
Configuration > Security > AAA > Servers / Groups > RADIUS > Servers > +Add

Enter:

  • Name: 802.1x_Cloudi-Fi_Srvs

  • RADIUS IPs: see Radius Servers for 802.1X

  • Authentication port: 1815/UDP

  • Accounting port: 1813/UDP

  • Shared secret: Obtained via Cloudi-Fi chatbot or support

  • Server timeout: 20

  • Retry count: 20

Cisco WLC 9800 Declare the RADIUS server for 802.1X.png

Click Apply.

 

3.2. Create a RADIUS server group

Navigate to:
Configuration > Security > AAA > Servers / Groups > RADIUS > Server Groups > +Add

  • Create a new group (for example Cloudi-Fi_8021x_Group).

  • Move your RADIUS server into Assigned Servers.

Cisco WLC 9800 Create a RADIUS server group for 802.1X.png

 

3.3. Create an authentication method list

Navigate to:
Configuration > Security > AAA > AAA Method List > Authentication > +Add

Set:

  • Method list name: 802.1X_Cloudi-Fi_Method

  • Type: dot1x

  • Group type: group

  • Add the RADIUS server group created above to Assigned Server Groups.

Cisco WLC 9800 Create an authentication method list for 802.1X.png

 

4. WLAN profile configuration

4.1. Create the WLAN

Navigate to Configuration > Tags & Profiles > WLANs > +Add

Enter your SSID details.

Add the SSID name, profile name, and enable broadcast.

Cisco WLC 9800 Create WLAN for 802.1x.png

 

4.2. Configure WLAN security

Navigate to the Security tab.

  • Select WPA2 + 802.1X
    or if required:

  • WPA2 + WPA3 mixed mode

Cisco WLC 9800 Define WLAN parameters for 802.1x.png

 

4.3. Apply the AAA method

Navigate to Security > AAA and assign the authentication method list created earlier (802.1X_Cloudi-Fi_Method).

Cisco WLC 9800 Apply the AAA method for 802.1X.png

 

5. Policy profile configuration

The policy profile controls VLAN assignment, ACLs, QoS, timers, and mobility behavior.

Go to Configuration > Tags & Profiles > Policy Profile

5.1. Create or edit the profile

  • Edit default-policy-profile
    or

  • Click + Add to create a new policy profile

5.2. Enable the policy profile

In the General tab:

  • Ensure Policy Profile State : Enabled

5.3. Configure settings for local mode APs

If your APs operate in Local Mode, enable the following under the Advanced or General tabs (depending on WLC version):

  • Central Switching

  • Central Authentication

  • Central DHCP

Cisco WLC 9800 Configure settings for 802.1X.png

5.4. Assign the VLAN

Go to the Access Policies tab:

  • Set the VLAN used for authenticated 802.1X clients

Cisco WLC 9800 Assign the VLAN for 802.1X.png

5.5. Enable AAA override

Enable this if Cloudi-Fi returns RADIUS attributes such as dynamically assigned VLANs.

  • Go to the Advanced tab.

  • Enable AAA Override.

  • In Policy Name, select the policy configured with the custom NAS-ID.

Cisco WLC 9800 Enable AAA override for 802.1x.png

 

6. Policy tag configuration

The policy tag ties together the WLAN profile and the policy profile.

Go to Configuration > Tags & Profiles > Tags > Policy

6.1. Create or use an existing policy tag

  • Select an existing tag
    or

  • Click + Add to create a new policy tag

6.2. Associate profiles

Inside the policy tag:

  • Assign your WLAN Profile

  • Assign your Policy Profile

Click Apply.

 

7. Policy tag assignment

This step applies the policy tag to specific access points.

Go to Configuration > Wireless > Access Points

7.1. Select the AP

Click the AP name you want to configure.

7.2. Apply the policy tag

Under the General tab → Tags section:

  • Select the desired Policy Tag

7.3. Save the configuration

Click Update & Apply to Device.

7.4. Repeat or bulk assign

  • Repeat for each AP
    or

  • Use AP Join Profiles for group-level assignment

 

Your Cisco WLC 9800 is now configured to authenticate clients using Cloudi-Fi RADIUS via 802.1X.