Cisco Catalyst 9800 Series Wireless Controllers Integration

This article describes enabling Cloudi-Fi Captive Portal directly and natively in your Cisco Catalyst 9800 Series Wireless Controllers.

Summary:

1. Get Cloudi-Fi required information

2. WEB Auth configuration

3. Radius Configuration

4. WLAN Configuration

5. Walled Garden and Radius Accounting

6. Tags & Profiles

1) Get Cloudi-Fi required URL and Radius Secret

Go to your Cloudi-Fi administration interface and get the URL for external authentication:

Go to Locations Menu

Click on the menu button of the location and select "Copy Splash page URI"

• Transform the URI as follows

Go to the chat interface and ask for your Radius secret

• Copy the secret as well

2) WEB Auth configuration

Go to Configuration Security Web Auth. Click on Global profile and ensure the below :

• Virtual IPv4 Address: 192.0.2.1

Click on Add Button and configure as described below :

• Parameter-map name: guest_wifi

• Maximum HTTP connections: 200

• Init-State Timeout: 3600

• Type: webauth

Apply to device

You can click on the object you have created and modify the below.

On the General Tab :

• Banner Type: None

• Turn-on Consent with Email: Disabled

• Captive Bypass Portal: Disabled

• Disable Success Window: Enabled

• Disable Logout Window: Enabled

• Sleeping Client Status: Enabled

• Sleeping Client Timeout: 720

On the Advanced Tab:

• Redirect for log-in: Splash page URI copied from the Cloudi-Fi interface

• Redirect On-Success: https://login.cloudi-fi.net/success.php

• Redirect On-Failure: Splash page URI copied from the Cloudi-Fi interface

• Redirect Append for AP MAC Address: ap_mac

• Redirect Append for Client MAC Address: client_mac

• Redirect Append for WLAN SSID: wlan_ssid

• Portal IPV4 Address: 178.33.251.41

Apply to Device

3) Radius configuration

Go to Configuration Security AAA. Select Servers / Groups and add:

• Name: Cloudi-Fi-Rad1

• IPv4 / IPv6 Server Address: Primary IP

• Key Type: 0

• Key: Shared Secret

• Confirm Key: Shared Secret

• Auth Port: 1812

• Acct Port: 1813

• Server Timeout: 10

• Retry Count: 3

• Support for CoA: Disabled

Apply to Device

Click Add again and configure :

• Name: Cloudi-Fi-Rad2

• IPv4 / IPv6 Server Address: Secondary IP

• Key Type: 0

• Key: Shared Secret

• Confirm Key: Shared Secret

• Auth Port: 1812

• Acct Port: 1813

• Server Timeout: 10

• Retry Count: 3

• Support for CoA: Disabled

Apply to Device

On the Servers Groups sub-tab, add:

• Name: Cloudi-Fi_Radius

• Group Type: RADIUS

• MAC-Delimiter: hyphen

• MAC-Filtering: none

• Assigned Servers: Cloudi-Fi-Rad1, Cloudi-Fi-Rad2

Apply to Device

Click on the AAA Method List tab and add:

• Method List Name: Cloudi-Fi_Auth

• Type: login

• Group Type: Group

• Assigned Server Groups: Cloudi-Fi_Radius

Apply to Device

Click on the Accounting sub-tab and add:

• Method List Name: Cloudi-Fi_Acct

• Type: Identity

• Assigned Server Groups: Cloudi-Fi_Radius

Go to AAA Advanced and click on Advanced Settings. Configure both Accounting and Authentication with:

• Call Station ID: ap-macaddress-ssid

• Call Station ID Case: upper

• MAC-Delimiter: hyphen

• Username Case: lower

• Username Delimiter: none

4) WLAN configuration

Go to Configuration -> Security -> ACL and create a new ACL

• ACL Name: Cloudi-Fi_ACL

• Sequences 1
  • Action: permit
  • Source IP: Any
  • Destination IP: 104.26.4.244
  • Protocole: ip
• Sequences 2
  • Action: permit
  • Source IP: Any
  • Destination IP: 104.26.5.244
  • Protocole: ip
• Sequences 3
  • Action: permit
  • Source IP: Any
  • Destination IP: 172.67.70.238
  • Protocole: ip
• Sequences 4
  • Action: permit
  • Source IP: Any
  • Destination IP: 178.33.251.41
  • Protocole: ip

• Sequence 5

  • Action: permit
  • Source IP: Any
  • Destination IP: your DNS servers
  • Protocole: udp eq domain

• Sequence 6

  • Action: permit
  • Source IP: Any
  • Destination IP: 54.37.221.71
  • Protocole: udp (1812-1813)

• Sequence 7

  Action: permit
  Source IP: Any
  Destination IP: 87.98.173.68
  Protocole: udp (1812-1813)

• Sequence 9
  • Action: deny
  • Source IP: Any
  • Destination IP: any
  • Protocole: ip

5) WLAN configuration

Go to Configuration -> Tags & Profiles -> WLANS and add or edit an existing WLAN :

On the General tab:

• Profile Name: Cloudi-Fi_Guest

• SSID: YOUR_SSID_NAME

• Status: Enabled

• Radio Policy: All

• Broadcast SSID: Enabled

On Security Layer 2 tab:

• Layer 2 Security Mode: None

• MAC Filtering: Disabled

On Security Layer 3 tab. Click on Show Advanced Settings :

• Web Policy - Enabled

• Web Auth Parameter Map - guest_wifi

• Authentication List - Cloudi-Fi_Radius

• On Mac Filter Failure - Disabled

• Splash Web Redirect - Disabled

• IPv4 ACL - Cloudi-Fi_ACL

Apply to Device

6) Walled Garden and Radius Accounting

Go to Configuration -> Security -> URL Filters and add :

• List Name: WalledGarden

• Type: PRE_AUTH

• Action: PERMIT

• URLs:

  • 178.33.251.41

  • login.cloudi-fi.net

  • login-cn.cloudi-fi.net

  • *.cloudi-fi.net

Apply to device

Go to Configuration -> Tags & Profiles Policy and add

On the General tab:

• Name: guest_policy

• Status: Enabled

On the Access Policies tab:

• URL Filters: WalledGarden

On the Advanced tab:

• Session Timeout: 43200

• Idle Timeout: 3600

• Allow AAA Override: Enabled

• Accounting List: Cloudi-Fi_Acct

Apply to device

7) Tags & Profiles

Go to Configuration Tags & Profiles Tags and Add

• Name: guest_tag

• WLAN Profile: Cloudi-Fi_Guest

• Policy Profile: guest_policy

Apply to Device

Finally, go to Administration Management HTTP/HTTPS/Netconf and ensure the following:

• HTTP Access: Enabled

• HTTPS Access: Enabled

Make sure to Save the Configuration to ensure your changes are persisted on reboot.

For more information on the Cisco technology partnership, how-to video, and solution brief, please visit our partner page here.