This article describes enabling Cloudi-Fi Captive Portal directly and natively in your Cisco Catalyst 9800 Series Wireless Controllers.
Summary:
1) Get Cloudi-Fi required URL and Radius Secret
Go to your Cloudi-Fi administration interface and get the URL for external authentication:
- Go to the Locations menu
- Click on the menu button of the location and select "Copy Splash page URI"
- Transform the URI as follows
Go to the chat interface and ask for your Radius secret:
- Copy the secret as well
2) WEB Auth configuration
Go to Configuration -> Security -> Web Auth. Click on the Global profile and ensure the following:
- Virtual IPv4 Address: 192.0.2.1
Click on the Add button and configure as described below:
- Parameter-map name: guest_wifi
- Maximum HTTP connections: 200
- Init-State Timeout: 3600
- Type: webauth
Apply to Device
You can click on the object you have created and modify the settings below.
On the General tab:
- Banner Type: None
- Turn-on Consent with Email: Disabled
- Captive Bypass Portal: Disabled
- Disable Success Window: Enabled
- Disable Logout Window: Enabled
- Sleeping Client Status: Enabled
- Sleeping Client Timeout: 720
On the Advanced tab:
- Redirect for log-in: Splash page URI copied from the Cloudi-Fi interface
- Redirect On-Success: https://login.cloudi-fi.net/success.php
- Redirect On-Failure: Splash page URI copied from the Cloudi-Fi interface
- Redirect Append for AP MAC Address: ap_mac
- Redirect Append for Client MAC Address: client_mac
- Redirect Append for WLAN SSID: wlan_ssid
- Portal IPV4 Address: 178.33.251.41
Apply to Device
3) Radius configuration
Go to Configuration -> Security -> AAA. Select Servers / Groups and add:
- Name: Cloudi-Fi-Rad1
- IPv4 / IPv6 Server Address: Primary IP
- Key Type: 0
- Key: Shared Secret
- Confirm Key: Shared Secret
- Auth Port: 1812
- Acct Port: 1813
- Server Timeout: 10
- Retry Count: 3
- Support for CoA: Disabled
Apply to Device
Click Add again and configure:
- Name: Cloudi-Fi-Rad2
- IPv4 / IPv6 Server Address: Secondary IP
- Key Type: 0
- Key: Shared Secret
- Confirm Key: Shared Secret
- Auth Port: 1812
- Acct Port: 1813
- Server Timeout: 10
- Retry Count: 3
- Support for CoA: Disabled
Apply to Device
On the Server Groups sub-tab, add:
- Name: Cloudi-Fi_Radius
- Group Type: RADIUS
- MAC-Delimiter: hyphen
- MAC-Filtering: none
- Assigned Servers: Cloudi-Fi-Rad1, Cloudi-Fi-Rad2
Apply to Device
Click on the AAA Method List tab and add:
- Method List Name: Cloudi-Fi_Auth
- Type: login
- Group Type: Group
- Assigned Server Groups: Cloudi-Fi_Radius
Apply to Device
Click on the Accounting sub-tab and add:
- Method List Name: Cloudi-Fi_Acct
- Type: Identity
- Assigned Server Groups: Cloudi-Fi_Radius
Go to AAA Advanced and click on Advanced Settings. Configure both Accounting and Authentication with:
- Call Station ID: ap-macaddress-ssid
- Call Station ID Case: upper
- MAC-Delimiter: hyphen
- Username Case: lower
- Username Delimiter: none
4) ACL configuration
Go to Configuration -> Security -> ACL and create a new ACL
- ACL Name: Cloudi-Fi_ACL
- Sequence 1
  - Action: permit
  - Source IP: Any
  - Destination IP: 104.26.4.244
  - Protocol: ip
- Sequence 2
  - Action: permit
  - Source IP: Any
  - Destination IP: 104.26.5.244
  - Protocol: ip
- Sequence 3
  - Action: permit
  - Source IP: Any
  - Destination IP: 172.67.70.238
  - Protocol: ip
- Sequence 4
  - Action: permit
  - Source IP: Any
  - Destination IP: 178.33.251.41
  - Protocol: ip
- Sequence 5
  - Action: permit
  - Source IP: Any
  - Destination IP: your DNS servers
  - Protocol: udp eq domain
- Sequence 6
  - Action: permit
  - Source IP: Any
  - Destination IP: 54.37.221.71
  - Protocol: udp (1812-1813)
- Sequence 7
  - Action: permit
  - Source IP: Any
  - Destination IP: 87.98.173.68
  - Protocol: udp (1812-1813)
- Sequence 9
  - Action: deny
  - Source IP: Any
  - Destination IP: any
  - Protocol: ip
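To check what a client can reach before authenticating, the ACL above can be modelled and evaluated with first-match semantics. This is an added example, not Cloudi-Fi or Cisco code; `DNS_SERVER` is a constructed placeholder for "your DNS servers", and the source is omitted because every entry uses Any.

```python
import ipaddress

# Pre-auth ACL as listed in the sequences above. DNS_SERVER is a constructed
# placeholder; every other address is the value shown on the page.
DNS_SERVER = "198.51.100.53"
ANY = "0.0.0.0/0"
ACL = [  # (sequence, action, protocol, destination, UDP port range or None)
    (1, "permit", "ip", "104.26.4.244", None),
    (2, "permit", "ip", "104.26.5.244", None),
    (3, "permit", "ip", "172.67.70.238", None),
    (4, "permit", "ip", "178.33.251.41", None),
    (5, "permit", "udp", DNS_SERVER, (53, 53)),
    (6, "permit", "udp", "54.37.221.71", (1812, 1813)),
    (7, "permit", "udp", "87.98.173.68", (1812, 1813)),
    (9, "deny", "ip", ANY, None),
]

def evaluate(proto, dst, dport=None):
    """Return (action, sequence) of the first ACL entry matching the flow."""
    addr = ipaddress.ip_address(dst)
    for seq, action, acl_proto, acl_dst, ports in ACL:
        # "ip" matches any protocol; otherwise the protocol must be equal.
        if acl_proto != "ip" and acl_proto != proto:
            continue
        if addr not in ipaddress.ip_network(acl_dst):
            continue
        # Port-restricted entries only match flows inside the port range.
        if ports is not None and (dport is None or not ports[0] <= dport <= ports[1]):
            continue
        return action, seq
    return "deny", None  # implicit deny when no entry matches

if __name__ == "__main__":
    # Constructed sample flows: (protocol, destination, destination port)
    flows = [
        ("tcp", "178.33.251.41", 443),  # portal over HTTPS
        ("udp", DNS_SERVER, 53),        # DNS over UDP
        ("tcp", DNS_SERVER, 53),        # DNS over TCP, not covered by sequence 5
        ("udp", "54.37.221.71", 1812),  # RADIUS authentication
        ("tcp", "203.0.113.10", 443),   # arbitrary Internet host
    ]
    for proto, dst, port in flows:
        print(f"{proto:3} {dst:15} {port:5} -> {evaluate(proto, dst, port)}")
```

Running it shows that DNS over TCP and any destination outside the listed hosts fall through to the final deny in sequence 9.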
5) WLAN configuration
Go to Configuration -> Tags & Profiles -> WLANs and add or edit an existing WLAN:
On the General tab:
- Profile Name: Cloudi-Fi_Guest
- SSID: YOUR_SSID_NAME
- Status: Enabled
- Radio Policy: All
- Broadcast SSID: Enabled
On the Security Layer 2 tab:
- Layer 2 Security Mode: None
- MAC Filtering: Disabled
On the Security Layer 3 tab, click on Show Advanced Settings:
- Web Policy - Enabled
- Web Auth Parameter Map - guest_wifi
- Authentication List - Cloudi-Fi_Radius
- On Mac Filter Failure - Disabled
- Splash Web Redirect - Disabled
- IPv4 ACL - Cloudi-Fi_ACL
Apply to Device
6) Walled Garden and Radius Accounting
Go to Configuration -> Security -> URL Filters and add:
- List Name: WalledGarden
- Type: PRE_AUTH
- Action: PERMIT
- URLs:
  - 178.33.251.41
  - login.cloudi-fi.net
  - login-cn.cloudi-fi.net
  - *.cloudi-fi.net
Apply to Device
Go to Configuration -> Tags & Profiles -> Policy and add:
On the General tab:
- Name: guest_policy
- Status: Enabled
On the Access Policies tab:
- URL Filters: WalledGarden
On the Advanced tab:
- Session Timeout: 43200
- Idle Timeout: 3600
- Allow AAA Override: Enabled
- Accounting List: Cloudi-Fi_Acct
Apply to Device
7) Tags & Profiles
Go to Configuration -> Tags & Profiles -> Tags and add:
- Name: guest_tag
- WLAN Profile: Cloudi-Fi_Guest
- Policy Profile: guest_policy
Apply to Device
Finally, go to Administration -> Management -> HTTP/HTTPS/Netconf and ensure the following:
- HTTP Access: Enabled
- HTTPS Access: Enabled
Make sure to save the configuration so that your changes persist across reboots.
For more information on the Cisco technology partnership, how-to video, and solution brief, please visit our partner page here.