Step-by-step instructions to set up a Radius-based captive portal with Cisco Catalyst 9800 Series Wireless Controllers and Cloudi-Fi for user authentication.
Table of contents
Step 1: Get Cloudi-Fi required URL
Step 2: Get Radius information
Step 3: Configure a Web Auth
Step 4: Configure a Radius server
Step 5: Configure ACL
Step 6: Configure WLAN
Step 7: Configure Walled Garden and Radius Accounting
Step 8: Configure Tags & Profiles
Step 9: Allow HTTP/HTTPS
Troubleshooting
What's Next?
Use Case
The following sections will provide step-by-step instructions to enable Cloudi-Fi cloud-based WiFi Captive portal service with your existing Cisco Catalyst 9800 Series Wireless Controllers.
Prerequisites
Before starting, ensure that you have the following prerequisites:
- Access to Cloudi-Fi's admin console
- Cloudi-Fi Radius IPs and Secret
- Access to your Cisco Catalyst 9800 Series Wireless Controllers
- Knowledge of your network’s IP addressing scheme.
- Access to your firewall to allow several ports:

Source | Destination | Port | Protocol | Action | Comment |
--- | --- | --- | --- | --- | --- |
Guest subnet | | 1812-1813 | UDP | Allow | RADIUS traffic |
Guest subnet | Any | 80 | TCP | Allow | HTTP traffic |
Guest subnet | Any | 443 | TCP | Allow | HTTPS traffic |
Guest subnet | Any | 53 | UDP/TCP | Allow | DNS resolution |
* | * | * | * | Deny | To be adjusted according to your needs |
Step 1: Get Cloudi-Fi required URL
Location URL : this URL will be used to configure an External Captive Portal
Go to Cloudi-Fi administration UI > Locations and create your location
- Location_name
- Type: select Redirect_URL
- Portal: select Default
- Country
And Save.
Then, select your location, click on the menu button (...) of the location and select "Copy Splash page URI"
Step 2: Get Radius information
You will need the Radius information (Server IPs, Secret, Ports) to go ahead with the setup.
- IP addresses of the Radius servers
- Ports: UDP 1812 (Authentication) & 1813 (Accounting)
You can get the Secret by asking in the Chatbot; Cloudi-Fi’s Support team will provide you with the necessary information.
- What shared secret is used for the Radius server with WLC 9800? (Please save this confidential information securely, and do not share it publicly)
Step 3: Configure a Web Auth
Go to WLC UI > Security > Web Auth. Click on Global profile and ensure the below:
- Virtual IPv4 Address: 192.0.2.1
Then click on the “Add” button and configure as described below:
- Parameter-map name: guest_wifi
- Maximum HTTP connections: 200
- Init-State Timeout: 3600
- Type: webauth
Apply to device
You can click on the object you have created (“guest_wifi”) and modify the settings below.
- On the General Tab :
- Banner Type: None
- Turn-on Consent with Email: Disabled
- Captive Bypass Portal: Disabled
- Disable Success Window: Enabled
- Disable Logout Window: Enabled
- Sleeping Client Status: Enabled
- Sleeping Client Timeout: 720
- On the Advanced Tab:
- Redirect for log-in: Splash page URI copied from the Cloudi-Fi interface (see Step 1: Get Cloudi-Fi required URL)
- Redirect On-Success: https://login.cloudi-fi.net/success.php
- Redirect On-Failure: Splash page URI copied from the Cloudi-Fi interface
- Redirect Append for AP MAC Address: ap_mac
- Redirect Append for Client MAC Address: client_mac
- Redirect Append for WLAN SSID: wlan_ssid
- Portal IPV4 Address: 178.33.251.41
Apply to Device
Step 4: Configure a Radius server
Go to WLC UI > Configuration > Security > AAA > Servers / Groups > Server and add:
- Name: Cloudi-Fi-Rad1
- IPv4 / IPv6 Server Address: Primary IP
- Key Type: 0
- Key: Shared Secret (see Step 2: Get Radius Information)
- Confirm Key: Shared Secret
- Auth Port: 1812
- Acct Port: 1813
- Server Timeout: 10
- Retry Count: 3
- Support for CoA: Disabled
Apply to Device
You can add additional Radius servers (see RADIUS & SYSLOG servers).
Then go to WLC UI > Configuration > Security > AAA > Servers / Groups > Server Groups and add
- Name: Cloudi-Fi_Radius
- Group Type: RADIUS
- MAC-Delimiter: hyphen
- MAC-Filtering: none
- Assigned Servers: Cloudi-Fi-Rad1, Cloudi-Fi-Rad2
Then go to WLC UI > Configuration > Security > AAA > AAA Method lists > Authentication and add
- Method List Name: Cloudi-Fi_Auth
- Type: login
- Group Type: Group
- Assigned Server Groups: Cloudi-Fi_Radius
Then go to WLC UI > Configuration > Security > AAA > AAA Method lists > Accounting and add
- Method List Name: Cloudi-Fi_Acct
- Type: Identity
- Assigned Server Groups: Cloudi-Fi_Radius
Then go to WLC UI > Configuration > Security > AAA > AAA Advanced > Global Settings and configure both Accounting and Authentication with:
- Call Station ID: ap-macaddress-ssid
- Call Station ID Case: upper
- MAC-Delimiter: hyphen
- Username Case: lower
- Username Delimiter: none
Step 5: Configure ACL
Go to WLC UI > Configuration > Security > ACL and create a new ACL
- ACL Name: Cloudi-Fi_ACL
Sequence | Action | Source IP | Destination IP | Protocol | Destination port |
--- | --- | --- | --- | --- | --- |
1 | permit | Any | 104.26.4.244 | ip | None |
2 | permit | Any | 104.26.5.244 | ip | None |
3 | permit | Any | 172.67.70.238 | ip | None |
4 | permit | Any | 178.33.251.41 | ip | None |
5 | permit | Any | 47.57.139.198 | ip | None |
6 | permit | Any | your DNS servers | udp | eq domain |
7 | permit | Any | 54.37.221.71 | udp | 1812-1813 |
8 | permit | Any | 87.98.173.68 | udp | 1812-1813 |
9 | permit | Any | 47.57.139.198 | udp | 1812-1813 |
10 | deny | Any | Any | ip | None |
If you added more than 2 Radius servers in Step 4, add one permit sequence after sequence 9 for each additional Radius server IP, mirroring sequences 7-9.
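The ACL above is evaluated top-down, first match wins, and everything that reaches sequence 10 is dropped before the client has authenticated. The following added example (not Cisco's or Cloudi-Fi's code) transcribes the table into a small first-match evaluator so you can check, offline, which pre-auth flows the walled garden lets through and whether every Radius server IP you configured in Step 4 actually has a matching permit, which is the check the note after the table asks for. The DNS entry "your DNS servers" is replaced with the constructed placeholder 192.0.2.53, and all sample flows are constructed for the example.

```python
"""First-match evaluator for the Step 5 pre-authentication ACL (added example, not Cisco code).

The entries are transcribed from the ACL table; "your DNS servers" is replaced by the
constructed placeholder 192.0.2.53 and every flow below is constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                       # "permit" or "deny"
    dst: str                          # "any", a host address or a CIDR network
    proto: str                        # "ip" matches every protocol; otherwise "udp" / "tcp"
    ports: Optional[Tuple[int, int]]  # inclusive destination port range, None = any port


@dataclass(frozen=True)
class Flow:
    dst: str
    proto: str
    dport: Optional[int] = None


CLOUDI_FI_ACL: List[Ace] = [
    Ace(1, "permit", "104.26.4.244", "ip", None),
    Ace(2, "permit", "104.26.5.244", "ip", None),
    Ace(3, "permit", "172.67.70.238", "ip", None),
    Ace(4, "permit", "178.33.251.41", "ip", None),
    Ace(5, "permit", "47.57.139.198", "ip", None),
    Ace(6, "permit", "192.0.2.53", "udp", (53, 53)),        # placeholder for "your DNS servers"
    Ace(7, "permit", "54.37.221.71", "udp", (1812, 1813)),
    Ace(8, "permit", "87.98.173.68", "udp", (1812, 1813)),
    Ace(9, "permit", "47.57.139.198", "udp", (1812, 1813)),
    Ace(10, "deny", "any", "ip", None),
]


def matches(ace: Ace, flow: Flow) -> bool:
    """True when the flow satisfies every field of the entry (destination, protocol, port)."""
    if ace.dst != "any" and ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(ace.dst, strict=False):
        return False
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ace.ports is not None and (flow.dport is None or not ace.ports[0] <= flow.dport <= ace.ports[1]):
        return False
    return True


def evaluate(acl: List[Ace], flow: Flow) -> Tuple[str, Optional[int]]:
    """Return (action, sequence) of the first matching entry, in sequence order.
    Traffic that matches nothing hits the implicit deny, reported with sequence None."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if matches(ace, flow):
            return ace.action, ace.seq
    return "deny", None


def unreachable_radius_servers(acl: List[Ace], radius_ips: List[str]) -> List[str]:
    """Radius server IPs that the ACL does not permit for both UDP 1812 and 1813:
    each one needs its own permit sequence, as the note after the ACL table requires."""
    return [ip for ip in radius_ips
            if any(evaluate(acl, Flow(ip, "udp", port))[0] != "permit" for port in (1812, 1813))]


if __name__ == "__main__":
    for flow in (Flow("178.33.251.41", "tcp", 443), Flow("54.37.221.71", "udp", 1812),
                 Flow("198.51.100.10", "tcp", 443)):
        print(flow, "->", evaluate(CLOUDI_FI_ACL, flow))
    # 203.0.113.5 is a constructed "third Radius server" with no ACL entry
    print("no permit for:", unreachable_radius_servers(CLOUDI_FI_ACL, ["54.37.221.71", "203.0.113.5"]))
```

Running the evaluator also makes the ordering visible: a UDP 1812 packet to 47.57.139.198 is matched by sequence 5 (which already permits all IP traffic to that host), so sequence 9 is never reached, while the same packet to an IP that has no entry falls through to the deny at sequence 10.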
Step 6: Configure WLAN
Go to WLC UI > Configuration > Tags & Profiles > WLANs and add or edit an existing WLAN:
- On the General tab:
- Profile Name: e.g. Cloudi-Fi_Guest
- SSID: YOUR_SSID_NAME
- Status: Enabled
- Radio Policy: All
- Broadcast SSID: Enabled
- On Security Layer 2 tab:
- Layer 2 Security Mode: None
- MAC Filtering: Disabled
- On Security Layer 3 tab:
- Web Policy: Enabled
- Web Auth Parameter Map: guest_wifi
- Authentication List: Cloudi-Fi_Radius
- On Mac Filter Failure: Disabled
- Splash Web Redirect: Disabled
- IPv4 ACL: Cloudi-Fi_ACL
Apply to Device
Step 7: Configure Walled Garden and Radius Accounting
Go to WLC UI > Configuration > Security > URL Filters and add:
- List Name: WalledGarden
- Type: PRE_AUTH
- Action: PERMIT
- URLs:
- 178.33.251.41
- login.cloudi-fi.net
- login-cn.cloudi-fi.net
- *.cloudi-fi.net
Apply to device
Then go to WLC UI > Configuration > Tags & Profiles > Policy and add
- On the General tab:
- Name: guest_policy
- Status: Enabled
- On the Access Policies tab:
- URL Filters: WalledGarden
- On the Advanced tab:
- Session Timeout: 43200
- Idle Timeout: 3600
- Allow AAA Override: Enabled
- Accounting List: Cloudi-Fi_Acct
Apply to device
Step 8: Configure Tags & Profiles
Go to WLC UI > Configuration > Tags & Profiles > Tags and add:
- Name: guest_tag
- WLAN Profile: Cloudi-Fi_Guest
- Policy Profile: guest_policy
Apply to Device
Step 9: Allow HTTP/HTTPS
Go to WLC UI > Administration > Management > HTTP/HTTPS/Netconf and ensure the following:
- HTTP Access: Enabled
- HTTPS Access: Enabled
Make sure to Save the Configuration to ensure your changes are persisted on reboot.
Troubleshooting:
Cloudi-Fi first level troubleshooting guide
See HERE
Test Radius server
Before testing user credentials, make sure that the Radius server is already configured and that there are no connectivity issues between the WLC and the Radius server.
To check user credentials against the Radius server, use the command
test aaa radius
(see Cisco documentation)
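The `test aaa radius` command exercises exactly the exchange that the Radius settings from Steps 2 and 4 (server IP, shared secret, UDP 1812/1813, 10 s timeout, call-station-id format) feed into. The following added example is not Cisco's or Cloudi-Fi's code: it builds an RFC 2865 Access-Request by hand, shows how the shared secret is used both to hide the User-Password and to validate the Response Authenticator, and can send the request from any host that the firewall rules allow to reach the Radius servers. The shared secret, WLC address, server address and station IDs are placeholders constructed for the example; the `build_response` helper only exists so the response check can be exercised offline.

```python
"""RFC 2865 Access-Request builder and response check (added example, not Cloudi-Fi or Cisco code).

Assumptions (constructed for the example, not taken from the page):
  - SECRET and the server address in __main__ are placeholders; substitute your own values.
  - Called/Calling-Station-Id follow the Step 4 global settings (hyphen MAC delimiter,
    upper-case call station id in the form AP_MAC:SSID).
"""
import hashlib
import hmac
import os
import socket
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
CALLED_STATION_ID, CALLING_STATION_ID = 30, 31


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (covers the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value may not exceed 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2: pad to 16-byte blocks, then XOR each
    block with MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden, prev = hidden + block, block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the server does); trailing null padding is stripped."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain, prev = plain + bytes(c ^ k for c, k in zip(block, key)), block
    return plain.rstrip(b"\x00")


def build_access_request(identifier: int, secret: bytes, username: str, password: str,
                         nas_ip: str, called_station: str, calling_station: str,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Assemble a complete Access-Request datagram (Code 1). A fresh random Request
    Authenticator is used unless one is supplied (supplying one makes tests repeatable)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(CALLED_STATION_ID, called_station.encode())
             + attribute(CALLING_STATION_ID, calling_station.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def response_is_authentic(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Verify the Response Authenticator (RFC 2865 section 3):
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    A reply that fails this check was not produced with our shared secret and must be ignored."""
    if len(response) < 20:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if length < 20 or length > len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server-side reply construction, included only so the checker above can be exercised offline."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def probe(server_ip: str, packet: bytes, secret: bytes, port: int = 1812, timeout: float = 10.0) -> Optional[int]:
    """Send one Access-Request and return the reply Code (2 = Accept, 3 = Reject), or None when
    no authentic reply arrives within the timeout (10 s, matching the Server Timeout in Step 4)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server_ip, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return reply[0] if response_is_authentic(reply, packet[4:20], secret) else None


if __name__ == "__main__":
    SECRET = b"replace-with-your-shared-secret"                 # placeholder, not a real secret
    req = build_access_request(1, SECRET, "guest@example.com", "guest-password",
                               "192.0.2.10",                       # constructed WLC address
                               "AA-BB-CC-DD-EE-FF:YOUR_SSID_NAME",  # ap-macaddress-ssid, upper, hyphen
                               "11-22-33-44-55-66")                 # client MAC, hyphen delimiter
    print("reply code:", probe("203.0.113.1", req, SECRET))        # 203.0.113.1 is a placeholder server
```

A `None` from `probe` means either that UDP 1812 is blocked between the sender and the server (compare the firewall table in the prerequisites) or that the reply's Response Authenticator did not verify, which is what a wrong shared secret looks like on the wire: the server answers, but the answer is silently discarded.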
Certificate issues
A certificate error page is displayed on your screen when connected to the Guest SSID. TLS/SSL certificates secure internet connections by encrypting your data. They ensure data is transmitted privately, without modification, loss, or theft. Adding a certificate to your network environment will ensure a safer internet experience for your users.
Please follow this article Add a certificate on a Cisco Wireless Controller (Cisco 9800)
What's Next?
Congratulations on enabling the captive portal with your Cisco WLC 9800! For more information on the Cisco technology partnership, how-to video, and solution brief, please visit our partner page here.