Use Case
The following sections will provide step-by-step instructions to enable Cloudi-Fi cloud-based Wi-Fi captive portal service with your existing Cisco Catalyst 9800 Series Wireless Controllers (WLC 9800).
Prerequisites
Before starting, ensure that you have the following prerequisites:
- Access to Cloudi-Fi's admin console
- Cloudi-Fi Radius IPs and Secret
- Access to your Cisco Catalyst 9800 Series Wireless Controllers
- Knowledge of your network’s IP addressing scheme.
- Access to your firewall to allow several ports:

| Source | Destination | Port | Protocol | Action | Comment |
|---|---|---|---|---|---|
| Cisco WLC | Cloudi-Fi Radius IPs | 1812-1813 | UDP | Allow | RADIUS traffic |
| Guest subnet | Any | 80 | TCP | Allow | HTTP traffic |
| Guest subnet | Any | 443 | TCP | Allow | HTTPS traffic |
| Guest subnet | Any | 53 | UDP/TCP | Allow | DNS resolution |
| * | * | * | * | Deny | To be adjusted according to your needs |
1. Get Cloudi-Fi required URL
Go to the "Location" section in the Cloudi-Fi Admin interface.
Click "Create New Location" and enter the required details for the new location:
- Location Name
- Type (Redirect URL)
- Portal template
- Country
Location URL: this URL will be used to configure an External Captive Portal
- Access the Cloudi-Fi administration console
- Select the location
- Click on the menu button for the location
- Select "Copy Splash page URL"
Transform the copied URL as follows, replacing the final path segment after /sp/ with spcisco.com:
Cloudi-Fi: https://login.cloudi-fi.net/start/ch/ebd2egzrfgrg/lh/qgrzqrgegs/sp/spsomething.com
Cisco WLC 9800: https://login.cloudi-fi.net/start/ch/ebd2egzrfgrg/lh/qgrzqrgegs/sp/spcisco.com
2. Get Radius information
You will need the Radius information (Server IPs, Secret, Ports) to go ahead with the setup.
- IP addresses of the Radius servers
- Ports: UDP 1812 (Authentication) & 1813 (Accounting)
You can get the Secret by asking in the Chatbot; Cloudi-Fi's Support team will provide you with the necessary information. For example, ask:
- What shared secret is used for the Radius server with WLC 9800? (Please store this confidential information securely, and do not share it publicly.)
3. Configure a Web Auth
Go to WLC UI > Configuration > Security > Web Auth. Click on the Global profile and ensure the following:
- Virtual IPv4 Address: 192.0.2.2
Then click the "Add" button and configure as described below.
- Parameter-map name: Cloudi-Fi
- Maximum HTTP connections: 200
- Init-State Timeout: 3600
- Type: webauth
You can then click on the object you have created (Cloudi-Fi) and modify the settings below.
- On the General Tab:
- Banner Type: None
- Turn-on Consent with Email: Disabled
- Captive Bypass Portal: Disabled
- Disable Success Window: Enabled
- Disable Logout Window: Enabled
- Sleeping Client Status: Enabled
- Sleeping Client Timeout: 720
- On the Advanced Tab:
- Redirect for log-in: Splash page URI copied from the Cloudi-Fi interface (see Step 1: Get Cloudi-Fi required URL)
- Redirect On-Success: https://login.cloudi-fi.net/success.php
- Redirect On-Failure: Same as Redirect for log-in
- Redirect Append for AP MAC Address: ap_mac
- Redirect Append for Client MAC Address: client_mac
- Redirect Append for WLAN SSID: wlan_ssid
- Portal IPV4 Address: 104.26.5.244
4. Configure a Radius server
Go to WLC UI > Configuration > Security > AAA > Servers / Groups > Server and add:
- Name: Cloudi-Fi-Rad1
- IPv4 / IPv6 Server Address: Primary IP
- Key Type: Clear text
- Key: Shared Secret (see Step 2: Get Radius Information)
- Confirm Key: Shared Secret
- Auth Port: 1812
- Acct Port: 1813
- Server Timeout: 10
- Retry Count: 3
- Support for CoA: Disabled
You can add additional Radius servers in the same way (see RADIUS & SYSLOG servers).
Then go to WLC UI > Configuration > Security > AAA > Servers / Groups > Server Groups and add:
- Name: Cloudi-Fi-Group
- Group Type: RADIUS
- MAC-Delimiter: hyphen
- MAC-Filtering: none
- Assigned Servers: Cloudi-Fi-Rad1, Cloudi-Fi-Rad2
Then go to WLC UI > Configuration > Security > AAA > AAA Method lists > Authentication and add:
- Method List Name: Cloudi-Fi_Auth
- Type: login
- Group Type: Group
- Assigned Server Groups: Cloudi-Fi-Group
Then go to WLC UI > Configuration > Security > AAA > AAA Method lists > Accounting and add:
- Method List Name: Cloudi-Fi_Acct
- Type: Identity
- Assigned Server Groups: Cloudi-Fi-Group
Then go to WLC UI > Configuration > Security > AAA > AAA Advanced > Global Settings and configure both Accounting and Authentication with:
- Call Station ID: ap-macaddress-ssid
- Call Station ID Case: upper
- MAC-Delimiter: hyphen
- Username Case: lower
- Username Delimiter: none
5. Configure a custom pre-auth ACL (optional)
When the Web Auth is configured, two ACLs are automatically created and used:
- "WA-sec-104.26.5.244": allows any DHCP/DNS servers (can be replaced by your own ACL)
- "WA-v4-int-104.26.5.244": web redirection ACL (replaced by the URL filter configured in Step 7)
If you want to allow only some specific DHCP and/or DNS servers at the controller layer, you can create your own ACL. If you have a dedicated firewall, you can also apply this restriction at the firewall layer instead.
Here is an example, as displayed by show ip access-lists, that allows only Cloudflare DNS (1.1.1.1) and Quad9 (9.9.9.9) plus DHCP, and denies everything else before authentication:
Extended IP access list Cloudi-Fi_ACL
10 permit udp any host 1.1.1.1 eq domain
20 permit udp host 1.1.1.1 eq domain any
30 permit udp any host 9.9.9.9 eq domain
40 permit udp host 9.9.9.9 eq domain any
50 permit udp any any eq bootpc
60 permit udp any any eq bootps
70 deny ip any any
6. Configure WLAN
Go to WLC UI > Configuration > Tags & Profiles > WLANs and add or edit an existing WLAN:
- On the General tab:
- Profile Name: e.g. Cloudi-Fi_Guest
- SSID: YOUR_SSID_NAME
- Status: Enabled
- Radio Policy: All
- Broadcast SSID: Enabled
- On Security Layer 2 tab:
- Layer 2 Security Mode: None
- MAC Filtering: Disabled
- On Security Layer 3 tab:
- Web Policy: Enabled
- Web Auth Parameter Map: guest_wifi (use the name of the parameter map you created in Step 3, i.e. Cloudi-Fi if you followed this guide)
- Authentication List: Cloudi-Fi_Auth
- On Mac Filter Failure: Disabled
- Splash Web Redirect: Disabled
- PreAuthentication ACL - IPV4: Cloudi-Fi_ACL (Only if you created a custom ACL to replace the default ACL "WA-sec-104.26.5.244")
7. Configure Walled Garden and Radius accounting
Go to WLC UI > Configuration > Security > URL Filters and add:
- List Name: WalledGarden
- Type: PRE_AUTH
- Action: PERMIT
- URLs: *.cloudi-fi.net
Then go to WLC UI > Configuration > Tags & Profiles > Policy and add:
- On the General tab:
- Name: guest_policy
- Status: Enabled
- On the Access Policies tab:
- URL Filters: WalledGarden
- On the Advanced tab:
- Session Timeout: 43200
- Idle Timeout: 3600
- Allow AAA Override: Enabled
- Accounting List: Cloudi-Fi_Acct
8. Configure tags and profiles
Go to WLC UI > Configuration > Tags & Profiles > Tags and add:
- Name: guest_tag
- WLAN Profile: Cloudi-Fi_Guest
- Policy Profile: guest_policy
9. Allow HTTP/HTTPS
Go to WLC UI > Administration > Management > HTTP/HTTPS/Netconf and ensure the following:
- HTTP Access: Enabled
- HTTPS Access: Enabled
Make sure to apply and save your new configuration to ensure your changes are persisted on reboot.
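For reference, the same configuration as Steps 3 to 9 expressed as IOS-XE CLI. This is an added example, not Cloudi-Fi's or Cisco's own text: the angle-bracket values (RADIUS server IP, shared secret, the splash-page URL from Step 1) are placeholders you must fill in; the second RADIUS server is defined like the first, and the Step 4 global Call Station ID settings and the optional Step 5 ACL are left to the GUI.

```cisco
! Added example; <...> values are placeholders, not real Cloudi-Fi data
parameter-map type webauth global
 virtual-ip ipv4 192.0.2.2
parameter-map type webauth Cloudi-Fi
 max-http-conns 200
 timeout init-state sec 3600
 success-window-disable
 logout-window-disable
 sleeping-client timeout 720
 redirect for-login <SPLASH_URL>
 redirect on-success https://login.cloudi-fi.net/success.php
 redirect on-failure <SPLASH_URL>
 redirect append ap-mac tag ap_mac
 redirect append client-mac tag client_mac
 redirect append wlan-ssid tag wlan_ssid
 redirect portal ipv4 104.26.5.244
radius server Cloudi-Fi-Rad1
 address ipv4 <RADIUS_IP_1> auth-port 1812 acct-port 1813
 key <SHARED_SECRET>
 timeout 10
 retransmit 3
aaa group server radius Cloudi-Fi-Group
 server name Cloudi-Fi-Rad1
 mac-delimiter hyphen
aaa authentication login Cloudi-Fi_Auth group Cloudi-Fi-Group
aaa accounting identity Cloudi-Fi_Acct start-stop group Cloudi-Fi-Group
urlfilter list WalledGarden
 action permit
 filter-type pre-authentication
 url *.cloudi-fi.net
wlan Cloudi-Fi_Guest 1 YOUR_SSID_NAME
 no security wpa
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no security wpa akm dot1x
 security web-auth
 security web-auth authentication-list Cloudi-Fi_Auth
 security web-auth parameter-map Cloudi-Fi
 no shutdown
wireless profile policy guest_policy
 aaa-override
 accounting-list Cloudi-Fi_Acct
 session-timeout 43200
 idle-timeout 3600
 urlfilter list pre-auth-filter WalledGarden
 no shutdown
wireless tag policy guest_tag
 wlan Cloudi-Fi_Guest policy guest_policy
ip http server
ip http secure-server
```

Apply the policy tag to the APs serving the guest SSID, then write memory so the configuration survives a reboot.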
Troubleshooting
Refer to the Cloudi-Fi first-level troubleshooting guide.
Test Radius server
Before testing user credentials, make sure that the Radius Server is already configured and there are no connectivity issues between the WLC and Radius Server.
To check user credentials against the Radius server, you can use the command test aaa radius (see the Cisco documentation).
Certificate issues
If a certificate error page is displayed when connecting to the Guest SSID: TLS/SSL certificates secure internet connections by encrypting your data. They ensure data is transmitted privately, without modification, loss, or theft. Adding a certificate to your network environment will ensure a safer internet experience for your users.
Please follow the article "Add a certificate on a Cisco WLC 9800".
What's next?
Congratulations on enabling the captive portal with your Cisco WLC 9800! For more information on the Cisco technology partnership, how-to videos, and the solution brief, please visit our partner page.