Skip to main content

Search

How can we help ?

Cisco WLC integration with Cloudi-Fi

Alexandre de THOMASSON
  • Updated

Learn how to integrate Cisco WLC with Cloudi-Fi cloud-based captive portal solution, configure the radius server and create access lists.  

                                                            

 

Technical notes

  • This feature has been tested and validated on a Cisco WLC 3504 with software versions 8.5.131.0 and 8.5.140.0.

  • The customer shall provide DNS and DHCP service.

  • VLANs used for Guests shall be routed on the customer network.

0. Get Cloudi-Fi required URL

Go to your Cloudi-Fi administration interface and get the URL for external authentication.

Go to Locations Menu

Click on the menu button of the location and select "Copy Splash page URI"

  • Copy the URI

  • Transform the URI as shown in the following screenshot

Cloudi-fi

https://login.cloudi-fi.net/start/ch/ebd2egzrfgrgq25326b2e/lh/qgrzqrgegs/sp/spsomething.com

Cisco WLC

https://login.cloudi-fi.net/start/ch/ebd2egzrfgrgq25326b2e/lh/qgrzqrgegs/sp/spcisco.com

 

1. Configure the Cloudi-Fi Radius server

On Cisco WLC GUI, go to Security AAA Radius Authentication

Auth Called Station ID Type: AP MAC Address:SSID

 

Then click on « New » to add the Cloudi-Fi Radius server:

  • Server Address: 87.98.173.68

  • A shared secret will be provided to the IT contact.

  • Port number: 1812

  • Uncheck « Management » to avoid issues login on the Cisco WLC GUI.

Click on Apply

Nota : Make sure to allow this flow on your firewalls

2. Create Access-lists (ACLs)

2.1 Creation of 2 ACLs

  • A Pre-Auth ACL to allow the user to access to Cloudi-Fi portal (and eventually Social networks connectors if enabled in your captive portal)

  • An Auth ACL for authenticated users

2.1 Auth ACL

We recommend creating a « Permit Any » in this ACL to leverage Cloudi-Fi security partner (if subscribed)

2.2 Pre-auth ACL

This ACL will allow the user to access to the Cloudi-Fi portal, the Zscaler Cloud and the DNS servers.

With Cisco WLC (firmware above 8.2.100) when NOT using FlexConnect, it is possible to use DNS-based ACLs. First, create your ACL and then click on Add-Remove URL to set your domains.

URLs will be provided by Cloudi-Fi support.

If you cannot use URL ACL, you must create a standard ACL and allow IP ranges.

Below are the minimum ACL for Cloudi-Fi. If you have Social Network connectors on your captive portal, Cloudi-Fi Support will provide you with more IP ranges.

 

*Note: in ACL 1 and 2, replace DNS_SERVER_IP by your DNS server IP.

 
config acl create cloudifi_pre-auth

config acl rule add cloudifi_pre-auth 1
config acl rule action cloudifi_pre-auth 1 permit

config acl rule destination address cloudifi_pre-auth DNS_SERVER_IP NET_MASK
config acl rule destination port range cloudifi_pre-auth 1 53 53

config acl rule add cloudifi_pre-auth 2
config acl rule action cloudifi_pre-auth 2 permit

config acl rule source address cloudifi_pre-auth 2 DNS_SERVER_IP NET_MASK
config acl rule source port range cloudifi_pre-auth 2 53 53

config acl rule add cloudifi_pre-auth 3
config acl rule destination address cloudifi_pre-auth 3 178.33.251.41 255.255.255.255
config acl rule action cloudifi_pre-auth 3 permit

config acl rule add cloudifi_pre-auth 4
config acl rule source address cloudifi_pre-auth 4 178.33.251.41 255.255.255.255
config acl rule action cloudifi_pre-auth 4 permit

config acl rule add cloudifi_pre-auth 5
config acl rule destination address cloudifi_pre-auth 3 104.26.5.244 255.255.255.255
config acl rule action cloudifi_pre-auth 5 permit

config acl rule add cloudifi_pre-auth 6
config acl rule source address cloudifi_pre-auth 4 104.26.5.244 255.255.255.255
config acl rule action cloudifi_pre-auth 6 permit

config acl rule add cloudifi_pre-auth 7
config acl rule destination address cloudifi_pre-auth 3 172.67.70.238 255.255.255.255
config acl rule action cloudifi_pre-auth 7 permit

config acl rule add cloudifi_pre-auth 8
config acl rule source address cloudifi_pre-auth 4 172.67.70.238 255.255.255.255
config acl rule action cloudifi_pre-auth 8 permit

config acl rule add cloudifi_pre-auth 8
config acl rule destination address cloudifi_pre-auth 3 104.26.4.244 255.255.255.255
config acl rule action cloudifi_pre-auth 8 permit

config acl rule add cloudifi_pre-auth 9
config acl rule source address cloudifi_pre-auth 4 104.26.4.244 255.255.255.255
config acl rule action cloudifi_pre-auth 9 permit

config acl rule add cloudifi_pre-auth 10
config acl rule destination address cloudifi_pre-auth 5 188.165.39.61 255.255.255.255
config acl rule action cloudifi_pre-auth 10 permit

config acl rule add cloudifi_pre-auth 10
config acl rule source address cloudifi_pre-auth 5 188.165.39.61 255.255.255.255
config acl rule action cloudifi_pre-auth 10 permit

config acl rule add cloudifi_pre-auth 11
config acl rule action cloudifi_pre-auth 11 deny
 
 

3. Create Interfaces for Guest Users

We will create an interface with a dedicated VLAN for Guest users.

In Cisco WLC GUI, go to Controller Interfaces New

 

Guest interface

Fill the name, port numbers, network information (VLAN, IP, Mask, Gateway) and your primary DHCP.

4. WLAN creation

We will now create the Guest/Employee WLAN.
In Cisco WLC Controller, go to WLANs WLANs Create new

 

4.1 General

In the General tab, fill the profile and SSID name, select your Guest interface and check Broadcast SSID.

Fill your Cloudi-Fi company Key as NAS-ID. Cloudi-Fi company key is available in the Cloudi-Fi admin interface Settings Company Key

Click Apply.

4.2 Security L3

In the Security tab Layer3

  • Set the Layer 3 Security to Web Policy

  • Set the Captive Network Assistant Bypass to Disable

  • Check « Authentication »

  • For the Preauthentication ACL , apply your IPv4

ACL ONLY if you are in « Local mode », or your Flex-

  • Check the Sleeping client Enable and configure the timer to be equal to the Cloudi-Fi portal

  • Check Override Global Config Enable

  • Set Web Auth Type to External (Re-direct to external server)

  • Fill the Redirect URL with URL with your dedicated Cloudi-Fi URL (see step 0 "Get Cloudi-Fi required URL").

  • Click Apply

4.3 Security AAA Servers

In the Security tab AAA Servers

  • Check « RADIUS Server Overwrite interface »

  • Enable « Authentication Servers » and select Cloudi-Fi Radius server

  • Keep only « RADIUS » in the Authentication priority order for web-auth user

4.4 Advanced

In the Advanced tab :

  • Check « Allow AAA Override »

Then provide this export to Cloudi-Fi Support (How to contact your support? ).

 

You can visit our Cisco Partner Page here for more information about our solutions.