Step-by-step instructions to set up a Radius-based captive portal with Cisco Catalyst 5520 Series Wireless Controllers and Cloudi-Fi for user authentication.
Use Case
The following sections provide step-by-step instructions to enable the Cloudi-Fi cloud-based WiFi captive portal service with your existing Cisco Catalyst 5520 Series Wireless Controllers. This article covers Local mode (tunnel) rather than FlexConnect mode.
If you are using FlexConnect mode, you will have to:
- In Step 4: Create Access-lists (ACLs), replace “Access-lists (ACLs)” with “FlexConnect ACLs”
- In Step 6: WLAN creation, for Security > Layer 3, set:
  - IPv4: None
  - IPv6: None
  - WebAuth Flex ACL: the pre-auth FlexConnect ACL configured
Prerequisites
Before starting, ensure that you have the following prerequisites:
- Access to Cloudi-Fi's admin console
- Cloudi-Fi radius IPs and Secret
- Access to your Cisco Catalyst 9800 Series Wireless Controllers
- Knowledge of your network’s IP addressing scheme.
- Access to your firewall to allow the following flows:

Source | Destination | Port | Protocol | Action | Comment
--- | --- | --- | --- | --- | ---
Cisco WLC | Cloudi-Fi radius servers (see Step 2) | 1812-1813 | UDP | Allow | RADIUS traffic
Guest subnet | Any | 80 | TCP | Allow | HTTP traffic
Guest subnet | Any | 443 | TCP | Allow | HTTPS traffic
Guest subnet | Any | 53 | UDP/TCP | Allow | DNS resolution
* | * | * | * | Deny | To be adjusted according to your needs
1. Get Cloudi-Fi required URL
To create a new location in the Cloudi-fi Admin interface if it doesn't already exist, follow these instructions:
Go to the "Location" section in the Cloudi-fi Admin interface.
Create New Location and enter the required details for the new location:
- Location Name
- Type (Redirect URL)
- Portal template
- Country
Location URL: this URL will be used to configure an External Captive Portal
- Access the Cloudi-Fi administration console
- Select the location
- Click on the menu button for the location
- Select "Copy Splash page URL"
Transform the URL as follows, replacing the last path segment (sp/...) with sp/spcisco.com:
- Cloudi-Fi: https://login.cloudi-fi.net/start/ch/ebd2egzrfgrgq2/lh/qgrzqrgegs/sp/spsomething.com
- Cisco WLC: https://login.cloudi-fi.net/start/ch/ebd2egzrfgrgq2/lh/qgrzqrgegs/sp/spcisco.com
2. Get Radius information
You will need the following radius information (server IPs, Secret, ports) for the setup:
- IP addresses of the radius servers
- Ports: UDP 1812 (Authentication) & 1813 (Accounting)
- The Secret (provided by Cloudi-Fi Support)
You can get the Secret by asking in the Chatbot; Cloudi-Fi’s Support team will provide you with the necessary information. For example, ask:
"What shared secret is used for the radius server?" (Please store this confidential information securely, and do not share it publicly.)
3. Configure the Cloudi-Fi Radius server
Go to WLC UI > Security > AAA > Radius > Authentication and select “Auth Called Station ID Type: AP MAC Address:SSID”
Then click on « New » to add the Cloudi-Fi radius server:
- Server Address: 87.98.173.68
- Shared secret (see Step 2: Get radius information)
- Port number: 1812
- Uncheck « Management » to avoid login issues on the Cisco WLC GUI.
Click on Apply
You can add additional Radius servers (see RADIUS & SYSLOG servers).
4. Create access-lists (ACLs)
Create two ACLs:
- A Pre-Auth ACL allowing the user to reach the Cloudi-Fi portal (and, if enabled in your captive portal, the Social network connectors)
- An Auth ACL for authenticated users
4.1. Create pre-auth (ACL)
This ACL allows the user to reach Cloudi-Fi (captive portal, radius servers) and the DNS servers. With Cisco WLC (firmware above 8.2.100), when NOT using FlexConnect, it is possible to use DNS-based ACLs: first create your ACL, then click on Add-Remove URL to set your domains. The URLs will be provided by Cloudi-Fi support.
If you cannot use URL ACLs, you must create a standard ACL and allow IP ranges. Below is the minimum ACL for Cloudi-Fi. If you have Social Network connectors on your captive portal, Cloudi-Fi Support will provide you with additional IP ranges.
*Note: in rules 1 and 2, replace DNS_SERVER_IP and NET_MASK with your DNS server's IP address and mask. Protocol 17 is UDP; the protocol must be set explicitly for the port ranges of rules 1, 2 and 13-15 to apply, and the final "config acl apply" pushes the ACL to the data path.
config acl create cloudifi_pre-auth
config acl rule add cloudifi_pre-auth 1
config acl rule action cloudifi_pre-auth 1 permit
config acl rule protocol cloudifi_pre-auth 1 17
config acl rule destination address cloudifi_pre-auth 1 DNS_SERVER_IP NET_MASK
config acl rule destination port range cloudifi_pre-auth 1 53 53
config acl rule add cloudifi_pre-auth 2
config acl rule action cloudifi_pre-auth 2 permit
config acl rule protocol cloudifi_pre-auth 2 17
config acl rule source address cloudifi_pre-auth 2 DNS_SERVER_IP NET_MASK
config acl rule source port range cloudifi_pre-auth 2 53 53
config acl rule add cloudifi_pre-auth 3
config acl rule destination address cloudifi_pre-auth 3 178.33.251.41 255.255.255.255
config acl rule action cloudifi_pre-auth 3 permit
config acl rule add cloudifi_pre-auth 4
config acl rule source address cloudifi_pre-auth 4 178.33.251.41 255.255.255.255
config acl rule action cloudifi_pre-auth 4 permit
config acl rule add cloudifi_pre-auth 5
config acl rule destination address cloudifi_pre-auth 5 104.26.5.244 255.255.255.255
config acl rule action cloudifi_pre-auth 5 permit
config acl rule add cloudifi_pre-auth 6
config acl rule source address cloudifi_pre-auth 6 104.26.5.244 255.255.255.255
config acl rule action cloudifi_pre-auth 6 permit
config acl rule add cloudifi_pre-auth 7
config acl rule destination address cloudifi_pre-auth 7 172.67.70.238 255.255.255.255
config acl rule action cloudifi_pre-auth 7 permit
config acl rule add cloudifi_pre-auth 8
config acl rule source address cloudifi_pre-auth 8 172.67.70.238 255.255.255.255
config acl rule action cloudifi_pre-auth 8 permit
config acl rule add cloudifi_pre-auth 9
config acl rule destination address cloudifi_pre-auth 9 104.26.4.244 255.255.255.255
config acl rule action cloudifi_pre-auth 9 permit
config acl rule add cloudifi_pre-auth 10
config acl rule source address cloudifi_pre-auth 10 104.26.4.244 255.255.255.255
config acl rule action cloudifi_pre-auth 10 permit
config acl rule add cloudifi_pre-auth 11
config acl rule destination address cloudifi_pre-auth 11 188.165.39.61 255.255.255.255
config acl rule action cloudifi_pre-auth 11 permit
config acl rule add cloudifi_pre-auth 12
config acl rule source address cloudifi_pre-auth 12 188.165.39.61 255.255.255.255
config acl rule action cloudifi_pre-auth 12 permit
config acl rule add cloudifi_pre-auth 13
config acl rule action cloudifi_pre-auth 13 permit
config acl rule protocol cloudifi_pre-auth 13 17
config acl rule destination address cloudifi_pre-auth 13 87.98.173.68 255.255.255.255
config acl rule destination port range cloudifi_pre-auth 13 1812 1813
config acl rule add cloudifi_pre-auth 14
config acl rule action cloudifi_pre-auth 14 permit
config acl rule protocol cloudifi_pre-auth 14 17
config acl rule destination address cloudifi_pre-auth 14 54.37.221.71 255.255.255.255
config acl rule destination port range cloudifi_pre-auth 14 1812 1813
config acl rule add cloudifi_pre-auth 15
config acl rule action cloudifi_pre-auth 15 permit
config acl rule protocol cloudifi_pre-auth 15 17
config acl rule destination address cloudifi_pre-auth 15 47.57.139.198 255.255.255.255
config acl rule destination port range cloudifi_pre-auth 15 1812 1813
config acl rule add cloudifi_pre-auth 16
config acl rule action cloudifi_pre-auth 16 deny
config acl apply cloudifi_pre-auth
Seq | Action | Source IP/Mask | Dest IP/Mask | Protocol | Src Port | Dest Port | DSCP | Direction | Comment
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
1 | Permit | 0.0.0.0/0.0.0.0 | DNS_SERVER_IP | UDP | Any | DNS | Any | Any | 
2 | Permit | DNS_SERVER_IP | 0.0.0.0/0.0.0.0 | UDP | DNS | Any | Any | Any | 
3 | Permit | 0.0.0.0/0.0.0.0 | 178.33.251.41/255.255.255.255 | Any | Any | Any | Any | Any | 
4 | Permit | 178.33.251.41/255.255.255.255 | 0.0.0.0/0.0.0.0 | Any | Any | Any | Any | Any | 
5 | Permit | 0.0.0.0/0.0.0.0 | 104.26.5.244/255.255.255.255 | Any | Any | Any | Any | Any | 
6 | Permit | 104.26.5.244/255.255.255.255 | 0.0.0.0/0.0.0.0 | Any | Any | Any | Any | Any | 
7 | Permit | 0.0.0.0/0.0.0.0 | 172.67.70.238/255.255.255.255 | Any | Any | Any | Any | Any | 
8 | Permit | 172.67.70.238/255.255.255.255 | 0.0.0.0/0.0.0.0 | Any | Any | Any | Any | Any | 
9 | Permit | 0.0.0.0/0.0.0.0 | 104.26.4.244/255.255.255.255 | Any | Any | Any | Any | Any | 
10 | Permit | 104.26.4.244/255.255.255.255 | 0.0.0.0/0.0.0.0 | Any | Any | Any | Any | Any | 
11 | Permit | 0.0.0.0/0.0.0.0 | 188.165.39.61/255.255.255.255 | Any | Any | Any | Any | Any | 
12 | Permit | 188.165.39.61/255.255.255.255 | 0.0.0.0/0.0.0.0 | Any | Any | Any | Any | Any | 
13 | Permit | 0.0.0.0/0.0.0.0 | 87.98.173.68/255.255.255.255 | UDP | Any | RADIUS | Any | Any | EMEA, AMER
14 | Permit | 0.0.0.0/0.0.0.0 | 54.37.221.71/255.255.255.255 | UDP | Any | RADIUS | Any | Any | EMEA, AMER
15 | Permit | 0.0.0.0/0.0.0.0 | 47.57.139.198/255.255.255.255 | UDP | Any | RADIUS | Any | Any | APAC
16 | Deny | 0.0.0.0/0.0.0.0 | 0.0.0.0/0.0.0.0 | Any | Any | Any | Any | Any | Catch-all, matches the final deny rule of the CLI above
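The pre-auth ACL is the control that keeps unauthenticated guests confined to DNS, the portal and RADIUS, so it is worth checking before it is pushed. The following added Python example (not part of this article or of Cloudi-Fi's tooling) generates the AireOS "config acl" commands for the rule set above from a host list and then evaluates sample flows against it using the WLC's first-match, implicit-deny semantics; the resolver 192.0.2.53 is a constructed placeholder, and the Cloudi-Fi host addresses are those from the ACL above.

```python
import ipaddress

# Constructed inputs: a placeholder resolver (for the page's DNS_SERVER_IP NET_MASK) plus the Cloudi-Fi hosts from the ACL.
DNS_SERVER = ("192.0.2.53", "255.255.255.255")  # placeholder, not a real resolver
PORTAL_HOSTS = ["178.33.251.41", "104.26.5.244", "172.67.70.238", "104.26.4.244", "188.165.39.61"]
RADIUS_HOSTS = ["87.98.173.68", "54.37.221.71", "47.57.139.198"]
UDP = 17  # IP protocol number as taken by 'config acl rule protocol'


def build_preauth_acl(name, dns, portal, radius):
    """Return (cli_lines, rules): AireOS 'config acl' commands plus a rule model for checking."""
    cli, rules = [f"config acl create {name}"], []

    def add(action, src=None, dst=None, proto=None, sport=None, dport=None):
        i = len(rules) + 1  # WLC rule indices start at 1 and are evaluated in order
        cli.append(f"config acl rule add {name} {i}")
        cli.append(f"config acl rule action {name} {i} {action}")
        for kind, addr in (("source address", src), ("destination address", dst)):
            if addr:
                cli.append(f"config acl rule {kind} {name} {i} {addr[0]} {addr[1]}")
        if proto is not None:
            cli.append(f"config acl rule protocol {name} {i} {proto}")
        for kind, rng in (("source port range", sport), ("destination port range", dport)):
            if rng:
                cli.append(f"config acl rule {kind} {name} {i} {rng[0]} {rng[1]}")
        rules.append(dict(action=action, src=src, dst=dst, proto=proto, sport=sport, dport=dport))

    add("permit", dst=dns, proto=UDP, dport=(53, 53))  # client -> resolver
    add("permit", src=dns, proto=UDP, sport=(53, 53))  # resolver -> client
    for ip in portal:  # captive-portal hosts are permitted in both directions
        add("permit", dst=(ip, "255.255.255.255"))
        add("permit", src=(ip, "255.255.255.255"))
    for ip in radius:  # RADIUS authentication/accounting towards Cloudi-Fi only
        add("permit", dst=(ip, "255.255.255.255"), proto=UDP, dport=(1812, 1813))
    add("deny")  # explicit catch-all; the WLC also denies unmatched traffic implicitly
    cli.append(f"config acl apply {name}")  # push the ACL to the data path
    return cli, rules


def _addr_ok(pattern, ip):
    # None stands for 0.0.0.0/0.0.0.0 (any); otherwise match ip against address/mask
    return pattern is None or ipaddress.ip_address(ip) in ipaddress.ip_network(
        f"{pattern[0]}/{pattern[1]}", strict=False)


def evaluate(rules, src, dst, proto, sport, dport):
    """First-match evaluation, as the WLC applies ACLs; unmatched traffic is denied."""
    def port_ok(rng, port):
        return rng is None or rng[0] <= port <= rng[1]
    for r in rules:
        if (_addr_ok(r["src"], src) and _addr_ok(r["dst"], dst) and r["proto"] in (None, proto)
                and port_ok(r["sport"], sport) and port_ok(r["dport"], dport)):
            return r["action"]
    return "deny"
```

Running evaluate() with a guest client's flows (UDP 53 to the resolver, HTTPS to a portal host, UDP 1812 to a RADIUS host) returns "permit", while HTTPS to an arbitrary host or TCP to the RADIUS host falls through to the catch-all and returns "deny".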
4.2. Create auth (ACL)
We recommend a « Permit Any » rule in this ACL, so that authenticated traffic can be handled by the Cloudi-Fi security partner integration (if subscribed). The final "config acl apply" pushes the ACL to the data path.
config acl create cloudifi_authenticated
config acl rule add cloudifi_authenticated 1
config acl rule action cloudifi_authenticated 1 permit
config acl apply cloudifi_authenticated
5. Create interfaces for guest users
You will create an interface with a dedicated VLAN for Guest users.
In the Cisco WLC GUI, go to Controller > Interfaces > New and fill in:
- Name,
- Port numbers
- Network information (VLAN, IP, Mask, Gateway)
- Your primary DHCP
6. WLAN creation
In WLC UI, go to WLANs > Create new
General
- Profile name (e.g. “Cisco-Guest”)
- SSID name (e.g. “Cisco-Guest”)
- Status: Enabled
- Interface: select your Guest interface (e.g. “cloudifi guest”)
- Broadcast SSID: check
- Nas-ID: Cloudi-Fi company Key (available in Cloudi-Fi UI > Settings > Company key)
Click Apply.
Security > Layer 3
- Captive Network Assistant Bypass: Disable
- Authentication: check
- Preauthentication ACL:
- IPv4: set the pre-auth ACL configured in Step 4.1: Create Pre-auth (ACL)
- IPv6: None
- WebAuth Flex ACL: None
- Sleeping client: Enable
- Sleeping Client timeout: set it equal to the Cloudi-Fi portal value (e.g. 720 min, i.e. 12 hours)
- Override Global Config: Enable
- Web Auth type: External
- Redirect URL: redirect URI collected in Step 1: Get Cloudi-Fi required URL
Click Apply.
Security > AAA servers
- RADIUS Server Overwrite interface: check
- Authentication Servers: Enabled and select Cloudi-Fi radius server
- Keep only « RADIUS » in the Authentication priority order for web-auth user
Advanced
- Allow AAA Override: Enabled
- Coverage Hole Detection: Enabled
- Enable Session Timeout: 720 secs
- Client Exclusion: Enabled (180 secs)
- Client user idle timeout: check (720 secs)
- 11ac MU-MIMO: check
- Scan Defer Priority: 4, 5, 6
- Scan Defer time (msecs): 100 secs
- FlexConnect local switching: Enabled
- Learn Client IP Address: Enabled
Troubleshooting
Cloudi-Fi first-level troubleshooting guide: see HERE
Test radius server
Before testing user credentials, make sure that the radius server is already configured and that there are no connectivity issues between the WLC and the radius server.
To check user credentials against the radius server, use the command:
test aaa radius
(see Cisco documentation)
Certificate issues
A certificate error page is displayed on your screen when connected to the Guest SSID. TLS/SSL certificates secure internet connections by encrypting your data, ensuring it is transmitted privately, without modification, loss, or theft. Adding a certificate to your network environment will ensure a safer internet experience for your users.
Please follow this article: Add a certificate on a Cisco Wireless Controller (Cisco WLC)
What's Next?
Congratulations on enabling the captive portal with your Cisco WLC 5520! For more information on the Cisco technology partnership, how-to videos, and solution brief, please visit our partner page here.