Cisco (WLC managed)

NOTE: We highly recommend you use WLC code version 8.2.100.0 or above as this includes many stability and feature improvements.


IMPORTANT: If you are using a guest anchor, please contact support for further instructions as additional/different steps need to be taken.


Open a web browser and log in to your Cisco WLC interface (Advanced view)

 

Click on "Security" on the top menu and then "AAA > RADIUS > Authentication" on the left menu. Set the correct settings then click Apply:

 

Click the "New" button at the top right and configure with the below settings:

  • Server IP Address: *insert radius_server_ip here*
  • Shared Secret Format: ASCII
  • Shared Secret: *insert radius_secret here*
  • Confirm Shared Secret: *insert radius_secret here*
  • Port: enter 1812
  • Server Status: Enabled
  • Network User: Unticked (Disabled)
  • Management: Unticked (Disabled)

Press Apply to Save

 

Click the "New" button again at the top right and configure with the below settings:

 

  • Server IP Address: *insert radius_server2_ip here*
  • Shared Secret Format: ASCII
  • Shared Secret: *insert radius_secret here*
  • Confirm Shared Secret: *insert radius_secret here*
  • Port: enter 1812
  • Server Status: Enabled
  • Network User: Unticked (Disabled)
  • Management: Unticked (Disabled)


Press Apply to Save


Click on "Accounting" on the left. Set the correct settings then click Apply:
  • Acct Called Station ID Type: select AP MAC Address from the drop down menu
  • MAC Delimiter: select Hyphen

Click "New" at the top right and configure with the below settings:
  • Server IP Address: *insert radius_server_ip here*
  • Shared Secret Format: ASCII
  • Shared Secret: *insert radius_secret here*
  • Confirm Shared Secret: *insert radius_secret here*
  • Port: enter 1813
  • Server Status: Enabled
  • Network User: Disabled

Press Apply to Save


Click the "New" button again at the top right and configure with the below settings:

 

  • Server IP Address: *insert radius_server2_ip here*
  • Shared Secret Format: ASCII
  • Shared Secret: *insert radius_secret here*
  • Confirm Shared Secret: *insert radius_secret here*
  • Port: enter 1813
  • Server Status: Enabled
  • Network User: Disabled

Press Apply to Save


Click "Access Control Lists" (or FlexConnect ACLs if you use FlexConnect) on the left menu and then "New", and configure with the settings:

  • Access Control List Name: Guest Wi-Fi
  • ACL Type: IPv4

    Press Apply to Save

IMPORTANT: If you are using WLC code version 8.2.100.0 or above (non FlexConnect mode), or WLC code version 8.7 (FlexConnect mode):

To the right of the ACL you just created, hover over the blue arrow and click Add-Remove URL. In the "URL String Name" box add the following domains one at a time:

*insert access_domain here*

venuewifi.com

openweathermap.org

cloudfront.net
stripe.com


If you wish to support social network logins, you also need to add the domains below for each network you plan to support:

Facebook
  • facebook.com
  • fbcdn.net
  • akamaihd.net
  • connect.facebook.net

Twitter
  • twitter.com
  • twimg.com

LinkedIn
  • linkedin.com
  • licdn.net
  • licdn.com

Instagram
  • instagram.com

 

OR if you are using a WLC code version below v8.2.100.0 or FlexConnect mode with code version 8.6 or below:

Click on the ACL you just created (blue link). Click on "Add New Rule" and enter the following:
  • Sequence: 1
  • Source: IP Address
  • IP Address: *insert walled_garden_ip here*
  • Netmask: 255.255.255.255
  • Action: Permit

    Press Apply to Save

 

Click "Add New Rule" and enter the following:
  • Sequence: 2
  • Destination: IP Address
  • IP Address: *insert walled_garden_ip here*
  • Netmask: 255.255.255.255
  • Action: Permit

    Press Apply to Save

 

Click "Add New Rule" and enter the following:

  • Sequence: 3
  • Source: IP Address
  • IP Address: *insert walled_garden2_ip here*
  • Netmask: 255.255.255.255
  • Action: Permit

    Press Apply to Save


Click "Add New Rule" and enter the following:

  • Sequence: 4
  • Destination: IP Address
  • IP Address: *insert walled_garden2_ip here*
  • Netmask: 255.255.255.255
  • Action: Permit

    Press Apply to Save

Click "Web Auth" on the left-hand menu and enter the following:

  • Web Authentication Type: External
  • Redirect URL after login: *insert redirect_url here*
  • External Webauth URL: *insert access_url here*

    Press Apply to Save

 

Click on "WLANs" at the top and then "WLANs" on the left-hand menu, then select "Create New" and click "Go" on the right to create a new profile.

 

Enter the following:

  • Type: WLAN
  • Profile Name: Guest Wi-Fi
  • SSID: Enter whatever wireless network name (SSID) you want

    Press Apply to Save

 

Now click on the new SSID profile you just created to edit the settings, and on the General Tab:


Enter the following details:

  • Status: Enabled
  • Broadcast SSID: Enabled

On the Security tab, then the Layer 2 tab:


Enter the following details:

  • Layer 2 Security: None

 
On the Layer 3 tab:

  • Layer 3 Security: Web Policy
  • Authentication: Ticked (Enabled)
  • Pre-authentication ACL (IPv4): Guest Wi-Fi


IMPORTANT: Again, if you are using your APs in FlexConnect mode then you will need to use the drop-down box next to "WebAuth FlexACL" for the right policy to be applied correctly.


On the AAA Servers tab:

  • Authentication Servers: Enabled
  • Server 1: IP: *insert radius_server_ip here*, Port: 1812
  • Server 2: IP: *insert radius_server2_ip here*, Port: 1812
  • Accounting Servers: Enabled

  • Server 1: IP: *insert radius_server_ip here*, Port: 1813
  • Server 2: IP: *insert radius_server2_ip here*, Port: 1813
  • Interim Update: Ticked, Interval: 600
  • Authentication priority order for web-auth user (Not Used): LOCAL, LDAP
  • Authentication priority order for web-auth user (Order Used For Authentication): RADIUS


On the Advanced tab:


  • Allow AAA Override: Enabled
  • Enable Session Timeout: Ticked
  • Session Timeout (secs): 43200


Press Apply to Save


Select the Management Tab and then HTTP-HTTPS option from the left hand menu. Set the following:

  • WebAuth SecureWeb: Disabled
  • HTTPS Redirection: Disabled


Select the Controller Tab and change the option Fast SSID change to Enabled


Press Apply to Save

Finally, click Save Configuration at the top right to ensure all settings are saved. Once this is complete you will need to reboot your controller for all the features to work.


Troubleshooting


When setting up a Cisco WLC with the WiFi solution, it's important to allow traffic to and from our RADIUS servers *insert radius_server_ip here* and *insert radius_server2_ip here* inbound and outbound using UDP.
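
To tell a blocked UDP path from a shared-secret mismatch, the check below sends one RADIUS Access-Request to the authentication port and validates the reply's Response Authenticator. It is an added example, not part of the vendor's instructions; the function names, the probe user name and the status strings are assumptions, and only the authentication port (1812) is covered.

```python
import hashlib, hmac, os, socket, struct

def _attr(kind: int, value: bytes) -> bytes:
    return bytes([kind, len(value) + 2]) + value

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def build_access_request(ident, secret, user, password, req_auth=None):
    """Return (packet, request_authenticator) for an Access-Request (code 1)."""
    req_auth = os.urandom(16) if req_auth is None else req_auth
    attrs = (_attr(1, user) + _attr(2, hide_password(password, secret, req_auth))
             + _attr(80, b"\x00" * 16))  # 80 = Message-Authenticator, zeroed for the HMAC
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac, req_auth

def reply_is_authentic(reply, req_auth, secret, ident) -> bool:
    """Check ID and Response Authenticator = MD5(code+id+len+req_auth+attrs+secret)."""
    if len(reply) < 20:
        return False
    _code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or not 20 <= length <= len(reply):
        return False
    reply = reply[:length]  # octets past the Length field are padding
    want = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(want, reply[4:20])

def probe(server: str, secret: bytes, port: int = 1812, timeout: float = 3.0) -> str:
    ident = os.urandom(1)[0]
    # The user name and password are placeholders; an Access-Reject is an expected reply.
    packet, req_auth = build_access_request(ident, secret, b"path-check", b"not-a-real-user")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply: UDP blocked, source IP unknown to server, or request discarded"
    if reply_is_authentic(reply, req_auth, secret, ident):
        return "reply authenticated: UDP path and shared secret are good"
    return "reply failed authentication: shared secret mismatch or spoofed reply"
```

Call `probe()` with the RADIUS server IP and the shared secret (as bytes) from a host the RADIUS server accepts as a client. A rejected login still counts as a pass, since any authenticated reply proves both the UDP path and the secret.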


When inputting the AP MAC address(es) into the portal remember that it is the Base Radio MAC address that we need and not the AP MAC address.




