Cisco (WLC managed)

IMPORTANT: We no longer recommend WLC code below v8.2.100.0. Please ensure you are using v8.2.100.0 or higher (v8.7 or higher if using FlexConnect)
NOTE: If you are using Guest Anchor, please contact support as additional steps will be required


Start by logging into your Cisco WLC web interface.

Step 1 - RADIUS

Click Security at the top and then AAA > Radius Authentication on the left menu. Set the below setting then click Apply:

Auth Called Station ID Type
AP MAC Address:SSID

Click New at the top right and configure with:

Server IP Address
*insert radius_server_ip here*
Shared Secret Format
ASCII
Shared Secret
*insert radius_secret here*
Confirm Shared Secret
as above
Port
1812
Server Status
Enabled
Network User
No
Management
No

Click Apply to save. Click New again and configure with:

Server IP Address
*insert radius_server2_ip here*
Shared Secret Format
ASCII
Shared Secret
*insert radius_secret here*
Confirm Shared Secret
as above
Port
1812
Server Status
Enabled
Network User
No
Management
No

Click Apply to save. Click Radius Accounting on the left menu. Set the below setting then click Apply:

Acct Called Station ID Type
AP MAC Address:SSID

Click >New at the top right and configure with:

Server IP Address
*insert radius_server_ip here*
Shared Secret Format
ASCII
Shared Secret
*insert radius_secret here*
Confirm Shared Secret
as above
Port
1813
Server Status
Enabled
Network User
No
Management
No

Click Apply to save. Click New again and configure with:

Server IP Address
*insert radius_server2_ip here*
Shared Secret Format
ASCII
Shared Secret
*insert radius_secret here*
Confirm Shared Secret
as above
Port
1813
Server Status
Enabled
Network User
No
Management
No

Click Apply to save.

Step 2 - ACLs

Click Access Control Lists (or FlexConnect ACLs if you use FlexConnect) on the left and then New at the top right. Configure with:

Access Control List Name
Guest WiFi
ACL Type
IPv4

Click Apply to save.



If you are using local AP's (not FlexConnect mode):


To the right of the ACL you just created, hover the blue arrow and click Add-Remove URL. In the URL String Name box add the following domains one at a time:

*insert access_domain here*

cloudfront.net

venuewifi.com

openweathermap.org

stripe.com

Note: If you wish to support social network logins, you also need to add the URL entries below for each network you plan to support:

Facebook:

facebook.com

fbcdn.net

akamaihd.net

connect.facebook.net


Twitter:

twitter.com

twimg.com


LinkedIn:

linkedin.com

licdn.net

licdn.com


Instagram:

instagram.com


OR if you are using FlexConnect mode:


Click in to the ACL you just created, then click Add Rule > URL rule at the top right. In the URL box add the following domains one at a time, ensuring you set the Action to Permit each time:

*insert access_domain here*

cloudfront.net

venuewifi.com

openweathermap.org

stripe.com

Note: If you wish to support social network logins, you also need to add the URL entries below for each network you plan to support:

Facebook:

facebook.com

fbcdn.net

akamaihd.net

connect.facebook.net


Twitter:

twitter.com

twimg.com


LinkedIn:

linkedin.com

licdn.net

licdn.com


Instagram:

instagram.com


Click Web Auth > Web Login Page on the left and configure with:

Redirect URL after login
leave blank

Click Apply to save.

Step 3 - WLAN

Click WLANs at the top and then WLANs on the left. Click Create New > Go at the top right (or edit and existing WLAN if you have one already). If creating a new WLAN, configure with:

Type
WLAN
Profile Name
Guest Wi-Fi
SSID
Guest Wi-Fi (or whatever you wish)

Click Apply to save. Next, click the SSID profile to edit the settings.


On the General tab:

Status
Enabled
Broadcast SSID
Enabled
SSID
Guest Wi-Fi (or whatever you wish)

On the Security > Layer 2 tab:

Layer 2 Security
None

On the Security > Layer 3 tab:

Layer 3 Security
Web Policy
Authentication
Enabled
Pre-authentication ACL (if Local)
Guest Wi-Fi
WebAuth FlexACL (if FlexConnect)
Guest Wi-Fi
Override Global Config
Enable
Web Auth type
External (Re-direct to external server)
Redirect URL
*insert access_url here*

On the Security > AAA Servers tab:

Authentication Servers
Enabled
Server 1
IP: *insert radius_server_ip here*, Port: 1812
Server 2
IP: *insert radius_server2_ip here*, Port: 1812
Accounting Servers
Enabled
Server 1
IP: *insert radius_server_ip here*, Port: 1813
Server 2
IP: *insert radius_server2_ip here*, Port: 1813
Interim Update
Enabled - Interim Interval: 600
Authentication priority order for web-auth user (Not Used)
LOCAL, LDAP
Authentication priority order for web-auth user (Order Used For Authentication)
RADIUS

On the Advanced tab:

Allow AAA Overide
Enabled
Enable Session Timeout
Enabled
Session Timeout (secs)
43200

Click Apply to save. Next, click Management at the top then HTTP-HTTPS on the left. Configure with:

WebAuth SecureWeb
Disabled
HTTPS Redirection
Disabled
Note: It is important that the virtual IP address is changed from the default 1.1.1.1 to avoid issues.

Click Controller at the top then Interfaces on the left. Configure with:

IP Address
192.0.2.1

Click Apply to save.


Finally, be sure to click Save Configuration at the top right.

IMPORTANT: You will need to reboot your controller for all the features to work.
Note: When adding the AP MAC address(es) into the portal remember to use the Base Radio MAC.


The configuration is now complete.


Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.