Cisco Catalyst

NOTE: IOS-XE v16.10 or higher is required in order to continue.

Open a web browser and log in to your Cisco Catalyst web interface. At the top right, click the Settings icons and enable the Expert mode.


Click on Configuration > Security > Web Auth on the left. Click in to the global profile and configure with:

Virtual IPv4 Address
192.0.2.1

Click Apply to save. Next, click the Add button. Configure with:

Parameter-map name
guest_wifi
Maximum HTTP connections
200
Init-State Timeout
3600
Type
webauth

Click Apply to Device to save. Next, click in to the profile you just created and configure with:


On the General tab:

Banner Type
None
Turn-on Consent with Email
Disabled
Captive Bypass Portal
Disabled
Disable Success Window
Enabled
Disable Logout Window
Enabled
Sleeping Client Status
Enabled
Sleeping Client Timeout
720

On the Advanced tab:

Redirect for log-in
*insert access_url here*
Redirect On-Success
*insert access_url here*success
Redirect On-Failure
*insert access_url here*
Redirect Append for AP MAC Address
ap_mac
Redirect Append for Client MAC Address
client_mac
Redirect Append for WLAN SSID
wlan_ssid
Portal IPV4 Address
*insert walled_garden_ip here*

Click Apply to save. Next, click on Configuration > Security > AAA on the left. Select the Servers / Groups tab click Add. Configure with:

Name
rad1
IPv4 / IPv6 Server Address
*insert radius_server_ip here*
Key Type
0
Key
*insert radius_secret here*
Confirm Key
as above
Auth Port
1812
Acct Port
1813
Server Timeout
10
Retry Count
3
Support for CoA
Enabled

Click Apply to Device to save. Next, click Add again and configure with:

Name
rad2
IPv4 / IPv6 Server Address
*insert radius_server2_ip here*
Key Type
0
Key
*insert radius_secret here*
Confirm Key
as above
Auth Port
1812
Acct Port
1813
Server Timeout
10
Retry Count
3
Support for CoA
Enabled

Click Apply to Device to save. On the Server Groups sub tab, click Add. Configure with:

Name
guest_radius
Group Type
RADIUS
MAC-Delimiter
hyphen
MAC-Filtering
none
Assigned Servers
rad1, rad2

Click Apply to Device to save. Next, click on the AAA Method List tab. Click Add and configure with:

Method List Name
guest_auth
Type
login
Group Type
group
Assigned Server Groups
guest_radius

Click Apply to Device to save. Next, click the Accounting sub nav menu on the left and click Add. Configure with:

Method List Name
guest_acct
Type
identity
Assigned Server Groups
guest_radius

Click Apply to Device to save. Next, click the AAA Advanced tab and then the Show Advanced Settings >>> option. Configure both Accounting and Authentication with:

Call Station ID
ap-macaddress-ssid
Call Station ID Case
upper
MAC-Delimiter
hyphen
Username Case
lower
Username Delimiter
none

Click Apply to Device to save. Next, click Configuration > Tags & Policies > WLANs on the left. Click Add or edit an existing WLAN and configure with:


On the General tab:

Profile Name
Guest WiFi
SSID
Guest WiFi (or whatever you wish)
Status
Enabled
Radio Policy
All
Broadcast SSID
Enabled

On the Security > Layer 2 tab:

Layer 2 Security Mode
None
MAC Filtering
Disabled

On the Security > Layer 3 tab, click Show Advanced Settings >>> and configure with:

Web Policy
Enabled
Web Auth Parameter Map
guest_wifi
Authentication List
guest_radius
On Mac Filter Failure
Disabled
Splash Web Redirect
Disabled
IPv4 ACL
preauth_v4

Click Apply to Device to save. Next, click Configuration > Security > URL Filters. Click Add and configure with:

List Name
guest_url_filter
Type
PRE_AUTH
Action
PERMIT
URLs

*insert access_domain here*

venuewifi.com

openweathermap.org

cloudfront.net

stripe.com


Note: If you wish to support social network logins, you also need to add the below entries for each network you plan to support.


Facebook:

facebook.com

fbcdn.net

akamaihd.net

connect.facebook.net


Twitter:

twitter.com

twimg.com


LinkedIn:

linkedin.com

licdn.net

licdn.com


Instagram:

instagram.com

Click Apply to save. Next, click Configuration > Tags & Profiles > Policy on the left. Click Add, leaving all settings at default apart from the following:


On the General tab:

Name
guest_policy
Status
Enabled

On the Access Policies tab:

URL Filters
guest_url_filter

On the Advanced tab:

Session Timeout
43200
Idle Timeout
3600
Allow AAA Override
Enabled
Accounting List
guest_acct

Click Apply to Device to save. Next, click Configuration > Tags & Profiles > Tags on the left. Click Addand configure with:

Name
guest_tag
WLAN Profile
Guest WiFi
Policy Profile
guest_policy

Click Apply to Device to save. Finally, click Administration > Management > HTTP/HTTPS/Netconf on the left. Configure with:

HTTP Access
Enabled
HTTPS Access
Enabled

Be sure to click on Save Configuration at the top right of the page to ensure your changes are persisted on reboot.


The configuration is now complete.


Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.