Cisco (Catalyst WLC Managed)

NOTE: Please see table below for supported versions before proceeding:


Version Series | Release
IOS-XE 3.6.x | 3.6.3E or above
IOS-XE 3.7.x | 3.7.3E or above
IOS-XE 16.x | Unsupported at present


Open a web browser and log in to your Cisco Catalyst switch wireless interface (http://switch-ip/wireless):

Click on Configuration at the top and select Controller. On the left menu navigate to Management > Protocol Management > HTTP-HTTPS. Configure with the following:

  • HTTP Access: Enabled
  • HTTPS Access: Enabled
Click Apply to Save

Next, click on Configuration at the top and select Security. On the left menu navigate to AAA > RADIUS > Servers. Click New and configure with the following:

  • Server Name: guest1
  • Server IP Address: *insert radius_server_ip here*
  • Shared Secret: *insert radius_secret here*
  • Confirm Shared Secret: as above
  • Auth Port: 1812
  • Acct Port: 1813
  • Server Timeout: 5
  • Retry Count: 5
  • Support for RFC 3576: Enabled
Click Apply to Save.

Click New and configure with the following:

  • Server Name: guest2
  • Server IP Address: *insert radius_server2_ip here*
  • Shared Secret: *insert radius_secret here*
  • Confirm Shared Secret: as above
  • Auth Port: 1812
  • Acct Port: 1813
  • Server Timeout: 5
  • Retry Count: 5
  • Support for RFC 3576: Enabled

Click Apply to Save.


Next, on the left menu navigate to AAA > Server Groups > Radius. Click New and configure with the following:

  • Group Name: guest_radius
  • MAC-delimiter: hyphen
  • MAC-filtering: none
  • Dead-time: 2
  • Group Type: Radius
  • Servers In This Group: click on guest1 and guest2 and move them over to the box on the right.
Click Apply to Save


Next, on the left menu navigate to AAA > Method Lists > Authentication. Click New and configure with the following:

  • Method List Name: guest_auth
  • Type: login
  • Group Type: group
  • Fallback to local: disabled
  • Groups In This Method: click guest and move it to the box on the right.
Click Apply to Save

Next, on the left menu navigate to AAA > Method Lists > Accounting. Click New and configure with the following:

  • Method List Name: guest_acct
  • Type: network
  • Groups In This Method: click guest and move it to the box on the right.

Click Apply to Save


Next, on the left menu navigate to Web Auth > Webauth Parameter Map. Click on global and configure just the two below settings:

  • Virtual IPv4 Address: 1.1.1.1
Click Apply to Save


Next, on the left menu navigate to Web Auth > Webauth Parameter Map. Click New and configure with the following:

  • Parameter-map name: guest
  • Maximum HTTP connection: 200
  • Type: webauth
  • Redirect for login: *insert access_url here*
  • Redirect On-Failure: *insert access_url here*?res=failed
  • Redirect On-Success: *insert redirect_url here*
  • Portal IPv4 address: *insert walled_garden_ip here*
Click Apply to Save

Next, on the left menu navigate to ACL > Access Control Lists. Click Add New and configure with the following:
  • Access List Type: IPv4 Extended
  • Name: guest
Click Apply to Proceed. On the next page, configure with the following:
  • Sequence number: 1
  • Action: permit
  • Source: any
  • Destination: any
  • Protocol: ip
Click Apply to Save

Next, on the left menu navigate to FQDN > Domain Lists. Click Add and configure with the following:
  • Domain List Name: guest
In the Domain Name field, add the following domains one at a time by clicking the Add Domain button:


*insert access_domain here*
openweathermap.org
cloudfront.net
venuewifi.com
stripe.com


If you wish to support social network logins, you also need to add the following domains for each network you plan to support:

Facebook:
facebook.com
fbcdn.net
akamaihd.net
connect.facebook.net

Twitter:
twitter.com
twimg.com

LinkedIn:
linkedin.com
licdn.com

Instagram:
instagram.com

Weibo:
weibo.com
sina.com.cn

VKontakte:
vk.me
vk.com


Press OK to Save


Next, on the left menu navigate to FQDN > Parameter Mapping. Click Add and configure with the following:

  • Domain Name List: guest
  • Access List: guest
  • Global: disabled
  • Parameter map: click on guest and move it over to the box on the right.
Click OK to Save

Next, click on Configuration at the top and then select Wireless. On the left menu navigate to WLAN > WLANs. Click New and configure with the following:
  • WLAN ID: 1 (or any available WLAN ID)
  • SSID: Guest WiFi (or whatever you wish)
  • Profile Name: guest
Click Apply to Save

Next, click on the new WLAN Profile you just created and configure with the following:

On the General tab:
  • Status: Enabled
  • Interface: default (or whatever Interface you need to use)
  • Broadcast SSID: Enabled
On the Security > Layer2 tab:
  • Layer 2 Security: None
On the Security > Layer3 tab:
  • Web Policy: Enabled
  • Webauth Authentication List: guest_auth
  • Webauth Parameter List: guest
  • Preauthentication IPv4 ACL: guest
  • Preauthentication IPv6 ACL: none
On the Security > AAA Server tab:
  • Authentication Method: guest_auth
  • Accounting Method: guest_acct
On the Advanced tab:
  • Allow Override: Enabled
Click Apply to Save

Finally, you need to log in to your Catalyst controller via terminal or SSH. Once logged in, enter enable mode and then config mode, i.e.:

enable
configure terminal


Now, copy and paste the following:


parameter-map type webauth guest
logout-window-disabled
success-window-disabled
redirect append ap-mac tag ap_mac
redirect append wlan-ssid tag wlan_ssid
redirect append client-mac tag client_mac
wireless security dot1x radius accounting call-station-id ap-macaddress-ssid
wireless security dot1x radius accounting mac-delimiter hyphen
end


Be sure to click on Save Configuration at the top right of the page to ensure your changes are persisted on reboot.
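
The `redirect append` lines above make the controller add `ap_mac`, `wlan_ssid` and `client_mac` to the redirect URL. That URL reaches the portal through the guest's browser, so the portal should validate these values before using them. The following server-side check is an added example, not part of the original article or any vendor code; the function names, the accepted MAC formats, the normalized output form and the sample URL are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Tag names taken from the "redirect append ... tag ..." lines on this page.
MAC_TAGS = ("ap_mac", "client_mac")
SSID_TAG = "wlan_ssid"

# Assumption: the MAC may arrive colon-, hyphen- or dot-delimited, or bare.
MAC_FORMS = re.compile(
    r"[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"   # one separator throughout
    r"|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
    r"|[0-9a-f]{12}"
)

def normalize_mac(value):
    """Return the MAC as lowercase aa-bb-cc-dd-ee-ff or raise ValueError."""
    v = value.strip().lower()
    if not MAC_FORMS.fullmatch(v):
        raise ValueError("not a MAC address: %r" % value)
    digits = re.sub(r"[:.\-]", "", v)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_redirect(url):
    """Validate the appended parameters of one redirect request."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    out = {}
    for tag in MAC_TAGS + (SSID_TAG,):
        values = query.get(tag, [])
        if len(values) != 1:          # missing or repeated parameter
            raise ValueError("%s: expected exactly one value" % tag)
        out[tag] = values[0]
    for tag in MAC_TAGS:
        out[tag] = normalize_mac(out[tag])
    ssid = out[SSID_TAG]
    if not 1 <= len(ssid.encode("utf-8")) <= 32:   # SSIDs are at most 32 octets
        raise ValueError("wlan_ssid: bad length")
    if any(ord(c) < 32 or ord(c) == 127 for c in ssid):
        raise ValueError("wlan_ssid: control character")
    return out

# Constructed sample request; host and values are placeholders.
SAMPLE = ("https://portal.example.invalid/login?ap_mac=00:11:22:AA:BB:CC"
          "&wlan_ssid=Guest%20WiFi&client_mac=66-77-88-dd-ee-ff")

if __name__ == "__main__":
    print(parse_redirect(SAMPLE))
```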
