Welcome to Purple Support

Cisco Catalyst WLC (IOS-XE)

Note

IOS-XE v16.10 or higher is required in order to continue.

Logging in

Open a web browser and log in to your Cisco Catalyst web interface. At the top right, click the Settings icon and enable Expert mode.

Web Auth

Click Configuration > Security > Web Auth on the left. Click into the global profile and configure with:

Virtual IPv4 Address: 192.0.2.1

Click Apply to save. Next, click the Add button. Configure with:

Parameter-map name: guest_wifi
Maximum HTTP connections: 200
Init-State Timeout: 3600
Type: webauth

Click Apply to Device to save. Next, click into the profile you just created and configure with:

On the General tab:

Banner Type: None
Turn-on Consent with Email: Disabled
Captive Bypass Portal: Disabled
Disable Success Window: Enabled
Disable Logout Window: Enabled
Sleeping Client Status: Enabled
Sleeping Client Timeout: 720

On the Advanced tab:

Redirect for log-in: *insert access_url here*
Redirect On-Success: *insert access_url here*success
Redirect On-Failure: *insert access_url here*
Redirect Append for AP MAC Address: ap_mac
Redirect Append for Client MAC Address: client_mac
Redirect Append for WLAN SSID: wlan_ssid
Portal IPV4 Address: *insert walled_garden_ip here*

AAA Servers

Click Configuration > Security > AAA on the left. Select the Servers / Groups tab and click Add. Configure with:

Name: rad1
IPv4 / IPv6 Server Address: *insert radius_server_ip here*
Key Type: 0
Key: *insert radius_secret here*
Confirm Key: as above
Auth Port: 1812
Acct Port: 1813
Server Timeout: 10
Retry Count: 3
Support for CoA: Enabled

Click Apply to Device to save. Next, click Add again and configure with:

Name: rad2
IPv4 / IPv6 Server Address: *insert radius_server2_ip here*
Key Type: 0
Key: *insert radius_secret here*
Confirm Key: as above
Auth Port: 1812
Acct Port: 1813
Server Timeout: 10
Retry Count: 3
Support for CoA: Enabled

Click Apply to Device to save. On the Server Groups sub tab, click Add. Configure with:

Name: guest_radius
Group Type: RADIUS
MAC-Delimiter: hyphen
MAC-Filtering: none
Assigned Servers: rad1, rad2

Click Apply to Device to save. Next, click on the AAA Method List tab. Click Add and configure with:

Method List Name: guest_auth
Type: login
Group Type: group
Assigned Server Groups: guest_radius

Click Apply to Device to save. Next, click the Accounting sub nav menu on the left and click Add. Configure with:

Method List Name: guest_acct
Type: identity
Assigned Server Groups: guest_radius

Click Apply to Device to save. Next, click the AAA Advanced tab and then the Show Advanced Settings >>> option. Configure both Accounting and Authentication with:

Call Station ID: ap-macaddress-ssid
Call Station ID Case: upper
MAC-Delimiter: hyphen
Username Case: lower
Username Delimiter: none

WLANs

Click Configuration > Tags & Profiles > WLANs on the left. Click Add or edit an existing WLAN and configure with:

On the General tab:

Profile Name: Guest WiFi
SSID: Guest WiFi (or whatever you wish)
Status: Enabled
Radio Policy: All
Broadcast SSID: Enabled

On the Security > Layer 2 tab:

Layer 2 Security Mode: None
MAC Filtering: Disabled

On the Security > Layer 3 tab, click Show Advanced Settings >>> and configure with:

Web Policy: Enabled
Web Auth Parameter Map: guest_wifi
Authentication List: guest_auth
On Mac Filter Failure: Disabled
Splash Web Redirect: Disabled

URL Filters

Click Configuration > Security > URL Filters. Click Add and add all required domains.

List Name: guest_url_filter
Type: PRE_AUTH
Action: PERMIT
URLs: Please refer to this list.

Policy

Click Configuration > Tags & Profiles > Policy on the left. Click Add, leaving all settings at default apart from the following:

On the General tab:

Name: guest_policy
Status: Enabled

On the Access Policies tab:

URL Filters: guest_url_filter

On the Advanced tab:

Session Timeout: 43200
Idle Timeout: 3600
Allow AAA Override: Enabled
Accounting List: guest_acct

Tags

Click Configuration > Tags & Profiles > Tags on the left. Click Add and configure with:

Name: guest_tag
WLAN Profile: Guest WiFi
Policy Profile: guest_policy

Administration

Click Administration > Management > HTTP/HTTPS/Netconf on the left. Configure with:

HTTP Access: Enabled
HTTPS Access: Enabled
Policy Profile: guest_policy

Final Steps

The final step is to disable secure webauth so that authentication can succeed. Log in to the CLI of the controller and, once in configuration (enable) mode, run the following commands:

parameter-map type webauth global
webauth-http-enable
secure-webauth-disable
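
To confirm that the Final Steps commands and the earlier parameter-map settings are present in the saved configuration, the following added example (not Purple's or Cisco's code) parses a running-config export and reports what is missing. The `type webauth` and `virtual-ip ipv4` lines are assumed CLI renderings of the GUI fields, and the sample config is constructed.

```python
GLOBAL_MAP = "parameter-map type webauth global"
GUEST_MAP = "parameter-map type webauth guest_wifi"

# Expected lines per block. The first two are the "Final Steps" commands; the
# rest are assumed CLI renderings of "Virtual IPv4 Address" and "Type".
EXPECTED = {
    GLOBAL_MAP: ["webauth-http-enable", "secure-webauth-disable",
                 "virtual-ip ipv4 192.0.2.1"],
    GUEST_MAP: ["type webauth"],
}

def parse_blocks(config_text):
    """Group IOS-style config into {top-level line: [indented child lines]}."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue  # blank lines and '!' separators carry no settings
        if not line[0].isspace():
            current = line  # unindented line opens a new block
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit(config_text):
    """Return (block, missing line) pairs; an empty list means nothing is missing."""
    blocks, missing = parse_blocks(config_text), []
    for header, wanted in EXPECTED.items():
        if header not in blocks:
            missing.append((header, "<block absent>"))
            continue
        missing.extend((header, w) for w in wanted if w not in blocks[header])
    return missing

# Constructed sample: secure-webauth-disable was never entered.
SAMPLE_CONFIG = """\
parameter-map type webauth global
 type webauth
 virtual-ip ipv4 192.0.2.1
 webauth-http-enable
!
parameter-map type webauth guest_wifi
 type webauth
"""

if __name__ == "__main__":
    for header, line in audit(SAMPLE_CONFIG):
        print(f"{header}: missing {line}")
```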

Save and Apply

The configuration is now complete. Be sure to click Save Configuration at the top right of the page so that your changes persist across reboots.
