Note
IOS-XE v17 or higher is required in order to continue.
Logging in
Open a web browser and log in to your Cisco Catalyst web interface. At the top right, click the Settings icon and enable Expert mode.
Web Auth
Click Configuration > Web Auth on the left. Click into the global profile and configure with:
| Virtual IPv4 Address: | 192.0.2.1 |
Click Apply to save. Next, click the Add button. Configure with:
| Parameter-map name: | guest_wifi |
| Maximum HTTP connections: | 200 |
| Init-State Timeout: | 3600 |
| Type: | webauth |
Click Apply to Device to save. Next, click into the profile you just created and configure with:
On the General tab:
| Banner Type: | None |
| Turn-on Consent with Email: | Disabled |
| Captive Bypass Portal: | Disabled |
| Disable Success Window: | Enabled |
| Disable Logout Window: | Enabled |
| Sleeping Client Status: | Enabled |
| Sleeping Client Timeout: | 720 |
On the Advanced tab:
| Redirect for log-in: | *insert access_url here* |
| Redirect On-Success: | *insert access_url here*success |
| Redirect On-Failure: | *insert access_url here* |
| Redirect Append for AP MAC Address: | ap_mac |
| Redirect Append for Client MAC Address: | client_mac |
| Redirect Append for WLAN SSID: | wlan_ssid |
| Portal IPV4 Address: | *insert walled_garden_ip here* |
Click Update & Apply.
AAA Servers
Click Configuration > AAA on the left. Select the Servers / Groups tab and click Add. Configure with:
| Name: | guest_rad1 |
| IPv4 / IPv6 Server Address: | *insert radius_server_ip here* |
| Key Type: | 0 |
| Key: | *insert radius_secret here* |
| Confirm Key: | as above |
| Auth Port: | 1812 |
| Acct Port: | 1813 |
| Server Timeout: | 10 |
| Retry Count: | 3 |
| Support for CoA: | Enabled |
Click Apply to Device to save. Next, click Add again and configure with:
| Name: | guest_rad2 |
| IPv4 / IPv6 Server Address: | *insert radius_server2_ip here* |
| Key Type: | 0 |
| Key: | *insert radius_secret here* |
| Confirm Key: | as above |
| Auth Port: | 1812 |
| Acct Port: | 1813 |
| Server Timeout: | 10 |
| Retry Count: | 3 |
| Support for CoA: | Enabled |
Click Apply to Device to save. On the Server Groups sub tab, click Add. Configure with:
| Name: | guest_radius |
| Group Type: | RADIUS |
| MAC-Delimiter: | hyphen |
| MAC-Filtering: | none |
| Assigned Servers: | guest_rad1, guest_rad2 |
Click Apply to Device to save. Next, click on the AAA Method List tab. Click Add and configure with:
| Method List Name: | guest_auth |
| Type: | login |
| Group Type: | group |
| Assigned Server Groups: | guest_radius |
Click Apply to Device to save. Next, click the Accounting sub nav menu on the left and click Add. Configure with:
| Method List Name: | guest_acct |
| Type: | identity |
| Assigned Server Groups: | guest_radius |
Click Apply to Device to save. Next, click the AAA Advanced tab and then the Show Advanced Settings >>> option. Configure both Accounting and Authentication with:
| Call Station ID: | ap-macaddress-ssid |
| Call Station ID Case: | upper |
| MAC-Delimiter: | hyphen |
| Username Case: | lower |
| Username Delimiter: | none |
Click Apply to Device.
WLAN
Click Configuration > WLANs on the left. Click Add or edit an existing WLAN and configure with:
On the General tab:
| Profile Name: | Guest WiFi |
| SSID: | Guest WiFi (or whatever you wish) |
| Status: | Enabled |
| Radio Policy: | All |
| Broadcast SSID: | Enabled |
On the Security > Layer 2 tab:
| Layer 2 Security Mode: | None |
| MAC Filtering: | Disabled |
On the Security > Layer 3 tab, click Show Advanced Settings >>> and configure with:
| Web Policy: | Enabled |
| Web Auth Parameter Map: | guest_wifi |
| Authentication List: | guest_auth |
| On Mac Filter Failure: | Disabled |
| Splash Web Redirect: | Disabled |
| URL Filter: | guest_url_filter |
Click Apply to Device.
URL Filters
Click Configuration > Security > URL Filters.
If you are using Local mode AP's, under URL Filters click Add and configure with:
| List Name: | guest_url_filter |
| Type: | PRE_AUTH |
| Action: | PERMIT |
| URLs: | Please refer to this list for a list of required URLs (domains) |
Click Apply to Device.
OR, if you are using FlexConnect mode APs, under Enhanced URL Filters, click Add for each URL (domain). Please refer to this list for the required URLs (domains), i.e.
| URL: | *insert access_domain here* |
| Preference: | 1 |
| Action: | PERMIT |
Click Apply to Device.
Policy
Click Configuration > Policy on the left. Click Add, configure your basic required settings as required and then configure with the following:
On the General tab:
| Name: | guest_policy |
| Status: | Enabled |
On the Access Policies tab:
| URL Filters: | guest_url_filter |
On the Advanced tab:
| Session Timeout: | 43200 |
| Idle Timeout: | 3600 |
| Allow AAA Override: | Enabled |
| Accounting List: | guest_acct |
| Interim Accounting: | Enabled |
If you are using FlexConnect mode APs, click Configuration > Flex on the left. Click Add, configure your basic required settings as required and then configure with the following:
On the General tab:
| Name: | guest_flex_profile |
| Status: | Enabled |
On the Policy ACL tab click Add and configure with:
| ACL Name: | WA-sec-*insert walled_garden_ip here* |
| URL Filter: | guest_url_filter |
Click Apply to Device.
Tags
Click Configuration > Tags on the left. Click Add and configure with:
| Name: | guest_tag |
| WLAN Profile: | Guest WiFi |
| Policy Profile: | guest_policy |
Click Apply to Device.
Administration
Click Administration > HTTP/HTTPS/Netconf on the left. Configure with:
| HTTP Access: | Enabled |
| HTTPS Access: | Enabled |
Click Apply to Device.
Final Steps
The final step is to ensure that secure webauth is disabled in order for the authentication to succeed. You will need to login to the CLI of the controller and once in configuration (enable) mode, run the following commands:
parameter-map type webauth global
webauth-http-enable
secure-webauth-disable
Save and Apply
The configuration is now complete. Be sure to click on Save Configuration at the top right of the page to ensure your changes are persisted on reboot.
Secure WiFi AAA Servers
Click Configuration > AAA on the left. Select the Servers / Groups tab and click Add. Configure with:
| Name: | secure_rad1 |
| IPv4 / IPv6 Server Address: | rad1-secure.purple.ai |
| Key Type: | 0 |
| Key: | *insert radius_secret here* |
| Confirm Key: | as above |
| Auth Port: | 1812 |
| Acct Port: | 1813 |
| Server Timeout: | 10 |
| Retry Count: | 3 |
| Support for CoA: | Enabled |
Click Apply to Device to save. Next, click Add again and configure with:
| Name: | secure_rad2 |
| IPv4 / IPv6 Server Address: | rad2-secure.purple.ai |
| Key Type: | 0 |
| Key: | *insert radius_secret here* |
| Confirm Key: | as above |
| Auth Port: | 1812 |
| Acct Port: | 1813 |
| Server Timeout: | 10 |
| Retry Count: | 3 |
| Support for CoA: | Enabled |
Click Apply to Device to save. On the Server Groups sub tab, click Add. Configure with:
| Name: | secure_radius |
| Group Type: | RADIUS |
| MAC-Delimiter: | hyphen |
| MAC-Filtering: | none |
| Assigned Servers: | secure_rad1, secure_rad2 |
Click Apply to Device to save. Next, click on the AAA Method List tab. Click Add and configure with:
| Method List Name: | secure_auth |
| Type: | login |
| Group Type: | group |
| Assigned Server Groups: | secure_radius |
Click Apply to Device to save. Next, click the Accounting sub nav menu on the left and click Add. Configure with:
| Method List Name: | secure_acct |
| Type: | identity |
| Assigned Server Groups: | secure_radius |
Click Apply to Device to save. Next, click the AAA Advanced tab and then the Show Advanced Settings >>> option. Configure both Accounting and Authentication with:
| Call Station ID: | ap-macaddress-ssid |
| Call Station ID Case: | upper |
| MAC-Delimiter: | hyphen |
| Username Case: | lower |
| Username Delimiter: | none |
Click Apply to Device.
Secure WiFi Hotspot 2.0
Click Configuration > Hotspot/OpenRoaming on the left. Under ANQP Servers click Add and configure with:
On the General/OpenRoaming tab:
| Name: | Purple WiFi |
| Internet Access | Enabled |
| Network Type: | Free Public |
Under NAI Realms click Add and configure with:
| NAI Realm Name: | securewifi.purple.ai |
| EAP Methods: | eap-ttls (Enabled) |
On the right side popup, select inner-auth-non-eap and select pap. Click Apply to Device.
Under Roaming OIs configure with:
| Roaming OI: | 5A03BA0000 |
| Beacon State: | Enabled |
Click Add. Do the same again with the following:
Under NAI Realms click Add and configure with:
| Roaming OI: | 004096 |
| Beacon State: | Enabled |
Click Add.
Under Domains configure with:
| Domain Name: | securewifi.purple.ai |
Click Add. On the Server Settings tab, configure with:
| Download Speed: | set the maximum speed your connection supports |
| Upload Speed: | set the maximum speed your connection supports |
| Link Status: | Up |
Click Apply to Device.
Secure WiFi WLAN
Click Configuration > WLANs on the left. Click Add or edit an existing WLAN and configure with:
On the General tab:
| Profile Name: | Secure WiFi |
| SSID: | Secure WiFi (or whatever you wish) |
| Status: | Enabled |
| Radio Policy: | All |
| Broadcast SSID: | Enabled |
On the Security > Layer 2 tab:
| Layer 2 Security Mode: | WPA + WPA2 |
| WPA2 Policy: | Enabled |
| WPA2 Encryption: | AES |
| Auth Key Mgmt | 802.1x |
On the Security > AAA tab configure with:
| Web Auth Parameter Map: | secure_wifi |
Click Apply to Device.
Secure WiFi Policy
Click Configuration > Policy on the left. Click Add, configure your basic required settings as required and then configure with the following:
On the General tab:
| Name: | secure_policy |
| Status: | Enabled |
On the Advanced tab:
| Client Exclusion Timeout: | Disabled (unchecked) |
| Hotspot Server: | Purple |
| Allow AAA Override: | Enabled |
| Accounting List: | secure_acct |
| Interim Accounting: | Enabled |
Click Apply to Device.
Secure WiFi Tags
Click Configuration > Tags on the left. Click Add and configure with:
| Name: | secure_tag |
| WLAN Profile: | Secure WiFi |
| Policy Profile: | secure_policy |
Click Apply to Device.
Save and Apply
The configuration is now complete. Be sure to click on Save Configuration at the top right of the page to ensure your changes are persisted on reboot.