Welcome to Purple Support

Cisco Catalyst WLC (IOS-XE)

NOTE: IOS-XE v16.10 or higher is required in order to continue.

Open a web browser and log in to your Cisco Catalyst web interface. At the top right, click the Settings icon and enable Expert mode.


Click on Configuration > Security > Web Auth on the left. Click in to the global profile and configure with:

Virtual IPv4 Address: 192.0.2.1

Click Apply to save. Next, click the Add button. Configure with:

Parameter-map name: guest_wifi
Maximum HTTP connections: 200
Init-State Timeout: 3600
Type: webauth

Click Apply to Device to save. Next, click in to the profile you just created and configure with:


On the General tab:

Banner Type: None
Turn-on Consent with Email: Disabled
Captive Bypass Portal: Disabled
Disable Success Window: Enabled
Disable Logout Window: Enabled
Sleeping Client Status: Enabled
Sleeping Client Timeout: 720

On the Advanced tab:

Redirect for log-in: *insert access_url here*
Redirect On-Success: *insert access_url here*success
Redirect On-Failure: *insert access_url here*
Redirect Append for AP MAC Address: ap_mac
Redirect Append for Client MAC Address: client_mac
Redirect Append for WLAN SSID: wlan_ssid
Portal IPV4 Address: *insert walled_garden_ip here*

Click Apply to save. Next, click on Configuration > Security > AAA on the left. Select the Servers / Groups tab and click Add. Configure with:

Name: rad1
IPv4 / IPv6 Server Address: *insert radius_server_ip here*
Key Type: 0
Key: *insert radius_secret here*
Confirm Key: as above
Auth Port: 1812
Acct Port: 1813
Server Timeout: 10
Retry Count: 3
Support for CoA: Enabled

Click Apply to Device to save. Next, click Add again and configure with:

Name: rad2
IPv4 / IPv6 Server Address: *insert radius_server2_ip here*
Key Type: 0
Key: *insert radius_secret here*
Confirm Key: as above
Auth Port: 1812
Acct Port: 1813
Server Timeout: 10
Retry Count: 3
Support for CoA: Enabled

Click Apply to Device to save. On the Server Groups sub tab, click Add. Configure with:

Name: guest_radius
Group Type: RADIUS
MAC-Delimiter: hyphen
MAC-Filtering: none
Assigned Servers: rad1, rad2

Click Apply to Device to save. Next, click on the AAA Method List tab. Click Add and configure with:

Method List Name: guest_auth
Type: login
Group Type: group
Assigned Server Groups: guest_radius

Click Apply to Device to save. Next, click the Accounting sub nav menu on the left and click Add. Configure with:

Method List Name: guest_acct
Type: identity
Assigned Server Groups: guest_radius

Click Apply to Device to save. Next, click the AAA Advanced tab and then the Show Advanced Settings >>> option. Configure both Accounting and Authentication with:

Call Station ID: ap-macaddress-ssid
Call Station ID Case: upper
MAC-Delimiter: hyphen
Username Case: lower
Username Delimiter: none

Click Apply to Device to save. Next, click Configuration > Tags & Profiles > WLANs on the left. Click Add or edit an existing WLAN and configure with:


On the General tab:

Profile Name: Guest WiFi
SSID: Guest WiFi (or whatever you wish)
Status: Enabled
Radio Policy: All
Broadcast SSID: Enabled

On the Security > Layer 2 tab:

Layer 2 Security Mode: None
MAC Filtering: Disabled

On the Security > Layer 3 tab, click Show Advanced Settings >>> and configure with:

Web Policy: Enabled
Web Auth Parameter Map: guest_wifi
Authentication List: guest_auth
On Mac Filter Failure: Disabled
Splash Web Redirect: Disabled

Click Apply to Device to save. Next, click Configuration > Security > URL Filters. Click Add and configure with:

List Name: guest_url_filter
Type: PRE_AUTH
Action: PERMIT
URLs:
  *.*insert access_domain here*
  *.venuewifi.com
  *.openweathermap.org
  *.cloudfront.net
  *.stripe.com


Note: If you wish to support social network logins, you also need to add the below entries for each network you plan to support.


Facebook:
  *.facebook.com
  *.fbcdn.net
  *.akamaihd.net
  connect.facebook.net

Twitter:
  *.twitter.com
  *.twimg.com

LinkedIn:
  *.linkedin.com
  *.licdn.net
  *.licdn.com


Click Apply to save. Next, click Configuration > Tags & Profiles > Policy on the left. Click Add, leaving all settings at default apart from the following:


On the General tab:

Name: guest_policy
Status: Enabled

On the Access Policies tab:

URL Filters: guest_url_filter

On the Advanced tab:

Session Timeout: 43200
Idle Timeout: 3600
Allow AAA Override: Enabled
Accounting List: guest_acct

Click Apply to Device to save. Next, click Configuration > Tags & Profiles > Tags on the left. Click Add and configure with:

Name: guest_tag
WLAN Profile: Guest WiFi
Policy Profile: guest_policy

Click Apply to Device to save. Finally, click Administration > Management > HTTP/HTTPS/Netconf on the left. Configure with:

HTTP Access: Enabled
HTTPS Access: Enabled


The final step is to ensure that secure webauth is disabled in order for the authentication to succeed. You will need to log in to the CLI of the controller and, once in configuration (enable) mode, run the following commands:

    parameter-map type webauth global
    webauth-http-enable
    secure-webauth-disable


The configuration is now complete.


Be sure to click on Save Configuration at the top right of the page to ensure your changes are persisted on reboot.
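
To review the guest_url_filter list built in this guide before deploying it, the following added Python example (not part of the original guide or the vendor's tooling) reports which hostnames the list permits before login and which entries are wildcards over shared CDN domains. The wildcard matching rule and the stand-in domain portal.example are assumptions, since the guide does not state how the controller evaluates wildcards.

```python
# Added example (not from the original guide): review the PRE_AUTH URL filter.
# Assumption: "*.example.com" matches any subdomain of example.com but not the
# bare domain, and an entry without "*" matches that exact host only.

PRE_AUTH = [
    "*.portal.example",  # constructed stand-in for *.<access_domain>
    "*.venuewifi.com", "*.openweathermap.org", "*.cloudfront.net", "*.stripe.com",
    "*.facebook.com", "*.fbcdn.net", "*.akamaihd.net", "connect.facebook.net",
    "*.twitter.com", "*.twimg.com",
    "*.linkedin.com", "*.licdn.net", "*.licdn.com",
]

# Domains on which each subdomain belongs to a different CDN customer.
SHARED_CDN = {"cloudfront.net", "akamaihd.net"}


def normalize(host):
    """Lower-case a hostname and drop whitespace and any trailing dot."""
    return host.strip().rstrip(".").lower()


def entry_matches(entry, host):
    """True if one filter entry covers the hostname (label-boundary safe)."""
    entry, host = normalize(entry), normalize(host)
    if entry.startswith("*."):
        suffix = entry[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def allowed_by(host, entries=PRE_AUTH):
    """Filter entries that let an unauthenticated client reach this host."""
    return [e for e in entries if entry_matches(e, host)]


def uncovered(required_hosts, entries=PRE_AUTH):
    """Hosts the portal needs before login that no entry permits."""
    return [h for h in required_hosts if not allowed_by(h, entries)]


def shared_cdn_wildcards(entries=PRE_AUTH):
    """Wildcards that open every tenant of a shared CDN, not just the portal's."""
    return [e for e in entries
            if e.startswith("*.") and normalize(e)[2:] in SHARED_CDN]


if __name__ == "__main__":
    print("uncovered:", uncovered(["portal.example", "cdn.portal.example", "js.stripe.com"]))
    print("broad entries:", shared_cdn_wildcards())
```

Replace portal.example with your own access domain and pass uncovered() the hostnames your splash page actually loads; confirm the wildcard behaviour against your controller before relying on the result.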

