NOTE: You need to be running firmware version 4.6.5R or above in order to proceed.
Log in to your Wireless Controller interface and click on Configuration at the top. On the left menu, choose Security > AAA > RADIUS.
Click Add and configure with the following:
- Type: Auth/Acct
- IP Address: *insert radius_server_ip here*
- Shared Secret Format: ASCII
- Shared Secret: *insert radius_secret here*
- Confirm Shared Secret: as above
- Auth Port Number: 1812
- Acct Port Number: 1813
- CoA: Enable
- Password Type: MAC Address
- MAC Delimiter: Hyphen
- MAC Case: Upper
Click Add again and configure with the following:
- Type: Auth/Acct
- IP Address: *insert radius_server2_ip here*
- Shared Secret Format: ASCII
- Shared Secret: *insert radius_secret here*
- Confirm Shared Secret: as above
- Auth Port Number: 1812
- Acct Port Number: 1813
- CoA: Enable
- Password Type: MAC Address
- MAC Delimiter: Hyphen
- MAC Case: Upper
Click Apply to Save.
Next, go to Security > Access Control Lists > IP ACL. Click Add and enter the following:
- Name: guestwifi
- Sequence: 1
- Protocol: Any
- Source: Any
- Source Port: Any
- Destination: URL: *insert access_domain here*
- Destination Port: Any
- Action: Permit
Next, click on Security > Captive Portal > Web Service and set both the Domain Name and IP Address to the local IP address of your controller (the same IP address you use to access the web interface in your browser). Click Apply to Save.
- Profile Name: guestwifi
- SSID: Guest WiFi (or whatever you wish)
- Interface Group: Select your preferred interface
- Radio Area: 2.4GHz/5GHz
- AAA Override: Enable
- Admin Status: Enable
- L2 Security Type: None
Click Apply to Save. On the Security tab > L3 tab, configure:
- Web Policy: Enable, choose Web Authentication from the list
- Pre-Authentication ACL: guestwifi
- Web Page Type: External
- URL: *insert access_url here*
- Server Type: RADIUS
- Primary RADIUS Server: *insert radius_server_ip here* : 1812
- Secondary RADIUS Server: *insert radius_server2_ip here* : 1812
- Cache Duration: 30
- After Authentication: Select Redirect URL and enter: *insert redirect_url here*
- Primary RADIUS Server: *insert radius_server_ip here* : 1813
- Accounting Interval: 3
Click Apply to Save.
Next, click Administration at the top then HTTP-HTTPS on the left. Configure with the following:
- HTTP: Enable
- Captive Portal Port: 80
The final step is to SSH or console in to the controller to run a command. This is required in order for authentication to work correctly. Once logged in to the console, enter the following commands one line at a time:
# conf t
# security captive-portal radius-called-station-id ap-mac
# exit
# save local
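
To check the RADIUS server side against the settings above, this added example (not code from the original guide or from the controller vendor) builds the Access-Request a server would expect: MAC addresses in upper case with hyphen delimiters, and the AP MAC in Called-Station-Id. It assumes the controller sends the client MAC as both User-Name and User-Password and hides the password as RFC 2865 specifies; the secret and MAC addresses are constructed sample values.

```python
import hashlib
import os
import re
import struct

def format_mac(mac: str, delimiter: str = "-", upper: bool = True) -> str:
    """Normalise a MAC to the guide's settings: hyphen delimiter, upper case."""
    digits = re.sub(r"[-:.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    digits = digits.upper() if upper else digits.lower()
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(client_mac, ap_mac, secret, identifier=1, authenticator=None):
    """Assumed request shape: client MAC as User-Name and User-Password."""
    authenticator = authenticator or os.urandom(16)
    user = format_mac(client_mac).encode()
    attrs = (attr(1, user)                                           # User-Name
             + attr(2, hide_password(user, secret, authenticator))   # User-Password
             + attr(30, format_mac(ap_mac).encode()))                # Called-Station-Id
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))     # 1 = Access-Request
    return header + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: raw value} from a RADIUS packet."""
    attrs, pos = {}, 20                      # attributes follow the 20-byte header
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    pkt = build_access_request("de:ad:be:ef:00:01", "0011.2233.aabb", b"constructed-secret")
    print({t: v for t, v in parse_attributes(pkt).items() if t != 2})
```

If the RADIUS server stores MAC addresses in a different case or with a different delimiter, the User-Name lookup will not match what the controller sends under these settings.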