Important Note
We no longer recommend WLC code below v8.2.100.0. Please ensure you are using v8.2.100.0 or higher (v8.7 or higher if using FlexConnect).
Additionally, if you are using Guest Anchor, please contact support as additional steps will be required.
Logging in
Start by logging into your Cisco WLC web interface.
RADIUS
Click Security at the top and then AAA > Radius Authentication on the left menu. Set the below setting then click Apply:
Auth Called Station ID Type: | AP MAC Address:SSID |
Click New at the top right and configure with:
Server IP Address: | *insert radius_server_ip here* |
Shared Secret Format: | ASCII |
Shared Secret: | *insert radius_secret here* |
Confirm Shared Secret: | as above |
Port: | 1812 |
Server Status: | Enabled |
Network User: | No |
Management: | No |
Click Apply to save. Click New again and configure with:
Server IP Address: | *insert radius_server2_ip here* |
Shared Secret Format: | ASCII |
Shared Secret: | *insert radius_secret here* |
Confirm Shared Secret: | as above |
Port: | 1812 |
Server Status: | Enabled |
Network User: | No |
Management: | No |
Click Apply to save. Click Radius Accounting on the left menu. Set the below setting then click Apply:
Acct Called Station ID Type: | AP MAC Address:SSID |
Click New at the top right and configure with:
Server IP Address: | *insert radius_server_ip here* |
Shared Secret Format: | ASCII |
Shared Secret: | *insert radius_secret here* |
Confirm Shared Secret: | as above |
Port: | 1813 |
Server Status: | Enabled |
Network User: | No |
Management: | No |
Click Apply to save. Click New again and configure with:
Server IP Address: | *insert radius_server2_ip here* |
Shared Secret Format: | ASCII |
Shared Secret: | *insert radius_secret here* |
Confirm Shared Secret: | as above |
Port: | 1813 |
Server Status: | Enabled |
Network User: | No |
Management: | No |
Click Apply to save.
ACLs
Click Access Control Lists (or FlexConnect ACLs if you use FlexConnect) on the left and then New at the top right. Configure with:
Access Control List Name: | Guest WiFi |
ACL Type: | IPv4 |
Click Apply to save.
URL Configuration
If you are using local AP's (not FlexConnect mode):
To the right of the ACL you just created, hover the blue arrow and click Add-Remove URL. In the URL String Name box add the required domains one at a time. Please refer to this list.
OR if you are using FlexConnect mode:
Click into the ACL you just created, then click Add Rule > URL rule at the top right. In the URL box add the required domains one at a time, ensuring you set the Action to Permit each time. Please refer to this list.
Click Web Auth > Web Login Page on the left and configure with:
Redirect URL after login: | leave blank |
Click Apply to save.
WLAN
Click WLANs at the top and then WLANs on the left. Click Create New > Go at the top right (or edit an existing WLAN if you have one already). If creating a new WLAN, configure with:
Type: | WLAN |
Profile Name: | Guest Wi-Fi |
SSID: | Guest Wi-Fi (or whatever you wish) |
Click Apply to save. Next, click the SSID profile to edit the settings.
On the General tab:
Status: | Enabled |
Broadcast SSID: | Enabled |
SSID: | Guest Wi-Fi (or whatever you wish) |
On the Security > Layer 2 tab:
Layer 2 Security: | None |
On the Security > Layer 3 tab:
Layer 3 Security: | Web Policy |
Authentication: | Enabled |
Pre-authentication ACL (if Local): | Guest Wi-Fi |
WebAuth FlexACL (if FlexConnect): | Guest Wi-Fi |
Override Global Config: | Enable |
Web Auth type: | External (Re-direct to external server) |
Redirect URL: | *insert access_url here* |
On the Security > AAA Servers tab:
Authentication Servers: | Enabled |
Server 1: | IP: *insert radius_server_ip here*, Port: 1812 |
Server 2: | IP: *insert radius_server2_ip here*, Port: 1812 |
Accounting Servers: | Enabled |
Server 1: | IP: *insert radius_server_ip here*, Port: 1813 |
Server 2: | IP: *insert radius_server2_ip here*, Port: 1813 |
Interim Update: | Enabled - Interim Interval: 600 |
Authentication priority order for web-auth user (Not Used): | LOCAL, LDAP |
Authentication priority order for web-auth user (Order Used For Authentication): | RADIUS |
On the Advanced tab:
Allow AAA Overide: | Enabled |
Enable Session Timeout: | Enabled |
Session Timeout (secs): | 43200 |
Click Apply to save. Next, click Management at the top then HTTP-HTTPS on the left. Configure with:
WebAuth SecureWeb: | Disabled |
HTTPS Redirection: | Disabled |
Note: It is important that the virtual IP address is changed from the default 1.1.1.1 to avoid issues.
Click Controller at the top then Interfaces on the left. Configure with:
IP Address: | 192.0.2.1 |
Click Apply to save.
Finally, be sure to click Save Configuration at the top right.
Configuration Complete
The configuration is now complete.
Important Notes
You will need to reboot your controller for all the features to work.
When adding the AP MAC address(es) into the portal remember to use the Base Radio MAC