Note
IOS-XE v16.10 or higher is required in order to continue.
Logging in
Open a web browser and log in to your Cisco Catalyst web interface. At the top right, click the Settings icon and enable Expert mode.
Web Auth
Click Configuration > Security > Web Auth on the left. Click into the global profile and configure with:
Virtual IPv4 Address: | 192.0.2.1 |
Click Apply to save. Next, click the Add button. Configure with:
Parameter-map name: | guest_wifi |
Maximum HTTP connections: | 200 |
Init-State Timeout: | 3600 |
Type: | webauth |
Click Apply to Device to save. Next, click into the profile you just created and configure with:
On the General tab:
Banner Type: | None |
Turn-on Consent with Email: | Disabled |
Captive Bypass Portal: | Disabled |
Disable Success Window: | Enabled |
Disable Logout Window: | Enabled |
Sleeping Client Status: | Enabled |
Sleeping Client Timeout: | 720 |
On the Advanced tab:
Redirect for log-in: | *insert access_url here* |
Redirect On-Success: | *insert access_url here*success |
Redirect On-Failure: | *insert access_url here* |
Redirect Append for AP MAC Address: | ap_mac |
Redirect Append for Client MAC Address: | client_mac |
Redirect Append for WLAN SSID: | wlan_ssid |
Portal IPV4 Address: | *insert walled_garden_ip here* |
AAA Servers
Click Configuration > Security > AAA on the left. Select the Servers / Groups tab and click Add. Configure with:
Name: | rad1 |
IPv4 / IPv6 Server Address: | *insert radius_server_ip here* |
Key Type: | 0 |
Key: | *insert radius_secret here* |
Confirm Key: | as above |
Auth Port: | 1812 |
Acct Port: | 1813 |
Server Timeout: | 10 |
Retry Count: | 3 |
Support for CoA: | Enabled |
Click Apply to Device to save. Next, click Add again and configure with:
Name: | rad2 |
IPv4 / IPv6 Server Address: | *insert radius_server2_ip here* |
Key Type: | 0 |
Key: | *insert radius_secret here* |
Confirm Key: | as above |
Auth Port: | 1812 |
Acct Port: | 1813 |
Server Timeout: | 10 |
Retry Count: | 3 |
Support for CoA: | Enabled |
Click Apply to Device to save. On the Server Groups sub tab, click Add. Configure with:
Name: | guest_radius |
Group Type: | RADIUS |
MAC-Delimiter: | hyphen |
MAC-Filtering: | none |
Assigned Servers: | rad1, rad2 |
Click Apply to Device to save. Next, click on the AAA Method List tab. Click Add and configure with:
Method List Name: | guest_auth |
Type: | login |
Group Type: | group |
Assigned Server Groups: | guest_radius |
Click Apply to Device to save. Next, click the Accounting sub nav menu on the left and click Add. Configure with:
Method List Name: | guest_acct |
Type: | identity |
Assigned Server Groups: | guest_radius |
Click Apply to Device to save. Next, click the AAA Advanced tab and then the Show Advanced Settings >>> option. Configure both Accounting and Authentication with:
Call Station ID: | ap-macaddress-ssid |
Call Station ID Case: | upper |
MAC-Delimiter: | hyphen |
Username Case: | lower |
Username Delimiter: | none |
WLANs
Click Configuration > Tags & Profiles > WLANs on the left. Click Add or edit an existing WLAN and configure with:
On the General tab:
Profile Name: | Guest WiFi |
SSID: | Guest WiFi (or whatever you wish) |
Status: | Enabled |
Radio Policy: | All |
Broadcast SSID: | Enabled |
On the Security > Layer 2 tab:
Layer 2 Security Mode: | None |
MAC Filtering: | Disabled |
On the Security > Layer 3 tab, click Show Advanced Settings >>> and configure with:
Web Policy: | Enabled |
Web Auth Parameter Map: | guest_wifi |
Authentication List: | guest_auth |
On Mac Filter Failure: | Disabled |
Splash Web Redirect: | Disabled |
URL Filters
Click Configuration > Security > URL Filters. Click Add and add all required domains.
List Name: | guest_url_filter |
Type: | PRE_AUTH |
Action: | PERMIT |
URLs: | Please refer to this list. |
Policy
Click Configuration > Tags & Profiles > Policy on the left. Click Add, leaving all settings at default apart from the following:
On the General tab:
Name: | guest_policy |
Status: | Enabled |
On the Access Policies tab:
URL Filters: | guest_url_filter |
On the Advanced tab:
Session Timeout: | 43200 |
Idle Timeout: | 3600 |
Allow AAA Override: | Enabled |
Accounting List: | guest_acct |
Tags
Click Configuration > Tags & Profiles > Tags on the left. Click Add and configure with:
Name: | guest_tag |
WLAN Profile: | Guest WiFi |
Policy Profile: | guest_policy |
Administration
Click Administration > Management > HTTP/HTTPS/Netconf on the left. Configure with:
HTTP Access: | Enabled |
HTTPS Access: | Enabled |
Policy Profile: | guest_policy |
Final Steps
The final step is to disable secure webauth so that authentication can succeed. Log in to the CLI of the controller and, once in configuration (enable) mode, run the following commands:
parameter-map type webauth global
webauth-http-enable
secure-webauth-disable
Save and Apply
The configuration is now complete. Be sure to click on Save Configuration at the top right of the page to ensure your changes are persisted on reboot.
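To confirm the web auth settings above ended up in the right parameter map, the saved configuration can be checked offline. The script below is an added example, not part of the original guide or any Cisco tooling: it parses IOS-style config text into blocks and reports which required commands are absent from each block. Apart from the three Final Steps commands, the CLI forms (virtual-ip, redirect append ...) are assumed renderings of the GUI settings, and the sample config is constructed.

```python
# Constructed sample of `show running-config` output (not from a real device).
# It deliberately omits two settings so the check has something to report.
SAMPLE = """\
parameter-map type webauth global
 type webauth
 virtual-ip ipv4 192.0.2.1
 webauth-http-enable
!
parameter-map type webauth guest_wifi
 type webauth
 redirect append ap-mac tag ap_mac
 redirect append client-mac tag client_mac
!
"""

# Commands expected under each block; CLI spellings other than the guide's own are assumptions.
GLOBAL = "parameter-map type webauth global"
GUEST = "parameter-map type webauth guest_wifi"
REQUIRED = {
    GLOBAL: ["virtual-ip ipv4 192.0.2.1", "webauth-http-enable", "secure-webauth-disable"],
    GUEST: ["type webauth", "redirect append ap-mac tag ap_mac",
            "redirect append client-mac tag client_mac",
            "redirect append wlan-ssid tag wlan_ssid"],
}

def parse_blocks(config):
    """Map each unindented config line to the indented lines beneath it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None              # "!" or a blank line closes the block
        elif raw[0].isspace():
            if current is not None:     # indented line belongs to the open block
                blocks[current].append(line)
        else:
            current = line              # unindented line opens a new block
            blocks.setdefault(current, [])
    return blocks

def missing_settings(config):
    """Return (block, command) pairs that are required but absent from that block."""
    blocks = parse_blocks(config)
    return [(h, c) for h, cmds in REQUIRED.items()
            for c in cmds if c not in blocks.get(h, [])]

if __name__ == "__main__":
    print(missing_settings(SAMPLE))
```

A command only counts when it sits under its own block header, so a setting entered under the wrong parameter map is still reported as missing.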