NOTE: We highly recommend you use 9800 WLC IOS-XE Gibraltar v16.XX or above as this includes many stability and feature improvements.
Purpose
This guide shows how to configure a Cisco Systems WLC Controllers in the "Controller - AP" architecture, in order to use each Access Point as a Hotspot. Please use parameters under “Parameters for the Configuration” at the end of this document.
Architecture
| Cisco WLAN Controller version | 9800 WLC IOS-XE Gibraltar v16.XX or above |
Cisco WLAN Controllers Configuration Steps
This article applies to all Wi-Fi Cisco controllers. The configuration procedure has been performed and tested for the version 9800 WLC IOS-XE Gibraltar v16.XX.
To correctly integrate a Cisco controller with the Solution, it is necessary that the controller:
- is connected to the Internet
- is reachable in the network
- correctly assigns IP addresses to APs
- has both management port and service port correctly set
To get a better functioning experience, we suggest loading all necessary certificates to the controller.
AAA Configuration on 9800 WLC
Navigate to Configuration > Security > AAA > Servers / Groups > RADIUS > Servers
Click + Add and enter the RADIUS server's information.
- Enter the name for the radius server
- Enter the IP Address of the radius server (find the details in the "Parameters for the Configuration" section at the end of this document)
- Enter Secret Key: This will be provided by IPERA Engineers
- Enter the radius authentication port (1812)
- Enter the radius accounting port (1813)
- Enable the Support for CoA
Select the Server Groups tab and click on the Add.
Enter the name for the server Group and assign the IPERA servers to it.
To create an authentication method list navigate to Configuration > Security > AAA > AAA Method List > Authentication > + Add
Click on the Add and enter the following
- Enter the Method List Name
- Select the login as a Type
- Select the group as a Group Type
- Assign the IPERA server group to the list
**If you are enabling the MAC filtering,
To create an authorization method list, select the Authentication section and click on the Add.
Click on the Add and enter the following
- Enter the Method List Name
- Select the type as a 'Network'
- Assign the IPERA server group to the list
-
**
To create an accounting method list select the accounting section and click on the Add.
- Enter the Method List Name
- Select the identity as a Type
- Assign the IPERA server group to the list
In order to use Radius Accounting in Anchor-Foreign deployments, please do the following.
- WLAN -> Edit 'SSIDNAME' -> Security -> AAA Servers
- Disable the radius accounting servers in the anchor controller and keep only radius authentication servers
- Disable the radius authentication servers in the foreign controller and keep only radius accounting servers
Navigate to the Configuration > Security > AAA > AAA Advanced
Enable the Interim Update and 3 minutes as a value
Change Caller Station ID, Caller Station ID Case & Mac Delimiter under the Global Config > Radius Attributes.
Add Web Auth Parameters
To configure the Web Auth parameters navigate to the Configuration > Security > Web Auth.
Click on Add to create new Parameter Map
Click on the parameter map configured in the previous step, navigate to the Advanced tab, and enter the Redirect for log-in URL, Redirect for Success URL, Append for AP MAC Address, Append for Client MAC Address, Append for WLAN SSID and portal IPv4 Address.
Keep “Sleeping Client Status” disable
WLAN Configuration
To create a new WLAN navigate to Configuration > Tags & Profiles > WLANs > + Add
Define the Profile Name and SSID
Navigate to Security > Layer2 and select none for Layer 2 Security Mode
Navigate to Security > Layer3 and enable the Web Policy option.
Select the Web Auth Parameter Map & Authentication List.
**If you are enabling the MAC filtering,
The following information must be configured in Layer 2 and Layer 3:
Navigate to Security > Layer2
Enable 'MAC Filtering'
Select the Authorization List that created.
2. Navigate to Security > Layer3 > Advanced settings
Enable 'On MAC Filter Failure'
Enable 'Splash Web Redirection'
**
Create URL Filter
To create a new URL filter navigate to Configuration > Security > URL Filters > + Add
- Enter the Method List Name
- Select PRE-AUTH as a Type
- Select PERMIT as an Action
- Define the required URLs in the URLs sections
It is mandatory to add the following domains to ACL
- engage.iperawifi.com
- me.iperawifi.com
- static.iperawifi.com
If you wish to support social network logins, you need to add rules for domains below for each network you plan to support
|
|
login.microsoftonline.com | accounts.google.com | |
| aadcdn.msauth.net | www.google.com | ||
| login.live.com | fonts.gstatic.com | ||
| akamaihd.net | play.google.com | ||
| aadcdn.msftauth.net | ssl.gstatic.com | ||
| www.facebook.com | accounts.youtube.com | ||
| www.facebook.net | accounts.google.com | ||
| static.xx.fbcdn.net | TikTok (**) | *.tiktok.com | |
| api.twitter.com | firebaseinstallations.googleapis.com | ||
| abs-0.twimg.com | storage.googleapis.com | ||
| pbs.twimg.com | *.ibytedtos.com | ||
|
|
www.linkedin.com | *.tiktokv.com | |
| static.licdn.com | open-api.tiktok.com | ||
| media.licdn.com | www.tiktok.com | ||
| ponf.linkedin.com | *.ttwstatic.com | ||
| platform.linkedin.com | *.tiktokcdn.com | ||
| Apple | www.apple.com | ||
| appleid.apple.com | |||
| appleid.cdn-apple.com | |||
| is4-ssl.mzstatic.com | |||
(*) Please refer to the below URL if you wish to use Microsoft login method
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/review-admin-consent-requests
(**) Google, Facebook, Twitter, and Apple should be also added for TikTok
Important Note: URL Filtering Limitations
The Cisco Catalyst 9800 (IOS XE 17.x) enforces strict limits on the number of entries per URL filter list. Any entries configured beyond these limits will be ignored by the system, even if the configuration is accepted.
Standard Limit: Maximum of 20 entries (if no wildcards are used).
Wildcard Limit: Maximum of 16 entries (if the list contains any wildcard domains, e.g.,
*.example.com).
Action Required: Ensure your URL lists strictly adhere to these counts to guarantee all rules are applied.
Create Policy
To create a new policy navigate to Configuration > Tags & Profiles > Policy > + Add
Define a name for the policy and make the status enabled
Navigate to the Access Policies tab; Select the appropriate VLAN and Pre Auth URL Filter
Navigate to the Advance tab, enable the Allow AAA Override, and select Accounting List
Create Policy Tag
To create a new policy navigate to Configuration > Tags & Profiles > Tags > Policy > + Add
Click on the Add and select the WLAN Profile and Policy Profile
Map the Policy Tag to AP
To map the new policy tag to access point navigate to Configuration > Wireless > Access Points
Select the Policy and click on the Update & Apply to Device
Parameters for the Configuration
For AWS:
IPERA Radius IP Address (Primary): 35.156.39.198
IPERA Radius IP Address (Secondary): 35.156.23.166
Shared Secret: (it will be communicated by IPERA)
Authentication Port Number: 1812
Accounting Port Number: 1813
Redirect URL after login: https://engage.iperawifi.com/onboarding
External Webauth URL: https://engage.iperawifi.com/onboarding
For Azure:
IPERA Radius IP Address (Primary): 20.174.25.122
IPERA Radius IP Address (Secondary): 20.174.42.3
Shared Secret: (it will be communicated by IPERA)
Authentication Port Number: 1812
Accounting Port Number: 1813
Redirect URL after login: https://me.iperawifi.com/onboarding
External Webauth URL: https://me.iperawifi.com/onboarding
Any changes on the above parameters and values will be communicated with IPERA customers in advance.
Comments
0 comments
Please sign in to leave a comment.