This document is a draft. If you have any problem with the configuration, please contact our support team.
Prerequisites
Use Cisco IOS XE Amsterdam 17.3 or later for Cloud4Wi.
Log in to the Cisco Catalyst 9800 Series Wireless Controller Dashboard
To start the configuration process, log in to the Cisco Catalyst 9800-CL Wireless Controller Dashboard as admin. For existing environments with additional users, log in as a user with administrative privileges.
The Cisco Catalyst 9800-CL Wireless Controller Dashboard appears. Your access points are displayed.
Note: There are a number of options you can set. Only the options that require your input are shown. Default values are used for options that don’t need adjustment.
Set up a secure RADIUS connection
It’s important to set up a secure RADIUS connection between the wireless LAN controller and Cloud4Wi. We recommend that you create a primary and a secondary RADIUS server for high availability. Then create a server group and add those servers to the group.
Add RADIUS authentication and accounting servers
- Select Configuration > Security > AAA from the menu on the left side of the Dashboard.
The AAA page appears.
- Make sure that RADIUS and Servers are selected.
- Click + Add under Servers/Groups.
The Create AAA Radius Server dialog box appears.
- Enter a Name, such as “Primary_radius”.
- For the Server Address, enter the IP address of the primary RADIUS server (52.48.102.108).
- For Key, enter the value that will be communicated by Cloud4Wi, then enter the same value for Confirm Key.
- Verify that Auth Port is 1812 (RADIUS authentication) and Acct Port is 1813 (RADIUS accounting).
- For Server Timeout, enter “30” seconds. This is the maximum timeout as recommended in RFC 5080.
- Click Apply to Device on the bottom right.
You return to the AAA page where the server you added is listed.
- To review or edit server values, select the server in the list.
- Repeat steps 3-10 to add the secondary RADIUS server (34.252.97.217).
Add a RADIUS server group
Using a server group, you can separate Cloud4Wi authentication requests from the rest of your network. If you don’t create a server group, the controller will send authentication requests to the default server group, which might contain servers that aren’t associated with Cloud4Wi.
- Navigate to Configuration > Security > AAA.
- On the AAA page, under Servers/Groups, select the Server Groups tab.
- Make sure that RADIUS and Server Groups are selected.
- Click + Add under Servers/Groups.
The Create AAA Radius ServerGroup dialog box appears.
- Enter a Name, such as “Cloud4Wi_RADIUS”.
- Select all of your RADIUS servers under Available Servers.
- Click > to move the servers to Assigned Servers.
- Click Apply to Device on the bottom right.
You see a message indicating that the configuration was saved. You return to the AAA page where the server group you added is listed.
Create AAA Method List
- Navigate to Configuration > Security > AAA > AAA Method List
- Select the Authentication tab and click + Add
The Quick Setup : AAA Authentication box appears.
- Enter a Method List Name, such as “guest_auth”.
- For the category Type select dot1x from the drop-down menu.
- For the category Group Type select group from the drop-down menu.
- Select the RADIUS server group previously created under Available Server Groups.
- Click > to move the server group to Assigned Server Groups.
- Click Apply to Device on the bottom right.
- Select the Accounting tab on the left and click + Add
The Quick Setup : AAA Accounting box appears.
- Enter a Method List Name, such as “guest_acct”.
- For the category Type select identity from the drop-down menu.
- Select the RADIUS server group previously created under Available Server Groups.
- Click > to move the server group to Assigned Server Groups.
- Click Apply to Device on the bottom right.
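A check for the RADIUS server, server group and method list steps above, as an added example that is not part of the original guide or of any Cisco or Cloud4Wi tooling: it audits text saved from `show running-config` and returns a list of findings, empty when everything matches. It assumes the GUI steps produce the IOS XE CLI lines shown in the constructed sample and uses the guide's example names; `parse_blocks` and `audit` are hypothetical helper names.

```python
import re
EXPECTED_IPS = {"52.48.102.108", "34.252.97.217"}  # Cloud4Wi servers named in the guide
# Constructed sample: the CLI this example assumes the GUI steps above produce.
SAMPLE = """\
radius server Primary_radius
 address ipv4 52.48.102.108 auth-port 1812 acct-port 1813
 timeout 30
radius server Secondary_radius
 address ipv4 34.252.97.217 auth-port 1812 acct-port 1813
 timeout 30
aaa group server radius Cloud4Wi_RADIUS
 server name Primary_radius
 server name Secondary_radius
aaa authentication dot1x guest_auth group Cloud4Wi_RADIUS
aaa accounting identity guest_acct start-stop group Cloud4Wi_RADIUS
"""

def parse_blocks(config):  # map each top-level line to its indented child lines
    blocks, head = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and head:
            blocks[head].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            head = line.strip()
            blocks[head] = []
    return blocks

def audit(config, group="Cloud4Wi_RADIUS", lists=("guest_auth", "guest_acct")):
    """Return findings; an empty list means the config matches the guide."""
    blocks, findings, ip_of = parse_blocks(config), [], {}
    for head, body in blocks.items():
        if not head.startswith("radius server "):
            continue
        name = head.split()[2]
        m = re.search(r"address ipv4 (\S+) auth-port (\d+) acct-port (\d+)", "\n".join(body))
        if not m or m.group(2, 3) != ("1812", "1813"):
            findings.append(f"{name}: ports are not 1812/1813")
        if "timeout 30" not in body:
            findings.append(f"{name}: server timeout is not 30 seconds")
        ip_of[name] = m.group(1) if m else None
    members = blocks.get(f"aaa group server radius {group}", [])
    ips = {ip_of.get(l.split()[-1]) for l in members if l.startswith("server name ")}
    if ips != EXPECTED_IPS:  # a missing or an unrelated server both fail here
        findings.append(f"{group}: members are not exactly the Cloud4Wi servers")
    for name in lists:
        line = next((h for h in blocks if re.match(rf"aaa \S+ \S+ {re.escape(name)} ", h)), "")
        if not line.endswith(f" group {group}"):  # e.g. falls back to "group radius"
            findings.append(f"{name}: method list does not use group {group}")
    return findings
```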
Configure the WLAN AAA Policy
- Navigate to Configuration > Security > Wireless AAA Policy
- Click + Add
The Add Wireless AAA Policy dialog appears.
- Enter a Policy Name, such as "Cloud4Wi".
- On NAS-ID Option 1, select AP MAC Address.
- Click Apply to Device on the bottom right.
Configure Hotspot 2.0
Hotspot 2.0 allows mobile devices to join a WiFi network automatically, including during roaming, when the devices enter the Hotspot 2.0 area.
Configure ANQP Server Parameters
Access Network Query Protocol (ANQP) provides a range of information, such as IP address type and availability, and roaming partners accessible through a hotspot.
- Select Configuration > Wireless > Hotspot/Openroaming from the menu on the left side of the Dashboard.
The Hotspot/OpenRoaming page appears.
- Click + Add under ANQP Servers.
The Add New ANQP Server dialog box appears. The General/OpenRoaming tab is selected.
General/OpenRoaming settings
- In the Add New ANQP Server dialog box, enter a Name for the server, such as “Cloud4Wi”.
- Check the box next to Internet Access.
- For Network Type, select Free Public.
- In the NAI Realms section on the bottom left, click + Add.
The Add NAI Realm page appears.
- For NAI Realm Name, enter the value associated with your home network domain, as provided in the Cloud4Wi dashboard, such as “companyname.securewifi.io”.
- For EAP Method, select eap-ttls.
An EAP-TTLS dialog box appears.
- Select inner-auth-non-eap, and check the box next to mschap2. This is the EAP authentication method.
- Click Save at the bottom of the EAP-TTLS dialog box.
- Click Apply to Device at the bottom of the Add NAI Realm dialog box.
You see your realm, such as companyname.securewifi.io, listed as an NAI realm.
- To also enable OpenRoaming, in the Roaming OIs section on the top right, enter “5A03BA0000” for Roaming OI.
- Click + Add.
- Repeat the same steps to add the Roaming OI "004096".
You see the RCOI under Assigned ROI :: Beacon State.
- Check the box next to Beacon State. This includes the RCOI in access point broadcasts.
- In the Domains section, enter your home network domain, as provided in the Cloud4Wi dashboard, such as “companyname.securewifi.io”, for Domain Name.
- Click + Add.
You see the domain name in the Domain Name list.
Server Settings
- Still on the Add New ANQP Server dialog box, select Server Settings at the top.
The Server Settings page appears.
- In the WAN Metrics section, set the parameters as appropriate for your network. Don’t leave these values blank.
- Set Link Status to Up.
- Don’t enable Full Capacity Link unless you want to block devices from connecting. This setting tells devices that there’s no bandwidth available so devices will refuse to connect.
- Click Apply to Device at the bottom right.
You see a message indicating that the configuration was saved. You return to the Hotspot/OpenRoaming page where the ANQP server you added is listed.
Configure the Wireless LAN Profile
To configure the wireless LAN, you create an SSID to identify the wireless LAN. Then you associate the security profile and RADIUS servers with the wireless LAN.
Create the SSID
- Select Configuration > Tags & Profiles > WLANs from the menu on the left side of the Dashboard.
The WLANs page appears.
- Click + Add.
The Add WLAN dialog box appears. The General tab is selected.
- Enter a Profile Name, such as “Cloud4Wi”.
- For SSID, enter your SSID name, such as “Cloud4Wi”.
- Change Status to Enabled.
- Click Apply to Device on the bottom right.
You see a message indicating that the configuration was saved. You return to the WLANs page where the wireless LAN you added is listed.
Associate the security profile and RADIUS servers with the wireless LAN
- Navigate to Configuration > Tags & Profiles > WLANs.
- Select the wireless LAN you added.
The Edit WLAN page appears.
- Select Security at the top. The Layer2 tab is selected.
- For Layer 2 Security Mode, select WPA + WPA2 (default).
Note: Do not use a security level lower than “WPA2 + WPA3”, otherwise you might get a “Security Weak” error on iOS.
- Verify that the boxes next to these security options are checked:
WPA2 Policy
WPA2 Encryption AES(CCMP128)
Auth Key Mgmt 802.1x
- Select AAA at the top.
- Select the Authentication list created earlier from the drop-down menu, “guest_auth”.
Configure Policy Profile
A Policy Profile enables you to assign parameters such as VLAN, access control lists (ACLs), and Quality of Service (QoS).
- Navigate to Configuration > Tags & Profiles > Policy > ADD+
- The Add Policy Profile page appears.
- Enter a Policy Name, such as, “Cloud4Wi”
- Enter a Policy Description, such as, “Cloud4Wi”
- Enable the Status of this profile by clicking on the category.
- Still on the Add Policy Profile dialog box, select the Access Policies option at the top.
The Access Policies page appears.
- Enter the VLAN ID allocated for the Cloud4Wi WLAN. For the default VLAN, type the number 1. DO NOT leave this field blank or select default from the drop-down menu.
- Still on the Add Policy Profile dialog box, select the Advanced option at the top.
The Advanced Option page appears.
- Under the WLAN Timeout section, uncheck the Client Exclusion Timeout option.
- Under the Hotspot Server option (top right), select the Hotspot Server name configured earlier, “Cloud4Wi”.
- Under AAA Policy (bottom left), check the box next to Allow AAA Override, then:
as Policy Name, select the Wireless AAA Policy created before (e.g. "Cloud4Wi")
as Accounting List, select the Accounting List created before (e.g. "Cloud4Wi")
- Click Apply to Device at the bottom right.
Configure Policy Tag
A Policy tag is configured to connect the WLAN Profile to the Policy Profile.
- Navigate to Configuration > Tags & Profiles > Tags > Policy > ADD
- The Add Policy Tag dialogue box appears.
- Enter a Profile Name, such as, “Cloud4Wi”.
- For Description, enter “Cloud4Wi”.
- Click on ADD under WLAN-POLICY Maps
- Select the WLAN Profile configured earlier from the drop down menu option ("Cloud4Wi").
- Select the Policy Profile configured earlier from the drop down menu option ("Cloud4Wi").
- Click the check mark below, then click Save & Apply to Device on the bottom right.
Assign Policy Tag
To deploy the configured policies to the access points, attach each Policy Tag to the required access point.
- Navigate to Configuration > Wireless Setup > Advanced > Start Now > Apply
- Click Tag APs at the bottom right of the page.
- Select the access points to be tagged and click + Tag APs at the top of the page.
- The Tag APs dialogue box appears
- For Policy select the Policy Tag configured earlier from the drop down menu.
- Click Save & Apply to Device on the bottom right.