Cisco Systems controllers and Cloud4Wi

Purpose

This guide shows how to configure a Cisco Systems device in the "Controller - AP" architecture, in order to use each Access Point as a Hotspot.

Please note that the screenshots in this article may show outdated configuration data. Always check the values in the section "Parameters for the Solution" at the bottom of the page, which are kept up to date.

Prerequisites

This article applies to all Cisco WiFi controllers. The configuration procedure has been performed and tested on version 7.4.121.0.

To correctly integrate a Cisco controller with the Solution, it is necessary that the controller:

  • is connected to the Internet
  • is reachable in the network
  • correctly assigns IP addresses to APs
  • has both management port and service port correctly set

For best results, we suggest loading all necessary certificates onto the controller.

RADIUS server for the authentication phase

To configure the RADIUS server for the authentication phase, open the Security > RADIUS > Authentication menu. To display or edit the details of an existing RADIUS server, click the corresponding Server Index.

Otherwise, to create a new RADIUS server, select New... and configure the following parameters:

Call Station ID Type: AP MAC Address
MAC Delimiter: Colon
Server Address: 54.247.117.188
Shared Secret: (it will be communicated by Cloud4Wi)
Port: 1812

You can also configure a secondary RADIUS server. Its values are listed in the section Parameters for the Solution, at the end of this page.

RADIUS server for the accounting phase

To configure the RADIUS server for the accounting phase, open the Security > RADIUS > Accounting menu. To display or edit the details of an existing RADIUS server, click the corresponding Server Index.

Otherwise, to create a new RADIUS server, select New... and configure the following parameters:

MAC Delimiter: Colon
Server Address: 54.247.117.188
Shared Secret: (it will be communicated by Cloud4Wi)
Port: 1813

You can also configure a secondary RADIUS server. Its values are listed in the section Parameters for the Solution, at the end of this article.

 

Splash Portal configuration

To configure the Splash Portal to which the end-user is redirected, open the Security > Web Auth > Web Login page.

The following information must be configured:

 

 

Access Control List

An Access Control List (ACL) is a set of rules used to limit access to a particular interface.
You can set your ACL by clicking Security in the main toolbar and then Access Control List in the left sidebar.
In this case, two access lists are needed: Outbound and Inbound.

 

Through this feature it is possible to configure the Walled Garden. The following articles are available:

 

Authorizing an Access Point

You must authorize an access point to pass traffic according to the policies just configured. To do that, open Security > AAA > AP Policies and perform the following steps:

  • Click Add to access the Add AP to Authorization List area.
  • In the MAC address input field, enter the MAC address of the access point.

 

Configuring WLANs

You can view the WLANs currently configured in the WLANs section of the web interface.
To display or edit the details of an existing WLAN, click the corresponding WLAN ID. To create a new WLAN, select Create New and then click the Go button.

Under Security > AAA Servers, select the RADIUS servers created earlier for the authentication and accounting phases.

In the same section, make sure that the list called Authentication priority order for web-auth user has "RADIUS" as its only item.

In the WLAN > Advanced section, enable the Allow AAA Override option.

 

Configuring FlexConnect

In the same WLAN > Advanced section, enable the FlexConnect Local Switching option.



Then open the Wireless menu and click each AP to which the ACLs should be applied. There, click External WebAuthentication ACLs.



Then choose the ACL in the WebAuth ACL drop-down menu for the particular WLAN Id.
Similarly, for Web Policy ACLs (for example: the Conditional Redirect or Splash Page Redirect), select an option for the FlexConnect ACLs under WebPolicies.



The ACLs can also be applied at the FlexConnect Group level. To do this, open the WLAN-ACL mapping tab in the FlexConnect Groups configuration. Then choose the WLAN Id and the ACLs you intend to apply and click Add. This lets you define ACLs for a group of APs.



Similarly, for WebPolicy ACLs (for example: the Conditional Redirect or Splash Page Redirect), you must select the WebPolicies tab.



Web Authentication and Web Pass-through Flex ACLs can also be applied to the WLAN. To do this, choose the ACL from the WebAuth FlexACL drop-down menu under the Layer 3 tab in WLAN > Security.

 

Allowing free access to the CDN

As explained in the article Improving the performance of Control Panel and Splash Portal by enabling the CDN, you must add some rules to allow access to the CDN.
The rules to add for this purpose are:

Rule #1:
Action: Permit
Source IP/Mask: 50.18.178.180/255.255.255.255
Destination IP/Mask: 0.0.0.0/0.0.0.0
Protocol: Any
Source Port: Any
Dest Port: 80
DSCP: Any
Direction: Outbound

Rule #2:
Action: Permit
Source IP/Mask: 0.0.0.0/0.0.0.0
Destination IP/Mask: 50.18.178.180/255.255.255.255
Protocol: Any
Source Port: 80
Dest Port: Any
DSCP: Any
Direction: Inbound

Rule #3:
Action: Permit
Source IP/Mask: 54.248.102.194/255.255.255.255
Destination IP/Mask: 0.0.0.0/0.0.0.0
Protocol: Any
Source Port: Any
Dest Port: 80
DSCP: Any
Direction: Outbound

Rule #4:
Action: Permit
Source IP/Mask: 0.0.0.0/0.0.0.0
Destination IP/Mask: 54.248.102.194/255.255.255.255
Protocol: Any
Source Port: 80
Dest Port: Any
DSCP: Any
Direction: Inbound

Rule #5:
Action: Permit
Source IP/Mask: 54.246.86.254/255.255.255.255
Destination IP/Mask: 0.0.0.0/0.0.0.0
Protocol: Any
Source Port: Any
Dest Port: 80
DSCP: Any
Direction: Outbound

Rule #6:
Action: Permit
Source IP/Mask: 0.0.0.0/0.0.0.0
Destination IP/Mask: 54.246.86.254/255.255.255.255
Protocol: Any
Source Port: 80
Dest Port: Any
DSCP: Any
Direction: Inbound

Rule #7:
Action: Permit
Source IP/Mask: 46.137.206.166/255.255.255.255
Destination IP/Mask: 0.0.0.0/0.0.0.0
Protocol: Any
Source Port: Any
Dest Port: 80
DSCP: Any
Direction: Outbound

Rule #8:
Action: Permit
Source IP/Mask: 0.0.0.0/0.0.0.0
Destination IP/Mask: 46.137.206.166/255.255.255.255
Protocol: Any
Source Port: 80
Dest Port: Any
DSCP: Any
Direction: Inbound

Rule #9:
Action: Permit
Source IP/Mask: 54.232.119.5/255.255.255.255
Destination IP/Mask: 0.0.0.0/0.0.0.0
Protocol: Any
Source Port: Any
Dest Port: 80
DSCP: Any
Direction: Outbound

Rule #10:
Action: Permit
Source IP/Mask: 0.0.0.0/0.0.0.0
Destination IP/Mask: 54.232.119.5/255.255.255.255
Protocol: Any
Source Port: 80
Dest Port: Any
DSCP: Any
Direction: Inbound

Rule #11:
Action: Permit
Source IP/Mask: 54.253.118.101/255.255.255.255
Destination IP/Mask: 0.0.0.0/0.0.0.0
Protocol: Any
Source Port: Any
Dest Port: 80
DSCP: Any
Direction: Outbound

Rule #12:
Action: Permit
Source IP/Mask: 0.0.0.0/0.0.0.0
Destination IP/Mask: 54.253.118.101/255.255.255.255
Protocol: Any
Source Port: 80
Dest Port: Any
DSCP: Any
Direction: Inbound
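
An added example (not part of the original article, and not Cloud4Wi or Cisco tooling): a small Python audit for rules written in the field layout above. It checks that every walled-garden entry is a single-host exception, that no rule opens all ports before login, and that each host has both an Outbound and an Inbound rule. The sample input is constructed: rules 1 to 3 reuse values from this page, rule 90 is hypothetical.

```python
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")
TEMPLATE = ("Rule #{}:\nAction: Permit\nSource IP/Mask: {}\n"
            "Destination IP/Mask: {}\nProtocol: Any\nSource Port: {}\n"
            "Dest Port: {}\nDSCP: Any\nDirection: {}\n")
H32, ALL = "/255.255.255.255", "0.0.0.0/0.0.0.0"
# Rules 1-3 copy values from the page; rule 90 is constructed (TEST-NET-3 range).
SAMPLE = "\n".join(TEMPLATE.format(*r) for r in [
    (1, "50.18.178.180" + H32, ALL, "Any", "80", "Outbound"),
    (2, ALL, "50.18.178.180" + H32, "80", "Any", "Inbound"),
    (3, "54.248.102.194" + H32, ALL, "Any", "80", "Outbound"),  # pair #4 omitted
    (90, "203.0.113.0/255.255.255.0", ALL, "Any", "Any", "Outbound"),
])

def parse_rules(text):
    """Turn 'Rule #N:' blocks of 'Key: value' lines into dicts."""
    rules = []
    for block in re.split(r"(?m)^Rule #", text)[1:]:
        head, _, body = block.partition(":\n")
        rule = dict(l.split(": ", 1) for l in body.splitlines() if ": " in l)
        rule["id"] = int(head)
        rules.append(rule)
    return rules

def audit(rules):
    """Return (rule_id_or_host, problem) findings for a walled-garden ACL."""
    findings, directions = [], {}
    for r in rules:
        src = ipaddress.ip_network(r["Source IP/Mask"])
        dst = ipaddress.ip_network(r["Destination IP/Mask"])
        peer = dst if src == ANY else src   # the non-wildcard side
        if (src == ANY) == (dst == ANY) or peer.prefixlen != 32:
            findings.append((r["id"], "not a single-host exception"))
        if r["Source Port"] == r["Dest Port"] == "Any":
            findings.append((r["id"], "all ports open before login"))
        directions.setdefault(str(peer), set()).add(r["Direction"])
    for host, seen in sorted(directions.items()):
        for missing in sorted({"Inbound", "Outbound"} - seen):
            findings.append((host, "no %s rule" % missing))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE)):
        print(finding)
```

Run it against the rules transcribed from the controller after any change to the walled garden; an empty result means every entry is a paired, single-host, port-restricted exception.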

 

Entering the device into the Control Panel

For Cisco Wireless Access Points in the "Controller - AP" architecture, the Control Panel requires only the MAC address. The Identifier field is not required.
To add a new Hotspot to the system, please read How to add a Hotspot.

 

Parameters for the Solution

The parameters to integrate the device with the Solution are the following:

Redirect URL after login: https://splashportal.cloud4wi.com/
External Webauth URL: https://splashportal.cloud4wi.com/
Web Server IP Address (primary): 54.247.117.188
Web Server IP Address (secondary): 79.125.111.180
RADIUS Server Address (primary): 54.247.117.188
RADIUS Server Address (secondary): 79.125.111.180
Authentication port: 1812
Accounting port: 1813
Shared Secret: (it will be communicated by Cloud4Wi)

Please note that the Splash Portal URL must be entered exactly as it is written above.
If you enter the Splash Portal URL in a different format (e.g. https://splashportal.cloud4wi.com/c4wportal/mysplashportal), the redirection to the Splash Portal will fail and the end-user will not be able to see the Splash Portal.

If these parameters change in the future, we will promptly inform you about new values.
