Purpose
This guide shows how to configure a Cisco Systems device in the "Controller - AP" architecture for Cloud4Wi.
Prerequisites
This article applies to all Cisco WiFi controllers. The configuration procedure has been performed and tested on version 7.4.121.0.
Minimum compatibility: 7.4.121.0
To correctly integrate a Cisco controller with the Solution, it is necessary that the controller:
- is connected to the Internet
- is reachable on the network
- correctly assigns IP addresses to access points
- has both the management port and service port correctly set
To ensure a proper user experience, you must upload a trusted certificate to the controller.
RADIUS server for the authentication
To correctly set up the authentication, you must click the Security → RADIUS → Authentication menu. To display or edit the details for an existing RADIUS server you must click the corresponding Server Index.
Otherwise, to create a new RADIUS server, it is necessary to select New... You have to configure the following parameters:
Call Station ID Type: AP MAC Address
MAC Delimiter: Colon
Server Address: 54.247.117.188
Shared Secret: (Cloud4Wi will communicate it)
Port: 1812
You can also configure a secondary RADIUS server. Please check its data in the section called Parameters for the Solution, at the end of this page.
RADIUS server for the accounting
To correctly set up the accounting, you must click the Security → RADIUS → Accounting menu. To display or edit the details for an existing RADIUS server you must click the corresponding Server Index.
Otherwise, to create a new RADIUS server, it is necessary to select New... You have to configure the following parameters:
MAC Delimiter: Colon
Server Address: 54.247.117.188
Shared Secret: (Cloud4Wi will communicate it)
Port: 1813
You can also configure a secondary RADIUS server. Please check its data in the section called Parameters for the Solution, at the end of this article.
Splash Page configuration
To configure the Splash Page, it is necessary to click the Security → Web Auth → Web Login page.
Set the following values:
- Web Authentication Type: External (Redirect to external server)
- Redirect URL after login: https://splashportal.cloud4wi.com
- External Webauth URL: https://splashportal.cloud4wi.com
- Web Server IP Address: 54.247.117.188
Access Control List
An Access Control List (ACL) is a set of rules used to limit access to a particular interface.
You can set your ACL by clicking Security in the main toolbar and then Access Control List in the left sidebar.
In this case, it is necessary to set two access lists, Outbound and Inbound.
Through this feature, it is possible to configure the walled garden. The following articles are available:
- Walled garden for the Social Login (websites/domains to open)
- Walled garden for PayPal feature (websites/domains to open)
On Cisco WLC (firmware above 8.2.100) when NOT using FlexConnect, it is possible to use DNS-based ACLs. First, create your ACL and then click on Add-Remove URL to set your domains.
Authorizing an access point
You must allow an access point to pass traffic according to the policies just configured. To do that you must click Security → AAA → AP Policies and perform the following steps:
- Click Add to access the Add AP to Authorization List area.
- In the MAC address input field, enter the MAC address of the access point.
Configuring WLANs
You can view WLANs currently configured by accessing the WLANs section in the web interface.
To display or edit the details for an existing WLAN you must click the corresponding WLAN ID. To create a new WLAN, it is necessary to select Create New and then click the Go button.
In the Security → AAA Servers section, select the previously created RADIUS servers for the authentication and accounting phases.
In the same section, please make sure that the list called Authentication priority order for web-auth user has "RADIUS" set as the only item.
By accessing the WLAN → Advanced section, it is necessary to enable the Allow AAA Override option.
Configuring FlexConnect
In the same WLAN → Advanced section, it is necessary to enable the FlexConnect Local Switching option.
Then you must access the Wireless menu and click on each AP where you intend to apply ACLs. Here you must click External WebAuthentication ACLs.
Then, please choose the ACL in the WebAuth ACL drop-down menu for the particular WLAN Id.
Similarly, for Web Policy ACLs (for example, the Conditional Redirect or Splash Page Redirect), you have to select an option for the FlexConnect ACLs, under WebPolicies.
You can also apply ACLs at the FlexConnect Group level. To do this, please enter the WLAN-ACL mapping tab in the FlexConnect Groups configuration. Then, choose the WLAN Id and the ACLs you intend to apply and click Add. That allows defining ACLs for a group of APs.
Similarly, for WebPolicy ACLs (for example, the Conditional Redirect or Splash Page Redirect), you must select the WebPolicies tab.
You can also apply Web Authentication and Web Pass-through Flex ACLs to the WLAN. To do this, it is necessary to choose the ACL from the WebAuth FlexACL drop-down menu under the Layer 3 tab in WLAN → Security.
Allowing free access to the CDN
You have to add some rules to the ACL so that resources can be loaded from the CDN.
The rules to add for this purpose are:
Rule #1:
Action: Permit
Source IP/Mask: 50.18.178.180/255.255.255.255
Destination IP/Mask: 0.0.0.0/0.0.0.0
Protocol: Any
Source Port: Any
Dest Port: 80
DSCP: Any
Direction: Outbound
Rule #2:
Action: Permit
Source IP/Mask: 0.0.0.0/0.0.0.0
Destination IP/Mask: 50.18.178.180/255.255.255.255
Protocol: Any
Source Port: 80
Dest Port: Any
DSCP: Any
Direction: Inbound
Rule #3:
Action: Permit
Source IP/Mask: 54.248.102.194/255.255.255.255
Destination IP/Mask: 0.0.0.0/0.0.0.0
Protocol: Any
Source Port: Any
Dest Port: 80
DSCP: Any
Direction: Outbound
Rule #4:
Action: Permit
Source IP/Mask: 0.0.0.0/0.0.0.0
Destination IP/Mask: 54.248.102.194/255.255.255.255
Protocol: Any
Source Port: 80
Dest Port: Any
DSCP: Any
Direction: Inbound
Rule #5:
Action: Permit
Source IP/Mask: 54.246.86.254/255.255.255.255
Destination IP/Mask: 0.0.0.0/0.0.0.0
Protocol: Any
Source Port: Any
Dest Port: 80
DSCP: Any
Direction: Outbound
Rule #6:
Action: Permit
Source IP/Mask: 0.0.0.0/0.0.0.0
Destination IP/Mask: 54.246.86.254/255.255.255.255
Protocol: Any
Source Port: 80
Dest Port: Any
DSCP: Any
Direction: Inbound
Rule #7:
Action: Permit
Source IP/Mask: 46.137.206.166/255.255.255.255
Destination IP/Mask: 0.0.0.0/0.0.0.0
Protocol: Any
Source Port: Any
Dest Port: 80
DSCP: Any
Direction: Outbound
Rule #8:
Action: Permit
Source IP/Mask: 0.0.0.0/0.0.0.0
Destination IP/Mask: 46.137.206.166/255.255.255.255
Protocol: Any
Source Port: 80
Dest Port: Any
DSCP: Any
Direction: Inbound
Rule #9:
Action: Permit
Source IP/Mask: 54.232.119.5/255.255.255.255
Destination IP/Mask: 0.0.0.0/0.0.0.0
Protocol: Any
Source Port: Any
Dest Port: 80
DSCP: Any
Direction: Outbound
Rule #10:
Action: Permit
Source IP/Mask: 0.0.0.0/0.0.0.0
Destination IP/Mask: 54.232.119.5/255.255.255.255
Protocol: Any
Source Port: 80
Dest Port: Any
DSCP: Any
Direction: Inbound
Rule #11:
Action: Permit
Source IP/Mask: 54.253.118.101/255.255.255.255
Destination IP/Mask: 0.0.0.0/0.0.0.0
Protocol: Any
Source Port: Any
Dest Port: 80
DSCP: Any
Direction: Outbound
Rule #12:
Action: Permit
Source IP/Mask: 0.0.0.0/0.0.0.0
Destination IP/Mask: 54.253.118.101/255.255.255.255
Protocol: Any
Source Port: 80
Dest Port: Any
DSCP: Any
Direction: Inbound
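The rule list above follows a fixed pattern: one single-host Outbound rule and one matching Inbound rule per CDN address. The following check is an added example, not Cloud4Wi or Cisco code; it assumes the ACL has been transcribed in the same "Key: Value" layout used on this page, and the names parse_rules, audit and EXPECTED_HOSTS are hypothetical. It flags any rule that is wider than one host, names an unexpected address, or lacks its partner rule.

```python
import ipaddress
import re

TEMPLATE = ("Rule #{n}:\nAction: Permit\nSource IP/Mask: {src}\n"
            "Destination IP/Mask: {dst}\nProtocol: Any\nSource Port: {sp}\n"
            "Dest Port: {dp}\nDSCP: Any\nDirection: {d}\n")
ANY = "0.0.0.0/0.0.0.0"
# Constructed input in the page's layout: rules #1 and #2 as listed above, plus
# a constructed rule #13 that opens a /8 and has no inbound partner.
SAMPLE = (
    TEMPLATE.format(n=1, src="50.18.178.180/255.255.255.255", dst=ANY, sp="Any", dp="80", d="Outbound")
    + TEMPLATE.format(n=2, src=ANY, dst="50.18.178.180/255.255.255.255", sp="80", dp="Any", d="Inbound")
    + TEMPLATE.format(n=13, src="10.0.0.0/255.0.0.0", dst=ANY, sp="Any", dp="80", d="Outbound"))
EXPECTED_HOSTS = {"50.18.178.180"}  # assumption: subset of the CDN addresses on the page


def parse_rules(text):
    """Turn 'Rule #N:' blocks of 'Key: Value' lines into a list of dicts."""
    rules = []
    for line in text.splitlines():
        header = re.fullmatch(r"Rule #(\d+):", line.strip())
        if header:
            rules.append({"Rule": int(header.group(1))})
        elif ":" in line and rules:
            key, value = line.split(":", 1)
            rules[-1][key.strip()] = value.strip()
    return rules


def audit(rules, expected_hosts):
    """Return sorted (rule number, finding) pairs for rules that widen the walled garden."""
    findings, directions = [], {}
    for rule in rules:
        # On the page, Outbound rules name the host as source, Inbound as destination.
        field = "Source IP/Mask" if rule["Direction"] == "Outbound" else "Destination IP/Mask"
        net = ipaddress.ip_network(rule[field])
        if net.prefixlen != 32:
            findings.append((rule["Rule"], f"{net} is wider than a single host"))
        elif str(net.network_address) not in expected_hosts:
            findings.append((rule["Rule"], f"{net.network_address} is not an expected host"))
        directions.setdefault(net, {})[rule["Direction"]] = rule["Rule"]
    for net, seen in directions.items():
        for missing in {"Outbound", "Inbound"} - set(seen):
            findings.append((min(seen.values()), f"{net} has no {missing} rule"))
    return sorted(findings)


if __name__ == "__main__":
    for number, finding in audit(parse_rules(SAMPLE), EXPECTED_HOSTS):
        print(f"Rule #{number}: {finding}")
```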
HTTP/HTTPS Configuration
Go to Management → HTTP-HTTPS and enable the WebAuth SecureWeb option.
Entering the device details into the Cloud4Wi Dashboard
For Cisco Wireless access points in the "Controller - AP" architecture, the Cloud4Wi Dashboard requires only the MAC address. The Identifier field is not required.
To add a new access point to the system, please read How to add an access point.
Parameters for the Solution
The parameters to integrate the device with the Solution are the following:
Redirect URL after login: https://splashportal.cloud4wi.com/
External Webauth URL: https://splashportal.cloud4wi.com/
Web Server IP Address (primary): 54.247.117.188
Web Server IP Address (secondary): 79.125.111.180
RADIUS Server Address (primary): 54.247.117.188
RADIUS Server Address (secondary): 79.125.111.180
Authentication port: 1812
Accounting port: 1813
Shared Secret: (Cloud4Wi will communicate it)
Please note that it is necessary to enter the Splash Page URL exactly as it is written above.
If you enter the Splash Page URL in different formats (e.g., https://splashportal.cloud4wi.com/c4wportal/mysplashportal), then the redirection will fail, and the end-user will not be able to see the Splash Page.
If these parameters change in the future, we will promptly inform you about new values.