Purpose
This guide shows how to configure the Cisco Catalyst 9800 to work with Cloud4Wi.
Please note that the images in this article may show outdated configuration data. When in doubt, rely on the values given in the text, which are up to date.
Prerequisites
- Cisco Catalyst 9800
- Firmware: at least IOS-XE v16.12 (4a)
To correctly integrate a Cisco controller with the Solution, it is necessary that the controller:
- is connected to the Internet
- is reachable on the network
- correctly assigns IP addresses to access points
- has both the management port and service port correctly set
To ensure a proper user experience, upload a trusted certificate to the controller.
Web Auth configuration
Click on Configuration > Security > Web Auth on the left. Click on the global profile and configure as described below:
- Virtual IPv4 Address: 192.0.2.1
Click Apply to save. Next, click the Add button. Configure as described below:
- Parameter-map name: guest_wifi
- Maximum HTTP connections: 200
- Init-State Timeout: 3600
- Type: webauth
Click Apply to Device to save.
Next, click on the profile you just created and configure as described below.
On the General tab:
- Banner Type: None
- Type: webauth
- Captive Bypass Portal: Disabled
- Disable Success Window: Enabled
- Disable Logout Window: Enabled
- Sleeping Client Status: Enabled
- Sleeping Client Timeout: 720
On the Advanced tab:
- Redirect for log-in: https://splashportal.cloud4wi.com
- Redirect On-Success: https://splashportal.cloud4wi.com
- Redirect On-Failure: https://splashportal.cloud4wi.com
- Redirect Append for AP MAC Address: ap_mac
- Redirect Append for Client MAC Address: client_mac
- Redirect Append for WLAN SSID: wlan_ssid
- Portal IPV4 Address: 54.247.117.188
Click Apply to save.
RADIUS configuration
Next, click on Configuration > Security > AAA on the left. Select the Servers / Groups tab and click Add.
Configure as described below.
- Name: Primary_radius
- IPv4 / IPv6 Server Address: 54.247.117.188
- PAC key: unflagged
- Key Type: 0
- Key: (it will be communicated by Cloud4Wi)
- Confirm Key: as above
- Auth Port: 1812
- Acct Port: 1813
- Server Timeout: 10
- Retry Count: 3
- Support for CoA: Enabled
Click Apply to Device to save.
Next, click Add again and configure as described below:
- Name: Secundary_radius
- IPv4 / IPv6 Server Address: 79.125.111.180
- PAC key: unflagged
- Key Type: 0
- Key: (it will be communicated by Cloud4Wi)
- Confirm Key: as above
- Auth Port: 1812
- Acct Port: 1813
- Server Timeout: 10
- Retry Count: 3
- Support for CoA: Enabled
Click Apply to Device to save.
On the Server Groups sub-tab, click Add. Configure as described below:
- Name: guest_radius
- Group Type: RADIUS
- MAC-Delimiter: hyphen
- MAC-Filtering: none
- Dead-time (mins): 5
- Load Balance: disabled
- Assigned Servers: Primary_radius, Secundary_radius
Click Apply to Device to save.
Next, click on the AAA Method List tab. In the Authentication section, click Add and configure as described below:
- Method List Name: guest_auth
- Type: login
- Group Type: group
- Assigned Server Groups: guest_radius
Click Apply to Device to save.
Next, click the Accounting sub nav menu on the left and click Add. Configure as described below:
- Method List Name: guest_acct
- Type: identity
- Assigned Server Groups: guest_radius
Click Apply to Device to save.
Next, click the AAA Advanced tab and configure as described below:
- Local Authentication: none
- Local Authorization: none
- Radius server load balance: none
- Interim update: flagged
- Interim interval (Minutes): 5
Then Show Advanced Settings >>> Radius Attributes. Configure both Accounting and Authentication with:
- Call Station ID: ap-macaddress-ssid
- Call Station ID Case: upper
- MAC-Delimiter: hyphen
- Username Case: lower
- Username Delimiter: none
Click Apply to Device to save.
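With the RADIUS attribute settings above, the Called-Station-Id sent to the RADIUS servers should carry the AP MAC in upper case with hyphen delimiters, followed by the SSID. The following is an added example, not part of the Cloud4Wi guide or of Cisco's software: it parses that attribute and flags accounting records that do not match the expected format, AP inventory or SSID. It assumes the RFC 3580 layout (MAC, colon, SSID); the function names, the AP inventory and the sample records are constructed for illustration.

```python
import re

# RFC 3580 layout for 802.11: AP MAC, a colon, then the SSID (assumed here).
# With the settings above the MAC is upper case with hyphen delimiters.
_CALLED_STATION = re.compile(r"^((?:[0-9A-F]{2}-){5}[0-9A-F]{2}):(.{1,32})$")


def parse_called_station_id(value):
    """Return (ap_mac, ssid), or raise ValueError if the layout is off."""
    match = _CALLED_STATION.match(value)
    if match is None:
        raise ValueError(f"unexpected Called-Station-Id: {value!r}")
    return match.group(1), match.group(2)


def audit_records(records, known_aps, expected_ssid):
    """Return (record index, reason) for every record that needs a look."""
    findings = []
    for index, record in enumerate(records):
        try:
            ap_mac, ssid = parse_called_station_id(record["Called-Station-Id"])
        except (KeyError, ValueError) as exc:
            findings.append((index, f"malformed: {exc}"))
            continue
        if ap_mac not in known_aps:
            findings.append((index, f"unknown AP {ap_mac}"))
        if ssid != expected_ssid:
            findings.append((index, f"unexpected SSID {ssid!r}"))
    return findings


# Constructed sample accounting records (not captured from a real controller).
SAMPLE_RECORDS = [
    {"Called-Station-Id": "00-11-22-AA-BB-01:Guest WiFi"},
    {"Called-Station-Id": "00-11-22-AA-BB-99:Guest WiFi"},  # AP not in inventory
    {"Called-Station-Id": "00:11:22:aa:bb:01:Guest WiFi"},  # wrong case/delimiter
    {"Called-Station-Id": "00-11-22-AA-BB-01:Corp"},        # different WLAN
]
KNOWN_APS = {"00-11-22-AA-BB-01"}  # hypothetical inventory of registered APs

if __name__ == "__main__":
    for index, reason in audit_records(SAMPLE_RECORDS, KNOWN_APS, "Guest WiFi"):
        print(index, reason)
```

A record flagged as malformed usually means the Call Station ID Case or MAC-Delimiter setting was not applied to both Accounting and Authentication.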
WLAN configuration
Next, click Configuration > Tags & Policies > WLANs on the left. Click Add or edit an existing WLAN and configure as described below.
On the General tab:
- Profile Name: Guest WiFi
- SSID: Guest WiFi (or whatever you wish)
- Status: Enabled
- Radio Policy: All
- Broadcast SSID: Enabled
On the Security > Layer 2 tab:
- Layer 2 Security Mode: None
- MAC Filtering: Disabled
On the Security > Layer 3 tab, click Show Advanced Settings >>> and configure as described below:
- Web Policy: Enabled
- Web Auth Parameter Map: guest_wifi
- Authentication List: guest_radius
- On Mac Filter Failure: Disabled
- Splash Web Redirect: Disabled
- IPv4 ACL: WA-sec-54.247.117.188
Click Apply to Device to save.
URL filters & RADIUS Accounting
Next, click Configuration > Security > URL Filters. Click Add and configure as described below:
- List Name: guest_url_filter
- Type: PRE_AUTH
- Action: PERMIT
URLs:
- c4wstatic.cloud4wi.com
- c4wstaticjs.cloud4wi.com
- cloud4wi.com
For Facebook:
- facebook.com
- facebook.net
- m.facebook.com
- xwf.facebook.com
- static.xx.fbcdn.net
- connect.facebook.net
- c4wstatic.cloud4wi.com
- xwf-static.xx.fbcdn.net
- c4wstaticjs.cloud4wi.com
- xwf-scontent.xx.fbcdn.net
Go to Configuration > Tags & Profiles > Policy and click Add. Configure as described below.
On the General tab:
- Name: guest_policy
- Status: Enabled
On the Access Policies tab:
- IPv4 ACL: leave blank
- IPv6 ACL: leave blank
- URL Filters: guest_url_filter
On the Advanced tab:
- Session Timeout: 1800
- Idle Timeout: 300
- Client Exclusion Timeout (sec): unchecked
- Allow AAA Override: Enabled
- Accounting List: guest_acct
Click Apply to Device to save.
Tags & Profiles
Next, click Configuration > Tags & Profiles > Tags on the left. Click Add and configure as described below:
- Name: guest_tag
- WLAN Profile: Guest WiFi
- Policy Profile: guest_policy
Click Apply to Device to save.
HTTP/HTTPS
Finally, click Administration > Management > HTTP/HTTPS/Netconf on the left. Configure as described below:
- HTTP Access: Enabled
- HTTPS Access: Enabled
Be sure to click on Save Configuration at the top right of the page to ensure your changes are persisted on reboot.
Access point identity
In order to ensure correct end-to-end communication with our solution and with our RADIUS servers, please set the "AP MAC Address" as the NAS identifier.
After doing this, you can add the new access point into our Admin Panel, by entering its MAC address.