Purpose
This guide shows how to configure the Cisco Catalyst 9800 to use it in accordance with Cloud4Wi updated to 17.9.4a
Please note that the images contained in this article may contain outdated configuration data. Therefore, please check the text data, as they are certainly up to date.
Prerequisites
- Cisco Catalyst 9800
To correctly integrate a Cisco controller with the Solution, it is necessary that the controller:
- is connected to the Internet
- is reachable on the network
- correctly assigns IP addresses to access points
- has both the management port and service port correctly set
Important: To ensure proper user experience, you have to upload a trusted certificate into the controller.
More details on the certificate:
When the user submits their login credentials before going online, the controller performs an internal redirection to a predefined URL (DNS A record created by Customer) (e.g., https://wifiguest.domain.com).
Before proceeding with authentication, the controller verifies the certificate of the controller:
- Common Name (CN) / Subject Alternative Name (SAN): Must match the configured FQDN (e.g., wifiguest.domain.com).
- IP binding (if configured): The certificate must be valid for the assigned portal IP (e.g., 192.0.2.1).
- Certificate validity and issuer: Must be issued by a trusted CA and still valid.
WEB Auth configuration
Click on Configuration > Security > Web Auth on the left. Click on the global profile and configure as described below:
- Virtual IPv4 Address: 192.0.2.1
- Type: Webauth
- Disable Success Window: flagged
- Disable Logout Window: flagged
- Disable Cisco Logo: flagged
- Sleeping Client Timeout (minutes): 720
To prevent potential security alerts during the authentication phase, it is necessary in the Trustpoint section to select a previously uploaded trusted certificate and associate the corresponding FQDN in the format hostname.domain.com in the Virtual IPv4 Hostname section. In this case, the “Web Auth intercept HTTPS” option must be enabled.
Click Apply to save. Next, click the Add button. Configure as described below:
- Parameter-map name: guest_wifi
- Maximum HTTP connections: 200
- Init-State Timeout: 3600
-
Type: webauth
- Disable Success Window: flagged
- Disable Logout Window: flagged
- Disable Cisco Logo: flagged
- Sleeping Client Timeout (minutes): 720
On the Advanced tab:
- Redirect for log-in: https://splashportal.cloud4wi.com
- Redirect On-Success: https://splashportal.cloud4wi.com
- Redirect On-Failure: https://splashportal.cloud4wi.com
- Redirect Append for AP MAC Address: ap_mac
- Redirect Append for Client MAC Address: client_mac
- Redirect Append for WLAN SSID: wlan_ssid
- Portal IPV4 Address: 54.247.117.188
Click Apply to save.
Images:
RADIUS configuration
Next, click on Configuration > Security > AAA on the left. Select the Servers / Groups tab click Add.
Configure as described below.
- Name: Primary_radius
- IPv4 / IPv6 Server Address: 54.216.93.188
- PAC key: unflagged
- Key Type: Clear Text
- Key: (it will be communicated by Cloud4Wi)
- Confirm Key: as above
- Auth Port: (it will be communicated by Cloud4Wi)
- Acct Port: (it will be communicated by Cloud4Wi)
- Server Timeout: 10
- Retry Count: 3
- Support for CoA: Enabled
Click Apply to Device to save.
Next, click Add again and configure as described below:
- Name: Secundary_radius
- IPv4 / IPv6 Server Address: 34.249.131.154
- PAC key: unflagged
- Key Type: 0
- Key: (it will be communicated by Cloud4Wi)
- Confirm Key: as above
- Auth Port: (it will be communicated by Cloud4Wi)
- Acct Port: (it will be communicated by Cloud4Wi)
- Server Timeout: 10
- Retry Count: 3
- Support for CoA: Enabled
Click Apply to Device to save.
On the Server Groups sub-tab, click Add. Configure as described below:
- Name: guest_radius
- Group Type: RADIUS
- MAC-Delimiter: hyphen
- MAC-Filtering: none
- Dead-time (mins): 5
- Load Balance: disabled
- Assigned Servers Primary_radius, Secundary_radius
Click Apply to Device to save.
Next, click on the AAA Method List tab. Authentication section -->Click Add and configure as described below:
- Method List Name: guest_auth
- Type: login
- Group Type: group
- Assigned Server Groups: guest_radius
- Click Apply to Device to save.
- Next, click the Accounting sub nav menu on the left and click Add. Configure as described below:
- Method List Name: guest_acct
- Type: identity
- Assigned Server Groups: guest_radius
Click Apply to Device to save.
Next, click the AAA Advanced tab
- Local Authentication: none
- Local Authorization: none
- Radius server load balance: none
- Interime update: flagged
- Interim interval (Minutes): 5
Then Show Advanced Settings >>> Radius Attributes. Configure both Accounting and Authentication with:
- Call Station ID: ap-macaddress-ssid
- Call Station ID Case: upper
- MAC-Delimiter: hyphen
- Username Case: lower
- Username Delimiter: none
Click Apply to Device to save.
WLAN configuration
Next, click Configuration > Tags & Policies > WLANs on the left. Click Add or edit an existing WLAN and configure as described below.
On the General tab:
- Profile Name: Guest WiFi
- SSID: Guest WiFi (or whatever you wish)
- Status: Enabled
- Radio Policy: All
- Broadcast SSID: Enabled
On the Security > Layer 2 tab:
- Layer 2 Security Mode: None
- MAC Filtering: Enabled
On the Security > Layer 3 tab, click Show Advanced Settings >>> and configure as described below:
- Web Policy: Enabled
- Web Auth Parameter Map: guest_wifi
- Authentication List: guest_radius
- On Mac Filter Failure: Enabled
- Splash Web Redirect: Disabled
- IPv4 ACL: WA-sec-54.247.117.188
Click Apply to Device to save.
URL filters & RADIUS Accounting
Next, click Configuration > Security > URL Filters. Click Add and configure as described below:
- List Name: guest_url_filter
- Type: PRE_AUTH
- Action: PERMIT
URLs:
- c4wstatic.cloud4wi.com
- c4wstaticjs.cloud4wi.com
- cloud4wi.com
For Facebook (only if required):
- facebook.com
- facebook.net
- m.facebook.com
- xwf.facebook.com
- static.xx.fbcdn.net
- connect.facebook.net
- c4wstatic.cloud4wi.com
- xwf-static.xx.fbcdn.net
- c4wstaticjs.cloud4wi.com
- xwf-scontent.xx.fbcdn.net
Go to Configuration/Tags & Profile/Policy and click on add
On the General tab:
- Name: guest_policy
- Status: Enabled
On the Access Policies tab:
- IPv4 ACL: leave blank
- IPv6 ACL: leave blank
- URL Filters: guest_url_filter
On the Advanced tab:
- Session Timeout: 1800
- Idle Timeout: 300
-
Client Exclusion Timeout (sec): unchecked
- Allow AAA Override: Enabled
- Accounting List: guest_acct
Click Apply to Device to save.
Tags & Profiles
Next, click Configuration > Tags & Profiles > Tags on the left. Click Add and configure as described below:
- Name: guest_tag
- WLAN Profile: Guest WiFi
- Policy Profile: guest_policy
Click Apply to Device to save.
HTTP/HTTPS:
Finally, click Administration > Management > HTTP/HTTPS/Netconf on the left. Configure as described below:
- HTTP Access: Enabled
- HTTPS Access: Enabled
Be sure to click on Save Configuration at the top right of the page to ensure your changes are persisted on reboot.
Access point identity
In order to ensure correct end-to-end communication with our solution and with our RADIUS servers, please set the "AP MAC Address" as the NAS identifier.
After doing this, you can add the new access point into our Admin Panel, by entering its MAC address.
Parameters for the Solution
The parameters to use to integrate the device with the Solution are described in the following document:
Intro to WiFi network configuration