Wi-Fi employee access – Cisco Wireless Controller

In this topic, you will learn how to configure a Cisco Wireless Controller to work together with Portnox™ Cloud and 802.1X RADIUS authentication for Wi-Fi connections.

Warning: We tested this configuration using a Cisco Virtual Wireless Controller with software version 8.10.142.0 in our lab, but we cannot guarantee that it will cover every relevant product and version. Also, the configuration is generic and may not fit every single environment. Therefore, to get the most accurate and current configuration guidance on 802.1X configuration, we strongly recommend that you refer to the documentation provided by Cisco on these topics for your particular software version and related devices.
  1. In the top menu of the Cisco Wireless Controller web interface, click on the SECURITY option

  2. In the left-hand side menu, select the AAA > RADIUS > Authentication options.

  3. In the RADIUS Authentication Servers pane, click on the New... button in the top-right corner.

  4. In the RADIUS Authentication Servers > New pane, enter the details of the Portnox Cloud RADIUS server that you created earlier: the Server IP Address, the authentication Port Number, and the Shared Secret. Set the timeout to 30 seconds. Then, click on the Apply button in the top-right corner.
    Note: The Support for CoA switch should be set to Enable if you want to use the CoA feature and/or the IPSK feature of Portnox Cloud.

  5. If you use two Cloud RADIUS servers in both regions, repeat the above steps for the second RADIUS server.

    The above screenshot shows an example configuration for two Cloud RADIUS region authentication servers. Adjust the IP addresses and port numbers to your tenant configuration.

  6. In the left-hand side menu select AAA > RADIUS > Accounting menu option.

  7. In the RADIUS Accounting Servers pane, click on the New... button in the top-right corner.

  8. In the RADIUS Accounting Servers > New pane, enter the details of the Portnox Cloud RADIUS server that you created earlier: the Server IP Address, the accounting Port Number, and the Shared Secret. Set the timeout to 30 seconds. Then, click on the Apply button in the top-right corner.

  9. If you use two Cloud RADIUS servers in both regions, repeat the above steps for the second RADIUS server.

    The above screenshot shows an example configuration for two Cloud RADIUS region accounting servers. Adjust the IP addresses and port numbers to your tenant configuration.

  10. In the top menu of the Cisco Wireless Controller web interface, click on the WLANs option

  11. In the WLANs pane, select the Create New option from the drop-down menu, and then click on the Go button.

    Note: Instead of creating a new WLAN, you can edit an existing WLAN by clicking on the number in the WLAN ID column.

  12. In the WLANs > New pane, enter the Profile Name and the SSID for the secure SSID that you want to create, and then click on the Apply button in the top-right corner.

  13. In the WLANs > Edit pane, click on the Security tab and select the following options in the Layer 2 tab that is opened by default:

    1. In the Layer 2 Security field, select the WPA2+WPA3 option.
      Note: If you want to use this SSID to connect IoT devices that do not support 802.1x, select the None option and activate the MAC Filtering checkbox instead.
    2. In the Security Type field, select the Enterprise option.
    3. In the Authentication Key Management section, activate the Enable checkbox next to the 802.1X-SHA1 option.
  14. Click on the AAA Servers tab and in the Authentication Servers and Accounting Servers columns, select the relevant servers that you defined earlier. Then, click on the Apply button in the top-right corner.

    Important: If you want to use the IPSK feature of Portnox Cloud, additionally, activate the RADIUS Server Overwrite Interface checkbox.

    The following screenshot shows an example configuration for two Cloud RADIUS servers. Adjust the IP addresses and port numbers to your tenant configuration.

Result: Your Wi-Fi devices can now access the protected Wi-Fi network, using the Portnox Cloud RADIUS servers for authentication.