Guest access – Cisco Wireless Controller

In this topic, you will learn how to configure a Cisco Wireless Controller to work together with the Portnox™ Cloud captive portal for guest user authentication.

Before you begin configuring your access point, you must configure the guest network in Portnox Cloud and note down the values of the fields: IP (for walled garden) and Captive Portal URL.

Important: This guide provides general instructions for integrating Portnox Cloud with specific third-party devices. While we aim to provide helpful examples for commonly used models, configurations may vary across manufacturers, models, and environments. As a result, we cannot guarantee that these steps will work in every scenario. For questions or issues related to RADIUS setup – which is an industry standard and not specific to Portnox – or device-specific settings and troubleshooting, we recommend consulting the device manufacturer’s documentation and contacting their support team. While Portnox Support is happy to assist where possible, please note that detailed configuration of third-party devices is typically best handled by the manufacturer.

Warning: This topic contains documentation prepared by our support agents more than 12 months ago. It may not cover the newest models or the newest interfaces of NAS devices. We’re working on bringing you updated documentation for NAS devices in the near future. However, the methods of setting up third-party devices may still change when the manufacturers update their firmware or release new models.

Navigate to Security > AAA > RADIUS > Authentication and click on New to add a new authentication RADIUS server.
In the RADIUS Authentication Servers > Edit window that appears:
1. Enter your Portnox Cloud RADIUS details that you noted down when creating your RADIUS server.
2. Set the Server Timeout to 30 seconds.
3. Optional: Repeat this for the second RADIUS server, if needed.
Navigate to Security > AAA > RADIUS > Accounting and click on New to add a new accounting RADIUS server.
In the RADIUS Accounting Servers > Edit window that appears:
1. Enter your Portnox Cloud RADIUS details that you noted down when creating your RADIUS server.
2. Set the Server Timeout to 30 seconds.
3. Optional: Repeat this for the second RADIUS server, if needed.
Navigate to Security > Access Control Lists and click on New to create a new access control list
In the Access Control List > Rules window, click on Add New Rule to add each of the following two rules:
1. For the first rule:
  - In Sequence, enter 1.
  - In Source, enter the first IP address for walled garden that you obtained when you configured the guest network in Portnox Cloud.
  - In Action, select Permit.
2. For the second rule:
  - In Sequence, enter 2.
  - In Destination, enter the same first IP address for walled garden.
  - In Action, select Permit.
3. Click on Apply. Verify that the two rules are listed similarly to the rules shown below.
Navigate to Security > Web Auth > Web Login Page and then:
1. In Web Authentication Type, select External (Redirect to external server).
2. In Redirect URL after login, enter the URL of the page to which the user will be redirected after being successfully authenticated, or after approving the disclaimer.
  Note: In this example, we used the Portnox home page, but you should use a page relevant to your company.
3. In External Webauth URL, enter the Captive Portal URL that you obtained when you configured the guest network in Portnox Cloud.
Navigate to WLANs and select the WLAN to be secured or create a new WLAN.
1. Select Security > Layer 2.
2. In Layer 2 Security, select None.
3. Select Security > Layer 3.
4. In Layer 3 Security, select Web Policy, and then select the Authentication radio button.
5. In Preauthentication ACL, select the access control list you created earlier.
6. Select Security > AAA Servers.
7. Select the RADIUS authentication server and the RADIUS accounting server that you added earlier.
8. Click on Apply to apply the changes.
9. Navigate to Controller > Interfaces and select the virtual interface.
10. Check the value in the virtual interface’s DNS Host Name field:
  - If a DNS Host Name is listed, make sure there is a DNS record for the listed host name on your local DNS server (this is a Cisco requirement).
  - If the DNS Host Name field is empty, continue to the next step.
  Note: The IP address of the virtual interface must be an address from one of the private IP ranges. We recommend that you use an IP address from a range that is not used in your internal network infrastructure, or make sure that this IP address is not used by any other interface in your network.
Optional: Configure the re-authentication timeout for the guest WLAN (the maximum time the device session remains active before requiring re-authentication):
1. Navigate to WLANs, select the relevant WLAN, and select the Advanced tab.
2. In the Advanced tab, select the Enable Session Timeout checkbox and set the Session Timeout value.