Guest access – Cisco Wireless Controller

In this topic, you will learn how to configure a Cisco Wireless Controller to work together with the Portnox™ Cloud captive portal for guest user authentication.

Important:
This guide gives general instructions for integrating Portnox Cloud with specific third-party devices. We try to provide useful examples for common models, but settings can differ between manufacturers, models, and environments. Because of this, we cannot guarantee these steps will work in every case. For questions or problems with RADIUS setup – which is an industry standard and not specific to Portnox – or with device-specific settings and troubleshooting, we recommend checking the device manufacturer’s documentation and contacting their support team. Portnox Support can help when possible, but detailed setup of third-party devices is usually best handled by the manufacturer. We also recommend updating your NAS device firmware to the latest version, as old firmware can cause issues.
Important:
All values in this configuration are examples. Make sure to adjust the configuration to your individual profile names, RADIUS server addresses, ports, and keys by replacing the values that are presented as underlined italics.

Cisco Catalyst 9800 Wireless LAN Controller (IOS-XE)

Before you begin configuring your wireless controller, you must:

Note:
This configuration was tested on Cisco Catalyst 9800, but it may be appropriate for other IOS-XE-based wireless LAN controllers.
  1. Navigate to Configuration > Security > AAA and click on the + Add button to create an AAA RADIUS server configuration.
  2. In the Create AAA Radius Server window, enter the RADIUS server details:

    1. In the Name field, enter the name of this server, for example, Portnox Cloud US.
    2. In the IPv4 / IPv6 Server Address field, enter the Cloud RADIUS IP value copied from the Cloud RADIUS server configuration.
    3. In the Key and Confirm Key fields, enter the Shared Secret value copied from the Cloud RADIUS server configuration.
    4. In the Auth Port field, enter the Authentication port value copied from the Cloud RADIUS server configuration.
    5. In the Acct Port field, enter the Accounting port value copied from the Cloud RADIUS server configuration.
    6. Click on the Apply to Device button.
    Note:
    If you want to use more than one Cloud RADIUS server, repeat the steps above for the second server.
  3. Navigate to Configuration > Security > AAA > Servers / Groups > RADIUS > Server Groups, and click on the + Add button to create a RADIUS server group configuration.
  4. In the Create AAA Radius Server Group window, configure the RADIUS server group details:

    1. In the Name field, enter a name for this group.
    2. In the MAC-Delimiter field, select the hyphen option.
    3. In the MAC-Filtering field, select the none option.
    4. Use the > button to move all Portnox Cloud servers from the Available Servers list to the Assigned Servers list.
    5. Click on the Apply to Device button.
  5. Navigate to Configuration > Security > AAA > AAA Method List > Authentication, and click on the + Add button to create an AAA authentication list.
  6. In the Quick Setup: AAA Authentication window, configure the AAA authentication list details:

    1. In the Method List Name field, enter a name for this method list.
    2. In the Type field, select the login option.
    3. In the Group Type field, select the group option.
    4. Use the > button to move the Portnox Cloud RADIUS server group from the Available Server Groups list to the Assigned Server Groups list.
    5. Click on the Apply to Device button.
  7. Navigate to Configuration > Security > Web Auth, and click on the + Add button to create a web auth parameter map.
  8. In the Create Web Auth Parameter window, enter a Parameter-map Name, and in the Type field, select the webauth option. Then, click on the Apply to Device button.

  9. Select and open the newly created parameter map to edit it, and make sure that the Captive Bypass Portal checkbox is not active. Then, click on the Advanced tab.

    You can also optionally set the Banner Title.

  10. In the Redirect to external server section:

    1. In the Redirect URL for login field, paste the Captive Portal URL value copied from Portnox Cloud when creating the guest network (see first steps in this section).
    2. In the Portal IPv4 Address field, paste the IP (for walled garden) value copied from Portnox Cloud when creating the guest network.
      Note:
      The IP (for walled garden) field may contain more than one IP, but Catalyst 9800 allows only one IP to be entered. If so, choose any of the IPs from this field.
    3. Click on the Update & Apply button.
  11. Navigate to Configuration > Security > ACL and add or edit an ACL (access control list) that you will use as a pre-authentication ACL for the captive portal.

    1. Optional: If creating a new ACL, enter its name in the ACL Name field.
    2. In the relevant Source IP and Destination IP fields, use the addresses from the IP (for walled garden) field, from Portnox Cloud guest network configuration.
    3. Click on the Update & Apply to Device button.
  12. Navigate to Configuration > Tags & Profiles > WLANs, and click on the + Add button to add a new WLAN or edit an existing WLAN, and then click on the Security tab.
    If you add a new WLAN, enter its Profile Name and SSID before you go to the Security tab.
  13. In the Add WLAN or Edit WLAN window, in the Advanced > Layer2 tab, choose the None option and leave the default values for other settings.

  14. In the Layer 3 tab:

    1. Activate the Web Policy checkbox.
    2. In the Web Auth Parameter Map field, select the parameter map that you created earlier.
    3. In the Authentication List field, select the AAA authentication list that you created earlier.
    4. In the Preauthentication ACL section, in the IPv4 field, select the preauthentication ACL that you created earlier.
    5. Click on the Update & Apply to Device button.
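
The pre-authentication ACL from step 11 decides what unauthenticated guests can reach, so it should permit traffic to and from the IP (for walled garden) addresses and nothing else. The following is an added example, not part of the Portnox or Cisco documentation: a small audit of ACL entries written in IOS-style "permit ip ..." form. The function name, the sample ACL, and the sample addresses are constructed for illustration.

```python
import ipaddress
import re

# One ACL entry, with or without a sequence number, e.g. "10 permit ip any host 192.0.2.10".
ENTRY = re.compile(r"^(?:\d+\s+)?(permit|deny)\s+ip\s+(any|host\s+\S+)\s+(any|host\s+\S+)$")

def audit_preauth_acl(acl_text, walled_garden_ips):
    """Return findings for a pre-authentication ACL; an empty list means it is tight."""
    allowed = {ipaddress.ip_address(ip) for ip in walled_garden_ips}
    permitted = set()  # (direction, ip) pairs the ACL opens for unauthenticated guests
    findings = []
    for line in (l.strip() for l in acl_text.splitlines() if l.strip()):
        m = ENTRY.match(line)
        if not m:
            findings.append(f"unparsed entry, review by hand: {line}")
            continue
        action, src, dst = m.groups()
        if action != "permit":
            continue
        if src == dst == "any":
            findings.append(f"too broad, opens everything before login: {line}")
            continue
        # Check each host endpoint of the entry against the walled-garden list.
        for direction, end, other in (("from", src, dst), ("to", dst, src)):
            if end == "any":
                continue
            ip = ipaddress.ip_address(end.split()[1])
            if ip not in allowed:
                findings.append(f"host {ip} is not a walled-garden IP: {line}")
            elif other == "any":
                permitted.add((direction, ip))
    # Every walled-garden IP needs a permit in both directions for the portal to load.
    for ip in sorted(allowed):
        for direction in ("to", "from"):
            if (direction, ip) not in permitted:
                findings.append(f"missing permit {direction} portal IP {ip}")
    return findings

# Constructed sample values (documentation address ranges), not real Portnox IPs.
WALLED_GARDEN = ["192.0.2.10", "198.51.100.20"]
SAMPLE_ACL = """
10 permit ip any host 192.0.2.10
20 permit ip host 192.0.2.10 any
30 permit ip any host 198.51.100.20
40 permit ip any host 203.0.113.5
50 permit ip any any
"""

if __name__ == "__main__":
    print("\n".join(audit_preauth_acl(SAMPLE_ACL, WALLED_GARDEN)))
```

On the sample input, the audit reports the extra host in entry 40, the catch-all in entry 50, and the missing return rule for the second portal IP.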

Cisco AireOS Wireless LAN Controllers

Before you begin configuring your access point, you must configure the guest network in Portnox Cloud and note down the values of the fields: IP (for walled garden) and Captive Portal URL.

Warning:
This topic contains documentation prepared by our support agents more than 12 months ago. It may not cover the newest models or the newest interfaces of NAS devices. We’re working on bringing you updated documentation for NAS devices in the near future. However, the methods of setting up third-party devices may still change when the manufacturers update their firmware or release new models.
  1. Navigate to Security > AAA > RADIUS > Authentication and click on New to add a new authentication RADIUS server.
  2. In the RADIUS Authentication Servers > Edit window that appears:

    1. Enter your Portnox Cloud RADIUS details that you noted down when creating your RADIUS server.
    2. Set the Server Timeout to 30 seconds.
    3. Optional: Repeat this for the second RADIUS server, if needed.
  3. Navigate to Security > AAA > RADIUS > Accounting and click on New to add a new accounting RADIUS server.
  4. In the RADIUS Accounting Servers > Edit window that appears:

    1. Enter your Portnox Cloud RADIUS details that you noted down when creating your RADIUS server.
    2. Set the Server Timeout to 30 seconds.
    3. Optional: Repeat this for the second RADIUS server, if needed.
  5. Navigate to Security > Access Control Lists and click on New to create a new access control list.
  6. In the Access Control List > Rules window, click on Add New Rule to add each of the following two rules:
    1. For the first rule:

    2. For the second rule:

      • In Sequence, enter 2.

      • In Destination, enter the same first IP address for walled garden.

      • In Action, select Permit.

    3. Click on Apply. Verify that the two rules are listed similarly to the rules shown below.

  7. Navigate to Security > Web Auth > Web Login Page and then:

    1. In Web Authentication Type, select External (Redirect to external server).
    2. In Redirect URL after login, enter the URL of the page to which the user will be redirected after being successfully authenticated, or after approving the disclaimer.
      Note:
      In this example, we used the Portnox home page, but you should use a page relevant to your company.
    3. In External Webauth URL, enter the Captive Portal URL that you obtained when you configured the guest network in Portnox Cloud.
  8. Navigate to WLANs and select the WLAN to be secured or create a new WLAN.
    1. Select Security > Layer 2.
    2. In Layer 2 Security, select None.

    3. Select Security > Layer 3.
    4. In Layer 3 Security, select Web Policy, and then select the Authentication radio button.
    5. In Preauthentication ACL, select the access control list you created earlier.

    6. Select Security > AAA Servers.
    7. Select the RADIUS authentication server and the RADIUS accounting server that you added earlier.

    8. Click on Apply to apply the changes.
    9. Navigate to Controller > Interfaces and select the virtual interface.

    10. Check the value in the virtual interface’s DNS Host Name field:

      • If a DNS Host Name is listed, make sure there is a DNS record for the listed host name on your local DNS server (this is a Cisco requirement).

      • If the DNS Host Name field is empty, continue to the next step.

      Note:
      The IP address of the virtual interface must be an address from one of the private IP ranges. We recommend that you use an IP address from a range that is not used in your internal network infrastructure, or make sure that this IP address is not used by any other interface in your network.
  9. Optional: Configure the re-authentication timeout for the guest WLAN (the maximum time the device session remains active before requiring re-authentication):

    1. Navigate to WLANs, select the relevant WLAN, and select the Advanced tab.
    2. In the Advanced tab, select the Enable Session Timeout checkbox and set the Session Timeout value.