Free Guest WiFi for Cisco Wireless LAN Controller (WLC) V.2.100 or above

PoweredLocal (What the Fi, by PoweredLocal), Nov 30, 2018

Captive Login

Want to offer guest wifi with a captive login?
Do you want to build a marketing database by offering Free WiFi?

This guide is for you if you already have Cisco wireless access points and a Cisco WLC and want to add a configuration that broadcasts a ‘Free WiFi’ network.

What you’ll need

  1. Access to your Cisco Wireless Lan Controller
  2. A PoweredLocal account — you can get one of these by reaching out to us at poweredlocal.com

This guide will help you configure a Cisco AP to broadcast a wireless network that appears open (no password) but requires the user to authenticate with social or email details before it grants internet access.

Setting up PoweredLocal on the Controller

The guide below is a generic one for setting up the PoweredLocal service on a Cisco Wireless LAN Controller (WLC) as an additional WiFi network. Your IT department may need to configure other components that are unique to your network.

Step 1 — RADIUS

Click Security at the top and then AAA > RADIUS > Authentication on the left menu. Set the following and click Apply:

+-----------------------------+----------------------+
| Field | Value |
+-----------------------------+----------------------+
| Auth Called Station ID Type | AP MAC Address:SSID |
+-----------------------------+----------------------+

Click New at the top right and configure with:

+------------------------+-------------------------+
| Field | Value |
+------------------------+-------------------------+
| Server IP Address | radius.poweredlocal.com |
| Shared Secret Format | ASCII |
| Shared Secret | vxTFg1AWMd)m<#q |
| Confirm Shared Secret | vxTFg1AWMd)m<#q |
| Port | 1812 |
| Server Status | Enabled |
| Network User | No |
| Management | No |
+------------------------+-------------------------+

Click Apply to save.

Note: When you enter the RADIUS server you may see the error “Host for RADIUS is not a valid IP address.” This is expected: the field prefers an IP address but still works with a domain name. If your version of the controller continues to complain, use IP address 35.189.26.255 as RADIUS server #1 and create another entry with the same settings except 13.55.169.104 as RADIUS server #2.

Click RADIUS > Accounting on the left menu. Set the following and click Apply:

+------------------------------+----------------------+
| Field | Value |
+------------------------------+----------------------+
| Acct Called Station ID Type | AP MAC Address:SSID |
+------------------------------+----------------------+

Click New at the top right and configure with:

+------------------------+-----------------+
| Field | Value |
+------------------------+-----------------+
| Server IP Address | 35.189.26.255 |
| Shared Secret Format | ASCII |
| Shared Secret | vxTFg1AWMd)m<#q |
| Confirm Shared Secret | vxTFg1AWMd)m<#q |
| Port | 1813 |
| Server Status | Enabled |
| Network User | No |
| Management | No |
+------------------------+-----------------+

Click Apply to save. Click New again and configure with:

+------------------------+-----------------+
| Field | Value |
+------------------------+-----------------+
| Server IP Address | 13.55.169.104 |
| Shared Secret Format | ASCII |
| Shared Secret | vxTFg1AWMd)m<#q |
| Confirm Shared Secret | vxTFg1AWMd)m<#q |
| Port | 1813 |
| Server Status | Enabled |
| Network User | No |
| Management | No |
+------------------------+-----------------+

Click Apply to save.
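The RADIUS settings above, as an added worked example that is not part of the PoweredLocal guide and not Cisco's code: a small encoder/decoder for the Access-Request the controller sends and the Access-Accept it receives, showing what “Auth Called Station ID Type = AP MAC Address:SSID” puts on the wire and what the shared secret actually protects. The Called-Station-Id layout (“AA-BB-CC-DD-EE-FF:<SSID>”), the MAC addresses, the SSID and the request authenticator are assumptions and constructed sample data, not captures from a WLC.

```python
# Added example, not code from the PoweredLocal guide or from Cisco.
# Assumption: Called-Station-Id for "AP MAC Address:SSID" is formatted as
# "AA-BB-CC-DD-EE-FF:<SSID>"; MACs, SSID and authenticator below are constructed.
import hashlib
import hmac
import re
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# RFC 2865 attribute types used here
USER_NAME, NAS_IP_ADDRESS, CALLED_STATION_ID, CALLING_STATION_ID = 1, 4, 30, 31

SHARED_SECRET = b"vxTFg1AWMd)m<#q"   # the secret as printed in the guide
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$")


def encode_attrs(attrs):
    """Encode [(type, value_bytes), ...] as RADIUS type/length/value triples."""
    out = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return bytes(out)


def decode_attrs(data):
    """Parse type/length/value triples; reject truncated or malformed ones."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, request_authenticator, attrs):
    """The packet the WLC sends when the portal hands it a guest's credentials."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + request_authenticator + body


def build_response(code, request, secret, attrs=()):
    """Access-Accept/Reject. Response Authenticator (RFC 2865 section 3) =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    body = encode_attrs(list(attrs))
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body


def verify_response(response, request, secret):
    """What the WLC must check before honouring a reply: the ID matches the
    outstanding request and the Response Authenticator was made with the secret."""
    if len(response) < 20:
        return False
    _code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def split_called_station_id(value):
    """Split 'AA-BB-CC-DD-EE-FF:SSID' into (base radio MAC, SSID). Only the
    first colon is the separator, because an SSID may itself contain ':'."""
    mac, sep, ssid = value.partition(":")
    if not sep or not MAC_RE.match(mac):
        raise ValueError("Called-Station-Id is not in AP-MAC:SSID form")
    return mac.upper(), ssid


def parse_access_request(request):
    """Fields a portal's RADIUS server keys on: user, client MAC, AP MAC, SSID."""
    code, _ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    attrs = dict(decode_attrs(request[20:]))
    ap_mac, ssid = split_called_station_id(attrs[CALLED_STATION_ID].decode())
    return {"user": attrs[USER_NAME].decode(),
            "client_mac": attrs[CALLING_STATION_ID].decode(),
            "ap_mac": ap_mac, "ssid": ssid}


# Constructed sample exchange (not a capture).
SAMPLE_REQUEST = build_access_request(0x2A, bytes(range(16)), [
    (USER_NAME, b"guest@example.com"),
    (NAS_IP_ADDRESS, bytes([10, 0, 0, 2])),
    (CALLED_STATION_ID, b"AA-BB-CC-DD-EE-FF:[Venue] Free WiFi"),
    (CALLING_STATION_ID, b"11-22-33-44-55-66"),
])

if __name__ == "__main__":
    print(parse_access_request(SAMPLE_REQUEST))
    genuine = build_response(ACCESS_ACCEPT, SAMPLE_REQUEST, SHARED_SECRET)
    forged = build_response(ACCESS_ACCEPT, SAMPLE_REQUEST, b"guessed-secret")
    print("genuine accept verifies:", verify_response(genuine, SAMPLE_REQUEST, SHARED_SECRET))
    print("forged accept verifies:", verify_response(forged, SAMPLE_REQUEST, SHARED_SECRET))
```

Two things worth noticing when you run it. The Response Authenticator is the only thing that stops a forged Access-Accept from authorizing a guest, and the shared secret that produces it is printed in this guide, so treat the controller-to-RADIUS path as protected by network reachability rather than by the secret. And the AP address in Called-Station-Id is the base radio MAC, which is why the portal has to be given the base radio MAC rather than the AP's Ethernet MAC (see the note at the end of this guide).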

Step 2 — ACLs

Click Access Control Lists (or FlexConnect ACLs if you use FlexConnect) on the left and then New at the top right. Configure with:

+--------------------------+------------+
| Field | Value |
+--------------------------+------------+
| Access Control List Name | Guest WiFi |
| ACL Type | IPv4 |
+--------------------------+------------+

Now click Add New Rule and create two rules with the data below: one permitting traffic from clients to the portal host, and one permitting the portal's replies back to clients. Anything the two rules do not match, including general internet traffic, is dropped by the ACL's implicit deny until the guest has authenticated.

+---------------------+---------------------------------+---------------------------------+
| Field               | Rule 1                          | Rule 2                          |
+---------------------+---------------------------------+---------------------------------+
| Seq                 | 1                               | 2                               |
| Action              | Permit                          | Permit                          |
| Source IP/Mask      | 0.0.0.0 / 0.0.0.0               | 13.210.155.93 / 255.255.255.255 |
| Destination IP/Mask | 13.210.155.93 / 255.255.255.255 | 0.0.0.0 / 0.0.0.0               |
| Protocol            | Any                             | Any                             |
| Source Port         | Any                             | Any                             |
| Dest Port           | Any                             | Any                             |
| DSCP                | Any                             | Any                             |
| Direction           | Any                             | Any                             |
| Number of Hits      | 0                               | 0                               |
+---------------------+---------------------------------+---------------------------------+

Click Apply to save.

If you are using local-mode APs (not FlexConnect):

To the right of the ACL you just created, hover over the blue arrow and click Add-Remove URL. In the URL String Name box add the following domains one at a time:

+----------------------+
| URL String |
+----------------------+
| *.poweredlocal.com |
| poweredlocal.com |
| *.facebook.com |
| facebook.com |
+----------------------+

OR if you are using FlexConnect mode :
Click into the ACL you just created, then click Add Rule > URL rule at the top right. In the URL box add the following domains one at a time, setting the Action to Permit each time:

+----------------------+
| URL String |
+----------------------+
| *.poweredlocal.com |
| poweredlocal.com |
| *.facebook.com |
| facebook.com |
+----------------------+
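How the URL strings above should be matched, as an added example that is not PoweredLocal's or Cisco's code. The controller's own matching rules are not documented on this page, so the semantics here (a wildcard matches subdomains only, a bare name matches only itself) are an assumption. It shows why both the wildcard and the apex entry are needed, and how a sloppy substring matcher would let an attacker-chosen hostname through the pre-authentication whitelist. The sample URLs are constructed.

```python
# Added example; not the controller's implementation. Assumes whole-label
# matching: "*.example.com" covers subdomains only, "example.com" the apex only.
from urllib.parse import urlsplit

# The URL strings from the guide, as entered on the controller.
ALLOWED_URL_STRINGS = ["*.poweredlocal.com", "poweredlocal.com",
                       "*.facebook.com", "facebook.com"]


def hostname_of(url):
    """Hostname a URL actually resolves to: lower-cased, without port,
    userinfo, path or query. A bare 'host/path' string is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname  # None if the URL has no host


def host_matches(host, pattern):
    """'*.example.com' matches any subdomain but NOT 'example.com';
    'example.com' matches only itself. Comparison is on whole labels."""
    host, pattern = host.rstrip(".").lower(), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_preauth_allowed(url, allow_list=ALLOWED_URL_STRINGS):
    """Would this request pass the URL whitelist before the guest logs in?"""
    host = hostname_of(url)
    if host is None:
        return False
    return any(host_matches(host, p) for p in allow_list)


def naive_substring_allowed(url, allow_list=ALLOWED_URL_STRINGS):
    """Deliberately wrong matcher, kept for contrast: a plain substring test
    on the whole URL is satisfied by the path, the query, userinfo, or a
    look-alike host such as poweredlocal.com.evil.example."""
    return any(p.lstrip("*.") in url for p in allow_list)


if __name__ == "__main__":
    # Constructed sample URLs.
    for u in ["http://login.poweredlocal.com/abc123",
              "https://poweredlocal.com/",
              "http://poweredlocal.com.evil.example/",
              "http://evilpoweredlocal.com/",
              "http://poweredlocal.com@evil.example/",
              "http://neverssl.com/?next=poweredlocal.com"]:
        print(f"{u:45} strict={is_preauth_allowed(u)!s:5} "
              f"naive={naive_substring_allowed(u)}")
```

The apex entries are not redundant: with only `*.poweredlocal.com` in the list, a request to `poweredlocal.com` itself would not be allowed before login. When you verify the whitelist on the controller, test a look-alike host as well as the real one, not just that the portal loads.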

For the next part you will need your login page URL. The easiest way to get it is to log in to the PoweredLocal portal at my.poweredlocal.com, copy the URL of your page and keep it handy.

Now back to the Cisco Controller, Click Web Auth > Web Login Page on the left and change the Web Authentication Type to External (Redirect to external server)

Then set Redirect URL after login to http://login.poweredlocal.com/{pageId}/success and External Webauth URL to http://login.poweredlocal.com/{pageId}, swapping {pageId} for your real ID as noted above.

Note: Use http, not https, for both URLs. With WebAuth SecureWeb and HTTPS Redirection disabled (as set under Management > HTTP-HTTPS in this guide), the controller only intercepts and redirects plain-HTTP requests, so the redirect itself travels in cleartext; whatever the guest types into the portal is protected only to the extent that the portal page itself is served over HTTPS.

Click Apply to save.

Step 3 — WLAN

Click WLANs at the top and then WLANs on the left. Click Create New > Go at the top right (or edit an existing WLAN if you already have one). If creating a new WLAN, configure with:

+--------------+------------------------------------------+
| Field | Value |
+--------------+------------------------------------------+
| Type | WLAN |
| Profile Name | Guest Wi-Fi |
| SSID | [Venue] Free WiFi (or whatever you wish) |
+--------------+------------------------------------------+

Click Apply to save. Next, click the SSID profile to edit the settings.

On the General tab:

+----------------+------------------------------------------+
| Field | Value |
+----------------+------------------------------------------+
| Status | Enabled |
| Broadcast SSID | Enabled |
| SSID | [Venue] Free WiFi (or whatever you wish) |
+----------------+------------------------------------------+

On the Security > Layer 2 tab:

+------------------+-------+
| Field | Value |
+------------------+-------+
| Layer 2 Security | None |
+------------------+-------+

On the Security > Layer 3 tab:

+------------------------------------+--------------+
| Field | Value |
+------------------------------------+--------------+
| Layer 3 Security | Web Policy |
| Authentication | Enabled |
| Pre-authentication ACL (if Local) | Guest WiFi |
| WebAuth FlexACL (if FlexConnect) | Guest WiFi |
| Override Global Config | Enable |
| Web Auth type | External |
+------------------------------------+--------------+

Then set the Redirect URL: http://login.poweredlocal.com/{pageId} (swap {pageId} for your real ID as noted above.)

On the Security > AAA Servers tab:

+-------------------------+----------------------------------+
| Field | Value |
+-------------------------+----------------------------------+
| Authentication Servers | Enabled |
| Server 1 | IP: 35.189.26.255, Port: 1812 |
| Server 2 | IP: 13.55.169.104, Port: 1812 |
| Accounting Servers | Enabled |
| Server 1 | IP: 35.189.26.255, Port: 1813 |
| Server 2 | IP: 13.55.169.104, Port: 1813 |
| Interim Update | Enabled - Interim Interval: 600 |
+-------------------------+----------------------------------+

Also, on the same tab:

  • Authentication priority order for web-auth user (Not Used): LOCAL, LDAP
  • Authentication priority order for web-auth user (Order Used For Authentication): RADIUS

On the Advanced tab:

+-------------------------+---------+
| Field | Value |
+-------------------------+---------+
| Allow AAA Override | Enabled |
| Enable Session Timeout | Enabled |
| Session Timeout (secs) | 43200 |
+-------------------------+---------+

Click Apply to save. Next, click Management at the top then HTTP-HTTPS on the left. Configure with:

+--------------------+----------+
| Field | Value |
+--------------------+----------+
| WebAuth SecureWeb | Disabled |
| HTTPS Redirection | Disabled |
+--------------------+----------+

Note: It is important to change the controller's virtual interface address from the default 1.1.1.1. That address is now a real, publicly routed host (Cloudflare's public resolver), so clients that are redirected to it for web authentication may reach the wrong endpoint or fail. Use a non-routable address instead; 192.0.2.1 is from the RFC 5737 documentation range and is never assigned on the internet.

Click Controller at the top, then Interfaces on the left, open the virtual interface and configure with:

+-------------+------------+
| Field | Value |
+-------------+------------+
| IP Address | 192.0.2.1 |
+-------------+------------+

Click Apply to save.

Finally, be sure to click Save Configuration at the top right.

IMPORTANT: You will need to reboot your controller for all the features to work; the virtual interface address change in particular only takes effect after a reboot.

Note: When adding the AP MAC address(es) into the portal remember to use the Base Radio MAC.

That’s it. Use a computer or mobile to test that the network behaves as intended: the SSID should appear open, any http:// page should redirect to your PoweredLocal login page, and internet access should only be granted after the guest has authenticated.

Because controller versions and hardware differ, some settings may be slightly different from those noted in this manual. Also, with this configuration some network settings cannot be changed from the PoweredLocal dashboard (my.poweredlocal.com); adjust whitelisting and bandwidth limiting on the Cisco controller instead.
