Cisco Mobility Express

CONFIGURATION GUIDE

The purpose of the following manual is to describe the necessary configuration of Cisco Mobility Express equipment for integration with Octopus Platform.

1- Pre-requisites

  • If there is a firewall in the network that might block the traffic, the following destinations must be reachable (the RADIUS servers from the controller, the splash portal from the clients) for user authentication to work:

    • Radius Servers:

      • Primary: <IP_Radius_1> 1812 and 1813 UDP ports

      • Secondary: <IP_Radius_2> 1812 and 1813 UDP ports

    • Splash Portal server: 

      • Domain <captive_portal_domain> 80 and 443 TCP ports

  • The Guest and Enterprise module configurations only work if the corresponding Octopus platform licenses have been contracted beforehand.

2- Guest module configuration

2.1 Radius Servers

The next step is to configure the RADIUS servers to which user authentication requests will be sent. Go to Management > Admin Accounts > RADIUS and select the following options:

  • Authentication Call Station ID Type: AP MAC Address:SSID

  • Authentication MAC Delimiter: Hyphen

  • Accounting Call Station ID Type: AP MAC Address:SSID

  • Accounting MAC Delimiter: Hyphen

Next, create the two RADIUS authentication servers. Click the "Add Radius Authentication Server" button for each one and enter the following values:

Radius 1

  • State: Enabled

  • CoA: Disabled

  • Server IP Address: <IP_Radius_1>

  • Shared Secret: <Secret>

  • Confirm Shared Secret: <Secret>

  • Port Number: 1812

  • Server Timeout: 3

Radius 2

  • State: Enabled

  • CoA: Disabled

  • Server IP Address: <IP_Radius_2>

  • Shared Secret: <Secret>

  • Confirm Shared Secret: <Secret>

  • Port Number: 1812

  • Server Timeout: 3

Then enter the Radius Accounting servers, by clicking on the button: "Add Radius Accounting Server"

Radius 1

  • State: Enabled

  • Server IP Address: <IP_Radius_1>

  • Shared Secret: <Secret>

  • Confirm Shared Secret: <Secret>

  • Port Number: 1813

  • Server Timeout: 3

Radius 2

  • State: Enabled

  • Server IP Address: <IP_Radius_2>

  • Shared Secret: <Secret>

  • Confirm Shared Secret: <Secret>

  • Port Number: 1813

  • Server Timeout: 3

Activating Interim-Update

For proper monitoring of the service in the Wi-Fi platform, Accounting Interim-Update packets must be enabled. This is done from the CLI with the following command, where 600 is the update interval in seconds and <Wlan_id> is the ID of the Guest WLAN:

config wlan radius_server acct interim-update 600 <Wlan_id>

2.2 WLAN configuration

The next step is to create a new WLAN or modify an existing one. To do this go to the Wireless Settings> WLANs section and create or modify a WLAN with the following parameters.

General

  • Profile Name: name for the Guest WLAN profile

  • SSID: name of the Guest SSID that will be broadcast

  • Admin State: Enabled

  • Radio Policy: All

  • Broadcast SSID: Enabled

WLAN Security

  • Guest Network: Enable

  • Captive Network Assistant: Disabled

  • Captive Portal: External Splash page

  • Captive Portal URL (see section 2.3 to decide whether the redirect URL uses http or https):

    • http Option: http://<captive_portal_domain>/login/hotspot/cisco

    • https Option: https://<captive_portal_domain>/login/hotspot/cisco

  • Access Type: Radius

  • Radius Server: in the Radius Server tab, click "Add Radius Authentication Server" and add the authentication servers created in 2.1 with the "Add to Pre Auth ACLs" option enabled. Then click "Add Radius Accounting Server" and add the accounting servers in the same way.

  • Pre-Auth ACL: click "Add URL Rules" and enter the domains required to provide the service, with the "Permit" option enabled. These rules define what an unauthenticated client may reach before logging in, so keep the list to what the captive portal actually needs. The domains to add for the portal to work depend on the services configured in it and are listed below.

If you want to allow extra domains (social networks, PayPal, etc.), they can be looked up at the following link.

Example:

Advanced

Enable the option: Allow AAA Override

2.3  HTTP or HTTPS login process configuration

There are two configuration options for the captive portal login: over http, where the login data sent back to the controller travels unencrypted, or over https.

HTTP option

For this it will be necessary to execute the following commands:

config network web-auth https-redirect disable
config network web-auth secureweb disable
save config
reset system

The redirect URL is set in the WLAN configuration (section 2.2). Changes to these options only take effect after the controller has been restarted.

HTTPS option

If you choose this secure option, note that the host name in the certificate must resolve, on the DNS servers handed to clients by DHCP, to the virtual IP of the controller. Otherwise the login is not redirected to the AP acting as WLC and authentication fails, or the browser shows a certificate warning because the name in the URL does not match the certificate.

To find out the virtual interface IP, it can be done with the command: show interface summary


First, a certificate matching the login host name must be loaded on the controller. The certificate is supplied with the service; to load it, configure and start an FTP transfer with the following commands. FTP sends the credentials and the certificate file, which includes its private key, in the clear, so run the transfer from a trusted management network:

transfer download mode ftp
transfer download datatype webauthcert
transfer download serverip <XX.XX.XX.XX>
transfer download path <PATH>
transfer download filename ciscosecurelogin.pem
transfer download username <username>
transfer download password <password>
transfer download port <port>
transfer download certpassword <certpassword>
transfer download start

Next, the following commands must be entered by CLI


2.4  Other settings

To allow VPN clients to authenticate fully without web-auth security and to avoid connection drops, run the following commands:

Disable the logout pop-up that appears right after login. If the browser's pop-up blocker is not enabled, the pop-up can interfere with the logout and login processes. To disable it, run the following command:

For simultaneous connections of several devices with the same user name, set the parameter "Max Concurrent Logins for a user name" to 0 so that there is no limit. To do this, enter the command:


2.5 List of Authorized MACs

For users to authenticate correctly in the captive portal, the platform must recognise the NAS that sends the authentication requests to the RADIUS server. With the Call Station ID settings of 2.1 the NAS is identified by the AP MAC, so the MAC address assigned to the Wi-Fi (radio) interface of every access point that broadcasts the configured SSID must be added; this is not the same as the AP's Ethernet MAC.

To do this, enter the next command by CLI:

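As an added example (not Cisco or Octopus platform code), the following Python shows what the settings of 2.1 produce and what the authorized list of 2.5 has to match: with Call Station ID Type "AP MAC Address:SSID" and the Hyphen delimiter, every Access-Request carries Called-Station-Id in the form aa-bb-cc-dd-ee-ff:<SSID>. The parser normalizes the MAC notations an operator might paste, splits on the first colon (the MAC part contains no colon, while an SSID may) and checks the AP against the list; the MACs and the SSID are constructed test data.

```python
"""Called-Station-Id handling for the Mobility Express settings in section 2.1.

Added example, not Cisco or Octopus platform code.  With
"Call Station ID Type: AP MAC Address:SSID" and "MAC Delimiter: Hyphen",
each Access-Request carries Called-Station-Id = "aa-bb-cc-dd-ee-ff:<SSID>",
where the MAC is the AP's radio (Wi-Fi) MAC.  The RADIUS side therefore has
to recognise those MACs (section 2.5).  All MACs and SSIDs below are
constructed test data.
"""
import re

# Constructed: radio MACs of the APs that broadcast the Guest SSID, in any
# notation an operator might paste into the platform's authorized list.
AUTHORIZED_AP_MACS = [
    "00:1A:2B:3C:4D:50",
    "001a.2b3c.4d60",
    "00-1a-2b-3c-4d-70",
]
GUEST_SSID = "Guest:WiFi"  # constructed; note an SSID may itself contain ':'

_HYPHEN_MAC = re.compile(r"[0-9a-f]{2}(?:-[0-9a-f]{2}){5}")


def normalize_mac(mac):
    """Return the lower-case hyphenated form produced by the Hyphen delimiter."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % (mac,))
    digits = digits.lower()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_called_station_id(value):
    """Split 'AP MAC Address:SSID' into (mac, ssid).

    The MAC part never contains ':' (hyphen delimiter), so the first colon is
    the separator.  Splitting on the last colon would truncate SSIDs that
    contain colons.  Splitting on the first also rejects a controller that was
    left on the colon delimiter, because "00" is then not a valid MAC.
    """
    mac, sep, ssid = value.partition(":")
    mac = mac.lower()
    if not sep or not _HYPHEN_MAC.fullmatch(mac):
        raise ValueError("unexpected Called-Station-Id: %r" % (value,))
    return mac, ssid


def nas_is_authorized(called_station_id, authorized=AUTHORIZED_AP_MACS, ssid=GUEST_SSID):
    """True if the request came from a known AP radio broadcasting the expected SSID."""
    try:
        mac, got_ssid = parse_called_station_id(called_station_id)
    except ValueError:
        return False
    known = {normalize_mac(m) for m in authorized}
    return mac in known and got_ssid == ssid


if __name__ == "__main__":
    for csid in ("00-1A-2B-3C-4D-50:Guest:WiFi",   # known AP, expected SSID
                 "00-1a-2b-3c-4d-99:Guest:WiFi",   # AP not in the list
                 "00:1a:2b:3c:4d:50:Guest:WiFi"):  # colon delimiter left on
        print(csid, "->", nas_is_authorized(csid))
```

Run it against a few Called-Station-Id values taken from a RADIUS debug or packet capture: a request rejected here usually means either an AP radio MAC missing from the list or a controller still using the default colon delimiter.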

3 - Enterprise module configuration

In order to integrate the configurations of this module with the platform, it is necessary to contract the Octopus Platform Enterprise Module.

3.1  MAC Caching

To enable MAC Caching (MAC Authentication), edit the WLAN created in 2.2 and enable the MAC Filtering option in its WLAN Security tab.

3.2 Configuration of the "Access Profiles" functionality in the Octopus Platform

Through the Octopus platform it is possible to configure a set of reply attributes for the Access-Accept packets, grouped into a so-called Access Profile. These Access Profiles activate features on the Cisco controller for the authenticated session. Both the standard RADIUS attributes and Cisco's proprietary dictionaries (Airespace and cisco-av-pair) are available; the following are some of the most useful:

  • Attribute: Airespace-Data-Bandwidth-Average-Contract, Airespace-Real-Time-Bandwidth-Average-Contract, Airespace-Data-Bandwidth-Burst-Contract, Airespace-Real-Time-Bandwidth-Burst-Contract
    Description: per-session rate limits (average and burst, for data and real-time traffic). All four must be sent together for the limit to be applied; these four set the downstream limits, and the attributes with the -Upstream suffix (e.g. Airespace-Data-Bandwidth-Average-Contract-Upstream) set the corresponding upstream limits.
    Format: integer, kilobits per second (kbps)

  • Attribute: Airespace-Guest-Role-Name
    Description: assigns a QoS Role Name previously created on the Mobility Express controller.
    Format: string

  • Attribute: Airespace-ACL-Name
    Description: assigns an Access Control List previously created on the Mobility Express controller.
    Format: string

  • Attribute: cisco-av-pair
    Description: free-form "attribute=value" string with many uses; several can be sent in one reply (see 3.3).
    Format: string

  • Attribute: Reply-Message
    Description: useful for troubleshooting, since it allows the elements of the Octopus platform associated with the session (access profile, access method, location, ...) to be identified in the RADIUS exchange.
    Format: string

Example of an Access Profile configuration with the attributes explained above:

 

QoS Role Name Assignment: Although the configuration parameters can be sent directly from the radius server, it is also possible to assign a QoS Role, which can be associated from the platform with the radius Airespace-Guest-Role-Name attribute.

 

3.3 Identity PSK Configuration

Some devices that connect to our networks, especially IoT devices, cannot perform strong authentication such as 802.1X and therefore connect using WPA-PSK. This has a security drawback: the key is shared by the whole SSID, so any device that knows it can connect. Cisco's Identity PSK functionality authenticates a client both by its MAC address (MAC filtering against the RADIUS server) and by a PSK that is returned per device or per device group, so keys can be scoped and revoked at scale. To configure Identity PSK:

Cisco Configuration

Go to Wireless Settings > WLANs, add or edit a WLAN and configure in the WLAN Security tab:

  • MAC Filtering: Enable

  • Security type: WPA2 Personal

  • Add RADIUS Authentication Server

    • Server: Configured in point 2.1 of the manual.

Advanced Tab

  • Allow AAA Override: Enable

Click on Apply to save the configuration

WPA2 Personal is a security method using PSK authentication. After a successful MAC authentication, the RADIUS server returns the following Cisco AVPair attributes, which give the controller the key to use for that client:

  • psk-mode - The value can be ASCII, HEX, asciiEnc, or hexEnc.

  • psk

Octopus platform configuration > Access Profile

Radius attributes to configure:

  • cisco-av-pair = “psk-mode=ascii”

  • cisco-av-pair += “psk=password”


It can be combined with a local policy through the attribute:

  • cisco-av-pair += “role=policyCiscoMobilityExpress”
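A worked example of the Access-Accept attributes described in 3.2 (Access Profile attributes) and 3.3 (Identity PSK av-pairs), added here and not part of Cisco's or Octopus's own code: it encodes the reply attributes into RFC 2865 wire format (Vendor-Specific attribute 26 with the Airespace vendor ID 14179 and the Cisco vendor ID 9, attribute numbers taken from the public FreeRADIUS dictionaries) and decodes them back, which is what you would compare against a packet capture when checking what the platform actually sends. The rate, role, ACL, PSK and Reply-Message values are constructed sample data.

```python
"""Encode and decode the Access-Accept reply attributes used by Octopus
Access Profiles (section 3.2) and Identity PSK (section 3.3).

Added example, not Cisco or Octopus platform code.  Attribute numbers and
vendor IDs follow the public FreeRADIUS dictionaries (dictionary.airespace,
dictionary.cisco); the profile values below are constructed sample data.
"""
import struct

REPLY_MESSAGE = 18
VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9          # cisco-av-pair is Cisco VSA type 1
VENDOR_AIRESPACE = 14179  # Airespace VSAs understood by AireOS / Mobility Express
CISCO_AV_PAIR = 1

AIRESPACE = {  # name: (vendor type, data type)
    "Airespace-ACL-Name": (6, "string"),
    "Airespace-Data-Bandwidth-Average-Contract": (7, "integer"),
    "Airespace-Real-Time-Bandwidth-Average-Contract": (8, "integer"),
    "Airespace-Data-Bandwidth-Burst-Contract": (9, "integer"),
    "Airespace-Real-Time-Bandwidth-Burst-Contract": (10, "integer"),
    "Airespace-Guest-Role-Name": (11, "string"),
}
_AIRESPACE_BY_TYPE = {t: (name, kind) for name, (t, kind) in AIRESPACE.items()}
BANDWIDTH_CONTRACTS = tuple(n for n, (t, k) in AIRESPACE.items() if k == "integer")

# Constructed sample profile: 2 Mbit/s limit, a QoS role, an ACL, IPSK pairs.
SAMPLE_PROFILE = {
    "bandwidth_kbps": 2048,
    "role": "guest-2m",
    "acl": "GUEST-ACL",
    "av_pairs": ["psk-mode=ascii", "psk=Example-IoT-Key-2024",
                 "role=policyCiscoMobilityExpress"],
    "reply_message": "Octopus: profile=Guest2M location=Lobby",
}


def _attr(attr_type, value):
    """RFC 2865 attribute: Type(1) Length(1) Value; Length includes the header."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): Vendor-Id(4) + Vendor-Type(1) Vendor-Length(1) Value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def airespace(name, value):
    vendor_type, kind = AIRESPACE[name]
    raw = struct.pack("!I", int(value)) if kind == "integer" else str(value).encode()
    return _vsa(VENDOR_AIRESPACE, vendor_type, raw)


def cisco_av_pair(pair):
    return _vsa(VENDOR_CISCO, CISCO_AV_PAIR, pair.encode())


def encode_reply(profile):
    """Serialize an Access Profile into the attribute bytes of an Access-Accept."""
    out = b""
    if "bandwidth_kbps" in profile:
        # The controller applies the limit only if all four contracts are present.
        for name in BANDWIDTH_CONTRACTS:
            out += airespace(name, profile["bandwidth_kbps"])
    if "role" in profile:
        out += airespace("Airespace-Guest-Role-Name", profile["role"])
    if "acl" in profile:
        out += airespace("Airespace-ACL-Name", profile["acl"])
    for pair in profile.get("av_pairs", []):  # one VSA per pair, order kept
        out += cisco_av_pair(pair)
    if "reply_message" in profile:
        out += _attr(REPLY_MESSAGE, profile["reply_message"].encode())
    return out


def decode_reply(data):
    """Parse attribute bytes back into (name, value) pairs, as a capture shows them."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + length]
        if attr_type == REPLY_MESSAGE:
            out.append(("Reply-Message", value.decode()))
        elif attr_type == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("truncated Vendor-Specific attribute")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vendor_type, vendor_len = value[4], value[5]
            if vendor_len < 2 or 4 + vendor_len != len(value):
                raise ValueError("bad vendor length")
            vval = value[6:4 + vendor_len]
            if vendor_id == VENDOR_CISCO and vendor_type == CISCO_AV_PAIR:
                out.append(("cisco-av-pair", vval.decode()))
            elif vendor_id == VENDOR_AIRESPACE and vendor_type in _AIRESPACE_BY_TYPE:
                name, kind = _AIRESPACE_BY_TYPE[vendor_type]
                out.append((name, struct.unpack("!I", vval)[0] if kind == "integer" else vval.decode()))
            else:
                out.append(("Vendor-Specific(%d/%d)" % (vendor_id, vendor_type), vval))
        else:
            out.append(("Attribute-%d" % attr_type, value))
        i += length
    return out
```

Two things worth remembering when reading the decoded output against a capture: the four bandwidth contracts are sent as separate Airespace VSAs and the controller ignores the limit if any of them is missing, and RADIUS only obfuscates a handful of attributes (User-Password, Tunnel-Password, the MS-MPPE keys), so the psk av-pair in an Access-Accept is authenticated by the shared secret but travels in clear text. The path between the Octopus RADIUS servers and the controller should therefore be a trusted network or protected by IPsec or RadSec.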