Cisco WLC
CONFIGURATION GUIDE
This manual describes the configuration required on a Cisco WLC to integrate it with the Octopus Platform.
1- Pre-requisites
Before any configuration, check the Cisco WLC version and upgrade to 8.2.100.0 or higher for local mode deployments, and to 8.7 or higher for FlexConnect mode. These versions allow ACLs to be defined by domain name (url-domain), which brings several advantages.
If a firewall in the network might block this traffic, the following destinations must be reachable for user authentication to work:
Radius Servers:
Primary: <IP_Radius_1> 1812 and 1813 UDP ports
Secondary: <IP_Radius_2> 1812 and 1813 UDP ports
Splash Portal server:
Domain <captive_portal_domain> 80 and 443 TCP ports
For the Guest and Enterprise module configurations to work, the Octopus platform licenses for the respective modules must be contracted beforehand.
2- Guest module configuration
2.1 Radius Server
Radius Authentication
Configure the RADIUS server parameters to which user authentication requests will be sent. Go to Security > AAA > RADIUS > Authentication and set the following parameters:
Auth Called Station ID Type: AP MAC Address:SSID
MAC Delimiter: Hyphen
After configuring these parameters, click New to add the first RADIUS server with the following fields:
Server IP Address: <IP_Radius_1>
Server Secret Format: ASCII
Shared Secret: <Secret>
Confirm Shared Secret: <Secret>
Port Number: 1812
Server Status: Enabled
Server Timeout: 3 seconds
Then, add the second Radius Server:
Server IP Address: <IP_Radius_2>
Server Secret Format: ASCII
Shared Secret: <Secret>
Confirm Shared Secret: <Secret>
Port Number: 1812
Server Status: Enabled
Server Timeout: 3 seconds
Radius Accounting
Access Security > AAA > RADIUS > Accounting and configure the following global parameters:
Auth Called Station ID Type: AP MAC Address:SSID
MAC Delimiter: Hyphen
Click New to add the first RADIUS server with the following fields:
Server IP Address: <IP_Radius_1>
Shared Secret Format: ASCII
Shared Secret: <Secret>
Confirm Shared Secret: <Secret>
Port Number: 1813
Server Status: Enabled
Server Timeout: 3 seconds
Add the second Radius Server:
Server IP Address: <IP_Radius_2>
Shared Secret Format: ASCII
Shared Secret: <Secret>
Confirm Shared Secret: <Secret>
Port Number: 1813
Server Status: Enabled
Server Timeout: 3 seconds
Other configuration
To allow simultaneous connections from several devices with the same username, and let the RADIUS server manage the limit, go to Security > AAA > User Login Policies and configure:
Max Concurrent Logins for a user name: 0
2.2 Access Control List
Add the domains that users will be able to reach before authenticating in the captive portal (the walled garden). The simplest way to add them is to run the script below; if you prefer to build the ACL in the user interface, it can be done under Security > Access Control Lists.
Create ACL
config acl create WALLEDGARDEN_GUEST
Add free access to the Captive portal and basic domains:
config acl url-domain add <captive_portal_domain> WALLEDGARDEN_GUEST
config acl url-domain add google-analytics.com WALLEDGARDEN_GUEST
config acl url-domain add doubleclick.net WALLEDGARDEN_GUEST
If you wish to add extra domains (social networks, PayPal, etc.), they can be consulted at the following link.
Review the configuration and apply changes
Configuration detail:
show acl detailed WALLEDGARDEN_GUEST
If, after reviewing the configuration, all parameters are correct, execute the following commands to save the changes.
2.3 WLAN Settings
First, on the Controller tab:
Fast SSID change: Enable.
The next step, in the WLANs section, is to create a new WLAN or modify an existing one to which the captive portal will be associated. To create it:
Type: WLAN
Profile Name: set the Profile Name.
SSID: SSID name that will be visible to the wireless users.
Once these parameters are configured, click Apply to create the WLAN. Then follow the steps below to finish configuring this WLAN.
Within the WLAN configuration, apply the following settings:
General
SSID: Name of the SSID.
Status: Enabled
Layer 2
In the Security > Layer 2 tab, set the following parameter:
Layer 2 Security: None
Layer 3
In the Security > Layer 3 tab, set the following parameters:
Layer 3 Security: Web Policy
Check the option: Authentication
Preauthentication ACL: Select the ACL created before.
Over-ride Global Config: Enable
Web Auth Type: External (Re-direct to external server)
URL (see section 2.4 to decide whether the redirection URL should be http or https):
http option: http://<captive_portal_domain>/login/hotspot/cisco
https option: https://<captive_portal_domain>/login/hotspot/cisco
AAA Servers
In the Security > AAA Servers tab, select the RADIUS Authentication and Accounting servers created before, as follows:
Authentication Servers
Check the Enabled box
Server 1: select the Radius Server with the IP address <IP_Radius_1>
Server 2: select the Radius Server with the IP address <IP_Radius_2>
Accounting Servers
Check the Enabled box
Server 1: select the Radius Server with the IP address <IP_Radius_1>
Server 2: select the Radius Server with the IP address <IP_Radius_2>
Radius Server Accounting
Interim Update: check this box
Interim Interval: 600
Advanced Configuration
Finally, go to Advanced tab and perform the following configuration:
Allow AAA Override: Enabled
Enable Session Timeout: Enabled. Enter any value; it is overridden by the value returned by the RADIUS server.
Client user idle timeout (15-100000): a value between 600 and 900 seconds is recommended.
After having accomplished these changes, click Apply to save the configuration.
2.4 Option configuration login process: HTTP or HTTPS
There are two options for the captive portal validation: over HTTP, where the login traffic is not encrypted, and over HTTPS.
HTTP option
It is advisable to make some changes to the controller settings to improve the end-user experience. To do this, go to Management and configure the following parameters:
WebAuth SecureWeb: Disabled
HTTPS Redirection: Disabled
Disabling WebAuth SecureWeb is advised because, when it is enabled, the browser shows a security warning.
Disabling HTTPS Redirection is also advised. According to Cisco's notice about HTTPS redirection, it can degrade the user experience because older browser versions detect it as a "man in the middle" error.
If you change anything in this section, you must save the configuration and restart the controller for it to take effect.
HTTPS option
If you choose this secure validation option, note that DNS resolution is required between the subdomain associated with the certificate and the virtual IP of the controller; otherwise the validations will not be redirected to the WLC and authentication errors will occur. This DNS entry must exist on the DNS servers that DHCP hands out to the clients.
First, load a new certificate associated with the subdomain name used for login. Certificates are provided; to install one, configure and start an FTP transfer with the following commands:
If everything is correct, enable HTTPS authentication: go to Management > HTTP-HTTPS and configure the parameter
WebAuth SecureWeb: Enabled
Once credentials are sent over HTTPS, the DNS name of the Cisco WLC must be changed to match the domain name included in the provided certificate. To do that, go to Controller > Interfaces and edit the Virtual interface to modify the following parameter
Once the changes have been made, save the configuration and restart the controller so that all changes are applied correctly.
2.5 FlexConnect configuration option
APs configuration with Flexconnect mode
Open each of the APs listed under the Wireless tab > Access Points, General tab:
AP mode: FlexConnect
High Availability tab
Primary Controller: <WLC name>
FlexConnect tab
VLAN Support: enabled
Native VLAN ID: <vlan management APs>
Click on the Apply button and repeat these steps for each of the installed APs.
FlexConnect Group configuration
To configure the APs, create a FlexConnect Group: go to the Wireless tab > FlexConnect Groups and click New to add a new group.
Group Name: <group name>
Within the created group, go to General > FlexConnect APs tab
Click Add AP and add all the APs to be assigned to the group.
WLAN VLAN mapping Tab
WLAN Id: Identifier of the WLAN guest to be applied.
Vlan Id: VLAN identifier assigned to the WLAN.
FlexConnect Access Control List configuration
For the user validation process to work correctly, access to certain domains must be allowed. The easiest way is to load a small script that creates the ACLs, although it can also be done through the graphical interface under Security > Access Control Lists > FlexConnect ACLs. Below are the steps to create the ACL by connecting to the controller via SSH or console.
Create ACL
Add permissions for Captive Portal and basic domains:
Review the configuration and apply changes
Configuration detail:
If after reviewing the configuration all the parameters are correct, execute the following commands to save the changes.
Assign the ACL in WLAN
In the WLAN > Layer 3 > Preauthentication ACL section, modify the following parameter:
WebAuth FlexAcl: Select the ACL created earlier for the FlexConnect configuration
2.6 Other configurations
To let VPN clients authenticate fully without web-auth security, and to avoid connection drops, run the following commands:
Disable the logout pop-up shown right after login. If the browser does not have the pop-up blocker enabled, it can cause problems in the logout and login processes. To disable it, run the following command:
2.7 Authorized MAC Addresses
For user validation to work correctly, the NAS devices or supplicants that will be allowed to send authentication requests to the RADIUS servers must be identified. In this case, the MAC addresses of the WiFi interface of all the Access Points that will broadcast the configured SSID must be added.
These MAC addresses can be obtained from Wireless > Access Points > Radios > Base Radio MAC (it is the same MAC address for 2.4 GHz and 5 GHz).
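The following is an added example (it is not part of this guide or of the Octopus platform) showing, from the RADIUS server side, what the settings in section 2.1 and the AP list in section 2.7 produce: with "Auth Called Station ID Type: AP MAC Address:SSID" and "MAC Delimiter: Hyphen", the WLC sends a Called-Station-Id of the form "<AP base radio MAC>:<SSID>". The code parses that value and checks the AP MAC against the authorized list; all MAC addresses and SSIDs are constructed sample values.

```python
"""
Added example, not from the guide: parse the Called-Station-Id sent by a
Cisco WLC configured as in section 2.1 (AP MAC Address:SSID, hyphen
delimiter) and verify the AP against the authorized base radio MACs
registered as in section 2.7. All sample values are constructed.
"""
import re
from dataclasses import dataclass

# Six hex pairs separated by hyphens, as produced by the "Hyphen" delimiter setting.
_MAC_HYPHEN = re.compile(r"^[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}$")


@dataclass(frozen=True)
class CalledStation:
    ap_mac: str   # normalised to lower-case, hyphen-separated
    ssid: str


def normalize_mac(mac: str) -> str:
    """Accept aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff or aabbccddeeff."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    hexdigits = hexdigits.lower()
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_called_station_id(value: str) -> CalledStation:
    """
    Split "<AP MAC>:<SSID>" into its parts. The SSID may itself contain ':',
    so only the first ':' (the one after the MAC) is treated as the separator.
    This is why the hyphen delimiter matters: a colon-delimited MAC would be
    cut at its first colon and rejected.
    """
    mac, sep, ssid = value.partition(":")
    if not sep or not ssid:
        raise ValueError(f"Called-Station-Id lacks ':SSID' suffix: {value!r}")
    if not _MAC_HYPHEN.match(mac):
        raise ValueError(f"AP MAC is not hyphen-delimited: {mac!r}")
    return CalledStation(ap_mac=normalize_mac(mac), ssid=ssid)


def is_authorized_ap(called_station_id: str, authorized_base_radio_macs, expected_ssid: str) -> bool:
    """
    True only if the AP base radio MAC is in the authorized list AND the
    request is for the SSID this RADIUS policy serves. Malformed values are
    treated as unauthorized rather than raising.
    """
    try:
        cs = parse_called_station_id(called_station_id)
    except ValueError:
        return False
    allowed = {normalize_mac(m) for m in authorized_base_radio_macs}
    return cs.ap_mac in allowed and cs.ssid == expected_ssid


# Constructed sample data: two APs registered in the platform (section 2.7)
AUTHORIZED_APS = ["00:1A:2B:3C:4D:50", "00-1a-2b-3c-4d-60"]
GUEST_SSID = "Guest-WiFi"

if __name__ == "__main__":
    samples = [
        "00-1a-2b-3c-4d-50:Guest-WiFi",   # known AP, expected SSID -> True
        "00-1a-2b-3c-4d-70:Guest-WiFi",   # unknown AP -> False
        "00-1a-2b-3c-4d-50:Corp",         # known AP, other SSID -> False
        "00:1a:2b:3c:4d:50:Guest-WiFi",   # colon delimiter: mis-parsed -> False
    ]
    for s in samples:
        print(f"{s:35} -> {is_authorized_ap(s, AUTHORIZED_APS, GUEST_SSID)}")
```

The last sample shows what happens if the MAC Delimiter is left at Colon instead of Hyphen: the first ':' is taken as the MAC/SSID separator and the request is rejected, so the delimiter on the WLC and the parser on the RADIUS side must agree.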
3- Enterprise module configuration
In order to integrate the configurations of this module with the platform, it is necessary to contract the Octopus Platform Enterprise Module.
3.1 Captive portal + MAC Authentication configuration
To enable MAC authentication it is necessary to edit the WLAN where we want to apply it and make the following configuration:
Security > Layer 2 Tab
MAC Filtering: Enabled
Security > Layer 3 > Layer 3 security Tab:
On MAC Filter failure: Enabled
Advanced tab, make sure of:
Enable Session Timeout: Disabled
3.2 MAC Authentication configuration
To create an SSID dedicated to MAC Authentication only, go to the WLANs section and create a new WLAN or modify an existing one. To create it:
Type: WLAN
Profile Name: set the name of the WLAN.
SSID: configure the SSID, for example Mac_Auth_Guest
Once the WLAN has been created, edit the profile, go to the first tab (General) and enable the SSID, since it is disabled by default.
In the Security > Layer 2 tab, configure the following parameters:
Layer 2 Security: None
MAC Filtering: Enable
In the Security > Layer 3 tab, configure the following parameters:
Layer 3 Security: Web Policy
Check the option: On MAC Filter failure
Preauthentication ACL: None
Over-ride Global Config: Disable
In the AAA Servers tab, select the previously created RADIUS servers, both Authentication and Accounting:
Link the RADIUS servers created in section 2.1 of this guide.
Advanced tab, make sure:
Enable Session Timeout: Disabled
Allow AAA Override: Enabled
Client user idle timeout (15-100000): a value between 600 and 900 seconds is recommended.
After making all the changes described above, click on Apply to save the configuration.
3.3 Identity PSK Configuration
Some devices that connect to our networks, especially IoT devices, cannot authenticate with secure methods such as 802.1X and therefore connect using WPA-PSK. This type of validation has security drawbacks, since a single key is shared and any device that has it can connect. Cisco's Identity PSK feature combines MAC filtering with PSK keys that can be assigned per device or per device group, giving two-factor authentication and enabling security and control at scale. To configure Identity PSK:
Cisco WLC Configuration
Go to the WLANs section and create a new WLAN or configure an existing one and go to the Security > Layer2 tab:
Layer 2 Security: WPA+WPA2
WPA+WPA2 Parameters: WPA2 Policy
Authentication Key Management: PSK Enable
PSK Format: enter the PSK key
Then go to AAA Servers:
Authentication Servers: Enabled
Server 1: Configured in point 2.1 of the manual.
Server 2: Configured in point 2.1 of the manual.
Accounting Servers: Enabled
Server 1: Configured in point 2.1 of the manual.
Server 2: Configured in point 2.1 of the manual.
Radius Server Accounting
Interim Update: Enabled
Interim Interval: 600
Then in the Advanced tab
Allow AAA Override: Enabled
Octopus platform configuration > Access Profile
RADIUS attributes to configure:
cisco-av-pair = "psk-mode=ascii"
cisco-av-pair += "psk=password"
This can be combined with a local policy using the attribute:
cisco-av-pair += "role=policyCiscoWLC"
3.4 Configuration of Access Profiles
Through the Octopus platform it is possible to configure a set of reply attributes for the Access-Accept packets, grouped in a so-called Access Profile. These Access Profiles activate a series of features on the Cisco controller. Although the most common standard and Cisco proprietary RADIUS dictionaries are available, the following list covers some of the most useful attributes:
| Attribute | Description | Format |
|---|---|---|
| Airespace-Data-Bandwidth-Average-Contract, Airespace-Real-Time-Bandwidth-Average-Contract, Airespace-Data-Bandwidth-Burst-Contract, Airespace-Real-Time-Bandwidth-Burst-Contract | Define the speed limits for a given session, both upstream and downstream. All four must be configured. | Kilobyte |
| Airespace-Guest-Role-Name | Assignment of a QoS Role Name, previously created in Cisco Catalyst 9800. | |
| Airespace-ACL-Name | Assignment of an Access Control List, previously created in Cisco Catalyst 9800. | |
| cisco-av-pair | String with many possibilities. | |
| Reply-Message | Useful for troubleshooting, since it allows identifying associated elements of the Octopus platform, such as an access profile, access method, location, etc. | |
Example of an Access Profile configuration with the attributes explained above:
QoS Role Name Assignment: Although the configuration parameters can be sent directly from the RADIUS server, it is also possible to assign a QoS Role, which can be associated from the platform using the RADIUS attribute Airespace-Guest-Role-Name.
Wireless > QoS > Roles > Per-User Bandwidth Contracts (kbps):
Average Data Rate: Average data rate for TCP traffic per user.
Burst Data Rate: Maximum data rate for TCP traffic per user.
Average Real-Time Rate: Average real-time data rate for UDP traffic per user.
Burst Real-Time Rate: Maximum real-time data rate for UDP traffic per user.
ACL Name Assignment: It is also possible to assign, from the Octopus platform, the ACL that will apply to a specific user connected to the WLAN. To create ACLs, follow the steps in section 2.2.
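As an added example (not the Octopus platform's own code, nor part of this guide), the following Python builds the Access-Accept reply attributes of an Access Profile from sections 3.3 and 3.4 as RADIUS Vendor-Specific (type 26) wire bytes, enforcing the rule from the table that the four Airespace bandwidth contracts are sent together, and decodes them back for inspection. The vendor ids and attribute numbers (Cisco = 9 with Cisco-AVPair = 1; Airespace = 14179 with ACL-Name = 6, the four contracts = 7..10, Guest-Role-Name = 11) are assumed from the public FreeRADIUS dictionaries; the bandwidth values, ACL name, PSK and Reply-Message text are constructed.

```python
"""
Added example, not from the guide or the Octopus platform: encode an
Access Profile (sections 3.3 and 3.4) as RADIUS reply attributes and
decode the result. Vendor/attribute numbers are assumed from the public
FreeRADIUS dictionaries; all values are constructed samples.
"""
import struct

VSA_TYPE = 26          # RFC 2865 Vendor-Specific
REPLY_MESSAGE = 18     # RFC 2865 Reply-Message
VENDOR_CISCO = 9       # assumed: dictionary.cisco
CISCO_AVPAIR = 1       # assumed: Cisco-AVPair
VENDOR_AIRESPACE = 14179   # assumed: dictionary.airespace
AIRESPACE = {              # assumed attribute numbers and formats
    "Airespace-ACL-Name": (6, "string"),
    "Airespace-Data-Bandwidth-Average-Contract": (7, "integer"),
    "Airespace-Real-Time-Bandwidth-Average-Contract": (8, "integer"),
    "Airespace-Data-Bandwidth-Burst-Contract": (9, "integer"),
    "Airespace-Real-Time-Bandwidth-Burst-Contract": (10, "integer"),
    "Airespace-Guest-Role-Name": (11, "string"),
}
# The guide states all four bandwidth contracts must be configured together.
BANDWIDTH_ATTRS = [n for n, (_, fmt) in AIRESPACE.items() if fmt == "integer"]


def _vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    """Type(26) Length VendorId(4) | VendorType VendorLength Data  (RFC 2865 s.5.26)."""
    if len(data) > 255 - 8:
        raise ValueError("VSA payload too long for one attribute")
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return struct.pack("!BBI", VSA_TYPE, len(sub) + 6, vendor_id) + sub


def cisco_avpair(value: str) -> bytes:
    """One cisco-av-pair, e.g. 'psk-mode=ascii' or 'role=policyCiscoWLC'."""
    return _vsa(VENDOR_CISCO, CISCO_AVPAIR, value.encode())


def airespace(name: str, value) -> bytes:
    num, fmt = AIRESPACE[name]
    data = struct.pack("!I", int(value)) if fmt == "integer" else str(value).encode()
    return _vsa(VENDOR_AIRESPACE, num, data)


def reply_message(text: str) -> bytes:
    data = text.encode()
    return struct.pack("!BB", REPLY_MESSAGE, len(data) + 2) + data


def build_access_profile(*, bandwidth=None, role_name=None, acl_name=None,
                         avpairs=(), reply=None) -> bytes:
    """Concatenate the reply attributes; reject a partial bandwidth contract."""
    out = bytearray()
    if bandwidth is not None:
        missing = [n for n in BANDWIDTH_ATTRS if n not in bandwidth]
        if missing:
            raise ValueError(f"incomplete bandwidth contract, missing: {missing}")
        for n in BANDWIDTH_ATTRS:
            out += airespace(n, bandwidth[n])
    if role_name:
        out += airespace("Airespace-Guest-Role-Name", role_name)
    if acl_name:
        out += airespace("Airespace-ACL-Name", acl_name)
    for av in avpairs:
        out += cisco_avpair(av)
    if reply:
        out += reply_message(reply)
    return bytes(out)


def decode_attributes(buf: bytes):
    """Walk the TLV stream back into (vendor, vendor_type, data) or (type, data)."""
    items, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        t, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("malformed attribute length")
        body = buf[i + 2:i + length]
        if t == VSA_TYPE:
            vendor = struct.unpack("!I", body[:4])[0]
            items.append((vendor, body[4], body[6:4 + body[5]]))
        else:
            items.append((t, body))
        i += length
    return items


def build_demo_profile() -> bytes:
    """Constructed guest profile: 2048 for each contract, walled-garden ACL, PSK pairs."""
    return build_access_profile(
        bandwidth={n: 2048 for n in BANDWIDTH_ATTRS},
        acl_name="WALLEDGARDEN_GUEST",
        avpairs=["psk-mode=ascii", "psk=ExamplePskValue", "role=policyCiscoWLC"],
        reply="octopus:profile=guest-basic",
    )


if __name__ == "__main__":
    for item in decode_attributes(build_demo_profile()):
        print(item)
```

One point worth keeping in mind when sending the psk cisco-av-pair: RADIUS encrypts only User-Password (and the tunnel-password type attributes), so a PSK returned in a cisco-av-pair travels in clear text inside the Access-Accept, protected by the shared secret only for integrity. The path between the WLC and the RADIUS servers of section 2.1 should therefore be a trusted network.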