Cisco WLC

CONFIGURATION GUIDE

The purpose of the following manual is to describe the necessary configuration of Cisco WLC for integration with Octopus Platform.

1- Pre-requisites

  • Prior to any configuration, check the Cisco WLC version and upgrade to 8.2.100.0 or higher for local mode configurations, or 8.7 or higher for FlexConnect mode. From these versions onwards, ACLs can be defined by domain name (url-domain), which brings several advantages for the walled garden configuration described later in this guide.

  • If there is a firewall in the network that might block the traffic, the following destinations must be reachable so that users can authenticate:

    • Radius Servers:

      • Primary: <IP_Radius_1> 1812 and 1813 UDP ports

      • Secondary: <IP_Radius_2> 1812 and 1813 UDP ports

    • Splash Portal server: 

      • Domain <captive_portal_domain> 80 and 443 TCP ports

  • For the Guest and Enterprise module configuration to work, the Octopus platform licenses for the respective modules must be contracted beforehand.

2- Guest module configuration

2.1 Radius Server

Radius Authentication

The next step is to configure the Radius Server parameters to which the user authentication requests will be sent. Go to Security > AAA > RADIUS > Authentication and configure the following parameters:

  • Auth Called Station ID Type: AP MAC Address:SSID

  • MAC Delimiter: Hyphen

After configuring these parameters, click the New button to add the first Radius Server with the following fields:

  • Server IP Address: <IP_Radius_1>

  • Server Secret Format: ASCII

  • Shared Secret: <Secret>

  • Confirm Shared Secret: <Secret>

  • Port Number: 1812

  • Server Status: Enabled

  • Server Timeout: 3 seconds

Then, add the second Radius Server:

  • Server IP Address: <IP_Radius_2>

  • Server Secret Format: ASCII

  • Shared Secret: <Secret>

  • Confirm Shared Secret: <Secret>

  • Port Number: 1812

  • Server Status: Enabled

  • Server Timeout: 3 seconds

Radius Accounting

Access Security > AAA > RADIUS > Accounting and configure the following global parameters:

  • Auth Called Station ID Type: AP MAC Address:SSID

  • MAC Delimiter: Hyphen

Click on the New button to add the first radius server by configuring the following fields:

  • Server IP Address: <IP_Radius_1>

  • Shared Secret Format: ASCII

  • Shared Secret: <Secret>

  • Confirm Shared Secret: <Secret>

  • Port Number: 1813

  • Server Status: Enabled

  • Server Timeout: 3 seconds

Add the second Radius Server:

  • Server IP Address: <IP_Radius_2>

  • Shared Secret Format: ASCII

  • Shared Secret: <Secret>

  • Confirm Shared Secret: <Secret>

  • Port Number: 1813

  • Server Status: Enabled

  • Server Timeout: 3 seconds

Other configuration

To allow simultaneous connections from several devices with the same username and have the limit managed by the radius server, go to Security > AAA > User Login Policies and configure:

  • Max Concurrent Logins for a user name: 0

2.2 Access Control List

It is necessary to add the domains that users will be able to visit before authenticating in the captive portal (the walled garden). The simplest way to add them is to run the following script on the WLC command line. If you prefer to add the ACL through the user interface, this can be done in Security > Access Control Lists.

Create ACL:

config acl create WALLEDGARDEN_GUEST

Add free access to the captive portal and basic domains:

config acl url-domain add <captive_portal_domain> WALLEDGARDEN_GUEST
config acl url-domain add google-analytics.com WALLEDGARDEN_GUEST
config acl url-domain add doubleclick.net WALLEDGARDEN_GUEST

If you wish to add extra domains (social networks, PayPal, etc.), they can be consulted at the following link.

Review the configuration and apply changes

Configuration detail:

show acl detailed WALLEDGARDEN_GUEST

If all the parameters are correct after the review, execute the following commands to save the changes.

2.3 WLAN Settings

First, on the Controller tab:

  • Fast SSID change: Enable

Next, in the WLANs section, create a new WLAN or modify an existing one to associate it with the captive portal. To create it:

  • Type: WLAN

  • Profile Name: set the Profile Name.

  • SSID: SSID name that will be visible to the wireless users.


Within the WLAN configuration, apply the following settings:

General

Once these parameters are configured, please click Apply to create the WLAN. Then, follow the steps described below to finish the configuration of this WLAN.

  • SSID: Name of the SSID.

  • Status: Enabled

Layer 2

In the Security > Layer 2 tab, set the following parameter:

  • Layer 2 Security: None

Layer 3

In the Security > Layer 3 tab, set the following parameters:

AAA Servers

In the Security > AAA Servers tab, select the Radius Authentication and Accounting Servers created before. To do it, please perform the following configuration:

  • Authentication Servers

    • Check the Enabled box

    • Server 1: select the Radius Server with the IP address <IP_Radius_1>

    • Server 2: select the Radius Server with the IP address <IP_Radius_2>

  • Accounting Servers

    • Check the Enabled box

    • Server 1: select the Radius Server with the IP address <IP_Radius_1>

    • Server 2: select the Radius Server with the IP address <IP_Radius_2>

  • Radius Server Accounting

    • Interim Update: check this box

    • Interim Interval: 600 

Advanced Configuration

Finally, go to Advanced tab and perform the following configuration:

  • Allow AAA Override: Enabled

  • Enable Session Timeout: Enabled. Fill in any value; in practice it is overridden by the value returned by the radius server.

  • Client user idle timeout (15-100000): It is recommended between 600 and 900 seconds

After having accomplished these changes, click Apply to save the configuration. 

2.4 Login process options: HTTP or HTTPS

There are two options for validating users in the captive portal: over HTTP, where the login traffic is not encrypted, or over HTTPS.

HTTP option

It is advisable to make some changes to the controller settings to improve the end user experience. To do this, access Management and configure the following parameters:

  • WebAuth SecureWeb: Disabled

  • HTTPS Redirection: Disabled

It is advised to disable WebAuth SecureWeb because, when it is enabled, the browser shows a security warning on the login page.

It is also advised to disable HTTPS Redirection. As Cisco notes about this option, it can cause a bad user experience because older web browser versions detect the redirection as a "Man in the middle" error.

If you make any changes in this section it will be necessary to save them and restart the controller to apply this configuration.

HTTPS option

If you choose this secure validation option, be aware that the subdomain associated with the certificate must resolve in DNS to the virtual IP of the controller; otherwise the validations will not be redirected to the WLC and authentication errors will occur. This DNS entry must exist in the DNS servers that DHCP hands out to the clients.


First, a new certificate associated with the subdomain used for the login page must be loaded onto the controller. Certificates are provided for this purpose; they are uploaded with an FTP transfer configured and started with the following commands:

If everything is correct, HTTPS authentication must then be enabled. To do this, go to Management > HTTP-HTTPS and configure the parameter:

  • WebAuth SecureWeb: Enabled

Once the sending of user credentials via HTTPS is enabled, the DNS Name of the Cisco WLC must be changed to match the Domain Name included in the certificate provided. To do that, go to Controller > Interfaces, edit the Virtual interface and modify the following parameter:

Once the changes have been made it will be necessary to save the configuration and restart the controller so that all the changes made are applied correctly.

2.5 FlexConnect configuration option

APs configuration with Flexconnect mode

Enter each of the APs that appear in the Wireless tab > Access Points > General tab.

  • AP mode: FlexConnect

High Availability tab

  • Primary Controller: <WLC name>

FlexConnect tab

  • VLAN Support: Enabled

  • Native VLAN ID: <vlan management APs>

Click on the Apply button and repeat these steps for each of the installed APs.

FlexConnect Group configuration

To configure the APs you need to create a FlexConnect Group by going to the Wireless tab > FlexConnect Groups and click on New to add a new group.

  • Group Name: <group name>

Within the created group, go to General > FlexConnect APs tab

  • Click Add AP and add all the APs that should belong to the group.

WLAN VLAN mapping Tab

  • WLAN Id: Identifier of the WLAN guest to be applied.

  • Vlan Id: VLAN identifier assigned to the WLAN.

FlexConnect Access Control List configuration

For the user validation process to work correctly, access to certain domains must be allowed. The easiest way is to load a small script that creates the ACLs, although it can also be done through the graphical interface in Security > Access Control Lists > FlexConnect ACLs. Below are the steps to create the ACL by connecting to the controller via SSH or console.

Create ACL

Add permissions for the captive portal and basic domains:

Review the configuration and apply changes

Configuration detail:

If all the parameters are correct after the review, execute the following commands to save the changes.

Assign the ACL in WLAN

In WLAN > Layer 3 > Preauthentication ACL, edit the following parameter:

  • WebAuth FlexAcl: Select the ACL created earlier for the FlexConnect configuration

2.6 Other configurations

To allow VPN clients to authenticate fully without the web-auth security step, and to avoid connection drops, run the following commands:

Disable the logout pop-up that appears right after logging in. If the browser does not have the pop-up blocker enabled, this pop-up can cause problems in the logout and login processes. To disable it, run the following command:

2.7 Authorized MAC Addresses

For user validation to work correctly, the NAS or supplicants that may send authentication requests to the radius servers must be identified. In this case, the MAC addresses of the WiFi interface of all the Access Points that will broadcast the configured SSID must be added.

These MAC addresses can be obtained in Wireless > Access Points > Radios > Base Radio MAC (the same MAC address is used for 2.4 GHz and 5 GHz).

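As an added example (not part of this guide and not Octopus code), the following Python check shows how a RADIUS server can use the Called-Station-Id produced by the section 2.1 settings (AP MAC Address:SSID, hyphen delimiter) to accept requests only from the AP radio MACs registered as described here. The MAC addresses and SSID names are constructed placeholders.

```python
import re

# Constructed sample of AP base radio MACs registered as authorized NAS;
# placeholder values, not addresses from any real deployment.
AUTHORIZED_AP_MACS = {"00-11-22-33-44-55", "00-11-22-33-44-66"}

# With "Auth Called Station ID Type: AP MAC Address:SSID" and "MAC Delimiter:
# Hyphen", the WLC sends Called-Station-Id as "<ap-mac-with-hyphens>:<ssid>".
# Anchoring six hex pairs keeps an SSID that itself contains ':' intact.
CALLED_STATION_RE = re.compile(r"^([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}):(.+)$")


def parse_called_station_id(value):
    """Return (normalized AP MAC, SSID), or None when the attribute does not
    use the hyphen-delimited AP MAC:SSID form configured in section 2.1."""
    m = CALLED_STATION_RE.match(value)
    if not m:
        return None
    return m.group(1).upper(), m.group(2)


def nas_is_authorized(called_station_id, expected_ssid, authorized=AUTHORIZED_AP_MACS):
    """Decide whether an Access-Request may be processed: the AP radio MAC must be
    a registered NAS and the SSID must be the one tied to the captive portal."""
    parsed = parse_called_station_id(called_station_id)
    if parsed is None:
        return False, "unexpected Called-Station-Id format (check MAC delimiter)"
    mac, ssid = parsed
    if mac not in {a.upper() for a in authorized}:
        return False, "AP %s is not a registered NAS" % mac
    if ssid != expected_ssid:
        return False, "SSID %r does not match %r" % (ssid, expected_ssid)
    return True, "ok"


if __name__ == "__main__":
    for sample in ("00-11-22-33-44-55:Guest-WiFi", "00-11-22-33-44-77:Guest-WiFi",
                   "00:11:22:33:44:55:Guest-WiFi", "00-11-22-33-44-66:Hotel:Lobby"):
        print(sample, "->", nas_is_authorized(sample, "Guest-WiFi"))
```

A request whose MAC arrives colon-delimited is rejected on format, which is the symptom seen when the MAC Delimiter setting on the WLC does not match what the server expects.
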
3 - Enterprise module configuration

In order to integrate the configurations of this module with the platform, it is necessary to contract the Octopus Platform Enterprise Module.

3.1 Captive portal + MAC Authentication configuration

To enable MAC authentication it is necessary to edit the WLAN where we want to apply it and make the following configuration:

Security > Layer 2 Tab

  • MAC Filtering: Enabled

Security > Layer 3 > Layer 3 security Tab:

  • On MAC Filter failure: Enabled

Advanced tab, make sure of:

  • Enable Session Timeout: Disabled

3.2 MAC Authentication configuration

To create an SSID dedicated to MAC Authentication only, go to the WLANs section and create a new WLAN or modify an existing one. To create it:

  • Type: WLAN

  • Profile Name: set the name of the WLAN.

  • SSID: configure the SSID, for example Mac_Auth_Guest

Once the WLAN has been created, in the profile edition go to the first tab General and enable the SSID as it is disabled by default.

In the Security > Layer 2 tab, configure the following parameters:

  • Layer 2 Security: None

  • MAC Filtering: Enable

In the Security > Layer 3 tab, configure the following parameters:

  • Layer 3 Security:  Web Policy

    • Check the option: On MAC Filter failure

  • Preauthentication ACL: None

  • Over-ride Global Config: Disable

In the AAA Servers tab select the previously created radius servers, both Authentication and Accounting, to do the following configuration:

  • Link the radius servers created in point 2.1 of this guide

  • Advanced tab, make sure:

    • Enable Session Timeout: Disabled

  • Allow AAA Override: Enabled

  • Client user idle timeout (15-100000): It is recommended between 600 and 900 seconds

After making all the changes described above, click on Apply to save the configuration.

3.3 Identity PSK Configuration

Some devices that connect to our networks, especially IoT devices, cannot use secure validations such as 802.1X and therefore connect through WPA-PSK. This type of validation has security drawbacks, since the key is a single shared one and any device that knows it can connect. Cisco's Identity PSK functionality allows two-factor authentication through MAC filtering and PSK keys, which can be assigned per device or device group, enabling security and control at scale. To configure Identity PSK:

Cisco WLC Configuration

Go to the WLANs section and create a new WLAN or configure an existing one and go to the Security > Layer2 tab:

  • Layer 2 Security: WPA+WPA2

  • WPA+WPA2 Parameters: WPA2 Policy

  • Authentication Key Management: PSK Enable

  • PSK Format: enter the PSK key

Then go to AAA Servers:

  • Authentication Servers: Enabled

    • Server 1: Configured in point 2.1 of the manual.

    • Server 2: Configured in point 2.1 of the manual.

  • Accounting Servers: Enabled

    • Server 1: Configured in point 2.1 of the manual.

    • Server 2: Configured in point 2.1 of the manual.

  • Radius Server Accounting

    • Interim Update: Enabled

    • Interim Interval: 600

Then in the Advanced tab

  • Allow AAA Override: Enabled

Octopus platform configuration > Access Profile

Radius attributes to configure:

  • cisco-av-pair = “psk-mode=ascii”

  • cisco-av-pair += “psk=password”

Possible to combine with local policy with the attribute

  • cisco-av-pair += “role=policyCiscoWLC”

3.4 Configuration of Access Profiles

Through the Octopus platform it is possible to configure a series of reply attributes for the Access-Accept packets, grouped in what is called an Access Profile. These Access Profiles allow a series of functionalities to be activated on the Cisco controller. The most common standard and Cisco proprietary radius dictionaries are available; the following is a list of some of the most useful attributes:

  • Airespace-Data-Bandwidth-Average-Contract, Airespace-Real-Time-Bandwidth-Average-Contract, Airespace-Data-Bandwidth-Burst-Contract, Airespace-Real-Time-Bandwidth-Burst-Contract

    • Description: They define speed limits for a given session, both upstream and downstream. It is necessary to configure all four.

    • Format: Kilobyte

  • Airespace-Guest-Role-Name

    • Description: Assignment of a QoS Role Name, previously created in Cisco Catalyst 9800.

  • Airespace-ACL-Name

    • Description: Assignment of an Access Control List, previously created in Cisco Catalyst 9800.

  • cisco-av-pair

    • Description: String with many possibilities.

  • Reply-Message

    • Description: Useful for troubleshooting, since it allows identifying associated elements of the Octopus platform, such as an access profile, access method, location, ...

Example of an Access Profile configuration with the attributes explained above:
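
As an added example (not the guide's own screenshot and not Octopus code), the following Python script builds and decodes the reply attributes of an Access-Accept carrying the Identity PSK cisco-av-pair values from section 3.3 together with the Airespace attributes listed above, so a practitioner can compare them with what a packet capture shows. The vendor IDs and sub-type numbers are assumed from the public FreeRADIUS dictionary files; the PSK, role, ACL and bandwidth values are constructed placeholders.

```python
import struct
# Vendor IDs and VSA sub-types are assumed from the public FreeRADIUS dictionary files, not from this guide.
VENDOR_CISCO, VENDOR_AIRESPACE, VSA, REPLY_MESSAGE = 9, 14179, 26, 18   # last two: RFC 2865 attribute types
NAMES = {                                       # (vendor, sub-type) -> attribute name
    (VENDOR_CISCO, 1): "cisco-av-pair",
    (VENDOR_AIRESPACE, 6): "Airespace-ACL-Name",
    (VENDOR_AIRESPACE, 7): "Airespace-Data-Bandwidth-Average-Contract",
    (VENDOR_AIRESPACE, 8): "Airespace-Real-Time-Bandwidth-Average-Contract",
    (VENDOR_AIRESPACE, 9): "Airespace-Data-Bandwidth-Burst-Contract",
    (VENDOR_AIRESPACE, 10): "Airespace-Real-Time-Bandwidth-Burst-Contract",
    (VENDOR_AIRESPACE, 11): "Airespace-Guest-Role-Name",
}
INTEGER = {(VENDOR_AIRESPACE, s) for s in (7, 8, 9, 10)}   # bandwidth contracts are 32-bit integers

def encode(name, value):
    """Encode one reply attribute as an RFC 2865 TLV; a VSA nests vendor id, sub-type and length."""
    if name == "Reply-Message":
        data = value.encode()
        return struct.pack("!BB", REPLY_MESSAGE, 2 + len(data)) + data
    key = next(k for k, n in NAMES.items() if n == name)
    data = struct.pack("!I", value) if key in INTEGER else value.encode()
    inner = struct.pack("!IBB", key[0], key[1], 2 + len(data)) + data
    if len(inner) + 2 > 255:                    # the length field is a single byte
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", VSA, 2 + len(inner)) + inner

def decode(blob):
    """Walk the attribute bytes of a packet and return [(name, value), ...] for verification."""
    out, i = [], 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute length")
        body = blob[i + 2:i + alen]
        if atype == REPLY_MESSAGE:
            out.append(("Reply-Message", body.decode()))
        elif atype == VSA and len(body) >= 6:
            vendor, sub, vlen = struct.unpack("!IBB", body[:6])
            key, data = (vendor, sub), body[6:4 + vlen]
            value = struct.unpack("!I", data)[0] if key in INTEGER else data.decode(errors="replace")
            out.append((NAMES.get(key, "Unknown-VSA-%d-%d" % key), value))
        i += alen
    return out

def access_profile(psk, role, acl, avg_kb, burst_kb):
    """Identity PSK profile (section 3.3) plus QoS role, ACL and bandwidth limits (section 3.4)."""
    attrs = [("cisco-av-pair", "psk-mode=ascii"), ("cisco-av-pair", "psk=" + psk), ("cisco-av-pair", "role=" + role),
             ("Airespace-Guest-Role-Name", role), ("Airespace-ACL-Name", acl), ("Reply-Message", "profile=" + role)]
    attrs += [(n, avg_kb if "Average" in n else burst_kb) for n in NAMES.values() if "Bandwidth" in n]
    return b"".join(encode(n, v) for n, v in attrs)
```

Running decode over the attribute bytes of a captured Access-Accept lists each attribute by name, which makes it easy to spot a profile that is missing one of the four bandwidth contracts or that carries the PSK in the wrong format.
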

QoS Role Name Assignment: Although the configuration parameters can be sent directly from the radius server, it is also possible to assign a QoS Role, which can be associated from the platform with the radius Airespace-Guest-Role-Name attribute.

Wireless > QoS > Roles > Per-User Bandwidth Contracts (kbps):

  • Average Data Rate: Average data rate for TCP traffic per user.

  • Burst Data Rate: Maximum data rate for TCP traffic per user.

  • Average Real-Time Rate: Average real-time data rate for UDP traffic per user.

  • Burst Real-Time Rate: Maximum real-time data rate for UDP traffic per user.

ACL Name Assignment: It is also possible to assign from the Octopus platform the ACL that would apply to a specific user connected to the WLAN. To create them follow the steps in section 2.2.