How to Enable CaptiveWiFi with Cisco WLC 9800 (Local Mode)
Before You Start
You'll need:
GUI or CLI access to your Cisco Catalyst 9800 WLC
Your CaptiveWiFi dashboard credentials
Your network's IP addressing scheme and guest VLAN ID
RADIUS details from your CaptiveWiFi dashboard (server IPs, ports, shared secret)
Log in to your CaptiveWiFi dashboard and go to Integrations > RADIUS before starting. Keep your RADIUS server IPs, ports, and shared secret to hand throughout this process.
Step 1 — Create Your Location in CaptiveWiFi
Log in to your CaptiveWiFi dashboard.
Go to Locations and create a new location for this venue.
Enter the venue name and details and save.
Navigate to Integrations > Hardware > Cisco 9800 to retrieve:
Your portal redirect URL
RADIUS server IPs (primary and secondary)
RADIUS shared secret
Portal IPv4 address
Keep this page open — you will reference it throughout the steps below.
Step 2 — Configure the Global Parameter Map
This step is required before anything else. The global parameter map sets the virtual IP the WLC uses to intercept guest traffic and trigger the portal redirect.
Go to Configuration > Security > Web Auth.
Select the global parameter map from the list.
Set the following:
Virtual IPv4 Address: 192.0.2.1
Trustpoint: select your WLC certificate if available
Enable HTTP server for Web Auth: enabled (required if HTTP is globally disabled on the WLC)
Save and apply.
Step 3 — Create the CaptiveWiFi Parameter Map
Still in Configuration > Security > Web Auth, click + Add.
Name it CaptiveWiFi.
Under the General tab, set:
Type: Webauth
Maximum HTTP connections: 200
Init-State Timeout: 300 seconds
Under the Advanced tab, set the following under Redirect to external server:
Redirect URL for login: your CaptiveWiFi portal URL (from your dashboard)
Redirect On-Success: your CaptiveWiFi Connected URL (from your dashboard)
Redirect On-Failure: your CaptiveWiFi portal URL
Redirect Append for AP MAC Address: ap_mac
Redirect Append for Client MAC Address: client_mac
Redirect Append for WLAN SSID: wlan
Portal IPv4 Address: as provided in your CaptiveWiFi dashboard
Click Update & Apply.
Step 4 — Add the URL Filter (Pre-Auth)
Go to Configuration > Security > URL Filters.
Click + Add and configure:
List name: CaptiveWiFi-PreAuth
Type: PRE-AUTH
Action: PERMIT
URL: your CaptiveWiFi portal domain (e.g. getonline.captivewifi.io)
This allows guest devices to reach the login portal before they have authenticated. Save.
Step 5 — Add RADIUS Servers
Go to Configuration > Security > AAA > Servers / Groups > RADIUS > Servers.
Click + Add for each RADIUS server provided in your CaptiveWiFi dashboard:
Primary server:
Name: CaptiveWiFi-RADIUS-1
Server address: primary IP from your dashboard
Auth port: 1812
Shared secret: as provided in your dashboard
Secondary server (optional):
Name: CaptiveWiFi-RADIUS-2
Server address: secondary IP from your dashboard
Auth port: 1812
Shared secret: as provided in your dashboard
Then go to RADIUS > Server Groups, click + Add, name it CaptiveWiFi-Group, and add both servers.
Step 6 — Configure AAA Method Lists
Go to Configuration > Security > AAA > AAA Method List.
Create the following three method lists:
Authentication:
Name: CaptiveWiFi-Auth
Type: login
Method: group CaptiveWiFi-Group
Authorisation:
Name: default
Type: network
Method: group CaptiveWiFi-Group
Note: the authorisation list must be named default for local web authentication to function correctly on the 9800.
Accounting:
Name: CaptiveWiFi-Acct
Type: identity
Method: start-stop, group CaptiveWiFi-Group
Step 7 — Create the Guest SSID (WLAN Profile)
Go to Configuration > Tags & Profiles > WLANs.
Click + Add and configure:
General tab:
Profile name: CaptiveWiFi-Guest
SSID: your guest network name (e.g. Venue Guest WiFi)
Status: Enabled
Broadcast SSID: Enabled
Security tab > Layer 2:
Disable WPA2 and WPA3 — these are enabled by default and must be explicitly turned off
Set to None (open network)
Security tab > Layer 3:
Web Policy: enabled
Web Auth: selected
Web Auth parameter map: CaptiveWiFi (created in Step 3)
Authentication list: CaptiveWiFi-Auth
PreAuthentication ACL - IPv4: leave blank unless you have created a custom ACL — the WLC will auto-generate one based on the portal IP entered in Step 3
Save the WLAN profile.
Step 8 — Create the Policy Profile
Go to Configuration > Tags & Profiles > Policy.
Click + Add and configure:
General tab:
Policy name: CaptiveWiFi-Policy
Status: Enabled
Access Policies tab:
VLAN: your guest VLAN ID
Advanced tab:
URL filter: CaptiveWiFi-PreAuth (created in Step 4)
Accounting list: CaptiveWiFi-Acct
Save.
Step 9 — Create the Policy Tag
Go to Configuration > Tags & Profiles > Tags > Policy.
Click + Add and name it CaptiveWiFi-Tag.
Under WLAN-Policy maps, click + Add and map:
WLAN profile: CaptiveWiFi-Guest
Policy profile: CaptiveWiFi-Policy
Save.
Step 10 — Apply the Tag to Your Access Points
Go to Configuration > Wireless > Access Points.
Select each AP that should broadcast the guest SSID.
Under Tags, set the Policy Tag to CaptiveWiFi-Tag.
Save and apply.
Step 11 — Save the Configuration
Changes on the 9800 apply immediately but will not survive a reboot unless saved.
Go to Administration > Software Management or run the following in CLI:
write memory
Do this after completing all steps above.
Step 12 — Test and Verify
Connect a test device to the guest SSID.
The browser should redirect automatically to your CaptiveWiFi portal.
Complete the login flow and confirm the guest appears in your CaptiveWiFi dashboard under Live Guests.
To verify the RADIUS connection from CLI before testing:
test aaa group CaptiveWiFi-Group test test new-code
A response of User successfully authenticated confirms RADIUS is reachable and the shared secret is correct.
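Why the shared secret has to match exactly, shown as an added example (not CaptiveWiFi's or Cisco's code): the sketch below implements the RFC 2865 User-Password hiding and Response Authenticator calculations and simulates one exchange offline. The secrets, the request authenticator and the simplified server decision are constructed for illustration.

```python
import hashlib
import hmac
import struct

def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2), as done by the NAS (the WLC)."""
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16 octets
    padded = password.ljust(size, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, size, 16):
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], _md5(secret, prev)))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse operation, as done by the RADIUS server with its copy of the secret."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, _md5(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def response_auth(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    return _md5(struct.pack("!BBH", code, ident, 20 + len(attrs)), req_auth, attrs, secret)

def exchange(wlc_secret: bytes, server_secret: bytes, password: bytes = b"test") -> dict:
    """Simulate one Access-Request and its reply with constructed values; no network I/O."""
    req_auth, ident = bytes(range(16)), 1           # constructed; random on a real NAS
    hidden = hide_password(password, wlc_secret, req_auth)
    seen = unhide_password(hidden, server_secret, req_auth)
    code = 2 if seen == password else 3             # 2 = Access-Accept, 3 = Access-Reject
    reply = response_auth(code, ident, b"", req_auth, server_secret)
    expected = response_auth(code, ident, b"", req_auth, wlc_secret)
    return {"server_saw_password": seen == password, "reply_code": code,
            "wlc_accepts_reply": hmac.compare_digest(reply, expected)}

if __name__ == "__main__":
    print(exchange(b"Dashboard-Secret", b"Dashboard-Secret"))    # matching secrets
    print(exchange(b"Dashboard-Secret", b"Dashboard-Secret "))   # trailing space on one side
```

With a trailing space on one side, the server recovers a garbled password and its reply fails the Response Authenticator check; RFC 2865 has the NAS silently discard such a reply.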
Troubleshooting
Portal not showing: Check the virtual IP is set to 192.0.2.1 in the global parameter map. Confirm the redirect URL in the CaptiveWiFi parameter map matches exactly what is shown in your dashboard. Ensure HTTP is enabled — check ip http server is active or Enable HTTP server for Web Auth is ticked in the global parameter map.
Certificate warning on connection: This is expected on first setup. The WLC uses a self-signed certificate by default which browsers will flag. To resolve this, install a trusted SSL certificate on the WLC. Contact your CaptiveWiFi account manager for guidance or refer to Cisco's CSR certificate guide for the 9800.
RADIUS authentication failing: Double-check the shared secret matches exactly on both the WLC and in your CaptiveWiFi dashboard. Confirm the WLC management IP is whitelisted as a NAS client in your CaptiveWiFi settings. Run the test command in Step 12 to isolate the issue.
Guests not appearing in dashboard: Confirm RADIUS accounting is enabled and the accounting method list is correctly attached to the policy profile. Check that the guest VLAN has a route to the internet and to the CaptiveWiFi RADIUS servers.
SSID not broadcasting: Confirm the policy tag has been applied to the correct APs and that the WLAN profile status is set to Enabled. Check that WPA/WPA2 has been fully disabled on the WLAN — a partially configured security setting can prevent the SSID from broadcasting.
For support contact us at hello@captivewifi.com or visit captivewifi.com.