CAPTIVE WIFI HELP CENTRE
Installation Guides > Cisco > Cisco Catalyst 9800
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
CISCO CATALYST 9800 — SETUP GUIDE
This guide walks you through connecting your Cisco Catalyst 9800
Wireless Controller to Captive WiFi.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
COMPATIBILITY
This guide applies to the Cisco Catalyst 9800-CL Wireless Controller.
Tested and confirmed working on:
Cisco Catalyst 9800-CL (set up on KVM)
— Firmware versions up to 17.3.4c
Cisco AIR-CAP3702I-E-K9
— Versions compatible with the controller (installed as the AP provisions)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
BEFORE YOU START
Log in to your controller's administration panel with root permissions
and navigate to the Network section.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
STEP 1 — CONFIGURE WEB AUTH
Go to: Configuration > Security > Web Auth
Open the Global profile and confirm that Virtual IPv4 Address is set to:
192.0.2.1
Press Apply.
Now click Add to create a new parameter-map profile with the following
settings:
Parameter-map name: sw_webauth
Maximum HTTP connections: 200
Init-State Timeout: 3600
Type: webauth
Press Apply to Device.
Click into the new profile you just created and configure it as follows.
On the General tab:
Banner Type: None
Captive Bypass Portal: Leave unchecked
Disable Success Window: Enabled
Disable Logout Window: Enabled
Sleeping Client Status: Enabled
Sleeping Client Timeout: 720
On the Advanced tab:
Redirect for log-in: WiFi Splash URL
Redirect On-Success: Connected URL
Redirect On-Failure: WiFi Splash URL
Redirect Append for AP MAC Address: ap_mac
Redirect Append for Client MAC Address: client_mac
Redirect Append for WLAN SSID: wlan_ssid
Portal IPv4 Address: 138.68.152.191
Click Update & Apply.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
STEP 2 — CONFIGURE AAA / RADIUS
Go to: Configuration > Security > AAA > Servers / Groups > Servers
Click + Add and enter the following:
Name: captive_radius
Server Address: Email support
PAC Key: Leave unchecked
Key Type: Clear Text
Key: Email Support
Confirm Key: As above
Auth Port: 1812
Server Timeout: 10
Retry Count: 3
Support for CoA: Enabled
Press Apply to Device.
Now go to the Server Groups tab and click + Add:
Name: guest_radius
Group Type: RADIUS
MAC-Delimiter: hyphen
MAC-Filtering: none
Dead-Time (mins): Leave default (5)
Assigned Servers: captive_radius
Source Interface VLAN ID: none
Press Apply to Device.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
STEP 3 — SET UP AAA METHOD LISTS
Go to: Configuration > Security > AAA > AAA Method List
Make sure Authentication is selected and click + Add.
On the General tab:
Method List Name: guest_auth
Type: login
Group Type: group
Assigned Server Groups: guest_radius
Press Apply to Device.
Now switch to the Accounting tab on the left and click + Add:
Method List Name: guest_acct
Type: identity
Assigned Server Groups: guest_radius
Press Apply to Device.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
STEP 4 — CONFIGURE AAA ADVANCED SETTINGS
Go to: Configuration > Security > AAA > AAA Advanced
Make sure you are in Global Config and click Show Advanced Settings.
Find the Radius Attributes section and configure as follows.
Accounting:
Call Station ID: ap-macaddress-ssid
Call Station ID Case: upper
MAC-Delimiter: hyphen
Username Case: lower
Username Delimiter: none
Authentication:
Call Station ID: ap-macaddress-ssid
Call Station ID Case: upper
MAC-Delimiter: hyphen
Press Apply to Device.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
STEP 5 — CREATE URL FILTER (PRE-AUTH ALLOWLIST)
Go to: Configuration > Security > URL Filters
Click + Add:
List Name: guest_url_filter
Type: PRE_AUTH
Action: PERMIT
Add the following URLs to the list:
captivewifi.fra1.digitaloceanspaces.com
getonline.captivewifi.io
Press Apply to Device.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
STEP 6 — CONFIGURE YOUR WLAN
Go to: Configuration > Tags & Policies > WLANs
Click + Add or edit your existing WLAN.
On the General tab:
Profile Name: [your profile name]
SSID: [your SSID name]
Status: Enabled
Radio Policy: All
Broadcast SSID: Enabled
On the Security — Layer 2 tab:
Layer 2 Security Mode: None
MAC Filtering: Disabled
(Leave everything else as default)
On the Security — Layer 3 tab, click Show Advanced Settings and set:
Web Policy: Enabled
Web Auth Parameter Map: sw_webauth
Authentication List: guest_auth
On Mac Filter Failure: Disabled
Splash Web Redirect: Disabled
Press Apply to Device.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
STEP 7 — CREATE POLICY PROFILE
Go to: Configuration > Tags & Profiles > Policy
Click + Add. Leave all settings at default except the following.
On the General tab:
Name: guest_policy
Status: Enabled
On the Access Policies tab:
URL Filters: guest_url_filter
On the Advanced tab:
Session Timeout: 43200
Idle Timeout: 3600
Allow AAA Override: Enabled
Accounting List: guest_acct
Click Apply to Device.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
STEP 8 — CREATE POLICY TAG
Go to: Configuration > Tags & Profiles > Tags
Click + Add:
Name: admi
WLAN Profile: [your WiFi name]
Policy Profile: guest_policy
Click Apply to Device.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
STEP 9 — ENABLE HTTP ACCESS
Go to: Administration > Management > HTTP/HTTPS/Netconf
Confirm that both HTTP Access and HTTPS Access are set to Enabled.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
STEP 10 — DISABLE SECURE WEBAUTH (CLI)
This step must be completed via the controller's command line interface.
Run the following commands:
enable
configure terminal
parameter-map type webauth global
webauth-http-enable
secure-webauth-disable
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
NEED HELP?
If you run into any issues during setup, get in touch with the
Captive WiFi support team and we'll walk you through it.
Book a call: https://calendly.com/adams_diary/15m-captive-chat
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━