This guide shows how to configure a Cisco Systems WLC controller to use Amplespot as an External Splash Page provider.

Please note:

  • This guide assumes that you have experience working with the Cisco WLC
  • Your controller must be running version 7.6 or above

Prerequisites

This article applies to all Cisco WLC controllers. The configuration procedure has been performed and tested for the version 9-8-0-152-0.

To integrate the Cisco WLC controller with Amplespot, the controller must be able to reach the internet on the following ports: TCP/80, TCP/443, UDP/1812, UDP/1813.

If you would like to use the secure version of the Amplespot Captive Portal (over HTTPS), make sure you have a correct SSL certificate installed on the controller.

IMPORTANT:
For all RADIUS and Captive Portal configuration settings visit this Settings Page.

Add your Cisco Access Points to Amplespot WiFi Admin Portal

Head to your Amplespot account and if you haven't already, create Zones for your Access Points. Or you can use the default Zone and change your settings later.

Once you have created all necessary Zones, note the Base Radio MAC address(es) of your Cisco Access Points together with their names.

Now head to the Amplespot WiFi Admin Portal, click on Access Points in the left-hand menu and then on Add new Unmanaged Access Point.

Select the Access Point make and model, type in MAC Address and Name, Select the Country and the Captive Portal Zone where you would like to add this Access Point. You will be able to move your access point to other Zones later.

!! IMPORTANT!! Make sure that the name of the SSID used by the Captive Portal Zone you are selecting exactly corresponds to the name of WLAN SSID in Cisco WLC.

Repeat this step for all Access Points you want to use with Amplespot.

Setup RADIUS servers for Authentication

Login to your WLC graphical user interface, select SECURITY on the top menu, click on AAA, then RADIUS, then Authentication on the left-hand menu.

Click the New... button to add a new RADIUS server for authentication:

Create two RADIUS Authentication Servers with the following settings:

Primary Authentication Server:

Server Index (Priority): any priority
Server IP Address(Ipv4/Ipv6): 34.248.253.134
Shared Secret: <in amplespot admin portal>
Port Number: 1812
Server Status: Enabled
Support for RFC 3576: Enabled
Server Timeout: 2 seconds

Secondary Authentication Server:

Server Index (Priority): any priority lower than server 1
Server IP Address(Ipv4/Ipv6): 34.248.3.17
Shared Secret: <in amplespot admin portal>
Port Number: 1812
Server Status: Enabled
Support for RFC 3576: Enabled
Server Timeout: 2 seconds

Set up the RADIUS attribute format. Set:

Auth Called Station ID Type: AP MAC Address:SSID
MAC Delimiter: Hyphen

If you already use RADIUS Authentication servers with other settings and need to set attributes format to be different from what this article requires - please contact Amplespot Support.

!!! IMPORTANT !!! Click Apply button to save your changes.

Setup RADIUS servers for Accounting

Go to SECURITY on the top menu, click on AAA, then RADIUS, then Accounting on the left-hand menu. Click the New... button to add a new RADIUS server for accounting:

Create two RADIUS Accounting Servers with the following settings:

Primary Accounting Server:

Server Index (Priority): <any>
Server IP Address(Ipv4/Ipv6): [see settings page]
Shared Secret: [see settings page]
Port Number: 1813
Server Status: Enabled
Server Timeout: 2 seconds
Network User: Enable
IPSec: Disabled

Secondary Accounting Server:

Server Index (Priority): <any>
Server IP Address(Ipv4/Ipv6): [see settings page]
Shared Secret: [see settings page]
Port Number: 1813
Server Status: Enabled
Server Timeout: 2 seconds
Network User: Enable
IPSec: Disabled

Set up the RADIUS attribute format. Set:

Auth Called Station ID Type: AP MAC Address:SSID
MAC Delimiter: Hyphen

Click Apply button to save your changes.
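With the attribute format above, the controller identifies each access point and WLAN to the RADIUS server as a hyphenated AP MAC, a colon, and the SSID. The following check is an added example, not Amplespot or Cisco code: it validates observed Called-Station-Id values against a local inventory of registered access points, and the inventory, MAC address, SSID and function names are all constructed for illustration.

```python
import re

# Called-Station-Id as sent with "AP MAC Address:SSID" and the hyphen delimiter.
CALLED_STATION_RE = re.compile(r"^((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}):(.+)$")


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def check_called_station_id(value, registered):
    """Return (ok, reason) for one Called-Station-Id value.

    registered maps a normalized Base Radio MAC to the SSID of the zone
    that access point was added to (hypothetical local inventory).
    """
    match = CALLED_STATION_RE.match(value)
    if not match:
        return False, "not in hyphenated AP-MAC:SSID form"
    mac, ssid = normalize_mac(match.group(1)), match.group(2)
    if mac not in registered:
        return False, "access point is not registered"
    if ssid != registered[mac]:
        return False, "SSID does not match the zone SSID exactly"
    return True, "ok"


# Constructed inventory and observed values, for illustration only.
REGISTERED = {normalize_mac("00:11:22:AA:BB:C0"): "Guest WiFi"}
OBSERVED = [
    "00-11-22-aa-bb-c0:Guest WiFi",   # expected form
    "00:11:22:aa:bb:c0:Guest WiFi",   # MAC Delimiter left at colon
    "00-11-22-aa-bb-c0:Guest Wifi",   # SSID differs in case
    "00-11-22-aa-bb-d0:Guest WiFi",   # access point never added to the portal
    "00-11-22-aa-bb-c0",              # station ID type without the SSID
]

if __name__ == "__main__":
    for value in OBSERVED:
        print(value, "->", check_called_station_id(value, REGISTERED))
```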

Configure Access Control Lists (ACL)

PLEASE NOTE:

  • For Access Points in FlexConnect Mode, complete the following steps under the FlexConnect ACLs. Create two rules per IP (for Inbound and Outbound)
  • For Access Points not in FlexConnect Mode, complete the following steps under Access Control Lists. Create one rule per IP.

You will need to create ACLs in order to permit access of unauthenticated WiFi clients to: 

  1. Amplespot Captive Portal servers;
  2. Social login pages hosted by Google, Facebook, and others (depending on your Captive Portal login options);
  3. Other content such as external CSS styles or fonts used in Splash Pages hosted by Amplespot.

You can find the list of Walled Garden domains for Amplespot Captive Portal as well as for Social Logins in this documentation article. Please note this list might change from time to time as third-parties (Google, Facebook etc) may update their services.

Older versions of Cisco WLC do not support DNS-based Access Control Lists; newer versions support them via CLI configuration only. They are apparently supported (for non-FlexConnect access lists only) starting from version 7.6, but plenty of bugs are reported, so test carefully.

Example DNS-based Access List:

(Cisco Controller) config>acl create amplespot-dns-cp-in
acl url-domain add *.amplespot.com amplespot-dns-cp-in
acl url-domain add *.fontawesome.com amplespot-dns-cp-in
acl url-domain add *.google-analytics.com amplespot-dns-cp-in
acl url-domain add *.googletagmanager.com amplespot-dns-cp-in
acl url-domain add api.mailgun.net amplespot-dns-cp-in


IP-based Access List:

At the time of writing, the IP addresses for Amplespot's Captive Portal service, cp.amplespot.com, are the following; however, please check this yourself by running an nslookup:

52.209.11.75
52.214.110.34

You can create IP-based ACLs by going to SECURITY, expanding Access Control Lists and clicking Access Control Lists.

Configure the following settings:

  • Access Control List Name: Whatever you want e.g amplespot-nonflex-in
  • ACL Type: IPv4

Click Apply to Save

Click on the ACL you just created 

And then click on Add New Rule

Enter the following:

  • Sequence: 1
  • Source: IP Address
  • IP Address: <Insert Domain IP>
  • Netmask: 255.255.255.255
  • Destination: Any
  • Protocol: ICP
  • DSCP: Any
  • Direction: Any
  • Action: Permit

Click Apply to Save

Repeat this for all of the DNS entries in Amplespot's Walled Garden list, replacing the DNS names with their corresponding IP addresses, or create DNS-based ACLs via CLI (recommended!).

If you are using your access points in the FlexConnect mode, then you only need to create the FlexConnect ACLs.

Create Web Login Page

Go to SECURITY on the top menu, expand Web Auth and click on Web Login Page and fill in the fields with the following information:

  • Web Authentication Type: External
  • Redirect URL after login: <leave this blank for user to be redirected to original request URL or populate with URL of your choice>
  • External Webauth URL:

    If your controller has a valid SSL certificate:
    https://cp.amplespot.com/cswlc/

    If your controller does not have a valid SSL certificate: http://cp.amplespot.com/cswlc/

!IMPORTANT!

If your controller does not have a valid SSL certificate, you need to change the Web Auth redirect URL to be non-HTTPS so that web users don't get an SSL warning:

(Cisco Controller) >config network web-auth secureweb disable
You must reboot for the change to take effect.


Go to MANAGEMENT on the top menu and then click on HTTP-HTTPS on the left-hand side menu.

Under WebAuth SecureWeb use the drop down box to select:

Disabled: If your controller does not have a valid SSL certificate
Enabled: If your controller has a valid SSL certificate

Configure WLANs

Go to WLANs on the top menu, select Create New on the right-side of the page and click Go to create new WLAN. 

You can also edit an existing WLAN if you want to start using it with Amplespot.

Create new WLAN:

  • Type: WLAN
  • Profile Name: <name of your SSID>
  • SSID: <name of your SSID>
  • ID: <Next free ID from the list or another one depending on your other settings>

Click Apply to Save and proceed to configure

This will open the General tab of WLAN edit page. Click the Security tab, then the Layer 2 tab and enter the following:

  • Layer 2 Security: None

On the Layer 3 tab enter the following:

  • Layer 3 Security: Web Policy
  • Authentication: Selected
  • Pre-authentication ACL (IPv4): <amplespot-nonflex-in or another ACL you might have created>

PLEASE NOTE - if your Access Points are in Flex Connect Mode then you will need to use the drop-down box next to WebAuth FlexACL (see last section of this manual)

On the AAA Servers tab enter the following information:

  • Radius Server Overwrite interface: Enabled
  • Interface Priority: WLAN
  • Authentication Servers: Enabled
  • Server 1 IP: (see this doc), Port: 1812
  • Accounting Servers: Enabled
  • Server 1 IP: (see this doc), Port: 1813
  • <repeat for Server 2>
  • Radius Server Accounting; Interim Update: Ticked, Interval: 540
  • Authentication priority order for web-auth user (Not Used): LOCAL, LDAP
  • Authentication priority order for web-auth user (Order Used For Authentication): RADIUS

On the Advanced tab enter the following information:

  • Allow AAA Override: Ticked

Note, enabling this parameter allows the controller to accept the attributes returned by the RADIUS server. The controller then applies these attributes to its clients.

PLEASE NOTE: If you are using FlexConnect, scroll down and tick FlexConnect Local Switching

Click Apply to Save

Go back to the General tab of WLAN edit page. Change status of WLAN to Enabled 

We are finally done, select Apply to save the configuration at the top right. Once you have saved your changes - reboot your controller.

FlexConnect Mode

If your access points are in the FlexConnect mode do the following:

Connect to WLC controller via SSH and enter configuration mode by typing config in the shell prompt. You will see the following prompt:

(Cisco Controller) config>

Now enter the following commands (one block at a time) to create a FlexConnect ACL called AmplespotWebAuth:

flexconnect acl create AmplespotWebAuth
flexconnect acl apply AmplespotWebAuth

flexconnect acl rule add AmplespotWebAuth 1
flexconnect acl rule add AmplespotWebAuth 2
flexconnect acl rule add AmplespotWebAuth 3
flexconnect acl rule add AmplespotWebAuth 4
flexconnect acl rule add AmplespotWebAuth 5
flexconnect acl rule add AmplespotWebAuth 6
flexconnect acl rule add AmplespotWebAuth 7
flexconnect acl rule add AmplespotWebAuth 8
flexconnect acl rule add AmplespotWebAuth 9
flexconnect acl rule add AmplespotWebAuth 10
flexconnect acl rule add AmplespotWebAuth 11
flexconnect acl rule add AmplespotWebAuth 12
flexconnect acl rule add AmplespotWebAuth 13
flexconnect acl rule add AmplespotWebAuth 14
flexconnect acl rule add AmplespotWebAuth 15
flexconnect acl rule add AmplespotWebAuth 16
flexconnect acl rule add AmplespotWebAuth 17
flexconnect acl rule add AmplespotWebAuth 18
flexconnect acl rule add AmplespotWebAuth 19
flexconnect acl rule add AmplespotWebAuth 20
flexconnect acl rule add AmplespotWebAuth 21
flexconnect acl rule add AmplespotWebAuth 22
flexconnect acl rule add AmplespotWebAuth 23

flexconnect acl rule action AmplespotWebAuth 1 permit
flexconnect acl rule action AmplespotWebAuth 2 permit
flexconnect acl rule action AmplespotWebAuth 3 permit
flexconnect acl rule action AmplespotWebAuth 4 permit
flexconnect acl rule action AmplespotWebAuth 5 permit
flexconnect acl rule action AmplespotWebAuth 6 permit
flexconnect acl rule action AmplespotWebAuth 7 permit
flexconnect acl rule action AmplespotWebAuth 8 permit
flexconnect acl rule action AmplespotWebAuth 9 permit
flexconnect acl rule action AmplespotWebAuth 10 permit
flexconnect acl rule action AmplespotWebAuth 11 permit
flexconnect acl rule action AmplespotWebAuth 12 permit
flexconnect acl rule action AmplespotWebAuth 13 permit
flexconnect acl rule action AmplespotWebAuth 14 permit
flexconnect acl rule action AmplespotWebAuth 15 permit
flexconnect acl rule action AmplespotWebAuth 16 permit
flexconnect acl rule action AmplespotWebAuth 17 permit
flexconnect acl rule action AmplespotWebAuth 18 permit
flexconnect acl rule action AmplespotWebAuth 19 permit  
flexconnect acl rule action AmplespotWebAuth 20 permit
flexconnect acl rule action AmplespotWebAuth 21 permit
flexconnect acl rule action AmplespotWebAuth 22 permit
flexconnect acl rule action AmplespotWebAuth 23 deny
 
flexconnect acl rule destination address AmplespotWebAuth 1 13.0.0.0 255.0.0.0
flexconnect acl rule destination address AmplespotWebAuth 2 52.0.0.0 255.0.0.0
flexconnect acl rule destination address AmplespotWebAuth 3 54.0.0.0 255.0.0.0
flexconnect acl rule destination address AmplespotWebAuth 4 70.0.0.0 255.0.0.0
flexconnect acl rule destination address AmplespotWebAuth 5 34.0.0.0 255.0.0.0
flexconnect acl rule destination address AmplespotWebAuth 6 35.0.0.0 255.0.0.0
flexconnect acl rule destination address AmplespotWebAuth 7 143.204.0.0 255.255.0.0
flexconnect acl rule destination address AmplespotWebAuth 8 204.246.0.0 255.255.0.0
flexconnect acl rule destination address AmplespotWebAuth 9 205.251.0.0 255.255.0.0
flexconnect acl rule destination address AmplespotWebAuth 10 216.137.32.0 255.255.224.0
flexconnect acl rule destination address AmplespotWebAuth 11 18.216.170.128 255.255.255.128
 
flexconnect acl rule destination port range AmplespotWebAuth 1 0 65535
flexconnect acl rule destination port range AmplespotWebAuth 2 0 65535
flexconnect acl rule destination port range AmplespotWebAuth 3 0 65535
flexconnect acl rule destination port range AmplespotWebAuth 4 0 65535
flexconnect acl rule destination port range AmplespotWebAuth 5 0 65535
flexconnect acl rule destination port range AmplespotWebAuth 6 0 65535
flexconnect acl rule destination port range AmplespotWebAuth 7 0 65535
flexconnect acl rule destination port range AmplespotWebAuth 8 0 65535
flexconnect acl rule destination port range AmplespotWebAuth 9 0 65535
flexconnect acl rule destination port range AmplespotWebAuth 10 0 65535
flexconnect acl rule destination port range AmplespotWebAuth 11 0 65535
 
flexconnect acl rule source address AmplespotWebAuth 12 13.0.0.0 255.0.0.0
flexconnect acl rule source address AmplespotWebAuth 13 52.0.0.0 255.0.0.0
flexconnect acl rule source address AmplespotWebAuth 14 54.0.0.0 255.0.0.0
flexconnect acl rule source address AmplespotWebAuth 15 70.0.0.0 255.0.0.0
flexconnect acl rule source address AmplespotWebAuth 16 34.0.0.0 255.0.0.0
flexconnect acl rule source address AmplespotWebAuth 17 35.0.0.0 255.0.0.0
flexconnect acl rule source address AmplespotWebAuth 18 143.204.0.0 255.255.0.0
flexconnect acl rule source address AmplespotWebAuth 19 204.246.0.0 255.255.0.0
flexconnect acl rule source address AmplespotWebAuth 20 205.251.0.0 255.255.0.0
flexconnect acl rule source address AmplespotWebAuth 21 216.137.32.0 255.255.224.0
flexconnect acl rule source address AmplespotWebAuth 22 18.216.170.128 255.255.255.128
flexconnect acl rule source address AmplespotWebAuth 23 0.0.0.0 0.0.0.0
 
flexconnect acl rule source port range AmplespotWebAuth 12 0 65535
flexconnect acl rule source port range AmplespotWebAuth 13 0 65535
flexconnect acl rule source port range AmplespotWebAuth 14 0 65535
flexconnect acl rule source port range AmplespotWebAuth 15 0 65535
flexconnect acl rule source port range AmplespotWebAuth 16 0 65535
flexconnect acl rule source port range AmplespotWebAuth 17 0 65535
flexconnect acl rule source port range AmplespotWebAuth 18 0 65535
flexconnect acl rule source port range AmplespotWebAuth 19 0 65535
flexconnect acl rule source port range AmplespotWebAuth 20 0 65535
flexconnect acl rule source port range AmplespotWebAuth 21 0 65535
flexconnect acl rule source port range AmplespotWebAuth 22 0 65535
flexconnect acl rule source port range AmplespotWebAuth 23 0 65535
 
flexconnect acl rule dscp AmplespotWebAuth 1  Any  
flexconnect acl rule dscp AmplespotWebAuth 2  Any  
flexconnect acl rule dscp AmplespotWebAuth 3  Any  
flexconnect acl rule dscp AmplespotWebAuth 4  Any  
flexconnect acl rule dscp AmplespotWebAuth 5  Any  
flexconnect acl rule dscp AmplespotWebAuth 6  Any  
flexconnect acl rule dscp AmplespotWebAuth 7  Any  
flexconnect acl rule dscp AmplespotWebAuth 8  Any  
flexconnect acl rule dscp AmplespotWebAuth 9  Any  
flexconnect acl rule dscp AmplespotWebAuth 10  Any
flexconnect acl rule dscp AmplespotWebAuth 11  Any
flexconnect acl rule dscp AmplespotWebAuth 12  Any
flexconnect acl rule dscp AmplespotWebAuth 13  Any
flexconnect acl rule dscp AmplespotWebAuth 14  Any
flexconnect acl rule dscp AmplespotWebAuth 15  Any
flexconnect acl rule dscp AmplespotWebAuth 16  Any
flexconnect acl rule dscp AmplespotWebAuth 17  Any
flexconnect acl rule dscp AmplespotWebAuth 18  Any
flexconnect acl rule dscp AmplespotWebAuth 19  Any
flexconnect acl rule dscp AmplespotWebAuth 20  Any
flexconnect acl rule dscp AmplespotWebAuth 21  Any
flexconnect acl rule dscp AmplespotWebAuth 22  Any
flexconnect acl rule dscp AmplespotWebAuth 23  Any
 
flexconnect acl rule protocol AmplespotWebAuth 1  Any  
flexconnect acl rule protocol AmplespotWebAuth 2  Any  
flexconnect acl rule protocol AmplespotWebAuth 3  Any
flexconnect acl rule protocol AmplespotWebAuth 4  Any
flexconnect acl rule protocol AmplespotWebAuth 5  Any  
flexconnect acl rule protocol AmplespotWebAuth 6  Any  
flexconnect acl rule protocol AmplespotWebAuth 7  Any  
flexconnect acl rule protocol AmplespotWebAuth 8  Any  
flexconnect acl rule protocol AmplespotWebAuth 9  Any
flexconnect acl rule protocol AmplespotWebAuth 10  Any
flexconnect acl rule protocol AmplespotWebAuth 11  Any
flexconnect acl rule protocol AmplespotWebAuth 12  Any
flexconnect acl rule protocol AmplespotWebAuth 13  Any
flexconnect acl rule protocol AmplespotWebAuth 14  Any
flexconnect acl rule protocol AmplespotWebAuth 15  Any
flexconnect acl rule protocol AmplespotWebAuth 16  Any
flexconnect acl rule protocol AmplespotWebAuth 17  Any
flexconnect acl rule protocol AmplespotWebAuth 18  Any
flexconnect acl rule protocol AmplespotWebAuth 19  Any
flexconnect acl rule protocol AmplespotWebAuth 20  Any
flexconnect acl rule protocol AmplespotWebAuth 21  Any
flexconnect acl rule protocol AmplespotWebAuth 22  Any
flexconnect acl rule protocol AmplespotWebAuth 23  Any

Once completed, go to WLANs, open the WLAN you are configuring to use with Amplespot and set WebAuth FlexAcl to AmplespotWebAuth
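Because this ACL is applied before authentication, it is worth measuring what it lets unauthenticated clients reach. The following audit is an added example, not part of the original guide or of any Cisco or Amplespot tooling: it parses the `flexconnect acl rule` commands shown above, counts the permitted destination addresses, flags wide prefixes, and checks that required hosts are covered and that every destination permit has a matching source permit. The function names, the `min_prefix` review threshold and the host 198.51.100.7 are assumptions made for the example.

```python
import ipaddress

# Excerpt of the AmplespotWebAuth commands from this page; rule 22 is left
# out on purpose (constructed) so the pairing check has something to report.
SAMPLE_ACL = """\
flexconnect acl rule add AmplespotWebAuth 2
flexconnect acl rule action AmplespotWebAuth 2 permit
flexconnect acl rule action AmplespotWebAuth 11 permit
flexconnect acl rule action AmplespotWebAuth 13 permit
flexconnect acl rule action AmplespotWebAuth 23 deny
flexconnect acl rule destination address AmplespotWebAuth 2 52.0.0.0 255.0.0.0
flexconnect acl rule destination address AmplespotWebAuth 11 18.216.170.128 255.255.255.128
flexconnect acl rule destination port range AmplespotWebAuth 2 0 65535
flexconnect acl rule source address AmplespotWebAuth 13 52.0.0.0 255.0.0.0
flexconnect acl rule source address AmplespotWebAuth 23 0.0.0.0 0.0.0.0
"""


def parse_flex_acl(text, acl_name):
    """Map rule index -> {'action', 'destination', 'source'} from CLI lines."""
    rules = {}
    for line in text.splitlines():
        tok = line.split()
        if tok[:3] != ["flexconnect", "acl", "rule"] or len(tok) < 7:
            continue
        if tok[3] == "action" and tok[4] == acl_name:
            rules.setdefault(int(tok[5]), {})["action"] = tok[6]
        elif tok[4] == "address" and tok[5] == acl_name and len(tok) == 9:
            net = ipaddress.ip_network(f"{tok[7]}/{tok[8]}")
            rules.setdefault(int(tok[6]), {})[tok[3]] = net
    return rules


def audit(rules, required_hosts, min_prefix=16):
    """Summarise what the permit rules open to unauthenticated clients."""
    permit = [r for r in rules.values() if r.get("action") == "permit"]
    dst = [r["destination"] for r in permit if "destination" in r]
    src = {r["source"] for r in permit if "source" in r}
    hosts = [ipaddress.ip_address(h) for h in required_hosts]
    return {
        # Total destination addresses reachable before login.
        "reachable": sum(n.num_addresses for n in ipaddress.collapse_addresses(dst)),
        # Prefixes wider than the review threshold (assumed default: /16).
        "broad": sorted(str(n) for n in dst if n.prefixlen < min_prefix),
        # Required hosts that no permit rule covers.
        "uncovered": [str(h) for h in hosts if not any(h in n for n in dst)],
        # Destination permits with no source permit for the return traffic.
        "unpaired": sorted(str(n) for n in dst if n not in src),
    }


if __name__ == "__main__":
    acl = parse_flex_acl(SAMPLE_ACL, "AmplespotWebAuth")
    print(audit(acl, ["52.209.11.75", "52.214.110.34", "198.51.100.7"]))
```

Run against the full command list above, the same count comes to 100,868,224 destination addresses on all ports and protocols, most of it from the six 255.0.0.0 rules.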

Please contact support if you hit problems configuring FlexConnect Access Lists.