Cisco WLC

This guide shows how to configure a Cisco Systems WLC controller to use Amplespot as its External Splash Page provider.

Please note:

  • This guide assumes that you have experience working with the Cisco WLC
  • Your controller must be running version 7.6 or above

Prerequisites

  • This article applies to all Cisco WLC controllers. The configuration procedure has been performed and tested on version 9-8-0-152-0.
  • To integrate the Cisco WLC controller with Amplespot, the controller must be able to reach the internet via the ports TCP/80, TCP/443, UDP/1812 and UDP/1813.
  • If you would like to use the secure version of the Amplespot Captive Portal (over HTTPS), make sure you have a correct SSL certificate installed on the controller.

Important note:

For all RADIUS and Captive Portal configuration settings, visit the RADIUS SETTINGS CONFIGURATION PAGE.

1. Add your Cisco Access Points to Amplespot Admin Dashboard

Head to the Amplespot Admin Dashboard and, if you haven't already, create Zones for your Access Points. Alternatively, use the default Zone and change your settings later.

Once you have created all necessary Zones, note the Base Radio MAC address(es) of your Cisco Access Points together with their names.

Now head to the Amplespot Admin Dashboard, click on Access Points in the left-hand menu and then on Add new Unmanaged Access Point.

Select the Access Point's make and model, type in the MAC Address and Name, and select the Country and the Captive Portal Zone where you would like to add this Access Point. You will be able to move your Access Point to other Zones later.

Make sure that the name of the SSID of the Zone you are selecting fully corresponds to the name of the WLAN SSID configured in the Cisco WLC.

Repeat this step for all Access Points you want to use with Amplespot.

2. Setup RADIUS servers for Authentication

Log in to your WLC graphical user interface, select SECURITY on the top menu, click on AAA, then RADIUS, then Authentication on the left-hand menu.

Click the New... button to add a new RADIUS server for authentication:

Create two RADIUS Authentication Servers with the following settings:

Primary Authentication Server:

Server Index (Priority): any priority
Server IP Address(Ipv4/Ipv6): <get in amplespot admin dashboard>
Shared Secret: <get in amplespot admin dashboard>
Port Number: 1812
Server Status: Enabled
Support for RFC 3576: Enabled
Server Timeout: 2 seconds

Repeat this step for the Secondary authentication server.

Set up the RADIUS attributes format:

Auth Called Station ID Type: [AP MAC Address: SSID]
MAC Delimiter: Hyphen

If you already use RADIUS Authentication servers with other settings and need the attributes format to differ from what this article requires, please contact Amplespot Support.

Click the Apply button to save your changes.

3. Setup RADIUS servers for Accounting

Go to SECURITY on the top menu, click on AAA, then RADIUS, then Accounting on the left-hand menu. Click the New... button to add a new RADIUS server for accounting:

Create two RADIUS Accounting Servers with the following settings:

Primary Accounting Server:

Server Index (Priority): <any>
Server IP Address(Ipv4/Ipv6): <get in amplespot admin dashboard>
Shared Secret: <get in amplespot admin dashboard>
Port Number: 1813
Server Status: Enabled
Server Timeout: 2 seconds
Network User: Enable
IPSec: Disabled

Repeat this step for the Secondary accounting server.

Set up the RADIUS attributes format:

Auth Called Station ID Type: [AP MAC Address: SSID]
MAC Delimiter: Hyphen

Click the Apply button to save your changes.
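The attribute format chosen in steps 2 and 3 is what ties a RADIUS request to the Base Radio MAC and Zone SSID entered in step 1. The following is an added example, not Amplespot's code: it parses a Called-Station-Id in the "AP MAC Address:SSID" layout with the hyphen delimiter and checks it against a table of registered Access Points. The function names, the lookup logic and the sample MAC and SSID are assumptions constructed for illustration.

```python
import re

# Hyphen-delimited MAC, one colon, then the SSID (which may itself contain colons).
_CSID = re.compile(r"((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}):(.+)")

def normalize_mac(mac):
    """Reduce common MAC notations (aa:bb.., AA-BB.., aabb.ccdd.eeff) to 12 hex digits."""
    digits = re.sub(r"[-:.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_called_station_id(value):
    """Return (normalized AP MAC, SSID) or raise ValueError on any other layout."""
    m = _CSID.fullmatch(value)
    if m is None:
        raise ValueError(f"unexpected Called-Station-Id: {value!r}")
    return normalize_mac(m.group(1)), m.group(2)

def check_request(value, registered):
    """Classify a request against {normalized Base Radio MAC: Zone SSID}."""
    try:
        mac, ssid = parse_called_station_id(value)
    except ValueError:
        return "bad-format"      # e.g. the MAC delimiter is not Hyphen
    if mac not in registered:
        return "unknown-ap"      # the AP was never added in step 1
    return "ok" if registered[mac] == ssid else "ssid-mismatch"

# Constructed sample: one AP as it might have been typed into the dashboard.
REGISTERED = {normalize_mac("00:11:22:AA:BB:C0"): "Guest WiFi"}

if __name__ == "__main__":
    for csid in ("00-11-22-aa-bb-c0:Guest WiFi",    # matches step 1 exactly
                 "00-11-22-aa-bb-c0:Guest-WiFi",    # SSID differs from the Zone
                 "00-11-22-aa-bb-c1:Guest WiFi",    # AP not registered
                 "00:11:22:aa:bb:c0:Guest WiFi"):   # colon-delimited MAC
        print(f"{csid!r:36} -> {check_request(csid, REGISTERED)}")
```

With a colon as the MAC delimiter the field separator and the MAC separator are the same character, so the boundary between MAC and SSID is no longer unambiguous; the hyphen setting avoids that.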

4. Configure Access Control Lists (ACL)

PLEASE NOTE:

  • For Access Points in FlexConnect Mode, complete steps under the FlexConnect ACLs. Create two rules per IP (for Inbound and Outbound)
  • For Access Points which are not in FlexConnect Mode, complete steps under Access Control Lists. Create one rule per IP.

You will need to create ACLs in order to permit access of unauthenticated WiFi clients to the following resources: 

  1. Amplespot Captive Portal servers;
  2. Social login pages hosted by Google, Facebook, and others (depending on your Captive Portal login options);
  3. Other content such as external CSS styles or fonts you may want to use in your Splash Pages.

We call these resources the "Walled Garden". Get the list of what you will need to allow from this documentation article. Please note that this list might change from time to time, as third parties (Google, Facebook, etc.) may update their services.

IP based vs Domain based ACLs:

  • Older versions of Cisco WLC do not support DNS-based Access Control Lists (ACLs); newer versions support them via CLI configuration only.
  • DNS-based ACLs are supported for non-FlexConnect access lists only, starting from version 7.6, but plenty of bugs are reported, so test carefully.

EXAMPLE A: DNS-based Access List:

(Cisco Controller) config>acl create amplespot-dns-cp-in
acl url-domain add *.amplespot.com amplespot-dns-cp-in
acl url-domain add *.fontawesome.com amplespot-dns-cp-in
acl url-domain add *.google-analytics.com amplespot-dns-cp-in
acl url-domain add *.googletagmanager.com amplespot-dns-cp-in
acl url-domain add api.mailgun.net amplespot-dns-cp-in
<...>

EXAMPLE B: IP-based Access List:

(Cisco Controller) config>acl create amplespot-nonflex-in
52.209.11.75
52.214.110.34
<...>

You can also create IP-based ACLs by going to SECURITY, expanding Access Control Lists and clicking Access Control Lists.

Configure the following settings:

Access Control List Name: Any name you want, e.g. amplespot-nonflex-in
ACL Type: IPv4

Click Apply to save.

Click on the ACL you just created.

Then click on Add New Rule.

Configure as per following:

Sequence: 1
Source: IP Address
IP Address: <Insert Domain IP>
Netmask: 255.255.255.255
Destination: Any
Protocol: ICP
DSCP: Any
Direction: Any
Action: Permit

Click Apply to save.

Repeat this for all of the DNS entries in Amplespot's Walled Garden list, replacing each DNS name with its corresponding IP address, or create DNS-based ACLs via the CLI (recommended!).

If you are using your access points in the FlexConnect mode, then you only need to create the FlexConnect ACLs.

5. Create Web Login Page

Go to SECURITY on the top menu, expand Web Auth, click on Web Login Page and fill in the fields with the following information:

Web Authentication Type: External
Redirect URL after login: <leave this blank for user to be redirected to original request URL or populate with URL of your choice>
External Webauth URL:
If your controller has a valid SSL certificate: https://cp.amplespot.com/cswlc/
If your controller does not have a valid SSL certificate: http://cp.amplespot.com/cswlc

If your controller does not have a valid SSL certificate, you need to change the Web Auth redirect URL to be non-HTTPS so that web users don't get an SSL warning.

Option 1: Change the SSL setting via CLI:

(Cisco Controller) config> network web-auth secureweb disable

You must reboot for the change to take effect.

Option 2: Change the SSL setting via the WLC web interface:

  • Go to MANAGEMENT on the top menu and then click on HTTP-HTTPS in the left-hand menu.
  • Under WebAuth SecureWeb, use the drop-down box to select:

Disabled: If your controller does not have a valid SSL certificate
Enabled: If your controller has a valid SSL certificate

6. Configure WLANs

Go to WLANs on the top menu, select Create New on the right side of the page and click Go to create a new WLAN.

You can also edit an existing WLAN if you want to start using it with Amplespot.

Create new WLAN:

Type: WLAN
Profile Name: <name of your SSID>
SSID: <name of your SSID>
ID: <Next free ID from the list or another one depending on your other settings>

Click Apply to save and proceed to configure.

This will open the General tab of the WLAN edit page.

Click the Security tab, then the Layer 2 tab and enter the following:

Layer 2 Security: None

On the Layer 3 tab set configuration as per following:

Layer 3 Security: Web Policy
Authentication: Selected
Pre-authentication ACL (IPv4): <amplespot-nonflex-in or another ACL name you used>

If your Access Points are in FlexConnect Mode, then you will need to use the drop-down box next to WebAuth FlexACL (see the last section of this manual).

On the AAA Servers tab set configuration as per following:

Radius Server Overwrite interface: Enabled
Interface Priority: WLAN
Authentication Servers: Enabled
Server 1 IP: <see in Amplespot Admin Dashboard>
Accounting Servers: Enabled
Server 1 IP: <see in Amplespot Admin Dashboard>, Port: 1813
Server 2 IP: <see in Amplespot Admin Dashboard>, Port: 1813
Radius Server Accounting; Interim Update: Ticked, Interval: 540
Authentication priority order for web-auth user (Not Used): LOCAL, LDAP
Authentication priority order for web-auth user (Order Used For Authentication): RADIUS

On the Advanced tab enter the following:

Allow AAA Override: Ticked

Enabling this parameter allows the controller to accept the attributes returned by the RADIUS server. The controller then applies these attributes to the WiFi users.

PLEASE NOTE: If you are using FlexConnect, scroll down and tick FlexConnect Local Switching.

Click Apply to save.

Go back to the General tab of the WLAN edit page. Change the status of the WLAN to Enabled.

We are finally done; click Apply at the top right to save the configuration.

Once you have saved your changes, reboot your controller.

FlexConnect Mode

If your access points are in the FlexConnect mode do the following:

1. Connect to WLC controller via SSH and enter configuration mode by typing config in the shell prompt. You will see the following prompt:

(Cisco Controller) config>

2. Enter the following commands (one block at a time) to create a FlexConnect ACL called AmplespotWebAuth. Change this ACL to reflect the IP addresses you need to enable.

flexconnect acl create AmplespotWebAuth
flexconnect acl apply AmplespotWebAuth 
	
flexconnect acl rule add AmplespotWebAuth 1 
flexconnect acl rule add AmplespotWebAuth 2 
flexconnect acl rule add AmplespotWebAuth 3 
flexconnect acl rule add AmplespotWebAuth 4 
flexconnect acl rule add AmplespotWebAuth 5 
flexconnect acl rule add AmplespotWebAuth 6 
flexconnect acl rule add AmplespotWebAuth 7 
flexconnect acl rule add AmplespotWebAuth 8 
flexconnect acl rule add AmplespotWebAuth 9
flexconnect acl rule add AmplespotWebAuth 10
flexconnect acl rule add AmplespotWebAuth 11
flexconnect acl rule add AmplespotWebAuth 12
flexconnect acl rule add AmplespotWebAuth 13
flexconnect acl rule add AmplespotWebAuth 14
flexconnect acl rule add AmplespotWebAuth 15
flexconnect acl rule add AmplespotWebAuth 16
flexconnect acl rule add AmplespotWebAuth 17
flexconnect acl rule add AmplespotWebAuth 18
flexconnect acl rule add AmplespotWebAuth 19
flexconnect acl rule add AmplespotWebAuth 20
flexconnect acl rule add AmplespotWebAuth 21
flexconnect acl rule add AmplespotWebAuth 22
flexconnect acl rule add AmplespotWebAuth 23

flexconnect acl rule action AmplespotWebAuth 1 permit
flexconnect acl rule action AmplespotWebAuth 2 permit
flexconnect acl rule action AmplespotWebAuth 3 permit
flexconnect acl rule action AmplespotWebAuth 4 permit
flexconnect acl rule action AmplespotWebAuth 5 permit
flexconnect acl rule action AmplespotWebAuth 6 permit
flexconnect acl rule action AmplespotWebAuth 7 permit
flexconnect acl rule action AmplespotWebAuth 8 permit
flexconnect acl rule action AmplespotWebAuth 9 permit
flexconnect acl rule action AmplespotWebAuth 10 permit
flexconnect acl rule action AmplespotWebAuth 11 permit
flexconnect acl rule action AmplespotWebAuth 12 permit
flexconnect acl rule action AmplespotWebAuth 13 permit
flexconnect acl rule action AmplespotWebAuth 14 permit
flexconnect acl rule action AmplespotWebAuth 15 permit
flexconnect acl rule action AmplespotWebAuth 16 permit
flexconnect acl rule action AmplespotWebAuth 17 permit 
flexconnect acl rule action AmplespotWebAuth 18 permit 
flexconnect acl rule action AmplespotWebAuth 19 permit  
flexconnect acl rule action AmplespotWebAuth 20 permit 
flexconnect acl rule action AmplespotWebAuth 21 permit 
flexconnect acl rule action AmplespotWebAuth 22 permit 
flexconnect acl rule action AmplespotWebAuth 23 deny
 
flexconnect acl rule destination address AmplespotWebAuth 1 13.0.0.0 255.0.0.0 
flexconnect acl rule destination address AmplespotWebAuth 2 52.0.0.0 255.0.0.0
flexconnect acl rule destination address AmplespotWebAuth 3 54.0.0.0 255.0.0.0
flexconnect acl rule destination address AmplespotWebAuth 4 70.0.0.0 255.0.0.0
flexconnect acl rule destination address AmplespotWebAuth 5 34.0.0.0 255.0.0.0 
flexconnect acl rule destination address AmplespotWebAuth 6 35.0.0.0 255.0.0.0 
flexconnect acl rule destination address AmplespotWebAuth 7 143.204.0.0 255.255.0.0
flexconnect acl rule destination address AmplespotWebAuth 8 204.246.0.0 255.255.0.0 
flexconnect acl rule destination address AmplespotWebAuth 9 205.251.0.0 255.255.0.0
flexconnect acl rule destination address AmplespotWebAuth 10 216.137.32.0 255.255.224.0 
flexconnect acl rule destination address AmplespotWebAuth 11 18.216.170.128 255.255.255.128
 
flexconnect acl rule destination port range AmplespotWebAuth 1 0 65535 
flexconnect acl rule destination port range AmplespotWebAuth 2 0 65535 
flexconnect acl rule destination port range AmplespotWebAuth 3 0 65535 
flexconnect acl rule destination port range AmplespotWebAuth 4 0 65535 
flexconnect acl rule destination port range AmplespotWebAuth 5 0 65535 
flexconnect acl rule destination port range AmplespotWebAuth 6 0 65535 
flexconnect acl rule destination port range AmplespotWebAuth 7 0 65535 
flexconnect acl rule destination port range AmplespotWebAuth 8 0 65535 
flexconnect acl rule destination port range AmplespotWebAuth 9 0 65535 
flexconnect acl rule destination port range AmplespotWebAuth 10 0 65535 
flexconnect acl rule destination port range AmplespotWebAuth 11 0 65535 
 
flexconnect acl rule source address AmplespotWebAuth 12 13.0.0.0 255.0.0.0 
flexconnect acl rule source address AmplespotWebAuth 13 52.0.0.0 255.0.0.0
flexconnect acl rule source address AmplespotWebAuth 14 54.0.0.0 255.0.0.0
flexconnect acl rule source address AmplespotWebAuth 15 70.0.0.0 255.0.0.0
flexconnect acl rule source address AmplespotWebAuth 16 34.0.0.0 255.0.0.0 
flexconnect acl rule source address AmplespotWebAuth 17 35.0.0.0 255.0.0.0 
flexconnect acl rule source address AmplespotWebAuth 18 143.204.0.0 255.255.0.0
flexconnect acl rule source address AmplespotWebAuth 19 204.246.0.0 255.255.0.0 
flexconnect acl rule source address AmplespotWebAuth 20 205.251.0.0 255.255.0.0
flexconnect acl rule source address AmplespotWebAuth 21 216.137.32.0 255.255.224.0 
flexconnect acl rule source address AmplespotWebAuth 22 18.216.170.128 255.255.255.128
flexconnect acl rule source address AmplespotWebAuth 23 0.0.0.0 0.0.0.0
 
flexconnect acl rule source port range AmplespotWebAuth 12 0 65535 
flexconnect acl rule source port range AmplespotWebAuth 13 0 65535 
flexconnect acl rule source port range AmplespotWebAuth 14 0 65535 
flexconnect acl rule source port range AmplespotWebAuth 15 0 65535 
flexconnect acl rule source port range AmplespotWebAuth 16 0 65535 
flexconnect acl rule source port range AmplespotWebAuth 17 0 65535 
flexconnect acl rule source port range AmplespotWebAuth 18 0 65535 
flexconnect acl rule source port range AmplespotWebAuth 19 0 65535 
flexconnect acl rule source port range AmplespotWebAuth 20 0 65535 
flexconnect acl rule source port range AmplespotWebAuth 21 0 65535 
flexconnect acl rule source port range AmplespotWebAuth 22 0 65535 
flexconnect acl rule source port range AmplespotWebAuth 23 0 65535 
 
flexconnect acl rule dscp AmplespotWebAuth 1  Any  
flexconnect acl rule dscp AmplespotWebAuth 2  Any  
flexconnect acl rule dscp AmplespotWebAuth 3  Any  
flexconnect acl rule dscp AmplespotWebAuth 4  Any  
flexconnect acl rule dscp AmplespotWebAuth 5  Any  
flexconnect acl rule dscp AmplespotWebAuth 6  Any  
flexconnect acl rule dscp AmplespotWebAuth 7  Any  
flexconnect acl rule dscp AmplespotWebAuth 8  Any  
flexconnect acl rule dscp AmplespotWebAuth 9  Any  
flexconnect acl rule dscp AmplespotWebAuth 10  Any 
flexconnect acl rule dscp AmplespotWebAuth 11  Any 
flexconnect acl rule dscp AmplespotWebAuth 12  Any 
flexconnect acl rule dscp AmplespotWebAuth 13  Any 
flexconnect acl rule dscp AmplespotWebAuth 14  Any 
flexconnect acl rule dscp AmplespotWebAuth 15  Any 
flexconnect acl rule dscp AmplespotWebAuth 16  Any 
flexconnect acl rule dscp AmplespotWebAuth 17  Any 
flexconnect acl rule dscp AmplespotWebAuth 18  Any 
flexconnect acl rule dscp AmplespotWebAuth 19  Any 
flexconnect acl rule dscp AmplespotWebAuth 20  Any 
flexconnect acl rule dscp AmplespotWebAuth 21  Any 
flexconnect acl rule dscp AmplespotWebAuth 22  Any 
flexconnect acl rule dscp AmplespotWebAuth 23  Any 
 
flexconnect acl rule protocol AmplespotWebAuth 1  Any  
flexconnect acl rule protocol AmplespotWebAuth 2  Any  
flexconnect acl rule protocol AmplespotWebAuth 3  Any
flexconnect acl rule protocol AmplespotWebAuth 4  Any
flexconnect acl rule protocol AmplespotWebAuth 5  Any  
flexconnect acl rule protocol AmplespotWebAuth 6  Any  
flexconnect acl rule protocol AmplespotWebAuth 7  Any  
flexconnect acl rule protocol AmplespotWebAuth 8  Any  
flexconnect acl rule protocol AmplespotWebAuth 9  Any 
flexconnect acl rule protocol AmplespotWebAuth 10  Any
flexconnect acl rule protocol AmplespotWebAuth 11  Any
flexconnect acl rule protocol AmplespotWebAuth 12  Any
flexconnect acl rule protocol AmplespotWebAuth 13  Any
flexconnect acl rule protocol AmplespotWebAuth 14  Any
flexconnect acl rule protocol AmplespotWebAuth 15  Any
flexconnect acl rule protocol AmplespotWebAuth 16  Any
flexconnect acl rule protocol AmplespotWebAuth 17  Any
flexconnect acl rule protocol AmplespotWebAuth 18  Any
flexconnect acl rule protocol AmplespotWebAuth 19  Any
flexconnect acl rule protocol AmplespotWebAuth 20  Any
flexconnect acl rule protocol AmplespotWebAuth 21  Any
flexconnect acl rule protocol AmplespotWebAuth 22  Any
flexconnect acl rule protocol AmplespotWebAuth 23  Any

Once completed, go to WLANs, open the WLAN you are configuring to use with Amplespot and set WebAuth FlexAcl to AmplespotWebAuth.
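Step 2 asks you to change the ACL to reflect the IP addresses you need. The following added example (not Amplespot's or Cisco's code) regenerates the command blocks above from a list of prefixes, using only the command forms shown on this page, and counts how many addresses the resulting ACL opens to unauthenticated clients. The function names are assumptions, and the two-host list reuses the addresses from EXAMPLE B purely for size comparison; the real list must come from the Walled Garden documentation.

```python
import ipaddress

# The 11 prefixes used by rules 1-11 (destination) and 12-22 (source) on this page.
PAGE_PREFIXES = [
    "13.0.0.0/8", "52.0.0.0/8", "54.0.0.0/8", "70.0.0.0/8", "34.0.0.0/8",
    "35.0.0.0/8", "143.204.0.0/16", "204.246.0.0/16", "205.251.0.0/16",
    "216.137.32.0/19", "18.216.170.128/25",
]
# Constructed comparison input: the two host addresses from EXAMPLE B.
TWO_HOSTS = ["52.209.11.75/32", "52.214.110.34/32"]

def flex_acl_commands(name, cidrs):
    """Rules 1..N permit traffic to each prefix, N+1..2N permit traffic from it,
    and rule 2N+1 denies everything else, in the page's command order."""
    nets = [ipaddress.ip_network(c) for c in cidrs]  # ValueError if host bits are set
    n, last = len(nets), 2 * len(nets) + 1
    rule = f"flexconnect acl rule {{}} {name} {{}}"
    cmds = [f"flexconnect acl create {name}", f"flexconnect acl apply {name}"]
    cmds += [rule.format("add", i) for i in range(1, last + 1)]
    cmds += [rule.format("action", i) + (" deny" if i == last else " permit")
             for i in range(1, last + 1)]
    cmds += [rule.format("destination address", i) + f" {net.network_address} {net.netmask}"
             for i, net in enumerate(nets, 1)]
    cmds += [rule.format("destination port range", i) + " 0 65535"
             for i in range(1, n + 1)]
    cmds += [rule.format("source address", i) + f" {net.network_address} {net.netmask}"
             for i, net in enumerate(nets, n + 1)]
    cmds.append(rule.format("source address", last) + " 0.0.0.0 0.0.0.0")
    cmds += [rule.format("source port range", i) + " 0 65535"
             for i in range(n + 1, last + 1)]
    for field in ("dscp", "protocol"):
        cmds += [rule.format(field, i) + " Any" for i in range(1, last + 1)]
    return cmds

def exposed_addresses(cidrs):
    """Count distinct IPv4 addresses reachable on every port before login."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs)
    return sum(net.num_addresses for net in nets)

if __name__ == "__main__":
    print("\n".join(flex_acl_commands("AmplespotWebAuth", TWO_HOSTS)))
    for label, cidrs in (("page prefixes", PAGE_PREFIXES), ("two hosts", TWO_HOSTS)):
        print(f"{label}: {exposed_addresses(cidrs):,} addresses open pre-auth")
```

Because every permit rule uses port range 0 65535 and protocol Any, the prefix widths alone decide how much of the internet a client can reach without logging in, so keep them as narrow as the Walled Garden list allows.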

Please contact support if you hit problems configuring FlexConnect Access Lists.

You are done!