Cisco Catalyst 9800

Configure Cisco Catalyst 9800 Wireless LAN Controller with IronWiFi for enterprise-grade authentication. This guide provides CLI and GUI configuration for AAA RADIUS servers, web authentication parameter maps, pre-authentication ACLs, and Passpoint (Hotspot 2.0) profiles for guest and secure employee WiFi networks.

Prerequisites

In Cisco Catalyst 9800:

Cisco Catalyst 9800 WLC
Network connectivity between WLC and IronWiFi RADIUS servers
CLI access to the WLC

In IronWiFi Console (complete these first):

Create a Network in IronWiFi Console
Create a Captive Portal with vendor Cisco
Note the following details:
- Primary and Backup RADIUS server IP addresses
- RADIUS ports (
```
{AUTH_PORT}
```
  for authentication,
```
{ACCT_PORT}
```
  for accounting)
- Shared secret
- Splash Page URL

WLC Configuration

Step 1: Configure AAA

Add RADIUS Server

radius server IRONWIFI-PRIMARY
 address ipv4 {PRIMARY_IP} auth-port {AUTH_PORT} acct-port {ACCT_PORT}
 key {SHARED_SECRET}

radius server IRONWIFI-BACKUP
 address ipv4 {BACKUP_IP} auth-port {AUTH_PORT} acct-port {ACCT_PORT}
 key {SHARED_SECRET}

Create Server Group

aaa group server radius IRONWIFI
 server name IRONWIFI-PRIMARY
 server name IRONWIFI-BACKUP

Configure AAA Methods

aaa authentication dot1x IRONWIFI-DOT1X group IRONWIFI
aaa authorization network IRONWIFI-AUTHZ group IRONWIFI
aaa accounting identity IRONWIFI-ACCT start-stop group IRONWIFI

Step 2: Configure WLAN

Create WLAN Profile

wlan GUEST-WIFI 1 GUEST-WIFI
 security web-auth
 security web-auth authentication-list IRONWIFI-DOT1X
 security web-auth parameter-map global
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2 ciphers aes
 no shutdown

Step 3: Configure Web Auth Parameter Map

parameter-map type webauth global
 type webauth
 redirect for-login {SPLASH_PAGE_URL}
 redirect portal ipv4 107.178.250.42

Step 4: Configure ACL

Create pre-auth ACL:

ip access-list extended IRONWIFI-PREAUTH
 permit ip any host 107.178.250.42
 permit ip host 107.178.250.42 any
 permit udp any any eq domain
 permit udp any eq domain any
 deny ip any any

Required Walled Garden Entries

In addition to the IronWiFi splash page IP (107.178.250.42) and DNS entries above, you may need to add entries for authentication providers and payment processors:

Provider	Required Entries
Google	`.google.com` , `.googleapis.com` , `*.gstatic.com` , `accounts.google.com`
Facebook	`.facebook.com` , `.fbcdn.net` , `connect.facebook.net` , `facebook.com`
LinkedIn	`.linkedin.com` , `.licdn.com` , `linkedin.com`
Twitter/X	`.twitter.com` , `.twimg.com` , `twitter.com` , `*.x.com` , `x.com`
Apple	`.apple.com` , `.icloud.com` , `appleid.apple.com`
Microsoft Entra ID	`.microsoft.com` , `.microsoftonline.com` , `*.msftauth.net` , `login.microsoftonline.com`
Stripe	`*.stripe.com` , `js.stripe.com`
PayPal	`.paypal.com` , `.paypalobjects.com`
Twilio (SMS)	`*.twilio.com`

Step 5: Apply Configuration

wlan GUEST-WIFI
 security web-auth acl IRONWIFI-PREAUTH

Passpoint Configuration

The following configuration enables Hotspot 2.0 (Passpoint) for seamless authentication:

Configure Hotspot 2.0

wireless hotspot anqp-server IRONWIFI-HS20
 domain-name ironwifi.net

wireless hotspot dot11u-profile IRONWIFI-DOT11U
 access-network-type chargeable-public-network
 network-auth-type 00
 venue-name IronWiFi Hotspot
 venue-type business.office
 hessid-enable

wireless hotspot hs2-profile IRONWIFI-HS2
 access-network-type chargeable-public-network
 anqp-server IRONWIFI-HS20
 dot11u-profile IRONWIFI-DOT11U

Apply to WLAN

wlan PASSPOINT-WIFI 2 PASSPOINT
 hotspot hs2-profile IRONWIFI-HS2
 security dot1x authentication-list IRONWIFI-DOT1X

WPA-Enterprise Configuration

The following configuration is for 802.1X authentication without web authentication:

wlan SECURE-WIFI 3 SECURE-WIFI
 security dot1x authentication-list IRONWIFI-DOT1X
 security wpa wpa2
 security wpa wpa2 ciphers aes
 security wpa akm dot1x
 no shutdown

Verification Commands

After completing the configuration steps above, verify everything works correctly.

Check RADIUS server status:

show aaa servers

Check WLAN configuration:

show wlan summary
show wlan name GUEST-WIFI

Check client status:

show wireless client summary
show wireless client mac-address {MAC} detail

Troubleshooting

If testing reveals issues, use this section to diagnose common problems:

Symptom	Cause	Solution
RADIUS not responding	Network connectivity issue	Verify connectivity: `ping {RADIUS_IP}`
RADIUS not responding	Server configuration error	Check server status: `show aaa servers`
RADIUS not responding	Incorrect shared secret	Verify shared secret matches IronWiFi Console
RADIUS not responding	Firewall blocking RADIUS	Check firewall rules allow UDP `{AUTH_PORT}` - `{ACCT_PORT}`
Web Auth not redirecting	ACL not applied	Verify ACL is applied to WLAN
Web Auth not redirecting	Parameter-map misconfigured	Check parameter-map configuration
Web Auth not redirecting	Incorrect redirect URL	Ensure redirect URL is correct
Web Auth not redirecting	Cannot reach splash page	Test client can reach 107.178.250.42
Authentication failures	Invalid credentials	Check RADIUS logs in IronWiFi Console
Authentication failures	WLC configuration issue	Review WLC debugging: `debug aaa all` and `debug web-auth all`
Authentication failures	User account problem	Verify user credentials in IronWiFi Console

For this vendor

Cisco Catalyst Passpoint

Shared configuration

Was this page helpful?

Prerequisites​

In Cisco Catalyst 9800:​

In IronWiFi Console (complete these first):​

WLC Configuration​

Step 1: Configure AAA​

Add RADIUS Server​

Create Server Group​

Configure AAA Methods​

Step 2: Configure WLAN​

Create WLAN Profile​

Step 3: Configure Web Auth Parameter Map​

Step 4: Configure ACL​

Required Walled Garden Entries​

Step 5: Apply Configuration​

Passpoint Configuration​

Configure Hotspot 2.0​

Apply to WLAN​

WPA-Enterprise Configuration​

Verification Commands​

Troubleshooting​

Related Topics​