Cisco WLC

Integrate Cisco AireOS Wireless LAN Controller with IronWiFi's RADIUS authentication services for guest and enterprise WiFi. This guide covers RADIUS server configuration, WLAN security profiles, web authentication setup, pre-authentication ACLs, and WPA-Enterprise deployment for secure network access.

Prerequisites

In Cisco WLC:

Cisco WLC running AireOS
Network connectivity to IronWiFi RADIUS servers
Administrative access to WLC (GUI or CLI)

In IronWiFi Console (complete these first):

Create a Network in IronWiFi Console
Create a Captive Portal with vendor Cisco WLC
Note the following details:
- Primary and Backup RADIUS server IP addresses
- Customer authentication and accounting ports (displayed in Network Settings)
- Shared secret
- Splash Page URL

WLC Configuration via GUI

Step 1: Add RADIUS Servers

Navigate to SECURITY → AAA → RADIUS → Authentication
Click New
Configure primary server:
- Server Address:
```
{Primary IP}
```
- Port Number:
```
{Customer Authentication Port}
```
- Shared Secret:
```
{Shared secret}
```
- Server Status: Enabled
Add backup server similarly

Step 2: Add RADIUS Accounting

Navigate to SECURITY → AAA → RADIUS → Accounting
Add servers with your customer accounting port (displayed in Network Settings)

Step 3: Create WLAN

Navigate to WLANs → Create New
Configure:
- Profile Name: Guest-WiFi
- SSID: Guest-WiFi
- Status: Enabled

Step 4: Configure Security

Select your WLAN
Go to Security → Layer 2
- Layer 2 Security: None (for captive portal)
Go to Security → Layer 3
- Layer 3 Security: Web Policy
- Web Policy Type: External (redirect to external server)
- Preauthentication ACL: Select or create ACL

Step 5: Configure AAA Servers

Go to Security → AAA Servers
Enable Authentication Servers and Accounting Servers
Select the IronWiFi RADIUS servers

Step 6: Configure Web Auth

Navigate to SECURITY → Web Auth → Web Login Page
Set Web Authentication Type: External
Set Redirect URL after Login:
```
{Splash Page URL}
```

Pre-Authentication ACL

Create ACL for pre-auth access:

Navigate to SECURITY → Access Control Lists → Access Control Lists
Create new ACL named "IronWiFi-PreAuth"
Add rules:
- Permit IP to 107.178.250.42
- Permit DNS (UDP 53)
- Deny all

Required Walled Garden Entries

In addition to the IronWiFi splash page IP (107.178.250.42), you may need to add entries for authentication providers and payment processors:

Provider	Required Entries
Google	`.google.com` , `.googleapis.com` , `*.gstatic.com` , `accounts.google.com`
Facebook	`.facebook.com` , `.fbcdn.net` , `connect.facebook.net` , `facebook.com`
LinkedIn	`.linkedin.com` , `.licdn.com` , `linkedin.com`
Twitter/X	`.twitter.com` , `.twimg.com` , `twitter.com` , `*.x.com` , `x.com`
Apple	`.apple.com` , `.icloud.com` , `appleid.apple.com`
Microsoft Entra ID	`.microsoft.com` , `.microsoftonline.com` , `*.msftauth.net` , `login.microsoftonline.com`
Stripe	`*.stripe.com` , `js.stripe.com`
PayPal	`.paypal.com` , `.paypalobjects.com`
Twilio (SMS)	`*.twilio.com`

WPA-Enterprise Configuration

The following configuration is for 802.1X authentication without captive portal:

Create WLAN
Security → Layer 2: WPA+WPA2
Authentication Key Management: 802.1X
Security → AAA Servers: Enable and select IronWiFi servers

CLI Configuration

RADIUS Servers

config radius auth add 1 {PRIMARY_IP} {AUTH_PORT} ascii {SECRET}
config radius auth add 2 {BACKUP_IP} {AUTH_PORT} ascii {SECRET}
config radius acct add 1 {PRIMARY_IP} {ACCT_PORT} ascii {SECRET}
config radius acct add 2 {BACKUP_IP} {ACCT_PORT} ascii {SECRET}

WLAN Configuration

config wlan create 1 Guest-WiFi Guest-WiFi
config wlan security web-auth enable 1
config wlan security web-auth server-precedence 1 local radius
config wlan radius_server auth add 1 1
config wlan radius_server auth add 1 2
config wlan radius_server acct add 1 1
config wlan enable 1

Web Auth

config custom-web webauth-type external
config custom-web redirecturl {SPLASH_URL}

Verification

After completing the configuration steps above, verify everything works correctly:

show radius summary
show radius auth statistics
show wlan 1
show client summary

Troubleshooting

If testing reveals issues, use this section to diagnose common problems:

Symptom	Cause	Solution
Clients not redirecting to splash page	Layer 3 security not set to Web Policy	Verify Layer 3 security is set to Web Policy
Clients not redirecting to splash page	Pre-auth ACL blocking splash page	Check pre-auth ACL allows splash page access (107.178.250.42)
Clients not redirecting to splash page	Incorrect redirect URL	Confirm redirect URL is correct in Web Auth settings
RADIUS timeouts	Network connectivity issue	Test connectivity to RADIUS servers using ping
RADIUS timeouts	Incorrect shared secret	Verify shared secret matches IronWiFi Console
RADIUS timeouts	Firewall blocking RADIUS	Check firewall rules allow UDP traffic on your customer authentication and accounting ports
RADIUS timeouts	Server issues	Review RADIUS statistics: `show radius auth statistics`
Authentication failures	Invalid credentials	Check user credentials in IronWiFi Console
Authentication failures	RADIUS communication issue	Enable RADIUS debugging: `debug aaa all enable`
Authentication failures	Configuration mismatch	Review IronWiFi authentication logs

For this vendor

Cisco WLC Passpoint

Shared configuration

Was this page helpful?

Prerequisites​

In Cisco WLC:​

In IronWiFi Console (complete these first):​

WLC Configuration via GUI​

Step 1: Add RADIUS Servers​

Step 2: Add RADIUS Accounting​

Step 3: Create WLAN​

Step 4: Configure Security​

Step 5: Configure AAA Servers​

Step 6: Configure Web Auth​

Pre-Authentication ACL​

Required Walled Garden Entries​

WPA-Enterprise Configuration​

CLI Configuration​

RADIUS Servers​

WLAN Configuration​

Web Auth​

Verification​

Troubleshooting​

Related Topics​