Skip to main contentSkip to search
Skip to main content

Cisco WLC - Passpoint Configuration

Configure Passpoint (Hotspot 2.0) on Cisco AireOS WLC or Catalyst 9800 wireless controllers to enable automatic WiFi authentication through IronWiFi's cloud RADIUS service. This provides seamless WPA2/WPA3-Enterprise connections without manual network selection or splash pages.

Supported Platforms

  • Cisco AireOS WLC - 5520, 8540, 3504, vWLC
  • Cisco Catalyst 9800 - 9800-40, 9800-80, 9800-CL
  • Cisco Embedded Wireless Controller

Prerequisites

In Cisco WLC:

  • Cisco WLC with AireOS 8.5+ or IOS-XE 17.x+
  • Access points supporting Hotspot 2.0 (Wave 2 or later)
  • Network connectivity to IronWiFi RADIUS servers

In IronWiFi Console (complete these first):

  1. Log in to IronWiFi Management Console
  2. Navigate to Networks > select your network
  3. Enable Passpoint
  4. Note the RADIUS details and Passpoint configuration:
    • RADIUS Server IP
    • RADIUS Secret
    • Authentication Port: Customer Authentication Port
    • Accounting Port: Customer Accounting Port

AireOS WLC Configuration

Web Interface Configuration

Step 1: Configure RADIUS Server

  1. Log in to WLC web interface

  2. Go to Security > AAA > RADIUS > Authentication

  3. Click New

  4. Configure:

    • Server Index: 1
    • Server IP Address: IronWiFi RADIUS IP
    • Shared Secret: Your RADIUS secret
    • Port Number: Customer Authentication Port
    • Server Status: Enabled

  5. Click Apply

  6. Go to Accounting and add accounting server:

    • Same IP, customer accounting port

Step 2: Create WLAN

  1. Go to WLANs
  2. Click Create New
  3. Configure:
    • Profile Name: Passpoint
    • SSID: Passpoint
    • ID: Select available ID
  4. Click Apply

Step 3: Configure WLAN Security

  1. Edit the new WLAN
  2. Go to Security > Layer 2:
    • Layer 2 Security: WPA+WPA2
    • WPA2 Policy: Enabled
    • WPA2 Encryption: AES
    • Auth Key Mgmt: 802.1X
  3. Go to Security > AAA Servers:
    • Authentication Servers: Select IronWiFi server
    • Accounting Servers: Select IronWiFi server

Step 4: Enable Hotspot 2.0

  1. Go to Advanced tab
  2. Find Hotspot 2.0 section
  3. Enable Hotspot 2.0
  4. Configure:

General:

  • Hotspot 2.0 Enable: Enabled
  • DGAF Disable: Disabled

Step 5: Configure 802.11u

  1. Go to Wireless > 802.11u
  2. Enable 802.11u
  3. Configure:

Network Settings:

  • Internet Access: Enabled
  • Network Type: Free public network
  • ASRA: Disabled

Venue Information:

  • Venue Group: Business
  • Venue Type: Unspecified
  • Venue Name: Your Location (Language: eng)

Step 6: Configure Roaming Consortium

  1. In 802.11u settings, find Roaming Consortium
  2. Add OIs:

Step 7: Configure NAI Realm

  1. Go to NAI Realm section
  2. Add realm:
    • NAI Realm: ironwifi.com
    • EAP Method: EAP-TTLS
    • Inner Auth: PAP

Step 8: Configure Domain

  1. In Hotspot 2.0 settings
  2. Add Domain Name: 
    ironwifi.net

AireOS CLI Configuration

Catalyst 9800 Configuration

Web Interface (WebUI)

Configure RADIUS

  1. Go to Configuration > Security > AAA
  2. Click Servers/Groups > RADIUS
  3. Add server:
    • Name: IronWiFi
    • IP Address: IronWiFi RADIUS IP
    • Key: Your shared secret
    • Auth Port: Customer Authentication Port
    • Acct Port: Customer Accounting Port

Create Server Group

  1. Go to Server Groups
  2. Create new group
  3. Add IronWiFi server to group

Configure Policy Profile

  1. Go to Configuration > Tags & Profiles > Policy
  2. Create new policy profile
  3. Configure AAA settings to use IronWiFi

Configure WLAN

  1. Go to Configuration > Tags & Profiles > WLANs

  2. Create new WLAN:

    • Profile Name: Passpoint
    • SSID: Passpoint
    • Status: Enabled

  3. In Security tab:

    • Layer 2: WPA2
    • Auth Key Management: 802.1X

  4. In Advanced tab:

    • Enable Hotspot 2.0

Configure Hotspot 2.0

  1. Go to Configuration > Wireless > Hotspot 2.0
  2. Create HS2.0 Profile:

General Settings:

  • Profile Name: IronWiFi-Passpoint
  • Internet Access: Enabled
  • Network Type: Free public

Venue:

  • Venue Group: Business
  • Venue Type: Unspecified

Domain:

  • Add: 
    ironwifi.net

Roaming Consortium:

  • Add: 
    5A03BA0000
  • Add: 
    004096

NAI Realm:

  • Realm: ironwifi.com
  • EAP Method: EAP-TTLS
  • Inner Auth: PAP
  1. Assign profile to WLAN

Catalyst 9800 CLI Configuration

Troubleshooting

Common Issues

Network Not Discovered

  1. Verify Hotspot 2.0 is enabled on WLAN
  2. Check 802.11u configuration
  3. Verify GAS/ANQP frames are being sent
  4. Check client Passpoint support

Authentication Failures

  1. Test RADIUS connectivity
  2. Verify NAI realm configuration
  3. Check IronWiFi logs for details
  4. Verify EAP method configuration

Debug Commands (AireOS)

Debug Commands (Catalyst 9800)

Best Practices

  1. Use Wave 2 APs: Ensure APs support Hotspot 2.0
  2. Firmware: Keep WLC and APs on supported versions
  3. Testing: Test with multiple device types
  4. Monitoring: Monitor authentication success rates
  5. Redundancy: Configure backup RADIUS servers

Same vendor

Standards & reference

Was this page helpful?