Cisco Catalyst 9800 - Passpoint configuration

Cisco Catalyst 9800 - Passpoint configuration

Prerequisites

  1. Access to the Cisco WLC Dashboard as a user with administrative privileges.
  2. Information about the assigned RADIUS servers (Server IP address, port numbers, shared secrets):
    1. Email or document that contains this information

      OR

    2. Access to the IronWiFi Management Console - Sign in or Open Account

Log in to the Cisco Catalyst 9800 Series Wireless Controller Dashboard

To start the configuration process, log in to the Cisco Catalyst 9800-CL Wireless Controller Dashboard as admin.  For existing environments with additional users, log in as a user with administrative privileges.

 

 

The Cisco Catalyst 9800-CL Wireless Controller Dashboard appears. Your access points are displayed.

 

Note: There are a number of options you can set. Only the options that require your input are shown. Default values are used for options that don’t need adjustment.

Set up a secure RADIUS connection

It’s important to set up a secure RADIUS connection between the wireless LAN controller and IronWiFi. We recommend that you create a primary and a secondary RADIUS server for high availability. Then create a server group and add those servers to the group.  

Add RADIUS authentication and accounting servers

  1. Select Configuration > Security > AAA from the menu on the left side of the Dashboard.
    The AAA page appears.
  2. Make sure that RADIUS and Servers are selected.Ubiquiti passpoint configuration - 2023-02-01T082815.316
  3. Click + Add under Servers/Groups.
    The Create AAA Radius Server dialog box appears.
    35.189.111.2 (16)
  4. Enter a Name, such as “Primary_radius”.
  5. For the Server Address enter the IP address of the Primary Radius server (from the Console)
  6. For Key, enter the value that will be communicated by IronWiFi, then enter the same value for Confirm Key.
  7. Verify that Auth Port is auth port from the Console (RADIUS authentication) and Acct Port is acct port from the Console (RADIUS accounting).
  8. For Server Timeout, enter “30” seconds. This is the maximum timeout as recommended in RFC 5080.
  9. Click Apply to Device on the bottom right.
    You return to the AAA page where the server you added is listed.
    Ubiquiti passpoint configuration - 2023-02-01T083120.555
  10. To review or edit server values, select the server in the list.
    35.189.111.2 (17)
  11. Repeat steps 3-10 to add the Secondary RADIUS server (from the Console)

Add a RADIUS server group

Using a server group, you can separate IronWiFi authentication requests from the rest of your network. If you don’t create a server group, the controller will send authentication requests to the default server group, which might contain servers that aren’t associated with IronWiFi.

  1. Navigate to Configuration > Security > AAA.
  2. On the AAA page, under Servers/Groups, select the Server Groups tab.
  3. Make sure that RADIUS and Server Groups are selected.
  4. Click + Add under Servers/Groups.The Create AAA Radius ServerGroup dialog box appears.
    mceclip3.png
  5. Enter a Name, such as “IronWiFi_RADIUS”.
  6. Select all of your RADIUS servers under Available Servers.
  7. Click > to move the servers to Assigned Servers.
Click Apply to Device on the bottom right.
You see a message indicating that the configuration was saved. You return to the AAA page where the server group you added is listed.
RADIUS

Create AAA Method List

  1. Navigate to Configuration > Security > AAA > AAA Method List
  2. Select the Authentication tab and click + Add
    The Quick Setup : AAA Authentication box appears.
    2-2
  3. Enter a Method List Name, such as “guest_auth”.
  4. For the category Type select dot1x from the drop-down menu.
  5. For the category Group Type select group from the drop-down menu.
  6. Select all of the RADIUS servers group previously created under Available Server Groups.
  7. Click > to move the servers to Assigned Servers Groups.
  8. Click Apply to Device on the bottom right.
  9. Select the Accouting tab on the left and click + Add
    The Quick Setup : AAA Accouting box appears.
  10. Enter a Method List Name, such as “guest_acct”.
  11. For the category Type select identity from the drop-down menu.
  12. Select all of the RADIUS servers group previously created under Available Server Groups.
  13. Click > to move the servers to Assigned Servers Groups.
  14. Click Apply to Device on the bottom right.

 

Configure the WLAN AA Policy

  1. Navigate to Configuration > Security > Wireless AAA Policy
  2. Click + Add
    The Add Wireless AAA Policy dialog appears.
3-2

3.  Enter a Policy Name such as "IronWiFi"
4.  On NAS-ID Option 1 select AP MAC Address

4-1
5. Click Apply to Device on the bottom right.

 

Configure Hotspot 2.0

Hotspot 2.0 allows mobile devices to join a WiFi network automatically, including during roaming, when the devices enter the Hotspot 2.0 area.

Configure ANQP Server Parameters

Access Network Query Protocol (ANQP) provides a range of information, such as IP address type and availability, and roaming partners accessible through a hotspot.

  1. Select Configuration > Wireless > Hotspot/OpenRoaming from the menu on the left side of the Dashboard.




The Hotspot/OpenRoaming page appears.

mceclip6.png

2.  Click + Add under ANQP Servers.
The Add New ANQP Server dialog box appears. The General/OpenRoaming tab is selected.

Ubiquiti passpoint configuration - 2023-02-07T132407.195

 

General/OpenRoaming settings

 

  1. In the Add New ANQP Server dialog box, enter a Name for the server, such as “IronWiFi”.
  2. Check the box next to Internet Access.
  3. For Network Type, select Free Public.


Ubiquiti passpoint configuration - 2023-02-01T085116.018

4.  In the NAI Realms section on the bottom left, click + Add.
The Add NAI Realm page appears.


5.  For NAI Realm Name, enter the value associated with your home network domain, as provided in the IronWiFi dashboard
6.  For EAP Method, select eap-ttls.
An EAP-TTLS dialog box appears.
7.  Select inner-auth-non-eap, and check to box next to mschap2. T
his is the EAP authentication method.
8.  Click Save at the bottom of the EAP-TLS dialog box.
9.  Click Apply to Device at the bottom of the Add NAI Realm dialog box.

You see your real, such as "ironwifi.net" listed as an NAI realm.

Ubiquiti passpoint configuration 64
10.  To enable also OpenRoaming, in the Roaming OIs section on the top right, enter “AA146B0000” for Roaming OI.
11.  Click + Add.
12.  Repeat the same steps to add also the Roaming OIs "AA146B".
You see the RCOI under Assigned ROI :: Beacon State.
13.  Check the box next to Beacon State. This includes the RCOI in access point broadcasts.

Ubiquiti passpoint configuration - 2023-02-09T114610.440
14.  In the Domains section, enter your home network domain, as provided in the IronWiFi dashboard, such as “ironwifi.net” for Domain Name
15.  Click + Add.

You see the domain name in the Domain Name list.


Server Settings

 

1.  Still on the  Add New ANQP Server dialog box, select Server Settings at the top.
The Server Settings page appears.

2.  In the WAN Metrics section, set the parameters as appropriate for your network. Don’t leave these values blank.
3.  Set Link Status to Up.
4.  Don’t enable Full Capacity Link unless you want to block devices from connecting. This setting tells devices that there’s no bandwidth available so devices will refuse to connect.

5.  Click Apply to Device at the bottom right.

You see a message indicating that the configuration was saved. You return to the Hotspot/OpenRoaming page where the ANQP server you added is listed.


Configure the Wireless LAN Profile

To configure the wireless LAN, you create an SSID to identify the wireless LAN. Then you associate the security profile and RADIUS servers with the wireless LAN.

Create the SSID

1.  Select Configuration > Tags & Profiles > WLANs from the menu on the left side of the Dashboard.

The WLANs page appears.


2.  Click + Add.
The Add WLAN dialog box appears. The General tab is selected.


3.  Enter a Profile Name, such as, “IronWiFi”.
4.  For SSID, enter your SSID name, such as “IronWiFi”.
5.  Change Status to Enabled.
6.  Click Apply to Device on the bottom right.

10a

You see a message indicating that the configuration was saved. You return to the WLANs page where the wireless LAN you added is listed.

Ubiquiti passpoint configuration - 2023-02-01T085632.051

 

Associate the security profile and RADIUS servers with the wireless LAN

 

1.  Navigate to Configuration > Tags & Profiles > WLANs.
2.  Select the wireless LAN you added. The Edit WLAN page appears.
3.  Select Security at the top. The Layer2 tab is selected.


4.  For Layer 2 Security Mode, select WPA + WPA2 (default).
Note: do not use a security level lower than “WPA2 + WPA3”, otherwise you might get a “Security Weak” error on iOS.


5.  Verify that the boxes next to these security options are checked:
WPA2 Policy
WPA2 Encryption AES(CCMP128)
Auth Key Mgmt 802.1x


6.  Select AAA at the top.
7.  Select the Authentication list created earlier from the drop down menu, “guest_auth”.

mceclip15.png

Configure Policy Profile

 

A Policy Profile enables you to assign parameters like VLAN, Access Controls List [ACLs], Quality of Service [QoS].

1.  Navigate to Configuration > Tags & Profiles > Policy > ADD+
2.  The Add Policy Profile page appears.


radius3

 

3.  Enter a Policy Name, such as, “IronWiFi”
4.  Enter a Policy Description, such as, “IronWiFi”
5.  Enable the Status of this profile by clicking on the category.


12a

6.  Still on the  Add Policy Profile dialog box, select Access Policies option at the top.

The Access Policies page appears as below:

radius4

 

7.  Enter the VLAN ID allocated for IronWiFi WLAN, in case of default VLAN type the number 1. DO NOT leave this field blank or select default from the drop down menu.

mceclip17.png


8.  Still on the  Add Policy Profile dialog box, select Advanced option at the top.

The Advanced Option page appears:

9.  Under the WLAN Timeout section, uncheck the Client Exclusion Timeout option
mceclip1.png
10.  Under Hotspot Server option (Top right) select the Hotspot Server name configured earlier, “IronWiFi”.
13a
11. Under AAA Policy (Bottom Left) check the box next to Allow AAA Override and 
as Policy Name select the Wireless AAA Policy created before (e.g. "IronWiFi")
as a Accounting List select the Accounting List created before (e.g. IronWiFi")

14a


12.  Click Apply to Device at the bottom right.


Configure Policy Tag

 

A Policy tag is configured to connect the WLAN Profile to the Policy Profile.

1.  Navigate to Configuration > Tags & Profiles > Tags > Policy > ADD
2.  The Add Policy Tag dialogue box appears.


radius 5

 

3.  Enter a Profile Name, such as, “IronWiFi”.
4.  For Description, enter “IronWiFi”.
5.  Click on ADD under WLAN-POLICY Maps

6.  Select the WLAN Profile configured earlier from the drop down menu option ("IronWiFi").
7.  Select the Policy Profile configured earlier from the drop down menu option ("IronWiFi").

15a

 

8.  Click on the check mark below mceclip21.png & Save & Apply to Device on the bottom right.

Assign Policy Tag

To deploy configured policies to the Access Points each Policy Tag should be attached to the required Access Point.

1.  Navigate to Configuration > Wireless Setup > Advanced > Start Now > Apply

image 0008

2.  Click on Tag APs (Bottom Right) of the page  mceclip22.png

Ubiquiti passpoint configuration - 2023-02-01T090135.196

3.  Select the Access Points to be tagged and +Tag APs from the Top of the page
4.  The Tag APs dialogue box appears

5.  For Policy select the Policy Tag configured earlier from the drop down menu.

17a

6.  Click Save & Apply to Device on the bottom right.

 

 

AT&T MNC / MCC Configuration


1. Select Configuration > Wireless > Hotspot/Openroaming from the menu on the left
side of the Dashboard.

Screenshot 2023-02-01 6.06.32 PM

The Hotspot/OpenRoaming page appears.

Ubiquiti passpoint configuration - 2023-02-09T120134.266

2. Click + Add under ANQP Servers.
The Add New ANQP Server dialog box appears. The General/OpenRoaming tab is
selected.

Ubiquiti passpoint configuration - 2023-02-09T120734.222

3. To add MCC/MNC codes for cellular based authentication select the 3GPP menu from
the top

image-047

4. Click on the +Add button and insert the MCC/MNC code under the 3GPP Network
Details. Each set of code to be inserted one at a time.

image-048

5. Click on the ‘Check mark’ to register the entered MCC/MNC code pair. Repeat the
process for Step 2 & 3 to add the following codes.
● MCC (310) ; MNC (410)
● MCC (310) ; MNC (280)
● MCC (310) ; MNC (150)
● MCC (313) ; MNC (100)

image-049

6. Click Apply to Device at the bottom right.


You see a message indicating that the configuration was saved. You return to the
Hotspot/OpenRoaming page where the ANQP server you added is listed.

    • Related Articles

    • Cisco Catalyst

      IronWiFi Console Configuration Log into the IronWiFi console or register for free Create a new network After that, create a new captive portal, with vendor Cisco catalyst Access Point Configuration Open a web browser and log in to your Cisco Catalyst ...

    • Cisco WLC 9800

      This page will guide you through the Captive Portal configuration for Cisco WLC 9800 hardware / VM and authentication via IronWiFi. IronWiFi Console Configuration Log into the IronWiFi console or register for free Create a new network After that, ...

    • Cisco WLC 8.5 - Passpoint configuration

      Prerequisites Access to the Cisco WLC Dashboard as a user with administrative privileges. Cisco access points and wireless LAN controller are deployed. Controller has basic networking configured and has the licenses required. Access points are ...

    • OpenWrt - Passpoint configuration

      Prerequisites OpenWrt compatible device with Passpoint-capable wireless device (PHY). OpenWrt 21.02, or newer, including wpad (hostapd) built with hs20 option. Full version of iw package in OpenWrt. 802.1x infrastructure (RADIUS server). Information ...

    • OpenWiFi - Passpoint configuration

      Prerequisites Access to the Controller as a user with administrative privileges. Supported OpenWiFi device - this solution has been tested with EdgeCore EAP101 Information about the assigned RADIUS servers (Server IP address, port numbers, shared ...