Cisco Mobility Express

Cisco Mobility Express

This page explains configuration of Captive Portal with authentication through IronWiFi for the Cisco Mobility Express.

IronWiFi Console Configuration

  1. Log into the IronWiFi console or register for free
  2. Create a new network
  3. After that, create a new captive portal, with vendor Cisco Mobility Express

Access Point Configuration

NOTE: You are required to use firmware v8.7.102.0 or above in order to continue.

Log in to your ME web interface and click the "Switch to Expert View" button at the top right.

On the left, click Management > Admin Accounts and then the RADIUS header. Configure with:

  • Authentication Call Station ID Type - AP MAC Address:SSID
  • Authentication MAC Delimiter - Hyphen
  • Accounting Call Station ID Type - AP MAC Address:SSID
  • Accounting MAC Delimiter - Hyphen

Click Apply. Next, click Add RADIUS Authentication Server. Configure with:

  • State - Enabled
  • Server IP Address - get this value from the IronWiFi console
  • Shared Secret - get this value from the IronWiFi console
  • Confirm Shared Secret - get this value from the IronWiFi console
  • Port Number - get this value from the IronWiFi console

Click Apply to Save. Next, click Add RADIUS Authentication Server again Configure with:

  • State - Enabled
  • Server IP Address -get this value from the IronWiFi console
  • Shared Secret -get this value from the IronWiFi console
  • Confirm Shared Secret - get this value from the IronWiFi console
  • Port Number - get this value from the IronWiFi console

Click Apply to Save. Next, click Add RADIUS Accounting Server. Configure with:

  • State - Enabled
  • Server IP Address - get this value from the IronWiFi console
  • Shared Secret - get this value from the IronWiFi console
  • Confirm Shared Secret - get this value from the IronWiFi console
  • Port Number - get this value from the IronWiFi console

Click Apply to Save. Next, click Add RADIUS Accounting Server again. Configure with:

  • State - Enabled
  • Server IP Address - get this value from the IronWiFi console
  • Shared Secret - get this value from the IronWiFi console
  • Confirm Shared Secret - get this value from the IronWiFi console
  • Port Number - get this value from the IronWiFi console

Click Apply to Save. Next, on the left, click Wireless Settings > WLANs. Click Add New and configure with:

On the General tab:

  • Profile Name - Guest WiFi
  • SSID - Guest WiFi (or whatever you wish)
  • Admin State - Enabled
  • Radio Policy - ALL
  • Broadcast SSID - Yes

On the WLAN Security tab:

  • Guest Network - Yes
  • Captive Network Assistant - Yes
  • Captive Portal - External Splash page
  • Captive Portal URL - get this value from the IronWiFi console
  • Access Type - RADIUS

Under the RADIUS Server header, click Add RADIUS Authentication Server and select the first server IP you previously added. Click Apply. Next, click Add RADIUS Authentication Server again and select the second server IP you previously added. Click Apply.

Next, click Add RADIUS Accounting Server and select the first server IP you previously added. Click Apply. Next, click Add RADIUS Accounting Server again and select the second server IP you previously added. Click Apply.

Under the Pre Auth ACLs header, click Add URL Rules and configure with:

  • URL - ironwifi.com
  • Action - Permit

Under the Advanced tab:

  • Allow AAA Override - Yes

Click Apply to Save config. At the top right, be sure to click the Save Configuration button to avoid losing changes. Finally, you'll need to SSH or console to the ME AP and type the following commands in "enable" mode:

  • config network web-auth https-redirect disable
  • config network web-auth secureweb disable

Additionally, we need to prevent users from trying to log in to the ME GUI via RADIUS. Provided you have only added the two RADIUS servers above and don't have any others configured, run the following commands:

  • config radius auth management 1 disable
  • config radius auth management 2 disable

After applying the commands above you will need to reboot the controller. Type the below commands:

  • save config
  • reset system

The ME AP will now reboot and be ready for use.

NOTE: You need to add all the AP Base MACs to the portal. To see these, type show ap join stats summary all from the SSH or command line.

! You must also install a valid SSL certificate on your controller/AP, in order to avoid authentication issues !

    • Related Articles

    • Cisco WLC 9800

      This page will guide you through the Captive Portal configuration for Cisco WLC 9800 hardware / VM and authentication via IronWiFi. IronWiFi Console Configuration Log into the IronWiFi console or register for free Create a new network After that, ...

    • Cisco WLC

      This page explains the configuration of the Cisco Wireless LAN Controller to work with IronWifi Captive Portal. IronWiFi Console Configuration Log into the IronWiFi console or register for free Create a new network After that, create a new captive ...

    • Cisco Meraki

      This page explains the configuration of Cisco Meraki wireless access points for external Captive Portal and RADIUS server authentication. IronWiFi Console Configuration Log into the IronWiFi console or register for free Create a new network After ...

    • Cisco Catalyst

      IronWiFi Console Configuration Log into the IronWiFi console or register for free Create a new network After that, create a new captive portal, with vendor Cisco catalyst Access Point Configuration Open a web browser and log in to your Cisco Catalyst ...

    • Cisco WLC 8.5 - Passpoint configuration

      Prerequisites Access to the Cisco WLC Dashboard as a user with administrative privileges. Cisco access points and wireless LAN controller are deployed. Controller has basic networking configured and has the licenses required. Access points are ...