Cisco Catalyst 9800
Configure Cisco Catalyst 9800 Wireless LAN Controller with IronWifi for enterprise-grade authentication. This guide provides CLI and GUI configuration for AAA RADIUS servers, web authentication parameter maps, pre-authentication ACLs, and Passpoint (Hotspot 2.0) profiles for guest and secure employee WiFi networks.
Prerequisites
In Cisco Catalyst 9800:
- Cisco Catalyst 9800 WLC
- Network connectivity between WLC and IronWifi RADIUS servers
- CLI access to the WLC
In IronWifi Console (complete these first):
- Create a Network in IronWifi Console
- Create a Captive Portal with vendor Cisco
- Note the following details:
  - Primary and Backup RADIUS server IP addresses
  - RADIUS ports (1812 for authentication, 1813 for accounting)
  - Shared secret
  - Splash Page URL
WLC Configuration
Step 1: Configure AAA
Add RADIUS Server
radius server IRONWIFI-PRIMARY
 address ipv4 {PRIMARY_IP} auth-port 1812 acct-port 1813
 key {SHARED_SECRET}
radius server IRONWIFI-BACKUP
 address ipv4 {BACKUP_IP} auth-port 1812 acct-port 1813
 key {SHARED_SECRET}
Create Server Group
aaa group server radius IRONWIFI
 server name IRONWIFI-PRIMARY
 server name IRONWIFI-BACKUP
Configure AAA Methods
aaa authentication dot1x IRONWIFI-DOT1X group IRONWIFI
aaa authorization network IRONWIFI-AUTHZ group IRONWIFI
aaa accounting identity IRONWIFI-ACCT start-stop group IRONWIFI
Step 2: Configure WLAN
Create WLAN Profile
wlan GUEST-WIFI 1 GUEST-WIFI
 security web-auth
 security web-auth authentication-list IRONWIFI-DOT1X
 security web-auth parameter-map global
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2 ciphers aes
 no shutdown
Step 3: Configure Web Auth Parameter Map
parameter-map type webauth global
 type webauth
 redirect for-login {SPLASH_PAGE_URL}
 redirect portal ipv4 107.178.250.42
Step 4: Configure ACL
Create pre-auth ACL:
ip access-list extended IRONWIFI-PREAUTH
 permit ip any host 107.178.250.42
 permit ip host 107.178.250.42 any
 permit udp any any eq domain
 permit udp any eq domain any
 deny ip any any
Required Walled Garden Entries
In addition to the IronWifi splash page IP (107.178.250.42) and DNS entries above, you may need to add entries for authentication providers and payment processors:
| Provider | Required Entries |
|---|---|
| Google | *.google.com, *.googleapis.com, *.gstatic.com, accounts.google.com |
| Facebook | *.facebook.com, *.fbcdn.net, connect.facebook.net, facebook.com |
| LinkedIn | *.linkedin.com, *.licdn.com, linkedin.com |
| Twitter/X | *.twitter.com, *.twimg.com, twitter.com, *.x.com, x.com |
| Apple | *.apple.com, *.icloud.com, appleid.apple.com |
| Microsoft/Azure AD | *.microsoft.com, *.microsoftonline.com, *.msftauth.net, login.microsoftonline.com |
| Stripe | *.stripe.com, js.stripe.com |
| PayPal | *.paypal.com, *.paypalobjects.com |
| Twilio (SMS) | *.twilio.com |
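A check worth running on the pre-auth ACL each time walled-garden entries are added, given here as an added example (not IronWifi or Cisco code): it parses the ACL text and reports a missing final deny, missing portal permits, or any any-to-any permit other than DNS. The function names and the extra `permit tcp any any eq 443` line are constructed for illustration.

```python
PORTAL_IP = "107.178.250.42"  # splash page IP used in this guide

# The guide's ACL, plus a constructed variant with one over-broad line added.
PAGE_ACL = """ip access-list extended IRONWIFI-PREAUTH
 permit ip any host 107.178.250.42
 permit ip host 107.178.250.42 any
 permit udp any any eq domain
 permit udp any eq domain any
 deny ip any any"""
WIDENED_ACL = PAGE_ACL.replace(" deny", " permit tcp any any eq 443\n deny")

def parse_ace(line):
    """Parse 'permit|deny proto src [eq p] dst [eq p]' into a 6-tuple, else None."""
    rest = line.split()
    if len(rest) < 4 or rest[0] not in ("permit", "deny"):
        return None
    action, proto = rest.pop(0), rest.pop(0)

    def addr():
        word = rest.pop(0)
        if word == "any":
            return word
        # 'host A.B.C.D' or 'A.B.C.D wildcard-mask'
        return rest.pop(0) if word == "host" else word + " " + rest.pop(0)

    def port():
        if rest[:1] == ["eq"]:
            rest.pop(0)
            return rest.pop(0)
        return None

    src, sport = addr(), port()
    dst, dport = addr(), port()
    return (action, proto, src, sport, dst, dport)

def audit_preauth_acl(text, portal_ip=PORTAL_IP):
    """Return a list of findings; an empty list means the ACL keeps the guide's shape."""
    aces = [a for a in map(parse_ace, text.splitlines()) if a]
    findings = []
    if not aces or aces[-1] != ("deny", "ip", "any", None, "any", None):
        findings.append("missing final 'deny ip any any'")
    if ("permit", "ip", "any", None, portal_ip, None) not in aces:
        findings.append("clients cannot reach portal " + portal_ip)
    if ("permit", "ip", portal_ip, None, "any", None) not in aces:
        findings.append("portal " + portal_ip + " cannot reach clients")
    for action, proto, src, sport, dst, dport in aces:
        dns = proto == "udp" and "domain" in (sport, dport)
        if action == "permit" and src == dst == "any" and not dns:
            findings.append("any-to-any permit: %s port %s" % (proto, dport or sport or "all"))
    return findings
```

`audit_preauth_acl(PAGE_ACL)` returns an empty list, while the widened variant is reported because it lets unauthenticated clients reach any HTTPS host.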
Step 5: Apply Configuration
wlan GUEST-WIFI
 security web-auth acl IRONWIFI-PREAUTH
Passpoint Configuration
The following configuration enables Hotspot 2.0 (Passpoint) for seamless authentication:
Configure Hotspot 2.0
wireless hotspot anqp-server IRONWIFI-HS20
 domain-name ironwifi.net
wireless hotspot dot11u-profile IRONWIFI-DOT11U
 access-network-type chargeable-public-network
 network-auth-type 00
 venue-name IronWiFi Hotspot
 venue-type business.office
 hessid-enable
wireless hotspot hs2-profile IRONWIFI-HS2
 access-network-type chargeable-public-network
 anqp-server IRONWIFI-HS20
 dot11u-profile IRONWIFI-DOT11U
Apply to WLAN
wlan PASSPOINT-WIFI 2 PASSPOINT
 hotspot hs2-profile IRONWIFI-HS2
 security dot1x authentication-list IRONWIFI-DOT1X
WPA-Enterprise Configuration
The following configuration is for 802.1X authentication without web authentication:
wlan SECURE-WIFI 3 SECURE-WIFI
 security dot1x authentication-list IRONWIFI-DOT1X
 security wpa wpa2
 security wpa wpa2 ciphers aes
 security wpa akm dot1x
 no shutdown
Verification Commands
After completing the configuration steps above, verify everything works correctly.
Check RADIUS server status:
show aaa servers
Check WLAN configuration:
show wlan summary
show wlan name GUEST-WIFI
Check client status:
show wireless client summary
show wireless client mac-address {MAC} detail
Troubleshooting
If testing reveals issues, use this section to diagnose common problems:
| Symptom | Cause | Solution |
|---|---|---|
| RADIUS not responding | Network connectivity issue | Verify connectivity: ping {RADIUS_IP} |
| RADIUS not responding | Server configuration error | Check server status: show aaa servers |
| RADIUS not responding | Incorrect shared secret | Verify shared secret matches IronWifi Console |
| RADIUS not responding | Firewall blocking RADIUS | Check firewall rules allow UDP 1812-1813 |
| Web Auth not redirecting | ACL not applied | Verify ACL is applied to WLAN |
| Web Auth not redirecting | Parameter-map misconfigured | Check parameter-map configuration |
| Web Auth not redirecting | Incorrect redirect URL | Ensure redirect URL is correct |
| Web Auth not redirecting | Cannot reach splash page | Test client can reach 107.178.250.42 |
| Authentication failures | Invalid credentials | Check RADIUS logs in IronWifi Console |
| Authentication failures | WLC configuration issue | Review WLC debugging: debug aaa all and debug web-auth all |
| Authentication failures | User account problem | Verify user credentials in IronWifi Console |
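Why an incorrect shared secret appears in the table under "RADIUS not responding" rather than as a reject: a RADIUS client discards any reply whose Response Authenticator (RFC 2865) does not verify against its own copy of the secret, so the server looks silent. This is an added example, not IronWifi or Cisco code; the function names, secrets and packet contents are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code for Access-Accept (RFC 2865)

def build_reply(code, ident, request_auth, attrs, secret):
    """Build a reply the way a RADIUS server does, signing it with its shared secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs

def reply_is_authentic(reply, request_auth, secret):
    """Validate the Response Authenticator as a RADIUS client (here, the WLC) would."""
    if len(reply) < 20:
        return False                      # shorter than the fixed RADIUS header
    length = struct.unpack("!H", reply[2:4])[0]
    if length < 20 or length > len(reply):
        return False                      # declared length is inconsistent
    reply = reply[:length]                # ignore padding past the declared length
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

# Constructed sample values: a fixed 16-byte Request Authenticator, one
# Reply-Message attribute (type 18), and two secrets that differ by a typo.
REQUEST_AUTH = bytes(range(16))
ATTRS = bytes([18, 2 + len(b"welcome")]) + b"welcome"
CONSOLE_SECRET = b"example-secret"       # what the RADIUS server uses
WLC_SECRET_TYPO = b"example-secert"      # what was typed on the WLC

# The server signs with its secret; the client verifies with its own copy.
REPLY = build_reply(ACCESS_ACCEPT, 1, REQUEST_AUTH, ATTRS, CONSOLE_SECRET)

if __name__ == "__main__":
    print("matching secret:", reply_is_authentic(REPLY, REQUEST_AUTH, CONSOLE_SECRET))
    print("mistyped secret:", reply_is_authentic(REPLY, REQUEST_AUTH, WLC_SECRET_TYPO))
```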
Related Topics
- Cisco WLC - Configuration guide for AireOS WLC
- Cisco Mobility Express - Configuration guide for Mobility Express
- Passpoint Onboarding - Complete Hotspot 2.0 configuration guide