Cisco Mobility Express

Configure Cisco Mobility Express access points with IronWifi for lightweight wireless management. This guide covers RADIUS server configuration, external splash page integration, pre-authentication access lists, and WPA-Enterprise setup for guest captive portal and secure employee WiFi without dedicated hardware controllers.

Overview

Cisco Mobility Express is a lightweight wireless controller solution that runs on Cisco Aironet access points, providing enterprise-grade wireless management without requiring a dedicated hardware controller.

Prerequisites

In Cisco Mobility Express:

Cisco Mobility Express-enabled access point
Network connectivity between AP and IronWifi RADIUS servers
Administrative access to Mobility Express web interface

In IronWifi Console (complete these first):

Create a Network in IronWifi Console
Create a Captive Portal with vendor Cisco
Note the following details:
- Primary and Backup RADIUS server IP addresses
- RADIUS ports (1812 for authentication, 1813 for accounting)
- Shared secret
- Splash Page URL

Mobility Express Configuration

Access the Management Interface

Connect to the Mobility Express management network
Navigate to the web interface (typically https://[AP_IP])
Log in with administrator credentials

Step 1: Configure RADIUS Server

Navigate to Wireless Settings → RADIUS
Click Add RADIUS Server
Configure:
- Server IP Address: {Primary IP}
- Shared Secret: {Shared secret}
- Port: 1812
- Server Type: Authentication
Add accounting server with port 1813
Add backup servers

Step 2: Create Guest WLAN

Navigate to Wireless Settings → WLANs
Click Add new WLAN
Configure:
- Profile Name: Guest-WiFi
- SSID: Guest-WiFi
- Status: Enabled

Step 3: Configure WLAN Security

Select Security tab
Configure:
- Guest Network: Yes
- Captive Portal: External Splash Page
- Splash Page URL: {IronWifi Splash URL}
- Authentication Server: Select IronWifi server
- Accounting Server: Select IronWifi server

Step 4: Configure Pre-Auth Access

Add to the allowed list:

107.178.250.42
DNS servers
Additional authentication provider domains

Required Walled Garden Entries

In addition to the IronWifi splash page IP (107.178.250.42) and DNS servers, you may need to add entries for authentication providers and payment processors:

Provider	Required Entries
Google	`.google.com`, `.googleapis.com`, `*.gstatic.com`, `accounts.google.com`
Facebook	`.facebook.com`, `.fbcdn.net`, `connect.facebook.net`, `facebook.com`
LinkedIn	`.linkedin.com`, `.licdn.com`, `linkedin.com`
Twitter/X	`.twitter.com`, `.twimg.com`, `twitter.com`, `*.x.com`, `x.com`
Apple	`.apple.com`, `.icloud.com`, `appleid.apple.com`
Microsoft/Azure AD	`.microsoft.com`, `.microsoftonline.com`, `*.msftauth.net`, `login.microsoftonline.com`
Stripe	`*.stripe.com`, `js.stripe.com`
PayPal	`.paypal.com`, `.paypalobjects.com`
Twilio (SMS)	`*.twilio.com`

WPA-Enterprise Setup

The following configuration is for 802.1X authentication without captive portal:

Create new WLAN
Security settings:
- Guest Network: No
- Security Type: WPA2 Enterprise
- Authentication Server: IronWifi
Configure client supplicants with RADIUS credentials

Expert Mode Configuration

The following configurations require Expert Mode for advanced settings:

Navigate to Management → Admin Accounts
Enable Expert Mode
Access additional configuration options

ACL Configuration (Expert Mode)

Create pre-authentication ACL:

Navigate to Security → Access Control Lists
Create new ACL
Add permit rules for:
- IronWifi splash page (107.178.250.42)
- DNS
- DHCP

Verification

After completing the configuration steps above, verify everything works correctly.

Check WLAN Status

Navigate to Monitoring → Wireless
View active WLANs and client count

Check Client Status

Navigate to Monitoring → Clients
View connected clients and authentication status

Troubleshooting

If testing reveals issues, use this section to diagnose common problems:

Symptom	Cause	Solution
Captive Portal not appearing	External Splash Page not enabled	Verify External Splash Page is enabled in WLAN settings
Captive Portal not appearing	Incorrect Splash Page URL	Check Splash Page URL is correct in WLAN settings
Captive Portal not appearing	Pre-auth access blocking splash page	Confirm pre-auth access allows splash page (107.178.250.42)
Captive Portal not appearing	Browser caching issue	Test from incognito/private browser window
RADIUS authentication failing	Incorrect server configuration	Verify RADIUS server IP and port in Mobility Express
RADIUS authentication failing	Shared secret mismatch	Check shared secret matches IronWifi Console
RADIUS authentication failing	Network connectivity issue	Ensure network connectivity to RADIUS servers
RADIUS authentication failing	Server or user issue	Review logs in IronWifi Console
Clients stuck in Web Auth	Captive portal timeout	Check captive portal timeout settings
Clients stuck in Web Auth	Accounting not enabled	Verify accounting is enabled in WLAN settings
Clients stuck in Web Auth	Client device issue	Review client device captive portal detection settings

Cisco WLC - Configuration guide for AireOS WLC
Cisco Catalyst 9800 - Configuration guide for Catalyst 9800 WLC
Passpoint Onboarding - Hotspot 2.0 configuration guide

Overview​

Prerequisites​

In Cisco Mobility Express:​

In IronWifi Console (complete these first):​

Mobility Express Configuration​

Access the Management Interface​

Step 1: Configure RADIUS Server​

Step 2: Create Guest WLAN​

Step 3: Configure WLAN Security​

Step 4: Configure Pre-Auth Access​

Required Walled Garden Entries​

WPA-Enterprise Setup​

Expert Mode Configuration​

ACL Configuration (Expert Mode)​

Verification​

Check WLAN Status​

Check Client Status​

Troubleshooting​

Related Topics​