Cisco WLC - Passpoint Configuration

Configure Passpoint (Hotspot 2.0) on Cisco AireOS WLC or Catalyst 9800 wireless controllers to enable automatic WiFi authentication through IronWifi's cloud RADIUS service. This provides seamless WPA2/WPA3-Enterprise connections without manual network selection or splash pages.

Supported Platforms

Cisco AireOS WLC - 5520, 8540, 3504, vWLC
Cisco Catalyst 9800 - 9800-40, 9800-80, 9800-CL
Cisco Embedded Wireless Controller

Prerequisites

In Cisco WLC:

Cisco WLC with AireOS 8.5+ or IOS-XE 17.x+
Access points supporting Hotspot 2.0 (Wave 2 or later)
Network connectivity to IronWifi RADIUS servers

In IronWifi Console (complete these first):

Log in to IronWifi Management Console
Navigate to Networks > select your network
Enable Passpoint
Note the RADIUS details and Passpoint configuration:
- RADIUS Server IP
- RADIUS Secret
- Authentication Port: 1812
- Accounting Port: 1813

AireOS WLC Configuration

Web Interface Configuration

Step 1: Configure RADIUS Server

Log in to WLC web interface
Go to Security > AAA > RADIUS > Authentication
Click New
Configure:
- Server Index: 1
- Server IP Address: IronWifi RADIUS IP
- Shared Secret: Your RADIUS secret
- Port Number: 1812
- Server Status: Enabled
Click Apply
Go to Accounting and add accounting server:
- Same IP, port 1813

Step 2: Create WLAN

Go to WLANs
Click Create New
Configure:
- Profile Name: Passpoint
- SSID: Passpoint
- ID: Select available ID
Click Apply

Step 3: Configure WLAN Security

Edit the new WLAN
Go to Security > Layer 2:
- Layer 2 Security: WPA+WPA2
- WPA2 Policy: Enabled
- WPA2 Encryption: AES
- Auth Key Mgmt: 802.1X
Go to Security > AAA Servers:
- Authentication Servers: Select IronWifi server
- Accounting Servers: Select IronWifi server

Step 4: Enable Hotspot 2.0

Go to Advanced tab
Find Hotspot 2.0 section
Enable Hotspot 2.0
Configure:

General:

Hotspot 2.0 Enable: Enabled
DGAF Disable: Disabled

Step 5: Configure 802.11u

Go to Wireless > 802.11u
Enable 802.11u
Configure:

Network Settings:

Internet Access: Enabled
Network Type: Free public network
ASRA: Disabled

Venue Information:

Venue Group: Business
Venue Type: Unspecified
Venue Name: Your Location (Language: eng)

Step 6: Configure Roaming Consortium

In 802.11u settings, find Roaming Consortium
Add OIs:
```
5A03BA0000
004096
```

Step 7: Configure NAI Realm

Go to NAI Realm section
Add realm:
- NAI Realm: ironwifi.com
- EAP Method: EAP-TTLS
- Inner Auth: PAP

Step 8: Configure Domain

In Hotspot 2.0 settings
Add Domain Name: ironwifi.net

AireOS CLI Configuration

# Configure RADIUS server
config radius auth add 1 1.2.3.4 1812 ascii your-secret
config radius auth enable 1
config radius acct add 1 1.2.3.4 1813 ascii your-secret
config radius acct enable 1

# Create WLAN
config wlan create 1 Passpoint Passpoint
config wlan security wpa wpa2 enable 1
config wlan security wpa wpa2 ciphers aes enable 1
config wlan security wpa akm 802.1x enable 1
config wlan radius_server auth add 1 1
config wlan radius_server acct add 1 1
config wlan enable 1

# Enable 802.11u
config wlan hotspot dot11u enable 1
config wlan hotspot dot11u internet-access enable 1
config wlan hotspot dot11u network-type free-public 1
config wlan hotspot dot11u venue-group business 1
config wlan hotspot dot11u venue-type unspecified 1

# Configure Roaming Consortium
config wlan hotspot dot11u roam-oi add 1 5A03BA0000 beacon
config wlan hotspot dot11u roam-oi add 1 004096

# Configure NAI Realm
config wlan hotspot dot11u nai-realm add 1 ironwifi.com
config wlan hotspot dot11u nai-realm eap-method add 1 ironwifi.com eap-ttls

# Configure Domain
config wlan hotspot dot11u domain add 1 ironwifi.net

# Enable Hotspot 2.0
config wlan hotspot hs2 enable 1

Catalyst 9800 Configuration

Web Interface (WebUI)

Configure RADIUS

Go to Configuration > Security > AAA
Click Servers/Groups > RADIUS
Add server:
- Name: IronWifi
- IP Address: IronWifi RADIUS IP
- Key: Your shared secret
- Auth Port: 1812
- Acct Port: 1813

Create Server Group

Go to Server Groups
Create new group
Add IronWifi server to group

Configure Policy Profile

Go to Configuration > Tags & Profiles > Policy
Create new policy profile
Configure AAA settings to use IronWifi

Configure WLAN

Go to Configuration > Tags & Profiles > WLANs
Create new WLAN:
- Profile Name: Passpoint
- SSID: Passpoint
- Status: Enabled
In Security tab:
- Layer 2: WPA2
- Auth Key Management: 802.1X
In Advanced tab:
- Enable Hotspot 2.0

Configure Hotspot 2.0

Go to Configuration > Wireless > Hotspot 2.0
Create HS2.0 Profile:

General Settings:

Profile Name: IronWifi-Passpoint
Internet Access: Enabled
Network Type: Free public

Venue:

Venue Group: Business
Venue Type: Unspecified

Domain:

Add: ironwifi.net

Roaming Consortium:

Add: 5A03BA0000
Add: 004096

NAI Realm:

Realm: ironwifi.com
EAP Method: EAP-TTLS
Inner Auth: PAP

Assign profile to WLAN

Catalyst 9800 CLI Configuration

! RADIUS Configuration
radius server IronWifi
 address ipv4 1.2.3.4 auth-port 1812 acct-port 1813
 key your-secret

aaa group server radius IronWifi-Group
 server name IronWifi

aaa authentication dot1x default group IronWifi-Group
aaa authorization network default group IronWifi-Group
aaa accounting identity default start-stop group IronWifi-Group

! Hotspot 2.0 Configuration
wireless hotspot anqp-server IronWifi-ANQP
 network-type free-public
 internet
 venue-group business
 venue-type unspecified
 domain-name ironwifi.net
 nai-realm ironwifi.com
   eap-method eap-ttls
     inner-auth-type pap
 roaming-oi 5A03BA0000
 roaming-oi 004096

wireless profile hotspot2 IronWifi-Passpoint
 anqp-server IronWifi-ANQP
 hs2-profile enable

! WLAN Configuration
wlan Passpoint 1 Passpoint
 security wpa psk set-key ascii 0 disabled
 security wpa wpa2
 security wpa akm dot1x
 security dot1x authentication-list default
 hotspot2 IronWifi-Passpoint
 no shutdown

! Policy Profile
wireless profile policy Passpoint-Policy
 description Passpoint Policy Profile
 aaa-override
 nac
 vlan VLAN_ID
 no shutdown

! Tag Configuration
wireless tag policy Passpoint-Tag
 wlan Passpoint policy Passpoint-Policy

Troubleshooting

Common Issues

Network Not Discovered

Verify Hotspot 2.0 is enabled on WLAN
Check 802.11u configuration
Verify GAS/ANQP frames are being sent
Check client Passpoint support

Authentication Failures

Test RADIUS connectivity
Verify NAI realm configuration
Check IronWifi logs for details
Verify EAP method configuration

Debug Commands (AireOS)

# Show Hotspot 2.0 configuration
show wlan hotspot

# Show 802.11u configuration
show wlan 1 hotspot dot11u

# Debug Hotspot 2.0
debug hotspot all enable

# Show RADIUS statistics
show radius summary

# Show client details
show client detail MAC_ADDRESS

Debug Commands (Catalyst 9800)

# Show Hotspot 2.0 configuration
show wireless profile hotspot2 detailed IronWifi-Passpoint

# Show ANQP server
show wireless hotspot anqp-server detailed IronWifi-ANQP

# Debug commands
debug wireless hotspot2

# Show client
show wireless client mac-address MAC detail

Best Practices

Use Wave 2 APs: Ensure APs support Hotspot 2.0
Firmware: Keep WLC and APs on supported versions
Testing: Test with multiple device types
Monitoring: Monitor authentication success rates
Redundancy: Configure backup RADIUS servers

Supported Platforms​

Prerequisites​

In Cisco WLC:​

In IronWifi Console (complete these first):​

AireOS WLC Configuration​

Web Interface Configuration​

Step 1: Configure RADIUS Server​

Step 2: Create WLAN​

Step 3: Configure WLAN Security​

Step 4: Enable Hotspot 2.0​

Step 5: Configure 802.11u​

Step 6: Configure Roaming Consortium​

Step 7: Configure NAI Realm​

Step 8: Configure Domain​

AireOS CLI Configuration​

Catalyst 9800 Configuration​

Web Interface (WebUI)​

Configure RADIUS​

Create Server Group​

Configure Policy Profile​

Configure WLAN​

Configure Hotspot 2.0​

Catalyst 9800 CLI Configuration​

Troubleshooting​

Common Issues​

Network Not Discovered​

Authentication Failures​

Debug Commands (AireOS)​

Debug Commands (Catalyst 9800)​

Best Practices​

Related Topics​