Captive Portal and Virtual Wireless Lan Controller

enrico.becchetti
Frequent Visitor

Hi all,
In the Wi-Fi network created with 22 AP 1850 Mobility Express 8.10.196 with Virtual Wireless Controller, I have to make a WLAN with a captive portal. I would like to know if there is documentation and whether the accounts can be local.

Thanks

Best Regards

Enrico

5 Replies

Rich R
VIP

Hi @enrico.becchetti 

First you should clarify which type of WLC you intend to use: Mobility Express or vWLC? You cannot use both.
ME supports only FlexConnect Local Switching and runs on one or more APs. It's effectively an AireOS WLC with minimal features.
vWLC can support very limited central switching, but it is not recommended, so it should also only be used with FlexConnect Local Switching. You will need a server to run vWLC.

Check out these technotes:
Understand Web Authentication on AireOS Wireless LAN Controllers
Configure AireOS Wireless LAN Controller Web Authentication
If you search, you will also find various blogs and videos with examples.


------------------------------
Please click Helpful if this post helped you and Accept as Solution if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

enrico.becchetti
Frequent Visitor

Dear @Rich R 

I need to add more details to explain my case better.

All APs have Cisco Mobility Express firmware version 8.10.196.0, and one of them is the master for managing the infrastructure.

The master, if I understood correctly, is the one that runs the virtual wireless LAN controller, to which I connect via the web to manage my network.

The captive portal Wi-Fi network is only for a few users (10-20).
I set up a BSSID with an internal web page (the default one) and local authentication.

It seems to work fine.

I don't know Flexconnect Local Switching.

In this scenario can I change the X509 certificates of the 192.0.2.1 portal to avoid warnings on the CA?

Thanks

Best Regards

Enrico

Hi @enrico.becchetti 

Ok, so you are using Mobility Express.
That means you are already using FlexConnect Local Switching, because it is mandatory (the only option) with ME.
For more on FlexConnect see https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-8/FlexConnect_DG.html
Client traffic exits the AP directly to a VLAN on the AP switch port instead of being tunnelled to the WLC over CAPWAP (central switching).

> can I change the X509 certificates of the 192.0.2.1 portal to avoid warnings on the CA?
Yes, but it is not supported in the ME GUI; you must use the CLI. See:
https://community.cisco.com/t5/wireless/mobility-express-how-to-install-third-party-certificate/td-p/3914426

FYI: Virtual Wireless Controller (aka vWLC) is a separate WLC product: 
https://www.cisco.com/c/en/us/products/collateral/wireless/virtual-wireless-controller/data_sheet_c78-714543.html


Hi @Rich R 

Can I use Let's Encrypt?

Can you tell me more about the IP address 192.0.2.1 that is embedded in the webauth portal? Can I change it? How can I assign my portal hostname to this IP address?

Thanks in advance for your patience.

Best Regards

Enrico

Hi Enrico

> Can I use Let's Encrypt?
There are no restrictions on what certificate you use, but remember that the certificate's root CA must be trusted by the client. So as long as you are sure all your clients will trust them, that will be fine. See:
https://letsencrypt.org/docs/certificate-compatibility/

> Can you tell me more about the IP address 192.0.2.1 that is embedded in the webauth portal?
That is the WLC virtual IP, which is used for captive portal interception of HTTP traffic from the client.
From: https://networklessons.com/cisco/ccna-200-301/cisco-wireless-lan-controller-wlc-basic-configuration

Virtual Gateway IP Address: The WLC has a virtual interface that it uses for mobility management. This includes DHCP relay, guest web authentication, VPN termination, and some other features. The WLC only uses this IP address in communication between the WLC and wireless clients. It has to be a valid IP address but shouldn't be an IP address that is in use on the Internet or your LAN. The 192.0.2.0/24 network is assigned as "TEST-NET-1," so it's a safe choice.

> Can I change it?
Yes:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-6/b_Cisco_Wireless_LAN_Controller_Configuration_Best_Practices.html#concept_DF234EBAE04D4AE0AED9C18DD4ED0234
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/213535-wlc-virtual-ip-address-1-1-1-1.html

> How can I assign my portal hostname to this IP address?
DNS. For example: mywlc.mydomain.com -> 192.0.2.1; then the client should be redirected to https://mywlc.mydomain.com
Your certificate subject name and DNS name must match the domain mywlc.mydomain.com, otherwise you will get security errors for an invalid certificate.

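As an added example (my own code, not from this thread, from Cisco, or from the Mobility Express software), the script below turns the points made in the last reply into a preflight check an administrator can run before enabling the web-auth WLAN: the virtual IP must not be a real LAN or Internet address, the portal hostname must resolve to that virtual IP, and the certificate must name the hostname and chain to a root the clients trust. Every hostname, prefix, DNS answer and certificate field here is constructed; the `CertInfo` values stand in for what you would read off the real certificate (for example with `openssl x509 -noout -subject -ext subjectAltName -enddate`), and no live WLC or resolver is contacted. It goes slightly beyond the thread by also handling wildcard SAN names and certificate expiry. The "bad" setup uses 1.1.1.1, the old virtual-IP default that the linked Cisco document is about.

```python
"""Preflight checks for a web-auth captive portal on an AireOS / Mobility
Express WLC. All inputs are constructed stand-ins; nothing is read from a
live controller, resolver or certificate file."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class CertInfo:
    """Fields extracted from the portal certificate (constructed here)."""
    subject_cn: str
    san_dns: list          # DNS names from subjectAltName; may be empty
    not_after: datetime    # expiry, timezone-aware
    root_trusted: bool     # is the issuing root in the clients' trust stores?


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID comparison: case-insensitive exact match, or a
    wildcard that is the entire leftmost label and matches exactly one label
    ('*.mydomain.com' matches 'mywlc.mydomain.com', not 'mydomain.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # At least two fixed labels after the wildcard, and equal label counts.
    return (len(p_labels) >= 3 and len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:])


def cert_covers_hostname(cert: CertInfo, hostname: str) -> bool:
    """Browsers validate against SAN DNS names; the subject CN is only a
    fallback when the certificate carries no SAN DNS entries at all."""
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(hostname_matches(n, hostname) for n in names)


def check_portal(hostname, virtual_ip, dns_answers, lan_networks, cert, now):
    """Return a list of problems; an empty list means the setup is consistent.
    dns_answers maps FQDN -> IP string (constructed stand-in for the resolver);
    lan_networks lists the prefixes actually in use on the LAN."""
    problems = []
    vip = ipaddress.ip_address(virtual_ip)
    # The virtual IP only exists between WLC and client: it must not collide
    # with a real LAN prefix and should not be a globally routable address.
    if vip.is_global:
        problems.append(f"virtual IP {vip} is a globally routable address")
    for net in lan_networks:
        if vip in ipaddress.ip_network(net):
            problems.append(f"virtual IP {vip} overlaps LAN prefix {net}")
    # Clients are redirected to https://<hostname>, so the hostname must
    # resolve to the virtual IP that the WLC intercepts.
    answer = dns_answers.get(hostname.lower().rstrip("."))
    if answer is None:
        problems.append(f"no DNS record for {hostname}")
    elif ipaddress.ip_address(answer) != vip:
        problems.append(f"{hostname} resolves to {answer}, not virtual IP {vip}")
    # The certificate must name the host, be unexpired and chain to a trusted root.
    if not cert_covers_hostname(cert, hostname):
        problems.append(f"certificate does not cover {hostname}")
    if cert.not_after <= now:
        problems.append(f"certificate expired on {cert.not_after.date()}")
    if not cert.root_trusted:
        problems.append("issuing root CA is not trusted by the clients")
    return problems


def example_checks():
    """Constructed good and bad setups; returns (good_problems, bad_problems)."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    lan = ["10.0.0.0/8", "192.168.1.0/24"]          # constructed LAN prefixes
    good_cert = CertInfo("mywlc.mydomain.com", ["mywlc.mydomain.com"],
                         datetime(2025, 6, 1, tzinfo=timezone.utc), True)
    good = check_portal("mywlc.mydomain.com", "192.0.2.1",
                        {"mywlc.mydomain.com": "192.0.2.1"}, lan, good_cert, now)
    # Bad setup: virtual IP 1.1.1.1 (a real Internet host), DNS pointing at a
    # LAN address, and an expired, untrusted certificate for another name.
    bad_cert = CertInfo("portal.otherdomain.com", ["portal.otherdomain.com"],
                        datetime(2024, 1, 1, tzinfo=timezone.utc), False)
    bad = check_portal("mywlc.mydomain.com", "1.1.1.1",
                       {"mywlc.mydomain.com": "192.168.1.10"}, lan, bad_cert, now)
    return good, bad


if __name__ == "__main__":
    good, bad = example_checks()
    print("good setup problems:", good)       # expected: []
    for p in bad:
        print("bad setup:", p)                # expected: five findings
```

The `is_global` test relies on Python's `ipaddress` treating TEST-NET-1 (192.0.2.0/24) as non-global, which is why the thread's 192.0.2.1 passes while 1.1.1.1 does not; swap the constructed `lan` list and `dns_answers` for your own prefixes and resolver output to reuse the check.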