
Captive Portal and Virtual Wireless Lan Controller

Hi all,
In the wifi network created with 22 AP 1850 Mobility Express 8.10.196 with Virtual Wireless Controller, I have to make a WLAN with a captive portal. I would like to know if there is documentation and if the accounts can be local.

Thanks

Best Regards

Enrico


Rich R
VIP

Hi @enrico.becchetti 

First you should clarify which type of WLC you intend to use - Mobility Express or vWLC? You cannot use both.
ME supports only Flexconnect Local Switching and runs on one or more APs. It's effectively AireOS WLC with minimal features.
vWLC can support very limited central switching but is not recommended so should also only be used with Flexconnect Local Switching. You will need a server to run vWLC.

Check out these technotes:
Understand Web Authentication on AireOS Wireless LAN Controllers
Configure AireOS Wireless LAN Controller Web Authentication
If you search you will also find various blogs and videos with examples too.


Dear @Rich R 

I need to add more details to explain my case better.

All APs have Cisco Mobility Express firmware version 8.10.196.0
and one of these is the master for managing the infrastructure.

The master, if I understood correctly, is the one that runs the virtual wireless LAN controller, to which I connect via web to manage my network.

The captive portal wifi network is only for a few users, 10-20.
I set a BSSID with an internal web page (the default one) and local authentication.

It seems to work fine.

I don't know Flexconnect Local Switching.

In this scenario can I change the X509 certificates of the 192.0.2.1 portal to avoid warnings on the CA?

Thanks

Best Regards

Enrico

Hi @enrico.becchetti 

Ok so you are using Mobility Express. 
That means you are already using Flexconnect Local Switching because it is mandatory/the only option, with ME.
For more on Flexconnect see https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-8/FlexConnect_DG.html
Client traffic exits the AP directly to a VLAN on the AP switch port instead of being tunnelled to the WLC over CAPWAP (Central switching).

> can I change the X509 certificates of the 192.0.2.1 portal to avoid warnings on the CA?
Yes - but it is not supported in the ME GUI - you must use the CLI.  See:
https://community.cisco.com/t5/wireless/mobility-express-how-to-install-third-party-certificate/td-p/3914426

FYI: Virtual Wireless Controller (aka vWLC) is a separate WLC product: 
https://www.cisco.com/c/en/us/products/collateral/wireless/virtual-wireless-controller/data_sheet_c78-714543.html

Hi @Rich R 

Can I use Let's Encrypt?

Can you give more information about the IP address 192.0.2.1 that is embedded in the webauth portal? Can I change it? How can I assign my portal hostname to this IP address?

Thanks in advance for your patience.

Best Regards

Enrico

Hi Enrico

> Can I use Let's Encrypt?
There are no restrictions on what certificate you use but remember that the certificate's root CA must be trusted by the client.  So as long as you are sure all your clients will trust them that will be fine.  See:
https://letsencrypt.org/docs/certificate-compatibility/

> Can you tell more information about the IP address 192.0.2.1 that is embedded in webauth portal?
That is the WLC virtual IP which is used for captive portal interception of HTTP traffic from the client.
From: https://networklessons.com/cisco/ccna-200-301/cisco-wireless-lan-controller-wlc-basic-configuration

> Virtual Gateway IP Address: The WLC has a virtual interface that it uses for mobility management. This includes DHCP relay, guest web authentication, VPN termination, and some other features. The WLC only uses this IP address in communication between the WLC and wireless clients. It has to be a valid IP address but shouldn’t be an IP address that is in use on the Internet or your LAN. The 192.0.2.0/24 network is assigned as “TEST-NET-1,” so it’s a safe choice.

> Can I change it?
Yes
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-6/b_Cisco_Wireless_LAN_Controller_Configuration_Best_Practices.html#concept_DF234EBAE04D4AE0AED9C18DD4ED0234
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/213535-wlc-virtual-ip-address-1-1-1-1.html

> How can I assign my portal hostname to this IP address?
DNS. For example: mywlc.mydomain.com -> 192.0.2.1 then the client should be redirected to https://mywlc.mydomain.com
Your certificate subject name and DNS name must match the domain mywlc.mydomain.com, otherwise you will get security errors for invalid certificate.
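
The two conditions in the reply above (the portal hostname resolves to the virtual IP, and a name in the certificate matches that hostname) can be checked before the certificate is installed. This is an added example, not part of the original thread or any Cisco tooling; the function names, the sample certificate names and the 10.0.0.5 DNS answer are assumptions made for illustration.

```python
import ipaddress

def san_matches(hostname, san):
    """Compare a hostname with one certificate dNSName entry.

    A '*' is honoured only as the complete leftmost label and stands for
    exactly one label. Requiring two fixed labels after it (so '*.com' never
    matches) is a conservative choice made by this example.
    """
    host = hostname.lower().rstrip(".").split(".")
    name = san.lower().rstrip(".").split(".")
    if len(host) != len(name):
        return False
    if name[0] == "*":
        return len(name) >= 3 and host[1:] == name[1:]
    return host == name

def check_portal(hostname, san_dns_names, resolved_ips, virtual_ip):
    """Return the problems that would cause a certificate warning or a failed redirect."""
    problems = []
    if not any(san_matches(hostname, s) for s in san_dns_names):
        problems.append("no certificate name matches " + hostname)
    vip = ipaddress.ip_address(virtual_ip)
    answers = {ipaddress.ip_address(a) for a in resolved_ips}
    if not answers:
        problems.append(hostname + " does not resolve")
    elif answers != {vip}:
        wrong = sorted(str(a) for a in answers - {vip})
        problems.append(hostname + " resolves to " + ", ".join(wrong)
                        + ", not the virtual IP " + str(vip))
    return problems

# Constructed sample data: the hostname and virtual IP are the ones used in the
# thread; the certificate names and the 10.0.0.5 DNS answer are made up.
CASES = {
    "matching cert and DNS": (["mywlc.mydomain.com"], ["192.0.2.1"]),
    "wildcard cert": (["*.mydomain.com"], ["192.0.2.1"]),
    "cert for another name": (["wlc.mydomain.com"], ["192.0.2.1"]),
    "DNS points elsewhere": (["mywlc.mydomain.com"], ["10.0.0.5"]),
}

def run_cases():
    return {label: check_portal("mywlc.mydomain.com", sans, ips, "192.0.2.1")
            for label, (sans, ips) in CASES.items()}

if __name__ == "__main__":
    for label, problems in run_cases().items():
        print(label + ":", problems or "ok")
```

In practice the name list would come from the certificate's Subject Alternative Name field and the address list from a DNS lookup made on the guest VLAN.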
