06-11-2025 05:49 AM
Hi all
In the Wi-Fi network created with 22 AP 1850 Mobility Express 8.10.196 with Virtual Wireless Controller, I have to make a WLAN with a captive portal. I would like to know if there is documentation and if the accounts can be local.
Thanks
Best Regards
Enrico
06-12-2025 02:22 PM
First you should clarify which type of WLC you intend to use - Mobility Express or vWLC? You cannot use both.
ME supports only Flexconnect Local Switching and runs on one or more APs. It's effectively AireOS WLC with minimal features.
vWLC can support very limited central switching but is not recommended so should also only be used with Flexconnect Local Switching. You will need a server to run vWLC.
Check out these technotes:
Understand Web Authentication on AireOS Wireless LAN Controllers
Configure AireOS Wireless LAN Controller Web Authentication
If you search you will also find various blogs and videos with examples too.
06-17-2025 10:09 AM
Dear @Rich R
I need to add more details to better explain my case.
All APs have Cisco Mobility Express firmware version 8.10.196.0, and one of these is the master for managing the infrastructure.
The master, if I understood correctly, is the one that runs the virtual wireless LAN controller, which I connect to via web to manage my network.
The captive portal Wi-Fi network is only for a few users (10-20).
I set a BSSID with an internal web page (the default one) and local authentication.
It seems to work fine.
I don't know Flexconnect Local Switching.
In this scenario can I change the X509 certificates of the 192.0.2.1 portal to avoid warnings on the CA?
Thanks
Best Regards
Enrico
06-17-2025 03:02 PM
Ok so you are using Mobility Express.
That means you are already using Flexconnect Local Switching because it is mandatory/the only option with ME.
For more on Flexconnect see https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-8/FlexConnect_DG.html
Client traffic exits the AP directly to a VLAN on the AP switch port instead of being tunnelled to the WLC over CAPWAP (Central switching).
> can I change the X509 certificates of the 192.0.2.1 portal to avoid warnings on the CA?
Yes - but it is not supported in the ME GUI - you must use the CLI. See:
https://community.cisco.com/t5/wireless/mobility-express-how-to-install-third-party-certificate/td-p/3914426
FYI: Virtual Wireless Controller (aka vWLC) is a separate WLC product:
https://www.cisco.com/c/en/us/products/collateral/wireless/virtual-wireless-controller/data_sheet_c78-714543.html
06-17-2025 08:54 PM
Hi @Rich R
Can I use Let's Encrypt?
Can you tell me more about the IP address 192.0.2.1 that is embedded in the webauth portal? Can I change it? How can I assign my portal hostname to this IP address?
Thanks in advance for your patience.
Best Regards
Enrico
06-20-2025 02:41 AM
Hi Enrico
> Can I use Let's Encrypt?
There are no restrictions on what certificate you use but remember that the certificate's root CA must be trusted by the client. So as long as you are sure all your clients will trust them that will be fine. See:
https://letsencrypt.org/docs/certificate-compatibility/
> Can you tell more information about the IP address 192.0.2.1 that is embedded in webauth portal?
That is the WLC virtual IP which is used for captive portal interception of http traffic from the client.
From: https://networklessons.com/cisco/ccna-200-301/cisco-wireless-lan-controller-wlc-basic-configuration
Virtual Gateway IP Address: The WLC has a virtual interface that it uses for mobility management. This includes DHCP relay, guest web authentication, VPN termination, and some other features. The WLC only uses this IP address in communication between the WLC and wireless clients. It has to be a valid IP address but shouldn’t be an IP address that is in use on the Internet or your LAN. The 192.0.2.0/24 network is assigned as “TEST-NET-1,” so it’s a safe choice.
> Can I change it?
Yes
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-6/b_Cisco_Wireless_LAN_Controller_Configuration_Best_Practices.html#concept_DF234EBAE04D4AE0AED9C18DD4ED0234
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/213535-wlc-virtual-ip-address-1-1-1-1.html
> How can I assign my portal hostname to this IP address?
DNS. For example: mywlc.mydomain.com -> 192.0.2.1, then the client should be redirected to https://mywlc.mydomain.com
Your certificate subject name and DNS name must match the domain mywlc.mydomain.com otherwise you will get security errors for invalid certificate.
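As an added example (not part of any post in this thread, and not Cisco tooling): a pre-upload check with the openssl CLI that a portal certificate covers the hostname clients are redirected to and has not expired. The function names, file names and the throwaway self-signed certificate are constructed for the demo; mywlc.mydomain.com is the example name from the reply above.

```shell
#!/bin/sh
# check_portal_cert CERT_PEM HOSTNAME -> returns 0 only if every check passes.
check_portal_cert() {
    cert=$1; host=$2; rc=0
    # 1. The redirect hostname must match a SAN/CN entry in the certificate.
    #    openssl prints the verdict; its exit status does not reflect it.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" \
            | grep -q "does match certificate"; then
        echo "FAIL: certificate does not cover $host" >&2; rc=1
    fi
    # 2. The certificate must not already be expired (-checkend sets exit status).
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate is expired" >&2; rc=1
    fi
    # 3. Issuer equal to subject means self-signed: no client trusts it by default.
    subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subj" = "$issr" ]; then
        echo "WARN: self-signed; clients will show a trust warning" >&2
    fi
    return $rc
}

# Constructed sample input: throwaway self-signed certificate for name $2 in dir $1.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# Demo on the constructed certificate, using the thread's example hostname.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" mywlc.mydomain.com
check_portal_cert "$demo_dir/cert.pem" mywlc.mydomain.com && echo "name check: PASS"
check_portal_cert "$demo_dir/cert.pem" other.mydomain.com || echo "wrong name: rejected"
rm -rf "$demo_dir"
```

Run it against the real certificate file before installing it; the self-signed warning only appears for the demo certificate or for one not issued by a CA.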