Cisco WLC and Packetfence Captive Portal configuration Guide

Saad Raza Khan
Hello,

I am configuring Cisco vWLC and it's working fine; internet is running smoothly.

I need to configure a PacketFence captive portal for my company's guest users: a captive portal via self-registration that also interconnects with an SMS gateway to provide credentials to guest users.

Has any techie here installed PacketFence and have any configuration examples for it?

Saad Raza Khan

Hi,

Anyone, please update on this.

Regards

Saad

Hi,

We have a working setup using Cisco WLC (wism2) running 7.6.130 with PacketFence 6.3 which works very well.

Authentication is done using webauth on the WLCs with a redirect to the captive portal on the packetfence server. We do not use the SMS authentication but use local users/Active Directory for authentication in our portal.

For setup instructions you should look at the packetfence documentation. They have good documentation on the WLC setup as well as what you need to do on the packetfence server:

https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Gu...

This explains the basics of what you need on the WLC as well as in packetfence to interact with the WLC. 

Hi,

I have the same document and configured the Cisco WLC according to the document, but I am confused about the configuration on packetfence. I am looking for a step-by-step configuration of the Packetfence server.

Can you please share a snapshot of your WLC and Packetfence server? I'll recheck my config.

I'll share a quick overview of the basics from what we have setup.

First, define the packetfence server under SECURITY -> RADIUS on your WLC (in both authentication and accounting). Make sure that you enable support for RFC3576 (this is important! It is used for Radius CoA which packetfence uses to authorize/deauthorize users). As a side note on RFC3576, some WLC versions (at least <8.x) use port 1700 instead of the standard port which is 3799. If your WLC uses 1700 then you'll need to set this on the packetfence server (see later in this text).

Once the radius servers are defined (for packetfence) you need to define two ACL lists under Security -> Access Control Lists -> Access Control Lists. These define what is allowed when the user is unregistered and what is allowed when the user is registered.

I have two: Pre-Auth-For-WebRedirect, which allows traffic to my packetfence portal as well as DNS, DHCP and ICMP.

Then we have an ACL to allow all traffic called Authorize_any.

Define the wireless network you want to use the captive portal with.

Security is handled by MAC filtering (WLC 8.2 and higher can use WPA2-PSK in conjunction with MAC filtering if needed).

Configure the Security settings for the SSID as follows

Under Advanced settings for the WLAN you need to make sure that NAC State is set to Radius NAC/ISE NAC (depending on which WLC version you are running. In 8.2 and higher I think it's ISE NAC).

Redirect to the captive portal is handled using the Radius NAC which sends the relevant URL to redirect.

Now that the WLC basics are set up you'll need to start looking at your packetfence server. I am assuming that you have a working packetfence installation (if not, set it up using the documentation on the packetfence.org webpage).

Under Configuration -> Network -> Switches you need to define your WLCs.

Note that I have set Controller port to 1700 here since my WLCs are running 7.6 and this uses 1700 for CoA instead of 3799 which is the standard port (see previous comment about this).

Under Roles in the switch config you will need to define the VLANs that are mapped to your roles.

Then you define the ACLs that are used for each role when in that state:

And lastly you define the URL of the captive portal to redirect.

Use the format: https://yourpacketfence.server/$session_id

Lastly go to the RADIUS settings on the switch and set up the Radius secret used for packetfence (which you'll use in your WLC to communicate with the radius server).

This should cover the basics. You will also need to configure your authentication sources in packetfence as well as your captive portal. All of this can be found in the packetfence documentation.
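
Added example, not part of the original post or of PacketFence or Cisco code: the RFC3576 CoA exchange the post relies on only works when both sides agree on the port and the RADIUS shared secret, and this Python sketch shows how a Disconnect-Request is signed and checked. The MAC address, secret and helper names are constructed for illustration; the packet codes and authenticator formula are those of RFC 5176, which obsoletes RFC 3576.

```python
import hashlib
import hmac
import struct

# Packet codes from RFC 5176, which obsoletes RFC 3576.
DISCONNECT_REQUEST, COA_REQUEST = 40, 43
CALLING_STATION_ID = 31      # RADIUS attribute that carries the client MAC
STANDARD_COA_PORT = 3799     # standard port named in the post
LEGACY_WLC_COA_PORT = 1700   # port the post reports for WLC 7.6


def _digest(header, body, secret):
    # Request Authenticator = MD5(code, id, length, 16 zero octets, attrs, secret)
    return hashlib.md5(header + b"\x00" * 16 + body + secret).digest()


def build_request(code, ident, attrs, secret):
    """Return a signed Disconnect-Request or CoA-Request as bytes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + _digest(header, body, secret) + body


def parse(packet):
    """Split a packet into (code, id, authenticator, attributes), checking lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        alen = packet[pos + 1] if pos + 1 < length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def verify_request(packet, secret):
    """True only if the packet was signed with this shared secret."""
    _, _, auth, _ = parse(packet)
    length = struct.unpack("!H", packet[2:4])[0]
    return hmac.compare_digest(auth, _digest(packet[:4], packet[20:length], secret))


# Constructed sample: a Disconnect-Request for a made-up client MAC and secret.
SAMPLE = build_request(DISCONNECT_REQUEST, 7,
                       [(CALLING_STATION_ID, b"aa-bb-cc-dd-ee-ff")],
                       b"constructed-secret")
```

A request whose authenticator does not verify is rejected by the receiver, so a secret mismatch between the WLC's RADIUS entry and the PacketFence switch entry breaks deauthorization even when the CoA port is right.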

Hi,

I'll apply this config and get back to you on what happened with this config.

Good luck! One last thing, if you use a production DHCP for IP assignment you'll need to forward these to the packetfence server.

I've done this by adding the packetfence server to the ip helpers setup on my guest vlan on the switch. This sends a copy of the dhcp request from the client to the packetfence server.

Packetfence needs to know this so make sure that it's set.

Hi Michel,

I am also setting up a Cisco WLC 5508 with packetfence for guest access. Can you please share your email here? I need to discuss the case in more detail.

Regards,

As I'm very busy with my normal job I'm unable to do support on this. I will of course try to answer what I can here on the forum so please post any questions you might have here.

The documentation provided by packetfence is quite good both with regards to the packetfence and Cisco WLC configuration so if you haven't gone through that already I suggest that you do. If you are experiencing any specific issues I might be able to assist though if I've encountered them myself.

Also, the packetfence mailing list is very good with support from the Developers.

regards

Michel

Hi Michel,

I have configured packetfence according to your guide, but when I connect to the SSID it connects directly and reaches the internet and is not redirected to the web auth page.

I can't find any logs or anything else to troubleshoot. Please check my config, which I have shared in a snapshot, and suggest.

Regards

Saad

I've sent you a message here so please read that. You'll find my email there if you'd like to contact me directly.

regards

Michel

Hi,

Do you have any idea how to integrate WLC using routed network mode in packetfence?

I have only used packetfence in out-of-band mode (webauth) so I don't have any experience with using it inline in routed mode. I suggest you try the packetfence mailing list or try to figure it out using the available documentation from packetfence.

Hi,

Can you please paste snapshots or guide me about captive portal settings in packetfence? There is very little about the captive portal settings in the guides.