Home Knowledge Base SecureW2 Documentation Web Authentication Configuration in Cisco Catalyst 98xx WLC

Web Authentication Configuration in Cisco Catalyst 98xx WLC

1. Introduction

Web Auth Wi-Fi for Cloud IDPs empowers authorized end-users to use their enterprise identities like Azure AD, Okta, Google, OneLogin, or any other SAML vendors to log into your network. This feature is mainly used to onboard users’ devices or unmanaged devices onto the secure Wi-Fi network after a Single Sign-On event.

It works by presenting a captive portal when users join the network, and after their credentials are validated, they are authorized access to the network. The MAC Address is saved for subsequent authentications. This also helps admins to understand and track the users and devices using the network.

This document describes how to configure Web Auth Wi-Fi for Cloud Core Providers in the JoinNow Management Portal and integrate it with Cisco Catalyst 98xx WLC.

2. Prerequisites

The following are the prerequisites to integrate the JoinNow CloudRADIUS server with Cisco Catalyst 98xx:

  1. Active subscription to the JoinNow Management Portal and CloudRADIUS.
  2. Cisco Catalyst 98xx Series Wireless LAN Controllers

3. Configuring JoinNow Management Portal

3.1 Creating a Core Provider

A Core Provider is the system that proves a user’s or device’s identity. Creating a core provider in the JoinNow Management Portal tells the Cloud Connector system how to verify user credentials and register the MAC address of the onboarding device.

To create a core provider, perform the following steps:

  1. Log in to the JoinNow Management Portal.
  2. Navigate to the Integration Hub > Core Platforms.
  3. Click Add.
  4. In the Name field, enter the name of the core provider.
  5. In the Description field, enter a suitable description for the core provider.
  6. From the Type drop-down list, select Okta SAML.
  7. Click Save.

4. Cisco Catalyst 98xx WLC Configuration

The following are the high-level steps to be configured on the Cisco wireless controller to enable Web Authentication:

  • Adding a Server in Cisco
  • Adding AAA Method List
  • Creating the WebAuth Parameter
  • Policy Configuration in Cisco
  • Creating the Broadcasting SSID

4.1 Adding a RADIUS Server in Cisco

The RADIUS configurations from JoinNow are configured in Cisco to enable the AAA set-up in the wireless controller.

  1. Log in to the Cisco Catalyst 9800-L Wireless Controller portal.
  2. Navigate to Configuration > Security > AAA.
  3. Under Servers/Groups, click RADIUS in the Servers tab and then click the +Add button to create a new server.
  4. On the Create AAA RADIUS Server window, configure the following details:
    1. In the Name field, enter the name of the RADIUS server.
    2. To obtain the AAA configuration details from the JoinNow Management Portal, navigate to RADIUS > RADIUS Configuration. Copy the Primary IP Address, Authentication Port, Accounting Port, and Shared Secret values.
    3. For the Server Address field, enter the Primary IP Address value obtained from the JoinNow Management Portal.
    4. For the Auth Port field, enter the Authentication Port value obtained from the JoinNow Management Portal.
    5. For the Acct Port field, enter the Accounting Port value obtained from the JoinNow Management Portal.
    6. For the Key and Confirm Key fields, enter the Shared Secret value obtained from the JoinNow Management Portal.
    7. In the Server Timeout field, enter the duration in seconds.
    8. In the Retry Count field, enter the desired number of retry attempts.
    9. Use the Support for CoA toggle button to enable or disable change of authorization (CoA).
    10. Click Apply to Device.

4.1.1 Adding RADIUS Server to a Server Group

To add the server to a server group:

  1. Navigate to Configuration > Security > AAA.
  2. Under Servers/Groups, click RADIUS in the Server Groups tab and then click the +Add button to create a new server group.
  3. On the Create AAA RADIUS Server pop-up window, configure the following details:
    1. In the Name field, enter the name of the server group.
    2. From the Available Servers list, add the server created in the Adding a RADIUS Server in Cisco section to the Assigned Servers list.


    3. Click Apply to Device.

4.2 Adding AAA Method List

AAA method list helps in mapping server details with the broadcasting SSID. For setting up CNA bypass using Cisco, two types of AAA method lists should be configured:

  • Login – for Web Auth authentication
  • Dot1x – For RADIUS authentication.

4.2.1 Creating a Login Type AAA Method List

To create an AAA method list for Login, perform the following steps:

  1. Navigate to Configuration > Security > AAA.
  2. Under the AAA Method List tab, click Authentication and then click + Add.
  3. In the Method List Name field, enter a name for your AAA Authentication.
  4. From the Type drop-down, select login.
  5. From the Available Server Groups list, add the server group created in the Adding RADIUS Server to a Server Group section to the Assigned Server Groups list.


  6. Click Apply to Device.

4.2.2 Creating a dot1x Type AAA Method List

To create an AAA method list for dot1x, perform the following steps:

  1. Navigate to Configuration > Security > AAA.

  2. Under the AAA Method List tab, click Authentication and then click + Add.
  3. In the Method List Name field, enter a name for your AAA Authentication.
  4. From the Type drop-down, select dot1x.
  5. From the Available Server Groups list, add the server group created in Adding RADIUS Server to a Server Group to Assigned Server Groups list.


  6. Click Apply to Device.

4.3 Creating the WebAuth Parameter

The Web Auth parameter is configured with the redirect URL, which will lead the customers to the landing page.

  1. Navigate to Configuration > Security > Web Auth.
  2. Click + Add to create a new Web Auth Parameter.
  3. In the Create Web Auth Parameter pop-up window, enter a name for the parameter map in the Parameter-map name field.
  4. In the Maximum HTTP connections field, enter the maximum number of HTTP connections you want to allow. The valid range is 1-200.
  5. In the Init-State Timeout field, enter the duration after which the init-state timer should expire if the user fails to enter valid credentials on the login page. The range is 60-3932100 seconds.
  6. In the Type drop-down list, select the Webauth option that appears during the login process.
  7. Click Apply to Device. The newly created parameter map appears in the list of parameter maps on the Web Auth page.
  8. On the Web Auth page, click the name of the parameter map that you created earlier (refer to step 2).
  9. In the Edit Web Auth Parameter pop-up window that appears, navigate to the Advanced tab.
  10. Under the Redirect to external server section, in the Redirect URL for log-in field, enter the URL with which the user will be routed to the Landing page.

    To create the Landing URL, perform the following steps:
    1. Log in to the JoinNow Management Portal.
    2. Navigate to Device Onboarding > Web Authentication.
    3. In the Basic section, enter the name of the Web Authentication in the Name field.
    4. In the Display Description field, enter a suitable description for the Web Authentication.
    5. From the Vendor drop-down list, select Cisco Meraki.
    6. Click Save.
    7. Click the Configuration tab.
    8. In the URL field, enter https://192.0.2.1/login.html. This redirect URL is specific to Cisco.

    9. Click the Authentication tab.
    10. In the Authentication section, from the Core Provider drop-down list, select the core provider created earlier in the Creating a CoreProvider section.

    11. Click Update.
    12. On the Web Authentication page, click the Open landing page icon and copy the landing page URL.
  11. In the Redirect Append for AP MAC Address field, enter the variable – ap_mac
  12. In the Redirect Append for Client MAC Address field, enter the variable – client_mac
  13. In the Redirect Append for WLAN SSID field, enter the variable – ssid
  14. Click Update & Apply.

4.3.1 Configuring the URL Filter List

To configure the URL Filter List, perform the following steps:

  1. Navigate to Configuration > Security > URL Filters.
  2. On the URL Filters page, click the + Add button.
  3. On the Add URL Filters pop-up window, configure the following details:
    1. In the List Name field, enter a name for the URL filter list.
    2. From the Type drop-down list, select PRE-AUTH.
    3. In the Action field, enable the PERMIT button.
    4. In the URLs field, enter the ACL to allow the URLs.
    5. Click Apply to Device.

4.4 Policy Configuration in Cisco

Policy configuration in Cisco involves mapping the SSID with a policy that is essential for broadcasting the network via the Access point.

4.4.1 Creating a Wireless Policy Profile

  1. Navigate to Configuration > Tags & Profiles > Policy.
  2. On the Policy page, click + Add.
  3. On the Add Policy Profile window, under the General tab, enter a name for the policy profile in the Name field.
  4. Toggle the Status button to ENABLED state.
  5. Click the Access Policies tab and configure the following details:
    1. In the URL Filters section, from the Pre Auth drop-down list, select the Pre-Auth url filter created in the Configuring the URL Filter List section.

  6. Click Apply to Device.

4.4.2 Configuring a Policy Tag

  1. Navigate to Configuration > Tags & Profiles > Tags.
  2. In the Policy Tags page, click + Add.
  3. On the Add Policy Tag pop-up window, in the Name field, enter a name for the policy tag.
  4. Expand WLAN-POLICY Maps and click + Add.
  5. From the WLAN Profile drop-down list, select the SSID profile created in the Configuring the Broadcasting SSID section.
  6. From the Policy Profile drop-down list, select the policy created in the Creating a Policy Profile section.
  7. Click the button with a tick mark to save the WLAN and Policy profiles.


  8. Click Apply to Device.
  9. To view the assigned Policy tag, perform the following steps:
    1. Navigate to Configuration > Tags & Profiles > WLANs.
    2. Click the WLAN profile created earlier in the Configuring the Broadcasting SSID section.
    3. Click the Add To Policy Tags tab. The Policy Tags are assigned to the WLAN profile, as shown in the screenshot below.

4.5 Configuring the Broadcasting SSID

The broadcasting SSID is the open network that the device connects to before being authenticated into the secure network.

To create a WLAN, perform the following steps:

  1. Navigate to  Configuration > Tags & Profiles > WLANs.
  2. Click + Add to create a new WLAN Profile.
  3. On the Add WLAN pop-up window, in the General tab, enter the profile name in the Profile Name field.
  4. In the SSID field, enter the SSID name. By default, the profile name entered in the previous step is automatically used as the SSID. You can either use this default name or enter a new one.
  5. In the WLAN ID field, enter a valid ID between 1 and 4096. This field is automatically populated by the system with an available ID. You may assign a new ID if needed.
  6. Toggle the Status button to ENABLED state.
  7. If the Broadcast SSID is disabled, click the toggle button to enable the SSID broadcast, making it visible to all wireless clients within range.
  8. Go to the Security tab, then under the Layer2 tab, in the Layer 2 Security Mode drop-down list, choose None. For web authentication, disable all Layer 2 security features.
  9. Under the Layer3 tab, select the Web Policy checkbox.
  10. From the Web Auth Parameter Map drop-down list, select the parameter map you created earlier in the Creating the WebAuth Parameter section.
  11. From the Authentication List drop-down list, select the authentication list you created in the Creating a Login Type AAA Method List section.

  12. Click the AAA tab.
  13. From the Authentication List drop-down list, select the dot1x Authentication Method List created in the Creating a dot1x Type AAA Method List section.

  14. Click Apply to Device.

4.6 Sample WiFi Onboarding Steps

  1. Connect to the open guest network.
  2. Click Join now.
  3. On the Landing Page, enter the user credentials required to log in. You will be directed to an SSO page if the Identity Store is a third-party Identity Provider.
  4. Upon successful authentication, users will be redirected to the configured URL/website.
More Cisco Explainers