Configuration for Cisco Catalyst

The following instructions outline how to setup a Cisco Catalyst controller for the Smart WiFi Platform.  This guide covers details such as configuring RADIUS, URL Filters, tags and policies profiles and WLANs.  This guide assumes that your Cisco Catalyst is already operational and on a live network. Please make sure any firewall rules, web content filters, and other security measures have been configured to interface with the platform.

Checklist before proceeding with the Cisco Catalyst configuration

  1. HTTP and HTTPS access must be open to the controller for this integration to work.
  2. The BASE RADIO MAC of all APs that will be broadcasting the Guest WiFi signal need to be reported to support to avoid guests being served a hotspot deactivated message.

  1. Login to your Cisco Catalyst portal
  2. At the top right, click the Settings icons and enable the Expert mode.
  3. Click on Configuration > Security > Web Auth on the left and click into the global profile. Configure with-
    1. Virutal IPv4 Address:
  4. Click on Configuration > Security > Web Auth on the left, add a profile profile and configure with-
    1. Parameter-map name: smart_wifi
    2. Maximum HTTP connections: 200
    3. Init-State Timeout: 3600
    4. Type: Webauth
    5. Click apply to device to save.
  5. Click on the profile you just created and configure with
    1. Under General
      1. Banner type: none
      2. Turn-on Consent with Email: Disabled
      3. Captive Bypass  Portal: Disabled
      4. Disable Success Window: Enabled
      5. Disable Logout Window: Enabled
      6. Sleeping Client Status: Enabled
      7. Sleeping Client Timeout: 720
    2. Under Advanced
      1. Redirect for log-in: You will receive this
      2. Redirect for log-in: You will receive this
      3. Redirect on failure: blank
      4. Redirect Append for AP MAC Address: ap_mac
      5. Redirect Append for Client Mac Address: client_mac
      6. Redirect Append for WLAN SSID: wlan_ssid
      7. Portal IPv4 Address:
    3. Click Apply to save.
  6. On the left click on Configuration > Security > AAA. Select the Servers /Groups tab click Add and configure with:
    1. Name: smartwifi1
    2. IPv4/IPv6 Server Address: You will receive this
    3. Keytype: 0
    4. Key: You will receive this
    5. Confirm Key: Same as key above
    6. Auth Port: 1812
    7. Acct Port: 1813
    8. Server Timeout: 10
    9. Retry Count: 3
    10. Support for CoA: Disabled
  7. Click Apply to Device to save. Then click Add again and configure with:
    1. Name: smartwifi2
    2. IPv4/IPv6 Server Address: You will receive this
    3. Keytype: 0
    4. Key: You will receive this
    5. Confirm Key: Same as key above
    6. Auth Port: 1812
    7. Acct Port: 1813
    8. Server Timeout: 10
    9. Retry Count: 3
    10. Support for CoA: Disabled
  8. Click apply to Device to save.
  9. Click  on the Server Groups tab and click Add. Configure with:
    1. Name: smartRadius
    2. Group Type: RADIUS
    3. MAC-Deliminter: hyphen
    4. MAC-Filtering: none
    5. Assigned Servers: smartWiFi1, smartWiFi2
  10. Click Apply to Device to save.
  11. Click the AAA Method List. Click add and configure with.
    1. Method List Name: smart_auth
    2. Type: login
    3. Group Type: group
    4. Assigned Server Groups: smartRadius
  12. Click Apply to Device to save.
  13. Click the Accounting menu. Click add and configure with
    1. Method List Name: smart_acct
    2. Type: identity
    3. Assigned Server Groups: smartRadius
  14. Click apply to Device to save.
  15. Click the AAA Advanced tab and then click Show Advanced settings option. Configure both Authentication and Accounting with.
    1. Call Station  ID: ap-macaddress-ssid
    2. Call Station ID Case: upper
    3. MAC-Delimiter: hypen
    4. Username Case: lower
    5. Username Delimiter: none
  16. Click Apply to Device to save.
  17. Next on the left click Configuration > Tags and Policies > Click Add or Edit an existing WLAN and configure with the following:
    1. General tab
      1. Profile Name: Smart WiFi
      2. SSID: Smart WiFi
      3. Status: Enabled
      4. Radio Policy: All
      5. Broadcast: SSID
    2. Security > Layer 2
      1. Layer 2 Security Mode: None
      2. MAC Filtering: Disabled
      3. Security > Layer 3
      4. Web Policy: Enabled
      5. Web Auth Parameter Map: smart_wifi
      6. Authentication List: smartRadius
      7. On MAC Filter Failure: Disabled
      8. Splash Web Redirect: Disabled
      9. IPv4  ACL: Empty
      10. Apply to Device to Save.
      11. On the left click Configuration > Security > URL Filters. Click add and configure with:
        1. List Name: smartfilter
        2. Type: PRE_AUTH
        3. Action: PERMIT
        4. Add the wildcard walled garden entries following Catalyst specifications
        5. You may receive additional entries that must be added to the URL filter by support.
      12. Click Apply to save.
      13. On the left click Configuration > Security > Wireless AAA Policy. Click create new policy
        1. Name: You will be provided this
        2. NAS-ID Option 1: AP Policy Tag
        3. Click apply to save.
      14. On the left click Configuration > Tags & Policies > Policy. Click Add leaving all settings the same apart from the following.
        1. On the General tab:
          1. Name: smart_policy
          2. Status: Enabled
        2. Access Policies
          1. URL Filters: smartFilter
        3. Advanced Tab: scroll down to the AAA Policy section
          1. Session Timeout:
          2. Idle Timeout:
          3. Allow AAA Override: enabled
          4. Policy Name: Use the Wireless AAA policy created in step 13
          5. Accounting List: smartRadius
        4. Click Apply to device.
      15. Now using the panel to the left select Configuration > Tags &  Policies > Tags. Click Add and configure with
        1. Name: smart_tag
        2. WLAN Profile: Smart WiFi
        3. Policy Profile: smart_policy
  18. The final step is to disable secure webauth. You will need to login to the controller and enter configuration(enable) mode and run the following commands.
    1. parameter-map type webauth global
    2. webauth-http-enable
    3. secure-webauth-disable

Troubleshooting Splash page

  1. If devices are redirected but the page fails to load please ensure the URL Filter has been properly configured and assigned to the access policy.
  2. If devices load the splash page properly but after pressing connect the splash page is loaded again please ensure the RADIUS secret was correct applied for the Authentication profile
  3. If an  iOS device refuses to open the CNA but other devices are functioning as expected please review this article.
  4. If Apple devices are not triggering the captive portal assistant but other devices are please see this article on Bypass Apple CNA
  5. If devices are receiving a SSL Certificate error please see this article regarding Manufacturer SSL

Disclaimer on hardware configuration guides in the KB:

This equipment has been integrated and tested in our labs with the Smart WiFi Platform using the firmware versions below.

Software version 17.03.02a

LIMITED HARDWARE SUPPORT: Hardware manufacturers frequently make changes to firmware, controllers and GUI’s. The information below may be out of date or images may be different and is to be used as a general reference guide. We do offer additional limited support to help with trouble-shooting and we highly recommend that you have a hardware support agreement and/or access to a hardware support engineering representative from the manufacturer.


Updated on January 5, 2024

Was this article helpful?

Related Articles