
This website is originally written in the Czech language. Most content is machine (AI) translated into English. The translation may not be exact and may contain errors.

Cisco WLC C9800 - configuration of general properties and authentication

Petr Bouška - Samuraj

The second part of the series on configuring the Cisco Catalyst 9800 Wireless Controller, which is built on Cisco IOS XE. We will look at configuration areas that are not directly related to wireless networks but prepare or support them: the physical WLC, its network interfaces, network services and the management interface; general Wi-Fi settings such as Device Classification and AVC; authentication options for logging into WLC management and into WLANs; and a brief description of Web Authentication.

Note: The description in this article is based on a Cisco Catalyst 9800-L Wireless Controller running Cisco IOS XE Cupertino version 17.9.3 (currently the recommended version), with Cisco Catalyst 9164I access points connected to it.

WLC Configuration

When transitioning from AireOS WLC to Catalyst 9800, you can use the Configuration Migration tool.

Installation mode

There are two options for how the Cisco IOS XE image can run. For most situations, Install mode is better than Bundle mode. We can see which mode the WLC is running in at the end of the CLI output.

WLC#show version

...
Installation mode is INSTALL

Ethernet Interface (port)

  • Configuration - Interface - Ethernet

The C9800-L-C controller is equipped with a set of ports for connecting to the LAN.

  • 4x RJ-45 2.5G/1G Multigigabit Ethernet
  • 2x RJ-45 10G/Multigigabit Ethernet

And additional ports for management and operation.

  • Console Port
  • Service Port for Out-of-band management
  • Redundancy Port (RP) for cluster
WLC C9800 WebUI - Configuration - Interface - Ethernet

Logical Interface

  • Configuration - Interface - Logical

We can combine physical ports into a logical interface using Port Channel (Link Aggregation Group - LAG), which is recommended. We can then (in practice, we must) set the interface to Trunk mode and thus connect the controller to all necessary networks (allowing only needed VLANs).

Note: The entire configuration can be done in the traditional Cisco IOS way in CLI.

L2 VLAN

  • Configuration - Layer2 - VLAN - VLAN

If the APs run in the standard Local Mode (Central Switching), we must configure the VLANs that we later map to SSIDs. An L3 interface (SVI) is not necessary for them (as it was in AireOS), so the WLC doesn't need an IP address in the networks (VLANs) that clients connect to via WLAN. We need an SVI only for management (WMI).

Wireless Management Interface (WMI)

  • Configuration - Interface - Wireless
  • Configuration - Layer2 - VLAN - SVI

The C9800 has only one L3 management interface. It serves for access to management (GUI, CLI). The WMI terminates all CAPWAP traffic from access points and is the default source interface for control traffic from the WLC. It's also the AP Manager interface. It's recommended to use a Switched VLAN Interface (SVI).

Cisco recommends that WMI be in a different VLAN than APs. Communication between them must then be routed. APs can find WLC using DHCP option 43 or DNS record CISCO-CAPWAP-CONTROLLER.company.local.
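The DHCP option 43 route mentioned above carries the WLC addresses in a small TLV: Cisco's documented format for lightweight APs is sub-option type 0xF1, a length byte equal to 4 times the number of controllers, and the WMI IPv4 addresses as raw bytes. The following encoder/decoder is an added example written for this article, not code from the article or from Cisco; the WMI addresses, pool name and subnet are constructed values, and the IOS `ip dhcp pool` syntax is rendered as a string for the switch that serves the AP VLAN.

```python
import ipaddress

# Cisco lightweight APs read the WLC list from DHCP option 43 encoded as:
#   0xF1 (sub-option type 241) | length = 4 * n | n IPv4 addresses (4 bytes each)
CISCO_AP_SUBOPTION = 0xF1

def encode_option43(controllers):
    """Build the option 43 payload for a list of WLC WMI IPv4 addresses."""
    # The single length byte caps the list at 63 addresses (63 * 4 = 252).
    if not 1 <= len(controllers) <= 63:
        raise ValueError("option 43 allows 1..63 IPv4 addresses")
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    return bytes([CISCO_AP_SUBOPTION, len(payload)]) + payload

def decode_option43(raw):
    """Parse a payload back into WLC addresses, rejecting malformed TLVs.

    A length byte that does not match the body, or is not a multiple of 4,
    would otherwise make an AP read garbage as a controller address.
    """
    if len(raw) < 2 or raw[0] != CISCO_AP_SUBOPTION:
        raise ValueError("not a Cisco AP (0xF1) sub-option")
    length = raw[1]
    if length != len(raw) - 2 or length % 4 != 0:
        raise ValueError("length byte does not match an IPv4 address list")
    body = raw[2:]
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]

def ios_dhcp_pool(pool_name, network, mask, gateway, controllers):
    """Render a Cisco IOS DHCP pool for the AP VLAN with option 43 in hex form."""
    opt = encode_option43(controllers).hex()
    return "\n".join([
        f"ip dhcp pool {pool_name}",
        f" network {network} {mask}",
        f" default-router {gateway}",
        f" option 43 hex {opt}",
    ])

if __name__ == "__main__":
    # Constructed example: two WMI addresses of an HA pair, AP VLAN 192.168.20.0/24.
    wlcs = ["192.168.10.5", "192.168.10.6"]
    tlv = encode_option43(wlcs)
    print("option 43 hex", tlv.hex())            # f108c0a80a05c0a80a06
    assert decode_option43(tlv) == wlcs          # round trip
    print(ios_dhcp_pool("AP-VLAN20", "192.168.20.0", "255.255.255.0",
                        "192.168.20.1", wlcs))
```

Decoding the option 43 value found in a DHCP server's configuration is a quick way to verify which controllers the APs in a VLAN are actually being pointed at.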

Network Time Protocol (NTP)

  • Administration - Time

NTP synchronization is needed for many functions. We set the NTP server, and under Change Date and Time we set Daylight Saving Time (last Sunday in March 01:00 to last Sunday in October 01:00).

DHCP bridging and DHCP relay

By default, wireless network (WLAN) clients obtain IP addresses from DHCP. On the C9800, DHCP bridging is used by default (and is recommended): client DHCP traffic is forwarded unchanged to the VLAN mapped to the SSID.

Usually, there's no DHCP server in the client VLAN, so it's recommended to use DHCP Relay on the switch (router). Cisco uses the command ip helper-address on the VLAN interface.

HTTP/HTTPS/VTY access

  • Administration - Management - HTTP/HTTPS/Netconf/VTY

From version 17.3, the configuration of WebUI (Web user interface) and Web Authentication (web portal for WLAN authentication) is separated, so it's recommended to disable HTTP access to administration. We can set a certificate and timeouts. And also configure VTY (virtual ports for SSH access). For web access and VTY, we can set the authentication method (e.g., using RADIUS).

WLC C9800 WebUI - Administration - Management - HTTP/HTTPS/Netconf/VTY

High Availability - WLC cluster

  • Administration - Device - Redundancy

We can connect two controllers into a cluster, where one is active and the other is standby. High Availability (HA) allows reducing wireless network outages due to WLC failure. The HA Stateful Switch Over (SSO) feature allows APs to create a CAPWAP tunnel with the active WLC. The active controller shares a copy of the AP and client database with the standby. If the active WLC fails, the standby takes over. APs remain connected as well as clients.

Because all interfaces are configured only on the active box but are synchronized with the standby, the same set of interfaces is configured on both WLCs. After connection, the standby WLC is no longer accessible under its WMI IP address.

Physically, the boxes are connected using the Redundancy Port (RP). IP addresses from the zeroconf (APIPA) address range are set on it automatically. We can also use the RMI + RP configuration, where communication additionally goes through the management network (WMI) using a virtual RMI interface. The Redundancy Management Interface (RMI) is used for dual-active detection and for monitoring the standby controller. For RMI, we must set an IP address on each box.

Switching active and standby controllers (switchover) can be done in CLI (it restarts the active WLC):

WLC1#redundancy force-switchover

Global Wi-Fi Settings

Wireless Global

  • Configuration - Wireless - Wireless Global

Certain global settings for the wireless network, for example:

  • Management Via Wireless - allows access to administration (web, SSH) from the Wi-Fi network; it is recommended to keep this disabled
  • Device Classification - turns on Local Client Profiling, which detects the client type by analyzing DHCP and HTTP requests; a useful feature that shows us some information about clients

Application Visibility and Control (AVC)

  • Configuration - Services - Application Visibility

AVC classifies applications using Cisco Deep Packet Inspection (DPI) technique with Network-Based Application Recognition (NBAR) engine. After enabling (on individual Policy Profile), we get information about traffic in the wireless network. We can also create policies and drop or mark traffic.

  • Monitoring - Services - Application Visibility

In monitoring, we see information about traffic.

Client exclusion

  • Configuration - Security - Wireless Protection Policies - Client Exclusion Policies

After repeated failed authentication or association attempts, or when IP address theft is detected, a client can be excluded (blocked) for a certain time. In the global policy, we set which events cause client exclusion. The actual enabling and the exclusion time are set on the Policy Profile.

Rogue Policies

  • Configuration - Security - Wireless Protection Policies - Rogue Policies

Rogue wireless devices can attack our wireless network. Attackers can perform DoS (denial-of-service) attacks, man-in-the-middle, hijack legitimate clients, etc. As a defense, we can create Rogue Policies and Rogue AP Rules and set channels to scan.

Cisco recommends setting the Rogue Detection Security Level to at least High. We can also enable Infrastructure Management Frame Protection (MFP) and AP Impersonation Detection, where individual APs validate the management frames of other APs.

  • Configuration - Radio Configurations - RRM

For each band, we set Channel List channels to scan. It's recommended to use All Channels or Country Channels.

Disabling low transmission rates

  • Configuration - Radio Configurations - Network - 5 GHz Band and 2.4 GHz Band
  • Configuration - Tags & Profiles - RF/Radio - RF - default-rf-profile-6ghz

It's recommended to disable low transmission rates in the individual bands. Low rates slow down the entire network (beacons are sent at the lowest mandatory rate), but disabling them requires care and testing. For 2.4 GHz, we can disable 1, 2, and 5.5 Mbps (possibly also 6, 9, and 11 Mbps, because we probably don't use IEEE 802.11b anymore) and set 11 Mbps to Supported (instead of Mandatory). For 5 GHz and 6 GHz, we can disable 6 and 9 Mbps (possibly also 12 and 18 Mbps).

The configuration location depends on how we have set the RF Tag, whether we use global settings.

Minor settings

  • Administration - DNS
  • Configuration - Security - PKI Management - Trustpoints / Add Certificate (PKCS12 - Desktop)
  • Administration - Management - SNMP
  • Troubleshooting - Syslog - Manage Syslog Servers
  • Administration - Smart Call Home
  • Licensing

Authentication and Authorization

For access to WLC management via SSH or web interface, as well as for user login to individual WLANs, we need to address authentication and authorization. We can create local users or use an authentication server (AAA), typically RADIUS, TACACS+, or LDAP.

If we use Microsoft Network Policy Server, the related article on how to set up Microsoft NPS as RADIUS for WiFi might be useful.

Local accounts

  • Administration - User Administration

Here we create users (administrators) for access to WLC administration (Privilege: Admin). We can also create a user who creates accounts for Web Auth (Privilege: Lobby Admin), or directly accounts that can log in to a WLAN using Web Auth (Privilege: Read Only). Guest accounts can also be created in Configuration - Security - Guest User.

Note: There's a difference whether an account is created by Lobby Admin or we create it in administration (primarily in account validity). It's well visible in the CLI output.

Addresses for MAC Filtering

  • Configuration - Security - AAA - AAA Advanced - Device Authentication

If we use local MAC Filtering (a list of allowed MAC addresses for connection) on some WLAN, we can define individual addresses here.

Note: An important insight from practice. If we also set a WLAN Profile Name for a MAC address, this device will only connect to the given WLAN. It will not be able to authenticate to WLANs where MAC Filtering is not used.

Authentication Servers - AAA

  • Configuration - Security - AAA

A RADIUS server is often used, which we will address here. The configuration process may be as follows (we can also use the AAA Wizard):

  • Servers / Groups - Servers - we enter individual servers
  • Servers / Groups - Server Groups - we combine servers into a group
  • AAA Method List - we create AAA methods as needed, Group Type can be local (local accounts) or group (external RADIUS), we choose different types according to usage
    • Authentication - login for Web Auth or access to administration, dot1x for 802.1x authentication of users to WLAN
    • Authorization - exec for authorization to administration, network for MAC Filtering
  • We use AAA methods in various places of the configuration, primarily in WLAN settings and SSH and web access
WLC C9800 WebUI - Configuration - Security - AAA - AAA Method List

For those experienced with Cisco IOS, it might be easier to use CLI (same as for setting up VTY, web, etc.). An outline of possibilities:

aaa authentication login AdminLogin local group COMPANYradius
aaa authentication dot1x AuthDomain group COMPANYradius
aaa authorization exec AdminLogin local group COMPANYradius
aaa authorization network AuthDomain group COMPANYradius
aaa group server radius COMPANYradius
 server name COMPANYradius1
radius server COMPANYradius1

Note: In AAA Method List, we can enter two authentication methods, as seen in the first command. Then, local authentication is tried first, and if unsuccessful, the defined RADIUS server is used. If we enter it in reverse, RADIUS is used, and if it doesn't respond, the local database is used.

Web Authentication (Web Auth)

Web authentication is often used for guest access. It's a Layer 3 security solution. The network itself is set to Open Security, meaning it doesn't use any encryption or authentication. After connecting to the WLAN, users are automatically redirected to a web page (referred to as a Captive Portal), where they must authenticate. Until we're logged in, browsers inform us that network login is required.

Creating Guest Accounts

The administrator can create login accounts in Configuration - Security - Guest User, but more likely we'll create a special account with Lobby Admin privileges. This user (for example, at reception) logs into the WLC web interface, where they have access to a limited GUI for managing Guest Users. Accounts are created with limited validity, after which they are deleted. Besides local accounts, RADIUS or LDAP can also be used.

WLC C9800 WebUI - Lobby Admin - Add Guest User

Note: Here we focus on Local Web Authentication, where the WLC's internal web page is used for authentication. Another option is External Web Authentication, where there's a redirect to an external web server (authentication still occurs on the WLC). Or Central Web Authentication, which typically uses ISE, which performs the authentication.

Configuring Web Auth Parameters

  • Configuration - Security - Web Auth

By modifying the global Parameter Map, or by creating our own (here we set only part of the parameters), we can change the behavior of web authentication.

Some parameters are:

  • Virtual IPv4 Address - virtual IP address on which the internal login web page runs, default 192.0.2.1
  • Virtual IPv4 Hostname - DNS name for Virtual IPv4 Address, we must set up the translation on our DNS server
  • Trustpoint - certificate for HTTPS, to prevent users from getting warnings, it must be trustworthy and match the hostname
  • Web Auth intercept HTTPs, Enable HTTP server for Web Auth - we turn on for local Web Auth
  • Banner Title - text displayed as the title on the login page, default Welcome to the Cisco Web-Authentication network
  • Banner Type, Banner Text - when we choose banner text, it's displayed below the title on the login page; we can also use a file stored in Flash. There's an issue with Czech characters (either they display incorrectly or the setting doesn't work at all). Default: Cisco is pleased to provide web-authentication infrastructure for your network. Please login.
  • Disable Cisco Logo - we remove the Cisco logo display on the login page
  • Type - standard is Webauth, performs authentication with username and password, another option Consent offers only Accept and Deny buttons, Webconsent combines both
WLC C9800 internal Local Web Authentication web page

The image above shows the default internal login page. For this, we can modify Banner Title, Banner Text and Disable Cisco Logo.

On the Advanced tab, we can set up redirection to an external web server (External Web Authentication) or customized web pages (Customized Local Web Authentication), which we upload to the WLC's Flash memory. To create custom pages, we can use the old Wireless Lan Controller Web Authentication Bundle template.

Enabling Web Auth on WLAN

We set up Web Auth on the WLAN Profile under Security - Layer3, item Web Policy. In the Show Advanced Settings section, we can also set Preauthentication ACL, which controls what communications are allowed before the user is authenticated. We create this in Configuration - Security - ACL.

In practice, it's also necessary to increase the Session Timeout in the Policy Profile - Advanced settings. By default, it's 30 minutes, and after expiration, users must log in again on the portal.
