Configure Wireless Controllers in the Wireless Network
When you first launch Wireless Setup and select a flow, you are asked to configure a Wireless Controller. Wireless Setup pushes the necessary settings to the Wireless Controller to support the type of flow you are configuring.
- The Wireless Controller must be a Cisco Wireless Controller running AireOS 8.x or higher.
- Virtual Wireless Controller doesn’t support DNS-based ACLs.
- Configure your Wireless Controller for the interface VLANs (networks) that you plan to use in your Wireless Setup deployment. By default, the Wireless Controller has a management interface, but we recommend that you configure other interfaces for your guest and secure access (employee) networks.
- For the Guest flow, an ACL_WEBAUTH_REDIRECT ACL is used to redirect guest devices to either a Hotspot or Credentialed Portal to accept an AUP (hotspot), to log in, or to create credentials. After the Guest is authorized, they are permitted access (ACCESS-ACCEPT). You can use ACLs on the Wireless Controller to restrict guest permissions. To do so, create an ACL on the Wireless Controller, and use that ACL in your guest permission authorization profile. To allow access to the Cisco ISE success page, add this ACL to the Wireless Controller. For more information about creating restrictive ACLs, see https://communities.cisco.com/docs/DOC-68169.
- Wireless Setup configures a WLAN for each flow. Once you have configured a WLAN for a flow, that WLAN is not available for any other flow. The only exception is when you configured a WLAN for a self-registration flow and later decide to use this WLAN for a sponsored guest flow, which handles both self-registration and sponsoring of guests.
If you run Wireless Setup in a production environment, your configurations may disconnect some existing users.
- If you configure a flow in Wireless Setup with a Wireless Controller, do not remove that Wireless Controller in Cisco ISE.
- If you have already configured a Wireless Controller in Cisco ISE, but you didn't configure a shared secret in the RADIUS Options, then you must add a shared secret before using that Wireless Controller in Wireless Setup.
- If you already configured a Wireless Controller in Cisco ISE, and you configured a shared secret, then don't configure a different shared secret with Wireless Setup. The Wireless Setup and the Cisco ISE secret passwords must match. The WLAN that you select is disabled throughout the flow, but it can be re-enabled at the end of the flow by clicking the Go Live button.
- Remote LAN: If your network has a remote LAN, Wireless Setup fails when it tries to use a VLAN ID that is already assigned to your remote LAN. To work around this, either remove the remote LAN, or create the VLANs that you plan to use on the Wireless Controller before you run Wireless Setup. In Wireless Setup, you can enable those existing VLANs for flows.
- FlexConnect: FlexConnect Local Switch and FlexConnect ACLs are configured by Wireless Setup, but they are not used or supported. Wireless Setup only works with FlexConnect Centralized or Local Mode Access Points and SSIDs.
Example of Wireless Configuration
The following extract from a Wireless Controller log shows an example of the configuration that Wireless Setup applies when you configure a flow.
"config radius auth add 1 192.168.201.228 1812 ascii cisco"
"config radius auth disable 1"
"config radius auth rfc3576 enable 1"
"config radius auth management 1 disable"
"config radius auth enable 1"
"config radius acct add 1 192.168.201.228 1813 ascii cisco"
"config radius acct enable 1"
"config acl create ACL_WEBAUTH_REDIRECT"
"config acl rule add ACL_WEBAUTH_REDIRECT 1"
"config acl rule action ACL_WEBAUTH_REDIRECT 1 permit"
"config acl rule source port range ACL_WEBAUTH_REDIRECT 1 53 53"
"config acl rule protocol ACL_WEBAUTH_REDIRECT 1 17"
"config acl rule add ACL_WEBAUTH_REDIRECT 1"
"config acl rule action ACL_WEBAUTH_REDIRECT 1 permit"
"config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 53 53"
"config acl rule protocol ACL_WEBAUTH_REDIRECT 1 17"
"config acl rule add ACL_WEBAUTH_REDIRECT 1"
"config acl rule action ACL_WEBAUTH_REDIRECT 1 permit"
"config acl rule source address ACL_WEBAUTH_REDIRECT 1 192.168.201.228 255.255.255.255"
"config acl rule add ACL_WEBAUTH_REDIRECT 1"
"config acl rule action ACL_WEBAUTH_REDIRECT 1 permit"
"config acl rule destination address ACL_WEBAUTH_REDIRECT 1 192.168.201.228 255.255.255.255"
"config acl apply ACL_WEBAUTH_REDIRECT"
"show flexconnect acl summary"
"config flexconnect acl create ACL_WEBAUTH_REDIRECT"
"config flexconnect acl rule add ACL_WEBAUTH_REDIRECT 1"
"config flexconnect acl rule action ACL_WEBAUTH_REDIRECT 1 permit"
"config flexconnect acl rule source port range ACL_WEBAUTH_REDIRECT 1 53 53"
"config flexconnect acl rule protocol ACL_WEBAUTH_REDIRECT 1 17"
"config flexconnect acl rule add ACL_WEBAUTH_REDIRECT 1"
"config flexconnect acl rule action ACL_WEBAUTH_REDIRECT 1 permit"
"config flexconnect acl rule destination port range ACL_WEBAUTH_REDIRECT 1 53 53"
"config flexconnect acl rule protocol ACL_WEBAUTH_REDIRECT 1 17"
"config flexconnect acl rule add ACL_WEBAUTH_REDIRECT 1"
"config flexconnect acl rule action ACL_WEBAUTH_REDIRECT 1 permit"
"config flexconnect acl rule source address ACL_WEBAUTH_REDIRECT 1 192.168.201.228 255.255.255.255"
"config flexconnect acl rule add ACL_WEBAUTH_REDIRECT 1"
"config flexconnect acl rule action ACL_WEBAUTH_REDIRECT 1 permit"
"config flexconnect acl rule destination address ACL_WEBAUTH_REDIRECT 1 192.168.201.228 255.255.255.255"
"config flexconnect acl apply ACL_WEBAUTH_REDIRECT"