Configuration Examples for Web-Based Authentication

Example for Configuring Local Web Authentication in Local Mode

  1. Configure authentication and authorization method lists.

    Device>enable
    Device#configure terminal
    Device(config)#aaa new-model
    Device(config)#aaa authentication login WIRELESS_LWA_AUTHENTICATION local
    Device(config)#aaa authorization network WIRELESS_LWA_AUTHORIZATION local
    
  2. Create guest user credentials. The password shown is a sample value; set a strong, unique password in a real deployment.

    Device(config)#user-name guest
    Device(config-user-name)#password cisco123
    Device(config-user-name)#exit
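  3. Configure the global parameter map. The trustpoint referenced here (WEBAUTH) must already be configured on the device with the certificate that the web authentication portal presents to clients.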

    Device(config)#parameter-map type webauth global
    Device(config-params-parameter-map)#virtual-ip ipv4 192.0.2.1
    Device(config-params-parameter-map)#webauth-http-enable
    Device(config-params-parameter-map)#intercept-https-enable
    Device(config-params-parameter-map)#trustpoint WEBAUTH
    Device(config-params-parameter-map)#exit
  4. Configure the named parameter map.

    Device(config)#parameter-map type webauth LWA_PARAMETER_MAP
    Device(config-params-parameter-map)#banner file flash:webauth_banner.html
    Device(config-params-parameter-map)#type webauth
    Device(config-params-parameter-map)#exit
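  5. Configure WLAN security parameters. The `no security wpa` commands disable WPA on this WLAN, so the SSID is open at Layer 2 and web authentication is the only access control.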

    Device(config)#wlan WLAN_LWA_LOCAL 15 WLAN_LWA_LOCAL
    Device(config-wlan)#no security wpa
    Device(config-wlan)#no security wpa wpa2 ciphers aes
    Device(config-wlan)#no security wpa akm dot1x
    Device(config-wlan)#security web-auth
    Device(config-wlan)#security web-auth authentication-list WIRELESS_LWA_AUTHENTICATION
    Device(config-wlan)#security web-auth authorization-list WIRELESS_LWA_AUTHORIZATION
    Device(config-wlan)#security web-auth parameter-map LWA_PARAMETER_MAP
    Device(config-wlan)#exit
  6. Configure wireless policy profile.

    Device(config)#wireless profile policy WLAN_LWA_LOCAL
    Device(config-wireless-policy)#vlan 100
    Device(config-wireless-policy)# no shutdown
    Device(config-wireless-policy)#exit
  7. Create a policy tag.

    Device(config)#wireless tag policy LWA_POLICY_TAG
    Device(config-policy-tag)#wlan WLAN_LWA_LOCAL policy WLAN_LWA_LOCAL
    Device(config-policy-tag)#exit
  8. Configure a site tag.

    Device(config)#wireless tag site SITE_LWA
    Device(config-site-tag)#exit
  9. Assign the policy tag to an Access Point.

    Device(config)#ap 28ac.9eb7.7220
    Device(config-ap-tag)#policy-tag LWA_POLICY_TAG
    Device(config-ap-tag)#site-tag SITE_LWA
    Device(config-ap-tag)#exit

Example for Configuring Local Web Authentication in Flex Mode

  1. Configure authentication and authorization method lists.

    Device>enable
    Device#configure terminal
    Device(config)#aaa new-model
    Device(config)#aaa authentication login LOCAL_WEBAUTH local
    Device(config)#aaa authorization network LOCAL_WEBAUTH local
    
  2. Create guest user credentials.

    Device(config)#user-name guest
    Device(config-user-name)#password cisco123
    Device(config-user-name)#exit
  3. Configure the global parameter map.

    Device(config)#parameter-map type webauth global
    Device(config-params-parameter-map)#virtual-ip ipv4 192.0.2.1
    Device(config-params-parameter-map)#virtual-ip ipv6 fd:1:1::1
    Device(config-params-parameter-map)#webauth-http-enable
    Device(config-params-parameter-map)#intercept-https-enable
    Device(config-params-parameter-map)#trustpoint WEBAUTH
    Device(config-params-parameter-map)#exit
  4. Configure the named parameter map.

    Device(config)#parameter-map type webauth PARAM-INTERNAL-AUTH
    Device(config-params-parameter-map)#type webauth
    Device(config-params-parameter-map)#exit
  5. Configure WLAN security parameters.

    Device(config)#wlan FLEX_LWA 11 FLEX_LWA
    Device(config-wlan)#no security wpa
    Device(config-wlan)#no security wpa akm dot1x
    Device(config-wlan)#wpa wpa2
    Device(config-wlan)#no security wpa wpa2 ciphers aes
    Device(config-wlan)#security web-auth
    Device(config-wlan)#security web-auth authentication-list LOCAL_WEBAUTH
    Device(config-wlan)#security web-auth authorization-list LOCAL_WEBAUTH
    Device(config-wlan)#security web-auth parameter-map PARAM-INTERNAL-AUTH
    Device(config-wlan)#no shutdown
    Device(config-wlan)#exit
  6. Configure wireless policy profile.

    Device(config)#wireless profile policy FLEX_LWA
    Device(config-wireless-policy)#no central association
    Device(config-wireless-policy)#no central switching
    Device(config-wireless-policy)#vlan 100
    Device(config-wireless-policy)#no shutdown
    Device(config-wireless-policy)#exit
  7. Create a policy tag.

    Device(config)#wireless tag policy LWA_POLICY_FLEX
    Device(config-policy-tag)#wlan FLEX_LWA policy FLEX_LWA
    Device(config-policy-tag)#exit
  8. Configure a site tag.

    Device(config)#wireless tag site LWA_FLEX_SITE
    Device(config-site-tag)#no local-site
    Device(config-site-tag)#exit
  9. Assign the policy tag to an Access Point.

    Device(config)#ap 28ac.9eb7.7220
    Device(config-ap-tag)#policy-tag LWA_POLICY_FLEX
    Device(config-ap-tag)#site-tag LWA_FLEX_SITE
    Device(config-ap-tag)#exit

Example for Configuring Local Web Authentication in Local Mode

  1. Configure authentication and authorization method lists.

    Device>enable
    Device#configure terminal
    Device(config)#aaa new-model
    Device(config)#aaa authentication login WIRELESS_LWA_AUTHENTICATION local
    Device(config)#aaa authorization network WIRELESS_LWA_AUTHORIZATION local
    
  2. Create guest user credentials.

    Device(config)#user-name guest
    Device(config-user-name)#password cisco123
    Device(config-user-name)#exit
  3. Configure the global parameter map.

    Device(config)#parameter-map type webauth global
    Device(config-params-parameter-map)#virtual-ip ipv4 192.0.2.1
    Device(config-params-parameter-map)#webauth-http-enable
    Device(config-params-parameter-map)#intercept-https-enable
    Device(config-params-parameter-map)#trustpoint WEBAUTH
    Device(config-params-parameter-map)#exit
  4. Configure the named parameter map.

    Device(config)#parameter-map type webauth LWA_PARAMETER_MAP
    Device(config-params-parameter-map)#banner file flash:webauth_banner.html
    Device(config-params-parameter-map)#type webauth
    Device(config-params-parameter-map)#exit
  5. Configure WLAN security parameters.

    Device(config)#wlan WLAN_LWA_LOCAL 15 WLAN_LWA_LOCAL
    Device(config-wlan)#no security wpa
    Device(config-wlan)#no security wpa wpa2 ciphers aes
    Device(config-wlan)#no security wpa akm dot1x
    Device(config-wlan)#security web-auth
    Device(config-wlan)#security web-auth authentication-list WIRELESS_LWA_AUTHENTICATION
    Device(config-wlan)#security web-auth authorization-list WIRELESS_LWA_AUTHORIZATION
    Device(config-wlan)#security web-auth parameter-map LWA_PARAMETER_MAP
    Device(config-wlan)#exit
  6. Configure wireless policy profile.

    Device(config)#wireless profile policy WLAN_LWA_LOCAL
    Device(config-wireless-policy)#vlan 100
    Device(config-wireless-policy)# no shutdown
    Device(config-wireless-policy)#exit
  7. Create a policy tag.

    Device(config)#wireless tag policy LWA_POLICY_TAG
    Device(config-policy-tag)#wlan WLAN_LWA_LOCAL policy WLAN_LWA_LOCAL
    Device(config-policy-tag)#exit
  8. Configure a site tag.

    Device(config)#wireless tag site SITE_LWA
    Device(config-site-tag)#exit
  9. Assign the policy tag to an Access Point.

    Device(config)#ap 28ac.9eb7.7220
    Device(config-ap-tag)#policy-tag LWA_POLICY_TAG
    Device(config-ap-tag)#site-tag SITE_LWA
    Device(config-ap-tag)#exit

Example for Configuring External Web Authentication in Flex Mode

  1. Configure authentication and authorization method lists.

    Device>enable
    Device#configure terminal
    Device(config)#aaa new-model
    Device(config)#aaa authentication login LOCAL_WEBAUTH local
    Device(config)#aaa authorization network LOCAL_WEBAUTH local
    
  2. Create guest user credentials.

    Device(config)#user-name guest
    Device(config-user-name)#password cisco123
    Device(config-user-name)#exit
  3. Configure guest VLAN.

    Device(config)#vlan 2331
    Device(config-vlan)#name GUEST
    Device(config-vlan)#exit
  4. Configure the global parameter map.

    Device(config)#parameter-map type webauth global
    Device(config-params-parameter-map)#virtual-ip ipv4 192.0.2.1
    Device(config-params-parameter-map)#virtual-ip ipv6 fd:1:1::1
    Device(config-params-parameter-map)#webauth-http-enable
    Device(config-params-parameter-map)#intercept-https-enable
    Device(config-params-parameter-map)#trustpoint WEBAUTH
    Device(config-params-parameter-map)#exit
  5. Configure the named parameter map.

    Device(config)#parameter-map type webauth EWA_PARAMETER_MAP_FLEX
    Device(config-params-parameter-map)#type consent
    Device(config-params-parameter-map)#redirect for-login https://cisco.wifi-mx.com/p2/polarisred
    Device(config-params-parameter-map)#redirect portal ipv4 107.20.217.46
    Device(config-params-parameter-map)#redirect portal ipv6 2200:20:22:105::1
    Device(config-params-parameter-map)#exit
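  6. Configure preauthentication ACL. The DHCP and DNS entries below match any address; where possible, limit the DNS entries to the resolvers that guests are meant to use, so that unauthenticated clients cannot reach arbitrary DNS servers.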

    Device(config)#ip access-list extended ACL_ENGAGE
    Device(config-ext-nacl)#permit ip any host 107.20.217.46
    Device(config-ext-nacl)#permit ip host 107.20.217.46 any
    Device(config-ext-nacl)#permit ip any host 54.235.122.137
    Device(config-ext-nacl)#permit ip host 54.235.122.137 any
    Device(config-ext-nacl)#permit udp any eq bootps any
    Device(config-ext-nacl)#permit udp any any eq bootpc
    Device(config-ext-nacl)#permit udp any eq bootpc any
    Device(config-ext-nacl)#permit udp any eq domain any
    Device(config-ext-nacl)#permit udp any any eq domain
    Device(config-ext-nacl)#exit
    
  7. Configure WLAN security parameters.

    Device(config)#wlan DNASPACES 1 DNASPACES
    Device(config-wlan)#ip access-group web ACL_ENGAGE
    Device(config-wlan)#no security wpa
    Device(config-wlan)#no security wpa akm dot1x
    Device(config-wlan)#no security wpa wpa2 ciphers aes
    Device(config-wlan)#security web-auth
    Device(config-wlan)#security web-auth parameter-map EWA_PARAMETER_MAP_FLEX
    Device(config-wlan)#security web-auth authentication-list LOCAL_WEBAUTH
    Device(config-wlan)#security web-auth authorization-list LOCAL_WEBAUTH
    Device(config-wlan)#no shutdown
    Device(config-wlan)#exit
  8. Define URL Filter list.

    Device(config)#urlfilter list EWA_PREAUTH_FLEX
    Device(config-urlfilter-params)#action permit
    Device(config-urlfilter-params)#url fonts.gstatic.com
    Device(config-urlfilter-params)#url fonts.googleapis.com
    Device(config-urlfilter-params)#url qa-dnaspaces.io
    Device(config-urlfilter-params)#exit
  9. Configure wireless policy profile.

    Device(config)#wireless profile policy EWA_PROFILE_FLEX
    Device(config-wireless-policy)#no central association
    Device(config-wireless-policy)#no central switching
    Device(config-wireless-policy)#vlan GUEST
    Device(config-wireless-policy)#no shutdown
    Device(config-wireless-policy)#exit
  10. Apply the URL filter list to the flex profile.

    Device(config)#wireless profile flex EWA_FLEX_PROFILE
    Device(config-wireless-flex-profile)#acl-policy ACL_ENGAGE
    Device(config-wireless-flex-profile-acl)# urlfilter list EWA_PREAUTH_FLEX
    Device(config-wireless-flex-profile-acl)# end
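  11. Create a policy tag. The WLAN profile name given to the `wlan` command must match the WLAN profile created in step 7; that step names it DNASPACES, whereas the command below uses EWA_FLEX.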

    Device(config)#wireless tag policy EWA_POLICY_FLEX
    Device(config-policy-tag)#wlan EWA_FLEX policy EWA_PROFILE_FLEX
    Device(config-policy-tag)#exit
  12. Configure a site tag.

    Device(config)#wireless tag site EWA_FLEX_SITE
    Device(config-site-tag)#flex-profile EWA_FLEX_PROFILE
    Device(config-site-tag)#no local-site
    Device(config-site-tag)#exit
  13. Assign the policy tag to an Access Point.

    Device(config)#ap 28ac.9eb7.7220
    Device(config-ap-tag)#policy-tag EWA_POLICY_FLEX
    Device(config-ap-tag)#site-tag EWA_FLEX_SITE
    Device(config-ap-tag)#exit