Cisco Systems controllers configuration

Cisco 5500 Series

Tested versions:

Model   Type         Firmware version            Description
5508    controller   AireOS version 7.6.120.0
2504    controller   AireOS version 7.6.120.0
5520    controller   AireOS version 8.2.100.0    bandwidth per client

The 5500 Series setup is similar to the 2500 Series, so this manual does not contain a detailed step-by-step guide for a complete setup. Only the settings needed for SOCIFI are described below.

The solution uses walled-garden-style ACL/IP rules based on fixed host addresses and large open subnets for the external services. It only partly replaces a walled garden based on domain names: because the external services are reached through dynamically assigned IP addresses rather than static ones, some content may become unreachable over time and some functions may be restricted. The list of ACL addresses and subnets therefore has to be reviewed regularly, and every change to it recorded.

Setting

ACL - preACL

For proper operation you need to define a pre-authentication ACL (preACL) of allowed IP addresses. These addresses have to be reachable by the client without any authentication. Cisco does not support a DNS-based walled garden so far. The table below lists the IP addresses and subnets needed for each service.

SOCIFI
54.246.88.74 / 255.255.255.255
52.51.203.246 / 255.255.255.255
54.204.47.201 / 255.255.255.255
52.44.151.156 / 255.255.255.255
54.232.124.137 / 255.255.255.255
54.232.88.133 / 255.255.255.255
54.251.110.178 / 255.255.255.255

SOCIFI's CDN
13.32.0.0 / 255.254.0.0
13.35.0.0 / 255.255.0.0
13.54.63.128 / 255.255.255.192
13.59.250.0 / 255.255.255.192
13.224.0.0 / 255.252.0.0
34.195.252.0 / 255.255.255.0
35.162.63.192 / 255.255.255.192
52.15.127.128 / 255.255.255.192
52.46.0.0 / 255.255.192.0
52.52.191.128 / 255.255.255.192
52.57.254.0 / 255.255.255.0
52.66.194.128 / 255.255.255.192
52.78.247.128 / 255.255.255.192
52.84.0.0 / 255.254.0.0
52.199.127.192 / 255.255.255.192
52.212.248.0 / 255.255.255.192
52.220.191.0 / 255.255.255.192
52.222.128.0 / 255.255.128.0
54.182.0.0 / 255.255.0.0
54.192.0.0 / 255.255.0.0
54.230.0.0 / 255.255.0.0
54.233.255.128 / 255.255.255.192
54.239.128.0 / 255.255.192.0
54.239.192.0 / 255.255.224.0
54.240.128.0 / 255.255.192.0
70.132.0.0 / 255.255.192.0
71.152.0.0 / 255.255.128.0
99.84.0.0 / 255.255.0.0
143.204.0.0 / 255.255.0.0
204.246.164.0 / 255.255.252.0
204.246.168.0 / 255.255.252.0
204.246.174.0 / 255.255.254.0
204.246.176.0 / 255.255.240.0
205.251.192.0 / 255.255.224.0
205.251.249.0 / 255.255.255.0
205.251.250.0 / 255.255.254.0
205.251.252.0 / 255.255.254.0
205.251.254.0 / 255.255.255.0
216.137.32.0 / 255.255.224.0

Google
216.239.32.0 / 255.255.224.0
64.233.160.0 / 255.255.224.0
66.249.64.0 / 255.255.224.0
72.14.192.0 / 255.255.192.0
209.85.128.0 / 255.255.128.0
66.102.0.0 / 255.255.240.0
74.125.0.0 / 255.255.0.0
64.18.0.0 / 255.255.240.0
207.126.144.0 / 255.255.240.0
173.194.0.0 / 255.255.0.0
216.58.192.0 / 255.255.224.0
108.177.8.0 / 255.255.248.0
172.217.0.0 / 255.255.224.0
108.177.96.0 / 255.255.224.0

Facebook/Instagram
31.13.24.0 / 255.255.248.0
31.13.64.0 / 255.255.192.0
45.64.40.0 / 255.255.252.0
66.220.144.0 / 255.255.240.0
69.63.176.0 / 255.255.240.0
69.171.224.0 / 255.255.224.0
74.119.76.0 / 255.255.252.0
103.4.96.0 / 255.255.252.0
129.134.0.0 / 255.255.0.0
157.240.0.0 / 255.255.0.0
173.252.64.0 / 255.255.192.0
179.60.192.0 / 255.255.252.0
185.60.216.0 / 255.255.252.0
204.15.20.0 / 255.255.252.0

Twitter
69.12.56.0 / 255.255.248.0
103.252.112.0 / 255.255.252.0
104.244.40.0 / 255.255.248.0
185.45.4.0 / 255.255.248.0
188.64.224.0 / 255.255.248.0
192.44.68.0 / 255.255.254.0
192.48.236.0 / 255.255.254.0
192.133.76.0 / 255.255.252.0
199.16.156.0 / 255.255.252.0
199.59.148.0 / 255.255.252.0
199.69.58.0 / 255.255.254.0
199.96.56.0 / 255.255.248.0
202.160.128.0 / 255.255.252.0
192.229.128.0 / 255.255.128.0
93.184.208.0 / 255.255.240.0

LinkedIn
91.225.248.0 / 255.255.254.0
103.20.94.0 / 255.255.254.0
108.174.0.0 / 255.255.252.0
108.174.4.0 / 255.255.255.0
108.174.8.0 / 255.255.252.0
108.174.12.0 / 255.255.254.0
144.2.0.0 / 255.255.252.0
144.2.192.0 / 255.255.255.0
216.52.16.0 / 255.255.254.0
216.52.18.0 / 255.255.255.0
216.52.20.0 / 255.255.254.0
216.52.22.0 / 255.255.255.0
65.156.227.0 / 255.255.255.0
8.39.53.0 / 255.255.255.0
185.63.144.0 / 255.255.255.0
185.63.147.0 / 255.255.255.0
199.101.161.0 / 255.255.255.0
64.152.25.0 / 255.255.255.0
8.22.161.0 / 255.255.255.0

Each host or subnet has to be defined twice, once per direction (in and out). In WLC ACL terms, "in" is traffic from the wireless client towards the allowed host (the host is the destination address) and "out" is the return traffic (the host is the source address). The ACL is named preACL_permit.

First create the ACL, then add the rules to it:

config acl create preACL_permit 

Example of the rule pair for the host "52.51.203.246 / 255.255.255.255":

config acl rule add preACL_permit 1 
config acl rule source port range preACL_permit 1 0 65535 
config acl rule direction preACL_permit 1 in 
config acl rule action preACL_permit 1 permit 
config acl rule destination port range preACL_permit 1 0 65535 
config acl rule destination address preACL_permit 1 52.51.203.246 255.255.255.255 

config acl rule add preACL_permit 2 
config acl rule source port range preACL_permit 2 0 65535 
config acl rule source address preACL_permit 2 52.51.203.246 255.255.255.255 
config acl rule direction preACL_permit 2 out 
config acl rule action preACL_permit 2 permit 
config acl rule destination port range preACL_permit 2 0 65535 

When all rules have been added, apply the ACL:

config acl apply preACL_permit 
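Typing two rules per entry by hand for a list this long is error-prone, and the list has to be re-checked whenever a service's addresses move. The following generator is an added example for this page, not SOCIFI or Cisco code: it parses "address / netmask" entries (rejecting non-contiguous masks and addresses with host bits set), collapses duplicates and overlaps, emits the create / rule-pair / apply sequence in the page's own command syntax, and offers a covers() check for the periodic review. The service list is a constructed subset of the table above, and the 64-rules-per-ACL limit is an assumed platform limit; confirm it in the configuration guide for your release.

```python
"""Generate a Cisco AireOS pre-authentication ACL (preACL_permit) from a
walled-garden list, one in/out rule pair per host or subnet.

Added example; not SOCIFI or Cisco code. The service list is a constructed
subset of the page's table and MAX_RULES_PER_ACL is an assumed limit.
"""
import ipaddress
from typing import Dict, List

# Constructed subset of the table above: "address / netmask" per service.
WALLED_GARDEN: Dict[str, List[str]] = {
    "SOCIFI": [
        "54.246.88.74 / 255.255.255.255",
        "52.51.203.246 / 255.255.255.255",
    ],
    "SOCIFI's CDN": [
        "13.32.0.0 / 255.254.0.0",
        "205.251.192.0 / 255.255.224.0",
    ],
}

MAX_RULES_PER_ACL = 64  # assumed AireOS limit; two rules per entry => 32 entries


def parse_entry(entry: str) -> ipaddress.IPv4Network:
    """Parse 'address / netmask'.

    strict=True rejects entries whose address has host bits set under the mask
    (a typo), and ipaddress rejects non-contiguous masks, so a bad line fails
    here instead of silently becoming a wrong rule.
    """
    addr, mask = (part.strip() for part in entry.split("/"))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=True)


def rule_pair(acl: str, index: int, net: ipaddress.IPv4Network) -> List[str]:
    """The two rules the page requires per entry, in the page's command order."""
    addr, mask = str(net.network_address), str(net.netmask)
    inbound = [  # "in": client -> host, so the host is the destination
        f"config acl rule add {acl} {index}",
        f"config acl rule source port range {acl} {index} 0 65535",
        f"config acl rule direction {acl} {index} in",
        f"config acl rule action {acl} {index} permit",
        f"config acl rule destination port range {acl} {index} 0 65535",
        f"config acl rule destination address {acl} {index} {addr} {mask}",
    ]
    outbound = [  # "out": host -> client, so the host is the source
        f"config acl rule add {acl} {index + 1}",
        f"config acl rule source port range {acl} {index + 1} 0 65535",
        f"config acl rule source address {acl} {index + 1} {addr} {mask}",
        f"config acl rule direction {acl} {index + 1} out",
        f"config acl rule action {acl} {index + 1} permit",
        f"config acl rule destination port range {acl} {index + 1} 0 65535",
    ]
    return inbound + outbound


def networks(services: Dict[str, List[str]]) -> List[ipaddress.IPv4Network]:
    """All entries parsed, with duplicates and overlaps collapsed to save rule slots."""
    nets = [parse_entry(e) for entries in services.values() for e in entries]
    return list(ipaddress.collapse_addresses(nets))


def generate_acl(acl: str, services: Dict[str, List[str]]) -> List[str]:
    """Full CLI script: create the ACL, add every rule pair, then apply it."""
    nets = networks(services)
    if 2 * len(nets) > MAX_RULES_PER_ACL:
        raise ValueError(f"{len(nets)} entries need {2 * len(nets)} rules, "
                         f"more than the assumed {MAX_RULES_PER_ACL} per ACL")
    lines = [f"config acl create {acl}"]
    index = 1
    for net in nets:
        lines += rule_pair(acl, index, net)
        index += 2
    lines.append(f"config acl apply {acl}")
    return lines


def covers(services: Dict[str, List[str]], ip: str) -> bool:
    """Is an address (e.g. what a service name resolves to today) still inside
    the walled garden? This is the check behind the periodic review."""
    address = ipaddress.ip_address(ip)
    return any(address in net for net in networks(services))


if __name__ == "__main__":
    print("\n".join(generate_acl("preACL_permit", WALLED_GARDEN)))
```

Run it and paste the output into the controller CLI; if a resolved service address makes covers() return False, the entry has to be added and the change recorded as the page requires.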


Webpage authentication


To redirect to the external web portal, use the following commands:

config custom-web ext-webauth-url http://connect-ip.socifi.com 
config custom-web webauth-type external 

Note: The ext-webauth-url has been changed from http://connect.socifi.com to http://connect-ip.socifi.com 

... and switch off the logout pop-up window (this cannot be done via the web interface):

config custom-web logout-popup disable 

RADIUS


You must set the authentication (Auth) and accounting (Acc) parts in the basic RADIUS settings. For the European RADIUS servers use the following IP addresses:

Priority    IP               DNS name
primary     52.209.184.212   rad-1-euw-1.socifi.com
secondary   52.50.155.202    rad-2-euw-1.socifi.com


We recommend using the set of RADIUS servers for your location:

For North America
RADIUS Server 1: rad-1-use-1.socifi.com or IP address 52.7.148.174, RADIUS shared secret: socifi
RADIUS Server 2: rad-2-use-1.socifi.com or IP address 52.55.217.23, RADIUS shared secret: socifi

For Europe and Africa
RADIUS Server 1: rad-1-euw-1.socifi.com or IP address 52.209.184.212, RADIUS shared secret: socifi
RADIUS Server 2: rad-2-euw-1.socifi.com or IP address 52.50.155.202, RADIUS shared secret: socifi

For Asia-Pacific
RADIUS Server 1: rad-1-euw-1.socifi.com or IP address 52.209.184.212, RADIUS shared secret: socifi
RADIUS Server 2: rad-2-euw-1.socifi.com or IP address 52.50.155.202, RADIUS shared secret: socifi

For the RADIUS communication to work, the controller must be able to reach the IP addresses above on UDP port 1812 (authentication) and UDP port 1813 (accounting). Note that the shared secret is published here, so it gives the RADIUS exchange no confidentiality against anyone who reads this page; do not reuse it for any other RADIUS client.



Authentication (Auth) server settings:

config radius auth add 1 52.209.184.212 1812 ascii socifi
config radius auth retransmit-timeout 1 2 
config radius auth network 1 enable 
config radius auth management 1 enable 
config radius auth mac-delimiter colon 
config radius auth enable 1 

config radius auth add 2 52.50.155.202 1812 ascii socifi
config radius auth retransmit-timeout 2 2 
config radius auth network 2 enable 
config radius auth management 2 enable 
config radius auth mac-delimiter colon 
config radius auth enable 2 

Note: "config radius auth management <index> enable" also allows that server to authenticate management (administrator) logins to the controller, not only wireless clients. If the SOCIFI servers should only serve client web authentication, use "config radius auth management <index> disable" and keep management authentication on your own AAA server or on local accounts.


... and accounting (Acc) server settings:

config radius acct add 1 52.209.184.212 1813 ascii socifi
config radius acct retransmit-timeout 1 2 
config radius acct network 1 enable 
config radius acct mac-delimiter colon 
config radius acct enable 1 

config radius acct add 2 52.50.155.202 1813 ascii socifi
config radius acct retransmit-timeout 2 2 
config radius acct network 2 enable 
config radius acct mac-delimiter colon 
config radius acct enable 2 
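The settings above (shared secret, colon MAC delimiter, NAS-ID of the form Cisco_<MAC>) all end up inside the RADIUS packets the controller sends. The following is an added example for this page, not SOCIFI or Cisco code, and it does not talk to the real servers: it builds an RFC 2865 Access-Request with those attribute formats and shows what the shared secret is actually used for, hiding the PAP User-Password and authenticating the server's reply. The username, password and MAC addresses are constructed sample values.

```python
"""RADIUS Access-Request construction and reply verification (RFC 2865)
using the attribute formats configured on this page.

Added example; not SOCIFI or Cisco code. All sample values are constructed.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID, NAS_IDENTIFIER, NAS_PORT_TYPE = 1, 2, 31, 32, 61
NAS_PORT_TYPE_WIRELESS_80211 = 19

SHARED_SECRET = b"socifi"  # the secret published on this page


def nas_identifier(burned_in_mac: str) -> str:
    """NAS-ID as the page specifies: 'Cisco' + '_' + controller MAC."""
    return "Cisco_" + burned_in_mac.upper()


def calling_station_id(client_mac: str, delimiter: str = ":") -> str:
    """Client MAC with the delimiter chosen by 'config radius auth mac-delimiter'."""
    hexdigits = "".join(c for c in client_mac if c.isalnum()).lower()
    return delimiter.join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def _attr(atype: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; anyone holding the secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: str, password: str, client_mac: str,
                         controller_mac: str, secret: bytes,
                         authenticator: Optional[bytes] = None) -> bytes:
    """What the controller sends to the server on a web-auth login."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(CALLING_STATION_ID, calling_station_id(client_mac).encode())
             + _attr(NAS_IDENTIFIER, nas_identifier(controller_mac).encode())
             + _attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(packet: bytes) -> Dict[int, bytes]:
    """Attribute type -> value for a RADIUS packet (20-byte header first)."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_response(code: int, ident: int, request_authenticator: bytes,
                   attrs: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Controller side: the check that must pass before an Access-Accept is trusted."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Both the password hiding and the reply check rest entirely on the shared secret; with the secret known, reveal_password() recovers the password from a captured request and build_response() forges an acceptable Access-Accept, which is why the note above about not reusing the published secret matters.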

Wireless - WLAN


The Wi-Fi settings are the usual ones; the only exception is that all WEP and WPA authentication must be turned off. The WLAN is set as "Open", without any key or authentication.

Authentication is added via the external web portal, RADIUS and the preACL as follows (example for WLAN ID 1):


config wlan security web-passthrough acl 1 preACL_permit 

config wlan security web-auth acl 1 preACL_permit

config wlan security web-auth server-precedence 1 local radius ldap
config wlan security web-auth enable 1 

config wlan radius_server auth add 1 1 
config wlan radius_server overwrite-interface enable 1 
config wlan radius_server acct add 1 1 
config wlan radius_server acct interim-update enable 1 
config wlan radius_server acct interim-update 600 1  

"Allow AAA Override" has to be enabled in the "Advanced" tab. This enables bandwidth limit management (the per-client limits delivered as RADIUS attributes).

For identification of the WLC in the log system, the NAS-ID must be set on the General page. Its value consists of "Cisco" and the controller's MAC address, separated by an underscore. The MAC address can be found on the "CONTROLLER / Inventory" page as "Burned-in MAC Address". Example: "Cisco_64:D8:14:DB:09:C0".


Interface - virtual address

Check the virtual interface IP address. It can be any address that is not otherwise used on your network (Cisco recommends a non-routable one); the controller uses it for the web-auth redirect.

Example:

config interface address virtual 10.0.3.1 

Network management - web-auth secure


Finally, disable HTTPS on the virtual interface's web login page:

config network web-auth secureweb disable 

Note that with this setting the redirect and the login exchange between the client and the virtual address run over plain HTTP rather than HTTPS.

You need to reboot the device to make sure all changes take effect. Without the reboot, the WLC will not work properly.

 

Add a new hotspot to SOCIFI Dashboard

You will need to add the MAC addresses of the controller and of all APs.

To add this equipment, please select Cisco Wireless Control System as the hardware type when adding a new hotspot.

For devices with AireOS version 8.5 and higher, please select Cisco Wireless Control System 8.5.


Step 1: Login to SOCIFI Dashboard

Step 2: Click on the "Hotspots" tab on the left sidebar

Step 3: Click on the “Add a new hotspot” button located on the top right corner on the screen (pictured below)

Note: A pop-up window will appear (below)

Step 4: Select the Wi-Fi hardware manufacturer from the drop down menu

Step 5: Enter the serial number or MAC address (depending on the specific equipment manual) of your equipment. You can add multiple hotspots at once.

Step 6: Set your Network location (this step is essential for correct ad targeting)

Step 7: In the pop-up window type your location or just move the marker on the map and click on the save button to confirm the selection. This address is used for ad GEO targeting.

Step 8: Click Save

Note: Newly added hotspots are marked as "Hotspot pending". After the first user connects to the hotspot via SOCIFI, the status changes automatically to "Active" within an hour. Get your first connections to test whether it works properly.

