Technical notes

  • This feature has been tested and validated on a Cisco WLC 3504 with software version and

  • DNS and DHCP service shall be provided by the customer.

  • VLANs used for Guest and shall be routed on the customer network.

1. Configure the Cloudi-Fi Radius server

On Cisco WLC GUI, go to Security > AAA > Radius > Authentication

Auth Called Station ID Type : AP MAC Address :SSID

Then click on « New » to add Cloudi-Fi Radius server:

  • Server Address :

  • Shared secret will be provided to IT contact.

  • Port number : 1812

  • Uncheck « Management » to avoid issue to login on the Cisco WLC GUI.

Click on Apply

Nota : Make sure to allow this flow on your firewalls

2. Create Access-lists (ACLs)

2.1 Creation of 2 ACLs

  • A Pre-Auth ACL to allow the user to access to Cloudi-Fi portal (and eventually Social networks connectors if enabled in your captive portal)

  • An Auth ACL for authenticated users

2.1 Auth ACL

We recommend to create a « Permit Any » in this ACL to leverage Cloudi-Fi security partner (if subscribed)

2.2 Pre-auth ACL

This ACL will allow the user to access to the Cloudi-Fi portal, the Zscaler Cloud and the DNS servers.

With Cisco WLC (firmware above 8.2.100) when NOT using FlexConnect, it is possible to use DNS-based ACLs. First, create your ACL and then click on Add-Remove URL to set your domains.

URLs will be provided by Cloudi-Fi support.

If you cannot use URL ACL, you have to create standard ACL and allow IP ranges.

Below are the minimum ACL for Cloudi-Fi. I you have Social Network connectors on your captive portal, Cloudi-Fi Support will provide you more IP ranges to allow.

*Nota : in ACL 1 and 2, replace DNS_SERVER_IP by your DNS server IP.

3. Create Interfaces for Guest Users

We will create an interface with dedicated VLAN for Guest users.

In Cisco WLC GUI, go to Controller > Interfaces > New

Guest interface

Fill the name, port numbers, network information (VLAN, IP, Mask, Gateway) and your primary DHCP.

4. WLAN creation

We will now create the Guest/Employee WLAN.
In Cisco WLC Controller, go to WLANs > WLANs > Create new

4.1 General

In the General tab, fill the profile and SSID name, select your Guest interface and check Broadcast SSID.

Fill your Cloudi-Fi company Key as NAS-ID. Cloudi-Fi company key is available in the Cloudi-Fi admin interface > Settings > Company Key

Click Apply.

4.2 Security L3

In the Security tab > Layer3

  • - Set the Layer 3 Security to Web Policy

  • - Set the Captive Network Assistant Bypass to Disable

  • - Check « Authentication »

  • - For the Preauthentication ACL , apply your IPv4

ACL ONLY if you are in « Local mode », or your Flex-

  • - Check Sleeping client Enable and configure the timer to be equal to the Cloudi-Fi portal

  • - Check Override Global Config Enable

  • - Set Web Auth Type to External (Re-direct to external server)

  • - Fill the Redirect URL with the URL with your dedicated Cloudi-Fi URL.

  • - Click Apply

4.3 Security AAA Servers

In the Security tab > AAA Servers

  • Check « RADIUS Server Overwrite interface »

  • Enable « Authentication Servers » and select Cloudi-Fi Radius server

  • Keep only « RADIUS » in the Authentication priority order for web-auth user

4.4 Advanced

In Advanced tab :

  • Check « Allow AAA Override »

5. Disable HTTPS Redirect

During the authentication workflow, the user is redirected on the Cisco WLC virtual interface to authenticated by the controller.

To avoid certificate error, we recommend to disable HTTPS Redirect.

6. Export Access Points Base MAC-Addresses

If you have a central WLC which lanage severals sites, and want to create only 1 SSID for all your locations, Cloudi-Fi needsthe Base Mac-addresss of each locations in order to determine from where the Guest user is connected.

To export Base MAC-Addresses, open a CLI on the WLC Controler and run this command :

show ap join stats summary all

Then provide this export to Cloudi-Fi Support (

Did this answer your question?