Configuring Cisco WLC Controllers

Purpose of this document

  • This document should be used in conjunction with the Cisco WLC user guide when configuring your Cisco WLC gateways in WiOS. Please refer to the WiOS administrator guide and the Cisco WLC user guide for detailed information.
  • It assumes that the user has basic knowledge of networking, including configuring the subnet mask, RADIUS settings, default gateway and DNS.
  • To configure the Cisco WLC you will need the public IP address, subnet mask, default gateway and DNS information given to you by your Internet Service Provider. Please keep this information handy while setting up your gateway.
  • To configure WiOS you will need the WAN public IP address, MAC address, RADIUS secret and serial number of your Cisco WLC gateway.
  • You need an active WiOS account. Please contact Wifi-soft sales to create your WiOS account.

WiOS Setup

Add New Network:

  1. Open a web browser, type https://wios.wifi-soft.com/index.php and press Enter. The welcome screen of WiOS Cloud appears.

  2. Click the Networks link under the Network Administration section.

  3. Click on the + sign in the top right corner tab. The New Network page appears.

wlc-1.png

Fields and Buttons, with descriptions:

  • Network Name: Enter the name of your network/hotspot.
  • Device Type: Select the device type (Cisco Controller) of your hotspot gateway or controller.
  • Venue: Select the type of venue.
  • Address: Displays the address of the network. Use the map to locate your address. If you know the address, type it in the search box on the map and click the search button. The map will display the marker for the address. If you are unable to find the exact address, drag the map so the marker points to the correct location.
  • Country: The country where the hotspot is located.
  • Latitude: The latitude of the network location.
  • Longitude: The longitude of the network location.
  • Submit: Click the Submit button to save the changes.

Once the network is added, go back to the List Network page and locate the network that you have recently added.

Then, click on the edit button for the given network.

At the bottom of the page, you will find the Enable hotspot option.

Check this option to enable hotspot for this network. The hotspot settings appear below the form.

step-2.png

Fields and Buttons, with descriptions:

  • Enable hotspot: Check this option if you want to enable hotspot service for this network.
  • Autologin: Enable autologin for this location. Autologin helps end users connect to the hotspot automatically without having to log in each time. The MAC address of the device is used to identify the device on the network, and the system automatically validates the MAC address of the device and authenticates it. Please note that you need to enable the MAC Authentication feature in the WLC settings.
  • Validity Period: The time period for autologin to remain active. After the given period, the autologin entry is deleted and the user will have to log in again.
  • Auto MAC Capture: Instructs the system to capture the user's MAC address automatically during first login. This option ensures that the user remains online even after being disconnected from the network for some time.
  • NAS ID: Auto-generated NAS ID for the gateway. This NAS ID should be added to the gateway so it can authenticate with the system. You need to copy the NAS ID and enter it in the gateway settings.
  • Secret: Shared secret between gateway and RADIUS server. You need to add the secret to the gateway. The secret is used to encrypt the communication between gateway and RADIUS server. You need to copy the shared secret and enter it in the RADIUS settings of the gateway.
  • IP Address: Enter the public IP address of the gateway if you know it. Otherwise use the default one.
  • Plan: Select the plan based on your requirements. The plan will restrict the number of concurrent devices allowed on the network.
  • Interim Interval: Enter the interim interval for the accounting packets in seconds. Sometimes this setting needs to be made on the gateway.

Once the hotspot is enabled, WiOS will be ready to start accepting AAA requests from the gateway/controller. When the hotspot is added, WiOS will automatically add a default captive portal for the hotspot. You may go and edit the captive portal and customize it as per your requirements.

Now you will need to design a captive portal for your hotspot and generate a URL that can be configured in the gateway/controller's settings.

Please refer to the captive portal design guide for steps to design your custom captive portal.

WLC Setup

We have assumed that you have properly connected your WLC gateway to a broadband connection that has a static public IP address. Additionally, your WLC gateway admin interface is accessible either via the LAN interface or via the public WAN interface as shown in the figure below.

wlc-dashboard.png

Next, verify that the virtual interface has been created.

In the Cisco WLC web UI top menu, click the Controller tab, then click Interfaces in the left navigation pane. On the Interfaces page, ensure an interface named virtual exists and is configured with a non-routable IP address.

wlc-configuration-interfaces.png

On the same interfaces page, ensure a separate VLAN is configured with required IP address configurations as per the local network.

vlan-settings.png

The next step is to create the preauthentication access control list.

In the Cisco WLC web UI top menu, click the Security tab. In the left navigation pane, click Access Control Lists and then Access Control Lists. In the Access Control Lists window that is displayed, click New in the top right corner. In the Access Control Lists New window, enter a name in the Access Control List Name field, select the ACL type IPv4 and click Apply.

In the Access Control Lists window that is displayed, click the name of the newly created access control list. In the Access Control Lists Edit window that is displayed, click Add New Rule in the top right corner.

Define the access control list rules that will allow clients to access an external web server.

preauthentication-acls.png

The first rule will be a permit rule in the outbound direction for TCP packets with the source IP address of the external web server. Click Apply.

The second rule will be a permit rule in the inbound direction for TCP packets with the destination IP address of the external web server. Click Apply.

The third rule will be a permit rule in the outbound direction for TCP packets with the source IP address of the external RADIUS server. Click Apply.

The fourth rule will be a permit rule in the inbound direction for TCP packets with the source IP address of the external RADIUS server. Click Apply.

Likewise, add the IP addresses of all the servers that need to be accessible by client devices in preauthentication mode.

This completes the configuration of Preauthentication access control lists.

The next step is to configure the Cisco WLC for external web authentication.

In the Cisco WLC web UI top menu, click the Security tab. In the left navigation pane, click Web Auth and then Web Login Page. On the Web Login Page that is displayed, choose External from the Web Authentication Type drop-down list.

9.png

In the Redirect URL after login field, enter the URL of the page to which the end user should be redirected after successful authentication. In the External WebAuth URL field, enter the portal page URL configured on the WiOS server. Click Apply and then click OK in the message dialog box.

The next step is to configure the WLC to use the external RADIUS server for authentication.

In the Cisco WLC web UI top menu, click the Security tab. In the left navigation pane, click Radius and then Authentication to display a list of configured RADIUS servers.

In the Radius Authentication Servers window that is displayed, click New at the top right corner. In the Radius Authentication Servers New window, enter the RADIUS server IP address. Please contact Wifi-soft for the correct IP address of your RADIUS server. (WiOS - 3.20.135.30).

Enter the desired shared secret, and then enter it again to confirm. Please remember this secret since you will need it while configuring your gateway in WiOS.

Retain the port number at the default value (1812).

Choose Enabled from the Server Status drop-down list.
Select Enable for Network User.

Retain the default values for all the other parameters and click Apply.

WLC-radius-server.png

In the same way, you will need to add the accounting server as well.
Enter the same RADIUS server IP address and shared secret, enter 1813 as the port number, and click Apply.

The next step is to configure the WLAN with the RADIUS server.

In the Cisco WLC web UI top menu, click the WLANs tab to display the list of configured WLANs. In the WLANs window, select Create New and click Go.

Enter the name for the WLAN profile and click Apply.

In the WLANs window, click the WLAN ID of the WLAN configured above. In the WLANs Edit window that is displayed, click the General tab, configure the SSID in the SSID text field and check the Enabled check box for Status.

Also ensure Broadcast SSID is Enabled.

Configure the appropriate NAS-ID. Please contact Wifi-soft support to get the NAS ID. Click Apply.

WLAN-general.png

Then click on Security tab and then Layer 2. Ensure Layer 2 Security is set to none from the drop down list.

WLAN-Layer-2.png

Next click on Layer 3. Select Web Policy from the Layer 3 Security drop-down list.

WLAN-Layer-3.png

Choose none from Captive Network Assistant Bypass and then select Authentication.

Select the preauthentication access control list created earlier from the Preauthentication ACL drop-down list, and leave everything else at the default.

Next click the Security tab and then AAA Servers tab. In the Radius Servers area, choose the configured radius server from the Authentication Servers drop down list. Choose the configured radius server from the Accounting Servers drop down list.

Wlan-AAA.png

Enable Interim Update under Radius Server Accounting and set 600 as the Interim Interval in seconds.

Under Authentication priority order for web-auth user, put RADIUS at the top in Order Used For Authentication and click Apply.

WLAN-AAA2.png

This concludes the WLC configuration with external radius server.
