
Cisco WLC

(For Version 8.0.120.0)

CoA
Setup Guide
Disclaimer

THIS DOCUMENTATION AND ALL INFORMATION CONTAINED HEREIN (“MATERIAL”) IS PROVIDED FOR GENERAL
INFORMATION PURPOSES ONLY. GLOBAL REACH AND ITS LICENSORS MAKE NO WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, WITH REGARD TO THE MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR THAT THE MATERIAL IS
ERROR-FREE, ACCURATE OR RELIABLE. GLOBAL REACH RESERVES THE RIGHT TO MAKE CHANGES OR UPDATES TO
THE MATERIAL AT ANY TIME.

Limitation of Liability

IN NO EVENT SHALL GLOBAL REACH BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL OR
CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR USE, INCURRED BY YOU OR
ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, ARISING FROM YOUR ACCESS TO, OR USE OF,
THE MATERIAL.

VERSION 1.0 PUBLISHED DECEMBER 2015


Global Reach Technology Ltd Commercial in Confidence


IMPORTANT - BEFORE YOU START
Before attempting to integrate your hardware controller into Odyssys, please ensure that ALL of the following
requirements are in place:

• You have a controller installed in an environment where compatible Access Points are configured to
work with the controller, i.e. DNS and DHCP options configured correctly

Your client environment is configured to allow network clients to:

• Associate to an Access Point

• Obtain an IP address

• Access to the internet

The following components are required to be configured and working in your environment before attempting
integration with Odyssys;

• DHCP Server

• DNS Server

• Firewall NAT

PLEASE NOTE -

This is a technical document and as such, integration of your hardware with Odyssys should only be handled by
trained individuals.

TECH NOTE
Odyssys does not use the standard RADIUS ports, so please make sure your firewall allows the ports defined in
your manager.odyssys.net Captive Portal settings.



GETTING STARTED WITH ODYSSYS

Before you attempt to configure your Cisco Wireless LAN Controller (WLC) for use with CoA authentication and
Odyssys, you will first need to create your own captive portal.

1. First, navigate to https://manager.odyssys.net and log in using your assigned Customer ID, username and
password.
2. Select Captive Portals > Captive Portals from the left-hand menu and click Create Captive Portal.

You should complete the form as follows:

Name: An arbitrary name for your captive portal.
RADIUS Shared Secret: Either keep the automatically generated shared secret or create your own.
Hardware Vendor: Set this to Cisco WLC.
Pre Auth ACL: This must match the Access Control List (ACL) you create in your Cisco WLAN controller (step
10).

Click Create to confirm.



3. Select the Captive Portal you have just created to view its details under the General Info tab.



CONFIGURING ODYSSYS WITHIN THE Cisco WLC
AAA RADIUS Configuration

1. Log into the Cisco WLC.


2. Click on the Security tab from the top menu and select AAA then RADIUS and then Authentication from the
menu located on the left-hand side of the page, and then select New from the upper right corner of the RADIUS
Authentication Servers page.

TECH NOTE: Ensure that your Auth Called Station ID Type is set to AP MAC Address: SSID and your MAC
delimiter is set to Hyphen.

3. Click the New… button, and enter the Authentication RADIUS settings obtained from Odyssys (under the
General Info tab of the Captive Portal you created earlier). The mandatory fields are as follows:

Server IP Address: IP address of Odyssys Primary RADIUS Server
Shared Secret: Shared Secret Password
Confirmed Shared Secret: Shared Secret Password
Port Number: RADIUS Authentication port
Support for RFC 3576: Select Enabled from the dropdown.

Click the Apply button once complete.

4. Repeat steps 2 and 3 again for the Secondary RADIUS Server IP addresses, remembering to click "Apply" when
complete to save the settings.



5. Still within the SECURITY tab and menu, select "Accounting" in the RADIUS sub-menu and then click "New"
located in the upper right corner of the RADIUS Accounting Servers window.

TECH NOTE: Ensure that your Acct Called Station ID Type is set to AP MAC Address: SSID and your MAC
delimiter is set to Hyphen.

6. Enter the RADIUS Accounting settings listed below from the Captive Portal section of Odyssys:

Server IP Address: IP address of Odyssys Primary RADIUS Server
Shared Secret: Shared Secret Password
Confirmed Shared Secret: Shared Secret Password
Port Number: RADIUS Accounting port (this is different to the Authentication Port Number)

Click the Apply button once complete.

7. Repeat steps 5 and 6 for the Secondary RADIUS Server IP address remembering to click "Apply" when complete
to save.



Access Control List Configuration

8. Still within the SECURITY tab and menu, select "Access Control Lists" and then "Access Control Lists" from the
sub-menu.

9. Click on "New..." in the upper right corner of the Access Control Lists window.

10. Enter the name of the Pre Authentication Access Control List and click Apply to save the settings. Remember
this must exactly match the Pre Auth ACL value set in Odyssys in step 2 of this guide.

11. Click the ACL you have just created and click the Add New Rule button.



12. Complete the highlighted fields with the information provided below, creating a new rule for each sequence
number.

The fields that need to be modified are "Sequence", "Source", "Destination" and "Action". The "Protocol",
"DSCP" and "Direction" fields should be left as default.

Sequence: 1
Source: IP 54.246.95.205 Mask 255.255.255.255
Destination: Any
Action: Permit

Sequence: 2
Source: Any
Destination: IP 54.246.95.205 Mask 255.255.255.255
Action: Permit

Sequence: 3
Source: IP 54.243.42.241 Mask 255.255.255.255
Destination: Any
Action: Permit

Sequence: 4
Source: Any
Destination: IP 54.243.42.241 Mask 255.255.255.255
Action: Permit

Sequence: 5
Source: Any
Destination: IP 54.247.108.6 Mask 255.255.255.255
Action: Permit

Sequence: 6
Source: IP 54.247.108.6 Mask 255.255.255.255
Destination: Any
Action: Permit

Below is how the Access Control List will look after all of the above settings have been entered.
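
Step 12 permits each portal host in both directions with a host mask, so an audit of the rule table can catch a missing direction, a mask wider than one host, or a permit any-to-any rule that would let unauthenticated clients through. The following is an added example, not part of the original guide; the tuple layout and the function name `audit_preauth_acl` are assumptions made for illustration, and the rule values are copied from step 12.

```python
import ipaddress
from collections import defaultdict

# Step 12 rules as (sequence, source, destination, action).
# A field is either "any" or "ip/mask" (layout assumed for this example).
GUIDE_RULES = [
    (1, "54.246.95.205/255.255.255.255", "any", "permit"),
    (2, "any", "54.246.95.205/255.255.255.255", "permit"),
    (3, "54.243.42.241/255.255.255.255", "any", "permit"),
    (4, "any", "54.243.42.241/255.255.255.255", "permit"),
    (5, "any", "54.247.108.6/255.255.255.255", "permit"),
    (6, "54.247.108.6/255.255.255.255", "any", "permit"),
]

def _net(field):
    """Return None for 'any', otherwise the network described by 'ip/mask'."""
    field = field.strip()
    if field.lower() == "any":
        return None
    return ipaddress.ip_network(field, strict=False)

def audit_preauth_acl(rules):
    """Return a list of findings; an empty list means the table looks sound."""
    findings, seen_seq = [], set()
    directions = defaultdict(set)  # host -> {"from", "to"} seen in permit rules
    for seq, src, dst, action in rules:
        if seq in seen_seq:
            findings.append(f"seq {seq}: duplicate sequence number")
        seen_seq.add(seq)
        if action.lower() != "permit":
            continue
        s, d = _net(src), _net(dst)
        if s is None and d is None:
            findings.append(f"seq {seq}: permit any->any allows all pre-auth traffic")
            continue
        for net, direction in ((s, "from"), (d, "to")):
            if net is None:
                continue
            if net.prefixlen != net.max_prefixlen:
                findings.append(f"seq {seq}: {net} is wider than a single host")
            directions[net].add(direction)
    # Every permitted host needs one rule in each direction, as in step 12.
    for net, dirs in sorted(directions.items(), key=lambda kv: str(kv[0])):
        for missing in sorted({"from", "to"} - dirs):
            findings.append(f"{net}: no permit rule for traffic {missing} this host")
    return findings

if __name__ == "__main__":
    for line in audit_preauth_acl(GUIDE_RULES) or ["no findings"]:
        print(line)
```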



WLAN Configuration

13. Select the WLANs tab from the top menu, select Create New from the drop down list in the upper right of the
page, and click Go.

14. Enter a Profile Name and the SSID that will be broadcast (these can be the same). The Profile Name is used for
administrative purposes and the SSID will be the Wi-Fi name users connect to. Click Apply when complete to
save the settings.

15. Select the Security tab under the settings for your WLAN and apply the following settings.
Layer 2
Layer 2 Security: None
MAC Filtering: Tick the checkbox

Layer 3
Layer 3 Security: None

AAA Servers
RADIUS Servers: Tick the Enabled checkbox for both Authentication and Accounting Servers. Then from the
Server 1 and Server 2 dropdown boxes select the Primary & Secondary Authentication and Accounting servers
configured in steps 3 – 7 of this guide.
RADIUS Server Accounting: Tick the Interim Update checkbox and set an Interim Interval of 180.
Authentication Priority order for web-auth user: Move both Local and LDAP into the Not Used box,
leaving only RADIUS as the used authentication type.



16. Select the Advanced tab under the settings for your WLAN and apply the following settings.
NAC
NAC State: Select Radius NAC from the dropdown.

17. Click Apply to save your settings. Then return to the General tab to enable your SSID now that configuration is
complete.



ACCESS CONTROL LIST ADDRESSES
Odyssys
54.246.95.205
54.243.42.241

Twitter
api.twitter.com
*.twimg.com

Google
74.125.29.84
74.125.226.243
74.125.228.10
74.125.228.74
74.125.228.111
130.111.19.240
173.194.74.95

Facebook
*.facebook.com
*.akamaihd.net
*.fbcdn.net
connect.facebook.com

LinkedIn
8.247.88.225
23.202.203.120
64.94.107.57
138.108.7.20
216.52.242.80
216.52.242.86

PayPal Express Checkout


173.0.82.77/32
92.122.246.85/32
66.117.29.34/32
216.113.188.89/32
66.235.147.113/32

If you wish to disable Apple's Captive Assistant, please add the following to your walled garden:
www.apple.com
www.airport.us
www.ibook.info
www.thinkdifferent.us
www.itools.info
www.appleiphonecell.com
captive.apple.com



FREQUENTLY ASKED QUESTIONS

Q. I want to add different authentication provider types, how do I do this?
A. Please see our Odyssys Authentication guide for further information.

Q. I need more information on how to set up Odyssys.
A. Please see our Odyssys setup guide.



GLOSSARY
ACL - Access Control List

AAA - Authentication, Authorization, and Accounting

DHCP - Dynamic Host Configuration Protocol

DNS - Domain Name Service

NAT - Network Address Translation

PORT - A process-specific or an application-specific software construct serving as a communication endpoint, which
is used by the Transport Layer protocols of the Internet Protocol suite, such as User Datagram Protocol (UDP) and
Transmission Control Protocol (TCP)

RADIUS - Remote Authentication Dial In User Service (RADIUS)

SHARED SECRET - A single password shared between two devices

SSID - Service Set Identifier - A unique identifier for your Wi-Fi service

WLAN - Wireless Local Area Network

WLC - Wireless Local Area Network Controller



Global Reach Technology Ltd
Craven House, 121 Kingsway
London WC2B 6PA
T +44 (0) 20 7831 5630
info@globalreachtech.com

Copyright © Global Reach Technology Limited


All rights reserved.
Global Reach and the Global Reach logo
are registered trademarks.
