Cisco WLC 9800 controllers provide enterprise-grade wireless management with advanced security and performance features. Integrating Spotipo's external captive portal with your WLC 9800 adds email capture, social login, and guest WiFi management capabilities while maintaining Cisco's robust network infrastructure.
This guide walks you through configuring Cisco WLC 9800 to work with Spotipo's cloud authentication system using RADIUS servers, web authentication parameters, and WLAN security settings. The setup requires valid SSL certificates and takes approximately 30-45 minutes to complete.
What you'll accomplish:
Create a Cisco WLC site in Spotipo and generate RADIUS credentials
Configure RADIUS authentication and accounting servers on WLC 9800
Set up web authentication with external portal redirection
Configure WLAN security settings for guest access
Optionally enable Facebook login with pre-authentication ACL
What you'll need:
Cisco WLC 9800 controller with admin access
Valid SSL certificate installed on WLC (self-signed certificates trigger security warnings)
CLI access for optional Facebook ACL configuration
Active Spotipo account (start free trial)
Important limitation: Cisco WLC doesn't support FQDN ACLs, so payment options with Stripe are not supported on this platform.
Add a Site
On our spotipo website, create a site. Make sure that the router type is set to "Cisco WLC"
Once you have created your Site, go to Settings -> WLC Config and remember generated configuration details.
Configure Spotipo Radius Authentication/Accounting server
On your WLC GUI, go to Configuration -> Secruity -> AAA -> Servere/Groups -> RADIUS. Add a new Radius server and configure it like pictured below.
Name: Spotipo-Radius
Server Address: 34.77.150.10
Leave the Auth and Acct port at 1812 and 1813 which are default values.
To find the Key, find the RADIUS SECRET listed on the Spotipo website, and copy it in the key field.
If you want to add the backup server, do the same steps as before, simply use the Server Address 35.205.248.64 . For Key, use the same RADIUS Secret as before.
Once you have created RADIUS entries, you need to add them to a server group.
Once you've configured RADIUS servers, go to AAA Method list
Create a new Authentication method list called spotipo_local_auth. Make sure That the Type is login and the Group type is set to local.
Also, make sure that your Radius Server Group is assigned to this method list.
Next, go to Authorization, and repeat the same steps. Make sure the type is network and Group Type is local
Also, create a default Accounting Method list called default. Make sure type is network.
Configure WebAuth to use Spotipo as the External Portal
Go to Configuration ->Security -> WebAuth. First select the global parameter. Make sure that Virtual IPv4 Address is set. It doesn't have to be a specific address. 192.0.2.1 is the default.
For Trustpoint, make sure you have a valid SSL certificate set . If you use a self signed certificate, users will get prompted with the unsafe message while trying to authenticate.
Also, make sure to have Web Auth intercept HTTPs and Enable HTTP server for Web Auth turned on.
|| If you're using a valid SSL certificate, you must use a Hostname different from the Cisco WLC management Hostname
After you've configured global webauth, create a new parameter. Call it spotipo_webauth (or anything you'd like).
Make sure that the type is set to webauth and disable the Success and Logout Windows as well as the Cisco Logo.
Go to the Advanced tab. Make sure to use the URL provided on the Spotipo website under Splash URL. And use that under the Redirect URL for login.
Configure the rest like pictured below. Make sure that the portal IPV4 Address is set to 107.178.247.148, as that is the IP address of app.spotipo.com
Configuring WLAN
Go to Configuration -> Tags & Profiles -> WLANs If you've already created a WLAN, open it. If not, create one by pressing the Add button.
Under Security, make sure that the Layer 2 security is set to none.
Under Layer 3. Make sure that the Web Policy is turned on. Set the Web Auth Parameter Map to the one we created previously (Spotipo_Webauth).
Also, make sure that the Authentication list is set to the spotipo_local_auth that we've created earlier.
Optional: Create External Access list for allowing Facebook login
If you want your users to log in with their Facebook profile, or if you'd like to enable paid wifi, you will need to allow additional ip addresses by creating an external ACL.
Since there are a lot of addresses that need to be allowed, we suggest using a CLI for this part of the setup, but everything can also be achieved by going to Configuraiton -> Security -> ACL and creating a new Access List there.
For allowing Facebook, copy these commands to your WLC's terminal.
config terminal ip access-list extended Spotipo-preauth permit ip any 129.134.0.0 0.0.255.255 permit ip any 157.240.0.0 0.0.255.255 permit ip any 173.252.64.0 0.0.63.255 permit ip any 179.60.192.0 0.0.3.255 permit ip any 185.60.216.0 0.0.3.255 permit ip any 204.15.20.0 0.0.3.255 permit ip any 31.13.24.0 0.0.7.255 permit ip any 31.13.64.0 0.0.63.255 permit ip any 45.64.40.0 0.0.3.255 permit ip any 66.220.144.0 0.0.15.255 permit ip any 69.63.176.0 0.0.15.255 permit ip any 69.171.224.0 0.0.31.255 permit ip any 74.119.76.0 0.0.3.255 permit ip any 103.4.96.0 0.0.3.255 deny ip any any exit
Make sure to save the configuration.
write memory
Once these addresses are allowed, assign this ACL to the WLAN you're using for a captive portal.
Go to Configuration -> Tags & Profiles -> WLANs select the WLAN you're using for the captive portal.
After that, go to:
Security -> Layer 3 -> Show advanced settings -> Preauthentication ACL -> IPv4 - Spotipo-preauth
Your Cisco WLC 9800 Captive Portal Is Now Active
Once you've configured RADIUS servers, web authentication parameters, and WLAN security settings, guests connecting to your WLAN will be redirected to Spotipo's captive portal for authentication. You can now capture guest data, run marketing campaigns, and manage guest WiFi access through your Cisco WLC 9800 infrastructure.
What to do next:
Test the captive portal by connecting a device to your configured WLAN
Customize your splash page design in Spotipo dashboard to match your branding
Set up email marketing integrations to automatically sync guest contacts
SSL certificate requirement: Valid SSL certificates are essential for secure captive portal operation. Self-signed certificates cause browser security warnings that reduce guest conversion rates. If using a valid certificate, ensure you use a hostname different from your WLC management hostname.
Common Cisco WLC 9800 setup issues:
Portal not redirecting: Verify web auth parameter map is assigned to WLAN and redirect URL matches Spotipo splash URL
Authentication failures: Ensure RADIUS secret matches Spotipo settings exactly (case-sensitive)
SSL warnings: Install valid SSL certificate instead of self-signed certificate
Facebook login not working: Verify pre-authentication ACL includes all Facebook IP ranges
Still having trouble enabling Spotipo on Cisco WLC 9800? Contact Spotipo support via live chat or email us at [email protected], we'll help troubleshoot your specific WLC 9800 configuration.