Cisco WLC Integration (Catalyst 9800 & AireOS)

Connect CaptiFi to your Cisco wireless LAN controller (WLC) using Central Web Authentication (CWA) — the same ISE-style flow, with CaptiFi acting as the RADIUS server.

Both WLC operating systems are supported:

| Your controller | OS | Follow |
| --- | --- | --- |
| Catalyst 9800 (appliance, cloud, embedded) | IOS-XE 17.x | Steps 1–4 below |
| 5500 / 8500 / virtual WLC (e.g. serving Aironet 2700s) | AireOS 8.x | Steps 1–2 below, then the AireOS section |

Important

The redirect ACL name and RADIUS settings must be entered exactly as shown. Cisco 9800 configuration varies by IOS-XE version — if you get stuck, email support@captifi.io and we'll walk through it with you.

Prerequisites

  • Cisco Catalyst 9800 (IOS-XE 17.x) or AireOS WLC (8.x — 5500/8500/vWLC)
  • Access points joined and operational
  • Admin access to the WLC (GUI or CLI)
  • A CaptiFi account with a Cisco site created (contact support and we'll set this up — you'll receive a config pack containing your RADIUS shared secret, NAS identifier and all the values below)

How It Works

  1. A guest connects to your open guest SSID
  2. The WLC sends MAC authentication (MAB) to CaptiFi's RADIUS server
  3. Unknown guests are accepted into a quarantine state with a redirect to your CaptiFi splash page
  4. The guest completes the splash form — CaptiFi authorises their MAC and tells your WLC to re-check the session (CoA on 9800, Disconnect-Request/PoD on AireOS)
  5. The WLC re-authenticates the session and the guest gets full internet access

Where does the splash page come from?

You never hard-code a splash URL on a Cisco WLC. CaptiFi returns the redirect URL dynamically in the RADIUS reply (url-redirect attribute), pointing the guest at https://app.captifi.io/guest/cisco?site_id=YOUR_SITE_ID — your branded splash page, configured in the CaptiFi dashboard's Splash Manager. The exact URL for your site is shown in your config pack.
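To confirm from a packet capture that the RADIUS reply carries the redirect values your WLC expects, the following added example (not CaptiFi's code) extracts the cisco-av-pair attributes from an Access-Accept and checks the ACL name and splash host. The sample packet is constructed inline with a zeroed authenticator, and the helper names are hypothetical.

```python
import struct
from urllib.parse import urlsplit

EXPECTED_ACL = "CAPTIFI_REDIRECT"   # ACL name from this page (case-sensitive)
EXPECTED_HOST = "app.captifi.io"    # splash host from this page

def cisco_avpairs(packet):
    """Yield (name, value) for every cisco-av-pair (vendor 9, type 1)."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # skip code, id, length and the 16-byte authenticator
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + a_len]
        pos += a_len
        if a_type != 26 or len(value) < 6:   # 26 = Vendor-Specific
            continue
        vendor, v_type, v_len = struct.unpack("!IBB", value[:6])
        if vendor == 9 and v_type == 1:
            text = value[6:4 + v_len].decode("utf-8", "replace")
            name, _, val = text.partition("=")
            yield name, val

def check_redirect(packet):
    """Return a list of problems; an empty list means the reply matches."""
    pairs = dict(cisco_avpairs(packet))
    problems = []
    acl = pairs.get("url-redirect-acl")
    if acl != EXPECTED_ACL:
        problems.append(f"url-redirect-acl is {acl!r}, expected {EXPECTED_ACL!r}")
    url = urlsplit(pairs.get("url-redirect", ""))
    if url.scheme != "https" or url.hostname != EXPECTED_HOST:
        problems.append(f"url-redirect points at {url.geturl()!r}")
    return problems

def _vsa(text):
    data = text.encode()
    return struct.pack("!BBIBB", 26, len(data) + 8, 9, 1, len(data) + 2) + data

def sample_accept(acl_name):
    """Constructed Access-Accept (code 2) with the two redirect av-pairs."""
    attrs = _vsa("url-redirect=https://app.captifi.io/guest/cisco?site_id=YOUR_SITE_ID")
    attrs += _vsa("url-redirect-acl=" + acl_name)
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print(check_redirect(sample_accept("captifi_redirect")))
```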


Step 1: Add the CaptiFi RADIUS Server

On the WLC: Configuration → Security → AAA → Servers/Groups → RADIUS → Servers → Add

| Setting | Value |
| --- | --- |
| Server Address | radius.captifi.io |
| Auth Port | 1812 |
| Accounting Port | 1813 |
| Shared Secret | Provided by CaptiFi (in your config pack / dashboard's Cisco Setup Guide) |
| Support for CoA | Enabled |

CLI equivalent:

radius server CAPTIFI
 address ipv4 <resolved-ip-of-radius.captifi.io> auth-port 1812 acct-port 1813
 key <YOUR_SHARED_SECRET>

aaa server radius dynamic-author
 client <radius-server-ip> server-key <YOUR_SHARED_SECRET>

Then create a server group and method lists:

aaa group server radius CAPTIFI_GROUP
 server name CAPTIFI

aaa authorization network CAPTIFI_AUTHZ group CAPTIFI_GROUP
aaa accounting identity CAPTIFI_ACCT start-stop group CAPTIFI_GROUP

Step 2: Create the Redirect ACL

The ACL named CAPTIFI_REDIRECT controls which traffic is intercepted (redirected to the splash) versus allowed through pre-authentication.

ip access-list extended CAPTIFI_REDIRECT
 10 deny udp any any eq domain
 20 deny udp any eq domain any
 30 deny tcp any host <app.captifi.io IP> eq 443
 40 deny tcp any host <captifi.io IP> eq 443
 100 permit tcp any any eq www
 110 permit tcp any any eq 443

How Cisco redirect ACLs work

In a CWA redirect ACL, deny = do NOT redirect (allow through) and permit = intercept & redirect. DNS and the CaptiFi domains must be deny (reachable), all other web traffic permit (redirected).

The ACL name must be exactly CAPTIFI_REDIRECT — CaptiFi returns this name in the url-redirect-acl av-pair.
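The inverted semantics are easy to misread, so here is an added example (not CaptiFi's or Cisco's code) that evaluates the ACL above with first-match logic and reports which pre-auth flows are redirected. The addresses 192.0.2.10 and 192.0.2.20 are placeholders for the two CaptiFi IPs, the guest flows are constructed, and the parser handles only the syntax used on this page.

```python
# Constructed copy of the page's ACL. 192.0.2.10 and 192.0.2.20 are
# placeholders for <app.captifi.io IP> and <captifi.io IP>.
ACL = """\
10 deny udp any any eq domain
20 deny udp any eq domain any
30 deny tcp any host 192.0.2.10 eq 443
40 deny tcp any host 192.0.2.20 eq 443
100 permit tcp any any eq www
110 permit tcp any any eq 443
"""
PORT_NAMES = {"domain": 53, "www": 80}

def _endpoint(tokens):
    """Consume 'any' or 'host A.B.C.D', then an optional 'eq PORT'."""
    ip = None
    if tokens.pop(0) == "host":
        ip = tokens.pop(0)
    port = None
    if tokens[:1] == ["eq"]:
        word = tokens[1]
        del tokens[:2]
        port = PORT_NAMES.get(word) or int(word)
    return ip, port

def parse(text):
    """Parse the subset of IOS extended-ACL syntax used on this page."""
    rules = []
    for line in text.splitlines():
        seq, action, proto, *rest = line.split()
        rules.append((int(seq), action, proto, _endpoint(rest), _endpoint(rest)))
    return sorted(rules, key=lambda r: r[0])

def classify(rules, proto, src_ip, sport, dst_ip, dport):
    """First match wins. Returns (verdict, sequence number or None)."""
    for seq, action, r_proto, (s_ip, s_port), (d_ip, d_port) in rules:
        if (r_proto == proto
                and s_ip in (None, src_ip) and s_port in (None, sport)
                and d_ip in (None, dst_ip) and d_port in (None, dport)):
            return ("redirect" if action == "permit" else "no-redirect", seq)
    return ("no-redirect", None)  # implicit deny at the end of every ACL

RULES = parse(ACL)

if __name__ == "__main__":
    guest = "10.20.0.50"  # constructed guest address
    for flow in [("tcp", guest, 50001, "203.0.113.7", 80),
                 ("tcp", guest, 50002, "192.0.2.10", 443),
                 ("udp", guest, 50003, "203.0.113.53", 53),
                 ("udp", guest, 50004, "203.0.113.7", 443)]:
        print(flow, classify(RULES, *flow))
```

The last flow (UDP 443) matches no entry and falls to the implicit deny, so it is never redirected, and HTTP on port 80 to a CaptiFi address is still redirected because only port 443 is exempted.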


Step 3: Configure the Guest WLAN for MAB

Configuration → Tags & Profiles → WLANs → Add

  1. Create your guest SSID with Security → Layer 2 → None (open)
  2. Enable MAC Filtering and select the CAPTIFI_AUTHZ authorization list
  3. In the Policy Profile for this WLAN:
    • Enable AAA Override
    • Set NAC State to Enabled with NAC Type RADIUS
    • Select the CAPTIFI_ACCT accounting list
  4. Apply the policy profile to your guest WLAN via the policy tag

CLI equivalent (key lines):

wlan GUEST_WIFI 10 "Free WiFi"
 mac-filtering CAPTIFI_AUTHZ
 no security wpa
 no shutdown

wireless profile policy GUEST_POLICY
 aaa-override
 nac
 accounting-list CAPTIFI_ACCT
 no shutdown

Step 4: Test

  1. Connect a phone to the guest SSID
  2. The CaptiFi splash page should appear automatically (or open a browser to any HTTP site)
  3. Complete the splash form — full internet access should be granted within a few seconds (the CoA + re-auth round trip)
  4. Check your CaptiFi dashboard — the guest appears in your guest log

Troubleshooting

| Issue | Solution |
| --- | --- |
| No splash page appears | Verify MAC filtering points at the CaptiFi authorization list and the WLC can reach radius.captifi.io:1812 (UDP) |
| Splash page won't load | Check the redirect ACL deny entries for DNS and the CaptiFi hosts — guests must be able to reach app.captifi.io pre-auth |
| Guest stuck after submitting form | CoA/PoD may be blocked — verify dynamic authorization is enabled and the right UDP port is open inbound from CaptiFi to the WLC (1700 on 9800, 3799 on AireOS) |
| "RADIUS server not responding" | Check the shared secret matches exactly; verify no firewall blocks UDP 1812/1813 outbound |
| Works once, then guests re-prompted | Session timeout — CaptiFi returns the session length from your site settings; check minutes authorised in your dashboard |
| ACL errors in logs | The ACL name must be exactly CAPTIFI_REDIRECT (case-sensitive) |

Useful debug commands:

show wireless client mac-address <mac> detail
debug aaa authorization
show access-lists CAPTIFI_REDIRECT

AireOS Configuration (legacy WLCs)

AireOS (5500/8500/virtual WLC running 8.x) uses the same CaptiFi RADIUS settings but a different GUI. After completing Steps 1–2 conceptually (RADIUS server + pre-auth ACL), configure:

1. Add the RADIUS server

Security → AAA → RADIUS → Authentication → New

| Setting | Value |
| --- | --- |
| Server IP Address | resolved IP of radius.captifi.io |
| Shared Secret | from your config pack |
| Port | 1812 |
| Support for CoA | Enabled |

Repeat under Accounting with port 1813.

2. Create the pre-auth ACL

Security → Access Control Lists → New — create an ACL (e.g. CAPTIFI_PREAUTH) that permits: DNS (UDP 53 both directions) and HTTPS to app.captifi.io + captifi.io. AireOS pre-auth ACLs use normal permit/allow semantics (unlike 9800 redirect ACLs).

3. Configure the guest WLAN

WLANs → your guest SSID:

  • Security → Layer 2: None + MAC Filtering enabled
  • Security → Layer 3: None
  • Security → AAA Servers: select the CaptiFi RADIUS server for Authentication and Accounting
  • Advanced: Allow AAA Override enabled, NAC State = RADIUS NAC

4. Session bump

After a guest completes the splash, CaptiFi sends a RADIUS Disconnect-Request (Packet of Disconnect) to your WLC on UDP 3799. The client silently re-associates, re-runs MAC auth and is granted full access. Make sure UDP 3799 is open inbound from CaptiFi to the WLC management IP.
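When a guest stays stuck even though the port is open, a captured Disconnect-Request or CoA-Request can be checked against the locally configured key. This added example (not CaptiFi's code) recomputes the RFC 5176 Request Authenticator; the sample packet, secret and MAC are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43  # RFC 5176 packet codes

def request_authenticator(packet, secret):
    """MD5(Code + Id + Length + 16 zero octets + attributes + secret)."""
    length = struct.unpack("!H", packet[2:4])[0]
    body = packet[:4] + bytes(16) + packet[20:length]
    return hashlib.md5(body + secret).digest()

def verify_dynamic_author(packet, secret):
    """Classify a captured PoD/CoA packet against the local shared secret."""
    if len(packet) < 20:
        return "too short"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return "not a dynamic-authorization request"
    if not 20 <= length <= len(packet):
        return "bad length"
    expected = request_authenticator(packet, secret)
    if not hmac.compare_digest(packet[4:20], expected):
        return "authenticator mismatch"
    return "ok"

def build_sample(secret, mac="aa-bb-cc-dd-ee-ff"):
    """Constructed Disconnect-Request carrying Calling-Station-Id (31)."""
    attr = bytes([31, 2 + len(mac)]) + mac.encode()
    header = struct.pack("!BBH", DISCONNECT_REQUEST, 7, 20 + len(attr))
    auth = hashlib.md5(header + bytes(16) + attr + secret).digest()
    return header + auth + attr

if __name__ == "__main__":
    pkt = build_sample(b"constructed-secret")
    print(verify_dynamic_author(pkt, b"constructed-secret"))  # matching key
    print(verify_dynamic_author(pkt, b"typo-in-secret"))      # mismatched key
```

A mismatch means the key configured for dynamic authorization on the WLC differs from the one the request was signed with, or the packet was altered in transit.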


Need Help?

Cisco 9800 deployments vary widely. We're happy to jump on a call and configure it with your network team:
