C9800 Web Authentication and Captive Portal Configuration
Web authentication on the Cisco Catalyst 9800 Wireless LAN Controller provides a flexible way to authenticate guest users, implement bring-your-own-device (BYOD) policies, and create controlled network access through captive portals. Whether you're running a simple hotspot for visitors or a complex enterprise network with multiple authentication tiers, understanding the C9800's web authentication capabilities is critical to your deployment strategy.
This guide walks you through the different web authentication methods available on the C9800, configuration approaches for each, certificate requirements, and practical examples you can deploy today.
Web Authentication Types on C9800
The C9800 supports four primary web authentication methods, each suited to different use cases and deployment models. The key differences center on where the portal is hosted, who performs the authentication, and how redirect logic works.
| Method | Portal Hosting | Auth Server | Redirect Logic | Best For |
|---|---|---|---|---|
| Local Web Auth (LWA) | C9800 controller (built-in or custom pages) | Local user database or RADIUS, through the WLAN's authentication list | Controller intercepts HTTP and answers with a redirect to its own virtual IP | Small to medium deployments; simple guest access |
| External Web Auth (EWA) | External web server | Still the C9800: the external page only collects the credentials and posts them back to the controller's virtual IP, which checks them locally or via RADIUS | Redirect to the external portal URL; the login form returns to the controller | Existing portal infrastructure; custom branding |
| Central Web Auth (CWA) | ISE | ISE; the WLAN does MAC filtering (MAB) against ISE, ISE returns the redirect URL and ACL name, and CoA re-authorizes the client after login | Controller redirects HTTP that matches the ISE-supplied redirect ACL; CoA triggers re-authorization | Enterprise deployments with ISE/policy framework |
| Consent/Passthrough Web Auth | C9800 controller (simplified page) | No credential entry; the user accepts the terms | User clicks "agree" on the controller's page | Quick guest access; AUP acceptance |
Local Web Authentication (LWA)
Local Web Authentication is the most straightforward approach and ideal if you don't have existing portal infrastructure. The C9800 controller itself hosts the portal pages and performs authentication decisions. You can use either the built-in default portal or upload custom HTML pages for branding.
Basic LWA Flow
When a client connects to an LWA-enabled WLAN, the controller holds it in the Webauth Pending state, intercepts its HTTP requests and answers them with a redirect to the portal on the virtual IP. After successful authentication the client moves to the RUN state and can access the network (subject to the policy profile and any ACL applied to it). There is no browser token involved: the controller tracks the session by the client's MAC address, so the session lasts until the client disconnects, is deleted, or the idle or session timeout configured in the policy profile fires.
Parameter Map Configuration (GUI)
Start by creating a named parameter map that defines the portal behavior (Configuration > Security > Web Auth). The entry named global is always present and holds the settings shared by every portal, including the virtual IP and the certificate trustpoint; named maps hold the per-portal settings and inherit the rest:
- Click Add and enter a parameter map name (e.g., "guest-portal")
- Set the Type to webauth (consent shows only an acceptance page, webconsent asks for acceptance and credentials, authbypass lets known MAC addresses through)
- Set Maximum HTTP Connections to cap concurrent portal connections
- Configure Init-State Timeout (how long a client may sit on the login page before it is dropped back to the start of the flow)
- Choose the Banner Type (Banner Text, File Name, or none), or select custom login, success, failure and expired pages
- Configure the redirect URLs for login (external portals only), success and failure
- Click Update & Apply
- Then edit the global map and set the Virtual IPv4 address there, together with the Virtual Host name when you use a certificate; named maps do not carry their own
Virtual IP Configuration
The virtual IP is central to LWA. It is a placeholder address that the controller answers on itself: the redirect points the client at it and the login page is served from it, so it must never be a real address in your network. Cisco's documented choice is 192.0.2.1, from the RFC 5737 TEST-NET-1 range, which no host should be using; do not pick an address in your management or client subnets, because the controller would then answer for a real host and wireless clients could no longer reach it. Set it in the global parameter map (named maps inherit it) and, when you serve the portal with a certificate, add the matching virtual host name so that the name in the certificate matches the URL the client sees.
CLI-Based LWA Configuration
Device# configure terminal
Device(config)# parameter-map type webauth global
Device(config-params-webauth)# virtual-ip ipv4 192.0.2.1
Device(config-params-webauth)# exit
Device(config)# parameter-map type webauth guest-portal
Device(config-params-webauth)# type webauth
Device(config-params-webauth)# max-http-conns 100
Device(config-params-webauth)# timeout init-state sec 300
Device(config-params-webauth)# banner text ^CWelcome to Guest Network^C
Device(config-params-webauth)# end
The banner text is delimited by a character of your choice (^C here). Idle and session timeouts are not parameter-map settings; they live in the policy profile (idle-timeout and session-timeout) and are shown in the complete example at the end of this guide.
Applying LWA to a WLAN
Once the parameter map is created, define the authentication method list the portal will use (here the local user database) and apply both to the WLAN. The argument of security web-auth authentication-list is the name of a method list, not a keyword, so the list must exist:
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa authentication login webauth-local local
Device(config)# aaa authorization network default local
Device(config)# wlan guest-wlan 20 Guest-SSID
Device(config-wlan)# no security wpa
Device(config-wlan)# security web-auth
Device(config-wlan)# security web-auth authentication-list webauth-local
Device(config-wlan)# security web-auth parameter-map guest-portal
Device(config-wlan)# no shutdown
Device(config-wlan)# end
The WLAN is only broadcast once it is mapped, together with a policy profile, in a policy tag applied to the APs.
Custom Portal Pages
If you want to move beyond the default portal, you can upload custom HTML files. The controller stores these pages in bootflash and serves them during web authentication, so you can match corporate branding, display company logos and include custom terms-of-use text.
Copy the files to bootflash (for example with copy scp://... bootflash: from the CLI), then in the parameter map select Custom Page and point each page type at its file; from the CLI the commands are custom-page login device bootflash:login.html, custom-page success device bootflash:success.html, custom-page failure device bootflash:failure.html and custom-page login expired device bootflash:expired.html. The banner File Name option is something else: it only replaces the banner inside the built-in page. Keep custom pages self-contained (inline CSS, no scripts, fonts or images fetched from other hosts), because the client is still behind the pre-auth ACL when it renders them, and keep the login form posting to the controller's own login URL.
External Web Authentication (EWA)
External Web Authentication redirects clients to a portal hosted outside the C9800 controller. This is useful when you already have a captive portal solution (such as a third-party gateway or your own web server) and want to integrate with the C9800's redirect capabilities.
EWA Configuration Steps
- Define a parameter map with the external portal URL (redirect for-login) and the portal server's address (redirect portal ipv4), which the controller permits for unauthenticated clients
- Create a pre-auth ACL that permits DNS, DHCP and anything else the portal page itself needs, and bind it to the WLAN with ip access-group web
- Point the WLAN at the parameter map and at an authentication list: the external page only collects the credentials and posts them back to the controller's virtual IP, where the controller checks them against the local database or RADIUS
Example: EWA with External Portal
Device(config)# parameter-map type webauth external-portal
Device(config-params-webauth)# type webauth
Device(config-params-webauth)# redirect for-login https://portal.example.com/login
Device(config-params-webauth)# redirect portal ipv4 10.1.1.100
Device(config-params-webauth)# end
In this example the controller redirects unauthenticated HTTP requests to https://portal.example.com/login, appending query parameters that identify the WLAN and the client, carry the client's original URL, and name the controller login URL (on the virtual IP) to which the page must post the credentials. The "redirect portal ipv4" command gives the controller the portal server's address so that traffic to it is allowed while the client is still unauthenticated; the client still needs DNS to resolve the FQDN, which is why the pre-auth ACL permits it. Use https for the portal URL: the page carries the credential form, so its integrity matters even though the credentials themselves are posted to the controller.
Pre-Authentication ACL for EWA
Before a client authenticates, it must be able to reach the external portal. Create a named pre-auth ACL that permits DNS and DHCP plus the portal server (the redirect portal ipv4 entry already allows it, but the explicit line documents the intent), and bind it to the WLAN with ip access-group web:
Device(config)# ip access-list extended PREAUTH-EWA
Device(config-ext-nacl)# permit udp any eq bootpc any eq bootps
Device(config-ext-nacl)# permit udp any any eq domain
Device(config-ext-nacl)# permit tcp any any eq domain
Device(config-ext-nacl)# permit tcp any host 10.1.1.100 eq 443
Device(config-ext-nacl)# deny ip any any
Device(config-ext-nacl)# exit
Device(config)#
Device(config)# wlan guest-external 21 Guest-External
Device(config-wlan)# ip access-group web PREAUTH-EWA
Device(config-wlan)# no security wpa
Device(config-wlan)# security web-auth
Device(config-wlan)# security web-auth authentication-list webauth-local
Device(config-wlan)# security web-auth parameter-map external-portal
Device(config-wlan)# no shutdown
Device(config-wlan)# end
Only HTTPS to the portal is permitted; if the portal page pulls scripts, fonts or images from other hosts, those must be added too, or the page will render broken for every unauthenticated client.
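The external page is the part of EWA that you write yourself, and the controller hands it everything it needs in the query string, so its first job is to decide which of those values it may trust. The following is an added example for this guide, not Cisco code and not a complete portal: a parameter check for an EWA login page that only ever renders a credential form posting to the controller's own virtual host, and only echoes a sane post-login URL. The parameter names (switch_url, wlan, client_mac, redirect), the form field names and the allowed hosts are assumptions that follow the convention of Cisco controllers; confirm them against a redirect captured from your own C9800 before relying on them.

```python
"""Parameter validation for an external (EWA) login page.

Added example for this guide; it is not Cisco code and not a complete portal.
When the C9800 redirects a client to the `redirect for-login` URL it appends
query parameters telling the page where the credentials must be posted back
(the controller's login page on the virtual host) and where the client was
going. The parameter names used here (switch_url, wlan, client_mac, redirect)
and the form field names follow the convention of Cisco controllers but are
an assumption: confirm them against a redirect captured from your C9800.
"""
from html import escape
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Where credentials may be posted: the virtual IP / virtual host from the
# controller's global webauth parameter map (assumed values for the example).
ALLOWED_SWITCH_HOSTS = {"192.0.2.1", "portal.example.com"}
DEFAULT_LANDING = "https://www.example.com/welcome"  # assumed fallback page


class PortalParamError(ValueError):
    """Raised when the redirect parameters are missing or not trustworthy."""


def validate_switch_url(url: str) -> str:
    """Return a canonical https URL on an allowed controller host, else raise."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise PortalParamError("switch_url must use https")
    # urlsplit().hostname strips userinfo and lowercases, so a value such as
    # https://192.0.2.1@203.0.113.9/ is seen as 203.0.113.9 and rejected.
    if parts.hostname not in ALLOWED_SWITCH_HOSTS:
        raise PortalParamError(f"unexpected switch_url host {parts.hostname!r}")
    if parts.query or parts.fragment:
        raise PortalParamError("switch_url must not carry a query or fragment")
    return f"https://{parts.hostname}{parts.path or '/'}"


def sanitize_redirect(url: Optional[str]) -> str:
    """Only absolute http(s) URLs are echoed back; anything else gets the default."""
    if not url:
        return DEFAULT_LANDING
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return DEFAULT_LANDING  # covers javascript:, data:, //host and relative paths
    return url


def parse_controller_params(query_string: str) -> dict:
    """Parse and validate the query string the controller appended to the redirect."""
    q = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    if "switch_url" not in q:
        raise PortalParamError("missing switch_url")
    return {
        "post_to": validate_switch_url(q["switch_url"]),
        "wlan": q.get("wlan", ""),
        "client_mac": q.get("client_mac", ""),
        "redirect": sanitize_redirect(q.get("redirect")),
    }


def _attr(value: str) -> str:
    return escape(value, quote=True)


def render_login_form(query_string: str) -> str:
    """Build the credential form; every reflected value is validated and escaped."""
    p = parse_controller_params(query_string)
    return (
        f'<form method="post" action="{_attr(p["post_to"])}">\n'
        f'  <input type="hidden" name="redirect_url" value="{_attr(p["redirect"])}">\n'
        '  <input type="hidden" name="buttonClicked" value="4">\n'
        f'  <p>Network: {_attr(p["wlan"])}</p>\n'
        '  <input name="username"> <input type="password" name="password">\n'
        '  <button type="submit">Log in</button>\n'
        '</form>'
    )


def accepts(query_string: str) -> bool:
    """True when the portal would render a form for this query string."""
    try:
        render_login_form(query_string)
    except PortalParamError:
        return False
    return True
```

The allowlist is the whole point: a page that blindly uses switch_url as its form action will post guest credentials to any host an attacker names in the redirect, and a page that blindly echoes redirect will send the authenticated user anywhere. Rejecting the request (rather than falling back) when switch_url is wrong is deliberate, because in that situation the page has no trustworthy place to send the credentials at all.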
Central Web Authentication (CWA) with ISE
Central Web Authentication moves both the portal and the authentication decision to Cisco Identity Services Engine (ISE). The C9800's part is limited to MAC filtering (MAB) against ISE, enforcing the redirect URL and redirect ACL that ISE returns, and honoring the RADIUS Change of Authorization (CoA, RFC 5176) that ISE sends once the user has logged in. ISE provides policy-based access control and detailed logging. Another RADIUS server can drive the same flow only if it returns the Cisco url-redirect attributes and supports CoA.
CWA Architecture
In a CWA deployment, the flow is as follows:
- The client associates to an open WLAN with MAC filtering enabled; the C9800 sends a MAB request (a RADIUS Access-Request with the MAC address as user name) to ISE
- ISE does not recognize the endpoint and returns Access-Accept with the CWA attributes: cisco-av-pair=url-redirect-acl=<name of an ACL on the controller> and cisco-av-pair=url-redirect=<ISE portal URL carrying the session ID>
- The C9800 places the client in Webauth Pending: traffic matching a deny line of the redirect ACL (DNS, DHCP, ISE itself) passes, HTTP matching a permit line is answered with a redirect to the ISE URL
- The user authenticates at the ISE portal
- ISE sends a CoA-Request (reauthenticate) to the C9800, authenticated with the shared server-key
- The C9800 repeats the MAB request; ISE now matches the authenticated guest session and returns the final authorization (VLAN, ACL), and the client moves to the RUN state
Configuring CWA
To set up CWA, you need:
- ISE defined as a RADIUS server on the C9800, an authorization method list pointing at it (used by MAC filtering) and an accounting list, so ISE can tie the portal session to the RADIUS session
- Dynamic authorization enabled with a client entry for each ISE policy service node, so CoA is accepted only from those nodes and only with the shared key
- A redirect ACL on the controller; ISE returns its name in url-redirect-acl. There is no webauth parameter map for CWA, because the portal URL comes from ISE as well
- An open WLAN with mac-filtering bound to the ISE authorization list
- A policy profile with aaa-override and nac, so the VLAN and ACL attributes ISE returns are applied and CoA takes effect
The CWA-specific pieces look like this (the RADIUS server and AAA list definitions are shown in the complete CWA example at the end of this guide):
Device(config)# aaa server radius dynamic-author
Device(config-locsvr-da-radius)# client 192.168.10.50 server-key <shared-secret>
Device(config-locsvr-da-radius)# exit
Device(config)#
Device(config)# ip access-list extended REDIRECT-CWA
Device(config-ext-nacl)# deny udp any any eq domain
Device(config-ext-nacl)# deny udp any eq bootpc any eq bootps
Device(config-ext-nacl)# deny ip any host 192.168.10.50
Device(config-ext-nacl)# permit tcp any any eq www
Device(config-ext-nacl)# permit tcp any any eq 443
Device(config-ext-nacl)# exit
Device(config)#
Device(config)# wlan corporate-guest 30 Corporate-Guest
Device(config-wlan)# no security wpa
Device(config-wlan)# mac-filtering ISE-AUTHZ
Device(config-wlan)# no shutdown
Device(config-wlan)# exit
Device(config)#
Device(config)# wireless profile policy corporate-guest-policy
Device(config-wireless-policy)# vlan 30
Device(config-wireless-policy)# aaa-override
Device(config-wireless-policy)# nac
Device(config-wireless-policy)# accounting-list ISE-ACCT
Device(config-wireless-policy)# no shutdown
Device(config-wireless-policy)# end
Read the redirect ACL the other way round from a pre-auth ACL: deny lines are the traffic that passes without redirection, permit lines select what gets redirected to the portal. On the ISE side, an authorization profile with Web Redirection set to Centralized Web Auth names REDIRECT-CWA and the guest portal; a first authorization rule returns it for MAB requests from unknown endpoints, and a second rule matching the Guest Flow condition returns the final access after the portal login.
ISE sends CoA requests to the controller's dynamic authorization port. On IOS-XE the default is UDP 1700 (RFC 5176 specifies 3799; the port command under aaa server radius dynamic-author changes it), and ISE's network device entry defaults to 1700 as well. Ensure your firewall permits this traffic from each ISE policy service node to the controller's wireless management interface. Use a long, random server-key that is unique per device: the only cryptographic check on a CoA is an MD5 authenticator keyed with this secret, so a guessable secret lets anyone who can spoof an ISE address re-authorize or disconnect your clients.
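What the controller actually checks when that CoA arrives is worth seeing on the wire. The following is an added example for this guide, not Cisco or ISE code: it builds the CoA-Request ISE sends after a successful portal login (Calling-Station-Id, Acct-Session-Id and the cisco-avpair subscriber:command=reauthenticate), computes the Request Authenticator of RFC 5176 with the shared key, performs the controller-side verification, answers with a CoA-ACK, and shows that a request signed with a different key or altered in flight is silently discarded. The secret, MAC, session ID and packet identifier are constructed for the example, and a real implementation also checks the sender against the configured client entries.

```python
"""RFC 5176 CoA exchange between ISE and the C9800.

Added example for this guide, not Cisco or ISE code. It builds the
CoA-Request ISE sends after a successful portal login, performs the check
the controller makes with the `server-key` configured under
`aaa server radius dynamic-author`, and shows that a request signed with a
different key or altered in flight is silently discarded, as RFC 5176
requires. Secret, MAC, session ID and identifier are constructed; real code
also checks the sender against the configured `client` entries.
"""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_CALLING_STATION_ID, ATTR_ACCT_SESSION_ID, ATTR_VENDOR_SPECIFIC = 31, 44, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1

SECRET = b"example-CoA-key-use-a-long-random-one"  # constructed: the server-key
CLIENT_MAC = "aa-bb-cc-dd-ee-ff"                    # constructed Calling-Station-Id
SESSION_ID = "0A0A0A0A00000011ABCDEF01"             # constructed Acct-Session-Id


def avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute carrying one cisco-avpair (vendor 9, sub-type 1)."""
    return avp(ATTR_VENDOR_SPECIFIC,
               struct.pack("!I", CISCO_VENDOR_ID) + avp(CISCO_AVPAIR, text.encode()))


def _authenticator(code: int, ident: int, attrs: bytes, middle: bytes, secret: bytes) -> bytes:
    """MD5(Code + Identifier + Length + <16 bytes> + Attributes + Secret).

    RFC 5176 section 2.3: for a request the 16 bytes are zeros, for a
    response they are the Request Authenticator being answered."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + middle + attrs + secret).digest()


def build_coa_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    auth = _authenticator(COA_REQUEST, ident, attrs, b"\x00" * 16, secret)
    return struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """Controller side: recompute the Request Authenticator before acting on it."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = _authenticator(code, ident, packet[20:], b"\x00" * 16, secret)
    return hmac.compare_digest(packet[4:20], expected)


def build_response(request: bytes, code: int, secret: bytes, attrs: bytes = b"") -> bytes:
    """CoA-ACK or CoA-NAK for a verified request; keyed to its Request Authenticator."""
    ident, request_auth = request[1], request[4:20]
    auth = _authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """ISE side: the reply must echo the Identifier and be bound to our request."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = _authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(response[4:20], expected)


def parse_attrs(packet: bytes) -> list:
    """Return [(type, value), ...]; Vendor-Specific values are returned raw."""
    out, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 2 or i + packet[i + 1] > len(packet):
            raise ValueError("malformed attribute")
        out.append((packet[i], packet[i + 2:i + packet[i + 1]]))
        i += packet[i + 1]
    return out


def controller_handle(packet: bytes, secret: bytes) -> bytes:
    """Silently discard (empty reply) unless the Request Authenticator verifies."""
    if not verify_coa_request(packet, secret):
        return b""
    return build_response(packet, COA_ACK, secret)


def demo():
    """ISE's reauthenticate CoA for a client that just logged in at the portal."""
    attrs = (avp(ATTR_CALLING_STATION_ID, CLIENT_MAC.encode())
             + avp(ATTR_ACCT_SESSION_ID, SESSION_ID.encode())
             + cisco_avpair("subscriber:command=reauthenticate"))
    request = build_coa_request(7, attrs, SECRET)
    ack = controller_handle(request, SECRET)
    forged = build_coa_request(7, attrs, b"attacker-guessed-key")
    return request, ack, controller_handle(forged, SECRET)
```

Two things follow from the construction. First, the authenticator is an MD5 of the packet plus the secret, not a MAC keyed on anything else, so the strength of the whole exchange is the strength of the server-key; a short or reused key is brute-forceable from a single captured CoA. Second, a forged or modified request produces no reply at all, which is why a CoA problem in the field usually shows up on ISE as a timeout rather than a NAK: check the key and the client entry before anything else.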
Consent and Passthrough Web Authentication
For situations where you need guest access with minimal friction (such as a simple terms-of-use acceptance), consent-based web auth requires no credentials. Clients simply click "I Agree" on the controller's page and receive network access. It is configured like LWA with the type set to consent instead of webauth (webconsent asks for acceptance and credentials); the virtual IP and trustpoint come from the global parameter map, so they are not repeated here. Bear in mind that consent gives you an AUP acknowledgement but no identity: if you may need to attribute traffic to a person later, keep the client MAC, DHCP and accounting logs, or use a method that collects credentials.
Device(config)# parameter-map type webauth consent-portal
Device(config-params-webauth)# type consent
Device(config-params-webauth)# banner text ^CBy connecting you agree to our Acceptable Use Policy^C
Device(config-params-webauth)# end
Certificate Configuration for HTTPS
The login page collects credentials, so serve it over HTTPS with a certificate that guest devices will trust without a warning: a certificate from a public CA, issued for the virtual host name (for example portal.example.com), with a DNS record that resolves that name to the virtual IP. Configure a trustpoint holding that certificate and reference it from the global parameter map. Note that the controller can only present the certificate for its own virtual host; it cannot avoid warnings when it intercepts a client's HTTPS request to some other site, which is why HTTPS interception stays off by default.
Importing a Certificate
First, obtain the certificate and its CA chain as a PKCS#12 file and copy it to the controller's bootflash over SCP or SFTP. The file contains the private key, so never move it over TFTP or HTTP, both of which are cleartext. The import creates the trustpoint of the name you give:
Device# configure terminal
Device(config)# crypto pki import portal-cert pkcs12 bootflash:portal.p12 password <p12-password>
Device(config)# end
Device# show crypto pki certificates portal-cert
After importing, the certificate and its CA chain appear in the output; check the subject and the validity dates. Reference the trustpoint in the global parameter map (trustpoint portal-cert) so the portal handshake uses it, and delete the .p12 file from bootflash once the import has succeeded, so the key does not sit in a second place forever.
Self-Signed Certificates
If you're building a lab environment or control every client device and can install the certificate on them, a self-signed certificate is adequate. Everyone else will get a browser warning, and users who are trained to click through warnings are easier to phish on a hostile SSID, so do not use one for real guests. Generate one on the controller (the subject is a comma-separated DN, and the key pair is created on enrollment if it does not exist):
Device# configure terminal
Device(config)# crypto pki trustpoint self-signed-portal
Device(config-pki-tp)# enrollment selfsigned
Device(config-pki-tp)# subject-name CN=portal.internal.company.com,OU=IT,O=Company,C=US
Device(config-pki-tp)# rsakeypair portal-key 2048
Device(config-pki-tp)# hash sha256
Device(config-pki-tp)# revocation-check none
Device(config-pki-tp)# exit
Device(config)# crypto pki enroll self-signed-portal
Device(config)# end
Pre-Authentication ACLs
Before clients authenticate, they typically have zero network access. A pre-auth ACL defines what traffic is permitted during this phase. This almost always includes DHCP (UDP 67/68) and DNS (UDP 53, TCP 53) so clients can obtain an IP and resolve the portal FQDN.
Building a Pre-Auth ACL
Device(config)# ip access-list extended PREAUTH-GUEST
Device(config-ext-nacl)# permit udp any eq bootpc any eq bootps
Device(config-ext-nacl)# permit udp any any eq domain
Device(config-ext-nacl)# permit tcp any any eq domain
Device(config-ext-nacl)# deny ip any any
Device(config-ext-nacl)# exit
Device(config)#
Device(config)# wlan guest 50 Guest-Network
Device(config-wlan)# ip access-group web PREAUTH-GUEST
Device(config-wlan)# security web-auth parameter-map guest-portal
Device(config-wlan)# end
Use a named extended ACL and bind it with ip access-group web. The final "deny ip any any" makes the intent explicit: traffic outside the permitted set is dropped while authentication is pending. Clients can still reach the portal because the redirect and the login page are produced by the controller itself on the virtual IP, before any forwarding decision, so that exchange never traverses the pre-auth ACL; for EWA the external server's address is allowed through redirect portal ipv4. Resist adding a permit for ICMP "to help troubleshooting": an unauthenticated device has no business probing your network, and DNS alone already gives it enough to find the portal.
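The pre-auth ACL here and the CWA redirect ACL in the ISE section above look alike but are read in opposite ways, and confusing the two is the most common reason a client either never sees the portal or gets online without logging in. The following is an added example for this guide, not Cisco code: a small evaluator for the subset of IOS-XE extended ACL syntax used on this page that applies the same packet under both interpretations, so the difference can be tested rather than remembered. The ACLs and packets are constructed for the example, and the treatment of traffic that matches nothing in a redirect ACL (dropped, on the assumption that a Webauth Pending client is default-closed) is this model's assumption.

```python
"""Model of how the C9800 applies the two ACLs discussed on this page.

Added example, not Cisco code. Parses the subset of IOS-XE extended ACL syntax
used above (permit/deny; ip/tcp/udp/icmp; any, host A.B.C.D or A.B.C.D wildcard;
optional `eq <port>` after either address) and evaluates a packet in one of two
modes: "preauth" is the ACL bound with `ip access-group web` (matching permit
passes, matching or implicit deny drops); "redirect" is the ACL ISE names in
url-redirect-acl for CWA (matching deny passes untouched, matching permit on
TCP 80/443 redirects). Unmatched traffic in redirect mode is modelled as
dropped; that default-closed assumption is this model's, and the ACLs and
packets are constructed for the example.
"""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80}
REDIRECTABLE_PORTS = {80, 443}

Packet = namedtuple("Packet", "proto src sport dst dport")  # proto: tcp, udp or icmp
Rule = namedtuple("Rule", "action proto src sport dst dport")  # src/dst: IPv4Network; ports: int or None


def matches(rule: Rule, pkt: Packet) -> bool:
    """An entry matches when protocol, both addresses and any stated ports agree."""
    return (rule.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport))


def _addr(tokens, i):
    """Parse `any`, `host A.B.C.D` or `A.B.C.D wildcard`; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = str(ipaddress.ip_address(~wildcard & 0xFFFFFFFF))
    return ipaddress.ip_network((tokens[i], netmask), strict=False), i + 2


def _port(tokens, i):
    """Parse an optional `eq <port|name>`; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(PORT_NAMES.get(tokens[i + 1], tokens[i + 1])), i + 2
    return None, i


def parse_acl(text: str) -> list:
    """One entry per line, in configuration order; leading sequence numbers are allowed."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit():
            tokens = tokens[1:]
        if not tokens:
            continue
        src, i = _addr(tokens, 2)
        sport, i = _port(tokens, i)
        dst, i = _addr(tokens, i)
        dport, i = _port(tokens, i)
        rules.append(Rule(tokens[0], tokens[1], src, sport, dst, dport))
    return rules


def evaluate(acl: list, pkt: Packet, mode: str) -> str:
    """Return 'pass', 'drop' or 'redirect' according to the first matching entry."""
    for rule in acl:
        if not matches(rule, pkt):
            continue
        if mode == "preauth":
            return "pass" if rule.action == "permit" else "drop"
        if rule.action == "deny":
            return "pass"  # in a redirect ACL, deny means "do not redirect"
        return "redirect" if pkt.proto == "tcp" and pkt.dport in REDIRECTABLE_PORTS else "drop"
    return "drop"  # implicit deny at the end of every ACL


# The LWA/EWA pre-auth ACL from this page, as a named ACL.
PREAUTH_ACL = parse_acl("""
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit tcp any any eq domain
 deny ip any any
""")

# A CWA redirect ACL: DNS, DHCP and ISE (192.168.10.50) pass, web traffic is redirected.
REDIRECT_ACL = parse_acl("""
 10 deny udp any any eq domain
 20 deny udp any eq bootpc any eq bootps
 30 deny ip any host 192.168.10.50
 40 permit tcp any any eq www
 50 permit tcp any any eq 443
""")
```

The instructive case is feeding PREAUTH_ACL to the evaluator in redirect mode, which is exactly what happens when someone names the pre-auth ACL in the ISE authorization profile: its final deny ip any any means "never redirect", so web traffic passes without the client ever seeing the portal.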
HTTP and HTTPS for Web Authentication
The C9800 serves the portal from its own HTTP server, so that server must be enabled. The login page is served over HTTPS on the virtual IP; what the two intercept settings in the global parameter map control is which client requests the controller hijacks to get the user there:
Device(config)# ip http server
Device(config)# ip http secure-server
Device(config)# parameter-map type webauth global
Device(config-params-webauth)# trustpoint portal-cert
Device(config-params-webauth)# webauth-http-enable
Device(config-params-webauth)# no intercept-https-enable
Device(config-params-webauth)# end
webauth-http-enable makes the controller intercept plain HTTP, which is what the captive-portal probes of iOS, Android and Windows use, so the login page opens automatically. intercept-https-enable would also hijack HTTPS connections; leave it off, because the controller can only present the certificate for its own virtual host, so every intercepted HTTPS site would raise a certificate error and train users to ignore exactly the warning that protects them. The trustpoint selects the certificate used in the portal handshake. Note that ip http server also answers management-GUI requests over plain HTTP on the controller's own interfaces; restrict who can reach those addresses rather than assuming the command only serves guests.
Verification Commands
After configuration, verify that web authentication is operating correctly. Start with the parameter maps: the virtual IP, virtual host, trustpoint and HTTP intercept setting belong to the global map, the type, banner, connection limit and init-state timeout to the named map:
Device# show parameter-map type webauth global
Device# show parameter-map type webauth guest-portal
Check client state: a client that has associated but not logged in shows Webauth Pending, an authenticated one shows Run:
Device# show wireless client summary
Device# show wireless client mac-address aaaa.bbbb.cccc detail
The detailed output also reports the policy profile and the web-auth or redirect ACL applied to the client, which is the first thing to check when a client never sees the portal.
View the ACL definitions:
Device# show ip access-lists PREAUTH-GUEST
Verify the parameter map configuration in the running configuration:
Device# show running-config | section parameter-map
For CWA, also confirm that the controller can reach ISE:
Device# show aaa servers
Configuration Example: Simple LWA with Internal Portal
Here is a complete, minimal configuration for a guest network with LWA using the controller's built-in portal. It shows the local guest account, the AAA lists, the certificate, the global and named parameter maps, the pre-auth ACL, the WLAN and the policy profile. The trustpoint is self-signed so that the example is self-contained; in production, import a public-CA certificate for the virtual host name instead:
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa authentication login webauth-local local
Device(config)# aaa authorization network default local
Device(config)# username guest1 secret <password>
Device(config)#
Device(config)# ip http server
Device(config)# ip http secure-server
Device(config)#
Device(config)# crypto pki trustpoint web-auth-cert
Device(config-pki-tp)# enrollment selfsigned
Device(config-pki-tp)# subject-name CN=portal.company.com
Device(config-pki-tp)# rsakeypair web-auth-key 2048
Device(config-pki-tp)# hash sha256
Device(config-pki-tp)# revocation-check none
Device(config-pki-tp)# exit
Device(config)# crypto pki enroll web-auth-cert
Device(config)#
Device(config)# parameter-map type webauth global
Device(config-params-webauth)# virtual-ip ipv4 192.0.2.1 virtual-host portal.company.com
Device(config-params-webauth)# trustpoint web-auth-cert
Device(config-params-webauth)# webauth-http-enable
Device(config-params-webauth)# exit
Device(config)# parameter-map type webauth default-guest
Device(config-params-webauth)# type webauth
Device(config-params-webauth)# max-http-conns 80
Device(config-params-webauth)# timeout init-state sec 300
Device(config-params-webauth)# banner text ^CWelcome to Guest Network^C
Device(config-params-webauth)# exit
Device(config)#
Device(config)# ip access-list extended PREAUTH-GUEST
Device(config-ext-nacl)# permit udp any eq bootpc any eq bootps
Device(config-ext-nacl)# permit udp any any eq domain
Device(config-ext-nacl)# permit tcp any any eq domain
Device(config-ext-nacl)# deny ip any any
Device(config-ext-nacl)# exit
Device(config)#
Device(config)# wlan guest-network 100 Guest
Device(config-wlan)# no security wpa
Device(config-wlan)# security web-auth
Device(config-wlan)# security web-auth authentication-list webauth-local
Device(config-wlan)# security web-auth parameter-map default-guest
Device(config-wlan)# ip access-group web PREAUTH-GUEST
Device(config-wlan)# no shutdown
Device(config-wlan)# exit
Device(config)#
Device(config)# wireless profile policy guest-policy
Device(config-wireless-policy)# vlan 100
Device(config-wireless-policy)# idle-timeout 600
Device(config-wireless-policy)# session-timeout 28800
Device(config-wireless-policy)# no shutdown
Device(config-wireless-policy)# end
Device# write memory
This configuration creates a guest WLAN named "Guest" that requires web authentication. Clients receive DHCP and can resolve DNS, but cannot access any other resources until they authenticate at the portal with a local account; an idle client is dropped after 10 minutes and every session must log in again after 8 hours. Map the WLAN and the policy profile in a policy tag applied to the guest APs. Note that username entries are ordinary IOS-XE local accounts: if the controller's own management login (console, vty, GUI) also falls back to the local database, a guest credential becomes a management credential. Keep management authentication on a separate method list that does not consult these users, or create portal users through the controller's Guest User feature (Configuration > Security > Guest User), which creates time-limited guest accounts.
Configuration Example: CWA with ISE
A more advanced example using Cisco ISE for authentication and policy control. The RADIUS group is used only for network authorization and accounting; do not point the controller's own login authentication (aaa authentication login default) at ISE as a side effect, or a lost ISE connection can lock you out of the controller:
Device# configure terminal
Device(config)# aaa new-model
Device(config)# radius server ISE-Server
Device(config-radius-server)# address ipv4 192.168.10.50 auth-port 1812 acct-port 1813
Device(config-radius-server)# key <shared-secret>
Device(config-radius-server)# exit
Device(config)# aaa group server radius ISE-Servers
Device(config-sg-radius)# server name ISE-Server
Device(config-sg-radius)# exit
Device(config)# aaa authorization network ISE-AUTHZ group ISE-Servers
Device(config)# aaa accounting identity ISE-ACCT start-stop group ISE-Servers
Device(config)#
Device(config)# aaa server radius dynamic-author
Device(config-locsvr-da-radius)# client 192.168.10.50 server-key <shared-secret>
Device(config-locsvr-da-radius)# exit
Device(config)#
Device(config)# ip http server
Device(config)# parameter-map type webauth global
Device(config-params-webauth)# virtual-ip ipv4 192.0.2.1
Device(config-params-webauth)# webauth-http-enable
Device(config-params-webauth)# exit
Device(config)#
Device(config)# ip access-list extended REDIRECT-CWA
Device(config-ext-nacl)# deny udp any any eq domain
Device(config-ext-nacl)# deny udp any eq bootpc any eq bootps
Device(config-ext-nacl)# deny ip any host 192.168.10.50
Device(config-ext-nacl)# deny ip host 192.168.10.50 any
Device(config-ext-nacl)# permit tcp any any eq www
Device(config-ext-nacl)# permit tcp any any eq 443
Device(config-ext-nacl)# exit
Device(config)#
Device(config)# wlan employee-guest 110 Employee-Guest
Device(config-wlan)# no security wpa
Device(config-wlan)# mac-filtering ISE-AUTHZ
Device(config-wlan)# no shutdown
Device(config-wlan)# exit
Device(config)#
Device(config)# wireless profile policy employee-guest-policy
Device(config-wireless-policy)# vlan 110
Device(config-wireless-policy)# aaa-override
Device(config-wireless-policy)# nac
Device(config-wireless-policy)# accounting-list ISE-ACCT
Device(config-wireless-policy)# no shutdown
Device(config-wireless-policy)# end
Device# write memory
In this example ISE hosts the portal and returns its URL, together with the redirect ACL name REDIRECT-CWA, in the MAB Access-Accept for an unknown endpoint. After the user authenticates, ISE sends a CoA to the C9800, the controller repeats the MAB request, and ISE returns the post-login authorization, at which point the client is granted access. All accounting and policy decisions remain under ISE control, providing centralized visibility and compliance auditing. Replace <shared-secret> with a long random value that is unique to this controller and matches its network device entry in ISE.
Key Takeaways
Web authentication on the C9800 is a powerful mechanism for controlling guest access, enforcing acceptable-use policies, and integrating with enterprise authentication frameworks like ISE. Here are the essential points to remember:
- Choose the right method for your scale: LWA is simple and sufficient for small networks; CWA with ISE provides policy-based control for enterprise environments; EWA lets you brand the page yourself while the controller still checks the credentials.
- Serve the portal over HTTPS with a certificate clients already trust: a public-CA certificate for the virtual host name, referenced by the trustpoint in the global parameter map. A self-signed certificate protects the credentials in transit but still produces browser warnings, and guests trained to click through warnings are easier to phish.
- Pre-auth ACLs are your first line of defense: permit only DHCP, DNS and (for EWA) the portal server before authentication; everything else is dropped until the client completes the web auth flow. A CWA redirect ACL reads the other way round: deny lines pass traffic, permit lines select what is redirected.
- The virtual IP lives in the global parameter map: pick a non-routable address such as 192.0.2.1 that appears nowhere in your network, pair it with a virtual host name, and have DNS resolve that name to it.
- Verify with "show" commands: "show parameter-map type webauth global", "show wireless client summary", "show wireless client mac-address <mac> detail" and "show ip access-lists <name>" confirm your configuration matches intent.
- CWA requires dynamic authorization: configure "aaa server radius dynamic-author" with a "client" entry and a strong, unique server-key for each ISE node, and allow UDP 1700 (the IOS-XE default CoA port) from ISE to the controller.
- Custom portal pages enhance branding: upload custom HTML for the login, success, failure and expired pages, but keep them free of resources fetched from other hosts, which the pre-auth ACL will block.
- Session timeouts balance security and usability, and they are set in the policy profile, not the parameter map: a short idle-timeout (300–600 seconds) limits how long an abandoned device keeps its session, a session-timeout forces a fresh login after a fixed period, and the init-state timeout in the parameter map only bounds how long a client may sit on the login page.
With these tools and configurations in hand, you can deploy web authentication that meets your organization's access control requirements while maintaining a seamless user experience for guests and contractors.