
Cisco Spaces Captive Portal Runbook

OVERVIEW

Users now expect to be connected to the internet wherever they are, so it is paramount that they can connect securely and seamlessly.

This Cisco validated runbook will look at Captive Portals to onboard customers.

A captive portal is the first touchpoint with your business for customers on Wi-Fi. It provides an opportunity to engage with customers who connect to Wi-Fi, offer relevant information, drive monetization, and potentially acquire customer information. Captive portals enable businesses to choose from multiple authentication mechanisms and deliver targeted experiences based on business rules. They can recognize repeat visitors and deliver customized offers, enhancing customer engagement and loyalty.


SUPPORT AND ONBOARDING

Please follow the link below to find out about the different ways to get support for Cisco Spaces.

Support Info Link


PREREQUISITES

This Cisco validated runbook is designed only as a follow on from the Spaces OS Runbook. If you have not completed that runbook yet, please go back and ensure that the deployment has been validated against that before continuing here.

General Prerequisites

Captive Portal requires the following prerequisites to be met:

  • An active Cisco Spaces account.

  • A Cisco wireless network. Both controller-based (Cisco AireOS or Cisco Catalyst wireless controller) and cloud-based (Cisco Meraki) networks are supported.

  • Add the wireless network to your Cisco Spaces account.

    • For controller-based architecture, the Cisco Spaces Connector must be used.

    • For Cisco Meraki networks, add the Cisco Meraki account to your Cisco Spaces account.


IMPLEMENTATION

Setting up a Captive Portal involves two tasks: i) Wireless Infrastructure Configuration and, subsequently, ii) Captive Portal Configuration.

The Wireless Infrastructure Configuration ensures the underlying network is ready to host a Captive Portal setup. Once the Wireless Infrastructure Configuration has been completed, the Captive Portal Configuration steps can commence on the Cisco Spaces dashboard.

Wireless Infrastructure Configuration

Setting up Wireless Infrastructure for Captive Portal requires the following steps:

  1. Configure webauth parameters

  2. Configure ACLs

  3. Configure AAA servers

  4. Configure SSID

Please refer to the relevant Wireless Infrastructure instructions based on the controller in your network.

Meraki Wireless Infrastructure Configuration


Click here for a video guided demo

Step 1: Edit / Create SSID in Meraki

This step is needed if a new SSID needs to be created for a Captive Portal, so that it can be imported into Cisco Spaces.

  1. In the Meraki Dashboard, navigate to Wireless > Access Control.

  2. Create or edit the SSID that is needed for Captive Portal access.

  3. In the Security area, choose Mac-based access control (no encryption).

  4. In the Splash page area, choose Click-through.

Step 2: Import the SSID in Cisco Spaces

  1. In the Cisco Spaces dashboard, navigate to the Captive Portals application.

  2. Then go to SSID -> Import / Configure SSID -> Meraki and choose the organization.

If the sync is not complete yet, you will not see the SSID. In that case, wait until the sync is complete and try again. It may take up to 2 hours for the sync to complete.

  3. If the sync is completed and SSIDs are visible, choose the SSID and click Import.

  4. Once imported, click Configure Manually and choose the appropriate Wireless Infrastructure for relevant instructions. In this case, it will be Cisco Meraki.

  5. Click the Configure SSID tab and note the important information regarding the Wall Garden and the Custom Splash Page URL. These details will need to be configured on the Meraki dashboard in later steps.

    • Wall Garden

    • Splash Page URL

  6. Click the Configure Radius Server tab and note the details of the Radius authentication and accounting servers for configuration in the following steps.

Radius Authentication

  • Host: 34.197.146.105, 34.228.1.95

  • Port: 1812

  • Secret Key: **************

Radius Accounting

  • Host: 34.197.146.105, 34.228.1.95

  • Port: 1813

  • Secret Key: **************

Step 3: Configuration in Meraki

  1. In the Meraki dashboard, navigate to Wireless > Access Control. In the Radius servers area, click Add server, and in the fields that appear configure the radius server details for authentication. Add the following servers separately:

  2. In the Radius accounting servers area, click Add server, and in the fields that appear configure the radius server details for accounting. Add the following servers separately:

  3. From the "Radius attribute specifying group policy name" drop-down list, choose Filter-Id.

  4. Under Advanced splash settings, enter the Walled garden details.

  5. Save the changes.

  6. Navigate to Wireless > Configuration > Splash Page. Choose the correct SSID for configuring.

  7. In the Custom Splash URL area, choose “Or provide a URL where users will be redirected” and paste the Splash page URL copied earlier from Cisco Spaces.

  8. Save the changes.

Step 4: Configuration in Meraki

  1. In the Cisco Meraki dashboard, click Network-wide > Group Policies.

  2. Click Add a Group.

  3. In the New Group window that appears, enter a name for the group. Note this name exactly, since it will be needed in Cisco Spaces rules when provisioning seamless authentication.

You have to configure this name as the policy name in the Cisco Spaces dashboard. If you specify the group name as "CaptiveBypass", this policy name will act as the default policy name for all the Captive Portal rules. That is, if you do not specify a policy name for a Captive Portal rule for which "Seamlessly Provision Internet" is selected, the policy name "CaptiveBypass" will be applied for that rule.

  4. From the Bandwidth drop-down list, choose the required option, and specify the Internet bandwidth to be provisioned for the customers.

  5. From the Splash drop-down list, choose Bypass.

  6. Save the changes.

Catalyst Wireless Infrastructure Configuration



For detailed instructions on setting up Cisco Spaces Captive Portal with Catalyst 9800 WLC, please refer to the configuration guide here.

Please note, the Catalyst 9800 Wireless Controller must have a trusted certificate installed that is tied to the virtual interface IP/DNS entry.

Learn more

If further assistance is needed with the trusted certificate, please raise a TAC case with the Cisco Wireless team.


Click here for a video guided demo

Create the Access Control List

  1. Log into Catalyst 9800 Wireless Controller.

  2. Create the ACL by adding URL filters.
    a. Choose Configuration > Security > URL Filter.
    b. In the URL Filters window, click Add.
    c. In the List Name field, enter the list name.
    d. Change the status of Action to Permit.
    e. In the URLs field, enter the splash page domain, found in Cisco Spaces Captive Portals > SSIDs > Catalyst 9800 Wireless Controller > SSIDs > Configure Manually.


    Add the following domains, if you want to enable social authentication:
    *.fbcdn.net
    *.licdn.com
    *.licdn.net
    *.twimg.com
    *.gstatic.com
    *.twitter.com
    *.akamaihd.net
    *.facebook.com
    *.facebook.net
    *.linkedin.com
    ssl.gstatic.com
    *.googleapis.com
    static.licdn.com
    *.accounts.google.com
    *.connect.facebook.net
    oauth.googleusercontent.com

    f. Choose Configuration > Tags and Profiles > Policy.
    g. In the Policy Profile window, click default-policy-profile.
    h. In the Edit Policy Profile window, click the Access Policies tab.
    i. In the URL Filters area, from the Pre Auth drop-down list, choose the previously created ACL.
    j. Click Update & Apply to Device.
    k. In the URL field that appears, enter the Cisco Spaces splash URL (for your organisation) - the same as the one in the previous step 2e:

    https://splash.dnaspaces.io/**/*******

If you are using the EMEA portal, use https://splash.dnaspaces.eu/**/*****; for the APAC portal, use http://splash.ciscospaces.sg/**/****.



Create the URL Filter Configuration

  1. Log into Catalyst 9800 Wireless Controller.

  2. Navigate to Configuration -> Security -> URL Filters, click +Add, and configure the list name. Select PRE-AUTH as the type and PERMIT as the action, and enter the URL splash.dnaspaces.io (or splash.dnaspaces.eu if you are using the EMEA portal, or splash.ciscospaces.sg for the APAC portal).
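
Everything in the pre-auth URL filter is reachable before a client authenticates, so it is worth auditing the list before applying it. The following added example (not part of the Cisco runbook) reports repeated entries, entries already implied by a wildcard, and whether a given hostname would be permitted; the wildcard matching rule and the function names are assumptions made for this example.

```python
# Added example: audit a pre-auth URL filter (walled garden) list.
# Assumption: "*.example.com" permits any subdomain of example.com but not
# example.com itself; confirm the matching rules of your controller release.

# Constructed sample: the splash domain and the social-login domains listed
# in this section, with one entry repeated on purpose.
PRE_AUTH_LIST = """
splash.dnaspaces.io
*.fbcdn.net *.licdn.com *.licdn.net *.twimg.com *.gstatic.com
*.twitter.com *.akamaihd.net *.facebook.com *.facebook.net *.linkedin.com
ssl.gstatic.com *.googleapis.com *.googleapis.com static.licdn.com
*.accounts.google.com *.connect.facebook.net oauth.googleusercontent.com
""".split()


def normalise(entry):
    """Lower-case an entry and drop surrounding space and a trailing dot."""
    return entry.strip().lower().rstrip(".")


def covers(pattern, host):
    """True if allowlist entry `pattern` permits hostname `host`."""
    pattern, host = normalise(pattern), normalise(host)
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # suffix match on ".example.com"
    return host == pattern


def is_permitted(host, entries):
    """True if any entry lets `host` through before authentication."""
    return any(covers(entry, host) for entry in entries)


def audit(entries):
    """Report repeated entries and entries already implied by a wildcard."""
    unique, duplicates, redundant = [], [], {}
    for entry in map(normalise, entries):
        (duplicates if entry in unique else unique).append(entry)
    for entry in unique:
        # For a wildcard entry, test the name underneath the "*." prefix.
        base = entry[2:] if entry.startswith("*.") else entry
        for other in unique:
            if other != entry and other.startswith("*.") and covers(other, base):
                redundant[entry] = other
                break
    effective = [e for e in unique if e not in redundant]
    return {"duplicates": duplicates, "redundant": redundant,
            "effective": effective}


if __name__ == "__main__":
    report = audit(PRE_AUTH_LIST)
    print("repeated entries:", report["duplicates"])
    for entry, wildcard in report["redundant"].items():
        print(f"{entry} is already covered by {wildcard}")
    print("entries that change what is reachable:", len(report["effective"]))
    for host in ("www.facebook.com", "facebook.com", "notfacebook.com"):
        print(host, "permitted pre-auth:", is_permitted(host, PRE_AUTH_LIST))
```
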


Create the Web Auth Parameter (without RADIUS Server on Cisco Spaces)

To create the Web Auth Parameter Map, perform the following steps:

  1. Navigate to Configuration > Security > Web Auth and click +Add to create a new parameter map. In the window that pops up, configure the parameter map name and select Consent as the type.

  2. Click the parameter map configured in the previous step, navigate to the Advanced tab, and enter the Redirect for log-in URL, Append for AP MAC Address, Append for Client MAC Address, Append for WLAN SSID and portal IPv4 Address as follows, and then click Update & Apply.

a. Redirect for Log-in = <Specific URL for the customer tenant goes here>

b. Redirect Append for AP MAC Address = ap_mac

c. Redirect Append for Client MAC Address = client_mac

d. Redirect Append for WLAN SSID = wlan

e. Portal IPV4 Address = 34.235.248.212 (please perform an nslookup on splash.dnaspaces.io and use one of the returned values)

Alternatively, if your Cisco Spaces account is using the EMEA or APAC portal, use the following:
For EMEA, use splash.dnaspaces.eu and IP address: 34.353.175.120
For APAC, use splash.ciscospaces.sg and IP address: 13.250.197.154

Create the Web Auth Parameter Map (with RADIUS Server on Cisco Spaces)

To create the Web Auth Parameter Map, perform the following steps:

  1. Navigate to Configuration > Security > Web Auth, click +Add, configure the parameter map name, and select webauth as the type.

  2. Click the parameter map configured in the previous step, navigate to the Advanced tab, and enter the Redirect for log-in URL, Append for AP MAC Address, Append for Client MAC Address, Append for WLAN SSID and portal IPv4 Address as follows, and then click Update & Apply.

a. Redirect for Log-in = <Specific URL for the customer tenant goes here>

b. Redirect Append for AP MAC Address = ap_mac

c. Redirect Append for Client MAC Address = client_mac

d. Redirect Append for WLAN SSID = wlan

e. Portal IPV4 Address = 34.235.248.212 (please perform an nslookup on splash.dnaspaces.io and use one of the returned values)

Alternatively, if your Cisco Spaces account is using the EMEA or APAC portal, use the following:
For EMEA, use http://splash.dnaspaces.eu and IP address: 34.353.175.120
For APAC, use http://splash.ciscospaces.sg and IP address: 13.250.197.154
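
A pre-deployment check for the two Web Auth parameter map procedures above, added here as an example and not taken from Cisco's documentation: it compares the Portal IPv4 Address with the addresses the nslookup step returns and checks the redirect host and append values for the chosen region. The dictionary keys, the tenant path placeholder and the sample DNS answer are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Regional splash hostnames named on this page.
PORTAL_HOSTS = {
    "US": "splash.dnaspaces.io",
    "EMEA": "splash.dnaspaces.eu",
    "APAC": "splash.ciscospaces.sg",
}
# Redirect append values from steps b to d. The dictionary keys are
# hypothetical field names chosen for this example.
EXPECTED_APPEND = {"ap_mac": "ap_mac", "client_mac": "client_mac",
                   "wlan_ssid": "wlan"}


def resolve_a_records(hostname):
    """The nslookup step: return the host's current IPv4 addresses."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET,
                               socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_portal_ip(configured, resolved):
    """Classify a Portal IPv4 Address value against the resolver's answers."""
    try:
        addr = ipaddress.IPv4Address(configured.strip())
    except ipaddress.AddressValueError:
        return "invalid"        # not a well-formed IPv4 address
    if not addr.is_global:
        return "not-public"     # e.g. an internal address entered by mistake
    return "ok" if str(addr) in resolved else "not-in-dns"


def audit_parameter_map(pmap, region, resolved):
    """Return a list of findings; an empty list means the map is consistent."""
    findings = []
    expected_host = PORTAL_HOSTS[region]
    host = urlsplit(pmap["redirect_for_login"]).hostname
    if host != expected_host:
        findings.append(f"redirect_for_login: host {host} is not {expected_host}")
    for field, expected in EXPECTED_APPEND.items():
        if pmap.get(field) != expected:
            findings.append(f"{field}: expected {expected}")
    status = check_portal_ip(pmap["portal_ipv4"], resolved)
    if status != "ok":
        findings.append(f"portal_ipv4: {status}")
    return findings


# Constructed samples: the tenant path is a placeholder, the IPv4 values are
# the ones printed in steps e above.
US_MAP = {"redirect_for_login": "https://splash.dnaspaces.io/TENANT/PLACEHOLDER",
          "ap_mac": "ap_mac", "client_mac": "client_mac", "wlan_ssid": "wlan",
          "portal_ipv4": "34.235.248.212"}
EMEA_MAP = dict(US_MAP,
                redirect_for_login="https://splash.dnaspaces.eu/TENANT/PLACEHOLDER",
                portal_ipv4="34.353.175.120")

if __name__ == "__main__":
    # Live run: needs DNS access from the management workstation.
    for region, pmap in (("US", US_MAP), ("EMEA", EMEA_MAP)):
        answers = resolve_a_records(PORTAL_HOSTS[region])
        print(region, answers, audit_parameter_map(pmap, region, answers))
```

The EMEA address as printed above, 34.353.175.120, is reported as `invalid` because 353 is not a valid IPv4 octet, so take the value from the nslookup result rather than copying it.
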

Create the SSID

  1. Choose Configuration > Tags and Profiles > WLANs.

  2. Click Add.

  3. On the General tab, in the Profile Name field, enter the profile name.

  4. In the SSID field, enter the SSID name defined at Step 1.

  5. Set the status as Enabled.

  6. Click the Security tab, and then click the Layer2 tab.

  7. From the Layer 2 Security Mode drop-down list, choose None.

  8. Click the Layer3 tab.

  9. Check the Web Policy check box.

  10. From the WebAuth Parameter Map drop-down list, choose the Web Auth Parameter Map created at step 2.

  11. Click Save & Apply to Device.

Configure Radius Server

To provide an additional layer of security for your portal, Cisco Spaces supports RADIUS authentication for internet provisioning on captive portals.

Step 1 - Configure Radius Server

  1. Log into Catalyst 9800 Wireless Controller.

  2. Configure the RADIUS server.

We highly recommend using RADIUS authentication for captive portals. The following features work only if you configure RADIUS authentication.

a. Seamless Internet Provisioning.

b. Extended session duration.

c. Deny Internet.

  3. Choose Configuration > Security > AAA.

  4. In the Authentication Authorization and Accounting window, click the Servers/Groups tab.

  5. Choose Radius > Servers, and click Add.

  6. In the Name field, enter a name for the radius server.

  7. In the IPv4 / IPv6 Server Address field, enter the radius server address.

You can configure only the Cisco Spaces radius servers. To view the radius server IP address and secret key, in the Cisco Spaces dashboard, click the Captive Portal app. Click SSIDs, and then click the Configure Manually link for the Cisco Catalyst SSID created at Step 1. In the window that appears, the radius server details will be listed in the Radius Server Configuration section. Configure both the primary and secondary radius server IPs. You can also contact the Cisco Spaces support team.

  8. In the Key field, enter the key: ************* and confirm it in the Confirm Key field.

  9. In the Auth Port field, enter 1812.

  10. In the Acct Port field, enter 1813.

  11. Click Save & Apply to Device. The server added will be available in the Servers list.

  12. Choose Radius > Server Groups, and click Add.

  13. In the Name field, enter a name.

  14. From the MAC-Delimiter drop-down list, choose hyphen.

  15. From the MAC-Filtering drop-down list, choose mac.

  16. Move the radius server previously created from “Available Servers” to “Assigned Servers” using the arrow button.

  17. Click Save & Apply to Device.

  18. In the Authentication Authorization and Accounting window, click the AAA Method List tab.

  19. Click Authentication, click Add, and specify the following details:

    1. In the Method List Name field, enter the method list name.

    2. From the Type drop-down list, choose Login.

    3. From the Group Type drop-down list, choose Group.

    4. Move the server group created earlier (point 12. to point 17.) from Available Server Groups to Assigned Servers Groups, and click Save & Apply to Device.

  20. On the AAA Method List tab, click Authorization, click Add, and specify the following details:

    1. In the Method List Name field, enter the method list name.

    2. From the Type drop-down list, choose Network.

    3. From the Group Type drop-down list, choose group.

    4. Move the server group previously created (point 12. to point 17.) from Available Servers to Assigned Servers using the arrow button, and click Save & Apply to Device.

  21. On the AAA Method List tab, click Accounting, click Add, and specify the following details:

    1. In the Method List Name field, enter the method list name.

    2. From the Type drop-down list, choose Identity.

    3. From the Group Type drop-down list, choose group.

    4. Move the server group previously created (point 12. to point 17.) from Available Servers to Assigned Servers using the arrow button, and click Save & Apply to Device.

Step 2 - Enable L3 and L2 authentication (Mac Filtering)

Make sure Type is selected as webauth in parameter-map for RADIUS Authentication.

To configure L3 and L2 authentication, ensure that you have created the SSIDs and have done all the configurations at step 5. You can then import the SSIDs to Cisco Spaces, and configure captive portals for SSIDs using the Captive Portal Rule.

  1. Choose Configuration > Tags and Profiles > WLANs.

  2. Click the SSID for which you want to configure L2 and L3 Authentication.

  3. In the Edit WLAN window, click the Security tab.

  4. On the Layer3 tab, from the Authentication drop-down list, choose the radius authentication configured previously.

  5. On the Layer2 tab, to enable Mac Filtering, check the MAC Filtering check box.

  6. From the Authorization List drop-down list that appears, choose the authorization server created previously.

  7. Click Show Advanced Settings.

  8. Check the On Mac Filter Failure check box.

  9. Click Update & Apply to Device.

  10. Choose Configuration > Tags and Profiles > Policy.

  11. Click default-policy-profile.

  12. On the Advanced tab, in the AAA Policy area, check the Allow AAA Override check box.

  13. Ensure that default aaa policy is selected from the Policy Name drop-down list.

  14. Click Update & Apply to Device.

Step 3 - Enable Radius Accounting

  1. Choose Configuration > Tags and Profiles > Policy.

  2. Click default-policy-profile.

  3. On the Advanced tab, from the Account List drop-down list, choose the accounting server created previously.

  4. Click Update & Apply to Device.


Captive Portal Configuration (No Authentication)

Once the Wireless Infrastructure has been set up, configuring the Captive Portal requires the following tasks:

  1. Create or Import Portal

  2. Set authentication and data capture settings

  3. Configure rules and triggers

For a video guided demo, please see the links below:

How to Setup Instant Portals

How to Configure Captive Portal Rules

Create a Portal

  1. In Cisco Spaces, navigate to Captive Portal App -> Portal.

  2. Either create a new portal or use one of the templates, such as the Covid-19 specific templates. If using a template, select it and duplicate it for editing.

  3. Enter a name for the portal and select the locations where this portal will be used. Select Next.

  4. Select the authentication type as needed. If no specific authentication is needed, select No Authentication, for example.

For other Captive Portal Authentication methods, please refer to our Knowledge Article: [Coming Soon]

  5. Choose whether Data Capture and User Agreements need to be displayed on the portal. Leave them unselected if not needed.

  6. Choose whether users need to specifically agree to opt in to the network. Enter the opt-in message and choose the default behaviour.

  7. If you want to show a specific Data Capture form that users must complete, enable Data Capture.

  8. Multiple fields are available to choose from, and fields can be made mandatory for visitors to complete.

  9. After all needed fields are chosen, click Next.

  10. Select and configure the Terms and Conditions as necessary. Choose whether to Enable Terms and Conditions, Enable Privacy Policy or Age Gating.

  11. Select Save and Configure Portal when done.

Edit the Captive Portal Settings

  1. Click the newly created portal to start editing it.

  2. In the Portal Editor window, edit and reorder the modules on the side panel by dragging and dropping them into the desired sequence.

  3. Type in any required welcome message. You can preview the look and feel of the Captive Portal page in the Portal Preview panel on the right, which renders draft changes live.

  4. Smart variables can also be added in the messages using $<key>.

| Smart Variable | Description |
| --- | --- |
| $location | Location Name as per Hierarchy |
| $Address | Address of the location |
| $State | State of the location |
| $Zipcode | Zip Code of the location |
| $Country | Country of the location |
| $City | City of the location |

  5. The variables in this Portal Editor section pertain to the properties of the location where the client is connecting, i.e. which building, floor etc.

  6. The landing page shown upon success can be edited by clicking Get Internet.

  7. New modules can be added directly with additional content.

  8. Any previous configurations can be edited by clicking the pencil icon at the top of the Portal Editor page.


Create Portal Rules

  1. Navigate to Cisco Spaces and then Captive Portal App -> Captive Portal Rules.

  2. To define a rule that is triggered as needed, click Create New Rule.

  3. Enter a name for the rule. Select the SSID against which this rule will be triggered. The SSID should have already been imported / configured in earlier steps.

  4. Add a location against which this rule should be triggered. At least one location level needs to be selected.

  5. The location needs to be chosen from the existing location hierarchy and can range from an entire campus down to a single zone on a floor.

  6. Any mix of locations can be selected, including AireOS, Catalyst or Meraki networks. Click Done once the networks are selected.

The rule will be triggered only if a client is connecting on an AP that exists in the selected location.

  7. In the Locations section, if the location hierarchy has metadata tags in use, the rule can also be triggered against very specific locations. Example use case: exclude “yet to open” sites and include “recently opened” sites for a new portal campaign.

  8. In the Identify section, multiple selections are available. Cisco Spaces saves the MAC addresses used by clients to apply these filters. The table below details the options:

| Identify Filter | Function |
| --- | --- |
| Filter by Onboarding Status | Allows you to choose a particular action or portal for visitors depending on whether or not they have previously completed captive portal authentication. |
| Filter by Opt-In Status | Allows you to choose a particular action or portal for visitors who have specifically chosen to opt in. |
| Filter by Tags | The Captive Portals application and the Location Personas application can tag visitors with specific tags based on their on-location behavior. These tags can be used to trigger a specific action or portal for specific visitors. |
| Filter by Previous Visits | Allows you to choose a particular action or portal based on whether a client has come into a specific location at least a specific number of times, or between two numbers of times, on particular days or day ranges. |

  9. In the Actions section, multiple selections are available. The table below details the options:

| Actions | Function |
| --- | --- |
| Show Captive Portal | A specific portal that has been created can be chosen to be shown. Different rules can be created to show different types of portals. |
| Seamlessly Provision Internet | This option can be used to avoid showing the portal and directly onboard visitors’ devices. For Seamless Provisioning in Meraki, choose the exact group policy name which was provided in the Meraki configuration earlier. |
| Deny Internet | This option can be used to reject the device association. |

  10. Furthermore, a tag can be created and assigned to visitors that match all the rules and are successfully onboarded to the network.

  11. External APIs can be triggered when a new client is onboarded for the very first time. To trigger an API every time a client is successfully onboarded, select ‘Enable for repeat visitors’.

The variables in this API section pertain to the properties of the visitor that is connecting (for example, visitor name, gender etc.).

Many variables, such as email, name and address, are only available if they were captured for the same visitor using the Data Capture form in the portal.

The following Smart Variables are available in the Captive Portals API:

| Variable Details | Smart Variables |
| --- | --- |
| Location Name | $locationName |
| Email | $email |
| Address | $Address |
| Mac-address | $macaddress |
| Mobile | $mobile |
| State | $State |
| Encrypted Mac-address | $encryptedMacaddress |
| Gender | $gender |
| Zip Code | $Zipcode |
| Device subscriber ID | $deviceSubscruberId |
| Opt in Status | $optinstatus |
| Country | $Country |
| First Name | $firstName |
| URL | $URL |
| City | $City |
| Last Name | $lastName |
| Type | $Type |

  12. View the overall created rule in the summary section on the right side of the dashboard.

  13. If satisfied with the rule, click Save & Publish.

  14. Once the rule is pushed, the Captive Portal will show up as being Live in the Portal window.


FAQ

Which network firewall ports need to be open for a Captive Portal?

A Captive Portal will require a security policy configured on the network firewall to allow inbound traffic. By default, all inbound traffic is disallowed. Inbound communication happens through ports 1812 & 1813.

The firewall needs to be configured to allow bidirectional communication for the RADIUS protocol over ports 1812 and 1813.

  • Allow UDP traffic on:

    • Port 1812 (for Authentication)

    • Port 1813 (for Accounting)

  • Allow both inbound and outbound traffic for these ports.

  • Ensure that the UDP protocol is explicitly allowed, as RADIUS uses UDP by default.

Refer to the table below for all the required Firewall Rules for Captive Portal:

| Source IP Address | Destination IP Address | Direction | Transport | Source Port | Destination Port | Protocol |
| --- | --- | --- | --- | --- | --- | --- |
| Cisco AireOS Wireless Controller IP address | Connector | Unidirectional | UDP and TCP | Any | 1812, 1813 | Remote Authentication Dial-In User Service (RADIUS) |
| Connector | Any | Unidirectional | TCP | Any | 2083 | RADIUS over TLS (RADSEC) |
| Connector | Any | Unidirectional | TCP | Any | 443 | |
