
How to enable Spotipo Cloud on Cisco WLC 9800 controller

Note: Because the WLC doesn't support FQDN ACLs, the payment option is unfortunately not supported on it.

Add a Site



On our Spotipo website, create a site. Make sure that the router type is set to "Cisco WLC".



Once you have created your Site, go to Settings -> WLC and create a new WLC Network by clicking the Add button.



Once the Site is created, your new network will contain some important data that you will need later in the configuration, so make sure to note it down.



Configure Spotipo Radius Authentication/Accounting server



On your WLC GUI, go to Configuration -> Security -> AAA -> Servers/Groups -> RADIUS. Add a new RADIUS server and configure it as shown below.

Name: Spotipo-Radius

Server Address: 34.77.150.10

Leave the Auth and Acct ports at 1812 and 1813, which are the default values.

To find the Key, look up the RADIUS SECRET listed on the Spotipo website and copy it into the Key field.



If you want to add the backup server, repeat the same steps with the Server Address 35.205.248.64. For the Key, use the same RADIUS Secret as before.

Once you have created the RADIUS entries, you need to add them to a server group.




Once you've configured the RADIUS servers, go to AAA Method List.

Create a new Authentication method list called spotipo_local_auth. Make sure that the Type is login and the Group Type is set to local.

Also, make sure that your RADIUS Server Group is assigned to this method list.



Next, go to Authorization and repeat the same steps. Make sure the Type is network and the Group Type is local.



Also, create a default Accounting method list called default. Make sure the Type is network.



Configure WebAuth to use Spotipo as External Portal



Go to Configuration -> Security -> WebAuth. First, select the global parameter. Make sure that the Virtual IPv4 Address is set. It doesn't have to be a specific address; 192.0.2.1 is the default.

For Trustpoint, make sure you have a valid SSL certificate set. If you use a self-signed certificate, users will be shown an "unsafe" warning while trying to authenticate.

Also, make sure to have Web Auth intercept HTTPS and Enable HTTP server for Web Auth turned on.

If you're using a valid SSL certificate, you must use a Hostname different from the Cisco WLC management Hostname.



After you've configured global webauth, create a new parameter. Call it spotipo_webauth (or anything you'd like).

Make sure that the type is set to webauth and disable Success and Logout Window as well as Cisco Logo.



Go to the Advanced tab. Take the URL provided on the Spotipo website under Splash URL and enter it under Redirect URL for login.

Configure the rest as pictured below. Make sure that the Portal IPv4 Address is set to 107.178.247.148, as that is the IP address of app.spotipo.com.



Configuring WLAN



Go to Configuration -> Tags & Profiles -> WLANs. If you've already created a WLAN, open it. If not, create one by pressing the Add button.

Under Security, make sure that the Layer 2 security is set to none.



Under Layer 3, make sure that the Web Policy is turned on. Set the Web Auth Parameter Map to the one we created previously (spotipo_webauth).

Also, make sure that the Authentication list is set to the spotipo_local_auth list that we created earlier.


Optional: Create External Access list for allowing Facebook login



If you want your users to log in with their Facebook profile, or if you'd like to enable paid Wi-Fi, you will need to allow additional IP addresses by creating an external ACL.

Since there are a lot of addresses that need to be allowed, we suggest using the CLI for this part of the setup, but everything can also be achieved by going to Configuration -> Security -> ACL and creating a new Access List there.

For allowing Facebook, copy these commands to your WLC's terminal.

config terminal

ip access-list extended Spotipo-preauth
 permit ip any 129.134.0.0 0.0.255.255
 permit ip any 157.240.0.0 0.0.255.255
 permit ip any 173.252.64.0 0.0.63.255
 permit ip any 179.60.192.0 0.0.3.255
 permit ip any 185.60.216.0 0.0.3.255
 permit ip any 204.15.20.0 0.0.3.255
 permit ip any 31.13.24.0 0.0.7.255
 permit ip any 31.13.64.0 0.0.63.255
 permit ip any 45.64.40.0 0.0.3.255
 permit ip any 66.220.144.0 0.0.15.255
 permit ip any 69.63.176.0 0.0.15.255
 permit ip any 69.171.224.0 0.0.31.255
 permit ip any 74.119.76.0 0.0.3.255
 permit ip any 103.4.96.0 0.0.3.255
 deny ip any any
! Return to privileged EXEC; write memory is not accepted in configuration mode
end


Make sure to save the configuration.

write memory

Once these addresses are allowed, assign this ACL to the WLAN you're using for a captive portal.
Go to Configuration -> Tags & Profiles -> WLANs and select the WLAN you're using for the captive portal.
After that, go to:
Security -> Layer 3 -> Show advanced settings -> Preauthentication ACL -> IPv4 - Spotipo-preauth
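
A pre-authentication ACL decides what clients can reach before they log in, so it is worth re-checking whenever entries are added or edited. The following Python script is an added example, not part of Spotipo's or Cisco's material, and its function names are hypothetical: it converts each wildcard mask from the ACL above to a CIDR prefix, flags entries that match more than their text suggests, and totals the addresses reachable before login.

```python
import ipaddress

# Permit entries copied from the article's Spotipo-preauth ACL listing.
PAGE_ACL = """
 permit ip any 129.134.0.0 0.0.255.255
 permit ip any 157.240.0.0 0.0.255.255
 permit ip any 173.252.64.0 0.0.63.255
 permit ip any 179.60.192.0 0.0.3.255
 permit ip any 185.60.216.0 0.0.3.255
 permit ip any 204.15.20.0 0.0.3.255
 permit ip any 31.13.24.0 0.0.7.255
 permit ip any 31.13.64.0 0.0.63.255
 permit ip any 45.64.40.0 0.0.3.255
 permit ip any 66.220.144.0 0.0.15.255
 permit ip any 69.63.176.0 0.0.15.255
 permit ip any 69.171.224.0 0.0.31.255
 permit ip any 74.119.76.0 0.0.3.255
 permit ip any 103.4.96.0 0.0.3.255
"""

def wildcard_to_prefix(wildcard):
    """Prefix length for a contiguous wildcard mask (2**n - 1), else None."""
    bits = int(ipaddress.IPv4Address(wildcard))
    return None if bits & (bits + 1) else 32 - bits.bit_length()

def audit_preauth_acl(text):
    """Return (networks, merged address count, findings) for 'permit ip any'."""
    nets, findings = [], []
    for line in map(str.strip, text.splitlines()):
        w = line.split()
        if len(w) < 4 or w[:3] != ["permit", "ip", "any"]:
            continue  # deny entries and other entry forms are not audited here
        if w[3] == "any":
            findings.append(f"all destinations open before login: {line}")
            continue
        addr, wild = (w[4], "0.0.0.0") if w[3] == "host" else (w[3], w[4])
        prefix = wildcard_to_prefix(wild)
        if prefix is None:
            findings.append(f"non-contiguous wildcard: {line}")
            continue
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        if str(net.network_address) != addr:
            findings.append(f"host bits set, effective range {net}: {line}")
        nets.append(net)
    total = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return nets, total, findings

if __name__ == "__main__":
    nets, total, findings = audit_preauth_acl(PAGE_ACL)
    print(len(nets), "networks,", total, "addresses;", findings or "no findings")
```

To audit a running controller, paste the ACL body from its configuration into `audit_preauth_acl()` in place of `PAGE_ACL`.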

Updated on: 12/03/2025
