Wireless LAN Controller
Wireless LAN Controller access point management, WLAN policies, and FlexConnect configuration.
C9800 Architecture Overview
The C9800 runs IOS-XE. Configuration uses a tag-based model:
- WLAN Profile — SSID name, security method, AAA
- Policy Profile — VLAN, QoS, session timeout, ACLs
- Policy Tag — binds WLAN to Policy Profile
- Site Tag — local/flex mode, AP join profile
- RF Tag — radio resource management parameters
An AP gets one Policy Tag, one Site Tag, and one RF Tag. These three tags determine everything about what the AP does.
WLAN Configuration
WLC(config)# wlan CORP-WIRELESS 1 CORP-WIRELESS
WLC(config-wlan)# security dot1x authentication-list ISE-DOT1X
WLC(config-wlan)# security wpa wpa3
WLC(config-wlan)# security wpa akm dot1x
WLC(config-wlan)# no shutdown
WLC(config)# wlan GUEST 2 GUEST
WLC(config-wlan)# security wpa psk set-key ascii 0 <PSK>
WLC(config-wlan)# security wpa akm psk
WLC(config-wlan)# no shutdown
Policy Profile
WLC(config)# wireless profile policy CORP-POLICY
WLC(config-wireless-policy)# vlan 10
WLC(config-wireless-policy)# session-timeout 28800
WLC(config-wireless-policy)# aaa-override
WLC(config-wireless-policy)# nac
WLC(config-wireless-policy)# no shutdown
aaa-override allows ISE to push VLAN, ACL, and QoS via RADIUS attributes, overriding the static policy. nac enables posture assessment and CoA support.
Tags
WLC(config)# wireless tag policy BUILDING-A-POLICY
WLC(config-policy-tag)# wlan CORP-WIRELESS policy CORP-POLICY
WLC(config)# wireless tag site BUILDING-A-SITE
WLC(config-site-tag)# ap-profile BUILDING-A-JOIN
If you omit local-site under the site tag, APs operate in local mode (traffic tunneled to WLC). Add local-site for FlexConnect (local switching at the AP).
WLC(config)# wireless tag rf BUILDING-A-RF
WLC(config-rf-tag)# 24ghz-rf-policy LOW-DENSITY-24
WLC(config-rf-tag)# 5ghz-rf-policy HIGH-DENSITY-5
WLC(config)# ap <AP-ETHERNET-MAC>
WLC(config-ap-tag)# policy-tag BUILDING-A-POLICY
WLC(config-ap-tag)# site-tag BUILDING-A-SITE
WLC(config-ap-tag)# rf-tag BUILDING-A-RF
Changing a tag on an AP causes it to disconnect and rejoin. Schedule tag changes during maintenance windows.
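Because every SSID an AP serves is reached through its policy tag, the bindings can be audited offline before a change window. The following Python is an added example, not Cisco tooling or code from the original page: it resolves each AP's policy tag to the WLAN and policy profile it binds, reports the AKM, VLAN and aaa-override state per SSID, and flags dangling references. It assumes the configuration is saved as text with sub-mode lines indented; the sample config, GUEST-POLICY, BUILDING-B-POLICY and the AP MACs are constructed.

```python
# Constructed sample (page's commands, prompts removed); GUEST-POLICY, BUILDING-B-POLICY, MACs are made up.
SAMPLE = """\
wlan CORP-WIRELESS 1 CORP-WIRELESS
 security wpa akm dot1x
wireless profile policy CORP-POLICY
 vlan 10
 aaa-override
wireless tag policy BUILDING-A-POLICY
 wlan CORP-WIRELESS policy CORP-POLICY
 wlan GUEST policy GUEST-POLICY
ap 0000.5e00.5301
 policy-tag BUILDING-A-POLICY
 site-tag BUILDING-A-SITE
 rf-tag BUILDING-A-RF
ap 0000.5e00.5302
 policy-tag BUILDING-B-POLICY
"""

def parse_blocks(text):
    """Map each unindented parent line to its indented sub-mode lines (word lists)."""
    blocks, current = {}, None
    for line in text.splitlines():
        if line.strip() and not line.startswith(" "):
            current = blocks.setdefault(tuple(line.split()), [])
        elif line.strip() and current is not None:
            current.append(line.split())
    return blocks

def audit(text):
    """Resolve AP -> policy tag -> (WLAN, policy profile); return (effective, findings)."""
    blocks = parse_blocks(text)
    wlans = {h[1]: b for h, b in blocks.items() if h[0] == "wlan"}
    profiles = {h[3]: b for h, b in blocks.items() if h[:3] == ("wireless", "profile", "policy")}
    ptags = {h[3]: b for h, b in blocks.items() if h[:3] == ("wireless", "tag", "policy")}
    aps = {h[1]: dict(b) for h, b in blocks.items() if h[0] == "ap" and len(h) == 2}  # not "ap profile"
    effective, findings = {}, []
    for mac, tags in aps.items():
        findings += [f"{mac}: no explicit {t}" for t in ("policy-tag", "site-tag", "rf-tag") if t not in tags]
        ptag = tags.get("policy-tag")
        if ptag is not None and ptag not in ptags:
            findings.append(f"{mac}: policy tag {ptag} is not defined")
        effective[mac] = []
        for _, wlan, _, prof in ptags.get(ptag, []):
            if wlan not in wlans or prof not in profiles:
                findings.append(f"{mac}: {ptag} binds {wlan} -> {prof}, but one of them is undefined")
                continue
            akm = next((l[-1] for l in wlans[wlan] if l[:3] == ["security", "wpa", "akm"]), None)
            vlan = next((l[1] for l in profiles[prof] if l[0] == "vlan"), None)
            effective[mac].append((wlan, akm, vlan, ["aaa-override"] in profiles[prof]))
    return effective, findings
```

An AP without an explicit tag is only reported; what the controller applies in that case is not covered on this page.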
AP Join Profile
WLC(config)# ap profile BUILDING-A-JOIN
WLC(config-ap-profile)# hyperlocation ble-beacon 0
WLC(config-ap-profile)# description "Building A APs"
FlexConnect
WLC(config)# wireless tag site REMOTE-SITE
WLC(config-site-tag)# local-site
WLC(config-site-tag)# ap-profile REMOTE-JOIN
WLC(config)# wireless profile flex REMOTE-FLEX
WLC(config-wireless-flex)# native-vlan-id 1
WLC(config-wireless-flex)# vlan-name CORP-VLAN
WLC(config-wireless-flex-vlan)# vlan-id 10
Show Commands
WLC# show ap summary (1)
WLC# show ap tag summary (2)
WLC# show ap name AP-BLDG-A-01 config general (3)
WLC# show ap uptime (4)
(1) All APs with name, model, IP, state
(2) Tag assignments per AP
(3) Detailed config for a specific AP
(4) AP uptime — useful for finding recent reboots
WLC# show wlan summary (1)
WLC# show wireless profile policy summary (2)
WLC# show wireless tag policy summary (3)
(1) All WLANs with ID, SSID, status, security
(2) All policy profiles
(3) Policy tag to WLAN/policy bindings
WLC# show wireless client summary (1)
WLC# show wireless client mac-address <MAC> detail (2)
WLC# show wireless stats client detail (3)
(1) All connected clients with AP, SSID, state
(2) Deep dive on one client — VLAN, data rate, RSSI, auth method, policy applied
(3) Aggregate client statistics
WLC# show wireless stats ap join summary
WLC# show wireless stats client delete reason-code
delete reason-code shows why clients are disconnecting — deauth, idle timeout, roam, etc. Essential for troubleshooting user complaints.
Debugging Client Issues
WLC# debug wireless mac <CLIENT-MAC>
WLC# ! reproduce the issue
WLC# no debug wireless mac <CLIENT-MAC>
This starts a radioactive trace for that client and writes a per-client trace file to bootflash:. Retrieve it:
WLC# dir bootflash: | include <CLIENT-MAC>
WLC# more bootflash:ra_trace_MAC_<MAC>_<timestamp>.log
Radioactive trace is the correct approach on C9800. Never use debug dot1x all on production — it traces every client on every AP.