WLC Configuration for VyOS Integration

1. Overview

This runbook documents the Catalyst 9800-CL Wireless LAN Controller configuration and lists the traffic flows the VyOS firewall must permit so that wireless keeps working after the cutover.

Component         Value                        Notes
Active WLC        WLC-LAB (10.50.1.40)         kvm-01, 4 vCPU, 16GB RAM
Standby WLC       WLC-02 (10.50.1.41)          kvm-02, SSO HA ACTIVE (validated 2026-03-08)
HA Mode           SSO (Stateful Switchover)    Sub-second failover, port 9800
IOS-XE Version    17.15                        Must match on both WLCs
Management VLAN   VLAN 100                     10.50.1.0/24 subnet

PRE-MIGRATION CLEANUP REQUIRED

This runbook documents the current state. Before VyOS migration, address:

  1. VLAN Mismatch: WLC trunk missing VLAN 20 (Voice) and 999 (Quarantine)

  2. Legacy WLANs: Multiple overlapping WLAN/Policy configs need consolidation

  3. Certificate: HOME-ROOT-CA (Windows AD CS) → migrate to Vault PKI

2. Architecture

2.1. Traffic Flows Through VyOS

[Diagram: WLC Traffic Flows]

2.2. SSO HA Architecture

See WLC HA SSO Deployment for full HA deployment.

[Diagram: WLC SSO HA Architecture]

3. Phase 1: Document Current Configuration

3.1. 1.1 Capture Running Config

ssh 9800-wlc-01.inside.domusdigitalis.dev "show running-config" > /tmp/wlc-lab-config-$(date +%Y%m%d).txt
chmod 600 /tmp/wlc-lab-config-*.txt

The dump contains secrets: the IoT WLAN PSK is stored with `ascii 0` (unencrypted, see 1.3) and the RADIUS/CoA keys are in it too. Restrict the file's permissions and do not leave it in a shared /tmp longer than needed.

3.2. 1.2 Interface Configuration

Current State (from running-config 2026-02-24):

interface GigabitEthernet1
 switchport trunk native vlan 100
 switchport trunk allowed vlan 10,30,40,100
 switchport mode trunk
 negotiation auto
!
interface Vlan100
 ip address 10.50.1.40 255.255.255.0
 no ip proxy-arp
!
ip route 0.0.0.0 0.0.0.0 10.50.1.1

VLAN MISMATCH - ACTION REQUIRED

Switch trunk (Te1/0/1, Te1/0/2): 10,20,30,40,100,999

WLC trunk (GigabitEthernet1): 10,30,40,100

Missing on WLC:

  • VLAN 20 (Voice) - Add if voice over WiFi needed

  • VLAN 999 (Quarantine) - Add for AAA-override auth-fail scenarios

3.3. 1.3 WLAN Configuration

ssh 9800-wlc-01.inside.domusdigitalis.dev "show wlan summary"

Current WLANs (Active):

ID  Profile Name   SSID           Security                   VLAN
4   Domus-Secure   Domus-Secure   WPA2-Enterprise (802.1X)   10 (via policy)
5   Domus-IoT      Domus-IoT      WPA2-PSK + MAC filtering   40 (via policy)

3.3.1. WLAN: Domus-Secure (802.1X)

wlan Domus-Secure 4 Domus-Secure
 security dot1x authentication-list ISE-Auth
 no shutdown

3.3.2. WLAN: Domus-IoT (iPSK with MAC Filtering)

wlan Domus-IoT 5 Domus-IoT
 mac-filtering ISE-AuthZ
 security wpa psk set-key ascii 0 <PSK>
 no security wpa akm dot1x
 security wpa akm psk
 no shutdown

Uses ISE-AuthZ for MAC filtering: the per-device PSK is returned by ISE (iPSK), and the PSK configured on the WLAN is only the fallback when ISE returns none. Note that `set-key ascii 0` stores that PSK unencrypted in the running config, which is why config dumps (section 1.1) must be treated as secret.

3.4. 1.4 Policy Profiles

ssh 9800-wlc-01.inside.domusdigitalis.dev "show wireless profile policy summary"

Active Policy Profiles:

Profile               VLAN   AAA Override   NAC   Accounting
POLICY-DOMUS_SECURE   10     Yes            Yes   ISE-ACCT
POLICY-DOMUS_IoT      40     Yes            No    None
Guest-Policy          30     Yes            Yes   ISE-ACCT
IoT-Policy            40     Yes            Yes   ISE-ACCT
VLAN10-Policy         10     Yes            Yes   ISE-ACCT

CLEANUP CANDIDATE: Multiple IoT policies exist (POLICY-DOMUS_IoT, IoT-Policy). Consider consolidating.

3.4.1. Policy: POLICY-DOMUS_SECURE

wireless profile policy POLICY-DOMUS_SECURE
 aaa-override
 accounting-list ISE-ACCT
 nac
 vlan 10
 no shutdown

3.4.2. Policy: POLICY-DOMUS_IoT

wireless profile policy POLICY-DOMUS_IoT
 aaa-override
 vlan 40
 no shutdown

3.5. 1.5 Policy Tags

ssh 9800-wlc-01.inside.domusdigitalis.dev "show wireless tag policy summary"

Current Policy Tags:

Tag Name             WLAN → Policy Mappings                               Status
HomeRF-Tag           HomeRF→VLAN10, IoT_Net→IoT, Guest_Net→Guest          ⚠️ STALE - WLANs deleted
default-policy-tag   Domus-Secure→SECURE, Domus-IoT→IoT, (+ stale refs)   Active (has stale refs)
TAG-DOMUS_SECURE     Domus-Secure→SECURE                                  Active
IoT-Tag              IoT-Net→IoT, DOMUS_IoT→IoT                           ⚠️ STALE - WLANs deleted

AP ASSIGNMENT ISSUE

The AP 78bc.1a36.82c0 is assigned to HomeRF-Tag which references deleted WLANs.

Reassign to default-policy-tag or create a clean tag.

3.5.1. Current AP Assignment

ap 78bc.1a36.82c0
 policy-tag HomeRF-Tag
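
The three findings above (VLANs trunked on the switch but missing on the WLC uplink, policy tags that reference deleted WLANs or policy profiles, and an AP still assigned to such a tag) can be checked mechanically from the running-config dump taken in 1.1. The script below is an added example for this runbook, not Cisco code: it parses the indented IOS-XE block structure and reports all three. The config excerpt it runs on is constructed to mirror the state documented in this section, and the switch-side VLAN list is taken from 1.2; point `audit()` at the real dump to use it.

```python
"""Pre-migration audit of a Catalyst 9800 running-config (added example).

Reports VLANs allowed on the switch trunk but not on the WLC trunk, policy
tags that map WLANs or policy profiles that are not defined, and APs that
are assigned to such stale tags.
"""
import re

# Constructed excerpt mirroring section 1 of the runbook (not a real dump).
SAMPLE_CONFIG = """\
interface GigabitEthernet1
 switchport trunk native vlan 100
 switchport trunk allowed vlan 10,30,40,100
 switchport mode trunk
!
wlan Domus-Secure 4 Domus-Secure
 security dot1x authentication-list ISE-Auth
 no shutdown
wlan Domus-IoT 5 Domus-IoT
 mac-filtering ISE-AuthZ
 no shutdown
wireless profile policy POLICY-DOMUS_SECURE
 vlan 10
wireless profile policy POLICY-DOMUS_IoT
 vlan 40
wireless tag policy HomeRF-Tag
 wlan HomeRF policy VLAN10-Policy
 wlan IoT_Net policy IoT-Policy
wireless tag policy TAG-DOMUS_SECURE
 wlan Domus-Secure policy POLICY-DOMUS_SECURE
ap 78bc.1a36.82c0
 policy-tag HomeRF-Tag
"""

# VLANs carried on the switch side of the trunk (Te1/0/1, Te1/0/2 in 1.2).
SWITCH_TRUNK_VLANS = "10,20,30,40,100,999"

# 'allowed vlan 10,30' and 'allowed vlan add 20,999' both contribute VLANs.
ALLOWED_RE = re.compile(r"switchport trunk allowed vlan (?:add )?(\S+)")
TAG_MAP_RE = re.compile(r"wlan (\S+) policy (\S+)")


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,20-22,100' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_blocks(config):
    """Return (header, [child lines]) for each top-level IOS block."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # comment / separator lines
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        elif not raw.startswith(" "):
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def audit(config, switch_vlans=SWITCH_TRUNK_VLANS):
    """Return missing_vlans, stale_tags and aps_on_stale_tags for the config."""
    wlans, policies, tags, aps, wlc_vlans = set(), set(), {}, {}, set()
    for header, body in parse_blocks(config):
        words = header.split()
        if words[0] == "wlan":                       # wlan <profile> <id> <ssid>
            wlans.add(words[1])
        elif words[:3] == ["wireless", "profile", "policy"]:
            policies.add(words[3])
        elif words[:3] == ["wireless", "tag", "policy"]:
            tags[words[3]] = [m.groups() for line in body
                              for m in [TAG_MAP_RE.match(line)] if m]
        elif words[0] == "ap":                       # ap <mac> / policy-tag <tag>
            for line in body:
                if line.startswith("policy-tag "):
                    aps[words[1]] = line.split()[1]
        elif header.startswith("interface GigabitEthernet"):
            for line in body:
                m = ALLOWED_RE.match(line)
                if m:
                    wlc_vlans |= expand_vlans(m.group(1))

    # A tag is stale if any mapping names a WLAN or policy that no longer exists.
    stale = {name for name, maps in tags.items()
             if any(w not in wlans or p not in policies for w, p in maps)}
    return {
        "missing_vlans": sorted(expand_vlans(switch_vlans) - wlc_vlans),
        "stale_tags": sorted(stale),
        "aps_on_stale_tags": {mac: tag for mac, tag in aps.items() if tag in stale},
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Against the constructed excerpt this reports VLANs 20 and 999 missing on the WLC trunk, HomeRF-Tag as stale (it maps HomeRF, which no WLAN defines), and the AP 78bc.1a36.82c0 as sitting on that tag. Re-run it after Phase 2; all three lists should be empty.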

3.6. 1.6 RADIUS/AAA Configuration

ssh 9800-wlc-01.inside.domusdigitalis.dev "show aaa servers"

AAA Configuration:

aaa group server radius ISE-GROUP
 server name ISE-1
 server name ISE-2
 ip radius source-interface Vlan100
 deadtime 5
 mac-delimiter hyphen
!
aaa authentication dot1x ISE-Auth group ISE-GROUP
aaa authorization network ISE-AuthZ group ISE-GROUP
aaa accounting identity ISE-ACCT start-stop group ISE-GROUP
aaa accounting network ISE-Acct start-stop group ISE-GROUP
!
aaa server radius dynamic-author
 client 10.50.1.20 server-key <RADIUS_KEY>

Two accounting lists with near-identical names exist: ISE-ACCT (identity) is the one the policy profiles reference; ISE-Acct (network) is referenced nowhere in this document. IOS-XE list names are case-sensitive, so these are distinct lists; treat ISE-Acct as a cleanup candidate once confirmed unused.

RADIUS Servers:

Name    IP Address   Purpose
ISE-1   10.50.1.20   Primary PSN
ISE-2   10.50.1.21   Secondary PSN

RADIUS keys stored in gopass: gopass show v3/domains/d000/network/radius

SECURITY NOTE: The CoA client is only configured for ISE-1 (10.50.1.20). The WLC silently drops CoA requests from any source that is not a configured dynamic-author client, so a reauthentication or quarantine pushed from ISE-2 during a PSN failover would never take effect. Add ISE-2 for redundancy:

aaa server radius dynamic-author
 client 10.50.1.21 server-key <RADIUS_KEY>

3.7. 1.7 AP Summary

ssh 9800-wlc-01.inside.domusdigitalis.dev "show ap summary"

Current Access Points:

AP MAC           Model           Policy Tag      Status
78bc.1a36.82c0   Catalyst 9120   HomeRF-Tag ⚠️   Registered

3.8. 1.8 Certificate Configuration

ssh 9800-wlc-01.inside.domusdigitalis.dev "show crypto pki certificates"

Current Certificates:

Trustpoint      Issuer                         Expiry
WLC-MGMT-CERT   HOME-ROOT-CA (Windows AD CS)   2028-01-17
WLC_CA          Self-signed (internal)         2035-10-07
HOME-ROOT-CA    Windows AD CS                  2036-01-13

CERTIFICATE MIGRATION REQUIRED

WLC uses HOME-ROOT-CA (Windows AD CS) for management certificate.

Target: Migrate to Vault PKI (DOMUS-ISSUING-CA)

3.9. 1.9 RF Profiles

ssh 9800-wlc-01.inside.domusdigitalis.dev "show wireless profile rf summary"

Pre-configured density profiles available:

  • Low_Client_Density_rf_24gh / Low_Client_Density_rf_5gh

  • Typical_Client_Density_rf_24gh / Typical_Client_Density_rf_5gh

  • High_Client_Density_rf_24gh / High_Client_Density_rf_5gh

  • default-rf-profile-6ghz

4. Phase 2: VLAN and Configuration Alignment

Complete Phase 2 BEFORE VyOS migration. This ensures clean configuration and proper VLAN trunking.

4.1. 2.1 Add Missing VLANs to WLC Trunk

configure terminal
interface GigabitEthernet1
 switchport trunk allowed vlan add 20,999
end
write memory

Verify:

ssh 9800-wlc-01.inside.domusdigitalis.dev "show interfaces trunk"

Expected: 10,20,30,40,100,999

4.2. 2.2 Naming Convention Cleanup

Target Standard: DOMUS-* prefix for all profiles

Current Name          Target Name                           Type
Domus-Secure          DOMUS-Secure                          WLAN
Domus-IoT             DOMUS-IoT                             WLAN
POLICY-DOMUS_SECURE   POLICY-DOMUS-Secure                   Policy Profile
POLICY-DOMUS_IoT      POLICY-DOMUS-IoT                      Policy Profile
Guest-Policy          POLICY-DOMUS-Guest                    Policy Profile
IoT-Policy            DELETE (duplicate)                    Policy Profile
VLAN10-Policy         DELETE (superseded by DOMUS-Secure)   Policy Profile

IOS-XE has no in-place rename for WLAN or policy profiles: each "rename" is create the profile under the new name, re-point the policy tag at it, then delete the old one. The SSID (third argument of `wlan <profile> <id> <ssid>`) stays the same, so clients are unaffected, but WLAN IDs are unique: either delete the old WLAN before recreating it with the same ID (brief outage on that SSID) or give the new one a fresh ID.

4.3. 2.3 Remove Stale Policy Tags

Run step 2.5 first: AP 78bc.1a36.82c0 still references HomeRF-Tag, and a tag must not be deleted while an AP is assigned to it. Once `show ap tag summary` shows the AP on its new tag:

configure terminal
!
! Remove stale tags with deleted WLAN references
no wireless tag policy HomeRF-Tag
no wireless tag policy IoT-Tag
!
end
write memory

4.4. 2.4 Create Clean Policy Tag

configure terminal
!
wireless tag policy TAG-DOMUS-Home
 wlan DOMUS-Secure policy POLICY-DOMUS-Secure
 wlan DOMUS-IoT policy POLICY-DOMUS-IoT
 wlan DOMUS-Guest policy POLICY-DOMUS-Guest
!
end

Every WLAN and policy profile referenced in the tag must already exist under its new name (see 2.2) before this is applied. DOMUS-Guest is not among the WLANs listed in 1.3: create it (VLAN 30, matching Guest-Policy) or drop that line before committing the tag.

4.5. 2.5 Reassign AP to Clean Tag

configure terminal
!
ap 78bc.1a36.82c0
 policy-tag TAG-DOMUS-Home
!
end
write memory

Verify:

ssh 9800-wlc-01.inside.domusdigitalis.dev "show ap tag summary"

4.6. 2.6 Add CoA Client for ISE-2 (HA)

configure terminal
aaa server radius dynamic-author
 client 10.50.1.21 server-key <RADIUS_KEY>
end
write memory

4.7. 2.7 Switch VLAN 666 (Native VLAN)

Current State on Switch:

vlan 666
 name Native
! Native VLAN (unused, shutdown)

KEEP VLAN 666 - This is a security best practice.

Using an unused, shut-down native VLAN means untagged frames arriving on a trunk go nowhere, which defeats 802.1Q double-tagging VLAN hopping. Do NOT remove it.

Check the other end of the trunk: the WLC's GigabitEthernet1 is configured with `switchport trunk native vlan 100`, so its Vlan100 management traffic leaves untagged. The switch ports facing the WLC (Te1/0/1, Te1/0/2) must use the same native VLAN, otherwise management frames land in the wrong VLAN. The cleaner end state is native VLAN 666 on both sides so that VLAN 100 is carried tagged; compare `show interfaces trunk` on the switch and on the WLC.

5. Phase 3: VyOS Firewall Rules for Wireless

5.1. 3.1 Required Ports

VyOS must allow these traffic flows:

Flow             Protocol/Port    Source               Destination
CAPWAP Control   UDP 5246         APs (any VLAN)       WLC (10.50.1.40, 10.50.1.41)
CAPWAP Data      UDP 5247         APs (any VLAN)       WLC (10.50.1.40, 10.50.1.41)
RADIUS Auth      UDP 1812         WLC                  ISE (10.50.1.20, 10.50.1.21)
RADIUS Acct      UDP 1813         WLC                  ISE (10.50.1.20, 10.50.1.21)
RADIUS CoA       UDP 1700, 3799   ISE                  WLC
SSO/RP           TCP/UDP 9800     WLC-01               WLC-02
SSH              TCP 22           Admin workstations   WLC
HTTPS            TCP 443          Admin workstations   WLC
SNMP             UDP 161          Monitoring (Wazuh)   WLC
Syslog           UDP 514          WLC                  Wazuh (10.50.1.134)
NTP              UDP 123          WLC                  10.50.1.1
DNS              UDP/TCP 53       WLC                  10.50.1.90

Note which of these actually cross the firewall. The WLCs, ISE, Wazuh, the NTP source and the DNS server all sit in 10.50.1.0/24 (VLAN 100), so RADIUS, CoA, syslog, NTP and DNS are switched within the VLAN and never transit VyOS; the matching rules in 3.2 only take effect if one end is later moved to another zone. SSO/RP traffic rides on the dedicated Gi2 link (169.254.1.0/24, see Phase 4) and does not transit VyOS either. The flows that do cross it today are CAPWAP from APs on other VLANs and admin/monitoring access from outside VLAN 100.

5.2. 3.2 VyOS Firewall Rules

Add to VyOS configuration (see vyos-deployment.adoc). The rules below match on protocol and port only; before committing, narrow them with `source address` / `destination address` (or address groups) to the WLC and ISE addresses, otherwise any host in the zone can reach those ports on any other host in the peer zone. Syntax is VyOS 1.3 (`set firewall name`); VyOS 1.4 uses `set firewall ipv4 name` instead.

# CAPWAP from APs to WLC (within INFRA zone)
set firewall name INFRA-TO-INFRA rule 100 description "CAPWAP Control"
set firewall name INFRA-TO-INFRA rule 100 destination port 5246
set firewall name INFRA-TO-INFRA rule 100 protocol udp
set firewall name INFRA-TO-INFRA rule 100 action accept

set firewall name INFRA-TO-INFRA rule 101 description "CAPWAP Data"
set firewall name INFRA-TO-INFRA rule 101 destination port 5247
set firewall name INFRA-TO-INFRA rule 101 protocol udp
set firewall name INFRA-TO-INFRA rule 101 action accept

# SSO between WLC-01 and WLC-02
set firewall name INFRA-TO-INFRA rule 110 description "WLC SSO TCP"
set firewall name INFRA-TO-INFRA rule 110 destination port 9800
set firewall name INFRA-TO-INFRA rule 110 protocol tcp
set firewall name INFRA-TO-INFRA rule 110 action accept

set firewall name INFRA-TO-INFRA rule 111 description "WLC SSO UDP"
set firewall name INFRA-TO-INFRA rule 111 destination port 9800
set firewall name INFRA-TO-INFRA rule 111 protocol udp
set firewall name INFRA-TO-INFRA rule 111 action accept

# RADIUS from WLC to ISE
set firewall name INFRA-TO-SECURITY rule 100 description "RADIUS Auth"
set firewall name INFRA-TO-SECURITY rule 100 destination port 1812
set firewall name INFRA-TO-SECURITY rule 100 protocol udp
set firewall name INFRA-TO-SECURITY rule 100 action accept

set firewall name INFRA-TO-SECURITY rule 101 description "RADIUS Acct"
set firewall name INFRA-TO-SECURITY rule 101 destination port 1813
set firewall name INFRA-TO-SECURITY rule 101 protocol udp
set firewall name INFRA-TO-SECURITY rule 101 action accept

# CoA from ISE to WLC
set firewall name SECURITY-TO-INFRA rule 100 description "RADIUS CoA"
set firewall name SECURITY-TO-INFRA rule 100 destination port 1700,3799
set firewall name SECURITY-TO-INFRA rule 100 protocol udp
set firewall name SECURITY-TO-INFRA rule 100 action accept
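
The scoping just described is easy to get wrong by hand across a dozen rules, so the following added example (written for this runbook, not part of VyOS or the vyos-deployment.adoc) generates the rule set from the flow table as data. It keeps the ruleset names and rule numbers used above and adds VyOS address groups so that CAPWAP only reaches the two WLC addresses and CoA is only accepted from the two ISE PSNs. The group names `WLC` and `ISE` are assumptions; output is VyOS 1.3 syntax (for 1.4, replace `firewall name` with `firewall ipv4 name`).

```python
"""Emit scoped VyOS firewall rules for the wireless flows (added example).

Each flow pins a destination address group and, where the source side is a
known host set (CoA from ISE, RADIUS from the WLC), a source address group,
so the accepted ports are not reachable from arbitrary hosts in the zone.
"""

# Addresses from sections 1 and 1.6 of the runbook.
GROUPS = {
    "WLC": ["10.50.1.40", "10.50.1.41"],
    "ISE": ["10.50.1.20", "10.50.1.21"],
}

# (ruleset, rule number, description, protocol, ports, source group, destination group)
# A None source means "any host in the source zone" (APs live on several VLANs).
FLOWS = [
    ("INFRA-TO-INFRA",    100, "CAPWAP Control", "udp", "5246",      None,  "WLC"),
    ("INFRA-TO-INFRA",    101, "CAPWAP Data",    "udp", "5247",      None,  "WLC"),
    ("INFRA-TO-SECURITY", 100, "RADIUS Auth",    "udp", "1812",      "WLC", "ISE"),
    ("INFRA-TO-SECURITY", 101, "RADIUS Acct",    "udp", "1813",      "WLC", "ISE"),
    ("SECURITY-TO-INFRA", 100, "RADIUS CoA",     "udp", "1700,3799", "ISE", "WLC"),
]


def group_commands(groups=GROUPS):
    """Address-group definitions, one 'set' per member so config diffs stay readable."""
    return [f"set firewall group address-group {name} address {addr}"
            for name, addrs in groups.items() for addr in addrs]


def rule_commands(flows=FLOWS):
    """One rule per flow; every flow is scoped to a destination group at minimum."""
    cmds = []
    for ruleset, num, desc, proto, ports, src, dst in flows:
        prefix = f"set firewall name {ruleset} rule {num}"
        cmds.append(f"{prefix} description '{desc}'")
        cmds.append(f"{prefix} protocol {proto}")
        cmds.append(f"{prefix} destination port {ports}")
        cmds.append(f"{prefix} destination group address-group {dst}")
        if src:
            cmds.append(f"{prefix} source group address-group {src}")
        cmds.append(f"{prefix} action accept")
    return cmds


def render():
    """Full command list: groups first, because rules reference them."""
    return "\n".join(group_commands() + rule_commands())


if __name__ == "__main__":
    print(render())
```

Paste the output into `configure` on VyOS and `commit` / `save`. Keeping the flows as data also gives a single place to update when ISE-2's CoA client (2.6) or a third WLC address is added.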

6. Phase 4: WLC HA SSO (COMPLETED 2026-03-08)

HA SSO is now operational. WLC-01 (Active) and WLC-02 (Standby) are in SSO mode.

For detailed HA configuration procedures, see WLC HA SSO Deployment.

6.1. 4.1 Current HA Status

WLC                   Role          HA Interface
WLC-01 (10.50.1.40)   ACTIVE        Gi2: 169.254.1.1/24
WLC-02 (10.50.1.41)   STANDBY HOT   Gi2: 169.254.1.2/24

Validated configuration (2-NIC with Gi2):

  • Both WLCs have 2 NICs: Gi1 (trunk) and Gi2 (HA)

  • HA uses link-local IPs (169.254.x.x) on Gi2

  • Management IP (.41) is NOT accessible when standby - normal SSO behavior

6.2. 4.2 Verify SSO

ssh 9800-wlc-01.inside.domusdigitalis.dev "show redundancy"

Expected output:

Redundant System Information :
                 Hardware Mode = Duplex
              Configured Redundancy Mode = sso
              Operating Redundancy Mode = sso

             Current Processor Information :
               Active Location = slot 1
        Current Software state = ACTIVE

             Peer Processor Information :
              Standby Location = slot 2
        Current Software state = STANDBY HOT

Also confirm the dedicated RP link is up:

ssh 9800-wlc-01.inside.domusdigitalis.dev "show chassis redundancy ha-intf summary"
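
A monitoring check that only greps `show redundancy` for "sso" misses the cases that matter: the mode is configured but the peer is still bulk-syncing, or the peer is gone and the operating mode has fallen back to Non-redundant. The following added example (not Cisco code) parses the output into fields, keeping the active and peer software states apart, and returns a single verdict. The three samples are constructed from the expected output above; the degraded variants use the standard IOS-XE state strings (`STANDBY COLD-BULK`, `Non-redundant`), but check them against your own controller's output.

```python
"""Parse 'show redundancy' and decide whether SSO is healthy (added example)."""
import re

# Constructed from the expected output in 4.2.
SAMPLE_OK = """\
Redundant System Information :
                 Hardware Mode = Duplex
    Configured Redundancy Mode = sso
     Operating Redundancy Mode = sso

Current Processor Information :
               Active Location = slot 1
        Current Software state = ACTIVE

Peer Processor Information :
              Standby Location = slot 2
        Current Software state = STANDBY HOT
"""

# Constructed: peer present but bulk sync not finished yet.
SAMPLE_SYNCING = SAMPLE_OK.replace("STANDBY HOT", "STANDBY COLD-BULK")

# Constructed: peer lost; the controller runs without redundancy.
SAMPLE_NO_PEER = """\
Redundant System Information :
                 Hardware Mode = Simplex
    Configured Redundancy Mode = sso
     Operating Redundancy Mode = Non-redundant

Current Processor Information :
               Active Location = slot 1
        Current Software state = ACTIVE
"""

FIELD_RE = re.compile(r"\s*(.+?)\s*=\s*(.+?)\s*$")


def parse_redundancy(text):
    """Return the 'key = value' fields; the software state is keyed per section."""
    fields, section = {}, None
    for line in text.splitlines():
        if line.strip().endswith("Information :"):
            # "Redundant ...", "Current Processor ...", "Peer Processor ..."
            section = line.strip().split()[0].lower()
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key = m.group(1)
        if key == "Current Software state":
            key = f"{section}_state"          # current_state / peer_state
        fields[key] = m.group(2)
    return fields


def sso_healthy(text):
    """True only when both modes are sso, we are ACTIVE and the peer is STANDBY HOT."""
    f = parse_redundancy(text)
    return (f.get("Configured Redundancy Mode", "").lower() == "sso"
            and f.get("Operating Redundancy Mode", "").lower() == "sso"
            and f.get("current_state") == "ACTIVE"
            and f.get("peer_state") == "STANDBY HOT")


if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("syncing", SAMPLE_SYNCING),
                         ("no-peer", SAMPLE_NO_PEER)]:
        print(f"{name}: healthy={sso_healthy(sample)} "
              f"peer={parse_redundancy(sample).get('peer_state')}")
```

Feed it the output of `ssh 9800-wlc-01.inside.domusdigitalis.dev "show redundancy"` from a cron job or a Wazuh command wodle and alert when `sso_healthy()` is false; a false result after the cutover points at either the Gi2 RP link or a config-sync failure (see 4.2 and Appendix B).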

7. Phase 5: Post-Cutover Validation

After VyOS becomes primary gateway:

7.1. 5.1 WLC Connectivity

# From workstation
ping -c3 10.50.1.40
ssh 9800-wlc-01.inside.domusdigitalis.dev "show clock"

7.2. 5.2 AP Connectivity

ssh 9800-wlc-01.inside.domusdigitalis.dev "show ap summary"

All APs should show Registered state.

7.3. 5.3 CAPWAP Verification

ssh 9800-wlc-01.inside.domusdigitalis.dev "show ap capwap retransmit"

Low retransmit counts indicate healthy CAPWAP tunnels.

7.4. 5.4 Client Association

ssh 9800-wlc-01.inside.domusdigitalis.dev "show wireless client summary"

7.5. 5.5 RADIUS Connectivity

ssh 9800-wlc-01.inside.domusdigitalis.dev "test aaa group ISE-GROUP <test-user> <password> new-code"

Use a dedicated low-privilege test account in ISE for this rather than the admin credential: the password is sent to ISE as a real authentication attempt and, typed on the ssh command line, it also ends up in the workstation's shell history.

7.6. 5.6 SSO Health (If WLC-02 Deployed)

ssh 9800-wlc-01.inside.domusdigitalis.dev "show redundancy"
ssh 9800-wlc-01.inside.domusdigitalis.dev "show redundancy config-sync failures mcl"

8. Phase 6: Monitoring and Observability

8.1. 6.1 Syslog to Wazuh

logging host 10.50.1.134
logging trap informational
logging source-interface Vlan100

The source interface must be a Layer 3 interface. GigabitEthernet1 is a switchport trunk with no IP address, so syslog cannot be sourced from it; Vlan100 matches the `ip radius source-interface` used in 1.6.

8.2. 6.2 SNMP for Monitoring

! Read-only, non-default community, restricted to the monitoring host
access-list 10 permit 10.50.1.134
snmp-server community <SNMP_RO_COMMUNITY> RO 10
snmp-server location "Home Enterprise - Wireless"
snmp-server contact "admin@inside.domusdigitalis.dev"

Do not use the well-known default community `public`, and bind the community to an ACL so only Wazuh can poll; SNMPv3 with authPriv is preferable where the collector supports it.

8.3. 6.3 Key Metrics to Monitor

Metric          Show Command
AP count        show ap summary | include Number of APs
Client count    show wireless client summary | include Number of Clients
Auth failures   show wireless stats client detail | include Auth
CAPWAP state    show ap capwap retransmit
SSO state       show redundancy
CPU/Memory      show processes cpu sorted | exclude 0.00% ; show platform resources

9. Rollback

9.1. If Wireless Breaks After VyOS Cutover

  1. Check VyOS firewall rules allow CAPWAP (UDP 5246, 5247)

  2. Check RADIUS connectivity (UDP 1812, 1813 to ISE)

  3. Check default gateway on WLC points to VyOS VIP

  4. Check DHCP Option 43 is configured for AP VLAN (required for AP WLC discovery)

# From WLC
ping 10.50.1.1
ping 10.50.1.20
ping 8.8.8.8

9.2. Emergency: Revert to pfSense

If VyOS must be rolled back, no WLC changes are needed: the gateway IP (10.50.1.1) stays the same, so pfSense simply takes the address back.

10. Appendix A: Show Commands Reference

Command                                     Purpose
show wlan summary                           List all WLANs
show wireless profile policy summary        List policy profiles
show wireless profile flex summary          List flex profiles
show wireless tag site summary              List site tags
show wireless tag policy summary            List policy tags
show ap summary                             List all APs with state
show ap tag summary                         AP to tag mapping
show wireless client summary                List connected clients
show aaa servers                            RADIUS server status
show redundancy                             HA SSO status
show chassis redundancy ha-intf summary     RP interface status

11. Appendix B: Troubleshooting

11.1. AP Not Joining

DHCP Option 43 is required for APs to discover the WLC whenever they are not on the WLC's own subnet (CAPWAP broadcast discovery only works on the local L2 segment) and no CISCO-CAPWAP-CONTROLLER DNS record exists. With APs on a VLAN other than VLAN 100, as in this design, that means it is required: without it, APs do not join even though IP connectivity works. See VyOS Quick Ref - DHCP Option 43.

Troubleshooting Checklist
  • Verify AP can ping WLC IP (from AP console)

  • Check VyOS firewall allows CAPWAP (UDP 5246/5247) - see show firewall statistics

  • Check DHCP Option 43 is configured on AP VLAN

# On VyOS - verify Option 43 configured
show configuration commands | grep vendor-option

# Expected output ('0a320128' is 10.50.1.40; suboption 241 is the Cisco
# CAPWAP controller sub-option):
# set service dhcp-server shared-network-name 'DATA' subnet '...' option vendor-option cisco suboption 241 hex-string '0a320128'

# On WLC - check join statistics, then trace the AP's join with a radioactive
# trace (the AireOS-style "debug capwap events enable" does not exist on IOS-XE)
show wireless stats ap join summary
debug wireless mac <AP-ETHERNET-MAC> monitor-time 300
show logging profile wireless filter mac <AP-ETHERNET-MAC> to-file bootflash:ap-join.txt

# Check if AP can reach WLC
# (from AP console)
ping 10.50.1.40

11.2. Wireless Client DHCP Failing (IP Learn State)

DHCP RELAY REQUIRES SVI ON TARGET VLAN

If WLC policy profile has ipv4 dhcp server <IP> configured, WLC acts as DHCP relay. This requires the WLC to have an SVI (VLAN interface) on the client’s VLAN.

If WLC only has Vlan100 (management), DHCP relay will FAIL for other VLANs.

Symptom

Wireless clients authenticate successfully (ISE shows 5200 PASSED) but remain stuck in "IP Learn" state on WLC. Wired devices on same VLAN get DHCP normally.

Root Cause

Policy profile configured with DHCP relay:

wireless profile policy <name>
  ipv4 dhcp required         <-- Problem
  ipv4 dhcp server 10.50.X.1 <-- Problem

Diagnosis

# Check policy profile DHCP settings
show wireless profile policy detailed <policy-name> | include dhcp

# Working profile shows:
#   DHCP required: DISABLED
#   server address: 0.0.0.0

# Broken profile shows:
#   DHCP required: ENABLED
#   server address: 10.50.X.1

Fix

configure terminal
wireless profile policy <policy-name>
  shutdown
  no ipv4 dhcp required
  no ipv4 dhcp server
  no shutdown
  exit
write memory

Verification

# WLC - check client state
show wireless client mac-address <mac> detail | include State|VLAN|IPv4

# VyOS - check DHCP lease appeared
show dhcp server leases pool IOT

11.3. Client Auth Failing

# Check RADIUS (the AAA group is ISE-GROUP, see 1.6; use a dedicated test account)
test aaa group ISE-GROUP <test-user> <password> new-code

# Trace one client's 802.1X/EAP exchange (IOS-XE radioactive trace)
debug wireless mac <CLIENT-MAC> monitor-time 300
show logging profile wireless filter mac <CLIENT-MAC> to-file bootflash:client-auth.txt

# Coarser alternative
debug dot1x all

11.4. SSO Not Syncing

# Check sync failures (mismatched command list)
show redundancy config-sync failures mcl

# Re-validate, and only then discard the commands that cannot sync
redundancy config-sync validate mismatched-commands
redundancy config-sync ignore mismatched-commands

Review the MCL before ignoring it: the commands it lists are exactly the configuration the standby would be missing after a switchover.