WLC Commands

Commands for managing Cisco Catalyst 9800 Wireless LAN Controllers.

Prerequisites

Load secrets before using WLC commands:

dsource d000 dev/network

Required environment variables:

Variable Description Used By

WLC_IP

WLC IP or hostname

Both

WLC_USER

SSH username

SSH commands

WLC_PASS

SSH password

SSH commands

WLC_API_USER

RESTCONF API username

REST commands

WLC_API_PASS

RESTCONF API password

REST commands

WLAN Management (SSH)

List WLANs

netapi wlc wlans
netapi wlc wlans --json

Deploy Full SSID

The deploy-ssid command creates all required components for an SSID in one step:

  1. WLAN profile (security settings)

  2. Policy profile (VLAN assignment)

  3. Policy tag (maps WLAN to policy)

  4. Optionally assigns tags to APs

# Deploy 802.1X SSID for managed devices
netapi wlc deploy-ssid Domus-Secure --id 1 --vlan 10 \
    --security dot1x --auth-list ISE-AUTH \
    --ap AP-Office --ap AP-Living-Room

# Deploy WPA2-PSK SSID for IoT devices
netapi wlc deploy-ssid Domus-IoT --id 2 --vlan 40 \
    --security wpa2-psk --psk "IoTSecret123!"

# Deploy Guest SSID (open for captive portal)
netapi wlc deploy-ssid Domus-Guest --id 3 --vlan 50 \
    --security open

# Deploy VoIP SSID with WPA2-PSK
netapi wlc deploy-ssid Domus-Voice --id 4 --vlan 60 \
    --security wpa2-psk --psk "VoiceSecret!"

Options:

Option Description

--id, -i

WLAN ID (1-512)

--vlan, -v

Client VLAN

--security, -S

Security type: open, wpa2-psk, wpa3-psk, dot1x

--psk, -p

Pre-shared key (for PSK types)

--auth-list, -a

Authentication method list (for dot1x)

--ap

AP names to assign (repeatable)

--enabled/--disabled

Enable WLAN (default: enabled)

--no-save

Don’t save configuration

Create WLAN Profile (Manual)

For more control, create components separately:

# Create WLAN with 802.1X
netapi wlc create-wlan Domus-Secure --id 1 \
    --security dot1x --auth-list ISE-AUTH

# Create WLAN with WPA2-PSK
netapi wlc create-wlan Domus-IoT --id 2 \
    --security wpa2-psk --psk "SecretKey123"

Create Policy Profile

netapi wlc create-policy-profile POLICY-SECURE --vlan 10 --aaa-override
netapi wlc create-policy-profile POLICY-IOT --vlan 40

Create Policy Tag

netapi wlc create-policy-tag TAG-HOME \
    --map Domus-Secure:POLICY-SECURE \
    --map Domus-IoT:POLICY-IOT \
    --map Domus-Guest:POLICY-GUEST \
    --map Domus-Voice:POLICY-VOICE
Service Disruption Warning

Modifying policy tags causes a brief network disruption!

When you:

  • Add/remove a WLAN mapping to/from a policy tag

  • Change an AP’s policy tag assignment

  • Modify policy profile settings

The AP will briefly disconnect all clients (1-5 seconds) while reapplying the configuration.

In production environments (hospitals, factories, trading floors):

  1. Schedule changes during maintenance windows

  2. Notify users before making changes

  3. Have rollback procedures ready

  4. Consider using FlexConnect local switching to minimize impact

  5. Test changes in a lab environment first

For home networks: Warn family members before making wireless policy changes.

Assign Tags to AP

netapi wlc assign-ap-tag AP-Living-Room --policy-tag TAG-HOME --save
netapi wlc assign-ap-tag AP-Office --policy-tag TAG-HOME --save

Enable/Disable WLANs

netapi wlc enable-wlan-ssh Domus-Secure --save
netapi wlc disable-wlan-ssh Domus-Guest --save

Delete WLAN

netapi wlc delete-wlan-ssh Domus-Test --id 99 --force --save

List Policy Profiles and Tags

netapi wlc policy-profiles
netapi wlc policy-tags

System Information (REST API)

netapi wlc get-info
netapi wlc get-health

Access Points (REST API)

netapi wlc get-aps
netapi wlc get-ap AP-Office --json
netapi wlc reboot-ap AP-Office --force

Clients (REST API)

netapi wlc get-clients
netapi wlc get-client AA:BB:CC:DD:EE:FF
netapi wlc get-client-count
netapi wlc deauth-client AA:BB:CC:DD:EE:FF --force

WLANs (REST API)

netapi wlc get-wlans
netapi wlc enable-wlan 1
netapi wlc disable-wlan 1

RADIUS / AAA (SSH)

netapi wlc show radius-servers
netapi wlc show aaa-groups

netapi wlc add-radius-server --name ISE-02 --ip 10.50.1.21 \
    --key "SharedSecret" --aaa-group ISE-SERVERS --save

netapi wlc test-aaa --group ISE-SERVERS --user testuser --pass testpass

Raw Commands (SSH)

netapi wlc run "show wlan summary"
netapi wlc run "show ap summary"
netapi wlc run "show wireless client summary"

Certificate Management (SSH)

netapi wlc cert-list
netapi wlc cert-trustpoints

# Full certificate deployment
netapi wlc cert-deploy \
    --pkcs12 /tmp/wlc-cert/9800-wlc-01.p12 \
    --password WlcCert2026 \
    --ca-file /tmp/wlc-cert/HOME-ROOT-CA.pem \
    --trustpoint WLC-MGMT-CERT

Recommended SSID Setup

Based on best practices for a home network:

SSID Security Use Case VLAN

Domus-Secure

802.1X EAP-TLS

Managed workstations, high-trust devices

10

Domus-IoT

WPA2-PSK or MAB

Smart home, cameras, sensors

40

Domus-Guest

Captive portal / PSK

Visitors

50

Domus-Voice

802.1X or PSK

VoIP phones

60

Deploy All SSIDs

# Domus-Secure: 802.1X for managed devices
netapi wlc deploy-ssid Domus-Secure --id 1 --vlan 10 \
    --security dot1x --auth-list ISE-AUTH

# Domus-IoT: WPA2-PSK for IoT devices
netapi wlc deploy-ssid Domus-IoT --id 2 --vlan 40 \
    --security wpa2-psk --psk "IoTDevicesOnly2026!"

# Domus-Guest: Open (for captive portal) or simple PSK
netapi wlc deploy-ssid Domus-Guest --id 3 --vlan 50 \
    --security wpa2-psk --psk "GuestWiFi2026"

# Domus-Voice: WPA2-PSK for VoIP
netapi wlc deploy-ssid Domus-Voice --id 4 --vlan 60 \
    --security wpa2-psk --psk "VoIPPhones2026!"

# Create unified policy tag for all SSIDs
netapi wlc create-policy-tag TAG-DOMUS-HOME \
    --map Domus-Secure:POLICY-DOMUS_SECURE \
    --map Domus-IoT:POLICY-DOMUS_IOT \
    --map Domus-Guest:POLICY-DOMUS_GUEST \
    --map Domus-Voice:POLICY-DOMUS_VOICE \
    --save

# Assign to APs
netapi wlc assign-ap-tag AP-Living-Room --policy-tag TAG-DOMUS-HOME --save
netapi wlc assign-ap-tag AP-Office --policy-tag TAG-DOMUS-HOME --save
Family devices go on Domus-Secure with certificates, or Domus-IoT if they can’t do 802.1X.