WLC WLAN Commands
Commands
get-wlans
List all configured WLANs.
netapi wlc get-wlansID Profile SSID Status
--------------------------------------------------------------------
1 HomeRF HomeRF Enabled
2 IoT_Net IoT_Net Enabled
3 Guest_Net Guest_Net Enabled
4 Domus-Secure Domus-Secure Enabledcreate-wlan
Create a new WLAN profile.
netapi wlc create-wlan <PROFILE> --id <ID> [OPTIONS]Options
| Option | Default | Description |
|---|---|---|
|
Required |
WLAN ID (1-512) |
|
Profile name |
SSID broadcast name |
|
|
Security type: |
|
- |
Pre-shared key (for PSK security types) |
|
- |
Authentication method list (for dot1x) |
|
- |
MAC filtering list for iPSK (e.g., |
|
|
Enable WLAN after creation |
|
False |
Save configuration after creation |
Examples
netapi wlc create-wlan Guest-Network --id 10 \
--security wpa2-psk \
--psk "GuestPass2026!" \
--enabled --savenetapi wlc create-wlan Corp-Secure --id 1 \
--security dot1x \
--auth-list ISE-AUTH \
--enabled --savenetapi wlc create-wlan DOMUS_IoT --id 5 \
--security wpa2-psk \
--psk "FallbackPSK2026!" \
--mac-filtering ISE-AuthZ \
--enabled --saveiPSK (Identity PSK) Deployment
iPSK enables per-device pre-shared keys via RADIUS MAC authentication. Each device gets a unique PSK stored in the iPSK Manager database, providing device-level authentication without requiring 802.1X infrastructure on the endpoint.
Architecture
Device (MAC: AA:BB:CC:DD:EE:FF)
|
| 1. Associates to WLAN with fallback PSK
v
WLC (MAC-Filtering enabled)
|
| 2. RADIUS Access-Request (MAC as username)
v
ISE (Policy Set: IoT WIFI iPSK)
|
| 3. ODBC lookup to iPSK-Manager
v
iPSK-Manager MySQL Database
|
| 4. Returns: Cisco-AVPair = "psk=<device-specific-psk>"
v
WLC
|
| 5. Client re-authenticates with device-specific PSK
v
Device (Connected with unique PSK)Step-by-Step: Deploy DOMUS_IoT WLAN
1. Create WLAN on WLC
# Create the WLAN with MAC filtering
netapi wlc create-wlan DOMUS_IoT --id 5 \
--security wpa2-psk \
--psk "IoTFallback2026!" \
--mac-filtering ISE-AuthZ \
--enabled --save2. Create Policy Profile
# Create policy profile with AAA override for VLAN assignment
netapi wlc create-policy-profile POLICY-DOMUS_IoT \
--vlan 40 \
--aaa-override \
--save3. Verify ISE Policy Set
# Check IoT WIFI iPSK policy set exists
netapi ise get-policy-sets | grep -i iot
# Check authorization profile exists
netapi ise get-authz-profile Domus_IoT_Profile4. Add Device to iPSK-Manager
Via web portal (recommended):
-
Navigate to ipsk-manager.inside.domusdigitalis.dev
-
Add new endpoint with MAC address
-
Assign to appropriate endpoint group
-
PSK is auto-generated or manually set
Via MySQL direct:
# SSH to iPSK Manager
ssh ipsk-manager.inside.domusdigitalis.dev
# Add device
MAC="9C:83:06:CE:89:46"
NAME="Evan_Samsung"
PSK="DevicePSK2026!"
sudo mysql ipsk -e "
INSERT INTO endpoints (macAddress, password, pskValue, fullName, accountEnabled, createdDate)
VALUES ('$MAC', LOWER(REPLACE('$MAC',':','')), '$PSK', '$NAME', 1, NOW());
"See Also
-
Policy Profiles - Create policy profiles for WLAN
-
Authorization Profiles - ISE authz profiles
-
Auth History - Troubleshoot device authentication