WLC Commands

Commands for managing Cisco Catalyst 9800 Wireless LAN Controllers.

Prerequisites

Load secrets before using WLC commands:

dsource d000 dev/network

Required environment variables:

Variable Description Used By

Variable	Description	Used By
`WLC_IP`	WLC IP or hostname	Both
`WLC_USER`	SSH username	SSH commands
`WLC_PASS`	SSH password	SSH commands
`WLC_API_USER`	RESTCONF API username	REST commands
`WLC_API_PASS`	RESTCONF API password	REST commands

WLC_IP

WLC IP or hostname

Both

WLC_USER

SSH username

SSH commands

WLC_PASS

SSH password

SSH commands

WLC_API_USER

RESTCONF API username

REST commands

WLC_API_PASS

RESTCONF API password

REST commands

WLAN Management (SSH)

List WLANs

netapi wlc wlans
netapi wlc wlans --json

Deploy Full SSID

The deploy-ssid command creates all required components for an SSID in one step:

WLAN profile (security settings)
Policy profile (VLAN assignment)
Policy tag (maps WLAN to policy)
Optionally assigns tags to APs

# Deploy 802.1X SSID for managed devices
netapi wlc deploy-ssid Domus-Secure --id 1 --vlan 10 \
    --security dot1x --auth-list ISE-AUTH \
    --ap AP-Office --ap AP-Living-Room

# Deploy WPA2-PSK SSID for IoT devices
netapi wlc deploy-ssid Domus-IoT --id 2 --vlan 40 \
    --security wpa2-psk --psk "IoTSecret123!"

# Deploy Guest SSID (open for captive portal)
netapi wlc deploy-ssid Domus-Guest --id 3 --vlan 50 \
    --security open

# Deploy VoIP SSID with WPA2-PSK
netapi wlc deploy-ssid Domus-Voice --id 4 --vlan 60 \
    --security wpa2-psk --psk "VoiceSecret!"

Options:

Option Description

Option	Description
`--id, -i`	WLAN ID (1-512)
`--vlan, -v`	Client VLAN
`--security, -S`	Security type: `open`, `wpa2-psk`, `wpa3-psk`, `dot1x`
`--psk, -p`	Pre-shared key (for PSK types)
`--auth-list, -a`	Authentication method list (for dot1x)
`--ap`	AP names to assign (repeatable)
`--enabled/--disabled`	Enable WLAN (default: enabled)
`--no-save`	Don’t save configuration

--id, -i

WLAN ID (1-512)

--vlan, -v

Client VLAN

--security, -S

Security type: open, wpa2-psk, wpa3-psk, dot1x

--psk, -p

Pre-shared key (for PSK types)

--auth-list, -a

Authentication method list (for dot1x)

--ap

AP names to assign (repeatable)

--enabled/--disabled

Enable WLAN (default: enabled)

--no-save

Don’t save configuration

Create WLAN Profile (Manual)

For more control, create components separately:

# Create WLAN with 802.1X
netapi wlc create-wlan Domus-Secure --id 1 \
    --security dot1x --auth-list ISE-AUTH

# Create WLAN with WPA2-PSK
netapi wlc create-wlan Domus-IoT --id 2 \
    --security wpa2-psk --psk "SecretKey123"

Create Policy Profile

netapi wlc create-policy-profile POLICY-SECURE --vlan 10 --aaa-override
netapi wlc create-policy-profile POLICY-IOT --vlan 40

Create Policy Tag

netapi wlc create-policy-tag TAG-HOME \
    --map Domus-Secure:POLICY-SECURE \
    --map Domus-IoT:POLICY-IOT \
    --map Domus-Guest:POLICY-GUEST \
    --map Domus-Voice:POLICY-VOICE

Service Disruption Warning

Modifying policy tags causes a brief network disruption!

When you:

Add/remove a WLAN mapping to/from a policy tag
Change an AP’s policy tag assignment
Modify policy profile settings

The AP will briefly disconnect all clients (1-5 seconds) while reapplying the configuration.

In production environments (hospitals, factories, trading floors):

Schedule changes during maintenance windows
Notify users before making changes
Have rollback procedures ready
Consider using FlexConnect local switching to minimize impact
Test changes in a lab environment first

For home networks: Warn family members before making wireless policy changes.

Assign Tags to AP

netapi wlc assign-ap-tag AP-Living-Room --policy-tag TAG-HOME --save
netapi wlc assign-ap-tag AP-Office --policy-tag TAG-HOME --save

Enable/Disable WLANs

netapi wlc enable-wlan-ssh Domus-Secure --save
netapi wlc disable-wlan-ssh Domus-Guest --save

Delete WLAN

netapi wlc delete-wlan-ssh Domus-Test --id 99 --force --save

List Policy Profiles and Tags

netapi wlc policy-profiles
netapi wlc policy-tags

System Information (REST API)

netapi wlc get-info
netapi wlc get-health

Access Points (REST API)

netapi wlc get-aps
netapi wlc get-ap AP-Office --json
netapi wlc reboot-ap AP-Office --force

Clients (REST API)

netapi wlc get-clients
netapi wlc get-client AA:BB:CC:DD:EE:FF
netapi wlc get-client-count
netapi wlc deauth-client AA:BB:CC:DD:EE:FF --force

WLANs (REST API)

netapi wlc get-wlans
netapi wlc enable-wlan 1
netapi wlc disable-wlan 1

RADIUS / AAA (SSH)

netapi wlc show radius-servers
netapi wlc show aaa-groups

netapi wlc add-radius-server --name ISE-02 --ip 10.50.1.21 \
    --key "SharedSecret" --aaa-group ISE-SERVERS --save

netapi wlc test-aaa --group ISE-SERVERS --user testuser --pass testpass

Raw Commands (SSH)

netapi wlc run "show wlan summary"
netapi wlc run "show ap summary"
netapi wlc run "show wireless client summary"

Configuration Commands (SSH)

Send configuration mode commands to the WLC:

# Configure syslog
netapi wlc config "logging host 10.50.1.134" "logging trap informational" --save

# Multiple commands
netapi wlc config "ntp server 10.50.1.1" "clock timezone PST -8" --save

# Without save (must save manually later)
netapi wlc config "banner motd ^Authorized access only^"
netapi wlc save-config

Options:

Option Description

Option	Description
`--save, -s`	Save config after applying commands (write memory)

--save, -s

Save config after applying commands (write memory)

Certificate Management (SSH)

netapi wlc cert-list
netapi wlc cert-trustpoints

# Full certificate deployment
netapi wlc cert-deploy \
    --pkcs12 /tmp/wlc-cert/9800-wlc-01.p12 \
    --password WlcCert2026 \
    --ca-file /tmp/wlc-cert/HOME-ROOT-CA.pem \
    --trustpoint WLC-MGMT-CERT

Recommended SSID Setup

Based on best practices for a home network:

SSID Security Use Case VLAN

SSID	Security	Use Case	VLAN
`Domus-Secure`	802.1X EAP-TLS	Managed workstations, high-trust devices	10
`Domus-IoT`	WPA2-PSK or MAB	Smart home, cameras, sensors	40
`Domus-Guest`	Captive portal / PSK	Visitors	50
`Domus-Voice`	802.1X or PSK	VoIP phones	60

Domus-Secure

802.1X EAP-TLS

Managed workstations, high-trust devices

Domus-IoT

WPA2-PSK or MAB

Smart home, cameras, sensors

Domus-Guest

Captive portal / PSK

Visitors

Domus-Voice

802.1X or PSK

VoIP phones

Deploy All SSIDs

# Domus-Secure: 802.1X for managed devices
netapi wlc deploy-ssid Domus-Secure --id 1 --vlan 10 \
    --security dot1x --auth-list ISE-AUTH

# Domus-IoT: WPA2-PSK for IoT devices
netapi wlc deploy-ssid Domus-IoT --id 2 --vlan 40 \
    --security wpa2-psk --psk "IoTDevicesOnly2026!"

# Domus-Guest: Open (for captive portal) or simple PSK
netapi wlc deploy-ssid Domus-Guest --id 3 --vlan 50 \
    --security wpa2-psk --psk "GuestWiFi2026"

# Domus-Voice: WPA2-PSK for VoIP
netapi wlc deploy-ssid Domus-Voice --id 4 --vlan 60 \
    --security wpa2-psk --psk "VoIPPhones2026!"

# Create unified policy tag for all SSIDs
netapi wlc create-policy-tag TAG-DOMUS-HOME \
    --map Domus-Secure:POLICY-DOMUS_SECURE \
    --map Domus-IoT:POLICY-DOMUS_IOT \
    --map Domus-Guest:POLICY-DOMUS_GUEST \
    --map Domus-Voice:POLICY-DOMUS_VOICE \
    --save

# Assign to APs
netapi wlc assign-ap-tag AP-Living-Room --policy-tag TAG-DOMUS-HOME --save
netapi wlc assign-ap-tag AP-Office --policy-tag TAG-DOMUS-HOME --save

Family devices go on Domus-Secure with certificates, or Domus-IoT if they can’t do 802.1X.