How to Configure Cisco Catalyst 9800 WLC from Scratch
Cisco Catalyst 9800
Published by THE NETWORK DNA | Wireless Networking | Cisco CCNP / Enterprise Wireless
Introduction to Cisco Catalyst 9800 Wireless LAN Controller
The Cisco Catalyst 9800 Wireless LAN Controller (WLC) is Cisco's next-generation enterprise wireless controller platform built on IOS-XE operating system. It is designed to manage Cisco Access Points (APs) at scale, delivering high availability, advanced security, and seamless roaming across your wireless infrastructure.
Whether you are deploying the Cisco Catalyst 9800-L, 9800-40, 9800-80, or the 9800-CL (Cloud) virtual controller, the base configuration process follows the same logical steps. This guide walks you through configuring the Cisco Catalyst 9800 WLC from scratch — from initial setup to a fully operational wireless network.
Key Fact: The Cisco Catalyst 9800 WLC runs on Cisco IOS-XE, meaning network engineers familiar with IOS-XE on routers and switches will feel right at home with CLI configuration.
Cisco Catalyst 9800 WLC Models Overview
| Model | Type | Max APs | Best For |
|---|---|---|---|
| 9800-L | Hardware Appliance | 250 APs | Small to mid-size campus |
| 9800-40 | Hardware Appliance | 2000 APs | Medium to large campus |
| 9800-80 | Hardware Appliance | 6000 APs | Large enterprise or data center |
| 9800-CL | Virtual (Cloud) | Up to 6000 APs | Private or public cloud deployments |
Prerequisites Before You Begin
Before starting the Cisco Catalyst 9800 WLC configuration, make sure the following are ready:
- Cisco Catalyst 9800 WLC powered on and racked
- Console cable or SSH access to the management interface
- Management IP address plan (IP, subnet mask, default gateway)
- VLAN plan for management, AP, and client VLANs
- DHCP server available for AP and client IP assignments
- NTP server IP address for time synchronization
- SSID names and security requirements defined
- Access to Cisco IOS-XE software image if upgrade is needed
- AAA/RADIUS server details if using 802.1X authentication
Step 1 — Initial Day Zero Setup (First Boot Configuration)
When the Cisco Catalyst 9800 WLC boots for the first time, it launches a Day Zero Setup Wizard. You can complete initial setup via the console port or through the WebUI at the default IP address.
Note: The Cisco 9800-L default WebUI IP is 192.168.1.1 on the management port. Connect your laptop directly and browse to https://192.168.1.1 to access the Day Zero wizard via GUI.
Console-based Initial Configuration:
Would you like to enter the initial configuration dialog? [yes/no]: yes Enter host name [WLC]: C9800-WLC Enter enable secret: Cisco@12345 Enter enable password: Cisco@12345 Enter virtual terminal password: Cisco@12345 Configure SNMP Network Management? [yes]: no Enter interface name used to connect to the management network [GigabitEthernet0]: GigabitEthernet0 Configuring interface GigabitEthernet0: IP address for this interface: 192.168.100.10 Subnet mask for this interface: 255.255.255.0 Class C network is 192.168.100.0, 24 subnet bits Would you like to enable as a cluster controller? [yes/no]: no
Step 2 — Basic System Configuration (Hostname, Domain, Credentials)
After initial boot, connect via console or SSH and apply the foundational system configuration including hostname, domain name, enable secret, and local user accounts.
! Enter Global Configuration Mode C9800-WLC# configure terminal ! Set Hostname C9800-WLC(config)# hostname C9800-WLC ! Set Domain Name (required for SSH key generation) C9800-WLC(config)# ip domain-name netlabpro.local ! Set Enable Secret Password C9800-WLC(config)# enable secret Cisco@SecurePass123 ! Create Local Admin User Account C9800-WLC(config)# username admin privilege 15 secret Cisco@Admin123 ! Disable IP Domain Lookup to avoid DNS delay C9800-WLC(config)# no ip domain-lookup ! Set System Clock Timezone C9800-WLC(config)# clock timezone EST -5 0 ! Enable Password Encryption C9800-WLC(config)# service password-encryption C9800-WLC(config)# end C9800-WLC# write memory
Step 3 — Configure Management Interface (GigabitEthernet0)
The GigabitEthernet0 interface is the dedicated out-of-band management port on the Cisco Catalyst 9800. Configure it with a static IP address for SSH and WebUI access.
C9800-WLC(config)# interface GigabitEthernet0 C9800-WLC(config-if)# description OUT-OF-BAND-MANAGEMENT C9800-WLC(config-if)# ip address 192.168.100.10 255.255.255.0 C9800-WLC(config-if)# no shutdown C9800-WLC(config-if)# exit ! Configure Default Gateway for Management Traffic C9800-WLC(config)# ip route 0.0.0.0 0.0.0.0 192.168.100.1 C9800-WLC(config)# end C9800-WLC# write memory
Step 4 — Configure SSH and Enable WebUI Access
The Cisco Catalyst 9800 WLC supports both SSH CLI management and a powerful Web-based GUI (WebUI). Configure SSH for secure remote CLI access and enable the WebUI for graphical management.
! Generate RSA Keys for SSH (minimum 2048 bits) C9800-WLC(config)# crypto key generate rsa modulus 2048 ! Enable SSH Version 2 C9800-WLC(config)# ip ssh version 2 C9800-WLC(config)# ip ssh time-out 60 C9800-WLC(config)# ip ssh authentication-retries 3 ! Configure VTY Lines for SSH Access C9800-WLC(config)# line vty 0 15 C9800-WLC(config-line)# login local C9800-WLC(config-line)# transport input ssh C9800-WLC(config-line)# exec-timeout 15 0 C9800-WLC(config-line)# exit ! Enable HTTP and HTTPS for WebUI C9800-WLC(config)# ip http server C9800-WLC(config)# ip http secure-server C9800-WLC(config)# ip http authentication local C9800-WLC(config)# ip http max-connections 16 C9800-WLC(config)# end C9800-WLC# write memory
WebUI Access: Open a browser and navigate to https://192.168.100.10 — log in with the local admin credentials you created. The WebUI provides a full-featured dashboard for wireless management.
Step 5 — Configure NTP for Time Synchronization
Accurate time is critical on the Cisco 9800 WLC for logging, certificate validation, RADIUS authentication, and AP join operations. Always configure NTP before proceeding with wireless configuration.
! Configure NTP Server C9800-WLC(config)# ntp server 216.239.35.0 prefer C9800-WLC(config)# ntp server 216.239.35.4 ! Set Timezone (Eastern Standard Time) C9800-WLC(config)# clock timezone EST -5 0 C9800-WLC(config)# clock summer-time EDT recurring ! Verify NTP Status (run in exec mode) C9800-WLC# show ntp status C9800-WLC# show ntp associations C9800-WLC(config)# end C9800-WLC# write memory
Step 6 — Configure VLANs and Uplink Trunk Interface
The Cisco Catalyst 9800 WLC uses trunk interfaces to carry multiple VLANs for management, APs, and wireless client traffic. Configure the uplink trunk port and define required VLANs.
! Create VLANs C9800-WLC(config)# vlan 10 C9800-WLC(config-vlan)# name MANAGEMENT C9800-WLC(config-vlan)# exit C9800-WLC(config)# vlan 20 C9800-WLC(config-vlan)# name AP-VLAN C9800-WLC(config-vlan)# exit C9800-WLC(config)# vlan 30 C9800-WLC(config-vlan)# name CORP-WIFI-CLIENTS C9800-WLC(config-vlan)# exit C9800-WLC(config)# vlan 40 C9800-WLC(config-vlan)# name GUEST-WIFI-CLIENTS C9800-WLC(config-vlan)# exit ! Configure Uplink Trunk Port (connecting to distribution switch) C9800-WLC(config)# interface GigabitEthernet1 C9800-WLC(config-if)# description UPLINK-TO-DISTRIBUTION-SWITCH C9800-WLC(config-if)# switchport mode trunk C9800-WLC(config-if)# switchport trunk encapsulation dot1q C9800-WLC(config-if)# switchport trunk allowed vlan 10,20,30,40 C9800-WLC(config-if)# switchport trunk native vlan 10 C9800-WLC(config-if)# no shutdown C9800-WLC(config-if)# exit C9800-WLC(config)# end C9800-WLC# write memory
Step 7 — Configure Wireless Management Interface (SVI)
Create a Switched Virtual Interface (SVI) for the management VLAN. This is the IP address that APs will use to discover and join the WLC using CAPWAP.
! Create Management SVI (VLAN 10) C9800-WLC(config)# interface Vlan10 C9800-WLC(config-if)# description WIRELESS-MANAGEMENT-SVI C9800-WLC(config-if)# ip address 10.10.10.1 255.255.255.0 C9800-WLC(config-if)# no shutdown C9800-WLC(config-if)# exit ! Create AP VLAN SVI (VLAN 20) C9800-WLC(config)# interface Vlan20 C9800-WLC(config-if)# description AP-MANAGEMENT-SVI C9800-WLC(config-if)# ip address 10.20.20.1 255.255.255.0 C9800-WLC(config-if)# no shutdown C9800-WLC(config-if)# exit ! Configure Default Route C9800-WLC(config)# ip route 0.0.0.0 0.0.0.0 10.10.10.254 C9800-WLC(config)# end C9800-WLC# write memory
Step 8 — Configure RF Profiles and AP Join Profile
On the Cisco Catalyst 9800 WLC, RF Profiles define radio frequency settings for 2.4 GHz and 5 GHz bands. The AP Join Profile controls how access points connect to the WLC.
Configure AP Join Profile:
! Create AP Join Profile C9800-WLC(config)# ap profile CORP-AP-JOIN-PROFILE C9800-WLC(config-ap-profile)# description Corporate AP Join Profile C9800-WLC(config-ap-profile)# mgmtuser username admin password 0 Cisco@AP123 secret 0 Cisco@AP123 C9800-WLC(config-ap-profile)# capwap-discovery type private C9800-WLC(config-ap-profile)# ntp ip 216.239.35.0 C9800-WLC(config-ap-profile)# ssh C9800-WLC(config-ap-profile)# exit C9800-WLC(config)# end C9800-WLC# write memory
Configure RF Profiles for 5 GHz and 2.4 GHz:
! RF Profile for 5 GHz Band C9800-WLC(config)# ap dot11 5ghz rf-profile CORP-5GHz-RF-PROFILE C9800-WLC(config-rf-profile)# description 5GHz RF Profile for Corporate C9800-WLC(config-rf-profile)# band-select probe-response C9800-WLC(config-rf-profile)# no shutdown C9800-WLC(config-rf-profile)# exit ! RF Profile for 2.4 GHz Band C9800-WLC(config)# ap dot11 24ghz rf-profile CORP-24GHz-RF-PROFILE C9800-WLC(config-rf-profile)# description 2.4GHz RF Profile for Corporate C9800-WLC(config-rf-profile)# no shutdown C9800-WLC(config-rf-profile)# exit C9800-WLC(config)# end C9800-WLC# write memory
Step 9 — Create Policy Profile and Policy Tag
The Cisco Catalyst 9800 WLC uses a tag-based architecture with Policy Tags, Site Tags, and RF Tags to map SSIDs to APs. The Policy Profile defines VLAN mappings and QoS settings for wireless clients.
Create Policy Profile for Corporate SSID:
! Create Corporate Policy Profile C9800-WLC(config)# wireless profile policy CORP-POLICY-PROFILE C9800-WLC(config-wireless-policy)# description Corporate Wireless Policy C9800-WLC(config-wireless-policy)# vlan CORP-WIFI-CLIENTS C9800-WLC(config-wireless-policy)# no shutdown C9800-WLC(config-wireless-policy)# exit ! Create Guest Policy Profile C9800-WLC(config)# wireless profile policy GUEST-POLICY-PROFILE C9800-WLC(config-wireless-policy)# description Guest Wireless Policy C9800-WLC(config-wireless-policy)# vlan GUEST-WIFI-CLIENTS C9800-WLC(config-wireless-policy)# no shutdown C9800-WLC(config-wireless-policy)# exit C9800-WLC(config)# end C9800-WLC# write memory
Step 10 — Create WLAN (SSID) Configuration
Now create the WLANs (SSIDs) — one for corporate employees using WPA3 or WPA2 PSK and one for guest users. Each WLAN maps to a policy profile and broadcasts on your access points.
Corporate WLAN with WPA2-PSK:
! Create Corporate SSID (WLAN ID 1) C9800-WLC(config)# wlan CORP-WIFI 1 CORP-WIFI C9800-WLC(config-wlan)# description Corporate Employee WiFi C9800-WLC(config-wlan)# security wpa psk set-key ascii 0 YourSecurePassword123 C9800-WLC(config-wlan)# security wpa akm psk C9800-WLC(config-wlan)# security wpa wpa2 C9800-WLC(config-wlan)# security wpa wpa2 ciphers aes C9800-WLC(config-wlan)# no security wpa wpa2 ciphers tkip C9800-WLC(config-wlan)# no shutdown C9800-WLC(config-wlan)# exit C9800-WLC(config)# end C9800-WLC# write memory
Guest WLAN with Open or PSK Security:
! Create Guest SSID (WLAN ID 2) C9800-WLC(config)# wlan GUEST-WIFI 2 GUEST-WIFI C9800-WLC(config-wlan)# description Guest WiFi Network C9800-WLC(config-wlan)# security wpa psk set-key ascii 0 GuestPass@2024 C9800-WLC(config-wlan)# security wpa akm psk C9800-WLC(config-wlan)# security wpa wpa2 C9800-WLC(config-wlan)# security wpa wpa2 ciphers aes C9800-WLC(config-wlan)# no shutdown C9800-WLC(config-wlan)# exit C9800-WLC(config)# end C9800-WLC# write memory
Step 11 — Create Policy Tag and Map WLANs to Policy Profiles
The Policy Tag is the glue that connects a WLAN (SSID) to a Policy Profile. Without a Policy Tag assignment, APs will not broadcast your SSIDs.
! Create Policy Tag C9800-WLC(config)# wireless tag policy CORP-POLICY-TAG C9800-WLC(config-policy-tag)# description Corporate Campus Policy Tag C9800-WLC(config-policy-tag)# wlan CORP-WIFI policy CORP-POLICY-PROFILE C9800-WLC(config-policy-tag)# wlan GUEST-WIFI policy GUEST-POLICY-PROFILE C9800-WLC(config-policy-tag)# exit C9800-WLC(config)# end C9800-WLC# write memory
Step 12 — Create Site Tag and RF Tag
The Site Tag defines the AP join profile and whether APs operate in Local mode or FlexConnect mode. The RF Tag maps the RF profiles to the access points for radio management.
Create Site Tag:
! Create Site Tag (Local Mode) C9800-WLC(config)# wireless tag site CORP-SITE-TAG C9800-WLC(config-site-tag)# description Corporate Site Tag - Local Mode C9800-WLC(config-site-tag)# ap-profile CORP-AP-JOIN-PROFILE C9800-WLC(config-site-tag)# no local-site C9800-WLC(config-site-tag)# exit C9800-WLC(config)# end C9800-WLC# write memory
Create RF Tag:
! Create RF Tag C9800-WLC(config)# wireless tag rf CORP-RF-TAG C9800-WLC(config-rf-tag)# description Corporate RF Tag C9800-WLC(config-rf-tag)# 24ghz-rf-policy CORP-24GHz-RF-PROFILE C9800-WLC(config-rf-tag)# 5ghz-rf-policy CORP-5GHz-RF-PROFILE C9800-WLC(config-rf-tag)# exit C9800-WLC(config)# end C9800-WLC# write memory
Step 13 — Assign Tags to Access Points
After your tags are created, assign the Policy Tag, Site Tag, and RF Tag to each access point using its MAC address. This tells the AP which SSIDs to broadcast and how to operate.
! Assign tags to a specific AP using its Ethernet MAC address C9800-WLC(config)# ap mac-address e4:aa:5d:12:34:56 C9800-WLC(config-ap-tag)# policy-tag CORP-POLICY-TAG C9800-WLC(config-ap-tag)# site-tag CORP-SITE-TAG C9800-WLC(config-ap-tag)# rf-tag CORP-RF-TAG C9800-WLC(config-ap-tag)# exit ! Assign tags to another AP C9800-WLC(config)# ap mac-address e4:aa:5d:78:90:ab C9800-WLC(config-ap-tag)# policy-tag CORP-POLICY-TAG C9800-WLC(config-ap-tag)# site-tag CORP-SITE-TAG C9800-WLC(config-ap-tag)# rf-tag CORP-RF-TAG C9800-WLC(config-ap-tag)# exit C9800-WLC(config)# end C9800-WLC# write memory
Pro Tip: You can also assign tags to APs using the WebUI under Configuration > Wireless > Access Points. Click on an AP, go to the Tags tab, and assign Policy, Site, and RF tags from the dropdown menus.
Step 14 — Configure DHCP for Wireless Clients (Optional)
If no external DHCP server is available, you can configure the Cisco 9800 WLC to act as a DHCP server for wireless clients. This is useful in lab environments or small deployments.
! DHCP Pool for Corporate Wireless Clients (VLAN 30) C9800-WLC(config)# ip dhcp pool CORP-WIFI-POOL C9800-WLC(dhcp-config)# network 10.30.30.0 255.255.255.0 C9800-WLC(dhcp-config)# default-router 10.30.30.1 C9800-WLC(dhcp-config)# dns-server 8.8.8.8 8.8.4.4 C9800-WLC(dhcp-config)# lease 0 8 0 C9800-WLC(dhcp-config)# exit ! DHCP Pool for Guest Wireless Clients (VLAN 40) C9800-WLC(config)# ip dhcp pool GUEST-WIFI-POOL C9800-WLC(dhcp-config)# network 10.40.40.0 255.255.255.0 C9800-WLC(dhcp-config)# default-router 10.40.40.1 C9800-WLC(dhcp-config)# dns-server 8.8.8.8 C9800-WLC(dhcp-config)# lease 0 4 0 C9800-WLC(dhcp-config)# exit ! Exclude gateway addresses from DHCP C9800-WLC(config)# ip dhcp excluded-address 10.30.30.1 10.30.30.20 C9800-WLC(config)# ip dhcp excluded-address 10.40.40.1 10.40.40.20 C9800-WLC(config)# end C9800-WLC# write memory
Step 15 — Configure Syslog for Centralized Logging
Configure Syslog to send WLC logs to a centralized log server. This is essential for monitoring, troubleshooting, and compliance in enterprise environments.
! Enable Logging with Timestamps C9800-WLC(config)# service timestamps log datetime msec localtime show-timezone C9800-WLC(config)# service timestamps debug datetime msec localtime show-timezone ! Configure Syslog Server C9800-WLC(config)# logging host 192.168.100.50 C9800-WLC(config)# logging trap informational C9800-WLC(config)# logging source-interface Vlan10 C9800-WLC(config)# logging buffered 100000 informational ! Configure Console Logging Level C9800-WLC(config)# logging console warnings C9800-WLC(config)# end C9800-WLC# write memory
Step 16 — Verify AP Join and Wireless Client Status
After completing the configuration, use these verification commands to confirm that APs have joined the WLC and wireless clients are connecting successfully.
AP Verification Commands:
! Show all joined Access Points C9800-WLC# show ap summary ! Show detailed info for a specific AP C9800-WLC# show ap name AP-FLOOR1 detail ! Show AP join statistics C9800-WLC# show ap join stats summary ! Show AP configuration tags assigned C9800-WLC# show ap tag summary ! Show AP CAPWAP tunnel status C9800-WLC# show capwap client rcb
Wireless Client Verification Commands:
! Show all wireless clients connected C9800-WLC# show wireless client summary ! Show detailed client information C9800-WLC# show wireless client mac-address aa:bb:cc:dd:ee:ff detail ! Show WLAN summary C9800-WLC# show wlan summary ! Show WLAN ID details C9800-WLC# show wlan id 1 ! Show wireless policy profile status C9800-WLC# show wireless profile policy detailed CORP-POLICY-PROFILE ! Show wireless tag policy C9800-WLC# show wireless tag policy detailed CORP-POLICY-TAG
General System Verification:
! Show system version and hardware C9800-WLC# show version ! Show interface status C9800-WLC# show interfaces status ! Show IP routing table C9800-WLC# show ip route ! Show running configuration C9800-WLC# show running-config ! Show NTP associations C9800-WLC# show ntp associations
Cisco 9800 WLC Tag-Based Architecture Explained
Understanding the Cisco 9800 WLC tag system is critical. Here is a simple breakdown of how all components connect together:
| Tag Type | Contains | Purpose |
|---|---|---|
| Policy Tag | WLAN to Policy Profile mapping | Defines which SSIDs an AP broadcasts and maps to client VLANs |
| Site Tag | AP Join Profile, Flex Profile | Defines AP operating mode (Local or FlexConnect) and join behavior |
| RF Tag | 2.4 GHz RF Profile, 5 GHz RF Profile | Defines radio frequency parameters for each band |
| Policy Profile | VLAN, QoS, ACL, Accounting | Defines how clients are placed into VLANs and treated on the network |
| AP Join Profile | NTP, SSH, CAPWAP settings | Controls how APs discover, join, and authenticate with the WLC |
Common Troubleshooting on Cisco Catalyst 9800 WLC
| Problem | Likely Cause | Fix |
|---|---|---|
| AP not joining WLC | No CAPWAP reachability or DHCP option 43 missing | Check AP IP, WLC reachability, configure DHCP option 43 |
| SSID not broadcasting | WLAN disabled or Policy Tag not assigned to AP | Enable WLAN, verify Policy Tag is correctly assigned to AP |
| Client gets wrong VLAN | Policy Profile VLAN misconfigured | Verify VLAN in Policy Profile matches intended client VLAN |
| Cannot access WebUI | HTTP server not enabled or wrong IP | Run ip http secure-server and verify management IP |
| AP in discovery state only | Certificate mismatch or NTP not synced | Verify NTP is configured and WLC certificate is valid |
| Clients not getting IP | DHCP server unreachable or not configured | Add IP helper-address on SVI or configure local DHCP pool |
Best Practices for Cisco Catalyst 9800 WLC Deployment
- Always configure NTP before deploying APs to avoid certificate validation issues
- Use LACP EtherChannel on WLC uplink ports for redundancy and bandwidth
- Separate management, AP, and client traffic into dedicated VLANs
- Use WPA3 or WPA2 AES only — never use TKIP in modern deployments
- Always assign all three tags — Policy Tag, Site Tag, and RF Tag — to every AP
- Enable High Availability (HA) with a secondary 9800 WLC for production deployments
- Use Cisco DNA Center for centralized management and automation at scale
- Regularly backup the running configuration using TFTP or SCP
- Enable RRM (Radio Resource Management) for automatic channel and power adjustment
- Monitor the WLC with SNMP and Syslog for proactive issue detection
Frequently Asked Questions — Cisco 9800 WLC
Q: What operating system does the Cisco Catalyst 9800 WLC run?
A: The Cisco Catalyst 9800 WLC runs on Cisco IOS-XE, the same OS used on Cisco routers and enterprise switches. This gives network engineers a familiar CLI experience.
Q: How do APs discover and join the Cisco 9800 WLC?
A: Cisco APs use the CAPWAP (Control and Provisioning of Wireless Access Points) protocol to discover and join the 9800 WLC. Discovery methods include DHCP option 43, DNS resolution of CISCO-CAPWAP-CONTROLLER, and local subnet broadcast.
Q: What is the difference between a Policy Tag, Site Tag, and RF Tag?
A: Policy Tag maps WLANs to Policy Profiles (client VLAN assignment). Site Tag defines AP operating mode and join profile. RF Tag maps radio frequency profiles to APs for 2.4 GHz and 5 GHz management.
Q: Can I manage the Cisco 9800 WLC without CLI?
A: Yes. The Cisco Catalyst 9800 WLC provides a full-featured WebUI (Web-based GUI) accessible via HTTPS. All configurations possible in CLI can also be done through the WebUI, making it accessible for engineers at all levels.
Q: Does the Cisco 9800 WLC support High Availability?
A: Yes. The 9800 WLC supports Stateful Switchover (SSO) with a secondary WLC. In SSO mode, client sessions are preserved during a failover with zero or near-zero disruption to wireless users.
Configuration Summary — Cisco 9800 WLC Quick Reference
Cisco Catalyst 9800 WLC Configuration Cheat Sheet
- Step 1: Day Zero Setup — Console or WebUI at 192.168.1.1
- Step 2: Hostname, domain, credentials — ip domain-name, username, enable secret
- Step 3: Management Interface — GigabitEthernet0 with static IP
- Step 4: SSH and WebUI — crypto key generate rsa, ip http secure-server
- Step 5: NTP — ntp server [IP] prefer
- Step 6: VLANs and Trunk — vlan [id], switchport mode trunk
- Step 7: Management SVI — interface Vlan10 with IP address
- Step 8: AP Join Profile and RF Profiles
- Step 9: Policy Profile — wireless profile policy [name] + vlan mapping
- Step 10: WLAN (SSID) — wlan [name] [id] [ssid] + security config
- Step 11: Policy Tag — wireless tag policy [name] + wlan to policy mapping
- Step 12: Site Tag and RF Tag creation
- Step 13: Assign Policy, Site, RF tags to APs by MAC address
- Verify: show ap summary | show wireless client summary | show wlan summary
Conclusion
The Cisco Catalyst 9800 Wireless LAN Controller is a powerful and flexible platform for enterprise wireless deployments. By following this step-by-step configuration guide — from initial Day Zero setup through WLAN creation and AP tag assignment — you can build a robust, scalable, and secure wireless infrastructure from scratch.
The key to success with the 9800 WLC is understanding the tag-based architecture — how Policy Tags, Site Tags, and RF Tags work together to deliver wireless services to your access points and users. Once mastered, this architecture makes the 9800 WLC one of the most flexible and scalable wireless controllers available in the industry today.
Found this guide helpful?
Share it with your network engineering team and drop a comment below with your Cisco 9800 WLC questions or configuration tips!
Tags and Keywords: Cisco Catalyst 9800 WLC, Cisco 9800 WLC Configuration, Cisco Wireless LAN Controller Setup, 9800-L Configuration, 9800-CL Setup, CAPWAP Configuration, Cisco IOS-XE WLC, Wireless Policy Profile, WLAN SSID Configuration Cisco, AP Join Profile 9800, Site Tag Policy Tag RF Tag, Cisco Enterprise Wireless, WLC from Scratch, Cisco Access Point Configuration, CCNP Wireless, Cisco DNA Center, FlexConnect 9800, 802.11ax WLC, Cisco Wi-Fi Controller Setup, WPA3 Cisco WLC
