How to Configure WLANs on the Cisco Catalyst 9800
If you're moving from an AireOS wireless controller to the Catalyst 9800, WLAN configuration looks different. Not harder—just fundamentally different. The C9800 uses a modular profile-and-tag architecture instead of the flat, monolithic WLAN definitions you may be accustomed to. This design gives you more flexibility to manage large, complex networks at scale, but it requires understanding how the pieces fit together.
In this article, we'll walk through the C9800 WLAN configuration model, from creating your first WLAN profile to assigning tags and verifying everything works. Whether you prefer the GUI or CLI, you'll find practical examples for both.
Why the C9800 Does Things Differently
The legacy AireOS controller had a global configuration mindset. If you needed to apply different settings to different access points, you often had to create separate AP groups—which meant duplicating configuration and managing multiple copies of the same WLAN with slight variations.
The C9800 was built to solve this problem. It uses profiles and tags to achieve reusability and modularity. You define a WLAN once (the profile), define a policy once (the policy profile), and then assign tags to access points—not WLAN instances. This means a single SSID can behave differently at different locations, and you can change behavior without restarting the controller or rebooting access points. In practice, this is a 20-25 second CAPWAP restart instead of a full 3-minute reboot cycle.
Understanding the WLAN Configuration Components
The C9800 WLAN configuration model consists of five main building blocks: profiles and three types of tags. Here's what each one does:
| Component | Purpose | Key Settings |
|---|---|---|
| WLAN Profile | Defines the SSID, WLAN ID, and security model | SSID name, WLAN ID (1-4096), security type (WPA2-PSK, WPA3, 802.1X, etc.), broadcast SSID, radio policy, band select |
| Policy Profile | Defines how clients are handled: VLAN assignment, QoS, authentication, AAA, session timeouts | VLAN assignment, central vs. local switching, session timeout, idle timeout, AAA override, RADIUS profiling, QoS settings |
| Policy Tag | Maps (binds) WLAN profiles to policy profiles; defines broadcast domain and AP group | Associated WLANs, associated policy profile, general settings, RLAN settings |
| Site Tag | Defines site-level settings: local vs. FlexConnect mode, AP join profile, FlexConnect profile, roaming domain | AP Join Profile, FlexConnect profile, Enable Local Site checkbox, Fabric CKIP Plane Name |
| RF Tag | Binds RF profiles for 2.4 GHz, 5 GHz, and 6 GHz radio bands to access points | RF Profile (2.4 GHz), RF Profile (5 GHz), RF Profile (6 GHz) |
Each access point is assigned exactly three tags: one policy tag, one site tag, and one RF tag. These tags determine the WLAN behavior, deployment model, and radio characteristics for that AP.
Creating a WLAN Profile
Start by creating the WLAN profile—the SSID and its security settings. You can do this via the GUI or CLI.
GUI Method
Navigate to Configuration > Tags & Profiles > WLANs, then click Add WLAN. Fill in the basics:
- Profile Name: A unique identifier for this WLAN profile (e.g.,
corp-main,guest-wpa3) - SSID: The SSID broadcast to clients
- WLAN ID: A number from 1 to 4096 (must be unique per C9800 deployment)
- Type: Select the security model
CLI Method
Enter global config mode and define the WLAN:
c9800(config)# wlan corporate 1 CorpNetwork
c9800(config-wlan)# shutdownThe first argument is the profile name, the second is the WLAN ID, and the third is the SSID. The shutdown command disables broadcasting until you assign it to a tag.
Security Options
The C9800 supports multiple security models. Choose one based on your deployment needs:
| Security Type | Use Case | CLI Command |
|---|---|---|
| WPA2-PSK | Pre-shared key authentication (simple, office/home) | security wpa wpa2 psk set-key ascii password |
| WPA2-Enterprise (802.1X) | RADIUS-based authentication (large enterprises) | security wpa wpa2 ciphers ccmp + AAA settings |
| WPA3-Personal | Modern PSK with Simultaneous Authentication of Equals (SAE) | security wpa wpa3 psk set-key ascii password |
| WPA3-Enterprise | RADIUS-based with 192-bit encryption (high-security) | security wpa wpa3 ciphers ccmp + AAA |
| Open | No security (guest networks, public hotspots) | security open |
| Enhanced Open (OWE) | Encrypted open network (modern guest networks) | security open owe |
Common WLAN Settings
After choosing security, configure these key options:
c9800(config-wlan)# broadcast-ssid
c9800(config-wlan)# band 2.4ghz 5ghz 6ghz
c9800(config-wlan)# band-selectbroadcast-ssid: Enable to advertise the SSID in beacons (enabled by default)band: Specify which frequency bands this WLAN operates onband-select: Let dual-band capable clients prefer 5/6 GHz
As of release 16.12.2+, WLANs must be explicitly mapped to a policy profile within a policy tag before they are broadcast. In earlier releases, a default WLAN was broadcast automatically. Now you control explicitly which SSIDs go live where.
Creating a Policy Profile
The policy profile controls how clients behave on the WLAN: which VLAN they use, whether traffic switches locally or centrally, session timeouts, QoS, and AAA overrides.
Basic CLI Configuration
c9800(config)# policy profile corporate-policy
c9800(config-policy)# vlan 100
c9800(config-policy)# central-switching
c9800(config-policy)# session-timeout 1800
c9800(config-policy)# idle-timeout 300vlan 100: Assign clients to VLAN 100central-switching: Traffic is routed through the C9800 (default for centralized deployments)local-switching: Traffic bridges locally on the AP (use for FlexConnect APs)session-timeout 1800: Force re-authentication after 30 minutesidle-timeout 300: Disconnect clients idle for 5 minutes
AAA and Radius Override
If you use RADIUS-based authentication, configure the AAA override to allow specific attributes from the RADIUS server to override local policy settings:
c9800(config-policy)# aaa-override
c9800(config-aaa-override)# aaa-attribute-list user-defined-acl vlan acl-nameThis is useful in deployments where RADIUS returns VLAN or ACL information per user. Without AAA override enabled, the C9800 honors preset values and ignores RADIUS attributes for those fields. This is a design choice: some deployments want centralized control; others want RADIUS to drive it.
QoS Settings
Configure QoS within the policy profile to mark traffic with a Differentiated Services Code Point (DSCP) or apply rate limiting:
c9800(config-policy)# qos-profile voice
c9800(config-policy)# rate-limit upstream 10000 downstream 10000Creating Tags and Binding Profiles
Tags are the connective tissue. They bind profiles to access points and define what gets broadcast where.
Policy Tag
A policy tag lists which WLAN profiles are broadcast and which policy profile governs them:
c9800(config)# policy tag corp-office
c9800(config-policy-tag)# wlan-name corporate
c9800(config-policy-tag)# policy-profile corporate-policyThe policy tag is equivalent to the broadcast domain in AireOS. It defines which SSIDs go together as a group and which policy (VLAN, AAA, QoS) applies to them.
Site Tag
The site tag defines site-level deployment settings. Is this a local-mode site or FlexConnect?
c9800(config)# site tag office-floor-1
c9800(config-site-tag)# ap-join-profile default-ap-profile
c9800(config-site-tag)# flex-profile default-flex-config
c9800(config-site-tag)# enable local site- If
enable local siteis checked, APs use local mode (central association, local switching for FlexConnect) - If unchecked, APs use FlexConnect mode (site-local CAPWAP registration, local data switching)
- The FlexConnect profile contains settings like VLAN-ACL mapping and local authentication
RF Tag
The RF tag binds radio frequency profiles (which control channel assignments, power, and band settings) to access points:
c9800(config)# rf tag office-rf
c9800(config-rf-tag)# profile 2.4ghz default-2.4ghz-profile
c9800(config-rf-tag)# profile 5ghz default-5ghz-profile
c9800(config-rf-tag)# profile 6ghz default-6ghz-profileBy default, the C9800 applies the default RF tag to all APs, which uses global 5 GHz and 2.4 GHz profiles. If you need different radio behavior in different locations (e.g., lower power in an RF-dense venue), create custom RF profiles and assign them via a custom RF tag.
Assigning Tags to Access Points
Once profiles and tags are created, assign all three tag types to each AP. You have three options: static assignment, filter-based assignment, or location-based assignment.
Static Assignment per AP
The most straightforward method is to assign tags directly to an AP by its Ethernet MAC address:
c9800(config)# ap name 3802.ca80.1901
c9800(config-ap)# ap-tag corp-office
c9800(config-ap)# site-tag office-floor-1
c9800(config-ap)# rf-tag office-rfView all AP tag assignments in the GUI under Configuration > Wireless > Access Points. A popup window shows WLANs, site subscriptions, and RF profiles for each AP.
Filter-Based Assignment (Regex)
For large deployments, use regular expressions to assign tags based on AP name patterns. Navigate to Configuration > Tags & Profiles > Tags, select the Filter tab, and define a rule:
Rule Name: floor1_aps
AP name regex: .*floor1.*
Assign: corp-office (policy tag), office-floor-1 (site tag), office-rf (RF tag)When an AP matching .*floor1.* joins the C9800, it is automatically assigned these tags. This is powerful for brownfield migrations from AireOS, where you already have a naming convention.
Location-Based Assignment (Basic Setup)
In the GUI, navigate to Configuration > Wireless Setup > Advanced and click Start Now. You can define location groups (e.g., "Floor 1", "Floor 2") and assign a tag combination to each location. The C9800 then automatically assigns tags to APs in that location.
Tag Persistence (Release 17.6+)
Starting in release 17.6, the C9800 supports tag persistence. When enabled globally, tag assignments are automatically saved to the AP's persistent storage. This means if an AP is moved between two C9800 controllers, it retains its assigned tags:
c9800(config)# ap tag persistency enableBefore release 17.6, you had to manually push tags to the AP in exec mode for each one. Now it's automatic.
The WLAN Wizard (Release 17.6.1+)
For simplified WLAN creation, use the WLAN Wizard. Navigate to Configuration > Wireless Setup > WLAN Wizard and follow the interactive flow:
- Choose Authentication Type: PSK, 802.1X, Local Web Auth, External Web Auth, Central Web Auth, Guest CWA, Foreign/Anchor
- Name the WLAN: Profile name and SSID
- Configure Security: Enter password (PSK) or select RADIUS server (802.1X)
- Set VLAN: Assign client VLAN
- Apply to APs: Choose which APs (or tag groups) will broadcast this WLAN
The wizard automates the creation of a WLAN profile, policy profile, and policy tag. It's ideal for straightforward deployments. For complex multi-site configurations with per-location variations, you'll still want to create profiles and tags manually.
Common WLAN Configuration Examples
Example 1: Basic PSK WLAN
Create a simple corporate WLAN with a pre-shared key:
! Create the WLAN profile
c9800(config)# wlan office 1 CorporateSSID
c9800(config-wlan)# security wpa wpa2 psk set-key ascii MySecurePassword123
c9800(config-wlan)# broadcast-ssid
c9800(config-wlan)# band 2.4ghz 5ghz 6ghz
c9800(config-wlan)# band-select
c9800(config-wlan)# exit
! Create the policy profile
c9800(config)# policy profile corp-employees
c9800(config-policy)# vlan 100
c9800(config-policy)# central-switching
c9800(config-policy)# session-timeout 1800
c9800(config-policy)# exit
! Create and bind the policy tag
c9800(config)# policy tag corp-main
c9800(config-policy-tag)# wlan-name office
c9800(config-policy-tag)# policy-profile corp-employees
c9800(config-policy-tag)# exit
! Create site and RF tags (or use defaults)
c9800(config)# site tag corp-site
c9800(config-site-tag)# ap-join-profile default-ap-profile
c9800(config-site-tag)# enable local site
c9800(config-site-tag)# exit
! Assign tags to an AP
c9800(config)# ap name MyAP-3802
c9800(config-ap)# ap-tag corp-main
c9800(config-ap)# site-tag corp-site
c9800(config-ap)# rf-tag default-rf-tag
c9800(config-ap)# exitExample 2: 802.1X Enterprise WLAN
Create a WLAN that authenticates users against RADIUS:
! Create the WLAN profile (802.1X mode)
c9800(config)# wlan enterprise 2 EnterpriseNet
c9800(config-wlan)# security wpa wpa2 ciphers ccmp
c9800(config-wlan)# broadcast-ssid
c9800(config-wlan)# exit
! Configure AAA (RADIUS server)
c9800(config)# aaa new-model
c9800(config)# radius server rds1
c9800(config-radius-server)# address ipv4 192.168.1.50
c9800(config-radius-server)# key Shared_Secret_Key
c9800(config-radius-server)# exit
! Create the policy profile
c9800(config)# policy profile enterprise-policy
c9800(config-policy)# vlan 200
c9800(config-policy)# central-switching
c9800(config-policy)# aaa-override
c9800(config-aaa-override)# aaa-attribute-list user-defined-acl vlan corp-vlan-acl
c9800(config-aaa-override)# exit
c9800(config-policy)# exit
! Create and bind the policy tag
c9800(config)# policy tag enterprise-main
c9800(config-policy-tag)# wlan-name enterprise
c9800(config-policy-tag)# policy-profile enterprise-policy
c9800(config-policy-tag)# exitExample 3: Guest WLAN with Web Authentication
Create a guest WLAN with local web authentication (splash page):
! Create the WLAN profile
c9800(config)# wlan guest 3 GuestNetwork
c9800(config-wlan)# security open
c9800(config-wlan)# broadcast-ssid
c9800(config-wlan)# exit
! Create the policy profile
c9800(config)# policy profile guest-policy
c9800(config-policy)# vlan 300
c9800(config-policy)# central-switching
c9800(config-policy)# web-auth local
c9800(config-policy)# exit
! Create and bind the policy tag
c9800(config)# policy tag guest-main
c9800(config-policy-tag)# wlan-name guest
c9800(config-policy-tag)# policy-profile guest-policy
c9800(config-policy-tag)# exitThe web-auth local command enables the built-in splash page on the controller. You can customize the portal appearance in the controller's portal settings.
Verification and Troubleshooting
After configuration, verify that WLANs are being broadcast correctly and that tags are properly assigned. Use these show commands:
Show WLAN Summary
c9800# show wlan summaryOutput displays all WLAN profiles with their status (disabled, enabled), WLAN ID, SSID, and security type.
Show Policy Tag Summary
c9800# show wireless tag policy summaryLists all policy tags, the WLANs they bind, and the policy profiles they reference.
Show Site Tag Summary
c9800# show wireless tag site summaryShows all site tags with their settings (local/remote, FlexConnect profile, etc.).
Show Policy Profile Summary
c9800# show wireless profile policy summaryDisplays all policy profiles and their key settings: VLAN, switching mode, timeouts, QoS.
Show AP Tag Summary
c9800# show ap tag summaryLists all APs and their assigned tags (policy, site, RF). Shows how the AP got its tag assignment (static, filter, location, default, or AP-learned via Plug and Play).
Validate Configuration
c9800# wireless config validateRuns a syntax and consistency check across all tags and profiles. This catches common mistakes like a WLAN assigned to two different policy profiles (which is a misconfiguration) or an orphaned policy profile with no WLANs.
Key Takeaways
- Profiles are templates. A WLAN profile defines the SSID and security. A policy profile defines client behavior. You create them once and reuse them across the deployment.
- Tags are assignments. Policy tags bind WLANs to policies and define the broadcast domain (roughly equivalent to AireOS AP groups). Site tags control local vs. FlexConnect mode. RF tags control radio behavior. Each AP gets exactly one of each.
- Modularity pays off. If you need to change VLAN assignment for an entire branch office, update the policy profile and restart CAPWAP on the site tag—no AP reboots needed. This is a 20-second rollout versus 3 minutes per AP in AireOS.
- Explicit mapping is required. As of 16.12.2+, WLANs are not broadcast by default. You must create a policy tag that maps WLANs to a policy profile. This gives you explicit control and prevents accidental SSID leakage.
- Tag persistence simplifies AP moves. Enable
ap tag persistency(release 17.6+) to allow APs to carry their configuration across controller migrations. - Use the wizard for quick wins. The WLAN Wizard (17.6.1+) is fast for simple deployments. For multi-site, multi-policy setups, build profiles and tags manually for better control.
- Validate before deploy. Run
wireless config validateto catch tag misconfigurations early. A red icon on an AP in the GUI indicates a tag mismatch—investigate immediately.
The C9800 WLAN model is designed for scale and flexibility. Once you internalize the profile-tag pattern, you'll find it more powerful and easier to manage than AireOS, especially in large, geographically dispersed deployments. Start with a single policy tag and site tag, verify it works, and then create custom tags as your deployment grows.