CCNA WLAN Configuration: WLC GUI, Security, QoS & SSID Setup

The Cisco WLC GUI is accessed via HTTPS to the WLC's management IP address. The main navigation tabs are Monitor, WLANs, Controller, Wireless, Security, Management, Commands, Help, and Feedback. For WLAN configuration, work primarily in the WLANs tab.

To create a new WLAN: go to WLANs → New. Configure the Profile Name (internal label), SSID (the name clients see), and WLAN ID (a number 1–512 that identifies the WLAN internally). After clicking Apply, the WLAN Edit page opens with multiple tabs for detailed configuration.

The WLAN must be explicitly enabled on the General tab — new WLANs are disabled by default. The Status checkbox enables the WLAN so APs will broadcast it. Always verify this step; forgetting to enable the WLAN is a common exam-scenario mistake.

Each WLAN is mapped to a WLC interface, which determines which VLAN client traffic is placed into on the wired side. The WLC has a management interface (for WLC management traffic) and dynamic interfaces (one per WLAN/VLAN). A WLAN configured on the 'VLAN10' dynamic interface places client traffic into VLAN 10 on the switch trunk connected to the WLC.

Creating a dynamic interface: go to Controller → Interfaces → New. Configure the interface name, VLAN ID, IP address (this is the interface IP on that VLAN), subnet mask, and default gateway. Assign a DHCP server address so the WLC knows where to relay DHCP requests from wireless clients.

The switch port connecting the WLC must be a trunk port allowing all WLAN VLANs. The WLC tags client traffic with the appropriate VLAN ID when forwarding it to the switch.

WLAN security is configured on the Security tab of the WLAN editor. The Layer 2 Security dropdown selects the authentication method: None (open), WPA+WPA2, or 802.1X. For most enterprise WLANs, WPA+WPA2 is selected.

WPA2-Personal (PSK): select WPA+WPA2, enable WPA2 Policy, set Auth Key Mgmt to PSK, and enter the passphrase. All clients use the same pre-shared key. Simple to configure, appropriate for small deployments and personal networks.

WPA2-Enterprise (802.1X): select WPA+WPA2, enable WPA2 Policy, set Auth Key Mgmt to 802.1X. This requires a RADIUS server. Configure the RADIUS server under Security → AAA → RADIUS → Authentication. Enter the server IP, shared secret, and port (default 1812). Clients authenticate with individual credentials (username/password or certificates) through the RADIUS server.

For maximum security, Cisco recommends WPA3 where supported. The WLC exam scenarios on CCNA 200-301 primarily test WPA2 configuration — know both PSK and Enterprise workflows.

QoS settings on the QoS tab assign a quality-of-service profile to the WLAN. The profiles available: Platinum (voice — highest priority), Gold (video), Silver (best-effort data, the default), Bronze (background). These profiles map to DSCP values and 802.11e (WMM) access categories.

For a voice WLAN (e.g., Wi-Fi calling, Cisco Jabber): set QoS to Platinum to ensure voice frames receive priority treatment both in the Wi-Fi medium (using WMM) and on the wired side (matching DSCP EF). For a guest WLAN: Bronze or Silver to limit guest traffic priority relative to corporate traffic.

The CCNA exam tests which QoS profile is appropriate for different traffic types rather than the detailed DSCP/WMM mapping. Remember: Platinum = voice, Gold = video, Silver = data, Bronze = background.

On the Advanced tab, key settings include: Allow AAA Override (allows RADIUS to return VLAN/QoS assignments per user), Coverage Hole Detection (triggers alerts when clients experience poor signal), Client Band Select (steers capable clients to 5 GHz to reduce 2.4 GHz congestion), and FlexConnect settings for local switching.

The 802.11r (Fast BSS Transition) and 802.11k (Neighbor Reports) settings on the Advanced tab improve roaming performance. 802.11r enables fast re-authentication when roaming; 802.11k helps clients discover nearby APs. These are increasingly relevant as voice-over-Wi-Fi use grows.