3.9. Wireless LAN GUI Configuration
💡 First Principle: The WLC GUI is where most wireless configuration happens in enterprise deployments. Unlike CLI-heavy switch configuration, wireless controllers were designed with GUI management in mind. The exam tests your ability to identify correct settings in screenshots, not to memorize CLI syntax.
What happens when WLC configuration goes wrong: Consider this scenario—you create a new "Corporate" SSID but accidentally map it to the Guest VLAN. Employees connect, get IP addresses from the guest DHCP scope, and suddenly can't access internal servers. Or you enable WPA2-PSK for convenience, but now there's one shared password for 500 employees. When someone leaves, that password should change—but who wants to reconfigure 500 devices?
Think of the WLC GUI like an airport control tower. From one place, you manage all the APs (aircraft), control which SSIDs are broadcast (flight schedules), assign users to VLANs (terminals), and set QoS policies (priority boarding).
The WLAN Creation Workflow:
When you create a new wireless network, the WLC walks you through these decisions:
Step 1: Identity
- Profile Name: Internal identifier (you see this in the WLC)
- SSID: Network name (users see this on their devices)
- WLAN ID: Numeric identifier (1-512)
- Status: Enabled or disabled
Step 2: Security
| Setting | Options | When to Use |
|---|---|---|
| Layer 2 Security | WPA2-PSK, WPA2-Enterprise, WPA3 | Always use WPA2 at minimum |
| Layer 3 Security | Web auth, VPN passthrough | Guest networks |
| AAA | RADIUS server selection | Enterprise authentication |
Step 3: QoS Profile Assignment
QoS determines how traffic from this SSID is prioritized:
| Profile | DSCP Marking | Target Traffic | Use For |
|---|---|---|---|
| Platinum | EF (46) | Voice | VoIP SSIDs |
| Gold | AF41 (34) | Video | Video conferencing |
| Silver | 0 | Best effort | General corporate |
| Bronze | 0 (deprioritized) | Background | Guest networks |
What happens if you choose wrong: Assigning "Bronze" to your corporate voice SSID means voice calls get dropped during congestion while guest Netflix streams smoothly. QoS profile selection matters.
Step 4: Advanced Settings
| Setting | What It Does | Security Impact |
|---|---|---|
| Broadcast SSID | Hide/show network name | Hiding provides minimal security (easily discovered) |
| Client exclusion | Temp-ban after failed auth attempts | Prevents brute-force attacks |
| DHCP required | Clients must use DHCP | Prevents attacks that rely on statically assigned IP addresses |
| P2P blocking | Block client-to-client traffic | Isolates guests from each other |
| FlexConnect local switching | Traffic switched at AP | Reduces WAN bandwidth for branch offices |
FlexConnect deserves special attention: In a traditional deployment, all wireless traffic travels back to the WLC, even if the user and server are both at the same branch office. FlexConnect lets the AP switch traffic locally—critical for sites with slow WAN links.
⚠️ Exam Trap: WLC screenshots will show partial configurations and ask what's wrong or what happens next. Understand the workflow, not just the options.
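The mistakes described in this section (wrong VLAN mapping, a shared PSK on a staff SSID, a mismatched QoS profile, missing guest isolation) can be checked mechanically. The audit below is an added example, not part of the original guide or any Cisco tool. The dict field names, the VLAN plan and the sample profiles are constructed assumptions, and treating a PSK on a non-guest SSID as a finding is this example's policy.

```python
# Added example. Field names and sample values are hypothetical/constructed,
# not a real WLC export format.
VLAN_PURPOSE = {10: "internal", 20: "internal", 99: "guest"}   # constructed VLAN plan
QOS_FOR_ROLE = {"voice": "platinum", "video": "gold",
                "corporate": "silver", "guest": "bronze"}      # from the QoS table
BELOW_WPA2 = {"none", "wep", "wpa"}

def audit_wlan(w):
    """Return a list of findings for one WLAN profile (a dict)."""
    out = []
    role, l2 = w["role"], w["l2_security"].lower()
    if not 1 <= w["wlan_id"] <= 512:
        out.append("wlan_id outside 1-512")
    if l2 in BELOW_WPA2:
        out.append("Layer 2 security below WPA2")
    if l2.endswith("psk") and role != "guest":
        out.append("shared PSK on a non-guest SSID")
    if l2.endswith("enterprise") and not w.get("radius_servers"):
        out.append("Enterprise security without a RADIUS server")
    expected_vlan = "guest" if role == "guest" else "internal"
    if VLAN_PURPOSE.get(w["vlan"]) != expected_vlan:
        out.append(f"VLAN {w['vlan']} does not match role (expected {expected_vlan} VLAN)")
    if w["qos"].lower() != QOS_FOR_ROLE[role]:
        out.append(f"QoS {w['qos']} but {role} traffic expects {QOS_FOR_ROLE[role]}")
    if role == "guest" and not w.get("p2p_blocking"):
        out.append("guest SSID without P2P blocking")
    if not w.get("client_exclusion"):
        out.append("client exclusion disabled")
    if not w.get("dhcp_required"):
        out.append("DHCP not required")
    return out

def audit_all(profiles):
    """Map each SSID to its list of findings."""
    return {p["ssid"]: audit_wlan(p) for p in profiles}

SAMPLE = [  # constructed profiles mirroring the scenarios in this section
    {"ssid": "Corporate", "wlan_id": 1, "role": "corporate", "l2_security": "WPA2-PSK",
     "vlan": 99, "qos": "Silver", "client_exclusion": True, "dhcp_required": True},
    {"ssid": "Voice", "wlan_id": 2, "role": "voice", "l2_security": "WPA2-Enterprise",
     "radius_servers": ["radius-1"], "vlan": 20, "qos": "Bronze",
     "client_exclusion": True, "dhcp_required": True},
    {"ssid": "Guest", "wlan_id": 3, "role": "guest", "l2_security": "WPA2-PSK",
     "vlan": 99, "qos": "Bronze", "p2p_blocking": True,
     "client_exclusion": True, "dhcp_required": True},
]

if __name__ == "__main__":
    for ssid, findings in audit_all(SAMPLE).items():
        print(ssid, "->", findings or "ok")
```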