Follow this video to install Cisco WLC on Proxmox:
https://www.youtube.com/watch?v=MeDwvj0LxhU
Onboard access points on:
- 🛰️ R2_LAN
- 🛰️ R4_LAN
capwap ap hostname <hostname>
capwap ap ip <ip address> <subnet mask> <gateway>
capwap ap primary-base <WLC hostname> <WLC ip address>
Log in to WLC, go to Monitoring > Wireless > AP Statistics
- Confirm AP status is Joined
Go to Configuration > Tags & Profiles > AP Join. Click Add.
- 🏷️ Name
- 🌍 Country Code
- ⏱️ Time Zone → Use-Controller
Enable:
- ✅ SSH
- ✅ Serial Console
- Username
- Password
- Secret
Click Update & Apply to Device
🔁 Repeat for:
R4_LAN_AP_JOIN
- 🏢 Local Mode → All traffic tunneled to WLC (central switching)
- 🛰️ FlexConnect Mode → Traffic switched locally at AP (best for branch sites / WAN failure)
Go to Configuration > Tags & Profiles > Flex → Click Add.
- Name
- Native VLAN ID
Click Add:
- VLAN Name
- VLAN ID
Click Save
Click Update & Apply to Device
🔁 Repeat for:
R4_LAN_FLEX
Go to Configuration > Tags & Profiles > Policy → Click Add
- Name
- Status: ✅ Enabled
- IP MAC Binding: ❌ Disabled
- Central Switching: ❌ Disabled
- Central Authentication: ✅ Enabled
- Central DHCP: ❌ Disabled
- VLAN / VLAN Group
- ✅ Allow AAA Override
Click Update & Apply to Device
🔁 Repeat for:
R4_LAN_POLICY
Go to Configuration > Tags & Profiles > WLANs → Click Add
- Profile Name
- SSID
- WLAN ID
- Status: ✅ Enabled
- Broadcast SSID: ✅ Enabled
⚠️ If AP supports WiFi 6E → Enable 6GHz radio
- WPA2 + WPA3
⚠️ Required for 6GHz support
- Enabled
- FT + SAE
- SAE
- PSK-SHA256
- FT + PSK
- PSK
- 🔒 Pre-Shared Key: <YourWiFiPass>
Click Update & Apply to Device
🔁 Repeat for:
R4_LAN_SSID_PSK
Go to Configuration > Security > AAA → Click + AAA Wizard
- 🏷️ Name
- 🌐 Server Address → (Cisco ISE IP)
- 🔑 Key → (same as ISE)
- 🔄 CoA: ❌ Disabled
Click Next
- 🏷️ Name
- 📡 Assigned Servers
Click Next
- ✅ Authentication
- ❌ Authorization and Accounting
- 🏷️ Name
- 🔧 Type: dot1x
- 📂 Group Type: group
- 📡 Assigned Server Groups
Click Apply to Device
Go to Configuration > Tags & Profiles > WLANs → Click Add
- Profile Name
- SSID
- WLAN ID
- Status: ✅ Enabled
- Broadcast SSID: ✅ Enabled
- WPA2 + WPA3
- 802.1X-SHA256
- 802.1X
- FT + 802.1X
Select Authentication List (RADIUS/ISE)
Click Apply to Device
🔁 Repeat for:
R4_LAN_AAA
Go to Configuration > Tags & Profiles > Tags → Click Add
- 🏷️ Name
Click Add:
- 📶 Select WLAN Profile
- 🧩 Select Policy Profile
Click ✅ and Apply to Device
🔁 Repeat for:
R4_LAN_POLICY_TAG
- 🏷️ Name
- 📡 AP Join Profile
- 🏢 Enable Local Site: ❌ Disabled
- 🌐 Flex Profile
Click Apply to Device
🔁 Repeat for:
R4_LAN_SITE_TAG
Go to Configuration > Security > AAA → Click + AAA Wizard
- 🏷️ Name
- 🌐 Server Address → (Cisco ISE IP)
- 🔑 Key → (same as ISE)
Click Next
- 🏷️ Name
- 📡 Assigned Servers
Click Next
- ✅ Authentication
- ✅ Authorization
- ❌ Accounting
- 🏷️ Name
- 🔧 Type: login
- 📂 Group Type: group
- 🔁 Fallback to local: ✅
- 📡 Assigned Server Groups
Click Authorization
- 🏷️ Name
- 🔧 Type: exec
- 📂 Group Type: group
- 📡 Assigned Server Groups
Click Apply to Device
Go to:
AAA Advanced > AAA Interface
- 📡 Select configured Authentication
- 🛡️ Select configured Authorization
- Apply to:
- 💻 VTY
- 🌐 HTTP
Click Apply
- 🔓 Logout from WLC
- 🔐 Login using Admin-01 (created in Cisco ISE)
✅ Login should be successful via TACACS+
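A check for the "Apply to: VTY / HTTP" and "Fallback to local" steps above, as an added example that is not part of the original guide: it reads a saved running-config and reports any management plane that lacks the named AAA lists or whose login list has no local fallback. The sample config is constructed, and the list and group names (MGMT_AUTHC, MGMT_AUTHZ, ISE_TACACS_GROUP) are hypothetical.

```python
import re

# Constructed running-config excerpt (not from the guide); list and group names are hypothetical.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ ISE_TACACS_GROUP
 server name ISE_TACACS
aaa authentication login MGMT_AUTHC group ISE_TACACS_GROUP local
aaa authorization exec MGMT_AUTHZ group ISE_TACACS_GROUP
ip http authentication aaa login-authentication MGMT_AUTHC
ip http authentication aaa exec-authorization MGMT_AUTHZ
line vty 0 4
 login authentication MGMT_AUTHC
 authorization exec MGMT_AUTHZ
line vty 5 15
 transport input ssh
"""

def method_lists(config):
    """Map (kind, list name) -> methods for 'aaa authentication login' / 'aaa authorization exec'."""
    pat = re.compile(r"^aaa (authentication login|authorization exec) (\S+) (.+)$", re.M)
    return {(m[1].split()[0], m[2]): m[3].split() for m in pat.finditer(config)}

def audit(config):
    """Return a list of findings for the VTY and HTTP management planes."""
    lists, findings = method_lists(config), []
    def check(where, kind, name):
        methods = lists.get((kind, name))
        if name is None:
            findings.append(f"{where}: no named {kind} list applied")
        elif methods is None:
            findings.append(f"{where}: {kind} list {name} is not defined")
        elif kind == "authentication" and "local" not in methods:
            findings.append(f"{where}: {name} has no local fallback")
    # HTTP: global 'ip http authentication aaa ...' lines
    h_authc = re.search(r"^ip http authentication aaa login-authentication (\S+)", config, re.M)
    h_authz = re.search(r"^ip http authentication aaa exec-authorization (\S+)", config, re.M)
    check("HTTP", "authentication", h_authc and h_authc[1])
    check("HTTP", "authorization", h_authz and h_authz[1])
    # VTY: each 'line vty' block is the header plus its indented lines
    for hdr, body in re.findall(r"^(line vty [\d ]+)\n((?:[ \t].*\n?)*)", config, re.M):
        authc = re.search(r"^\s+login authentication (\S+)", body, re.M)
        authz = re.search(r"^\s+authorization exec (\S+)", body, re.M)
        check(hdr.strip(), "authentication", authc and authc[1])
        check(hdr.strip(), "authorization", authz and authz[1])
    return findings
```

On the sample, `audit(SAMPLE_CONFIG)` flags only the `line vty 5 15` block, where the lists were applied to some VTY lines but not all.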
- 🛰️ FlexConnect used for branch resiliency
- 🔐 WPA3 + 802.1X for secure wireless access
- 🧩 Tags simplify large-scale AP deployment
- 🔁 Centralized authentication via Cisco ISE
This setup includes:
- 🛰️ AP onboarding using CAPWAP
- 🌐 FlexConnect configuration for branch sites
- 🧩 Policy and VLAN mapping
- 📶 WLAN setup (PSK & AAA)
- 🔐 Integration with Cisco ISE (RADIUS & TACACS+)
- 🏷️ Tag-based deployment (Policy Tag + Site Tag)




























