Initially configure a Cisco Catalyst 9800 Series Wireless Controller

The following is the initial configuration process of C9800-80-K9.

1. Configure IP address and default route

## trunk or access
interface TenGigabitEthernet0/0/7
 switchport access vlan 62
 switchport mode access

interface Vlan62
 ip address 10.106.62.111 255.255.255.0

ip route 0.0.0.0 0.0.0.0 10.106.62.1

Updated on November 5, 2020
Or configure the IP address in the port instead of SVI

haifeli#sh run int gigabitEthernet 1
Building configuration...

Current configuration : 136 bytes
!
interface GigabitEthernet1
 no switchport
 ip address 10.106.37.33 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid
end

haifeli#sh run | sec ip route
ip route 0.0.0.0 0.0.0.0 10.106.37.1
haifeli#

2. Configure SSH

WLC(config)#line vty 0 10
WLC(config-line)#transport input ssh 
WLC(config-line)#login local 
WLC(config-line)#end

WLC#conf t
WLC(config)#hostname haifeli-C9800
haifeli-C9800(config)#ip domain name lihaifeng.net
haifeli-C9800(config)#ip ssh version 2
haifeli-C9800(config)#crypto key generate rsa 
The name for the keys will be: haifeli-C9800.lihaifeng.net
Choose the size of the key modulus in the range of 512 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [1024]: 
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

3. Configure password

haifeli-C9800(config)#enable password 0 Cisco123
haifeli-C9800(config)#username admin privilege 15 password 0 Cisco123

4. Configure https

haifeli-C9800(config)#crypto key generate rsa modulus 2048 label web
haifeli-C9800(config)#ip http secure-server 
haifeli-C9800(config)#ip http secure-trustpoint web
haifeli-C9800(config)#crypto pki trustpoint web
haifeli-C9800(ca-trustpoint)#enrollment selfsigned 
haifeli-C9800(ca-trustpoint)#rsakeypair web
haifeli-C9800(ca-trustpoint)#exit
haifeli-C9800(config)#crypto pki enroll web
% Include the router serial number in the subject name? [yes/no]: yes
% Include an IP address in the subject name? [no]: yes
Enter Interface name or IP Address[]: 10.106.62.111
Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

Update on June 15, 2021

You may encounter the following errors when logging in to the GUI of the 9800.

%WEBSERVER-5-LOGIN_FAILED: Chassis 1 R0/0: nginx: Login Un-Successful from host 192.168.10.52 using crypto cipher 'ECDHE-RSA-AES128-GCM-SHA256'

This is because you have not configured the HTTP authentication method. The following command may help you to solve this problem.

WLC(config)#ip http authentication local 

5. Configure country code

haifeli-C9800(config)#ap country IN
% 802.11bg/802.11a  Network must be disabled
haifeli-C9800(config)#ap dot11 24ghz shutdown 
Disabling the 802.11b network may strand mesh APs.
Are you sure you want to continue? (y/n)[y]: y
haifeli-C9800(config)#ap dot11 5 shutdown 
Disabling the 802.11a network may strand mesh APs.
Are you sure you want to continue? (y/n)[y]: y
haifeli-C9800(config)#
haifeli-C9800(config)#ap country IN
Changing country code could reset channel and RRM grouping configuration. If running in RRM One-Time mode, reassign channels after this command. Check customized APs for valid channel values after this command. 
Are you sure you want to continue? (y/n)[y]: y

haifeli-C9800(config)#no ap dot11 24ghz shutdown 
haifeli-C9800(config)#no ap dot11 5 shutdown

6. Configure management interface

haifeli-C9800(config)#wireless management interface vlan 62
haifeli-C9800#wireless config vwlc-ssc key-size 2048 signature-algo sha256 password 0 

3 Responses

  1. xin says:

    good tutorial

  2. Bosco says:

    Fantastic! Thanks

  3. Alejandro says:

    Nice info

Leave a Reply

Your email address will not be published.