Wireless Foundational

Wireless LAN Basics

Definitive CCNA-level Wi-Fi fundamentals — SSID / BSS / ESS / BSSID terminology, autonomous vs lightweight APs, CAPWAP tunnel anatomy, WLC discovery (DHCP option 43 + DNS), Wi-Fi standards generations, security (WPA / WPA2 / WPA3), roaming, and 7 worked scenarios.

TL;DR

An access point (AP) bridges Wi-Fi clients onto the wired network. A wireless LAN controller (WLC) centralizes config + policy for many APs. Lightweight APs (the enterprise standard) depend on a WLC; autonomous APs are standalone.
Terminology to memorize: SSID = network name (`Corp-Wifi`), BSS = one AP's coverage area, BSSID = the AP radio's MAC, ESS = many BSSes broadcasting the same SSID.
APs reach the WLC over CAPWAP — UDP 5246 (control, DTLS-encrypted) + UDP 5247 (data tunnel). Because it tunnels, AP and WLC don't need to be on the same subnet.
WPA3 + 802.1X is the 2026 enterprise default. WPA2-PSK is still common for home/SMB and IoT. WEP and WPA are broken — never use.

Mental model

Wi-Fi extends a wired Layer-2 LAN over the air. Devices that can’t be cabled — phones, laptops, IoT, conference-room cameras — connect through an access point (AP) that bridges them to the wired network.

For a small office with 2–3 APs, each AP can be configured standalone. For an enterprise with 50+ APs across floors and buildings, you don’t want to log into each one. You centralize on a wireless LAN controller (WLC). Each AP just provides the radio; the WLC handles SSIDs, security, VLAN mapping, RF tuning, and roaming.

Three things to internalize before anything else:

The air is a shared half-duplex medium. Two devices on the same channel within range share the airtime. Half-duplex means at any instant, only one is transmitting. CSMA/CA (collision avoidance) coordinates who talks when.
A Wi-Fi network on the air looks different from on the wire. What clients see is the SSID; what the AP actually advertises is a BSSID per radio. Multiple BSSIDs can broadcast the same SSID.
Roaming is the hard part. When a client moves between APs, the handoff needs to be fast (< 100 ms for voice) without losing connection. The WLC’s job is to coordinate.

Wi-Fi standards — the generations

IEEE name	Marketing name	Year	Band	Max raw rate
802.11a	—	1999	5 GHz	54 Mbps
802.11b	—	1999	2.4 GHz	11 Mbps
802.11g	—	2003	2.4 GHz	54 Mbps
802.11n	Wi-Fi 4	2009	2.4 + 5 GHz	600 Mbps
802.11ac	Wi-Fi 5	2013	5 GHz	6.9 Gbps
802.11ax	Wi-Fi 6	2019	2.4 + 5 GHz	9.6 Gbps
802.11ax (6 GHz)	Wi-Fi 6E	2020	6 GHz	9.6 Gbps
802.11be	Wi-Fi 7	2024	2.4 + 5 + 6 GHz	46 Gbps

For the CCNA exam: recognize each, know which bands they use. For deep coverage of Wi-Fi 6 / 6E / 7 features (OFDMA, MU-MIMO, MLO, etc.) see Wi-Fi 6/6E/7 Features.

Frequency bands — 2.4 GHz vs 5 GHz vs 6 GHz

Band	Channels (US)	Range	Congestion	Use
2.4 GHz	1, 6, 11 (only 3 non-overlapping)	Long (penetrates walls)	Highly congested — Bluetooth, microwaves, IoT	Legacy + IoT
5 GHz	~25 non-overlapping 20 MHz channels	Shorter, blocked by walls more	Lower	Default for enterprise
6 GHz	14 non-overlapping 80 MHz channels	Similar to 5 GHz	Almost empty (Wi-Fi 6E only)	New deployments

2.4 GHz has only 3 non-overlapping channels in the US (1, 6, 11) because the band is small and channels overlap. 5 GHz has many more, which is why it’s the modern default for enterprise. 6 GHz is fresh spectrum opened in 2020 — only Wi-Fi 6E+ clients can use it.

For deep RF physics (path loss, SNR, RSSI, antenna patterns), see Wireless RF Fundamentals.

The terminology — SSID, BSS, BSSID, ESS

This is the single most-tested set of definitions in CCNA wireless. Internalize:

Term	Stands for	What it is	Example
SSID	Service Set Identifier	The Wi-Fi network name a user sees	`Corp-Wifi`
BSS	Basic Service Set	One AP’s radio coverage area	The lobby AP’s coverage
BSSID	Basic Service Set ID	The AP radio’s MAC address (uniquely identifies a BSS)	`ec:1d:8b:33:44:55`
ESS	Extended Service Set	Multiple BSSes broadcasting the same SSID	All 50 APs broadcasting `Corp-Wifi`
IBSS	Independent BSS	Ad-hoc Wi-Fi (no AP) — peer-to-peer	Phone hotspot in ad-hoc mode

The relationship:

One AP has one or more BSSes (one per active SSID per radio).
Each BSS has a unique BSSID (the radio MAC).
Many BSSes broadcasting the same SSID form an ESS.
An SSID is the human-readable name. A BSSID is the machine-readable identifier.

You can have:

1 AP × 1 SSID × 1 BSS × 1 BSSID
1 AP × 3 SSIDs × 3 BSSes × 3 BSSIDs (each SSID has its own BSSID on the same radio)
50 APs × 1 SSID × 50 BSSes × 50 BSSIDs = 1 ESS (the canonical enterprise pattern)

AP modes — autonomous vs lightweight

Autonomous AP — standalone, configures itself, no controller needed. Each AP holds its own config (WLAN definitions, security keys, VLAN mappings). Used in:

Home / SOHO with 1-3 APs.
Branch with no WLC.
Testing / labs.

Lightweight AP (LAP) — depends on a WLC. The AP just provides the radio; everything else (auth, VLAN assignment, RF management, roaming coordination) lives on the WLC. The enterprise standard.

A lightweight AP boots → finds the WLC → forms a CAPWAP tunnel → downloads its config. From that point, the AP is just a remote radio.

	Autonomous	Lightweight
Config location	On the AP	On the WLC (pushed to AP)
Scale	Tens of APs	Thousands
Roaming coordination	None (each AP independent)	WLC orchestrates fast roaming
RF tuning	Manual per AP	WLC’s RRM (Radio Resource Management) auto-tunes
Firmware updates	One AP at a time	WLC pushes to all APs
Cost	Lower upfront	Higher (WLC + APs)
When to choose	Small site, no controller	Enterprise, multi-site, mobility

Modern Cisco APs (Catalyst 9100 series) can run in either mode — boot determines which.

CAPWAP — how APs and WLCs actually talk

CAPWAP (Control And Provisioning of Wireless Access Points, RFC 5415) is the tunnel protocol between lightweight APs and the WLC.

Two channels:

Channel	UDP port	Purpose	Encrypted?
Control	5246	Config, policy, RF management, AP status	Yes (DTLS)
Data	5247	Client traffic encapsulated to/from WLC	Optional (DTLS)

The key insight: client traffic is tunneled from AP to WLC before being released onto the wired network. So:

Client connects to AP-23 in Building B.
Client’s frames are CAPWAP-encapsulated by AP-23.
Tunnel goes to WLC (perhaps in a different building, even data center).
WLC decapsulates and forwards onto the configured VLAN.

Because it’s tunneled, the AP and WLC don’t have to be on the same VLAN or even the same subnet. The AP can be at a branch; the WLC can be at HQ over the WAN. As long as IP reachability exists between them.

The other mode: FlexConnect, where the AP switches client traffic locally instead of tunneling to the WLC. Useful for branch offices where the WAN to the WLC is too slow to hairpin all traffic through. See AP Operating Modes.

WLC discovery — how an AP finds its WLC

When a lightweight AP boots, it doesn’t know where the WLC is. It tries multiple discovery methods, in order:

Static IP — if previously configured, the AP saves the WLC IP locally. Try it first.
Local subnet broadcast — broadcast a “Discovery Request” on the local subnet. Works if WLC is on the same VLAN.
DHCP Option 43 — the DHCP server hands out a vendor-specific option containing the WLC IP(s).
DNS — the AP queries DNS for CISCO-CAPWAP-CONTROLLER.<local-domain> (where local-domain comes from the DHCP-provided DNS suffix).
Manually configured IP — administratively set on the AP’s console.

The standard enterprise pattern: DHCP Option 43 or DNS. Once the AP discovers the WLC IP, it sends a CAPWAP Join Request and forms the tunnel.

DHCP Option 43 syntax (Cisco IOS DHCP server)

R1(config)# ip dhcp pool LWAPP-VLAN
R1(dhcp-config)# network 10.20.30.0 255.255.255.0
R1(dhcp-config)# default-router 10.20.30.1
R1(dhcp-config)# option 43 hex f104.0a01.0102        ! WLC IP = 10.1.1.2

The hex format encodes WLC IP addresses. f1 = sub-option type 0xF1 (WLC IP list), 04 = length 4 bytes, then the IP in hex. Multiple IPs concatenate.

DNS approach (often easier to manage)

Create a DNS A record for CISCO-CAPWAP-CONTROLLER.example.com pointing at your WLC IP(s). APs receiving a DHCP-provided DNS suffix of example.com automatically query for this name.

Security — WPA, WPA2, WPA3

Standard	Year	Authentication	Encryption	Status in 2026
WEP	1997	Shared key	RC4	Broken since 2001. Never use.
WPA	2003	PSK or 802.1X	TKIP	Stopgap. Deprecated. Don’t use.
WPA2 Personal	2004	PSK (4-way handshake)	AES-CCMP	Still common for home/SMB
WPA2 Enterprise	2004	802.1X + RADIUS	AES-CCMP	Common enterprise default
WPA3 Personal	2018	SAE (replaces PSK with stronger handshake)	AES-CCMP	New deployments default
WPA3 Enterprise	2018	802.1X + RADIUS	AES-CCMP / AES-GCMP	New enterprise default

Defaults for new 2026 deployments:

Home / SMB / guest SSID: WPA3-Personal with SAE.
Corporate SSID: WPA3-Enterprise + 802.1X with EAP-TLS (cert-based) or PEAP (cert + password).
6 GHz band: WPA3 mandatory — Wi-Fi 6E doesn’t allow older security on this band.

For the full picture see Wi-Fi Security.

802.1X / EAP — enterprise authentication

When a client joins an Enterprise SSID:

AP/WLC sees a new device, sends an EAP Identity Request.
Client sends its identity (username or cert).
WLC forwards EAP messages to the RADIUS server (Cisco ISE, FreeRADIUS, etc.) via the RADIUS protocol.
Authentication happens (cert validation, password check, posture check).
On success, RADIUS returns a per-session encryption key (PMK) and possibly a VLAN/dACL.
Client and AP derive the session keys via the 4-way handshake.
Client is authenticated, encrypted, and assigned to its policy.

See 802.1X / dot1x for the wired equivalent (same protocol, different transport).

Roaming — the WLC’s hardest job

When a Wi-Fi client moves from AP-23 to AP-24, the network needs to:

Detect the client is on AP-24 now.
Switch CAPWAP tunnel context.
Continue the existing TCP connections seamlessly.
Avoid re-authenticating from scratch (slow).

Three roaming techniques:

Technique	What it does
Layer-2 roaming	Within the same subnet — easy. Client keeps its IP.
Layer-3 roaming	Across subnets — needs tunneling back to anchor AP/WLC.
802.11r (Fast Transition / FT)	Pre-authenticates with neighboring APs. < 50 ms handoff. Required for voice.
802.11k	Helps client discover neighbor APs
802.11v	Lets WLC suggest a better AP to a client

For voice + video: enable 802.11r + 802.11k + 802.11v on the WLAN. Without these, voice calls drop during roaming.

Configuration on a Cisco 9800 WLC (CLI snippet)

GUI is the primary interface, but CLI exists:

WLC(config)# wlan Corp-Wifi 1 Corp-Wifi
WLC(config-wlan)# security wpa
WLC(config-wlan)# security wpa wpa3
WLC(config-wlan)# security wpa wpa3 ciphers gcmp256
WLC(config-wlan)# security wpa akm dot1x-sha256
WLC(config-wlan)# aaa-override
WLC(config-wlan)# client vlan 10
WLC(config-wlan)# no shutdown

For 802.1X you’d also configure RADIUS servers and a method-list, similar to wired AAA.

Verification (Catalyst 9800)

WLC# show ap summary
WLC# show wireless wlan summary
WLC# show wireless client summary
WLC# show wireless client mac-address <mac> detail
WLC# show ap name AP-LOBBY config general
WLC# show wireless interface summary
WLC# show wireless mobility summary

show ap summary = all APs joined to the WLC + their state. show wireless client summary = all clients + their SSID + AP + signal strength + IP.

On the AP itself (Cisco IOS-XE for Catalyst APs):

AP# show capwap detail
AP# show capwap client mn
AP# show ip interface brief

The 6-step Wi-Fi debug

When clients can’t connect or can’t pass traffic:

Is the AP joined to the WLC? show ap summary — state should be Registered.
Is the SSID broadcasting? Use a Wi-Fi scanner app from a phone — see if you can detect the SSID. If not, check show wireless wlan summary for state.
Can the client associate? Check show wireless client mac-address <mac> detail. State should reach Run.
Authentication succeeded? If 802.1X, check RADIUS server logs. Common failures: expired cert, wrong password, RADIUS server unreachable.
Did the client get an IP? DHCP server side. CAPWAP delivers client traffic to the configured VLAN; verify ip helper-address on the SVI.
Can the client ping the gateway? If yes, network is fine; problem is downstream. If no, check VLAN config + ACLs.

Worked scenarios

Scenario 1. A client connects to “Corp-Wifi” near AP-A, then walks to AP-B, also broadcasting “Corp-Wifi”. What changed and what stayed the same?

Answer:

Same: SSID, ESS, client’s IP, encryption keys (if 802.11r enabled).
Different: BSSID (the radio MAC of the AP it’s associated to — now AP-B’s MAC instead of AP-A’s), BSS (now AP-B’s coverage area), possibly channel.

Scenario 2. A new branch site has 6 lightweight APs but no WLC on-site. The corporate WLC is at HQ over a 50 Mbps WAN link. What design choice avoids hairpinning all client traffic through HQ?

Answer: Configure the APs in FlexConnect mode. Client data is switched locally at the AP onto a local VLAN, while control plane still goes to HQ via CAPWAP. Saves WAN bandwidth and improves performance.

Scenario 3. An AP boots but never appears as Registered on the WLC. What are the top three checks?

Answer:

CAPWAP ports open? UDP 5246 + 5247 from the AP subnet to the WLC IP. Test with telnet WLC-IP 5246 — should at least open TCP-like to confirm reachability (though CAPWAP is UDP, this rules out path-level firewalls).
AP found the WLC? Check the AP’s console: show capwap client mn. If it can’t see the WLC, fix DHCP Option 43 or DNS.
AP IOS matches WLC? Major version mismatches prevent CAPWAP join. Upgrade or downgrade as needed.

Scenario 4. Why does an enterprise typically use lightweight APs instead of autonomous?

Answer: Centralized management at scale. With 100+ APs, individually managing config, RF channels, firmware, security keys is impractical. The WLC handles RF tuning (RRM), client load-balancing, roaming optimization, fast 802.1X auth, and centralized policy.

Scenario 5. You want the same SSID broadcast on 2.4 GHz and 5 GHz from the same physical AP. How many BSSIDs?

Answer: Two BSSIDs — one per radio. The radios have different physical MAC addresses (often differing in the low bits). The SSID is the same; the BSSIDs differ. Clients see “Corp-Wifi” and choose which radio to associate with (band steering helps them prefer 5 GHz).

Scenario 6. A client says “I can see the Wi-Fi but can’t connect.” show wireless client mac-address <mac> shows state Authenticating. Most likely cause?

Answer: 802.1X / RADIUS issue. Either RADIUS server unreachable from WLC, wrong shared secret, expired client cert, or wrong username/password. Check RADIUS server logs first.

Scenario 7. Why doesn’t WEP work for security anymore?

Answer: WEP’s RC4 implementation is fundamentally broken — known cryptographic weaknesses since 2001 allow recovering the key by capturing a few minutes of traffic. Tools like aircrack-ng automate this. There is no fix; the protocol itself is unsalvageable. WPA2/WPA3 use AES which has no comparable weakness.

Common mistakes

Two APs broadcasting the same SSID with different security settings. Clients get unpredictable behavior. Make all APs in an ESS identical.
Forgetting CAPWAP firewall ports. UDP 5246 + 5247 blocked = AP can’t join WLC. The error is silent — AP just doesn’t show up.
APs and WLC on different subnets without discovery configured. Lightweight APs default to subnet broadcast for discovery. Across subnets, configure DHCP Option 43 or DNS.
Forgetting to set DTIM / beacon intervals for IoT. Battery devices wake up at DTIM intervals to check for buffered frames. Wrong intervals drain battery fast.
Mixing 2.4 GHz + 5 GHz without band-steering. Modern clients prefer 5 GHz but some legacy gear glues to 2.4. Enable band-steering on the WLC.
Co-channel interference. Two APs on the same channel in range constantly contend. Plan reuse: 1/6/11 for 2.4 GHz; let RRM auto-tune 5 GHz.
Skipping 802.11r for voice deployments. Voice handoff requires < 50 ms; without FT, the EAP re-auth alone takes 100+ ms and calls drop.
Using WPA2-PSK in 2026 production. WPA3-Personal (SAE) is a drop-in upgrade and adds forward secrecy + offline-attack protection.
Forgetting that 6 GHz mandates WPA3. If you try to broadcast a WPA2-only SSID on 6 GHz, clients can’t join — 6 GHz blocks legacy security entirely.
High AP density without RF planning. Cramming APs every 10 feet doesn’t help if they’re all on the same channels — they just create more co-channel interference. Run a predictive survey.

Lab to try tonight

If you have access to a Cisco Catalyst 9800 WLC (CML, EVE-NG, or Cisco DevNet Sandbox):

Bring up WLC + AP — virtual 9800 + virtual AP. Wait for the AP to register.
Configure SSID — create LAB-WIFI with WPA2-PSK key cisco123. Map to VLAN 10. Enable broadcast.
Client test — connect a laptop, verify it gets a 10.0.0.x DHCP address.
CAPWAP inspection — on the AP: show capwap detail. Observe control + data tunnel state.
Multi-SSID — add a GUEST SSID mapped to VLAN 20 with captive-portal redirect.
WPA3 upgrade — change LAB-WIFI to WPA3-Personal. Reconnect from a supported client.
802.1X with RADIUS — stand up FreeRADIUS on a Linux VM. Configure WLAN security as 802.1X. Test from a corporate cert.
Multi-AP roaming — if you can join a second AP, walk a client between them. Observe BSSID change in show wireless client mac-address <mac> detail.
Bonus: FlexConnect — convert an AP to FlexConnect mode. Verify client traffic is now switched locally at the AP, not tunneled to the WLC.
Bonus: Wireshark on CAPWAP — capture between AP and WLC. Decode the CAPWAP tunnel to see encapsulated client frames.

Cheat strip

Term	Plain English
AP	Access Point — the radio. Bridges Wi-Fi to wired.
WLC	Wireless LAN Controller — central brain for many APs
SSID	Network name (`Corp-Wifi`) — human-facing
BSS	One AP’s radio coverage area
BSSID	The AP radio’s MAC address — uniquely identifies a BSS
ESS	Many BSSes broadcasting the same SSID — one logical network
IBSS	Ad-hoc Wi-Fi (no AP). Rare.
Autonomous AP	Standalone, holds its own config
Lightweight AP	Depends on WLC. Enterprise standard.
CAPWAP	Tunnel between LAP and WLC. UDP 5246 (control, DTLS) + 5247 (data)
DHCP Option 43	Hands AP the WLC IP via DHCP
CISCO-CAPWAP-CONTROLLER	DNS-based WLC discovery name
FlexConnect	Mode where AP switches client traffic locally instead of tunneling to WLC
WEP / WPA	Broken. Never use.
WPA2-PSK	Still common at home/SMB
WPA3-Personal (SAE)	2026 home/SMB default — replaces PSK with stronger handshake
WPA2/3-Enterprise	802.1X + RADIUS. Enterprise standard
6 GHz mandates WPA3	No legacy security allowed
802.11r (FT)	Fast Transition for sub-50ms roaming. Required for voice
802.11k / v	Help clients discover and switch to better APs
Bands	2.4 GHz (congested, 3 non-overlapping ch) · 5 GHz (~25 ch) · 6 GHz (14 × 80 MHz, Wi-Fi 6E only)
Generations	Wi-Fi 4 (n) · 5 (ac) · 6 (ax) · 6E · 7 (be)

← Previous topic

Inter-VLAN Routing

How devices in different VLANs talk to each other. Covers router-on-a-stick (with sub-interfaces), Layer-3 switch SVIs, and when to pick each.

Next topic →

WLAN Architectures — Autonomous, Centralized (WLC), Cloud, Embedded

Definitive CCNA-level WLAN architecture guide — autonomous vs centralized vs cloud-managed vs embedded WLC, split-MAC duty division, CAPWAP tunnel, AP modes (Local / FlexConnect / Bridge), WLC discovery, redundancy / N+1 / SSO, when each architecture fits.

Master this on a real network

Want this drilled into reflex?

1:1 weekly sessions, live feedback on your labs, and US interview prep — built around the CCNA® exam blueprint. Free first session. No card on file until you decide.

Claim my free session →

One topic per email, every fortnight

VLANs, OSPF, ACLs, subnetting, automation — written like this. Unsubscribe in one click.

We respect your inbox. One email per week, max. Unsubscribe any time.