topic CAPWAP and User Data Encryption in Wireless

CAPWAP and User Data Encryption

tobin_jim — Sun, 04 Jul 2021 02:03:52 GMT

I'm trying to get an understanding of how user data is passed between the LWAP and the WLC. I understand from the WLC configuration guide that an encrypted exchange of control and data messages are exchanged between the LWAP and WLC using the CAPWAP protocol. It seems though that CAPWAP is used purely for the WLC to control the LWAP.

How is the user data passed between the LWAP and the WLC however? Is this encrypted using the CAPWAP protocol also?

Re: CAPWAP and User Data Encryption

dancampb — Tue, 10 Aug 2010 13:29:27 GMT

It depends on the model of controller you are running. The CAPWAP control traffic is always encrypted but the user traffic is only encrypted if the controller is a 5508. This is because of the additional resources available with the 5508 to be able to handle the additional overhead from the encryption.

Re: CAPWAP and User Data Encryption

marco_bartulihe — Tue, 25 Oct 2011 12:25:41 GMT

All user data is passed by the LAP to WLC and, by default, CAPWAP Control Packets are encrypted, but CAPWAP Data packets are not.

To encrypt data packets, you need a WLC model 5508 (with wplus license) because this is the only controller that supports data encryption and APs model 1130 or 1240.

Cisco do not recomment to enable data encryption because this may result in severe throughput degradation and may render the APs unusable.

But, if you still want to enable data encryption:

Using the GUI (Graphical Interface):

Step 1: Make sure that the wplus license is installed on the 5500 series controller. Once the license is installed, you can enable data encryption for the access points.
Step 2: Choose Wireless > Access Points > All APs to open the All APs page.
Step 3: Click the name of the access point for which you want to enable data encryption.
Step 4: Choose the Advanced tab to open the All APs > Details for (Advanced) page.
Step 5: Check the Data Encryption check box to enable data encryption for this access point or uncheck it to disable this feature. The default value is unchecked.
Step 6: Click Apply to commit your changes.
Step 7: Click Save Configuration to save your changes.

Using CLI (Command Line Interface):

Step 1: To enable or disable data encryption for all access points or a specific access point, enter this command:

config ap link-encryption {enable | disable} {all | Cisco_AP}

Step 2: When prompted to confirm that you want to disconnect the access point(s) and attached client(s), enter Y.
Step 3: To save your changes, enter this command:

save config

If you have any doubts or need more details refer to:

http://www.cisco.com/en/US/docs/wireless/controller/6.0/configuration/guide/c60lwap.html#wp1508163

Section: Configuring Data Encryption

Regards,

Marco Bartulihe

Re: CAPWAP and User Data Encryption

tuhpatel — Tue, 25 Oct 2011 13:26:58 GMT

7.0.116.0 code on the WLC has encription enabled on the WLC

Re: CAPWAP and User Data Encryption

George Stefanick — Wed, 26 Oct 2011 01:12:43 GMT

Wait ... so how does the special "Russian" code play into this then ?

Re: CAPWAP and User Data Encryption

tuhpatel — Wed, 26 Oct 2011 13:07:40 GMT

Hi George

For the Russian version the coutry lwas prevent the default encryption mode. That is why that image does not have encription enabled by default. You need to obtain a PAK paper license for encriyption on this image

Re: CAPWAP and User Data Encryption

George Stefanick — Wed, 26 Oct 2011 14:43:22 GMT

Oh, so the Russian code doesnt allow you to flip flop back from data encrytion to non data encryption. Correct ?

Re: CAPWAP and User Data Encryption

tuhpatel — Wed, 26 Oct 2011 14:46:49 GMT

You need to obtain a speacial PAK license for encrytion on that image. This is because Data DTLS Payload Encryption is Regulated by the Government for Russian users

Re: CAPWAP and User Data Encryption

George Stefanick — Wed, 26 Oct 2011 14:55:17 GMT

So that imgae doesnt automatcially encrypt the data payload? You still need to apply a PAK ?

Regular code .. you can flip this feature on and off with a special PAK, yes / no ?

Re: CAPWAP and User Data Encryption

tuhpatel — Wed, 26 Oct 2011 14:56:37 GMT

Yes that is correct !

hi.how to disable the CAPWAP

velraj.karuthakan — Mon, 21 Apr 2014 14:20:28 GMT

hi.

how to disable the CAPWAP Control Packets encryption in 2504 WLC

i am trying to execute this below command but it get crashed.

Cisco Controller) >test capwap encr AP78 disable Dumping a core. This can take a few minutes...

Controller crashed ....Queue Woken up jiffies = 4294960736

Software Failed on instruct

ion at:

pc = 0x104fe898 (cliTestCapwapEncryption+596), ra = 0x10b8d364 (cliTestCapwapEncryption+596)