Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
17388
Views
10
Helpful
10
Replies

CAPWAP and User Data Encryption

tobin_jim
Level 1
Level 1

‎08-10-2010 04:14 AM - edited ‎07-03-2021 07:03 PM

I'm trying to get an understanding of how user data is passed between the LWAP and the WLC. I understand from the WLC configuration guide that an encrypted exchange of control and data messages are exchanged between the LWAP and WLC using the CAPWAP protocol. It seems though that CAPWAP is used purely for the WLC to control the LWAP.

How is the user data passed between the LWAP and the WLC however? Is this encrypted using the CAPWAP protocol also?

Labels:
0 Helpful
10 Replies 10

dancampb
Level 7
Level 7

‎08-10-2010 06:29 AM

It depends on the model of controller you are running.  The CAPWAP control traffic is always encrypted but the user traffic is only encrypted if the controller is a 5508.  This is because of the additional resources available with the 5508 to be able to handle the additional overhead from the encryption.

0 Helpful

velraj.karuthakan
Level 1
Level 1
In response to dancampb

‎04-21-2014 07:20 AM

hi.

how to disable the CAPWAP Control Packets encryption in 2504 WLC

i am trying to execute this below command but it get crashed.

 

Cisco Controller) >test capwap encr AP78 disable Dumping a core. This can take a few minutes...

Controller crashed ....Queue Woken up jiffies = 4294960736

 

Software Failed on instruct

ion at:

pc = 0x104fe898 (cliTestCapwapEncryption+596), ra = 0x10b8d364 (cliTestCapwapEncryption+596)

0 Helpful

marco_bartulihe
Level 1
Level 1

‎10-25-2011 05:25 AM

All user data is passed by the LAP to WLC and, by default, CAPWAP Control Packets are encrypted, but CAPWAP Data packets are not.

To encrypt data packets, you need a WLC model 5508 (with wplus license) because this is the only controller that supports data encryption and APs model 1130 or 1240.

Cisco do not recomment to enable data encryption because this may result in severe throughput degradation and may render the APs unusable.

But, if you still want to enable data encryption:

Using the GUI (Graphical Interface):

  • Step 1: Make sure that the wplus license is installed on  the 5500 series controller. Once the license is installed, you can  enable data encryption for the access points.
  • Step 2: Choose Wireless > Access Points > All APs to open the All APs page.
  • Step 3: Click the name of the access point for which you want to enable data encryption.
  • Step 4: Choose the Advanced tab to open the All APs > Details for (Advanced) page.
  • Step 5: Check the Data Encryption check box to enable data encryption for this access point or uncheck it to disable this feature. The default value is unchecked.
  • Step 6: Click Apply to commit your changes.
  • Step 7: Click Save Configuration to save your changes.

Using CLI (Command Line Interface):

  • Step 1: To enable or disable data encryption for all access points or a specific access point, enter this command:

        config ap link-encryption {enable | disable} {all | Cisco_AP}

  • Step 2: When prompted to confirm that you want to disconnect the access point(s) and attached client(s), enter Y.
  • Step 3: To save your changes, enter this command:

       save config

If you have any doubts or need more details refer to:

http://www.cisco.com/en/US/docs/wireless/controller/6.0/configuration/guide/c60lwap.html#wp1508163

Section: Configuring Data Encryption

Regards,

Marco Bartulihe

tuhpatel
Cisco Employee
Cisco Employee
In response to marco_bartulihe

‎10-25-2011 06:26 AM

7.0.116.0 code on the WLC has encription enabled  on the WLC

0 Helpful

George Stefanick
VIP Alumni
VIP Alumni
In response to tuhpatel

‎10-25-2011 06:12 PM

Wait ... so how does the special "Russian" code play into this then ?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
0 Helpful

tuhpatel
Cisco Employee
Cisco Employee
In response to George Stefanick

‎10-26-2011 06:07 AM

Hi George

For the Russian version the coutry lwas prevent the default encryption mode. That is why that image does not have encription enabled by default. You need to obtain a PAK paper license for encriyption on this image

0 Helpful

George Stefanick
VIP Alumni
VIP Alumni
In response to tuhpatel

‎10-26-2011 07:43 AM

Oh, so the Russian code doesnt allow you to flip flop back from data encrytion to non data encryption. Correct ?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
0 Helpful

tuhpatel
Cisco Employee
Cisco Employee
In response to George Stefanick

‎10-26-2011 07:46 AM

You need to obtain a speacial PAK license for encrytion on that image. This is because  Data DTLS Payload Encryption is Regulated by the Government for Russian users

0 Helpful

George Stefanick
VIP Alumni
VIP Alumni
In response to tuhpatel

‎10-26-2011 07:55 AM

So that imgae doesnt automatcially encrypt the data payload? You still need to apply a PAK ?

Regular code .. you can flip this feature on and off with a special PAK, yes / no ?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
0 Helpful

tuhpatel
Cisco Employee
Cisco Employee
In response to George Stefanick

‎10-26-2011 07:56 AM

Yes that is correct !

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card