1731 Views, 0 Helpful, 5 Replies

How Secure Communication between Cisco WLC and AP

nibinrodrigues
Level 1

Hi,

I need to secure communication between the Wireless Controller and the AP using a certificate. Currently I am planning to use LSC. Is there another way to secure AP communication to the WLC other than authorizing the AP against AAA and LSC? Because in both of these scenarios MAC spoofing compromises network security.

If there is another recommended scenario, kindly provide some reference documentation/links.

Thanks

Nibin

5 Replies

Scott Fella
Hall of Fame

The document in your other post describes what you need to do. I guess my question is, why do you want to do this? If an AP joins your WLC, well, it's yours now and you have full control of the AP. I really don't see why anyone would implement this, as I have not seen this implemented even among the most secure environments.

Securing the wireless client is more important.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Thanks

George Stefanick
VIP Alumni

AP communication and AP join are two different things. LSC will secure the join, but the tunnel isn't secured unless you enable DTLS.

Sent from Cisco Technical Support iPad App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Dear George,

Thanks for the clarification. I am running WLC software version 7.0.116.0. In the AP advanced tab I am not seeing the option to enable DTLS (Datagram Transport Layer Security); screenshots attached. Can I enable this globally? Also, does this feature require any additional license?

Thanks

Nibin

Configuring Data Encryption

Cisco 5500 Series Controllers enable you to encrypt CAPWAP control packets (and optionally, CAPWAP data packets) that are sent between the access point and the controller using Datagram Transport Layer Security (DTLS). DTLS is a standards-track Internet Engineering Task Force (IETF) protocol based on TLS. CAPWAP control packets are management packets exchanged between a controller and an access point while CAPWAP data packets encapsulate forwarded wireless frames. CAPWAP control and data packets are sent over separate UDP ports: 5246 (control) and 5247 (data). If an access point does not support DTLS data encryption, DTLS is enabled only for the control plane, and a DTLS session for the data plane is not established.

Note: Only Cisco 5500 Series Controllers support data encryption. This feature is not available on other controller platforms. If an access point with data encryption enabled tries to join any other controller, the access point joins the controller, but data packets are sent unencrypted.

Note: Cisco 1130 and 1240 series access points support DTLS data encryption with software-based encryption, and 1140, 1250, 1260, and 3500 series access points support DTLS data encryption with hardware-based encryption.

DTLS data encryption is enabled automatically for OfficeExtend access points but disabled by default for all other access points. Most access points are deployed in a secure network within a company building, so data encryption is not necessary. In contrast, the traffic between an OfficeExtend access point and the controller travels through an unsecure public network, so data encryption is more important for these access points. When data encryption is enabled, traffic is encrypted at the access point before it is sent to the controller and at the controller before it is sent to the client.

Note: Encryption limits throughput at both the controller and the access point, and maximum throughput is desired for most enterprise networks.

Caution: In a Cisco unified local wireless network environment, do not enable DTLS on the Cisco 1130 and 1240 access points, as it may result in severe throughput degradation and may render the APs unusable.


__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

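The quoted documentation makes one point that is easy to miss operationally: on an AP without data encryption, only the control plane on UDP 5246 ends up inside DTLS, while the data plane on UDP 5247 keeps carrying client frames in the clear. The following Python script is an added example (not part of the quoted Cisco documentation or of any reply in this thread) for checking that from a packet capture: it classifies each CAPWAP datagram as plaintext or DTLS-protected and summarises the state of each plane. The CAPWAP preamble and CAPWAP DTLS header layout it relies on are taken from RFC 5415, the DTLS record header from RFC 6347; the sample datagrams are constructed, not real traffic, and the function and constant names are my own.

```python
"""Check whether CAPWAP control/data datagrams are DTLS-protected.

Framing assumed from RFC 5415 (CAPWAP) and RFC 6347 (DTLS), not from the
thread above:
  - every CAPWAP datagram begins with a 1-byte preamble: version in the
    high nibble (0) and type in the low nibble: 0 = plaintext CAPWAP
    header, 1 = CAPWAP DTLS header;
  - a CAPWAP DTLS header is that preamble plus 3 reserved bytes, followed
    by an ordinary DTLS record: content type (1), version (2), epoch (2),
    sequence number (6), length (2) = 13 bytes before the fragment.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CAPWAP_CONTROL_PORT = 5246   # UDP port for CAPWAP control (from the quoted doc)
CAPWAP_DATA_PORT = 5247      # UDP port for CAPWAP data (from the quoted doc)
PLANE_BY_PORT = {CAPWAP_CONTROL_PORT: "control", CAPWAP_DATA_PORT: "data"}

DTLS_VERSIONS = {b"\xfe\xff": "DTLS 1.0", b"\xfe\xfd": "DTLS 1.2"}
DTLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                      22: "handshake", 23: "application_data"}
DTLS_RECORD_HEADER_LEN = 13


@dataclass
class Verdict:
    plane: str        # "control" or "data"
    protected: bool   # True when the datagram carries a DTLS record
    detail: str       # human-readable reason


def classify_capwap(dst_port: int, payload: bytes) -> Verdict:
    """Classify one UDP payload addressed to a CAPWAP port."""
    plane = PLANE_BY_PORT.get(dst_port)
    if plane is None:
        raise ValueError(f"UDP port {dst_port} is not a CAPWAP port")
    if not payload:
        raise ValueError("empty CAPWAP payload")
    version, ptype = payload[0] >> 4, payload[0] & 0x0F
    if version != 0:
        return Verdict(plane, False, f"unknown CAPWAP preamble version {version}")
    if ptype == 0:
        return Verdict(plane, False, "plaintext CAPWAP header")
    if ptype != 1:
        return Verdict(plane, False, f"unknown CAPWAP preamble type {ptype}")
    record = payload[4:]   # skip preamble + 3 reserved bytes
    if len(record) < DTLS_RECORD_HEADER_LEN:
        return Verdict(plane, False, "CAPWAP DTLS header but truncated DTLS record")
    dtls_version = DTLS_VERSIONS.get(record[1:3])
    if dtls_version is None:
        return Verdict(plane, False,
                       f"CAPWAP DTLS header but unrecognised DTLS version {record[1:3].hex()}")
    ctype = DTLS_CONTENT_TYPES.get(record[0], f"content type {record[0]}")
    return Verdict(plane, True, f"{dtls_version} {ctype}")


def summarise(datagrams: List[Tuple[int, bytes]]) -> Dict[str, str]:
    """Per plane: 'DTLS-protected', 'plaintext', 'mixed' or 'no traffic'."""
    seen: Dict[str, List[bool]] = {"control": [], "data": []}
    for port, payload in datagrams:
        verdict = classify_capwap(port, payload)
        seen[verdict.plane].append(verdict.protected)
    result: Dict[str, str] = {}
    for plane, flags in seen.items():
        if not flags:
            result[plane] = "no traffic"
        elif all(flags):
            result[plane] = "DTLS-protected"
        elif not any(flags):
            result[plane] = "plaintext"
        else:
            result[plane] = "mixed"   # some datagrams in clear, some inside DTLS
    return result


def _dtls_record(content_type: int, version: bytes, fragment: bytes) -> bytes:
    """Build a CAPWAP DTLS header + DTLS record with epoch 0, sequence 1."""
    header = bytes([content_type]) + version + b"\x00\x00" + (1).to_bytes(6, "big")
    return b"\x01\x00\x00\x00" + header + len(fragment).to_bytes(2, "big") + fragment


# Constructed sample capture (not real traffic): the control plane negotiated
# DTLS 1.2, the data plane is left unencrypted, as on an AP without data
# encryption. The data datagram is a minimal plaintext CAPWAP header.
SAMPLE_DATAGRAMS: List[Tuple[int, bytes]] = [
    (CAPWAP_CONTROL_PORT, _dtls_record(22, b"\xfe\xfd", b"\x01" + b"\x00" * 15)),  # handshake
    (CAPWAP_CONTROL_PORT, _dtls_record(23, b"\xfe\xfd", b"\xaa" * 32)),            # encrypted control
    (CAPWAP_DATA_PORT, b"\x00\x10\x02\x00" + b"\x00" * 4 + b"\xbb" * 40),         # plaintext data
]

if __name__ == "__main__":
    for port, payload in SAMPLE_DATAGRAMS:
        v = classify_capwap(port, payload)
        print(f"{v.plane:7s} protected={v.protected!s:5s} {v.detail}")
    print(summarise(SAMPLE_DATAGRAMS))   # {'control': 'DTLS-protected', 'data': 'plaintext'}
```

To use it on a real capture, feed `summarise` the UDP destination port and payload of each packet between the AP and the WLC; a data plane reported as "plaintext" after DTLS data encryption was supposedly enabled means either the AP model does not support it or, as the quoted note says, the AP joined a controller platform that does not.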