CAPWAP and User Data Encryption

Unanswered Question

I'm trying to get an understanding of how user data is passed between the LWAP and the WLC. I understand from the WLC configuration guide that an encrypted exchange of control and data messages are exchanged between the LWAP and WLC using the CAPWAP protocol. It seems though that CAPWAP is used purely for the WLC to control the LWAP.

How is the user data passed between the LWAP and the WLC however? Is this encrypted using the CAPWAP protocol also?

dancampb Tue, 08/10/2010 - 06:29
User Badges:
  • Cisco Employee,

It depends on the model of controller you are running. The CAPWAP control traffic is always encrypted but the user traffic is only encrypted if the controller is a 5508. This is because of the additional resources available with the 5508 to be able to handle the additional overhead from the encryption.

velraj.karuthakan Mon, 04/21/2014 - 07:20


How to disable the CAPWAP Control Packets encryption in 2504 WLC?

I am trying to execute the command below but it crashes.


        (Cisco Controller) >test capwap encr AP78 disable
        Dumping a core. This can take a few minutes...

        Controller crashed ....Queue Woken up jiffies = 4294960736

        Software Failed on instruction at:

        pc = 0x104fe898 (cliTestCapwapEncryption+596), ra = 0x10b8d364 (cliTestCapwapEncryption+596)

marco_bartulihe Tue, 10/25/2011 - 05:25

All user data is passed by the LAP to WLC and, by default, CAPWAP Control Packets are encrypted, but CAPWAP Data packets are not.

To encrypt data packets, you need a WLC model 5508 (with wplus license) because this is the only controller that supports data encryption and APs model 1130 or 1240.

Cisco does not recommend enabling data encryption because this may result in severe throughput degradation and may render the APs unusable.

But, if you still want to enable data encryption:

Using the GUI (Graphical Interface):

  • Step 1: Make sure that the wplus license is installed on the 5500 series controller. Once the license is installed, you can enable data encryption for the access points.
  • Step 2: Choose Wireless > Access Points > All APs to open the All APs page.
  • Step 3: Click the name of the access point for which you want to enable data encryption.
  • Step 4: Choose the Advanced tab to open the All APs > Details for (Advanced) page.
  • Step 5: Check the Data Encryption check box to enable data encryption for this access point or uncheck it to disable this feature. The default value is unchecked.
  • Step 6: Click Apply to commit your changes.
  • Step 7: Click Save Configuration to save your changes.

Using CLI (Command Line Interface):

  • Step 1: To enable or disable data encryption for all access points or a specific access point, enter this command:

        config ap link-encryption {enable | disable} {all | Cisco_AP}

  • Step 2: When prompted to confirm that you want to disconnect the access point(s) and attached client(s), enter Y.
  • Step 3: To save your changes, enter this command:

       save config

If you have any doubts or need more details refer to:

Section: Configuring Data Encryption


Marco Bartulihe
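
An added example, not part of the post above: one way to verify from a packet capture whether the CAPWAP data channel is actually protected after changing the setting. It goes beyond the thread and assumes standard RFC 5415 framing (control on UDP 5246, data on UDP 5247, a preamble byte whose type nibble is 0 for a plain CAPWAP header and 1 for a CAPWAP DTLS header); the packets are constructed samples.

```python
# Added example: classify CAPWAP UDP payloads as DTLS-protected or plaintext.
# Assumptions (RFC 5415, not stated in the thread): control = UDP 5246,
# data = UDP 5247; first payload byte = version (high nibble) | type (low nibble),
# type 0 = plain CAPWAP header, type 1 = CAPWAP DTLS header.
from collections import Counter

CAPWAP_PORTS = {5246: "control", 5247: "data"}
PREAMBLE_TYPES = {0: "plaintext", 1: "dtls"}


def classify(src_port, dst_port, payload):
    """Return (channel, protection) for one UDP payload, or None if not CAPWAP."""
    # The WLC side owns the well-known port, so check both directions.
    channel = CAPWAP_PORTS.get(dst_port) or CAPWAP_PORTS.get(src_port)
    if channel is None or not payload:
        return None
    version, ptype = payload[0] >> 4, payload[0] & 0x0F
    if version != 0:
        return (channel, "unknown")
    return (channel, PREAMBLE_TYPES.get(ptype, "unknown"))


def summarize(packets):
    """Count packets per (channel, protection) pair."""
    counts = Counter()
    for src_port, dst_port, payload in packets:
        result = classify(src_port, dst_port, payload)
        if result is not None:
            counts[result] += 1
    return counts


def data_channel_exposed(counts):
    """True if any client data crossed the AP-to-WLC link without DTLS."""
    return counts[("data", "plaintext")] > 0


# Constructed sample: (src_port, dst_port, UDP payload). Not a real capture.
SAMPLE_PACKETS = [
    (50001, 5246, bytes.fromhex("00100200") + b"discovery"),  # discovery is sent in the clear
    (50001, 5246, bytes.fromhex("01000000" "17feff") + b"\x00" * 16),  # DTLS control
    (5246, 50001, bytes.fromhex("01000000" "17feff") + b"\x00" * 16),  # DTLS control (WLC to AP)
    (50001, 5247, bytes.fromhex("00100200") + b"802.11 frame"),  # plaintext data
    (50001, 443, b"\x16\x03\x01"),  # unrelated traffic, ignored
]

if __name__ == "__main__":
    counts = summarize(SAMPLE_PACKETS)
    for (channel, protection), n in sorted(counts.items()):
        print(f"{channel:8s} {protection:10s} {n}")
    print("data channel exposed:", data_channel_exposed(counts))
```

A plaintext packet on the control port is not by itself a finding, since discovery precedes the DTLS handshake; plaintext on the data port means client frames are readable on the wired path between AP and WLC.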

tuhpatel Tue, 10/25/2011 - 06:26
User Badges:
  • Cisco Employee,

code on the WLC has encryption enabled on the WLC

George Stefanick Tue, 10/25/2011 - 18:12
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Best Publication, October 2015

Wait ... so how does the special "Russian" code play into this then ?

tuhpatel Wed, 10/26/2011 - 06:07
User Badges:
  • Cisco Employee,

Hi George

For the Russian version the country laws prevent the default encryption mode. That is why that image does not have encryption enabled by default. You need to obtain a PAK paper license for encryption on this image

George Stefanick Wed, 10/26/2011 - 07:43

Oh, so the Russian code doesn't allow you to flip flop back from data encryption to non data encryption. Correct ?

tuhpatel Wed, 10/26/2011 - 07:46
User Badges:
  • Cisco Employee,

You need to obtain a special PAK license for encryption on that image. This is because Data DTLS Payload Encryption is Regulated by the Government for Russian users

George Stefanick Wed, 10/26/2011 - 07:55

So that image doesn't automatically encrypt the data payload? You still need to apply a PAK ?

Regular code .. you can flip this feature on and off with a special PAK, yes / no ?

