Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CAPWAP and User Data Encryption

I'm trying to get an understanding of how user data is passed between the LWAP and the WLC. I understand from the WLC configuration guide that an encrypted exchange of control and data messages are exchanged between the LWAP and WLC using the CAPWAP protocol. It seems though that CAPWAP is used purely for the WLC to control the LWAP.

How is the user data passed between the LWAP and the WLC however? Is this encrypted using the CAPWAP protocol also?

10 REPLIES
Gold

Re: CAPWAP and User Data Encryption

It depends on the model of controller you are running.  The CAPWAP control traffic is always encrypted but the user traffic is only encrypted if the controller is a 5508.  This is because of the additional resources available with the 5508 to be able to handle the additional overhead from the encryption.

New Member

hi.how to disable the CAPWAP

hi.

how to disable the CAPWAP Control Packets encryption in 2504 WLC

i am trying to execute this below command but it get crashed.

 

Cisco Controller) >test capwap encr AP78 disable Dumping a core. This can take a few minutes...

Controller crashed ....Queue Woken up jiffies = 4294960736

 

Software Failed on instruct

ion at:

pc = 0x104fe898 (cliTestCapwapEncryption+596), ra = 0x10b8d364 (cliTestCapwapEncryption+596)

New Member

Re: CAPWAP and User Data Encryption

All user data is passed by the LAP to WLC and, by default, CAPWAP Control Packets are encrypted, but CAPWAP Data packets are not.

To encrypt data packets, you need a WLC model 5508 (with wplus license) because this is the only controller that supports data encryption and APs model 1130 or 1240.

Cisco do not recomment to enable data encryption because this may result in severe throughput degradation and may render the APs unusable.

But, if you still want to enable data encryption:

Using the GUI (Graphical Interface):

  • Step 1: Make sure that the wplus license is installed on  the 5500 series controller. Once the license is installed, you can  enable data encryption for the access points.
  • Step 2: Choose Wireless > Access Points > All APs to open the All APs page.
  • Step 3: Click the name of the access point for which you want to enable data encryption.
  • Step 4: Choose the Advanced tab to open the All APs > Details for (Advanced) page.
  • Step 5: Check the Data Encryption check box to enable data encryption for this access point or uncheck it to disable this feature. The default value is unchecked.
  • Step 6: Click Apply to commit your changes.
  • Step 7: Click Save Configuration to save your changes.

Using CLI (Command Line Interface):

  • Step 1: To enable or disable data encryption for all access points or a specific access point, enter this command:

        config ap link-encryption {enable | disable} {all | Cisco_AP}

  • Step 2: When prompted to confirm that you want to disconnect the access point(s) and attached client(s), enter Y.
  • Step 3: To save your changes, enter this command:

       save config

If you have any doubts or need more details refer to:

http://www.cisco.com/en/US/docs/wireless/controller/6.0/configuration/guide/c60lwap.html#wp1508163

Section: Configuring Data Encryption

Regards,

Marco Bartulihe

Cisco Employee

Re: CAPWAP and User Data Encryption

7.0.116.0 code on the WLC has encription enabled  on the WLC

Re: CAPWAP and User Data Encryption

Wait ... so how does the special "Russian" code play into this then ?

__________________________________________________________________________________________ "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin ___________________________________________________________
Cisco Employee

Re: CAPWAP and User Data Encryption

Hi George

For the Russian version the coutry lwas prevent the default encryption mode. That is why that image does not have encription enabled by default. You need to obtain a PAK paper license for encriyption on this image

Re: CAPWAP and User Data Encryption

Oh, so the Russian code doesnt allow you to flip flop back from data encrytion to non data encryption. Correct ?

__________________________________________________________________________________________ "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin ___________________________________________________________
Cisco Employee

Re: CAPWAP and User Data Encryption

You need to obtain a speacial PAK license for encrytion on that image. This is because  Data DTLS Payload Encryption is Regulated by the Government for Russian users

Re: CAPWAP and User Data Encryption

So that imgae doesnt automatcially encrypt the data payload? You still need to apply a PAK ?

Regular code .. you can flip this feature on and off with a special PAK, yes / no ?

__________________________________________________________________________________________ "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin ___________________________________________________________
Cisco Employee

Re: CAPWAP and User Data Encryption

Yes that is correct !

7835
Views
0
Helpful
10
Replies
CreatePlease login to create content