There are a lot of resources, esp. for the device-to-AP part. WPA2+AES is just one glint of the big picture; there are other blends as well, esp. on how you want to authenticate your users, e.g.:
- WPA2+AES w/ PSK - usual deployment using a shared key for all users
- WPA2+AES w/ EAP or 802.1X - more secure auth and typically used at enterprise levels; username/password is how the users authenticate. PS: EAP has a lot of flavors as well; there's LEAP, EAP-FAST, EAP-TLS (certificate-based authentication)
WPAv1 (WPA1), WEP, TKIP are other encryption flavors and quite old (WEP being the oldest and easy to breach). In today's networks WPA2+AES is the daddy of them all; all the rest like EAP are just sprinkles.
Oh yeah, you might ask why CAPWAP is not encrypted by default and the admin must manually enable it. Well, in my opinion, especially if your deployment is in your internal network, it's not needed.
We typically enable CAPWAP+DTLS only over remote-area deployments, though even that is not needed since remote areas which are typically connected through VPN, which has encryption/hashing and all of those in place. Note that encrypting CAPWAP with DTLS adds a header, i.e., additional bytes traversing through your infrastructure.
So yeah, it's a case-to-case basis on when CAPWAP+DTLS is enabled, but for internal deployments only, e.g., where your WLC and AP are on just one managed network, it's not that significant. Still, if you want to enable it, you can xD
Thanks a lot for your answer. I understand well what you meant.
I'm just still wondering: if we are using simple Web authentication with the WLC's guest portal, as the Layer 2 security is disabled and the Layer 3 security is used, would that mean there is no encryption?
Usually, Web Authentication has no Layer 2 security, e.g., no WPA2+AES encryption.
So yeah, there is no encryption involved in guest portals. That is why they are deployed on a separate VLAN that has no route to the internal network; its L3 path goes directly out to the firewall, for example.
What it means to have ONLY L3 security is that:
1. Guest users already get an IP address
2. Traffic from guests is only allowed to pass through if they provide correct credentials
Look, encryption happens between two (2) devices: User<-->AP<-->WLC<--->ISE
From User to AP, well, it depends on how you set it up. For Guest, it is usually unencrypted, but if you use https:// then it is encrypted using SSL.
Again, by default AP to WLC is unencrypted, but again you don't need to encrypt it since this is usually in the internal network. From WLC to ISE is connected via RADIUS; though it uses a shared key, it is not encrypted, but then again, you don't need to encrypt it because, again, it is on the internal network.
The only way 'hackers' can get through that traffic in the internal network is if you allow them to, and configured a sniffing port for them.
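To make the "shared key but not encrypted" point about the WLC-to-ISE leg concrete, here is an added Python example; it is not from the original thread or from any Cisco or ISE code. It builds a minimal RADIUS Access-Request as RFC 2865 describes it and then parses it the way someone on the path without the shared secret would: the User-Name and NAS-Identifier attributes read in the clear, and only the User-Password attribute is hidden, using the MD5/XOR scheme keyed by the shared secret and the Request Authenticator. The secret, username, password and NAS identifier are constructed sample values.

```python
import hashlib
import struct

# RADIUS code and attribute types from RFC 2865
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: User-Password is XORed with an MD5 keystream
    derived from the shared secret and the 16-byte Request Authenticator.
    Only this one attribute is obscured; nothing else in the packet is."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    # pad with NULs to a multiple of 16; an empty password still occupies one block
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block  # each block chains on the previous ciphertext block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; needs the same secret and Request Authenticator."""
    padded, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        padded += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return padded.rstrip(b"\x00")


def build_access_request(ident, authenticator, username, password, secret, nas_id):
    """Assemble a minimal Access-Request: 20-byte header plus TLV attributes."""
    attrs = b""
    for atype, value in ((USER_NAME, username),
                         (USER_PASSWORD, hide_password(password, secret, authenticator)),
                         (NAS_IDENTIFIER, nas_id)):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute TLVs exactly as an observer WITHOUT the secret can."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: the shared secret gives the server's reply integrity
    (MD5 over header, request authenticator, attributes and secret), not confidentiality."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed sample value
    req_auth = bytes(range(16))               # constructed; a real NAS uses 16 random bytes
    pkt = build_access_request(7, req_auth, b"guest01", b"Welcome1!", secret, b"wlc-1")
    seen = parse_attributes(pkt)
    print("User-Name in clear:     ", seen[USER_NAME])
    print("NAS-Identifier in clear:", seen[NAS_IDENTIFIER])
    print("User-Password on wire:  ", seen[USER_PASSWORD].hex())
    print("With the secret:        ", reveal_password(seen[USER_PASSWORD], secret, req_auth))
```

Running it shows what the shared secret does and does not buy you on that leg: the reply gets an integrity check and one attribute gets obscured, while the rest of the exchange (who is logging in, from which NAS, and whether access was granted) is readable by anyone with a sniffing port on that segment. That is the reason the answer above ties the "no need to encrypt" advice to the WLC and ISE sitting on a managed internal network.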