Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Encryption between end-device to AP and between AP to WLC


I was wondering how the data is encrypted from the end-device to the AP and from the AP to the WLC.

For me, the encryption between the AP and the WLC is up when we check through the "show ap link-encryption" , is that ok ?

But how the encryption between the end-device and the AP is working ? If we have a guest SSID with a web page on the WLC ?



Short answer:1. Device to AP

Short answer:
1. Device to AP => Your L2 Security setting e.g., WPA2+AES
2. AP to WLC    => By default CAPWAP is not encrypted but admin can enable CAPWAP over DTLS

Technical Answer, take time to read :P
1. Device to AP
    -Depends on your L2 settings, but to cover WPA2+AES
    -Click me like you mean it

2. AP to WLC:
    -Click me like you mean it

There are a lot of resources esp. for the device to AP part. WPA2+AES is just one glint of the big picture, there are other blends as well esp. on how you want to authenticate your users e.g., WPA2+AES w/ PSK    
-Usual deployment using a shared key for all ysers

WPA2+AES w/ EAP or 802.1X        
-More secure auth and typical used in enterprise lvls, username/password is how the users authenticate 
PS: EAP has a lot of flavors as well, there LEAP, EAP-FAST, EAP-TLS(Certificate based authentiation)

WPAv1(WPA1), WEP, TKIP are other encryption flavors and quite old (WEP being the oldest and easy to breach). In todays networks WPA2+AES is the daddy of them all, all the rest like EAP are just sprinkles

Rate or Mark as Answer helpful post :)


Oh yeah, you might ask why

Oh yeah, you might ask why CAPWAP is not encrypted by default and the admin must manually enable it, well in my opinion, especially if your deployment is in your internal network, it's not needed

We typically enable CAPWAP+DTLS only over remote area deployments though even that is not needed since remote areas w/c are typically connected through VPN w/c has encyrption/hashing and all of those in place. Note that encyrpting CAPWAP with DTLS adds a header e.g., that's additional bytes traversing through your infrastructure

So yeah, case to case basis on when CAPWAP+DTLS is enabled, but for internal deployments only e.g., where your WLC and AP is on just one managed network, it not that significant, still if you want to enable it, you can xD

New Member

Hi LJ,

Hi LJ,

Thanks a lot for your answer. I understand well what you meant.

I'm just still wondering if we are using simple Web authentication with the WLC's guest portal, as the Layer 2 security is disabled, and the Layer 3 security is used, would that mean there is no encryption ???



Usually, Web Authentication

Usually, Web Authentication has no Layer 2 security e.g., no WPA2+AES encryption.

So yeah, there is no encryption involved in Guest portals.
that is why they are deployed on a separate VLAN that has no route on the internal network
its L3 details are directly out to the firewall for example.

What it means having ONLY L3 security is that:
1. Guest users already get an IP address
2. Traffic from guest is only allowed to passthrough if they provide correct credentials

New Member

Hello LJ,

Hello LJ,

That was what I was thinking, thanks !

And if we have a guest portal on a cisco ISE, is there en encryption ?



Look, encryption happens

Look, encryption happens between two(2) devices

From User to AP, well it depends on how you set it up, for Guest, it is usually unencrypted but if you use https:// then it is encrypted using SSL

Again, by default AP to WLC is unencrypted, but again you dont need to encrypt it since this usually in the internal network
From WLC to ISE is connected via RADIUS, though uses a shared key, it is not, but then again, you dont need to enrypt it because again, it is on the internal network

The only way for 'hackers' can get through those traffic in the internal network is if you allow then to, and configured for them a sniffing port 

CreatePlease login to create content