The LWAPP and CAPWAP protocol join process is built on existing asymmetric and symmetric cryptography, hashing, and digital signatures. For an introduction to these concepts, see Public Key Cryptography, SSL and TLS protocols.
To join the controller, the access point and controller perform the following process:
1. AP sends Join Request
   a. Random Session ID
   b. X.509 Certificate of LWAPP
2. Controller Verification
   a. Verifies LWAPP X.509 Certificate was signed by a trusted CA
   b. Generates random AES encryption key for LWAPP Control traffic
   c. Encrypts AES key using LWAPP Public Key
   d. Concatenates key ciphertext with the Session ID from LWAPP Join Request
   e. Encrypts concatenated string with Controller’s Private Key
3. Controller sends Join Response
   a. Ciphertext (Session ID, encrypted AES key)
   b. Controller’s X.509 Certificate
4. LWAPP Verification
   a. Verifies Controller X.509 Certificate was signed by a trusted CA
   b. Decrypts concatenated string using Controller’s Public Key
   c. Validates the Session ID
   d. Decrypts the AES key using LWAPP’s Private Key
5. Join Process is now completed
6. AES Key Lifetime timer is 8 hours; when it expires:
   a. LWAPP sends LWAPP Key Update Request (contains new Session ID)
   b. Controller generates new AES key and encrypts it as stated above
   c. Controller sends LWAPP Key Update Response
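The key exchange in steps 1 to 4, as an added Go example that is not code from this post or from Cisco. It assumes the AP's and controller's public keys stand in for their X.509 certificates (the CA-signature checks of steps 2a and 4a are taken as already done), RSA-OAEP stands in for the unspecified "encrypt with LWAPP public key" operation, and an RSA-PSS signature stands in for "encrypt with controller's private key"; session ID and keys are constructed at random.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// controllerJoin is step 2: wrap a fresh AES key for the AP (RSA-OAEP), append the AP's session ID and sign the blob (RSA-PSS).
func controllerJoin(ctlPriv *rsa.PrivateKey, apPub *rsa.PublicKey, sessionID []byte) ([]byte, []byte, []byte, error) {
	aesKey := make([]byte, 16)
	rand.Read(aesKey) // step 2b: random AES-128 key for LWAPP control traffic
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, apPub, aesKey, nil) // step 2c
	if err != nil {
		return nil, nil, nil, err
	}
	payload := append(wrapped, sessionID...) // step 2d: key ciphertext || session ID
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPSS(rand.Reader, ctlPriv, crypto.SHA256, digest[:], nil) // step 2e
	if err != nil {
		return nil, nil, nil, err
	}
	return payload, sig, aesKey, nil
}

// apVerify is step 4: check the controller's signature, check the session ID is the one we sent (rejects replayed or cross-session responses), unwrap the key.
func apVerify(apPriv *rsa.PrivateKey, ctlPub *rsa.PublicKey, sessionID, payload, sig []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	if err := rsa.VerifyPSS(ctlPub, crypto.SHA256, digest[:], sig, nil); err != nil { // step 4b
		return nil, fmt.Errorf("join response: controller signature invalid: %w", err)
	}
	n := len(payload) - len(sessionID)
	if n <= 0 || !bytes.Equal(payload[n:], sessionID) { // step 4c
		return nil, fmt.Errorf("join response: session ID does not match our join request")
	}
	return rsa.DecryptOAEP(sha256.New(), nil, apPriv, payload[:n], nil) // step 4d
}

func main() {
	apPriv, _ := rsa.GenerateKey(rand.Reader, 2048)  // stand-in for the AP's MIC/SSC key pair
	ctlPriv, _ := rsa.GenerateKey(rand.Reader, 2048) // controller key pair; public key stands in for its certificate
	sid := make([]byte, 16)
	rand.Read(sid) // step 1a: constructed random session ID
	payload, sig, key, _ := controllerJoin(ctlPriv, &apPriv.PublicKey, sid)
	got, err := apVerify(apPriv, &ctlPriv.PublicKey, sid, payload, sig)
	fmt.Println("AP holds controller's AES key:", err == nil && bytes.Equal(got, key))
}
```

Binding the session ID under the controller's signature is what stops a captured Join Response from being replayed to a later join; the signature alone would not.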
Access points can also be restricted from joining a controller based on the AP Policies settings in the Security tab of the WLC. This allows more granular control of APs allowed to join a controller if the organization does not want to allow any valid Cisco AP to join for security reasons.
Select the type(s) of certificates to accept (SSC, MIC, LSC) when authorizing APs against the AP authorization list. SSC certificates always require valid AP entries in the AP authorization list. MIC and LSC are accepted by default, and will only be checked against the AP authorization list if their respective authorization check boxes are enabled.
Debugging the LWAPP Discovery and Join processes can be accomplished with the following commands:
LWAPP Console Port Commands:
debug ip udp
debug lwapp client events
show crypto ca certificates
WLC Commands:
debug lwapp events enable
debug lwapp packet enable
debug lwapp error enable
debug pm pki enable
show time
It is VERY important that the WLC have the correct time set; otherwise it may reject the LWAPP certificate during the Join process because the controller's current time falls outside the certificate's validity interval. To set the correct time on the controller, issue the config time CLI command.
If LWAPs are using Self-Signed Certificates, ensure that the WLC is configured to accept the SSCs:
show auth-list
config auth-list ap-policy ssc { enable | disable }
config auth-list add { mic | ssc } ap-mac ap-keyhash
config auth-list delete ap-mac
Cheers,
Andrew
Exactly the kind of stuff I enjoy reading, thanks for sharing.
Thanks!
A picture is worth a thousand words, and the picture you shared about the LWAPP Join process is self-explanatory. I also read the links you provided about Public Key Cryptography, SSL and TLS protocols. Cryptography is most required to maintain confidentiality.
Tiny article giving a massive picture. Fantastic!
Thanks, Sanjay
Great stuff!
I'm trying to implement CAPWAP, but I'm getting a problem: the WTP is unable to join due to a certificate problem. How do I check and resolve this for a self-signed certificate? I don't know how to include self-signed certificates within my code.
Check out this Cisco document for Troubleshooting a Lightweight Access Point Not Joining a WLC.
Cheers,
Andrew
Hi Andrew,
Is there any config that we have to run for CAPWAP on the AP and Wireless LAN Controller? Or is it done just by connecting the AP to the WLC, and they will automatically do the discovery process?
No command; the CAPWAP discovery process happens automatically.
Is there a way to find the 'date of manufacture' of an AP?
Hi krish,
I'm not sure on that. Try the "show inventory" or "show version" commands. I don't have access to a Cisco AP at the moment and can't check.
Andrew
Nice explanation