This post gives a little insight into the packet flow when an Office Extend Access Point (OEAP) registers to a WLC and starts to work. I have disabled encryption, which allows me to see the CAPWAP control headers.
Even when an AP is in local mode, the DTLS control traffic should follow the same flow (I was unable to capture it in local mode, because the AP will not register to the WLC with encryption disabled).
Because the Office Extend AP is configured with the wireless controller's IP address, it sends a "CAPWAP-Control – Discovery Request" to the controller's management IP address. This goes to UDP port 5246 (CAPWAP-Control) and is marked DSCP CS6 (48).
The controller then responds with a "CAPWAP-Control Discovery Response" from source port UDP 5246, also marked DSCP CS6.
The next step is to start the DTLS (Datagram Transport Layer Security) handshake.
In the DTLS handshake, the client (AP) sends a "Client Hello" to the WLC to start handshake phase 1. The reply it expects from the server (WLC) is a "Hello Verify Request". Because DTLS runs over UDP, the client keeps a retransmission timer for this flight: if no "Hello Verify Request" arrives, it retransmits the "Client Hello".
The "Hello Verify Request" carries a stateless cookie, and the client sends a second "Client Hello" that echoes it. This is the DTLS countermeasure against DoS: the server keeps no state and does no expensive cryptography until the client has shown it can receive traffic at its claimed source address. The server (WLC) then replies with "Server Hello", followed by Certificate, Server Key Exchange, Certificate Request (asking the AP for its own certificate) and "Server Hello Done". These DTLS messages are usually large, so they are fragmented into several datagrams; the packet capture output shows this. The client (AP) then sends Certificate, Client Key Exchange, Certificate Verify and Change Cipher Spec back to the server (WLC), followed by its Finished message, which is already encrypted. Below is the packet capture of these messages.
From this point onwards, all application data between client and server is encrypted (see the capture below).
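The discovery and handshake flights described above, as an added example that is not part of the original post and not Cisco code: a small Python model of the CAPWAP-DTLS control channel. It builds the AP and WLC flights as constructed datagrams (the CAPWAP DTLS preamble from RFC 5415 followed by DTLS 1.0 records), parses them back, reassembles a handshake message that was fragmented across several datagrams (including an out-of-order or missing fragment), and checks that the second Client Hello echoes exactly the cookie from the Hello Verify Request. The cookie value, the "certificate" bytes and the all-zero client random are constructed placeholders, and all messages are in epoch 0 (cleartext), which is the only part of the exchange a capture can show anyway.

```python
import struct
from collections import namedtuple

CAPWAP_DTLS_PREAMBLE = b"\x01\x00\x00\x00"  # RFC 5415 preamble: version 0, type 1 = DTLS header follows
DTLS_1_0 = 0xFEFF                           # DTLS 1.0 record-layer version
HANDSHAKE = 22                              # DTLS record content type
CLIENT_HELLO, HELLO_VERIFY_REQUEST, CERTIFICATE = 1, 3, 11  # handshake message types

Fragment = namedtuple("Fragment", "msg_type msg_len msg_seq frag_off body")  # one piece of message msg_seq

def build_datagrams(msg_type, body, msg_seq, mtu=60):
    """Split one handshake message into DTLS records, one CAPWAP datagram each."""
    out = []
    for off in range(0, len(body), mtu):
        chunk = body[off:off + mtu]
        hs = (bytes([msg_type]) + len(body).to_bytes(3, "big") + struct.pack("!H", msg_seq)
              + off.to_bytes(3, "big") + len(chunk).to_bytes(3, "big") + chunk)
        # record header: content type, version, epoch 0 (cleartext), 48-bit sequence number, length
        rec = struct.pack("!BHHHIH", HANDSHAKE, DTLS_1_0, 0, 0, len(out), len(hs)) + hs
        out.append(CAPWAP_DTLS_PREAMBLE + rec)
    return out

def parse_datagram(pkt):
    """Return the cleartext handshake fragments carried in one CAPWAP-DTLS datagram."""
    if pkt[:4] != CAPWAP_DTLS_PREAMBLE:
        raise ValueError("not a CAPWAP DTLS datagram (expected type-1 preamble)")
    off, frags = 4, []
    while off < len(pkt):
        ctype, _ver, epoch, _, _, length = struct.unpack_from("!BHHHIH", pkt, off)
        rec, off = pkt[off + 13:off + 13 + length], off + 13 + length
        if len(rec) != length:
            raise ValueError("truncated DTLS record")
        if ctype != HANDSHAKE or epoch != 0:
            continue  # epoch 1 records are encrypted: nothing readable from here on
        p = 0
        while p < len(rec):  # a record may carry several handshake fragments
            msg_len, msg_seq = int.from_bytes(rec[p + 1:p + 4], "big"), struct.unpack_from("!H", rec, p + 4)[0]
            frag_off, frag_len = int.from_bytes(rec[p + 6:p + 9], "big"), int.from_bytes(rec[p + 9:p + 12], "big")
            body = rec[p + 12:p + 12 + frag_len]
            if len(body) != frag_len:
                raise ValueError("truncated handshake fragment")
            frags.append(Fragment(rec[p], msg_len, msg_seq, frag_off, body))
            p += 12 + frag_len
    return frags

def feed(state, frag):
    """Add a fragment to a per-sender reassembly dict; return (msg_type, body) once the message is whole."""
    t, n, parts = state.setdefault(frag.msg_seq, (frag.msg_type, frag.msg_len, {}))
    if (t, n) != (frag.msg_type, frag.msg_len) or frag.frag_off + len(frag.body) > n:
        raise ValueError("fragment disagrees with the message it claims to belong to")
    parts[frag.frag_off] = frag.body
    buf, covered = bytearray(n), 0
    for off in sorted(parts):
        if off > covered:
            return None  # gap: a datagram is still missing (lost or reordered), keep waiting
        buf[off:off + len(parts[off])] = parts[off]
        covered = max(covered, off + len(parts[off]))
    return (t, bytes(buf)) if covered == n else None

def make_client_hello(cookie=b""):
    """Constructed ClientHello: version, all-zero random, empty session_id, cookie, one cipher suite."""
    return (struct.pack("!H", DTLS_1_0) + bytes(32) + b"\x00" + bytes([len(cookie)]) + cookie
            + b"\x00\x02\x00\x2f" + b"\x01\x00")  # TLS_RSA_WITH_AES_128_CBC_SHA; null compression

def make_hello_verify(cookie):
    return struct.pack("!H", DTLS_1_0) + bytes([len(cookie)]) + cookie  # HelloVerifyRequest body
def client_hello_cookie(body):
    p = 35 + body[34]  # skip version(2), random(32) and session_id<0..32>
    return body[p + 1:p + 1 + body[p]]
def hello_verify_cookie(body):
    return body[3:3 + body[2]]  # version(2), then cookie<0..255>

def check_cookie_exchange(flights):
    """flights are (sender, msg_type, body) in wire order; True if the anti-DoS cookie round trip is intact."""
    hellos = [f for f in flights if f[1] in (CLIENT_HELLO, HELLO_VERIFY_REQUEST)][:3]
    expected = [("AP", CLIENT_HELLO), ("WLC", HELLO_VERIFY_REQUEST), ("AP", CLIENT_HELLO)]
    if [(s, t) for s, t, _ in hellos] != expected:
        return False
    cookie = hello_verify_cookie(hellos[1][2])  # the second ClientHello must echo exactly this
    return (client_hello_cookie(hellos[0][2]) == b"" and cookie != b""
            and client_hello_cookie(hellos[2][2]) == cookie)

def run_exchange():
    """Replay the post's flights: ClientHello, HelloVerifyRequest, ClientHello+cookie, fragmented Certificate."""
    cookie = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed cookie value
    cert = b"\x30\x82" + bytes(range(256))                        # constructed stand-in for a DER certificate
    wire = [("AP", build_datagrams(CLIENT_HELLO, make_client_hello(), 0)),
            ("WLC", build_datagrams(HELLO_VERIFY_REQUEST, make_hello_verify(cookie), 0)),
            ("AP", build_datagrams(CLIENT_HELLO, make_client_hello(cookie), 1)),  # message_seq bumps after HVR
            ("WLC", build_datagrams(CERTIFICATE, cert, 2, mtu=100))]           # 258 bytes -> 3 datagrams
    state, flights, datagrams = {"AP": {}, "WLC": {}}, [], 0
    for sender, pkts in wire:
        for pkt in pkts:
            datagrams += 1
            for frag in parse_datagram(pkt):
                done = feed(state[sender], frag)
                if done:
                    flights.append((sender,) + done)
    return {"datagrams": datagrams, "messages": len(flights),
            "certificate_ok": flights[-1][1:] == (CERTIFICATE, cert),
            "cookie_ok": check_cookie_exchange(flights)}
```

`run_exchange()` returns the checks a capture analyst would make on this flow: six datagrams carry four handshake messages, the WLC certificate only reassembles once all three of its fragments have arrived (a missing or reordered datagram leaves `feed` returning `None`, which is exactly the situation the retransmission timer covers), and an exchange whose second Client Hello carries a cookie other than the one from the Hello Verify Request is rejected. Reassembly state is kept per sender because the AP and the WLC number their handshake messages independently.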
1. Office Extend – Overview
2. Configuring OEAP
3. H-REAP Modes of Operation
4. H-REAP with RADIUS
5. H-REAP with Local Auth (LEAP/EAP-FAST)
6. OEAP with Multiple Remote LANs
I'm trying to connect an Office Extend AP that is already configured, but when I try to connect the Office Extend to a specific INET connection it does not work... but on the other hand I have tried the AP at home and it worked perfectly...
It is strange... I have requested the INET provider to open the ports UDP 5246 and UDP 5247, and they reserved a static IP for the AP, which is configured in DHCP mode... but from the INET that we have at the office it is not able to connect to the WLAN Controller.
Is there anything we could do apart from opening the ports?
Perhaps we need to open some other port, or do some other configuration on the office INET network?
Thanks in advance.
If that works over the public Internet at your home, then there should be some restriction with the given service provider?
From the WLC, can you ping the static IP given by the ISP?
Thank you very much for your help. We finally managed to solve the problem.
There was a static IP set up on the WAN port with a different subnet from the one the Internet provider is giving us now.
Thank you again 🙂