AP Registration to a WLC is two parts; the discovery & the join phase. Following diagram shows this concept.
Usually Discovery request handled by Management Interface of a WLC & Join Requests handled by AP-Manager Interface. In 5508 only management interface available & it act as AP-Manager interface for these join request.
These are the steps AP will go through in order to register with a WLC.
Step 1. AP begins with a WLC discovery & join phase. AP send CAPWAP discovery request messages to WLC.
Step 2. Any WLC receiving the CAPWAP discovery request responds with an CAPWAP discovery response message.
Step 3. From the CAPWAP responses received from WLCs, AP selects a WLC to join.
Step 4. AP sends a CAPWAP join request to the WLC, expecting CAPWAP join response.
Step 5. WLC validates the AP and then CAPWAP join response to the AP. The AP validates the WLC to complete the discovery & join process. The validation on both the AP & WLC is a mutual authentication mechanism.An encryption key derivation process occur subsequently and that ensure future CAPWAP control messages are encrypted.
First challenge is to find where to send CAPWAP discovery messages ? AP first go through a hunt process to find a WLC. Here are the different methods AP can used for this. The order of these are not important
1. AP issues a DHCP discover request to get an IP address, unless it has previously configured static IP.
2. AP send a layer 3 local broadcast(255.255.255.255) message to find a WLC
3. DHCP Option 43 in the DHCP offer messages.
4. DNS- AP try to resolve CISCO-CAPWAP-CONTROLLER.local-domain or CISCO-LWAPP-CONTROLLER.local-domain to find an IP of a WLC
5. Previously known WLC IP, AP will rememberup to 24 previosly learnt WLC IP address & send discovery to them.
6. Statically configured from WLC
7. Statically Configured from AP CLI
To see AP registration process in detail will remove CAPWAP AP configurations in order to remove the previously known IP. You can do this as follows via AP CLI.
LWAP-02#debug capwap console cli This command is meant only for debugging/troubleshooting Any configuration change may result in different behavior from centralized configuration. CAPWAP console CLI allow/disallow debugging is on LWAP-02#erase /all nvram: Erasing the nvram filesystem will remove all files! Continue? [confirm] [OK] Erase of nvram: complete LWAP-02#reload Proceed with reload? [confirm] Writing out the event log to nvram..
Once rebooted it will complain about no IP. Yes without IP AP cannot do anything to register with WLC.
AP5475.d0dd.a488> *Mar 1 00:00:32.955: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up *Mar 1 00:00:32.983: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up *Mar 1 00:00:33.935: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up *Mar 1 00:00:33.935: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated *Mar 1 00:00:33.963: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up *Mar 1 00:00:38.719: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !! *Mar 1 00:00:48.719: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !!
Let’s configure static IP & see the console output( Remember that I have not configure the switch port for any access vlan yet). Since these are lightweight image we cannot configure like normal IOS AP. So here are the command to do this.
capwap ap ip address 10.10.113.5 255.255.255.0 capwap ap ip default-gateway 10.10.113.1 capwap ap controller ip address 10.10.111.10
Since I have not configured the switch port for vlan 113, still AP cannot reach its gateway. Then AP try to reboot & see to learn an IP again.
AP5475.d0dd.a488# *Mar 1 00:11:09.499: %CAPWAP-3-STATIC_TO_DHCP_IP: Could not discover WLC using static IP. Forcing AP to use DHCP.
Now we will configure our switch port (fa1/0/12) to access vlan 113. This time you can see AP successfully able to complete Discovery & Join process as it can reach WLC. Note that since I have 4402 WLC it has AP manager interface with an IP (10.10.111.11) which respond to Join Request. (see below)
Press RETURN to get started! Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255) *Mar 1 00:00:31.107: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY *Mar 1 00:00:32.923: status of voice_diag_test from WLC is false *Mar 1 00:00:32.951: %SSH-5-ENABLED: SSH 2.0 has been enabled *Mar 1 00:00:32.971: Logging LWAPP message to 255.255.255.255. *Mar 1 00:00:34.747: %CDP_PD-4-POWER_OK: 15.4 W power - NEGOTIATED inline power source *Mar 1 00:00:34.775: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up *Mar 1 00:00:34.803: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up *Mar 1 00:00:35.755: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up *Mar 1 00:00:35.755: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated *Mar 1 00:00:35.783: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up Translating "CISCO-LWAPP-CONTROLLER"...domain server (255.255.255.255) Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255) *Mar 17 08:50:18.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.111.11 peer_port: 5246 *Mar 17 08:50:18.000: %CAPWAP-5-CHANGED: CAPWAP changed state to *Mar 17 08:50:18.567: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.10.111.11 peer_port: 5246 *Mar 17 08:50:18.567: %CAPWAP-5-SENDJOIN: sending Join Request to 10.10.111.11 *Mar 17 08:50:18.567: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN *Mar 17 08:50:18.707: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG *Mar 17 08:50:18.835: %LWAPP-3-CLIENTERRORLOG: Operator changed mode for 802.11g. Rebooting. *Mar 17 08:50:18.887: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down *Mar 17 08:50:18.895: %SYS-5-RELOAD: Reload requested by CAPWAP CLIENT. Reload Reason: Operator changed mode for 802.11g. *Mar 17 08:50:19.887: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down IOS Bootloader - Starting system.
If you took a wireshark packet capture of the WLC connected switch port you can see the details of each of these types of packet. See below wireshark capture shows different type of packets in discovery process.
Here is the Discovery Request packets details. Note that discovery request is sent to WLC management IP with destination port UDP 5246 (capwap-control). Also Message Element value 1 which indicate Static Configuration. Different IE value indicates the type of discovery method used. We will see few other options (DHCP, DNS, Broadcast) discovery in some other post.
3- DHCP Server
Here is the discovery response packet. As you can see WLC is providing all the information to AP (including WLC IP – AP mgr, Name, etc)
Then AP send the Join Request & expecting Join Response from WLC. First step is to establishing a secure CAPWAP connection with complete DTLS handshake as shown in the packet capture. This include Client Hello, HelloVerifyRequest/ ClientHello(with Cookie), ServerHello/Certificate, ClientKeyExchange/ ChangeCipherSpec, ServerChangeCipherSpec (See below)
Subsequent traffic is DTLS encrypted & cannot be decode to see what’s inside. You can disable encryption for CAPWAP by using “test capwap encr <ap-name> disabe” command on WLC CLI or “test capwap dtls ctrl disable” on AP CLI.
AP5475.d0dd.a488#test capwap dtls ctrl disable *Mar 17 09:54:15.891: Capwap Control packets will not be encrypted
But once I disable it , AP could not join the WLC & could not verify the complete process without DTLS encryption. In HREAP mode you can do this & see this complete process without encryption( Refer How Does OEAP Works for more detail).