Introduction To CAPWAP (Ch12)

CAPWAP is an IEEE standard protocol that enables a WLC to manage multiple APs and WLANs. It establishes tunnels using UDP ports to encapsulate and forward wireless client traffic between APs and the WLC. CAPWAP uses DTLS encryption for security and can operate over IPv4 or IPv6. The split MAC architecture distributes functions like authentication, association, and frame translation between the AP and WLC. FlexConnect allows remote APs to operate in connected or standalone mode and perform some WLC functions when the connection is lost. Proper channel selection and AP placement are important for optimizing WLAN performance and avoiding interference.

Uploaded by Areej Omar
Introduction to CAPWAP

CAPWAP is an IEEE standard protocol that enables a WLC to manage multiple APs and WLANs.
CAPWAP is also responsible for the encapsulation and forwarding of WLAN client traffic between an
AP and a WLC.

CAPWAP is based on LWAPP but adds additional security with Datagram Transport Layer Security
(DTLS). CAPWAP establishes tunnels on User Datagram Protocol (UDP) ports. CAPWAP can
operate either over IPv4 or IPv6, as shown in the figure, but uses IPv4 by default.

IPv4 and IPv6 both use UDP ports 5246 and 5247. Port 5246 is for CAPWAP control messages
used by the WLC to manage the AP. Port 5247 is used by CAPWAP to encapsulate data packets
traveling to and from wireless clients. However, CAPWAP tunnels use different IP protocols in the
packet header. IPv4 uses IP protocol 17 and IPv6 uses IP protocol 136.

Split MAC Architecture

A key component of CAPWAP is the concept of a split media access control (MAC). The CAPWAP
split MAC concept does all of the functions normally performed by individual APs and distributes
them between two functional components:

• AP MAC Functions
• WLC MAC Functions

The lists below show some of the MAC functions performed by each.

AP MAC Functions:
• Beacons and probe responses
• Packet acknowledgements and retransmissions
• Frame queueing and packet prioritization
• MAC layer data encryption and decryption

WLC MAC Functions:
• Authentication
• Association and re-association of roaming clients
• Frame translation to other protocols
• Termination of 802.11 traffic on a wired interface

DTLS Encryption
DTLS is a protocol which provides security between the AP and the WLC. It allows them to
communicate using encryption and prevents eavesdropping or tampering.

DTLS is enabled by default to secure the CAPWAP control channel but is disabled by default for the
data channel, as shown in the figure. All CAPWAP management and control traffic exchanged
between an AP and WLC is encrypted and secured by default to provide control plane privacy and
prevent Man-In-the-Middle (MITM) attacks.

CAPWAP data encryption is optional and is enabled per AP. Data encryption requires a DTLS
license to be installed on the WLC prior to being enabled on an AP. When enabled, all WLAN client
traffic is encrypted at the AP before being forwarded to the WLC and vice versa.
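The port assignments above (5246 control, 5247 data) and the DTLS defaults in this section (control on, data off unless enabled per AP) can be turned into a small audit. The code below is an added example, not part of the course text: it classifies captured UDP datagrams by CAPWAP channel and reports which channels were seen without DTLS, using the CAPWAP preamble byte from RFC 5415 section 4.2 (type 0 = plain CAPWAP header, type 1 = DTLS header). The datagrams and addresses are constructed samples.

```python
"""Audit CAPWAP traffic for control and data channels that are not DTLS-protected.

Added example, not from the course text. Uses the UDP ports from the text
(5246 control, 5247 data) and the CAPWAP preamble byte from RFC 5415 section
4.2: high nibble = version (0), low nibble = type, where type 0 means a
cleartext CAPWAP header follows and type 1 means a DTLS record follows.
All datagrams below are constructed samples, not real captures.
"""
from collections import namedtuple

CAPWAP_CONTROL_PORT = 5246
CAPWAP_DATA_PORT = 5247
PREAMBLE_TYPE_CAPWAP = 0  # plain CAPWAP header: payload readable on the wire
PREAMBLE_TYPE_DTLS = 1    # CAPWAP DTLS header: channel is DTLS-protected

Datagram = namedtuple("Datagram", "src dst dst_port payload")


def classify(dgram):
    """Return (channel, encrypted) for a CAPWAP datagram, or None if it is
    not CAPWAP (other port, empty payload, or an unknown preamble)."""
    if dgram.dst_port == CAPWAP_CONTROL_PORT:
        channel = "control"
    elif dgram.dst_port == CAPWAP_DATA_PORT:
        channel = "data"
    else:
        return None
    if not dgram.payload:
        return None
    version, ptype = dgram.payload[0] >> 4, dgram.payload[0] & 0x0F
    if version != 0 or ptype not in (PREAMBLE_TYPE_CAPWAP, PREAMBLE_TYPE_DTLS):
        return None
    return channel, ptype == PREAMBLE_TYPE_DTLS


def audit(datagrams):
    """Per AP-to-WLC pair, record whether each channel was seen in the clear.
    Returns {(src, dst): {"control": bool, "data": bool}}; True means at
    least one cleartext datagram was observed on that channel."""
    seen = {}
    for d in datagrams:
        result = classify(d)
        if result is None:
            continue
        channel, encrypted = result
        entry = seen.setdefault((d.src, d.dst), {"control": False, "data": False})
        if not encrypted:
            entry[channel] = True
    return seen


def findings(datagrams):
    """Cleartext control traffic is the serious case (DTLS is on by default
    there); cleartext data traffic is expected unless data DTLS was enabled
    on the AP, so it is reported as informational."""
    out = []
    for (src, dst), flags in sorted(audit(datagrams).items()):
        if flags["control"]:
            out.append(f"HIGH {src}->{dst}: CAPWAP control channel seen in cleartext")
        if flags["data"]:
            out.append(f"INFO {src}->{dst}: CAPWAP data channel not DTLS-protected")
    return out


# Constructed sample traffic between one AP (10.0.0.5) and one WLC (10.0.0.1).
DTLS_RECORD = b"\x01\x00\x00\x00" + b"\x16\xfe\xfd" + bytes(11)  # DTLS header, handshake record
PLAIN_CAPWAP = b"\x00\x10\x02\x00" + bytes(4)                     # cleartext CAPWAP header
SAMPLE = [
    Datagram("10.0.0.5", "10.0.0.1", CAPWAP_CONTROL_PORT, DTLS_RECORD),
    Datagram("10.0.0.5", "10.0.0.1", CAPWAP_DATA_PORT, PLAIN_CAPWAP),
    Datagram("10.0.0.5", "10.0.0.1", 53, b"\x00\x01"),  # not CAPWAP at all
]

if __name__ == "__main__":
    for line in findings(SAMPLE):
        print(line)
```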

FlexConnect APs
FlexConnect is a wireless solution for branch office and remote office deployments. It lets you
configure and control access points in a branch office from the corporate office through a WAN link,
without deploying a controller in each office.

There are two modes of operation for the FlexConnect AP.

• Connected mode - The WLC is reachable. In this mode the FlexConnect AP has CAPWAP
connectivity with its WLC and can send traffic through the CAPWAP tunnel, as shown in the figure.
The WLC performs all its CAPWAP functions.
• Standalone mode - The WLC is unreachable. The FlexConnect AP has lost or failed to establish
CAPWAP connectivity with its WLC. In this mode, a FlexConnect AP can assume some of the WLC
functions such as switching client data traffic locally and performing client authentication locally.

Channel Management
Frequency Channel Saturation
Wireless LAN devices have transmitters and receivers tuned to specific frequencies of radio waves
to communicate. A common practice is for frequencies to be allocated as ranges. Such ranges are
then split into smaller ranges called channels.

If the demand for a specific channel is too high, that channel is likely to become oversaturated. The
saturation of the wireless medium degrades the quality of the communication. Over the years, a
number of techniques have been created to improve wireless communication and alleviate
saturation. These techniques mitigate channel saturation by using the channels in a more efficient
way.

• Direct-Sequence Spread Spectrum (DSSS) - This is a modulation technique designed to spread a
signal over a larger frequency band. Spread spectrum techniques were developed during war time to
make it more difficult for enemies to intercept or jam a communication signal. It does this by
spreading the signal over a wider frequency which effectively hides the discernible peak of the
signal, as shown in the figure. A properly configured receiver can reverse the DSSS modulation and
re-construct the original signal. DSSS is used by 802.11b devices to avoid interference from other
devices using the same 2.4 GHz frequency.
• Frequency-Hopping Spread Spectrum (FHSS) - This relies on spread spectrum methods to
communicate. It transmits radio signals by rapidly switching a carrier signal among many frequency
channels. With FHSS, the sender and receiver must be synchronized to “know” which channel to
jump to. This channel hopping process allows for a more efficient usage of the channels, decreasing
channel congestion. FHSS was used by the original 802.11 standard. Walkie-talkies and 900 MHz
cordless phones also use FHSS, and Bluetooth uses a variation of FHSS.
• Orthogonal Frequency-Division Multiplexing (OFDM) - This is a subset of frequency division
multiplexing in which a single channel uses multiple sub-channels on adjacent frequencies. Sub-
channels in an OFDM system are precisely orthogonal to one another, which allows the sub-channels
to overlap without interfering. OFDM is used by a number of communication systems including
802.11a/g/n/ac. The new 802.11ax uses a variation of OFDM called Orthogonal frequency-division
multiaccess (OFDMA).

Channel Selection
A best practice for WLANs requiring multiple APs is to use non-overlapping channels. For example,
the 802.11b/g/n standards operate in the 2.4 GHz to 2.5 GHz spectrum. The 2.4 GHz band is
subdivided into multiple channels. Each channel is allotted 22 MHz bandwidth and is separated from
the next channel by 5 MHz. The 802.11b standard identifies 11 channels for North America, as
shown in the figure (13 in Europe and 14 in Japan).
Note: Search the internet for 2.4 GHz channels to learn more about the variations for different
countries.

Figure: 2.4 GHz Overlapping Channels in North America (11 channels, each 22 MHz wide and 5 MHz apart,
across the 2.2 GHz to 2.5 GHz spectrum).

Interference occurs when one signal overlaps a channel reserved for another signal, causing
possible distortion. The best practice for 2.4 GHz WLANs that require multiple APs is to use non-
overlapping channels, although most modern APs will do this automatically. If there are three
adjacent APs, use channels 1, 6, and 11, as shown in the figure.

Figure: 2.4 GHz Non-Overlapping Channels for 802.11b/g/n (three APs using channels 1, 6, and 11).

For the 5 GHz standards 802.11a/n/ac, there are 24 channels. The 5 GHz band is divided into three
sections. Each channel is separated from the next channel by 20 MHz. The figure shows all 24
Unlicensed National Information Infrastructure (U-NII) channels for the 5 GHz band. Although
there is a slight overlap at the tails of each channel's frequency, the channels do not interfere with
one another. 5 GHz wireless can provide faster data transmission for wireless clients in heavily
populated wireless networks because of the large number of non-overlapping wireless channels.

Note: Search the internet for 5 GHz channels to learn more about the variations for different
countries.

Figure: 5 GHz First Eight Non-Interfering Channels (8 channels spaced 20 MHz apart, across 5150 MHz
to 5350 MHz).

As with 2.4 GHz WLANs, choose non-interfering channels when configuring multiple 5 GHz APs that
are adjacent to each other, as shown in the figure.
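The channel rules from both bands (22 MHz wide and 5 MHz apart in 2.4 GHz, 20 MHz apart in 5 GHz) can be checked mechanically. The code below is an added example, not part of the course text: it computes channel edges from the IEEE 802.11 centre-frequency numbering, tests two channels for overlap, and picks non-overlapping channels for a set of adjacent APs, reproducing the 1/6/11 choice and generalising it to the 5 GHz band.

```python
"""Channel overlap checks and non-overlapping channel planning for adjacent APs.

Added example, not from the course text. Centre frequencies use the IEEE
802.11 numbering (2.4 GHz: 2407 + 5 * n MHz for channels 1-13, channel 14 at
2484 MHz; 5 GHz: 5000 + 5 * n MHz) and the channel widths the text gives
(22 MHz for 802.11b/g/n, 20 MHz for the 5 GHz channels). Two channels count
as overlapping when their centres are closer than one channel width, so
5 GHz channels whose edges only touch are treated as non-interfering.
"""

WIDTH_MHZ = {"2.4": 22, "5": 20}


def centre_mhz(band, channel):
    """Centre frequency in MHz of `channel` in the "2.4" or "5" GHz band."""
    if band == "2.4":
        if channel == 14:
            return 2484
        if 1 <= channel <= 13:
            return 2407 + 5 * channel
    elif band == "5":
        if 36 <= channel <= 177:
            return 5000 + 5 * channel
    raise ValueError(f"channel {channel} is not valid in the {band} GHz band")


def edges_mhz(band, channel):
    """(lower edge, upper edge) of a channel in MHz."""
    centre, half = centre_mhz(band, channel), WIDTH_MHZ[band] / 2
    return centre - half, centre + half


def overlaps(band, a, b):
    """True if channels a and b share spectrum and would interfere."""
    return abs(centre_mhz(band, a) - centre_mhz(band, b)) < WIDTH_MHZ[band]


def plan_channels(band, candidates, ap_count):
    """Greedily give each adjacent AP a channel that overlaps none already
    assigned. Returns fewer than ap_count channels if the candidates run out,
    which is the signal that the APs cannot all be placed on non-overlapping
    channels."""
    chosen = []
    for channel in candidates:
        if len(chosen) == ap_count:
            break
        if not any(overlaps(band, channel, used) for used in chosen):
            chosen.append(channel)
    return chosen


if __name__ == "__main__":
    print("2.4 GHz, three APs:", plan_channels("2.4", range(1, 12), 3))
    print("5 GHz, three APs:", plan_channels("5", [36, 40, 44, 48, 52, 56, 60, 64], 3))
```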

Figure: 5 GHz Non-Interfering Channels for 802.11a/n/ac (three APs using channels 36, 48, and 60).

Plan a WLAN Deployment

Figure: a map of a venue with different areas, entrances, and exits, with circles in different areas
to limit the area of coverage.

The number of users supported by a WLAN depends on the geographical layout of the facility,
including the number of bodies and devices that can fit in a space, the data rates users expect, the
use of non-overlapping channels by multiple APs in an ESS, and transmit power settings.

When planning the location of APs, the approximate circular coverage area is important (as shown in
the figure), but there are some additional recommendations:

• If APs are to use existing wiring or if there are locations where APs cannot be placed, note these
locations on the map.
• Note all potential sources of interference which can include microwave ovens, wireless video
cameras, fluorescent lights, motion detectors, or any other device that uses the 2.4 GHz range.
• Position APs above obstructions.
• Position APs vertically near the ceiling in the center of each coverage area, if possible.
• Position APs in locations where users are expected to be. For example, conference rooms are
typically a better location for APs than a hallway.
• If an IEEE 802.11 network has been configured for mixed mode, the wireless clients may experience
slower than normal speeds in order to support the older wireless standards.

When estimating the expected coverage area of an AP, realize that this value varies depending on
the WLAN standard or mix of standards that are deployed, the nature of the facility, and the transmit
power that the AP is configured for. Always consult the specifications for the AP when planning for
coverage areas.

Wireless Security Overview
A WLAN is open to anyone within range of an AP who has the appropriate credentials to associate to it.
With a wireless NIC and knowledge of cracking techniques, an attacker may not have to physically
enter the workplace to gain access to a WLAN.

Attacks can be generated by outsiders, disgruntled employees, and even unintentionally by
employees. Wireless networks are specifically susceptible to several threats, including:

• Interception of data - Wireless data should be encrypted to prevent it from being read by
eavesdroppers.
• Wireless intruders - Unauthorized users attempting to access network resources can be deterred
through effective authentication techniques.
• Denial of Service (DoS) Attacks - Access to WLAN services can be compromised either
accidentally or maliciously. Various solutions exist depending on the source of the DoS attack.
• Rogue APs - Unauthorized APs installed by a well-intentioned user or for malicious purposes can
be detected using management software.

DoS Attacks
Wireless DoS attacks can be the result of:

• Improperly configured devices - Configuration errors can disable the WLAN. For instance, an
administrator could accidentally alter a configuration and disable the network, or an intruder with
administrator privileges could intentionally disable a WLAN.
• A malicious user intentionally interfering with the wireless communication - Their goal is to
disable the wireless network completely or to the point where no legitimate device can access the
medium.
• Accidental interference - WLANs are prone to interference from other wireless devices including
microwave ovens, cordless phones, baby monitors, and more, as shown in the figure. The 2.4 GHz
band is more prone to interference than the 5 GHz band.

Rogue Access Points

A rogue AP is an AP or wireless router that has been connected to a corporate network without
explicit authorization and against corporate policy. Anyone with access to the premises can install
(maliciously or non-maliciously) an inexpensive wireless router that can potentially allow access to a
secure network resource.

Once connected, the rogue AP can be used by an attacker to capture MAC addresses, capture data
packets, gain access to network resources, or launch a man-in-the-middle attack.

A personal network hotspot could also be used as a rogue AP. For example, a user with secure
network access enables their authorized Windows host to become a Wi-Fi AP. Doing so circumvents
the security measures and other unauthorized devices can now access network resources as a
shared device.

To prevent the installation of rogue APs, organizations must configure WLCs with rogue AP policies,
as shown in the figure, and use monitoring software to actively monitor the radio spectrum for
unauthorized APs.

Man-in-the-Middle Attack
In a man-in-the-middle (MITM) attack, the hacker is positioned in between two legitimate
entities in order to read or modify the data that passes between the two parties. There are many
ways in which to create a MITM attack.

A popular wireless MITM attack is called the “evil twin AP” attack, where an attacker introduces
a rogue AP and configures it with the same SSID as a legitimate AP, as shown in the figure.
Locations offering free Wi-Fi, such as airports, cafes, and restaurants, are particularly popular
spots for this type of attack due to the open authentication.

Figure: a threat actor at Bob's Latte has used their laptop to set up an evil twin using an SSID of
"Bob latte", open authentication, and channel 6.

Wireless clients attempting to connect to a WLAN would see two APs with the same SSID offering
wireless access. Those near the rogue AP find the stronger signal and most likely associate with it.
User traffic is now sent to the rogue AP, which in turn captures the data and forwards it to the
legitimate AP, as shown in the figure. Return traffic from the legitimate AP is sent to the rogue AP,
captured, and then forwarded to the unsuspecting user. The attacker can steal the user's passwords
and personal information, gain access to their device, and compromise the system.

Defeating a MITM attack depends on the sophistication of the WLAN infrastructure and the vigilance
in monitoring activity on the network. The process begins with identifying legitimate devices on the
WLAN. To do this, users must be authenticated. After all of the legitimate devices are known, the
network can be monitored for abnormal devices or traffic.

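The defensive process just described, starting from an inventory of legitimate devices and then watching for abnormal ones, is shown below as an added example, not part of the course text. It takes scan results of the kind a WLC's rogue detection or a WIDS tool produces and flags BSSIDs that advertise a corporate SSID without being in the inventory (the evil twin case, scored higher when the impostor uses open authentication) as well as authorized BSSIDs advertising weaker security than policy requires. The inventory, SSIDs, BSSIDs and scan entries are all constructed sample data.

```python
"""Flag rogue and evil-twin AP candidates from a wireless scan.

Added example, not from the course text. AUTHORIZED maps each corporate SSID
to its legitimate BSSIDs and the security it must advertise; SAMPLE_SCAN is
a constructed scan. In practice both come from the WLC's rogue detection or
a spectrum/WIDS tool.
"""
from collections import namedtuple

ScanEntry = namedtuple("ScanEntry", "ssid bssid security channel signal_dbm")

# Constructed inventory of legitimate APs for the corporate SSID.
AUTHORIZED = {
    "CorpWiFi": {"bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
                 "security": "WPA2-Enterprise"},
}


def analyze_scan(scan, authorized=AUTHORIZED):
    """Return a list of (severity, bssid, reason) findings.

    - A BSSID broadcasting a corporate SSID that is not in the inventory is an
      evil-twin candidate; if it is also open, the severity is raised, since
      that is the "same SSID, open authentication" setup described above.
    - An authorized BSSID advertising weaker security than required is flagged
      as misconfigured or impersonated with a cloned MAC address.
    Networks with SSIDs we do not own are ignored: they are not ours to police.
    """
    findings = []
    for e in scan:
        policy = authorized.get(e.ssid)
        if policy is None:
            continue
        if e.bssid not in policy["bssids"]:
            severity = "HIGH" if e.security == "Open" else "MEDIUM"
            findings.append((severity, e.bssid,
                             f"unknown BSSID advertising '{e.ssid}' "
                             f"({e.security}, channel {e.channel}, {e.signal_dbm} dBm)"))
        elif e.security != policy["security"]:
            findings.append(("HIGH", e.bssid,
                             f"authorized BSSID advertising '{e.ssid}' with "
                             f"{e.security}, expected {policy['security']}"))
    return findings


# Constructed scan: two legitimate APs, one evil twin, one unrelated neighbour.
SAMPLE_SCAN = [
    ScanEntry("CorpWiFi", "00:11:22:33:44:01", "WPA2-Enterprise", 1, -55),
    ScanEntry("CorpWiFi", "00:11:22:33:44:02", "WPA2-Enterprise", 11, -60),
    ScanEntry("CorpWiFi", "de:ad:be:ef:00:01", "Open", 6, -40),
    ScanEntry("CafeGuest", "aa:bb:cc:dd:ee:ff", "Open", 6, -70),
]

if __name__ == "__main__":
    for severity, bssid, reason in analyze_scan(SAMPLE_SCAN):
        print(severity, bssid, reason)
```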
SSID Cloaking and MAC Address Filtering
Wireless signals can travel through solid matter, such as ceilings, floors, walls, outside of the home,
or office space. Without stringent security measures in place, installing a WLAN can be the
equivalent of putting Ethernet ports everywhere, even outside.

To keep wireless intruders out and protect data, two early security features were used and are still
available on most routers and APs: SSID cloaking and MAC address filtering.

SSID Cloaking

APs and some wireless routers allow the SSID beacon frame to be disabled, as shown in the figure.
Wireless clients must manually configure the SSID to connect to the network.

MAC Address Filtering

An administrator can manually permit or deny clients wireless access based on their physical MAC
hardware address. In the figure, the router is configured to permit two MAC addresses. Devices with
different MAC addresses will not be able to join the 2.4GHz WLAN.

802.11 Original Authentication Methods

Although these two features would deter most users, the reality is that neither SSID cloaking nor
MAC address filtering would deter a crafty intruder. SSIDs are easily discovered even if APs do not
broadcast them and MAC addresses can be spoofed. The best way to secure a wireless network is
to use authentication and encryption systems.

Two types of authentication were introduced with the original 802.11 standard:

• Open system authentication - Any wireless client can easily connect. It should only be used in
situations where security is of no concern, such as those providing free internet access like cafes,
hotels, and remote areas. The wireless client is responsible for providing its own security, such as
using a virtual private network (VPN) to connect securely. VPNs provide authentication and
encryption services. VPNs are beyond the scope of this topic.
• Shared key authentication - Provides mechanisms, such as WEP, WPA, WPA2, and WPA3 to
authenticate and encrypt data between a wireless client and AP. However, the password must be
pre-shared between both parties to connect.

The following chart summarizes these authentication methods.

Shared Key Authentication Methods

There are four shared key authentication techniques available, as described below. Until the
availability of WPA3 devices becomes ubiquitous, wireless networks should use the WPA2 standard.

• Wired Equivalent Privacy (WEP) - The original 802.11 specification designed to secure the data
using the Rivest Cipher 4 (RC4) encryption method with a static key. However, the key never changes
when exchanging packets. This makes it easy to hack. WEP is no longer recommended and should never
be used.
• Wi-Fi Protected Access (WPA) - A Wi-Fi Alliance standard that uses WEP, but secures the data with
the much stronger Temporal Key Integrity Protocol (TKIP) encryption algorithm. TKIP changes the key
for each packet, making it much more difficult to hack.
• WPA2 - WPA2 is the current industry standard for securing wireless networks. It uses the Advanced
Encryption Standard (AES) for encryption. AES is currently considered the strongest encryption
protocol.
• WPA3 - The next generation of Wi-Fi security. All WPA3-enabled devices use the latest security
methods, disallow outdated legacy protocols, and require the use of Protected Management Frames
(PMF). However, devices with WPA3 are not yet readily available.

Authenticating a Home User

Home routers typically have two choices for authentication: WPA and WPA2. WPA2 is the stronger
of the two. The figure shows the option to select one of two WPA2 authentication methods:

• Personal - Intended for home or small office networks, users authenticate using a pre-shared key
(PSK). Wireless clients authenticate with the wireless router using a pre-shared password. No
special authentication server is required.
• Enterprise - Intended for enterprise networks but requires a Remote Authentication Dial-In User
Service (RADIUS) authentication server. Although more complicated to set up, it provides additional
security. The device must be authenticated by the RADIUS server and then users must authenticate
using 802.1X standard, which uses the Extensible Authentication Protocol (EAP) for authentication.

In the figure, the administrator is configuring the wireless router with WPA2 Personal authentication
on the 2.4 GHz band.

Encryption Methods
Encryption is used to protect data. If an intruder has captured encrypted data, they would not be able
to decipher it in any reasonable amount of time.

The WPA and WPA2 standards use the following encryption protocols:
• Temporal Key Integrity Protocol (TKIP) - TKIP is the encryption method used by WPA. It provides
support for legacy WLAN equipment by addressing the original flaws associated with the 802.11
WEP encryption method. It makes use of WEP, but encrypts the Layer 2 payload using TKIP, and
carries out a Message Integrity Check (MIC) in the encrypted packet to ensure the message has not
been altered.
• Advanced Encryption Standard (AES) - AES is the encryption method used by WPA2. It is the
preferred method because it is a far stronger method of encryption. It uses the Counter Cipher Mode
with Block Chaining Message Authentication Code Protocol (CCMP) that allows destination hosts to
recognize if the encrypted and non-encrypted bits have been altered.

In the figure, the administrator is configuring the wireless router to use WPA2 with AES encryption
on the 2.4 GHz band.

Authentication in the Enterprise

In networks that have stricter security requirements, an additional authentication or login is required
before wireless clients are granted access. The Enterprise security mode choice requires an
Authentication, Authorization, and Accounting (AAA) RADIUS server and the following settings:

• RADIUS Server IP address - This is the reachable address of the RADIUS server.
• UDP port numbers - Officially assigned UDP ports 1812 for RADIUS Authentication, and 1813 for
RADIUS Accounting, but can also operate using UDP ports 1645 and 1646, as shown in the figure.
• Shared key - Used to authenticate the AP with the RADIUS server.

In the figure, the administrator is configuring the wireless router with WPA2 Enterprise authentication
using AES encryption. The RADIUS server IPv4 address is configured as well with a strong
password to be used between the wireless router and the RADIUS server.

The shared key is not a parameter that must be configured on a wireless client. It is only required on
the AP to authenticate with the RADIUS server. User authentication and authorization is handled by
the 802.1X standard, which provides a centralized, server-based authentication of end users.

The 802.1X login process uses EAP to communicate with the AP and RADIUS server. EAP is a
framework for authenticating network access. It can provide a secure authentication mechanism and
negotiate a secure private key which can then be used for a wireless encryption session using TKIP
or AES encryption.
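The shared key's role, authenticating the AP to the RADIUS server and the server's replies to the AP, is shown below in an added example that is not part of the course text. It implements the two checks that RADIUS itself defines: the Response Authenticator of RFC 2865, which the AP verifies on every Access-Accept/Reject, and the Message-Authenticator attribute of RFC 3579, which the server verifies on Access-Requests carrying EAP (the 802.1X case above). The shared key, identifiers and attribute values are constructed samples.

```python
"""Verify RADIUS packets with the shared key, as the AP (NAS) and server do.

Added example, not from the course text. Implements RFC 2865 (Response
Authenticator = MD5(Code | ID | Length | Request Authenticator | Attributes |
Secret)) and RFC 3579 (Message-Authenticator = HMAC-MD5 over the packet with
that attribute's value zeroed, required when EAP-Message attributes are
carried), using only the standard library. The shared key, identifiers and
attributes below are constructed sample values.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code (1) + Identifier (1) + Length (2) + Authenticator (16)


def encode_attrs(attrs):
    """Encode a list of (type, value-bytes) pairs as RADIUS attribute TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_request(ident, request_auth, attrs, secret):
    """Build an Access-Request that carries a valid Message-Authenticator."""
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body))
    pkt += request_auth + body
    # HMAC-MD5 keyed with the shared secret over the packet while the
    # Message-Authenticator value (the last 16 bytes here) is still zeroed.
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def verify_message_authenticator(packet, secret):
    """Server-side check: was the Access-Request built with our shared secret?"""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False  # malformed TLV
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += attr_len
    return False  # attribute absent: RFC 3579 says discard EAP requests


def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """RFC 2865 section 3: binds the reply to the request and to the secret."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """What the RADIUS server sends back (Access-Accept or Access-Reject)."""
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, body, request_auth, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + auth + body


def verify_response(packet, request_auth, secret):
    """AP-side check: accept the reply only if it was produced with our shared
    secret, answers our request (same Request Authenticator) and is intact."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[HEADER_LEN:],
                                      request_auth, secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])
```

In a real exchange the Request Authenticator is 16 random bytes chosen by the AP per request; the fixed value in the test exists only to make the example deterministic.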

WPA3
At the time of this writing, devices that support WPA3 authentication were not readily available.
However, WPA2 is no longer considered secure. WPA3, if available, is the recommended 802.11
authentication method. WPA3 includes four features:
• WPA3-Personal
• WPA3-Enterprise
• Open Networks
• Internet of Things (IoT) Onboarding

WPA3-Personal

In WPA2-Personal, threat actors can listen in on the “handshake” between a wireless client and the
AP and use a brute force attack to try to guess the PSK. WPA3-Personal thwarts this attack by
using Simultaneous Authentication of Equals (SAE), a feature specified in IEEE 802.11-2016.
The PSK is never exposed, making it impossible for the threat actor to guess.

WPA3-Enterprise

WPA3-Enterprise still uses 802.1X/EAP authentication. However, it requires the use of a 192-bit
cryptographic suite and eliminates the mixing of security protocols for previous 802.11 standards.
WPA3-Enterprise adheres to the Commercial National Security Algorithm (CNSA) Suite which is
commonly used in high security Wi-Fi networks.

Open Networks

Open networks in WPA2 send user traffic in unauthenticated, clear text. In WPA3, open or public
Wi-Fi networks still do not use any authentication. However, they do use Opportunistic Wireless
Encryption (OWE) to encrypt all wireless traffic.

IoT Onboarding

Although WPA2 included Wi-Fi Protected Setup (WPS) to quickly onboard devices without
configuring them first, WPS is vulnerable to a variety of attacks and is not recommended.
Furthermore, IoT devices are typically headless, meaning they have no built-in GUI for configuration,
and need an easy way to get connected to the wireless network. The Device Provisioning
Protocol (DPP) was designed to address this need. Each headless device has a hardcoded public
key. The key is typically stamped on the outside of the device or its packaging as a Quick Response
(QR) code. The network administrator can scan the QR code and quickly onboard the device.
Although not strictly part of the WPA3 standard, DPP will replace WPS over time.
