CAPWAP AP Join Process

Once the LWAPP/CAPWAP access point has discovered and selected a controller, the next step in the process is for the AP to join the selected controller. The join process verifies the identity of both the Cisco access point and controller, ensuring that only valid Cisco APs with either a Manufacturer Installed Certificate (MIC) or Self-Signed Certificate (SSC) from an autonomous AP conversion to lightweight mode can join the controller. This process also establishes a secure communication path for the LWAPP/CAPWAP control channel to ensure that only the current controller can configure and manage the access point.

The LWAPP and CAPWAP protocol join process is built on existing asymmetric and symmetric cryptography, hashing, and digital signatures. For an introduction to these concepts, see Public Key Cryptography, SSL and TLS protocols.

To join the controller, the access point and controller perform the following process:
1.      AP sends Join Request
a.       Random Session ID
b.      X.509 Certificate of LWAPP
2.      Controller Verification
a.       Verifies LWAPP X.509 Certificate was signed by a trusted CA
b.      Generates random AES encryption key for LWAPP Control traffic
c.       Encrypts AES key using LWAPP Public Key
d.      Concatenates key ciphertext with the Session ID from LWAPP Join Request
e.       Encrypts concatenated string with Controller’s Private Key
3.      Controller sends Join Response
a.       Ciphertext (Session ID, encrypted AES key)
b.      Controller’s X.509 Certificate
4.      LWAPP Verification
a.       Verifies Controller X.509 Certificate was signed by a trusted CA
b.      Decrypts concatenated string using Controller’s Public Key
c.       Validates the Session ID
d.      Decrypts the AES key using LWAPP’s Private Key
5.      Join Process is now completed
6.      AES Key Lifetime timer is 8 hours
a.       LWAPP sends LWAPP Key Update Request (contains new Session ID)
b.      Controller generates new AES key and encrypts as stated above.
c.       Controller sends LWAPP Key Update Response

All LWAPPs manufactured after July 18, 2005 have Manufacturer Installed Certificates (MIC) burned into protected flash memory. Upgraded access points manufactured prior to this date will have Self-Signed Certificates (SSC) installed during the upgrade process. The Cisco Upgrade Tool must be used during the upgrade of older APs in order to generate the self-signed certificate. SSCs are not trusted by default by the WLCs, so a mapping of AP MAC addresses to SSC Public Key hashes is created at the time of upgrade by the Cisco Upgrade Tool. This list can then be imported into WCS and pushed to the WLC.

Access points can also be restricted from joining a controller based on the AP Policies settings in the Security tab of the WLC. This allows more granular control of APs allowed to join a controller if the organization does not want to allow any valid Cisco AP to join for security reasons. 

Select the type(s) of certificates to accept (SSC, MIC, LSC) when authorizing APs against the AP authorization list. SSC certificates always require valid AP entries in the AP authorization list. MIC and LSC are accepted by default, and will only be checked against the AP authorization list if their respective authorization check boxes are enabled.

Debugging the LWAPP Discovery and Join processes can be accomplished with the following commands:

LWAPP Console Port Commands
debug ip udp
debug lwapp client events
show crypto ca certificates

WLC Commands:
debug lwapp events enable
debug lwapp packet enable
debug lwapp error enable
debug pm pki enable
show time

It is VERY important that the WLC have the correct time set, otherwise it may reject the LWAPP Certificate during the Join process because it is outside the validity interval. To set the correct time on the controller, issue the config time CLI command.

If LWAPs are using Self-Signed Certificates, ensure that the WLC is configured to accept the SSCs:
show auth-list
config auth-list ap-policy ssc { enable | disable }
config auth-list add { mic | ssc } ap-mac ap-keyhash
config auth-list delete ap-mac