Huawei Capwap Encryption

Created: May 29, 2020 06:12:56 | Latest reply: May 30, 2020 07:55:27
Rewarded HiCoins: 0 (problem resolved)

Hi, I would like to know more about how CAPWAP encryption works. How secure is it for our data and management traffic?

Thanks much in advance.

Orville T.

Featured Answers

Recommended answer

Popeye_Wang (Admin), created May 30, 2020 07:55:27

Hi,

The AC manages and controls APs in a centralized manner through Control and Provisioning of Wireless Access Points (CAPWAP) tunnels. CAPWAP tunnels provide the following functions:

  • Maintain the running status of APs and the AC.

  • Help the AC manage APs and deliver configurations to APs.

  • Transmit service data to the AC for centralized forwarding.

Figure 1 shows the process of establishing a CAPWAP tunnel.
Figure 1 CAPWAP tunnel establishment process
The process of establishing a CAPWAP tunnel is as follows:

1. An AP sends a Discovery Request packet to find an available AC (Discovery Phase). The AC determines whether to allow the AP. This process is similar to that in the AP access and control phase. The AC does not respond to Discovery Request packets sent by an AP that is not allowed.

An AP can discover an AC in static or dynamic mode.

  • Static mode

    An AC IP address list is preconfigured on the AP. When the AP goes online, the AP unicasts a Discovery Request packet to each AC whose IP address is specified in the preconfigured AC IP address list. After receiving the Discovery Request packet, the ACs send Discovery Response packets to the AP. The AP then selects an AC to establish a CAPWAP tunnel according to the received Discovery Response packets.

  • Dynamic mode

    An AP can dynamically discover an AC in DHCP, DNS, or broadcast mode. Details on each of the modes are as follows:

    • DHCP mode: An AP obtains the AC IP address through DHCP (by configuring a DHCP response packet to carry Option 43 for IPv4 packets or Option 52 for IPv6 packets containing the AC IP address list on the DHCP server), and sends a Discovery Request unicast packet to the AC. The AC then sends a Discovery Response packet to the AP.

    • DNS mode: An AP obtains the AC domain name and DNS server IP address through the DHCP service (by configuring a DHCP response packet to carry Option 15 for IPv4 packets or Option 24 for IPv6 packets containing the AC domain name on the DHCP server), and sends a request to the DNS server to obtain the IP address corresponding to the AC domain name. After obtaining the AC IP address, the AP unicasts a Discovery Request packet to the AC. The AC then sends a Discovery Response packet to the AP.

      After receiving the DHCP Response packet, the AP obtains the AC domain name carried in Option 15 or Option 24. The AP then automatically adds the prefix huawei-wlan-controller to the obtained domain name and sends it to the DNS server to obtain the IP address corresponding to the AC domain name. For example, after obtaining the AC domain name ac.test.com configured on the DHCP server, the AP adds the prefix huawei-wlan-controller to ac.test.com and sends huawei-wlan-controller.ac.test.com to the DNS server for resolution. The IP address corresponding to huawei-wlan-controller.ac.test.com must be configured on the DNS server.

    • Broadcast mode: The AP broadcasts a Discovery Request packet to automatically discover ACs in the same network segment. The AP then selects an AC to establish a CAPWAP tunnel based on the Discovery Response packets received from available ACs. The broadcast mode is used in the following cases:

      • When the AP fails to obtain the IP address of an AC, it broadcasts packets. If no AC responds to the broadcast packet twice, a failure to discover an AC is determined.

      • After obtaining the IP address of an AC, the AP sends unicast packets to the AC. If the AC does not respond to the unicast packets 10 times, the AP sends a broadcast packet. If no AC responds to the broadcast packet, the AP repeats the process of sending unicast and broadcast packets. If there is still no response, a failure to discover an AC is determined.

2. The AP establishes CAPWAP tunnels with an AC.

CAPWAP tunnels include data tunnels and control tunnels.
  • Data tunnel: transmits service data packets from the AP to the AC for centralized forwarding. You can also enable Datagram Transport Layer Security (DTLS) encryption over the data tunnel to ensure security of CAPWAP data packets. Subsequently, CAPWAP data packets will be encrypted and decrypted using DTLS.

  • Control tunnel: transmits control packets between the AP and AC. You can also enable Datagram Transport Layer Security (DTLS) encryption over the control tunnel to ensure security of CAPWAP control packets. Subsequently, CAPWAP control packets will be encrypted and decrypted using DTLS.


All Answers

Hi user, hope the below can help:

CAPWAP Data Tunnel Encryption:


When the data forwarding mode is tunnel forwarding, service data packets between an AP and an AC are transmitted over a CAPWAP data tunnel. To improve service data security, you can run the capwap dtls data-link encrypt enable command to enable CAPWAP data tunnel encryption using DTLS. This configuration ensures that packets are encrypted and then transmitted over the CAPWAP data tunnel.


CAPWAP data tunnel encryption using DTLS can be configured in both the system view and AP system profile view. The difference is that the function configured in the system view takes effect for APs that go online through an AC and support this function, while the function configured in the AP system profile view takes effect for APs configured with the profile. Priority of the function in the AP system profile view is higher than that of the function in the system view. When this function is enabled in both the views, the configuration in the AP system profile view takes effect.

Configuration Method

Enable CAPWAP data tunnel encryption using DTLS in the AP system profile view.

  <AC6605> system-view
  [AC6605] wlan
  [AC6605-wlan-view] ap-system-profile name system1
  [AC6605-wlan-ap-system-prof-system1] capwap dtls data-link encrypt enable

Enable CAPWAP data tunnel encryption using DTLS in the system view.

  <AC6605> system-view
  [AC6605] capwap dtls data-link encrypt enable


https://support.huawei.com/enterprise/en/doc/EDOC1100096305/4a29dbff/capwap-data-tunnel-encryption
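Both answers above describe turning DTLS on for the CAPWAP data and control tunnels; the check an operator then wants is whether traffic on the wire is actually DTLS-wrapped or still cleartext. The following is an added example (not Huawei's code and not part of either answer) that reads the one-byte CAPWAP preamble from RFC 5415 to classify captured UDP payloads, and flags cleartext tunnel traffic other than the Discovery exchange, which is cleartext by design. It assumes the AC and APs use the standard preamble layout and the standard UDP ports 5246 (control) and 5247 (data); the sample payloads are constructed, not captured.

```python
import struct

# Value tables from RFC 5415 (CAPWAP) and RFC 6347 (DTLS). Assumption: Huawei's AC and APs
# use the standard preamble layout and the standard UDP ports 5246 (control) and 5247 (data).
DTLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
DTLS_VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}
CONTROL_MSG = {1: "Discovery Request", 2: "Discovery Response", 3: "Join Request", 4: "Join Response"}
CONTROL_PORT, DATA_PORT = 5246, 5247

def classify_capwap(payload: bytes, dst_port: int) -> dict:
    """Read the CAPWAP preamble byte: type 0 = cleartext CAPWAP header, type 1 = DTLS record follows."""
    if len(payload) < 4:
        raise ValueError("too short for a CAPWAP preamble")
    version, ptype = payload[0] >> 4, payload[0] & 0x0F
    if version != 0 or ptype not in (0, 1):
        raise ValueError(f"unexpected CAPWAP preamble {payload[0]:#04x}")
    if ptype == 1:
        rec = payload[4:]  # preamble + 3 reserved bytes, then a 13-byte DTLS record header
        if len(rec) < 13:
            raise ValueError("truncated DTLS record")
        return {"transport": "dtls", "record": DTLS_CONTENT.get(rec[0], "unknown"),
                "dtls_version": DTLS_VERSIONS.get(struct.unpack("!H", rec[1:3])[0], "unknown")}
    hlen = (payload[1] >> 3) * 4  # HLEN is the header length in 4-byte words
    info = {"transport": "cleartext", "header_len": hlen, "message": None}
    if dst_port == CONTROL_PORT and len(payload) >= hlen + 4:
        msg_type = struct.unpack("!I", payload[hlen:hlen + 4])[0]  # control header starts with message type
        info["message"] = CONTROL_MSG.get(msg_type, f"type {msg_type}")
    return info

def audit(packets) -> list:
    """Flag cleartext tunnel traffic. Discovery Request/Response precede the DTLS handshake, so they are expected."""
    findings = []
    for port, payload in packets:
        info = classify_capwap(payload, port)
        if info["transport"] == "dtls":
            continue
        if port == CONTROL_PORT:
            if info["message"] in ("Discovery Request", "Discovery Response"):
                continue
            findings.append(f"control tunnel unencrypted ({info['message']})")
        else:
            findings.append("data tunnel unencrypted")
    return findings

# Constructed sample payloads (not captures from a real AC or AP).
_CLEAR_HDR = bytes([0x00, 0x10, 0x02, 0x00, 0, 0, 0, 0])        # type 0, HLEN = 2 words, WBID = 1 (802.11)
CLEAR_DISCOVERY = _CLEAR_HDR + struct.pack("!IBHB", 1, 0, 0, 0)  # Discovery Request control header
CLEAR_JOIN = _CLEAR_HDR + struct.pack("!IBHB", 3, 1, 0, 0)       # Join Request sent without DTLS
CLEAR_DATA = _CLEAR_HDR + b"\xaa\xaa\x03"                        # data frame stub behind a cleartext header
DTLS_APPDATA = bytes([0x01, 0, 0, 0]) + bytes([0x17, 0xFE, 0xFD]) + bytes(8) + struct.pack("!H", 4) + bytes(4)
```

Feed `audit()` a list of `(dst_port, udp_payload)` pairs pulled from a capture of AP-to-AC traffic; an empty result means everything after Discovery was DTLS-wrapped.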


