Cisco and CAPWAP

By | July 28, 2014

A Cisco AIR-LAP1131AG-E-K9 with a serial cable connected, some switches and a cup of coffee.

So now I've got a Cisco Aironet 1131ag access point, and first it didn't wanted to join the AC-Tube CAPWAP WLC (which is still under development).

A long night of debugging and reading log files led me to the result that this access point isn't really CAPWAP conform, when using the latest firmware 12.4.25e from May 2014 or maybe any other firmware available for this access point.

Things I've found out so far:

  • The discovery request message sent by this AP does not contain any radio information message elements, although it's demanded by specification.
  • The Num Encrypt field in the WTP descriptor message element is set to zero, followed by one byte of some data. This field must be between one (1) and 255, and it counts the number of the following encryption sub-elements where each is three bytes long. So if this field were allowed to be zero there shouldn't follow a single byte.
  •  A discovery response message which contains a mac address in the transport header and the M flag is set, confuses the message parser. The message by itself is correctly detected, but when reading the message elements, the parser thinks the whole message has a lot more bytes then it really has, because it reads the message length from the same position in the message as if there were no mac address present. So it gets some bytes from the mac address and treats them as message length.
  • When parsing an ac descriptor message element it tells that the version sub-element 4 (hardware version) is unknown and stops parsing, discarding the whole discovery response message which brought the ac descriptor message element. If the software version (5) sub-element is placed before the hardware version element, then the parser doesn't stop and the discovery response is accepted.

I am very disappointed.


Leave a Reply

Your email address will not be published. Required fields are marked *