Cisco and CAPWAP II

August 13, 2014

After some hard days of debugging, coding and doc-reading, today my Cisco 1131 LWAP finally sent its first join request to my Open Source CAPWAP WLC (which is still in an early development stage).

I faced a number of problems:

It seems nobody in the world has ever tried to join a Cisco LWAP to a third-party WLC, or if anybody did, she/he didn't share her/his experience, so Google wasn't helpful in that case.

Before you get a join request from the LWAP, you first have to establish a DTLS connection with it, but the LWAP won't accept your certificate if it's not signed by Cisco. There seems to be no way to turn off certificate verification, and PSK authentication is not supported, so you have to install your own CA certificate on the LWAP. But you can't (permanently) install a certificate from within the CLI; only a WLC which the LWAP is joined to can do that, and the LWAP won't join a third-party WLC, because the third-party WLC doesn't have a Cisco-signed certificate ...
So you have two choices: buy a Cisco WLC or install a certificate from within the CLI that is not stored permanently, but sufficient to join a third-party WLC which then might push a certificate permanently to the LWAP. I have chosen the second way ;-).

But installing a temporary certificate from within the CLI didn't work as expected.
First of all, the LWAP does not install a certificate if the LWAP's current date is outside the certificate's start and end dates. So I had to set the LWAP's time and date first. But after successfully installing the certificate, the problem was that the LWAP lost its date setting, resetting it to January 1 1970 whenever it entered the join state. Maybe the LWAP expects a manufacturer-specific message element in the discovery response message which sets the current time. Of course, my third-party WLC does not know about such a message element.
Next I tried to use a certificate which is valid from 1 Jan 1970 to the next decade, but that didn't work either. I got some strange errors, which I have not analyzed further, because I figured out by accident that installing the same certificate that is used by the WLC works fine, although the LWAP's time is set to zero when it enters the join state.

The next problem was within the openssl library.

The WLC reported that the DTLS connection was successfully established, but the LWAP gave the following error message:

DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_record.c:416 BD is not of DTLS Change Cipher Spec type

The reason was an expired timer in the openssl library. During the DTLS handshake, after the server has sent its certificate, the LWAP takes too long to decode and verify the certificate and send its answer. The timer in the openssl library, which is hard-coded to an initial value of one second, expires, and the openssl library retransmits its certificate. But the LWAP, in its state, expects the Change Cipher Spec Type message.

So the only way for now to establish a DTLS connection with the Cisco LWAP is to use a patched openssl library, where the timeout duration is initialized with a bigger value than one second.

Maybe I will switch to gnutls in the future, in the hope that the timeout duration is configurable there.
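
The retransmission race described above, as an added example that is not code from the original post or from OpenSSL: a small C model of the DTLS handshake timer (an initial value, then doubling up to 60 seconds as in RFC 6347) that counts how often the server re-sends its certificate flight while a slow peer is still verifying it. The peer delays and the 5-second initial value are constructed for illustration; OpenSSL 1.1.1 and later let an application supply such a policy through DTLS_set_timer_cb() instead of patching the library.

```c
#include <stdio.h>

/* A retransmit policy takes the current timeout in microseconds
 * (0 = handshake start) and returns the next timeout to arm. */
typedef unsigned int (*timer_policy)(unsigned int cur_us);

#define MAX_TIMEOUT_US 60000000u  /* RFC 6347 cap of 60 s */

/* Behaviour the post ran into: the first timeout is one second. */
static unsigned int stock_policy(unsigned int cur_us)
{
    if (cur_us == 0)
        return 1000000u;
    return cur_us >= MAX_TIMEOUT_US / 2 ? MAX_TIMEOUT_US : cur_us * 2;
}

/* Patched behaviour: larger first timeout (5 s is an assumed value). */
static unsigned int patient_policy(unsigned int cur_us)
{
    if (cur_us == 0)
        return 5000000u;
    return cur_us >= MAX_TIMEOUT_US / 2 ? MAX_TIMEOUT_US : cur_us * 2;
}

/* Number of times the server re-sends its flight before the peer's answer,
 * which arrives peer_delay_us after the flight was first sent. Every re-send
 * reaches a peer that is waiting for Change Cipher Spec instead. */
static int spurious_retransmits(timer_policy next, unsigned int peer_delay_us)
{
    unsigned int timeout = next(0);
    unsigned long long deadline = timeout;
    int resent = 0;

    while (deadline < peer_delay_us) {
        resent++;
        timeout = next(timeout);
        deadline += timeout;
    }
    return resent;
}

int main(void)
{
    /* Constructed sample: a peer that needs 2.5 s to verify the certificate. */
    unsigned int delay_us = 2500000u;
    printf("stock:   %d duplicate flight(s)\n", spurious_retransmits(stock_policy, delay_us));
    printf("patient: %d duplicate flight(s)\n", spurious_retransmits(patient_policy, delay_us));
    return 0;
}
```

Any result above zero means the peer receives a duplicate certificate flight while it is still working on the first one.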
