Cisco and CAPWAP III

By | August 14, 2014

As I wrote in my last post the Cisco LWAP resets it's clock to zero before joining the WLC, and my assumption was, that the WLC has to send the current time within the discovery response message encoded in a vendor specific payload.
Some digging throw the web and experimenting led me to the right message element, a vendor specific payload of type 151.

So now the Cisco LWAP  1131AG can establish a DTLS connection with AC-Tube while using your own root CA.

7 thoughts on “Cisco and CAPWAP III

  1. Joonwhan,Choi

    Very helpful!!
    I also tried to cisco ap to establish connection to 3rd party AC ( .. opencapwap). But failed as you noted.
    I can figure it out why it has failed now. Standard itself does not imply interoperability, sadly.
    I'm using Cisco AIR-CAP2602E-K-K9 with ap3g2-k9w8-tar.152-4.JB5.tar image.

    I'll follow your step to make it happen.


    1. 7u83 Post author

      I'm glad I could help you. Let me know if you succeed. I'm very interested.

  2. Joonwhan,Choi

    I can now parse DISCOVERY_RESPONSE from AC. But failed to establish DTL Ssession.
    AP sends Hello, but AC failed at SSL DTLS1_SEND_HELLO_VERIFY_REQUEST.
    I found that it's ssl library handling issue. AC code did not registered approriate callback. I'll modify the AC code and will test again. This was not a problem when I use openssl 0.9.8 version, but for 1.0.0 version needs callbacks to be registered by using SSL_CTX_set_cookie_generate_cb, SSL_CTX_set_cookie_verify_cb.
    Anyway, the real problem is certificates installation. I read your article but I did not understand how you installed certificates. I have 3 pem files from opencapwap, root.pem, server.pem, client.pem. root.pem and client.pem should be installed at AP. But AP has a lot of cerificates includes Cisco_IOS_MIC_cert, cisco-root-cert, airespace-device-root-cert, airespace-new-root-cert, airespace-old-root-cert.
    I can not figure what ceritifcates should be changed and how. Would you please give me a hint ?

    1. 7u83 Post author

      This script generates CLI commands , you can paste into a WTP terminal sessen to import a certificate. The script reads a file named root-ca.crt which ist the certificate you whant to import and must be placed in the same directory where you run the script.
      Before you paste the generated commands into the terminal you have to switch to enabled mode.
      You might also have to paste the commands in multiple parts, because pasting the whole output at once could overflow the serial line buffers of the WTP.

  3. Joonwhan,Choi

    Ok. I made AP to send JOIN to AC.
    (Added separate keypairs and certificate using crypto pki commands... not touching exsisting keys and cerificates)
    Now AC does not fully decode JOIN. It complains that some vendor specific element is not known. So invalidates JOIN message.
    Opencapwap code is not mature enough......

  4. Jun Zhou

    Cisco has a soft controller (virtual controller) maybe you can use it to obeserve the join process.


Leave a Reply

Your email address will not be published. Required fields are marked *