LWAPP is an open protocol for access point management. In this mode of
operation, a WLAN controller system is used to create and enforce policies
across multiple different lightweight access points. All functions essential to
WLAN operations are centrally controlled by WLAN controllers. In this mode of
operation, Cisco access points run a simplified version of Cisco IOS®. It is
not possible to enter into configuration mode and configure access points
individually in this mode. More information on LWAPP mode of operation can be
found at the following URL:
To check whether a Cisco access point is running in LWAPP mode, issue
the following command from the console.
Access points running in LWAPP mode will not allow the user to enter
into configuration mode, but will return an error message instead as shown in
the following output.
% Invalid input detected at '^' marker.
The alternative to LWAPP mode is the autonomous mode of operation. In
this mode, the access points are configured individually and run either VxWorks
or Cisco IOS operating systems.
Cisco 1200, 1131 and 1240 series access points that are controlled by
2000 or 4400 WLAN controllers in LWAPP mode of operation may accept unencrypted
traffic from end hosts even when configured to encrypt traffic. Such traffic
needs to be sourced from the MAC address of a legitimate, already authenticated
end host. By exploiting this vulnerability, an attacker may send malicious
traffic into a secure network. Legitimate end hosts will still communicate with
the access point in an encrypted manner.
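
A detection check for the condition described above, added here as an example and not part of the advisory: it scans raw 802.11 frames for unencrypted data frames sent to a protected BSSID from the MAC address of an authenticated client, skipping Null frames and 802.1X (EAPOL) frames, which can legitimately be sent in the clear during key exchange. The function names, MAC addresses and sample frames are constructed for illustration; frames are assumed to carry no radiotap header and no HT Control field.

```python
import struct

EAPOL = 0x888E                      # 802.1X key exchange may legitimately be in the clear
SNAP = b"\xaa\xaa\x03\x00\x00\x00"  # LLC/SNAP header preceding the EtherType

def cleartext_sender(frame, bssid):
    """Source MAC (bytes) if frame is an unprotected, payload-carrying data
    frame from a station to bssid, else None."""
    if len(frame) < 24:
        return None
    ftype, subtype, flags = (frame[0] >> 2) & 3, frame[0] >> 4, frame[1]
    if ftype != 2 or subtype & 0x4:           # not data, or a Null / no-data subtype
        return None
    if flags & 0x03 != 0x01:                  # keep To DS=1, From DS=0 (station -> AP)
        return None
    if flags & 0x40 or frame[4:10] != bssid:  # Protected bit set, or another BSS
        return None
    hdr = 26 if subtype & 0x8 else 24         # QoS data adds a 2-byte QoS Control field
    llc = frame[hdr:hdr + 8]
    if len(llc) == 8 and llc[:6] == SNAP and struct.unpack(">H", llc[6:])[0] == EAPOL:
        return None
    return frame[10:16]                       # Addr2 is the transmitting station

def audit(frames, bssid, authenticated):
    """Count cleartext data frames per source MAC that is an authenticated client."""
    hits = {}
    for f in frames:
        src = cleartext_sender(f, bssid)
        if src in authenticated:
            key = src.hex(":")
            hits[key] = hits.get(key, 0) + 1
    return hits

def build(subtype, flags, bssid, src, dst, body=b""):
    """Constructed test frame: 24-byte header (26 for QoS subtypes) plus body."""
    hdr = bytes([(subtype << 4) | 0x08, flags]) + b"\x00\x00" + bssid + src + dst + b"\x00\x00"
    return hdr + (b"\x00\x00" if subtype & 0x8 else b"") + body

# Constructed sample data (locally administered MACs, not from the advisory)
BSSID = bytes.fromhex("020000000001")
CLIENT = bytes.fromhex("020000000010")
GW = bytes.fromhex("020000000020")
SAMPLE = [
    build(0, 0x41, BSSID, CLIENT, GW, b"\x00" * 16),                  # encrypted data
    build(4, 0x01, BSSID, CLIENT, GW),                                # Null frame
    build(8, 0x01, BSSID, CLIENT, GW, SNAP + b"\x88\x8e" + b"\x01"),  # EAPOL, QoS
    build(0, 0x01, BSSID, CLIENT, GW, SNAP + b"\x08\x00" + b"\x45"),  # cleartext IPv4
    build(8, 0x01, BSSID, CLIENT, GW, SNAP + b"\x08\x06"),            # cleartext ARP, QoS
]
```

Calling `audit(SAMPLE, BSSID, {CLIENT})` reports two cleartext frames for the client MAC; on a WLAN configured for encryption, any non-zero count is worth investigating.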
Only the access points that are running in LWAPP mode are affected by
this vulnerability. Access points that are running in autonomous mode are not
In LWAPP mode, access points download their software from the WLAN
controller. Therefore, a software upgrade on the WLAN controller is required to
address this vulnerability.
This issue is documented by the Cisco bug ID
(registered customers only)