- Preface
- Using the Command-Line Interface
- Using the Web Graphical User Interface
-
- Configuring the Switch for Access Point Discovery
- Configuring Data Encryption
- Configuring Retransmission Interval and Retry Count
- Configuring Adaptive Wireless Intrusion Prevention System
- Configuring Authentication for Access Points
- Converting Autonomous Access Points to Lightweight Mode
- Using Cisco Workgroup Bridges
- Configuring Probe Request Forwarding
- Optimizing RFID Tracking
- Configuring Country Codes
- Configuring Link Latency
- Configuring Power over Ethernet
-
- Preventing Unauthorized Access
- Controlling Switch Access with Passwords and Privilege Levels
- Configuring TACACS+
- Configuring RADIUS
- Configuring Kerberos
- Configuring Local Authentication and Authorization
- Configuring Secure Shell (SSH)
- Configuring Secure Socket Layer HTTP
- Configuring IPv4 ACLs
- Configuring IPv6 ACLs
- Configuring DHCP
- Configuring IP Source Guard
- Configuring Dynamic ARP Inspection
- Configuring IEEE 802.1x Port-Based Authentication
- Configuring MACsec Encryption
- Configuring Web-Based Authentication
- Configuring Port-Based Traffic Control
- Configuring IPv6 First Hop Security
- Configuring Cisco TrustSec
- Configuring Wireless Guest Access
- Managing Rogue Devices
- Classifying Rogue Access Points
- Configuring wIPS
- Configuring Intrusion Detection System
-
- Administering the System
- Performing Switch Setup Configuration
- Configuring Right-To-Use Licenses
- Configuring Administrator Usernames and Passwords
- Configuring 802.11 parameters and Band Selection
- Configuring Aggressive Load Balancing
- Configuring Client Roaming
- Configuring Application Visibility and Control
- Configuring Voice and Video Parameters
- Configuring RFID Tag Tracking
- Configuring Location Settings
- Monitoring Flow Control
- Configuring SDM Templates
- Configuring System Message Logs
- Configuring Online Diagnostics
- Managing Configuration Files
- Configuration Replace and Configuration Rollback
- Working with the Flash File System
- Working with Cisco IOS XE Software Bundles
- Troubleshooting the Software Configuration
Configuring Data Encryption
Finding Feature Information
Your software release may not support all of the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Configuring Data Encryption
Cisco 1260, 3500, 3600, 801, 1140, 1310, and 1520 series access points support Datagram Transport Layer Security (DTLS) data encryption.
You can use the switch to enable or disable DTLS data encryption for a specific access point or for all access points.
Non-Russian customers who use the Cisco switch do not need a data DTLS license.
Restrictions for Configuring Data Encryption
Encryption limits throughput at both the switch and the access point, and maximum throughput is desired for most enterprise networks.
If your switch does not have a data DTLS license and if the access point associated with the switch has DTLS enabled, the data path will be unencrypted.
In images that do not have a DTLS license, the DTLS commands are not available.
Information About Data Encryption
The switch enables you to encrypt Control and Provisioning of Wireless Access Points (CAPWAP) control packets (and optionally, CAPWAP data packets) that are sent between the access point and the switch using DTLS. DTLS is a standards-track Internet Engineering Task Force (IETF) protocol based on TLS. CAPWAP control packets are management packets exchanged between a switch and an access point while CAPWAP data packets encapsulate forwarded wireless frames. CAPWAP control and data packets are sent over separate UDP ports: 5246 (control) and 5247 (data). If an access point does not support DTLS data encryption, DTLS is enabled only for the control plane, and a DTLS session for the data plane is not established.
How to Configure Data Encryption
Configuring Data Encryption (CLI)
1.
configure terminal
2.
ap link-encryption
3.
end
4.
show ap link-encryption
5.
show wireless dtls connections
DETAILED STEPS
Configuring Data Encryption (GUI)
| Step 1 |
Choose . The All APs page is displayed. | ||
| Step 2 | Click the name of the access point for which you want to enable data encryption. The AP > Edit page is displayed. | ||
| Step 3 | Click the Advanced tab. | ||
| Step 4 | Select or unselect the Data Encryption check box.
| ||
| Step 5 | Click Apply. | ||
| Step 6 | Click Save Configuration. |
Configuration Examples for Configuring Data Encryption
Displaying Data Encryption States for all Access Points: Examples
This example shows how to display the encryption state of all access points or a specific access point. This command also shows authentication errors, which track the number of integrity check failures and replay errors. Relay errors help in tracking the number of times the access point receives the same packet:
Switch# show ap link-encryption
Encryption Dnstream Upstream Last
AP Name State Count Count Update
------------------ ---------- -------- -------- ------
3602a Enabled 0 0 Never
This example shows how to display a summary of all active DTLS connections:
Switch# show wireless dtls connections
AP Name Local Port Peer IP Peer Port Ciphersuite
--------------- ------------ ------------- ---------- --------------------
3602a Capwap_Ctrl 10.10.21.213 46075 TLS_RSA_WITH_AES_128_CBC_SHA
3602a Capwap_Data 10.10.21.213 46075 TLS_RSA_WITH_AES_128_CBC_SHA
Feedback