Data DTLS

Data Datagram Transport Layer Security

Data Datagram Transport Layer Security (DTLS) is a security protocol that

  • encrypts the CAPWAP data packets sent between an access point (AP) and a controller,

  • uses separate UDP ports for control (5246) and data (5247) packets,

  • is a standards-track IETF protocol, based on TLS, that can encrypt both control and data packets, and

  • supports DTLS v1.2 as the latest available version.

Feature history for data DTLS

Feature name: Data Datagram Transport Layer Security

Release information: Cisco IOS XE Gibraltar 16.7.1

Feature description: The data Datagram Transport Layer Security (DTLS) is a standards-track IETF protocol that can encrypt both control and data packets based on TLS.

CAPWAP control and data packets

CAPWAP control packets are management packets that are exchanged between a controller and an AP. CAPWAP data packets encapsulate forwarded wireless frames.

If an AP does not support DTLS data encryption, DTLS is enabled only for the control plane, and a DTLS session for the data plane is not established.

DTLS handshake

If an AP supports data DTLS:

  • the AP enables data DTLS after receiving the new configuration from the controller,

  • the AP performs a DTLS handshake on port 5247, and

  • after the DTLS session is established, all data traffic (from the AP to the controller and from the controller to the AP) is encrypted.

Note

The throughput is affected on some APs when data encryption is enabled.


The controller does not proceed with the DTLS handshake after processing the client hello that carries the cookie if either of the following mismatched settings is configured:

  • ECDHE-ECDSA cipher in ap dtls-cipher and RSA-based certificate in “wireless management trustpoint”.

  • RSA cipher in ap dtls-cipher and EC-based certificate in “wireless management trustpoint”.

This is applicable when you move from CC > FIPS > non-FIPS mode.
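The cipher-to-certificate mismatch described above can be checked before the controller is switched between modes. The following is an added example, not Cisco code: it derives the authentication key type from OpenSSL-style cipher suite names (constructed sample values, not the literal `ap dtls-cipher` keywords) and models the standard TLS server-side suite selection that happens after the cookie-bearing client hello; the function names are this example's own.

```python
def cipher_auth_type(cipher):
    """Derive the certificate key type a cipher suite authenticates with.

    OpenSSL-style names carry the authentication algorithm as a token
    (ECDHE-ECDSA-..., ECDHE-RSA-..., DHE-RSA-...); suites with no auth
    token (AES256-SHA, AES128-GCM-SHA256) use RSA key transport, so they
    also need an RSA certificate.
    """
    tokens = cipher.upper().split("-")
    if "ECDSA" in tokens:
        return "EC"
    return "RSA"


def audit_dtls_ciphers(ciphers, trustpoint_key_type):
    """Return (cipher, reason) pairs that cannot complete a handshake with
    a wireless management trustpoint certificate of the given key type."""
    want = trustpoint_key_type.upper()
    problems = []
    for c in ciphers:
        need = cipher_auth_type(c)
        if need != want:
            problems.append((c, f"suite needs an {need} certificate, trustpoint holds {want}"))
    return problems


def select_cipher(client_offered, controller_allowed, trustpoint_key_type):
    """Model the server-side suite choice made after the client hello with cookie.

    Walk the controller's list in preference order and pick the first suite the
    AP also offered whose authentication matches the trustpoint key type.
    Returns None when nothing fits, which is the stalled-handshake case above.
    """
    offered = {c.upper() for c in client_offered}
    for c in controller_allowed:
        if c.upper() in offered and cipher_auth_type(c) == trustpoint_key_type.upper():
            return c
    return None


if __name__ == "__main__":
    # The two mismatched settings from the text, plus one valid pairing.
    for ciphers, key in [(["ECDHE-ECDSA-AES256-GCM-SHA384"], "RSA"),
                         (["AES256-SHA", "ECDHE-RSA-AES128-GCM-SHA256"], "EC"),
                         (["ECDHE-ECDSA-AES128-GCM-SHA256"], "EC")]:
        print(key, audit_dtls_ciphers(ciphers, key))
```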

Note

If the DHCP lease time of the AP is short and the DHCP pool is small, the AP join may fail or the Data Datagram Transport Layer Security (DTLS) session may not be established. In such scenarios, associate the AP with a named site tag and increase the DHCP lease time to at least eight days.


Configure data DTLS (GUI)

Complete this task to enable DTLS data encryption for the APs on the controller.

Procedure


Step 1

Click Configuration > Tags and Profile > AP Join.

Step 2

Click Add to create a new AP Join Profile or click an existing profile to edit it.

Step 3

Click CAPWAP > Advanced.

Step 4

Check the Enable Data Encryption check box to enable Datagram Transport Layer Security (DTLS) data encryption.

Step 5

Click Update & Apply to Device.


The DTLS data encryption for the APs on the controller is enabled.

Configure data DTLS (CLI)

Complete this task to enable DTLS data encryption for the access points on the controller.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Configure an AP profile and enter AP profile configuration mode.

Example:

Device(config)# ap profile ap-profile-name

Note

Use the default AP profile (default-ap-profile) or create a named AP profile, as shown in the example.

Step 3

Enable link encryption on your profile.

Example:

Device(config-ap-profile)# link-encryption

Answer Yes, when the system prompts you with this message:

Enabling link-encryption will reboot the APs with link-encryption.
                        Are you sure you want to continue? (y/n)[y]:

Note

If you set stats-timer to zero (0) under the AP profile, the AP does not send link encryption statistics.

Step 4

Return to privileged EXEC mode.

Example:

Device(config-ap-profile)# end

Step 5

(Optional) Display the DTLS session established for the AP that has joined this controller.

Example:

Device# show wireless dtls connections

Step 6

(Optional) Display the link encryption statistics counters received from the AP, including whether link encryption is enabled or disabled.

Example:

Device# show ap link-encryption

The DTLS data encryption for the access points on the controller is now enabled.

Device# configure terminal
Device(config)# ap profile ap-profile-name
Device(config-ap-profile)# link-encryption
Device(config-ap-profile)# end
Device# show wireless dtls connections
Device# show ap link-encryption

Configure manufacturing installed certificate expiration bypass for AP join (CLI)

Complete this task to configure manufacturing installed certificate (MIC) expiration bypass for AP join.

This configuration allows older APs with expired Manufacturing Installed Certificates (MIC) to perform CAPWAP DTLS handshakes.

Note

Examples of messages displayed when APs fail to join due to expired certificates include:

.May 15 10:00:40.385: %DTLS_TRACE_MSG-3-WLC_DTLS_ERR: Chassis 1 R0/0: wncd: DTLS Error, session:192.168.25.157[55384] MAC: 84b8.02ed.d82, Certificate validation failed
.May 15 10:00:40.386: %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 1 R0/0: wncd: AP Event: Session-IP:192.168.25.157[55384] CAPWAP DTLS session closed for AP, cause: DTLS handshake error
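The two messages above are what an operator would watch for when deciding whether the MIC bypass below is needed. The following is an added example (not Cisco code) that parses controller syslog lines in that format and groups the DTLS error and the session-close event by CAPWAP session; the sample log is constructed from the two messages quoted on this page plus one unrelated message, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample log: the two messages quoted on this page, each on one
# line, plus one unrelated message that the parser must ignore.
SAMPLE_LOG = """\
.May 15 10:00:40.385: %DTLS_TRACE_MSG-3-WLC_DTLS_ERR: Chassis 1 R0/0: wncd: DTLS Error, session:192.168.25.157[55384] MAC: 84b8.02ed.d82, Certificate validation failed
.May 15 10:00:40.386: %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 1 R0/0: wncd: AP Event: Session-IP:192.168.25.157[55384] CAPWAP DTLS session closed for AP, cause: DTLS handshake error
May 15 10:00:41.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# IOS XE syslog shape: "[.|*]<timestamp>: %FACILITY-SEV-MNEMONIC: <body>".
# A leading "." or "*" flags an unsynchronised clock and is skipped.
LINE_RE = re.compile(r"^[.*]?(?P<ts>\w{3}\s+\d+\s+[\d:.]+):\s+%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+):\s+(?P<body>.*)$")
# Both messages identify the CAPWAP session as ip[port]; the DTLS error writes
# "session:" while the AP_JOIN_DISJOIN event writes "Session-IP:".
SESSION_RE = re.compile(r"[Ss]ession(?:-IP)?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\[(?P<port>\d+)\]")
MAC_RE = re.compile(r"MAC:\s*(?P<mac>[0-9a-fA-F.]+)")
CAUSE_RE = re.compile(r"cause:\s*(?P<cause>.+?)\s*$")

DTLS_ERR = "DTLS_TRACE_MSG-3-WLC_DTLS_ERR"
AP_DISJOIN = "CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN"


def parse_dtls_events(log_text):
    """Group DTLS errors and session-close events by CAPWAP session (ip[port])."""
    sessions = defaultdict(lambda: {"mac": None, "errors": [], "close_cause": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("mnemonic") not in (DTLS_ERR, AP_DISJOIN):
            continue
        body = m.group("body")
        s = SESSION_RE.search(body)
        if not s:
            continue
        rec = sessions[f"{s.group('ip')}[{s.group('port')}]"]
        if m.group("mnemonic") == DTLS_ERR:
            mac = MAC_RE.search(body)
            if mac:
                rec["mac"] = mac.group("mac")
            # The error text is the last comma-separated field of the body.
            rec["errors"].append(body.rsplit(",", 1)[-1].strip())
        else:
            cause = CAUSE_RE.search(body)
            if cause:
                rec["close_cause"] = cause.group("cause")
    return dict(sessions)


def failed_handshakes(log_text):
    """Sessions closed for a DTLS handshake error, with the DTLS errors that preceded it."""
    return {k: v for k, v in parse_dtls_events(log_text).items()
            if v["close_cause"] == "DTLS handshake error"}
```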

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Define a certificate map and enter CA certificate map configuration mode.

Example:

Device(config)# crypto pki certificate map map-tag <1-65535>

Step 3

Configure the certificate issuer's name.

Example:

Device(ca-certificate-map)# issuer-name co issuer-name-string

Note

You can add multiple rules and filters under the same map. In the example, the rule selects any certificate whose issuer name contains Cisco Manufacturing CA (case insensitive).

Step 4

Exit the CA certificate map configuration mode.

Example:

Device(ca-certificate-map)# exit

Step 5

Define the trustpool policy.

Example:

Device(config)# crypto pki trustpool policy

Step 6

Allow APs with an invalid MIC, or one that is not yet valid, to join.

Example:

Device(ca-trustpool)# match certificate map-name allow expired-certificate

The manufacturing installed certificate (MIC) expiration bypass for AP join is configured.

Device# configure terminal
Device(config)# crypto pki certificate map map1 1
Device(ca-certificate-map)# issuer-name co cisco manufacturing ca
Device(ca-certificate-map)# exit
Device(config)# crypto pki trustpool policy
Device(ca-trustpool)# match certificate map1 allow expired-certificate