CAPWAP: A Standard for Wireless Controllers

CAPWAP: A Standard for Wireless Controllers

Are you looking to support multi-vendor AP on your existing WLAN controller transparently and allow centralized configuration and monitoring?

Typically Wireless Access Points falls under two broad categories, Thick and Thin Access Points. Thick Access Points perform all processing locally on the device and does not require an external controller. On the other side, thin Access Points depends on Controller for various purposes. In such typical centralize Wireless deployment; one or more controllers manage a set number of deployed access points. Access points retrieve their configuration from the controller and report their status back to the controller for management purposes.

Therefore Access Points use protocols such as Secure Light Access Point Protocol (SLAPP), Lightweight Access Point Protocol (LWAPP) etc to simplify management, configuration, and various other features.

With this typical centralized wireless setup and use of above-mentioned protocols support, controllers and Access Points are vendor locked in and inter-vendor compatibility becomes a big challenge.

Solution to the Problem: CAPWAP

A unified CAPWAP standard aims to be a protocol that could enable centralized wireless hardware to utilize a simple, streamlined method of communicating between access points and controllers. It was defined to ease the implementation of large wireless deployments that uses the Controller-AP (Access Point) architecture.  It was produced in part by Cisco, Aruba Networks, and Research in Motion. It combines the strengths of SLAPP's generic design and extensibility while utilizing LWAPP's state machine for managing the connection between AP and controller. This protocol differentiates between data traffic and control traffic, as LWAPP did. However, only the control messages are transmitted in a DTLS tunnel still.

In a controller-based architecture, CAPWAP access points are dependent on a wireless controller to provide the software image, configuration, and centralized control and optionally data forwarding functions. Therefore, it is necessary for the access point to find a list of available controllers with which it can associate.

Challenges resolved by CAPWAP

  • Centralized management solution of the AP in a typical WLAN deployment
  • Configuration of multiple AP types transparent, and ensure configurations are consistent across the network
  • Monitoring the status of both hardware and software configurations is necessary to ensure a properly operating network
  • Ensuring network security, both from 3rd party AP, such as rogue access points being connected to the network, as well as preventing the loss of network secrets from the physical theft of access points is also critical

How it works-

When supported and enabled, CAPWAP's first function is to start a discovery phase. Wireless APs search for a controller by sending discovery request messages. Upon receiving a discovery request, the controller replies with a discovery response. At this moment, the two devices have established a secure connection with the use of Datagram Transport Layer Security (DTLS) protocol to exchange CAPWAP control and data messages. Control messages contain information and instructions related to WLAN management; on the other hand, Data messages encapsulate forwarded wireless frames. Each is sent to a different User Datagram Protocol (UDP) port.

There are 2 modes of operation:-

  1. Split MAC mode
  2. Local MAC mode

Split MAC mode: The CAPWAP protocol integrates all Layer 2 wireless data and management information, which are then exchanged between the controller and AP.

Local MAC mode: It enables data frames to be locally bridged Ethernet frames.

In both modes, all the wireless management information at layer 2 are processed by AP


CAPWAP protocol has the full-fledged support of robust security based on DTLS mechanism, so there is no need of special security mechanism, such as IPSEC. Also, a remote WLAN controller already deploys the software/hardware engine to decrypt the DTLS encrypted CAPWAP packets if it supports CAPWAP to manage wireless Access Points. The CAPWAP protocol is a bridge between the security mechanisms specified by the wireless link layer protocol and Authentication, Authorization, and Accounting (AAA).  In CAPWAP, DTLS is medium to secure the link between the access points and controllers.  In addition to securing control messages, it's also a link in this chain of trust for establishing link layer keys.