Communication between access point and WLAN controller

Note: As of firmware version LCOS 7.20 there is a difference between LANCOM access points (e.g. the LANCOM L-54ag) and LANCOM wireless routers (e.g. the LANCOM 1811 Wireless) with regard to the ex-factory default settings of the WLAN modules. In the following description, the general term "access point" is used for both.

Communication between an access point and the WLAN controller is always initiated by the access point. In the following cases, the devices search for a WLAN controller that can assign a configuration to them:

The access point sends a "discovery request message" at the beginning of communication to find the available WLAN controllers. This request is sent as a broadcast. However, because in some network structures a potential WLAN controller cannot be reached by a broadcast, the addresses of additional WLAN controllers can also be entered into the configuration of the access points.

Note: The DNS names of WLAN controllers can also be resolved. All access points with LCOS 7.22 or higher have the default name 'WLC-Address' pre-configured so that a DNS server can resolve this name to a LANCOM WLAN controller. The same applies to the DHCP suffixes learned via DHCP. This also makes it possible to reach WLAN controllers that are not located in the same network, without having to configure the access points.

From the available WLAN controllers, the access point selects the best one and requests it to establish the DTLS connection. The "best" WLAN controller for the access point is the one with the least load, i.e. the lowest ratio of managed access points compared to the maximum possible number of access points. In case of two or more equally "good" WLAN controllers, the access point selects the nearest one in the network, i.e. that with the fastest response time.
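The selection rule described above (lowest ratio of managed to maximum access points, ties broken by the fastest discovery response), as an added illustration that is not LANCOM code; the controller names, counters and response times are constructed sample values, and the exclusion of fully loaded controllers is an assumption:

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class WlcCandidate:
    """One WLAN controller that answered the access point's discovery request."""
    name: str
    managed_aps: int    # access points currently managed by this controller
    max_aps: int        # maximum number of access points it can manage
    response_ms: float  # round-trip time of its discovery response


def load_ratio(c: WlcCandidate) -> float:
    """Load of a controller: managed access points / maximum possible."""
    return c.managed_aps / c.max_aps


def select_controller(candidates: Sequence[WlcCandidate],
                      ratio_tolerance: float = 1e-9) -> Optional[WlcCandidate]:
    """Pick the 'best' controller: least loaded, then fastest to respond.

    Controllers with no free capacity are skipped (assumption: a full
    controller cannot take on another access point).
    """
    usable = [c for c in candidates
              if c.max_aps > 0 and c.managed_aps < c.max_aps]
    if not usable:
        return None
    best_ratio = min(load_ratio(c) for c in usable)
    # All controllers that are equally "good" within a small tolerance.
    tied = [c for c in usable if load_ratio(c) - best_ratio <= ratio_tolerance]
    # Among equals, the nearest one in the network (fastest response) wins.
    return min(tied, key=lambda c: c.response_ms)


# Constructed sample discovery responses (not real devices).
DISCOVERED = [
    WlcCandidate("WLC-A", managed_aps=30, max_aps=100, response_ms=2.0),
    WlcCandidate("WLC-B", managed_aps=15, max_aps=50, response_ms=0.5),  # same load as A, faster
    WlcCandidate("WLC-C", managed_aps=5, max_aps=5, response_ms=0.1),    # full, excluded
    WlcCandidate("WLC-D", managed_aps=40, max_aps=100, response_ms=0.1), # fastest, but higher load
]

if __name__ == "__main__":
    chosen = select_controller(DISCOVERED)
    print(f"access point selects {chosen.name} (load {load_ratio(chosen):.2f})")
```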

The WLAN controller then uses an internal random number to determine a unique and secure session key, which it uses to secure the connection to the access point. The CA in the WLAN controller issues a certificate to the access point by means of SCEP. The certificate is protected by a one-time-only "challenge" (password). The access point uses this challenge password to authenticate itself to the WLAN controller when collecting the certificate.

The access point is provided with the configuration for the integrated SCEP client via the secure DTLS connection – the access point uses the SCEP to retrieve its certificate from the SCEP CA. Once this is done, the assigned configuration is transferred to the access point.

Note: SCEP stands for Simple Certificate Encryption Protocol, CA for Certification Authority.

Authentication and configuration can both be carried out either automatically or only with a corresponding entry of the access point's MAC address in the AP table of the WLAN controller. If the access point's WLAN modules were deactivated at the beginning of the DTLS communication, these will be activated after successful transfer of the certificate and configuration (provided they are not explicitly deactivated in the configuration).

The management and configuration data will then be transferred via the CAPWAP tunnel. The payload data from the WLAN client is then released in the access point directly into the LAN and transferred, for example, to the server.