Communication between access point and WLAN controller

Communication between an AP and the WLC is always initiated by the AP. In the following cases, the devices search for a WLC that can assign a configuration to them:

Note: Communication between the access point and the WLAN-Controller takes place via CAPWAP as well as via SCEP. For CAPWAP the UDP port 1027 is used in the default configuration (can be changed in the WLAN-Controller configuration). For the communication via SCEP the protocol HTTP (TCP port 80) is used.
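The two control channels named above (CAPWAP on UDP 1027 by default, SCEP over HTTP on TCP 80) and the rule that the AP always initiates give a defender something concrete to check in flow records. The following is an added example, not LANCOM's code: it parses constructed flow lines and reports AP/WLC traffic that is either initiated from the WLC side or uses a port other than the configured CAPWAP port or TCP 80. The log format, the addresses and the `capwap_port` parameter are assumptions for the example.

```python
"""Added example (not from the LANCOM page): audit AP <-> WLC flows against the
documented pattern: AP-initiated, CAPWAP on UDP <capwap_port>, SCEP on TCP 80.
Log line format and all addresses below are constructed for the example."""
import re
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Assumed flow-record format: "... src=<ip> dst=<ip> proto=<tcp|udp> dport=<n>"
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(tcp|udp) dport=(\d+)")

# Constructed sample records (not real traffic). 10.1.1.x are APs, 10.1.0.1 is the WLC.
SAMPLE_LINES = [
    "2024-01-01T10:00:00 src=10.1.1.10 dst=10.1.0.1 proto=udp dport=1027",   # CAPWAP, ok
    "2024-01-01T10:00:01 src=10.1.1.10 dst=10.1.0.1 proto=tcp dport=80",     # SCEP, ok
    "2024-01-01T10:00:02 src=10.1.0.1 dst=10.1.1.10 proto=tcp dport=22",     # WLC-initiated
    "2024-01-01T10:00:03 src=10.1.1.11 dst=10.1.0.1 proto=tcp dport=443",    # unexpected port
    "2024-01-01T10:00:04 src=10.1.1.10 dst=192.0.2.50 proto=tcp dport=443",  # not AP/WLC, ignored
    "malformed record without the expected fields",                           # skipped by parser
]

AP_ADDRS = {"10.1.1.10", "10.1.1.11"}
WLC_ADDRS = {"10.1.0.1"}


def parse_flows(lines):
    """Extract Flow tuples; lines that do not match the format are skipped."""
    flows = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            flows.append(Flow(m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return flows


def audit_ap_wlc_flows(flows, ap_addrs, wlc_addrs, capwap_port=1027):
    """Return a list of (flow, reason) for AP/WLC flows that deviate from the
    documented pattern. capwap_port mirrors the WLC setting (1027 by default)."""
    allowed = {("udp", capwap_port), ("tcp", 80)}
    findings = []
    for f in flows:
        if f.src in wlc_addrs and f.dst in ap_addrs:
            # The page states the AP always opens the connection.
            findings.append((f, "initiated by WLC; AP is expected to initiate"))
        elif f.src in ap_addrs and f.dst in wlc_addrs and (f.proto, f.dport) not in allowed:
            findings.append((f, f"unexpected {f.proto}/{f.dport} between AP and WLC"))
    return findings


if __name__ == "__main__":
    for flow, reason in audit_ap_wlc_flows(parse_flows(SAMPLE_LINES), AP_ADDRS, WLC_ADDRS):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

The check assumes flow records are keyed on the initiating side; a packet-based logger would also show the WLC's replies as WLC-to-AP packets, so apply the initiator rule only to records that represent the first packet of a flow. If the CAPWAP port was changed in the WLC configuration, pass that value as `capwap_port`.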

The AP sends a "discovery request message" at the beginning of communication to find the available WLCs. This request is sent as a broadcast. However, because in some structures a potential WLC cannot be reached by a broadcast, special addresses from additional WLCs can also be entered into the configuration of the APs.

Note: The DNS names of WLCs can also be resolved. All APs with LCOS 7.22 or higher have the default name 'WLC-Address' preconfigured so that a DNS server can resolve this name to a WLC. The same applies to the DHCP suffixes learned via DHCP. This also makes it possible to reach WLCs that are not located in the same network, without having to configure the APs.

From the available WLCs, the AP selects the best one and requests it to establish the DTLS connection. The "best" WLC for the AP is the one with the least load, i.e. the lowest ratio of managed APs to the maximum possible number of APs. If two or more WLCs are equally "good", the AP selects the nearest one in the network, i.e. the one with the fastest response time.
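The discovery and selection steps above (broadcast plus statically configured addresses and the default DNS name, then ranking by load ratio with response time as the tie-breaker) can be written out as a small model. This is an added example, not LANCOM firmware code: the data class, the `resolve` callback and all addresses and load figures are constructed assumptions, and the ranking uses exact fractions so that two controllers with the same load really tie.

```python
"""Added example (not from the LANCOM page): model the AP's WLC discovery
targets and its choice of the 'best' WLC as described in the text.
All controller data below is constructed sample data."""
from dataclasses import dataclass
from fractions import Fraction

BROADCAST = "255.255.255.255"
DEFAULT_DNS_NAME = "WLC-Address"   # default name preconfigured on APs (from the page)


@dataclass(frozen=True)
class DiscoveryResponse:
    address: str        # WLC address (constructed)
    managed_aps: int    # APs currently managed by this WLC
    max_aps: int        # maximum number of APs this WLC may manage
    response_ms: float  # measured round-trip time of the discovery reply


def discovery_targets(configured_wlcs, resolve):
    """Addresses the AP sends discovery requests to: the broadcast address,
    statically configured WLC addresses, and whatever the injected `resolve`
    callback returns for the default DNS name. Duplicates are dropped."""
    targets = [BROADCAST]
    for addr in list(configured_wlcs) + list(resolve(DEFAULT_DNS_NAME)):
        if addr not in targets:
            targets.append(addr)
    return targets


def rank_key(r: DiscoveryResponse):
    """Lower is better: (has capacity?, load ratio, response time).
    A WLC that reports no AP capacity is ranked after every other one."""
    if r.max_aps <= 0:
        return (1, Fraction(0), r.response_ms)
    return (0, Fraction(r.managed_aps, r.max_aps), r.response_ms)


def select_wlc(responses):
    """Return the best WLC per the text's rule, or None if nobody answered."""
    if not responses:
        return None
    return min(responses, key=rank_key)


# Constructed sample data: an offline resolver and four discovery replies.
def fake_resolver(name):
    return ["10.0.0.3"] if name == DEFAULT_DNS_NAME else []

SAMPLE_RESPONSES = [
    DiscoveryResponse("10.0.0.1", managed_aps=50, max_aps=100, response_ms=3.0),  # ratio 1/2
    DiscoveryResponse("10.0.0.2", managed_aps=20, max_aps=100, response_ms=8.0),  # ratio 1/5
    DiscoveryResponse("10.0.0.3", managed_aps=10, max_aps=50, response_ms=2.0),   # ratio 1/5, faster
    DiscoveryResponse("10.0.0.4", managed_aps=0, max_aps=0, response_ms=1.0),     # no capacity
]

if __name__ == "__main__":
    print(discovery_targets(["10.0.0.1"], fake_resolver))
    print(select_wlc(SAMPLE_RESPONSES).address)   # 10.0.0.3
```

Using `Fraction` rather than floating-point division keeps the tie between 20/100 and 10/50 exact, so the response-time tie-breaker is actually reached instead of being decided by rounding noise.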

The WLC then uses an internal random number to derive a unique and secure session key, which it uses to secure the connection to the AP. The CA in the WLC issues a certificate to the AP by means of SCEP. The certificate request is protected by a one-time "challenge" password; the AP uses this challenge to authenticate to the WLC when it collects its certificate.

The AP is provided with the configuration for the integrated SCEP client via the secure DTLS connection; the AP then uses SCEP to retrieve its certificate from the SCEP CA. Once this is done, the assigned configuration is transferred to the AP.

Note: SCEP stands for Simple Certificate Encryption Protocol, CA for Certification Authority.

Authentication and configuration can both be carried out either automatically or only with a corresponding entry of the AP's MAC address in the AP table of the WLC. If the AP's WLAN modules were deactivated at the beginning of the DTLS communication, these will be activated after successful transfer of the certificate and configuration (provided they are not explicitly deactivated in the configuration).

The management and configuration data will then be transferred via the CAPWAP tunnel. The payload data from the WLAN client is then released in the AP directly into the LAN and transferred, for example, to the server.

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de