Lightweight Access Point Protocol (LWAPP)

Introduction

1. When the AP initially connects to the network it broadcasts at layer 2 looking for a controller. This is a LWAPP Discovery Request that should be received by the controller management MAC address. What should happen is the controller ought to respond with a Discovery Response indicating the number of APs associated to the controller. The AP then connects to the least loaded controller by sending a Join Request.
2. If no controller is found at layer 2, then the AP requests an IP address via DHCP.
3. If a controller is not found on the same subnet then the layer 3 switched network often deploys DHCP relay on the VLANs that the APs use. The DHCP server not only responds with an IP address but it also provides the AP with the IP addresses of available WLCs (Option 43, sub-option 241), these addresses may be prioritised with one Wireless LAN Controller (WLC) being first and another WLC second. The default gateway and DNS information is also provided by the DHCP server.
4. In layer 3 mode the AP sends a LWAPP Discovery Request to the AP manager IP address using a directed broadcast.
5. If there is no response then the AP will send the Discovery Request to any controllers that have been learned from other APs via Over The Air Provisioning (OTAP).
6. The controller responds with a Discovery Response indicating the number of APs associated to the controller.
7. The AP then sends to the least loaded controller a Join Request which contains the AP's X.509 certificate.
8. The AP uses the following order when associating with a controller:
   1. First try the Primary controller, then the Secondary and then the Tertiary controller.
   2. Next try the Master Controller
   3. Then the least loaded controller
   4. Finally, the least loaded Access Point Manager interface
9. The WLC validates the AP and then sends an LWAPP join response to the AP and this contains the WLC's X.509 certifcate.
10. The AP now validates the WLC, thereby completing the discovery and join process which includes mutual authentication and encryption key derivation using the X.509 certificates. This is used to secure the join process and future LWAPP control messages.
11. The AP registers with a WLC according to hardware option 60 parameters that describe the hardware AP type.
12. The WLC updates the AP image software if required and configures the AP with the appropriate radio and SSID settings
13. A client device attempts to connect to an SSID.
14. If 802.1x authentication is required then credentials are sent through the LWAPP tunnel to the WLC.
15. The WLC maps the SSID to the relevant user VLAN and this 802.1x traffic enters the firewall.
16. The firewall rules permit this traffic to be forwarded on to the RADIUS server. The RADIUS function may be provided by Cisco's ACS (Access Control Server).
17. The RADIUS server checks the credentials and allows the user device access.
18. The user device now obtains an IP address via DHCP through the firewall.
19. The corporate policy determines where the user can go and what that user can do.
20. For the SSIDs that use WPA2-PSK for encryption, there are different network keys set up on the WLCs for each SSID. Users must use the relevant key to gain access to their SSID.