Security Policy
To ensure tunnel confidentiality and security when the parent and AS exchange management packets through a CAPWAP tunnel, use Datagram Transport Layer Security (DTLS) to encrypt packets transmitted in the CAPWAP tunnel, change the shared key for encrypting sensitive information, or configure a Pre-Shared Key (PSK) for checking CAPWAP packet integrity.

If PSKs are used for CAPWAP tunnel encryption (keys are preconfigured on both the parent and AS), the parent and AS can negotiate successfully and set up a CAPWAP tunnel when their PSKs are the same.

During the configuration, pay attention to the following:
- If DTLS is used for CAPWAP tunnel encryption, the CPUs of the parent and AS participate in DTLS encryption, deteriorating AS connection performance. To mitigate this impact, use DTLS only in scenarios requiring high confidentiality.
- The parent and AS cannot support both High Availability (HA) and DTLS encryption functions. If both functions are enabled and an active/standby switchover occurs on the parent, the AS waits until the original CAPWAP tunnel ages before it can re-establish a CAPWAP tunnel, causing an AS service interruption. If both functions are enabled and an active/standby switchover occurs on the AS, the AS needs to re-establish a link and connect to the parent again, during which the AS service will also be interrupted.
- ASs connected to the parent will restart when the parent uses DTLS to encrypt packets transmitted in the CAPWAP tunnel, the shared key for encrypting sensitive information is changed on the parent, or a PSK is configured for checking CAPWAP packet integrity on the parent.
- When an AS is being upgraded, do not enable the parent to use DTLS to encrypt packets transmitted in the CAPWAP tunnel, change the shared key for encrypting sensitive information on the parent, or configure a PSK for checking CAPWAP packet integrity on the parent.
- If DTLS encryption is enabled on the parent and an AS has connected to the parent, the PSK is automatically delivered to the AS after it is changed on the parent. Do not repeatedly change the PSK within 10 minutes.
Configuration Method
Configure DTLS encryption for the CAPWAP tunnel, and configure PSKs on the parent and AS.
Configure a PSK on the parent.
<HUAWEI> system-view
[HUAWEI] capwap dtls psk test@1234 //Set the PSK used for DTLS encryption to test@1234.
[HUAWEI] capwap dtls psk-mandatory-match enable //Allow APs to use the default PSK to establish DTLS sessions with ACs.
[HUAWEI] capwap dtls control-link encrypt //Enable the function of encrypting the CAPWAP control tunnel using DTLS.
[HUAWEI] capwap sensitive-info psk huawei123 //Change the PSK used for encrypting sensitive information to huawei123.
[HUAWEI] capwap message-integrity psk huawei321 //Set the CAPWAP packet integrity check PSK to huawei321.
Configure a PSK on an AS.
<HUAWEI> as access dtls psk test@1234 //Set the DTLS encryption PSK to test@1234.
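The page states that the tunnel only comes up when the parent's and AS's DTLS PSKs are the same. The following is an added example, not Huawei's code and not part of the original page: it parses configuration fragments in the syntax of the commands above, reports per AS whether the DTLS PSK matches the parent's, and models the message-integrity PSK check with an HMAC so the effect of a key mismatch is visible. The AS names, the deliberately mismatched second PSK, and the choice of HMAC-SHA256 as the integrity mechanism are constructed assumptions (the page does not state which algorithm the device uses).

```python
"""Consistency check for the parent/AS DTLS PSK settings shown above.

Added illustration, not Huawei tooling. The config-line syntax follows the
commands on the page; the AS names, the mismatched second PSK and the use of
HMAC-SHA256 to model the integrity check are constructed assumptions.
"""
import hashlib
import hmac
import re

# Constructed parent configuration, built from the commands on the page.
PARENT_CONFIG = """\
capwap dtls psk test@1234
capwap dtls psk-mandatory-match enable
capwap dtls control-link encrypt
capwap sensitive-info psk huawei123
capwap message-integrity psk huawei321
"""

# Constructed AS configurations: AS2 carries a deliberately mismatched PSK
# (PSKs are case-sensitive, so "Test@1234" is not "test@1234").
AS_CONFIGS = {
    "AS1": "as access dtls psk test@1234\n",
    "AS2": "as access dtls psk Test@1234\n",
}

_PARENT_PATTERNS = {
    "dtls_psk": re.compile(r"^capwap dtls psk (\S+)$"),
    "sensitive_info_psk": re.compile(r"^capwap sensitive-info psk (\S+)$"),
    "integrity_psk": re.compile(r"^capwap message-integrity psk (\S+)$"),
}


def parse_parent(config: str) -> dict:
    """Extract the PSKs and DTLS flags from a parent configuration fragment."""
    settings = {"dtls_encrypt": False, "psk_mandatory_match": False}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "capwap dtls control-link encrypt":
            settings["dtls_encrypt"] = True
        elif line == "capwap dtls psk-mandatory-match enable":
            settings["psk_mandatory_match"] = True
        else:
            for key, pattern in _PARENT_PATTERNS.items():
                m = pattern.match(line)
                if m:
                    settings[key] = m.group(1)
    return settings


def parse_as_psk(config: str):
    """Return the DTLS PSK configured on an AS, or None if it is absent."""
    m = re.search(r"^as access dtls psk (\S+)$", config, re.MULTILINE)
    return m.group(1) if m else None


def check_dtls_psks(parent_config: str, as_configs: dict) -> dict:
    """Report, per AS, whether its DTLS PSK equals the parent's.

    A False entry means DTLS negotiation fails for that AS and no CAPWAP
    tunnel is set up, which is the condition the page describes.
    """
    parent_psk = parse_parent(parent_config).get("dtls_psk")
    return {name: parse_as_psk(cfg) == parent_psk for name, cfg in as_configs.items()}


def integrity_tag(psk: str, payload: bytes) -> str:
    """Model of a PSK-based integrity tag (HMAC-SHA256 is an assumption)."""
    return hmac.new(psk.encode(), payload, hashlib.sha256).hexdigest()


def verify_integrity(psk: str, payload: bytes, tag: str) -> bool:
    """Constant-time comparison so a forged tag leaks nothing via timing."""
    return hmac.compare_digest(integrity_tag(psk, payload), tag)


if __name__ == "__main__":
    print(parse_parent(PARENT_CONFIG))
    print(check_dtls_psks(PARENT_CONFIG, AS_CONFIGS))
    msg = b"constructed CAPWAP control message"
    tag = integrity_tag("huawei321", msg)
    print(verify_integrity("huawei321", msg, tag))  # same integrity PSK on both sides
    print(verify_integrity("huawei123", msg, tag))  # wrong PSK: check fails
```

Run this before changing a PSK on the parent: an AS that reports False will drop off when the new key is pushed, which is exactly the service interruption the notes above warn about. The integrity part shows the same principle for the message-integrity PSK: a message tagged under one key does not verify under another, so parent and AS must hold identical keys for every PSK they share.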