Our APs are very intelligent devices, when they boot up they’re shouting out a broadcast message, asking for a controller and stores this into flash for further usage. This works fine until we put the WLC and the APs in different subnets. For this situation we can set up a DHCP-server and configure the option 53, also we can configure a DNS-server to respond to CISCO-CAPWAP-CONTROLLER with the IP of the WLC. Summarized, there are 4 ways to connect the AP.
I hope this is going without saying: Powering the AP via PoE or a power-injector, maybe a power-supply.
The next step is to elect the WLC the AP want to connect with, if they’re multiple responses. If the AP is already connected, we can configure a primary, secondary and tertiary controller for each AP. So if one controller fails or the AP could not find the first one during the boot process it connects to the next one.
The next in line is to brand an AP to connect with a WLC the is the „MASTER CONTROLLER MODE „. This mode automatically writes the WLC’s IP into the APs config.
The last way if the AP found several WLCs is the to choose by the load of the WLC’s. The load is measured by the connected APs and the license applied. 10 APs licensed, 8 connected, 80% load.
The initial get to know between the WLC and AP runs over the control-channel, at port 5246 UDP at the controller. The is done with DTLS, Datagram Transport Layer Security.
They’re exchange their certificates, first the WLC to AP and the AP to WLC.
The DTLS traffic then runs encrypted, farther via UDP port 5246. The client data is transfered via UDP 5247 and is not encrypted by default!
What I found in the latest WLC version is very extreme, but it’s prescribed by law in some country’s 😉