Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term CAPWAP

Training Camp • Cybersecurity Glossary

What is CAPWAP?

An IETF protocol (RFC 5415) that lets a wireless controller centrally manage and tunnel traffic for many access points, with DTLS-encrypted control.

Glossary > Network Security > CAPWAP

Understanding CAPWAP

CAPWAP (Control and Provisioning of Wireless Access Points) is a standardized IETF protocol, defined in RFC 5415, that enables a central wireless LAN controller (WLC) to manage and control multiple access points (APs) across a network. It standardizes how a controller configures, monitors, updates, and tunnels traffic for lightweight APs in an enterprise wireless deployment.

CAPWAP uses two logical channels over UDP: a control channel (UDP port 5246) for management messages, AP discovery, configuration, and firmware updates, and a data channel (UDP port 5247) that tunnels client wireless traffic between the AP and the controller. The control channel is secured with DTLS (Datagram Transport Layer Security), providing encryption and mutual authentication between AP and controller using certificates, so management traffic cannot be easily intercepted or spoofed. APs and controllers exchange messages so the controller maintains centralized policy, RF management, and client state, while APs handle the real-time radio functions.

From a security standpoint, centralization through CAPWAP improves consistency: security policies, encryption settings, and patches are pushed uniformly, and rogue AP detection and RF monitoring are coordinated controller-wide. The DTLS-protected control plane defends against an attacker injecting configuration or impersonating a controller, which could otherwise let them hijack APs or redirect traffic. The data tunnel can also carry client traffic back to a central point for inspection and enforcement. Protecting the controller itself, and validating AP certificates, is critical, since compromising the WLC could affect the entire wireless fabric.

For example, an enterprise deploys 200 lightweight access points across several buildings, all managed by a pair of redundant wireless controllers. When a new AP is plugged in, it discovers a controller, establishes a DTLS-secured CAPWAP control session, authenticates by certificate, and automatically downloads its configuration and the correct firmware, no manual per-AP setup. When the security team changes the corporate Wi-Fi password policy, they update it once on the controller and CAPWAP pushes it to every AP, ensuring uniform, centrally enforced wireless security.

Learn More About CAPWAP:

Ready to Get Certified?

CAPWAP is one of the topics you'll master in the CCNA Boot Camp.

CCNA Boot Camp →