Default Ciphersuites Supported for CAPWAP-DTLS
From Cisco IOS XE Bengaluru 17.5.1, Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)/Galois Counter Mode (GCM) ciphersuite with perfect forward secrecy (PFS) capability is added in the default list along with the existing AES128-SHA ciphersuite. All Cisco access point (AP) models, except the Cisco IOS APs, will prioritize this PFS ciphersuite for CAPWAP-DTLS under default configuration.
Note |
If link encryption is enabled for secure data channel traffic, then COS AP (DTLS client) will prioritize DHE-RSA-AES128-SHA over ECDHE/GCM ciphersuite. |
During DTLS handshake, the preference order of the ciphersuites are important. This feature allows you to set the order of priority while configuring cipher suites.
When explicit ciphersuites are not configured, default ciphersuites that are listed in the table below are applied.
Security Mode |
Ciphersuite |
---|---|
FIPS and non-FIPS |
|
WLANCC |
|
This feature is supported on all variants of the Cisco Catalyst 9800 Series Wireless Controllers and APs, except Cisco Industrial Wireless 3702 Access Point.
For a list of controllers and APs supported in a particular release, see the release notes available at: https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/products-release-notes-list.html