Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

CAP IPsec setup

  • 1.  CAP IPsec setup

    Posted May 07, 2020 09:15 PM

    Does anyone know if it is possible to change the encryption algorithm used between campus mode access points and the mobility controllers?

     

    For example, I am seeing all the access points using AES 254 / R-Sig / Sha1-96.

     

    I believe the above is related to the default crypto policy setup on the controller.

     

    Unfortunately, Sha1-96 is frowned upon by most security standards these days. I understand it is possible to create our own crypto policy, and I do see more secure options other than Sha1-96. However, I am not sure if it is possible to have the access point negotiate a non-default IPsec policy.

     

    Also, I read somewhere about the Advance Crypto license, but the documents were more on RAP rather than CAP.

     

    Questions:

    1. Can CAP IPsec to the controller use a custom crypto isakmp policy?

    If yes, does anyone know how, and whether it requires any additional license (such as the Advanced Cryptography (ACR) module)?



  • 2.  RE: CAP IPsec setup

    EMPLOYEE
    Posted May 07, 2020 09:23 PM

    The CAP only uses cryptography (CPSEC) so that management messages between the access point and the controller are sent encrypted.  Those messages, like "change your channel" and "change your transmit power", are the extent of it.  The user traffic is still tunneled all the way back to the controller, where it is decrypted, so even if you did not have CPSEC, the user traffic would be Wi-Fi encrypted all the way back to the controller.

     

    CPSEC is also used to selectively admit access points to the controller network.  I would not say that there is anything interesting in CPSEC traffic, really, that would require more sophisticated types of encryption than there is right now.



  • 3.  RE: CAP IPsec setup

    EMPLOYEE
    Posted May 07, 2020 09:24 PM

    I apologize that I didn't answer your question directly.  I only wanted to put it in perspective.  I will let others answer your question.