Describes authentication workflows between Cisco SD-WAN Controllers and WAN edge devices, focusing on secure credential exchanges, device validation, and trust establishment within the SD-WAN framework.
The final step in the automatic authentication process involves mutual authentication between the SD-WAN Controller and the WAN edge device. The controller authenticates the WAN edge device to confirm it belongs to the network, and the WAN edge device authenticates the controller. Upon successful authentication, the DTLS connection between the two devices becomes permanent, and the controller establishes an OMP peering session over this connection. The WAN edge device then begins sending data traffic over the Cisco Catalyst SD-WAN overlay network.
To initiate the session, either device starts an encrypted DTLS connection to the other, using RSA encryption. Each device generates an RSA private-public key pair at boot.
SD-WAN Controller authenticates the WAN edge device as follows:
-
The controller sends a 256-bit random challenge to the WAN edge device.
-
The WAN edge device responds with:
-
Its serial number
-
Its chassis number
-
Its board ID certificate
-
The 256-bit random value signed by its private key
-
-
The controller compares the serial and chassis numbers against its authorized device list. If no match exists, it tears down the DTLS connection.
-
The controller verifies the signature on the random value using the public key extracted from the device’s board ID certificate. If invalid, it tears down the connection.
-
The controller validates the board ID certificate using the root CA chain. If invalid, it tears down the connection.
-
The controller compares the response to the original challenge issued by the SD-WAN Validator. If they match, authentication succeeds; otherwise, the connection is torn down.
After these checks, the controller confirms the WAN edge device is valid.
The WAN edge device authenticates the SD-WAN Controller as follows:
-
The controller sends its trusted root CA signed certificate to the WAN edge device.
-
The WAN edge device extracts the controller’s serial number from the certificate and verifies it against its authorized serial number list. If no match exists, it tears down the connection.
-
The WAN edge device extracts the organization name from the certificate and compares it to its configured organization name. If they do not match, it tears down the connection.
-
The WAN edge device verifies the certificate’s signature using the root CA chain (Symantec or enterprise CA). If invalid, it tears down the connection.
After these checks, the WAN edge device completes authentication of the controller.
The DTLS connection used for authentication becomes permanent, and the two devices establish an OMP session over it to exchange control plane traffic.
This authentication process repeats for every SD-WAN Controller and WAN edge device introduced into the overlay network. Each WAN edge device must connect to at least one controller via a successful DTLS connection. For redundancy, domains typically have multiple controllers, allowing each WAN edge device to connect to more than one controller.
Over the OMP session, the WAN edge device sends control plane information to the controller to help it learn the network topology:
-
The WAN edge device advertises service-side prefixes and routes learned from local static and dynamic routing protocols (BGP and OSPF).
-
Each WAN edge device has a transport locator (TLOC), the address of the interface connecting to the WAN transport network or NAT gateway. Once the DTLS connection is established, OMP registers the TLOCs with the controller.
-
The WAN edge device advertises IP addresses of services on its service-side network, such as firewalls and intrusion detection devices.
The controller installs these OMP routes in its routing database and advertises them to other WAN edge devices in the overlay network. It also updates each WAN edge device with OMP route information learned from other devices. The controller can apply inbound policies on received routes before installing them and outbound policies before advertising routes.