Describes authentication procedures between key SD-WAN infrastructure components, emphasizing secure credential exchanges, verification steps, and trust establishment during automated bring-up.
Cisco SD-WAN Controller initiates the first authentication with Cisco SD-WAN Validator, the first two devices on the Cisco Catalyst SD-WAN overlay network to validate and authenticate each other. When the Controller boots, it connects to the Validator, allowing the Validator to learn about the Controller. Both devices then automatically start a two-way authentication process over an encrypted DTLS channel secured by RSA keys generated at boot. The authentication handshakes occur in parallel, but for clarity, they are often illustrated sequentially.
If authentication succeeds, the devices establish a permanent DTLS communication channel. If any authentication step fails, the device detecting the failure tears down the connection, terminating the attempt.
The Controller knows how to reach the Validator because its configuration includes the Validator’s IP address or DNS name. The Validator is ready to respond because:
-
Its role as the authentication system is configured.
-
It has received the Controller authorized serial numbers downloaded from Cisco SD-WAN Manager.
If the Validator is not yet started when the Controller initiates authentication, the Controller periodically retries until successful.
The detailed authentication steps are:
-
The Controller initiates an encrypted DTLS connection to the Validator.
-
The Validator sends its trusted root CA signed certificate and the WAN edge authorized serial number file to the Controller.
-
The Controller extracts the organization name from the Validator’s certificate and compares it to its configured organization name. If they match, the Controller confirms the Validator’s organization; if not, it tears down the connection.
-
The Controller verifies the Validator’s certificate signature using the root CA chain (Symantec or enterprise CA). If valid, it accepts the certificate; otherwise, it tears down the connection.
-
The Controller sends its trusted root CA signed certificate to the Validator.
-
The Validator extracts the Controller’s serial number from the certificate and checks it against its authorized serial number file. If no match exists, it tears down the connection.
-
The Validator compares the organization name from the Controller’s certificate to its configured name. If they match, it confirms the Controller’s organization; if not, it tears down the connection.
-
The Validator verifies the Controller’s certificate signature using the root CA chain. If valid, it accepts the certificate; otherwise, it tears down the connection.
After these checks, the bidirectional authentication completes, and the DTLS connection transitions from temporary to permanent. The devices establish an OMP session over this connection.
In networks with multiple Controllers for redundancy, this authentication process repeats between each Controller and the Validator. Controllers learn about each other’s IP addresses from the Validator and synchronize route information. For higher availability, connect Controllers to the WAN network through different NAT devices.
Each Validator maintains permanent DTLS connections equal to the number of Controllers in the network topology. These connections form the control plane; no data traffic flows over them. After all Controllers register with the Validator, the Validator and Controllers are ready to validate and authenticate WAN edge routers in the Cisco Catalyst SD-WAN network.