Cisco Catalyst SD-WAN Onboarding Guide, Releases 26.x and Later

PDF

Authentication Between Cisco SD-WAN Controllers

Want to summarize with AI?

Log in

Outlines the authentication processes between Cisco Catalyst SD-WAN Controllers, detailing mutual verification methods and secure communication protocols used during system initialization.


In a domain with multiple SD-WAN Controller, the controllers authenticate each other to establish a full mesh of permanent DTLS connections for synchronizing OMP routes. Each SD-WAN Controller learns the IP addresses of other controllers from the SD-WAN Validator.

During the authentication handshake with the SD-WAN Validator, each controller receives a copy of the authorized serial number file for SD-WAN Controllers. If this file contains more than one serial number, it indicates the network may have multiple controllers.

When a SD-WAN Controller authenticates with the SD-WAN Validator, the validator sends it the IP addresses of other authenticated controllers. If the validator later discovers another controller, it sends that controller's address to the already authenticated controllers.

The controllers then authenticate each other by performing the following steps sequentially (though authentication occurs in parallel):

  1. Controller1 initiates an encrypted DTLS connection to controller2 and sends its trusted root CA signed certificate.

  2. Controller2 extracts controller1's serial number from the certificate using its chain of trust and verifies it matches one in the authorized serial number file. If no match exists, controller2 tears down the DTLS connection.

  3. Controller2 extracts the organization name from the certificate and compares it to its locally configured organization name. If they match, controller2 confirms controller1's organization; otherwise, it tears down the connection.

  4. Controller2 verifies the certificate's signature using the root CA chain (Symantec or enterprise CA). If valid, controller2 accepts the certificate; if invalid, it tears down the connection.

After these checks, controller2 completes authentication of controller1.

Controller1 then authenticates controller2 by performing the same steps:

  1. Controller2 sends its trusted root CA signed certificate to controller1.

  2. Controller1 verifies controller2's serial number against the authorized serial number file, tearing down the connection if no match exists.

  3. Controller1 compares the organization name from the certificate to its local configuration, tearing down the connection if they do not match.

  4. Controller1 verifies the certificate's signature using the root CA chain, tearing down the connection if invalid.

After these checks, controller1 completes authentication of controller2, and the temporary DTLS connection becomes permanent.

Once all SD-WAN Controllers have registered with the SD-WAN Validatorr, the validator and controllers are ready to validate and authenticate the WAN Edge routers in the Cisco Catalyst SD-WAN network.