Cisco Catalyst SD-WAN Onboarding Guide, Releases 26.x and Later

PDF

Authentication between the WAN edge device and Cisco SD-WAN Manager

Want to summarize with AI?

Log in

Explains authentication steps between WAN edge devices and Cisco SD-WAN Manager, covering verification mechanisms and secure onboarding procedures within the automated bring-up sequence.


After the Cisco WAN edge device and SD-WAN Validator authenticate each other, the WAN edge device receives its full configuration over a DTLS connection with SD-WAN Manager:

  • The WAN edge device establishes a DTLS connection with SD-WAN Manager.

  • SD-WAN Manager sends the configuration file to the WAN edge device.

  • Upon receiving the configuration file, the WAN edge device activates its full configuration.

  • The WAN edge device starts advertising prefixes to SD-WAN Controller.

If you do not use SD-WAN Manager, you can log in to the WAN edge device and manually load its configuration file or configure the device manually.

The following steps describe the detailed authentication process between a WAN edge device and SD-WAN Manager:

  1. The WAN edge device initiates an encrypted DTLS connection to the IP address of SD-WAN Manager. RSA encryption secures this connection. Each device generates an RSA private-public key pair at boot. SD-WAN Manager receives the WAN edge device's original interface address and uses the outer IP address in the received packet to determine if the WAN edge device is behind a NAT. If so, SD-WAN Manager maps the WAN edge device's public IP address and port to its private IP address.

  2. Over this encrypted DTLS channel, the WAN edge device and SD-WAN Manager authenticate each other in parallel.

WAN edge device authenticates SD-WAN Manager:

  • SD-WAN Manager sends its trusted root CA signed certificate to the WAN edge device.

  • The WAN edge device extracts the organization name from the certificate using its chain of trust and compares it to the organization name configured on the device. If they match, the WAN edge device confirms the organization of SD-WAN Manager; otherwise, it tears down the DTLS connection.

  • The WAN edge device verifies the certificate’s signature using the root CA chain (Symantec or enterprise CA). If the signature is valid, the certificate is considered valid; if not, the DTLS connection is torn down.

After these checks, the WAN edge device completes authentication of SD-WAN Manager.

SD-WAN Manager authenticates the WAN edge device:

  • SD-WAN Manager sends a 256-bit random challenge to the WAN edge device.

  • The WAN edge device responds with:

    • Its serial number

    • Its chassis number

    • Its board ID certificate (for hardware WAN edge devices) or signed certification (for WAN edge Cloud devices)

    • The 256-bit random value signed by the WAN edge device's private key

  • SD-WAN Manager compares the serial and chassis numbers to its authorized device list file. If no match exists, it tears down the DTLS connection.

  • It verifies the signature of the 256-bit random value using the WAN edge device’s public key extracted from the board ID certificate. If invalid, it tears down the connection.

  • It validates the board ID certificate using the root CA chain. If invalid, it tears down the connection.

After these checks, SD-WAN Manager completes authentication of the WAN edge device.

When mutual authentication succeeds, SD-WAN Manager sends the configuration file to the WAN edge device. Upon receiving the configuration, the WAN edge device activates its full configuration and starts advertising prefixes to SD-WAN Controller.