Details authentication between validator and WAN edge devices, highlighting credential validation, certificate exchanges, and trusted onboarding for secure SD-WAN connectivity.
When you deploy a WAN edge device, it must first:
-
Establish a secure connection with Cisco SD-WAN Manager to receive its full configuration.
-
Establish a secure connection with Cisco SD-WAN Controller to participate in the Cisco Catalyst SD-WAN overlay network.
The WAN edge device automatically discovers Cisco SD-WAN Manager and Cisco SD-WAN Controller with help from Cisco SD-WAN Validator. The WAN edge device's initial configuration includes the Cisco SD-WAN Validator's IP address or DNS name. Using this, the WAN edge device establishes a DTLS connection with Cisco SD-WAN Validator. Both devices authenticate each other automatically in a two-way process to confirm they are valid WAN edge devices. Upon successful authentication, Cisco SD-WAN Validator sends the WAN edge device the IP addresses of Cisco SD-WAN Manager and Cisco SD-WAN Controller. The WAN edge device then tears down its connection with Cisco SD-WAN Validator and begins establishing secure DTLS connections with the other two devices.
After booting and performing initial configuration, WAN edge devices automatically seek their Cisco SD-WAN Validator. Cisco SD-WAN Validator and Cisco SD-WAN Controllers recognize and authenticate WAN edge devices because the authorized device list file is installed on both.
The WAN edge device uses the configured IP address or DNS name of Cisco SD-WAN Validator to reach it. Cisco SD-WAN Validator is ready to respond because:
-
Its role as the authentication system is defined in its initial configuration.
-
The authorized serial number file for WAN edge devices is installed on Cisco SD-WAN Validator.
If Cisco SD-WAN Validator is not yet started when the WAN edge device initiates authentication, the device retries periodically until successful.
The following steps describes a detailed authentication process between Cisco SD-WAN Validator and WAN edge device:
-
The WAN edge device initiates an encrypted DTLS connection to Cisco SD-WAN Validator’s public IP address. RSA encryption secures this connection. Each device generates an RSA private-public key pair at boot. Cisco SD-WAN Validator uses the outer IP address in the packet to detect if the WAN edge device is behind NAT and maps the public IP and port to the private IP.
-
Over the encrypted DTLS channel, both devices authenticate each other in parallel.
WAN edge device authenticates Cisco SD-WAN Validator:
-
Cisco SD-WAN Validator sends its trusted root CA signed certificate.
-
The WAN edge device extracts the organization name from the certificate and compares it to its configured organization name. If they match, the validator is considered valid; otherwise, the DTLS connection is torn down.
-
The WAN edge device verifies the certificate’s signature using the root CA chain (Symantec or enterprise CA). If invalid, it tears down the connection.
Cisco SD-WAN Validator authenticates the WAN edge device:
-
Cisco SD-WAN Validator sends a 256-bit random challenge.
-
The WAN edge device responds with its serial number, chassis number, board ID certificate, and the signed 256-bit random value using its private key.
-
Cisco SD-WAN Validator verifies the serial and chassis numbers against its authorized device list. If no match, it tears down the connection.
-
It verifies the signature of the random value using the WAN edge device’s public key from the board ID certificate. If invalid, it tears down the connection.
-
It validates the board ID certificate using the root CA chain. If invalid, it tears down the connection.
After successful mutual authentication, Cisco SD-WAN Validator sends the following in parallel:
-
To the WAN edge device:
-
IP addresses of Cisco SD-WAN Controllers (public or NAT-mapped private and public IPs with ports).
-
Serial numbers of authorized Cisco SD-WAN Controllers.
-
If the WAN edge device is behind NAT, a request to initiate a session with Cisco SD-WAN Controller.
-
-
To Cisco SD-WAN Controller:
-
A message announcing the new WAN edge device.
-
If the WAN edge device is behind NAT, a request to initiate a session with the WAN edge device.
-
Finally, the WAN edge device tears down the DTLS connection with Cisco SD-WAN Validator.