Updated:March 23, 2018
This document introduces the 8.7 Mobility Encrypted Tunnel and provides general guidelines for its deployment.

The purpose of this document is to:
- Provide an overview of the 8.7 Mobility Encrypted Tunnel feature
- Highlight the supported key features
- Provide details on deploying and managing the 8.7 Mobility Encrypted Tunnel

You must have AireOS release 8.0 or higher on a Wireless LAN Controller in order to upgrade to 8.5MR1 or 8.7. This feature is functional only in the 8.5MR1 and 8.7 and above releases, and is supported on the 3504, 5520 and 8540 controllers.
Product or Feature

The scope of the document is to provide a high-level system description of support for end-to-end encryption of the mobility tunnel between the Anchor and Foreign WLC. The document also describes the basic assumptions, from the WLC perspective, for supporting end-to-end encryption of the mobility tunnel between the Anchor and Foreign WLC.

The architecture for end-to-end encryption of the mobility tunnel between the Anchor and Foreign WLC is shown in the diagram below. In this architecture the WLCs are connected through CAPWAP-based mobility tunnels that use DTLS encryption between the WLCs. The client data passes through a DTLS-encrypted CAPWAP tunnel between the AP and the WLC, and between the Foreign and Anchor WLCs it passes through the CAPWAP-based mobility tunnels, which also use DTLS encryption. Thus, along the entire data path from the client network to the Anchor WLC, the client data travels through an encrypted tunnel, with no scope for man-in-the-middle snooping.
In release 8.7:
- End-to-end encrypted tunnel between the Anchor and Foreign Controllers; the tunnel passes through CAPWAP v4 with DTLS encryption
- Old and New Mobility Architecture will be supported
- Client SSO will be
- Supported on 3504, 5520 and 8540 controllers
Encrypted Mobility Tunnel

To configure the End-to-End Encrypted Mobility Tunnel in release 8.7, follow the steps as indicated.

Configure the controllers that need to participate in the Mobility Group exchange. All controllers have to be configured with each other's information.

Enable Mobility Encryption on each controller.

After enabling Mobility Encryption, the controller will reboot. Before rebooting, the controller will display the following message; hit OK and then Apply the change.

Once the controllers that were configured with the Encrypted Mobility Tunnel come up, they will show with Status Up.

Once Mobility Encryption is enabled and the Tunnel Link status shows as UP, one more check can be done to verify that the encrypted connection is established. Perform an MPING from one controller to the other controller's IP address over the Encrypted Tunnel and make sure the MPING is successful.
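The verification steps above (mutual mobility group configuration, Mobility Encryption enabled, every peer showing Status Up, and a successful MPING) can be scripted so that a group of controllers is checked consistently after the reboot. The following is an added example, not code from the Cisco guide: it parses controller output that resembles "show mobility summary" and an MPING result, but the exact text layout of that output, the controller names WLC-A and WLC-B, and the peer addresses are constructed assumptions for this example; adapt the regular expressions to the output your controllers actually produce.

```python
"""Post-deployment checks for an encrypted mobility tunnel (added example).

Not part of the Cisco guide. The layout of the controller output below is
CONSTRUCTED for this example (an assumption); adjust the regular
expressions to match the exact output of your controllers.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample resembling 'show mobility summary' on controller WLC-A.
# Addresses come from documentation ranges; the layout is assumed.
WLC_A_SUMMARY = """\
Mobility Encryption ............................. Enabled
Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name   Multicast IP   Status
 00:00:5e:00:53:01  192.0.2.11       mgroup       0.0.0.0        Up
 00:00:5e:00:53:02  192.0.2.12       mgroup       0.0.0.0        Up
 00:00:5e:00:53:03  192.0.2.13       mgroup       0.0.0.0        Control Path Down
"""

# WLC-B was never configured with 192.0.2.13: a one-sided configuration,
# which violates the rule that all controllers carry each other's information.
WLC_B_SUMMARY = """\
Mobility Encryption ............................. Enabled
Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name   Multicast IP   Status
 00:00:5e:00:53:01  192.0.2.11       mgroup       0.0.0.0        Up
 00:00:5e:00:53:02  192.0.2.12       mgroup       0.0.0.0        Up
"""

# Constructed MPING results (layout assumed).
MPING_OK = "Send count=3, Receive count=3 from 192.0.2.12"
MPING_LOST = "Send count=3, Receive count=0 from 192.0.2.13"

_ENCRYPTION_RE = re.compile(r"^Mobility Encryption\s*\.*\s*(\w+)", re.M)
_MEMBER_RE = re.compile(
    r"^\s*(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\s+"  # MAC address column
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+"            # peer IP (captured)
    r"\S+\s+"                                  # group name
    r"\d{1,3}(?:\.\d{1,3}){3}\s+"              # multicast IP
    r"(.+?)\s*$",                              # status text (captured)
    re.M | re.I,
)
_MPING_RE = re.compile(r"Send count=(\d+), Receive count=(\d+)")


@dataclass
class MobilitySummary:
    encryption_enabled: bool
    members: dict[str, str] = field(default_factory=dict)  # peer IP -> status


def parse_summary(text: str) -> MobilitySummary:
    """Extract the Mobility Encryption flag and the per-peer status column."""
    enc = _ENCRYPTION_RE.search(text)
    enabled = bool(enc) and enc.group(1).lower() == "enabled"
    return MobilitySummary(enabled, dict(_MEMBER_RE.findall(text)))


def verify_mobility_group(summaries: dict[str, MobilitySummary]) -> list[str]:
    """Return findings; an empty list means every controller passed.

    Checks: encryption enabled on every controller, every peer known to any
    controller is configured on all of them, and every peer reports Up.
    """
    findings: list[str] = []
    every_peer = set().union(*(s.members for s in summaries.values()))
    for name, summary in summaries.items():
        if not summary.encryption_enabled:
            findings.append(f"{name}: Mobility Encryption is not enabled")
        for ip in sorted(every_peer - set(summary.members)):
            findings.append(f"{name}: peer {ip} is missing from its mobility group")
        for ip, status in sorted(summary.members.items()):
            if status.strip().lower() != "up":
                findings.append(f"{name}: peer {ip} status is '{status}'")
    return findings


def mping_succeeded(output: str) -> bool:
    """True only if at least one packet was sent and none were lost."""
    m = _MPING_RE.search(output)
    if not m:
        return False
    sent, received = int(m.group(1)), int(m.group(2))
    return sent > 0 and received == sent


def run_checks() -> list[str]:
    """Run every check over the constructed samples and return the findings."""
    summaries = {"WLC-A": parse_summary(WLC_A_SUMMARY),
                 "WLC-B": parse_summary(WLC_B_SUMMARY)}
    findings = verify_mobility_group(summaries)
    for target, output in (("192.0.2.12", MPING_OK), ("192.0.2.13", MPING_LOST)):
        if not mping_succeeded(output):
            findings.append(f"MPING to {target} over the encrypted tunnel failed")
    return findings


if __name__ == "__main__":
    for line in run_checks() or ["all encrypted mobility checks passed"]:
        print(line)
```

Run against the constructed samples, the script reports three findings: the peer 192.0.2.13 is not Up as seen from WLC-A, it is absent from WLC-B's mobility group, and the MPING to it fails. The membership comparison is the part worth keeping: a peer configured on only one side will never come Up, and a status-only check does not say why.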