Encrypted Tunnel Deployment Guide

Available Languages

Download Options

  • PDF     (1.3 MB)
    View with Adobe Reader on a variety of devices
Updated:March 23, 2018

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

Introduction

This document introduces the 8.7 Mobility Encrypted Tunnel and provides general guidelines for its deployment. The purpose of this document is to:

  • Provide an overview of 8.7 Mobility Encrypted Tunnel Feature

  • Highlight supported Key Features

  • Provide details on deploying and managing the 8.7 Mobility Encrypted Tunnel Feature

Pre-requisite

You must have AireOS 8.0 or higher release on a Wireless LAN Controller in order to upgrade to the 8.5MR1 or 8.7 code.


Note

This feature is functional only in 8.5MR1 and 8.7 and above releases and is supported on 3504, 5520 and 8540 controllers.

Product or Feature Overview

The scope of the document is to provide a high level system description of support for End-to-End encryption of Mobility tunnel between Anchor and Foreign WLC. The document also describes the basic assumptions from the WLC perspective to support End-to-End encryption of Mobility tunnel between Anchor and Foreign WLC.

The architecture for End-to-End encryption of Mobility tunnel between Anchor and Foreign WLC is shown in the diagram below. In this architecture the WLCs are connected through CAPWAP based mobility tunnels which use DTLS encryption between the WLCs. The client data passes through secure DTLS encrypted CAPWAP tunnel between AP to WLC and between the Foreign and Anchor WLCs it passes through the CAPWAP based mobility tunnels which use DTLS encryption. Thus, through the entire data path from the client network to the Anchor WLC the client data is passing through encrypted tunnel with no scope for Man in the Middle snooping.



  • In release 8.7 end-to-end Tunnel encrypted between Anchor and Foreign Controllers

  • The encrypted tunnel passes through CAPWAP v4 with DTLS encryption

  • Old and New Mobility Architecture will be supported

  • Client SSO will be supported

  • Supported on 3504, 5520 and 8540 controllers

Configuring Encrypted Mobility Tunnel

To configure End to End Encrypted Mobility Tunnel in the release 8.7 follow the steps as indicated below.

Procedure
    Step 1   Configure all the controllers that need to participate in the Mobility Group exchange. All controllers have to be configured with each other information.



    Step 2   Enable Mobility Encryption on each controller.

    After enabling Mobility Encryption, the controller will reboot.





    Step 3   Before rebooting, the controller will display the following message, hit OK and then Apply the change.



    Step 4   After controllers that were configured with Encrypted Mobility Tunnel come up they will show with Status Up.

    Figure 1.



    Step 5   After the Mobility Encryption is enabled and Tunnel Link status shows as UP, one more check can be done to verify the encrypted connection is established. Perform MPING from one Controller to another Controller IP address over the Encrypted Tunnel and make sure MPING is successful.



    Copyright © 2018, Cisco Systems, Inc. All rights reserved.

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products