topic Mobility control & data encryption in Wireless

Mobility control & data encryption

Murinos — Mon, 05 Jul 2021 18:16:55 GMT

Hi everybody!

Found this paper:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-7/b_encrypted_tunnel_deployment_guide.html

It says that:

"In release 8.7 end-to-end Tunnel encrypted between Anchor and Foreign Controllers"

by issuing commands:

config mobility group member add

config mobility encryption enable

(i'm not mentioning adding mobility peers)

But in Configuration Guide it's more complicated:

config mobility group member add peer-mac-addr peer-ip-addr group-name encrypt { enable | disable}

config mobility group member data-dtls peer-mac-addr { enable | disable}

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-8/config-guide/b_cg88/encrypted_mobility_tunnel.html

1) Which commands are true?

2) Will both control (port 16666) and data (port 16667) flows will be encrypted after enabling this feature?

3) When deploying Foreign-Anchor scenario with this encryption, is it enough to open ports 16666 & 16667 on the firewalls for mobility messaging and user traffic to be tunneled between foreign and anchor? Or is it required to open 5246/5247 for CAPWAP traffic for Anchor also? (not mentioning everything else, like https, snmp etc.)

Thanks in advance!

Artem

Re: Mobility control

Scott Fella — Fri, 08 Nov 2019 19:09:58 GMT

I don’t think this is necessary in your own environment, maybe in a shared environment. Mobility only uses 16666 and 16667 and you don’t need the ports for AP’s open unless for some reason you have AP’s joined to those controllers.

Re: Mobility control

Murinos — Fri, 08 Nov 2019 19:43:09 GMT

Thanks, Scott!

It's customer's requirement. We need to either confirm or refuse that both flows encrypted when speaking with their security department. It will not affect the design though, just want to be sure when speaking with them.

Re: Mobility control

Scott Fella — Fri, 08 Nov 2019 22:04:58 GMT

Okay… one thing that is important and is something to discuss with them are: is this for guest and if so, why not make is as simple as possible for the end user. If they want PSK, then only do WPA2-PSK and not use a portal. You will not be able to do both together and that is frustrating for an end user whom has to do both if it was even available. Give them the choice of one or the other:)

Re: Mobility control & data encryption

Rasika Nayanajith — Fri, 08 Nov 2019 23:20:33 GMT

In release 8.7 end-to-end Tunnel encrypted between Anchor and Foreign Controllers"

by issuing commands:

config mobility group member add

config mobility encryption enable

(i'm not mentioning adding mobility peers)

But in Configuration Guide it's more complicated:

config mobility group member add peer-mac-addr peer-ip-addr group-name encrypt { enable | disable}

config mobility group member data-dtls peer-mac-addr { enable | disable}

1) Which commands are true?

"config mobility group member add" is not the full command syntax. What you see in config guide is full syntax of that command. In other deployment guide, it just give the stating section of that command.

Mobility peer encryption introduced in 8.5MR1 release. So in that version you have to enable it globally (note that WLC will reboot once you enable it ) . See this Ciscolive presentation (below image from it - slide 16)

(WLC-1) >config mobility ?

dscp Configures the Mobility inter controller DSCP value.
encryption Configures tunnel(control/data) encryption in mobility flat architecture.
group Configures the Mobility group parameters.
multicast-mode Configures the Multicast Mode for mobility messages
new-architecture Configure the controller to switch between old and new mobility architecture.
statistics Resets the mobility statistics

(WLC-1) >config mobility encryption enable

Enabling encryption would change the data and control channel of mobility tunnel from unencrypted to encrypted !!!
Configuration changes will be saved and System will be rebooted. !!!
Are you sure you want to continue? (y/n)
y

Mobility tunnel encryption is enabled for flat architecture.
The system has unsaved changes.
Configuration saved!
System will now restart!

Later versions, you do not have option to enable it like that. You can enable it per mobility member. Here is a controller running on 8.10 configuration options.

(WLC-3) >config mobility ?

dscp Configures the Mobility inter controller DSCP value.
group Configures the Mobility group parameters.
multicast-mode Configures the Multicast Mode for mobility messages
statistics Resets the mobility statistics.

(WLC-3) >config mobility group member ?

add Add/Change a Mobility group member to the list.
data-dtls Optional data-dtls configuration for mobility peer. Default is enabled
delete Delete a Mobility group member from the list.
hash Configure hash key for authorization. Applicable only if member is a Virtual Controller in the same domain.

(WLC-3) >config mobility group member add 28:94:0f:ae:42:e0 10.5.x.x mildura encrypt ?

disable Disables secure communication to peer
enable Enables secure communication to peer

(WLC-3) >config mobility group member add 28:94:0f:ae:42:e0 10.5.x.x mildura encrypt enable

2. Yes, both control & data will be encrypted. You can disable "data-dtls" if you want

(WLC-3) >config mobility group member data-dtls 28:94:0f:ae:42:e0 ?

enable Optional data-dtls enable or disable for member
disable Optional data-dtls enable or disable for member

(WLC-3) >config mobility group member data-dtls 28:94:0f:ae:42:e0 enable

data-dtls already configured

3. Still mobility messages use UDP 16666 & 16667 in outer headers, however inner traffic (control & data) is encrypted.

HTH

Rasika

*** Pls rate all useful responses ***

Re: Mobility control & data encryption

Murinos — Mon, 11 Nov 2019 08:03:14 GMT

Thank you very much, Rasika!
It's exactly what I needed to know.