topic Re: Mobility group - high cipher option. in Wireless

Mobility group - high cipher option.

Murinos — Mon, 05 Jul 2021 19:01:06 GMT

Good day!

I wonder, what does "High Cipher" option do in Mobility Group member setup? This is 8.10.105 release.

Please, look at the screenshot attached.

I could not find any mention of it neither in the configuration guide for release 8.10 nor anywhere else...

Thanks!

Re: Mobility group - high cipher option.

Rasika Nayanajith — Mon, 04 May 2020 21:00:41 GMT

This will enable encrypted mobility messaging (CAPWAP DTLS based) instead of unencrypted EoIP

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/encrypted_mobility_tunnel.html

HTH

Rasika

*** Pls rate all useful responses ***

Re: Mobility group - high cipher option.

Murinos — Tue, 05 May 2020 17:55:45 GMT

@Rasika Nayanajith Thank you for the reply! I appreciate it a lot.

I'll try to be more specific.

As you have already mentioned here https://community.cisco.com/t5/other-wireless-mobility-subjects/mobility-control-amp-data-encryption/m-p/3955950/highlight/true#M101919 , encrypted mobility messaging via CAPWAP DTLS is enabled by 2 commands:

config mobility group member add peer-mac-addr peer-ip-addr group-name encrypt { enable | disable} (which is Secure Mobility - Enabled in GUI)

config mobility group member data-dtls peer-mac-addr { enable | disable} (which is Data Tunnel Encryption - Enabled in GUI)

The same is described in the configuration guide for 8-10 you provided earlier https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/encrypted_mobility_tunnel.html .

I believe these 2 commands will make the WLCs to use CAPWAP DTLS instead of EoIP for Mobility Data traffic indeed.

What I am asking about is "High Cipher" selection. Please look at the screenshot. I've highlighted additional 3rd option we can use with the previous 2 commands. But I can't find it's description anywhere and this is what I'm asking about.

Re: Mobility group - high cipher option.

Rasika Nayanajith — Wed, 06 May 2020 01:09:02 GMT

Thank you for reminding me of that old thread.

You are right about documentation about that "high cipher option", I cannot find anything on cisco.com about it either.

Here is what I think, it is for cipher suites support for a key length longer than 128 bits.

Again, Cisco should provide more context around what exactly that feature means to avoid confusion. If I get anything else, I will keep you posted here.

Thank you

Rasika

Re: Mobility group - high cipher option.

Murinos — Tue, 02 Jun 2020 10:15:42 GMT

@Rasika Nayanajith You were right, I've asked TAC about it and they confirmed your version. They created a bug to fix this docomentation, so waiting for announce in next version of Deployment Guide. https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu45944

Re: Mobility group - high cipher option.

Rasika Nayanajith — Tue, 30 May 2023 18:50:44 GMT

Thank you for the bug to fix that documentation & give more clear information about those DTLS high ciphers options

Rasika