5508 SSO link between controllers encryption

Nick Shelley
Level 1

Hi all,

Google's my buddy, but couldn't seem to help me out on this one. When I have a pair of 5508 controllers (running 8.0 code), and the primary sends a config update to the secondary, how is that encrypted? DTLS?

thx for any helpful info.

Accepted Solution

Sandeep Choudhary
VIP Alumni

Hi Nick,

Yes, you are right.

Encryption Support

Encryption of HA related messages between the active and standby controllers is supported with the use of data transport layer security (DTLS). The encryption is disabled by default. The encryption is supported for configuration, AP, and client synchronization.

Encryption is supported only if the active and standby controllers communicate through the redundancy interface on the management ports. Encryption is not supported if the redundancy port is used for communication between the active and standby controllers. However, the RMI that is mapped to the redundancy port is the default option. If the RMI is not mapped to the redundancy port, the encryption is enabled because the HA information goes over the network.

If encryption is enabled on one controller and disabled on the other, the controllers do pair up, but data synchronization over the redundancy link is unencrypted. Encryption is supported for configurations, AP, and client synchronization. Role negotiation and keepalive messages are not encrypted.

This info is taken from this doc: http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-5/configuration-guide/b_cg75/b_cg75_chapter_01101111.html

Regards

Don't forget to rate helpful posts

2 Replies

Thanks Sandeep.

So I'm running 8.0.120 code. The command:

"config redundancy link-encryption enable"

is not present in the cli.  Does anyone know if this is a bug/feature?

thx,

Nick