cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
361
Views
0
Helpful
2
Replies

5508 SSO link between controllers encryption

Nick Shelley
Level 1
Level 1

Hi all,

 

Google's my buddy, but couldn't seem to help me out on this one.  When I have a pair of 5508 controllers (running 8.0 code), and the primary sends a config update to the secondary, how is that encrypted? DTLS? 

thx for any helpful info.

1 Accepted Solution

Accepted Solutions

Sandeep Choudhary
VIP Alumni
VIP Alumni

HI Nick,

Yes you are right.

Encryption Support

Encryption of HA related messages between the active and standby controllers is supported with the use of data transport layer security (DTLS). The encryption is disabled by default. The encryption is supported for configuration, AP, and client synchronization.

Encryption is supported only if the active and standby controllers communicate through the redundancy interface on the management ports. Encryption is not supported if the redundancy port is used for communication between the active and standby controllers. However, the RMI that is mapped to the redundancy port is the default option. If the RMI is not mapped to the redundancy port, the encryption is enabled because the HA information goes over the network.

If encryption is enabled on one controller and disabled on the other, the controllers do pair up, but data synchronization over the redundancy link is unencrypted. Encryption is supported for configurations, AP, and client synchronization. Role negotiation and keepalive messages are not encrypted.

 

This info is taken from this doc: http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-5/configuration-guide/b_cg75/b_cg75_chapter_01101111.html

 

Regards

Don't forget to rate helpful posts

View solution in original post

2 Replies 2

Sandeep Choudhary
VIP Alumni
VIP Alumni

HI Nick,

Yes you are right.

Encryption Support

Encryption of HA related messages between the active and standby controllers is supported with the use of data transport layer security (DTLS). The encryption is disabled by default. The encryption is supported for configuration, AP, and client synchronization.

Encryption is supported only if the active and standby controllers communicate through the redundancy interface on the management ports. Encryption is not supported if the redundancy port is used for communication between the active and standby controllers. However, the RMI that is mapped to the redundancy port is the default option. If the RMI is not mapped to the redundancy port, the encryption is enabled because the HA information goes over the network.

If encryption is enabled on one controller and disabled on the other, the controllers do pair up, but data synchronization over the redundancy link is unencrypted. Encryption is supported for configurations, AP, and client synchronization. Role negotiation and keepalive messages are not encrypted.

 

This info is taken from this doc: http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-5/configuration-guide/b_cg75/b_cg75_chapter_01101111.html

 

Regards

Don't forget to rate helpful posts

Thanks Sandeep. 

So I'm running 8.0.120 code.  The command:

"config redundancy link-encryption enable"

is not present in the cli.  Does anyone know if this is a bug/feature?

 

thx,

Nick

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Review Cisco Networking products for a $25 gift card