enabling DTLS mode in cisco WLC

Noovi
Beginner

How to enable DTLS mode in Cisco 5520?

(FR-21636wl-04) >show mobility summary

Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... FR-21636wl
Multicast Mode .................................. Disabled
DTLS Mode ....................................... Disabled
Mobility Domain ID for 802.11r................... 0x9718
Mobility Keepalive Interval...................... 10

4 Replies

Flavio Miranda
Advisor

Hi

During the mobility group configuration, or you can edit an existing group.


Step 1: Choose Controller > Mobility Management > Mobility Groups to open the Static Mobility Group Members page.

Note: If you want to delete any of the remote controllers from the mobility group, hover your cursor over the blue drop-down arrow for the desired controller and choose Remove.

Step 2: Click New to open the Mobility Group Member > New page.

Step 3: Add a controller to the mobility group as follows:

  1. In the Member IP Address text box, enter the management interface IPv4 address of the controller to be added.
     Note: IPv6 address is not supported.

  2. In the Member MAC Address text box, enter the MAC address of the controller to be added.

  3. In the Group Name text box, enter the name of the mobility group.
     Note: The mobility group name is case sensitive.

  4. From the Secure Mobility drop-down list, choose Enabled.

  5. From the Data Tunnel Encryption drop-down list, choose Enabled.

  6. From the High Cipher drop-down list, choose Enabled.
     You must enable High Cipher only if you require DTLS v1.2 encryption. The default value is Disabled. In disabled state, DTLS v1.0 encryption is enabled.

  7. In the Hash text box, enter the virtual controller's hash key of the peer mobility controller.
     You must configure the hash only if the peer mobility controller is a virtual controller.

  8. Click Apply to commit your changes. The new controller is added to the list of mobility group members on the Static Mobility Group Members page.

Hi,

I think these options are for enabling DTLS for a peer. I have done all these steps, but DTLS mode is still showing as disabled.

DTLS Mode ....................................... Disabled

"You must enable High Cipher only if you require DTLS v1.2 encryption. The default value is Disabled. In disabled state, DTLS v1.0 encryption is enabled."

The default value is Disabled, which means DTLS v1.0. But you can choose a higher value.

In AireOS you have to enable DTLS per peer. That is why you won't see DTLS mode enabled in the global "show mobility summary" output. If you have enabled DTLS mode for a peer, you can use "show mobility dtls connections" to verify.

Below is my 3504 establishing DTLS mobility with a 9800.


(H3504) >show mobility dtls connections

DTLS connections:

Role   Local Link             Peer Link               Connection Status         Index
---------- ------------------------- ------------------------- ------------------------------
Client 192.168.225.100:16666 192.168.100.20:16666 TLS_RSA_WITH_AES_256_GCM_SHA384 512

 

Here is the "show mobility summary"

(H3504) >show mobility summary

Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... MRNH
Multicast Mode .................................. Disabled
DTLS Mode ....................................... Disabled
Mobility Domain ID for 802.11r................... 0xafc
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0
Mobility Use Profile Name........................ Disabled

Controllers configured in the Mobility Group
MAC Address IP Address Group Name Multicast IP Status
00:1e:7a:10:69:ff 192.168.100.20 MRNL 0.0.0.0 Up
70:0b:4f:ca:e8:00 192.168.225.100 MRNH 0.0.0.0 Up

 

The 9800 will always use secure mobility (DTLS) by default. You can additionally enable high ciphers using the "wireless mobility high-cipher" CLI command.

9800-2#show wireless mobility summary
Mobility Summary

Wireless Management VLAN: 100
Wireless Management IP Address: 192.168.100.20
Wireless Management IPv6 Address:
Mobility Control Message DSCP Value: 48
Mobility High Cipher : True
Mobility DTLS Supported Ciphers: TLS_ECDHE_RSA_AES128_GCM_SHA256, TLS_RSA_AES256_GCM_SHA384
Mobility Keepalive Interval/Count: 10/3
Mobility Group Name: MRNL
Mobility Multicast Ipv4 address: 0.0.0.0
Mobility Multicast Ipv6 address: ::
Mobility MAC Address: 001e.7a10.69ff
Mobility Domain Identifier: 0x1024

 

HTH

Rasika

*** Pls rate all useful responses ***
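To check per-peer DTLS the way this thread describes, here is an added Python example (not from the thread, Cisco, or either poster) that parses constructed samples of the two AireOS outputs quoted above and reports which configured peers actually have a DTLS tunnel. The third member (192.168.50.5 and its MAC) is made up to show a peer without DTLS, and the local management IP is passed in as an argument because the AireOS summary does not print it.

```python
import re
# Constructed sample output modelled on the two AireOS commands quoted in this
# thread; the third member (192.168.50.5) is made up to show a peer without DTLS.
SUMMARY = """\
(H3504) >show mobility summary
DTLS Mode ....................................... Disabled
Mobility Group Members Configured................ 3
Controllers configured in the Mobility Group
MAC Address IP Address Group Name Multicast IP Status
00:1e:7a:10:69:ff 192.168.100.20 MRNL 0.0.0.0 Up
70:0b:4f:ca:e8:00 192.168.225.100 MRNH 0.0.0.0 Up
aa:bb:cc:dd:ee:01 192.168.50.5 MRNH 0.0.0.0 Up
"""
DTLS = """\
(H3504) >show mobility dtls connections
Role   Local Link             Peer Link               Connection Status         Index
---------- ------------------------- ------------------------- ------------------------------
Client 192.168.225.100:16666 192.168.100.20:16666 TLS_RSA_WITH_AES_256_GCM_SHA384 512
"""
MEMBER_RE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)$", re.I)
CONN_RE = re.compile(r"^(Client|Server)\s+(\S+):\d+\s+(\S+):\d+\s+(\S+)\s+\d+$")

def parse_members(summary):
    """Map member IP -> (mac, group, status) from the members table of 'show mobility summary'."""
    members = {}
    for line in summary.splitlines():
        m = MEMBER_RE.match(line.strip())
        if m:
            members[m.group(2)] = (m.group(1).lower(), m.group(3), m.group(4))
    return members

def parse_dtls(dtls):
    """Map peer IP -> negotiated cipher suite from 'show mobility dtls connections'."""
    conns = {}
    for line in dtls.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns[m.group(3)] = m.group(4)
    return conns

def audit(summary, dtls, local_ip):
    """Peer IP -> cipher suite, or None when a configured peer has no DTLS tunnel."""
    # The global 'DTLS Mode' line stays Disabled on AireOS even with per-peer DTLS
    # on, so comparing the member list against the DTLS connections is the real check.
    conns = parse_dtls(dtls)
    return {ip: conns.get(ip) for ip in parse_members(summary) if ip != local_ip}

def non_aead_peers(dtls):
    """Peers whose suite is not an AES-GCM (DTLS 1.2 AEAD) suite, i.e. High Cipher is not in effect."""
    return {ip: c for ip, c in parse_dtls(dtls).items() if "GCM" not in c}
```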
