Cisco SD-WAN Controller Certificate Need and Deployment Guide

Today let’s discuss a topic that most of the field engineers struggle to understand and implement in the context of Cisco SD-WAN. In this article I am going to talk about the certificates and why we need them?

Cisco SD-WAN Components Overview
As you already know there are three main components of Cisco SD-WAN solutions also known as planes:

• Management Plane (vManage): Single window to provision, configure, manage, and troubleshoot SD-WAN fabric.
• Control Plane (vSmart): the brain of the solution to perform the control plane processing such as building the network topology, calculating the best path, and distributing information to data plane.
• Orchestrator Plane (vBond): orchestrate the communication between all the components of the SD-WAN. It is the first point of contact to perform the authentication & authorization before any component participate in the SD-WAN overlay network.
• Data Plane (WAN Edge Router): is the router platform that is installed at remote and central site. WAN links are terminated on Data Plane performs the traffic forwarding between locations and establish IPsec tunnels for data security. 

After a quick component introduction, let’s move to the zero-trust security that is part of the Cisco SD-WAN solution architecture. Zero trust security is implemented using the authorized list model. vManage maintain two types of authorized lists. One for all WAN Edge routers and another for all Controllers. 

All the WAN edge routers and controllers mutually authenticated using the authorized list model. It means devices are authorized before they actively participate in the network traffic forwarding. 

This authorized list come of the Plug-and-play (SaaS) portal of the Cisco where all the devices are added by provisioning team, customer, or system integrator. 

Once the devices are added to the smart account this smart account, vManage can automatically synchronize to smart account or manual upload of the provisioning file can be done by network administrator. 

There is another type of authorized list that is known as authorized controller list – this list is resulted after adding the controllers (vBond, vSmart) to the vManage. 

vManage distribute both types of authorized list as per Figure 1

Fig 1.1- Authorized list distribution

WAN Edge Routers and Controllers mutually identify and authenticate using the authorized list model. Now the question comes, how the identity is verified of the various components? And the answer is the various certificates – don’t worry this article is all about this. 

Identity

Any mutual authentication needs identification of the devices, and this identity is established through certificates. A quick review on the certificate validation will help to understand the rest of the story. 

Certificate validation is based on the client/server model. There are two parties one is client and another who authenticates is the server. Clients present the Certificate Authority (CA) signed certificate to the server. Server validates the certificate signature. 

On a very high-level, Server performs the HASH on the certificate and get the value A; Now Server using the public key from the root certificate decrypt the certificate and get the value B; to have a valid certificate on the client both value A and B should match, and validation succeeds. Now client is trusted, and public keys can be used for encryptions.

Fig 1.2- Certificate Validation Overview

After this quick overview, let’s come back on Cisco SD-WAN. Now there are two types of components we are dealing with – Controllers and the Data Plane devices so we have two types of identities to understand. 

Controllers Identity 

Cisco SD-WAN Controller components can be identified using certificates. These certificates can be provided by Symantec, DigiCert or Cisco signed certificates. If customer is willing to use enterprise certificates they are also supported. These devices signed certificates are installed on each controller. 

Root Certificate chain for corresponding CA is installed on each controller so that it can authenticate other controller components. Most of the root certificates are pre-loaded on the controller as part of the software and no need any manual root certificate installation. However, in case of Enterprise CA, root certificate needs to be manually loaded on the controllers.

WAN Edge Router Identity:
There are three types by which you can check the WAN edge router and these types are as below:

Type 1: Cisco IOS-XE devices have secure unique identity (SUDI) which has x.509 v3 certificate with associated key pair. This is protected in the hardware which is known as Trust Anchor Module or TAM. 

Symantec/DigiCert and Cisco root certificate to authenticate the controllers are preloaded in the software. These are required for trust for controller certificates. 

Type 2: vEdge routers that are manufactured by Viptela are identified by AVNET and this is loaded during the manufacturing of the router on Temper proof module (TPM Chip). 

Symantec/DigiCert and Cisco root certificate to authenticate the controllers are preloaded in the software. These are required for trust for controller certificates

Type 3: all other virtual routers such as vEdge cloud, ISRv, Catalyst 8000v; CSR 1000V, or ASR 1002-X  they are identified using the OTP generated by the vManage during the deployment. Initially a temporary identity is generated and once the authentication done permanent identity generated by the vManage. In this case, vManage works as the CA for generating and installing the certificate on these devices. 

Fig 1.3- Controller & Device Identity

I hope I am easy on you, now let’s complete the final part. Authentication and Authorization of the SD-WAN components. Controller authenticating the WAN Edge Router (Controller is server and WAN Edge router is client in this scenario)- 

• First, the Root CA certificate trust is validated using the root certificate 
• Now, Organization Name from the certificate (Certificate OU) is compared with locally configured organization name (this is part of controller initial system configuration)
• Finally, the serial number is validated against the Authorized list of the devices

WAN Edge Router Authenticating the Controller 

• First, the Root CA certificate trust is validated using the root certificate 
• Now, Organization Name from the certificate (Certificate OU) is compared with locally configured organization name (this is part of the initial system configuration)

Post successful authentication and verification a secure tunnel (DTLS/TLS) is established between the controller and the WAN Edge router. Post this state, device is discovered in vManage, and further advanced full configuration can be pushed to the device using the templates.