Transport Layer Security Tunnel Support

Information About Transport Layer Security Tunnel Support

The Cisco Catalyst 9800 Series Wireless Controller requires direct access to a public cloud to implement the teleworker solution using Cisco OfficeExtend Access Points (OEAPs). With the introduction of Transport Layer Security (TLS) tunnel support from Cisco IOS XE Amsterdam 17.3.2 onwards, the controller can now reach a public cloud automatically. This helps Cisco Catalyst Center on Cloud to establish TLS communication channels with the controller to perform monitor and manage of wireless solutions.

The TLS connection ensures that the configuration and telemetry are reliably and securely communicated between the controller and the Digital Network Architecture (DNA) on Cloud. The TLS tunnel encrypts all the data that is sent over the TCP connection. The TLS tunnel provides a more secure protocol across the internet. After the controller discovery, the Cisco Catalyst Center on Cloud uses Cisco DNA Assurance and Automation features to manage the controller centrally.

Cisco Plug and Play

The Cisco Plug and Play solution is a converged solution that provides a highly secure, scalable, seamless, and unified zero-touch deployment experience.

Plug-n-Play Agent

The Cisco Plug and Play (PnP) agent is an embedded software component that is present in all the Cisco network devices that support simplified deployment architecture. The PnP agent understands and interacts only with a PnP server. The PnP agent, using DHCP, DNS, or other such methods, tries to acquire the IP address of the PnP server with which it wants to communicate. After a server is found and a connection is established, the agent communicates with the PnP server to perform deployment-related activities.

For more information on Cisco Plug and Play, see the Cisco Plug and Play Feature Guide.

The Transport Layer Security Tunnel (TLS) over PnP feature is supported on the following controllers:

  • Cisco Catalyst 9800-80 Wireless Controller

  • Cisco Catalyst 9800-40 Wireless Controller

  • Cisco Catalyst 9800-L Wireless Controller

Configuring a Transport Layer Security Tunnel

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

crypto tls-tunnel TLS-tunnel-name

Example:

Device(config)# crypto tls-tunnel cloud-primary

Configures a crypto TLS tunnel channel.

Step 3

server {ipv4 <A.B.C.D> | ipv6 <X.X.X.X::X> | url <url-name>} port 443 <1025-65535>

Example:

Device(config-crypto-tls-tunnel)# server ipv4 172.31.255.255 port 4043

Specifies the server IPv4 address, IPv6 address, or URL name and the port number.

Step 4

overlay interface interface-name interface-num

Example:

Device(config-crypto-tls-tunnel)# overlay interface Loopback0

Specifies the overlay interface and interface number.

An overlay interface is a logical, multiaccess, multicast-capable interface. An overlay interface encapsulates Layer 2 frames in IP unicast or multicast headers.

Step 5

local interface interface-name interface-num priority rank

Example:

Device(config-crypto-tls-tunnel)# local-interface vlan 1 priority 1

Specifies the LAN interface type, number, and the priority rank.

Note

 

Currently, the tunnel supports only one WAN interface with priority 1 and does not support the list of WAN interfaces with multiple priorities.

Step 6

psk id identity key options

Example:

Device(config-crypto-tls-tunnel)# psk id test key

Specifies a preshared key and password options.

Step 7

pki trustpoint trustpoint trustpoint-label [sign | verify]

Example:

Device(config-crypto-tls-tunnel)# pki trustpoint tsp1 sign

Specifies the trustpoints for use with the RSA signature authentication method as follows:

  • sign: Use the certificate from the trustpoint which is sent to the peer.

  • verify: Use the certificate from the trustpoint to verify the certificate received from the peer.

Note

 
  • If the sign or verify keyword is not specified, the trustpoint is used for signing and verification.

  • In TLS Tunnel block, authentication can be done using either pre-shared key (PSK) or PKI (certificate based).

Step 8

(Optional) cc-mode

Example:

Device(config-crypto-tls-tunnel)# cc-mode
(Optional)

Indicates a common criteria mode, which is a Federal Information Processing Standards (FIPS) mode.

Step 9

no shutdown

Example:

Device(config-crypto-tls-tunnel)# no shutdown

Enables the TLS tunnel.

Step 10

end

Example:

Device(config-crypto-tls-tunnel)# end

Returns to privileged EXEC mode.