Authentication between vEdge Router & vManage NMS


Posted on Jan 27, 2020


Once the vEdge router and the vBond orchestrator have authorized each other, the vEdge router receives its full configuration from the vManage NMS over a DTLS connection.

The sequence is:

  • The vEdge router establishes a DTLS connection with vManage
  • Over that connection, the vEdge router and vManage authenticate each other (described below)
  • vManage sends the configuration file to the vEdge router
  • After receiving the configuration file from vManage, the vEdge router activates its full configuration
  • The vEdge router starts advertising its prefixes to the vSmart controller

Below is a step-by-step description of how automatic authentication happens between the vEdge router and vManage.

First, the vEdge router initiates an encrypted DTLS connection to the IP address of the vManage NMS. Over this encrypted tunnel, the vEdge router and vManage authenticate each other in both directions.

First, how the vEdge router authenticates the vManage NMS:

  1. vManage sends its certificate, signed by the trusted root CA, to the vEdge router.
  2. The vEdge router uses its chain of trust to extract the organization name from the certificate and compares it with its own organization name. If the names do not match, it tears down the DTLS connection.
  3. If the names match, the vEdge router uses its root CA chain to verify that the vManage certificate was signed by the root CA. If it was not, the vEdge router tears down the connection.
  4. If the certificate validates against the root CA, the vEdge router knows that vManage is genuine, and authentication of the vManage NMS is complete.

Next, how the vManage NMS authenticates the vEdge router:

  1. vManage sends a 256-bit challenge to the vEdge router; the challenge is a random value, freshly generated for this session.
  2. The vEdge router sends a response to the challenge that includes:
  • the vEdge serial number
  • the vEdge chassis number
  • the vEdge board ID certificate
  • the 256-bit random value signed with the vEdge router's private key
  3. After receiving this information, vManage compares the serial and chassis numbers against its vEdge authorized device list file. If there is no match, vManage tears down the connection.
  4. If a match is found, vManage checks that the signature over the 256-bit random value is correct, using the vEdge router's public key, which it extracts from the board ID certificate. If the signature does not verify, vManage tears down the DTLS connection.
  5. If the signature is correct, vManage uses its root CA chain to validate that the board ID certificate is itself valid, that is, signed by the root CA. If the certificate is not valid, vManage tears down the connection.

Once all of these checks pass, vManage is satisfied that the vEdge router is genuine and its authentication is complete. Each check covers a different forgery: the authorized device list rejects unknown hardware, the signature over a fresh random challenge proves possession of the private key and defeats replay of a captured response, and the chain validation proves that the board ID certificate, and therefore the public key used in the signature check, was issued by the trusted root. With two-way authentication successful, vManage sends the configuration file to the vEdge router; when the vEdge router receives the configuration file, it activates its full configuration and starts advertising its prefixes to the vSmart controller.
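The two exchanges above, as an added example that is not part of the original post and not Cisco's code: a Go simulation in which a constructed root CA (standing in for the real root that signs vManage and board ID certificates) issues the certificates, the vEdge side checks vManage's certificate (organization name, then chain to the root), and the vManage side issues a 256-bit random challenge and runs the three checks on the vEdge's reply. The CA, the device identifiers, the ECDSA/SHA-256 signature scheme, the use of the certificate's Organization field as the organization name, and the in-memory authorized device list are assumptions of the example; the real platform's certificate profiles and signing algorithm are not shown on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type DeviceID struct{ Serial, Chassis string } // what vManage's authorized device list records

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func template(org, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
}

// NewRootCA returns a constructed self-signed root standing in for the real root that signs
// vManage and board ID certificates (an assumption of this example, not Cisco's PKI).
func NewRootCA(org string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := template(org, "example root")
	t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)))), key
}

// Issue signs a leaf certificate (vManage's, or a vEdge board ID certificate) with the root.
func Issue(org, cn string, root *x509.Certificate, rootKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	der := must(x509.CreateCertificate(rand.Reader, template(org, cn), root, &key.PublicKey, rootKey))
	return must(x509.ParseCertificate(der)), key
}

// PoolOf is the "root CA chain" each side installs: a trust store holding just the root.
func PoolOf(root *x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(root)
	return p
}

// VEdgeVerifiesVManage: the org name in the presented cert must equal the router's own, then the cert must chain to the trusted root.
func VEdgeVerifiesVManage(vmanageCert *x509.Certificate, myOrg string, roots *x509.CertPool) error {
	if len(vmanageCert.Subject.Organization) != 1 || vmanageCert.Subject.Organization[0] != myOrg {
		return fmt.Errorf("organization name mismatch: tear down DTLS")
	}
	if _, err := vmanageCert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("vManage certificate not signed by trusted root: %w", err)
	}
	return nil
}

// ChallengeResponse is the vEdge's reply: its identifiers, its board ID certificate, and an
// ECDSA signature over SHA-256(challenge) made with the board ID private key.
type ChallengeResponse struct {
	ID        DeviceID
	BoardCert *x509.Certificate
	Signature []byte
}

func NewChallenge() []byte {
	c := make([]byte, 32) // 256 bits of fresh randomness, so a captured reply cannot be replayed
	must(rand.Read(c))
	return c
}

func VEdgeAnswer(id DeviceID, cert *x509.Certificate, key *ecdsa.PrivateKey, challenge []byte) *ChallengeResponse {
	h := sha256.Sum256(challenge)
	return &ChallengeResponse{id, cert, must(ecdsa.SignASN1(rand.Reader, key, h[:]))}
}

// VManageVerifiesVEdge runs the checks in the order the post lists them: device list, signature, chain.
func VManageVerifiesVEdge(r *ChallengeResponse, challenge []byte, authorized map[DeviceID]bool, roots *x509.CertPool) error {
	if !authorized[r.ID] {
		return fmt.Errorf("serial/chassis %v not in authorized device list", r.ID)
	}
	pub, ok := r.BoardCert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(challenge)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], r.Signature) {
		return fmt.Errorf("challenge signature does not verify with board ID public key")
	}
	if _, err := r.BoardCert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("board ID certificate not signed by trusted root: %w", err)
	}
	return nil
}

func main() {
	root, rootKey := NewRootCA("example-org")
	roots := PoolOf(root)
	vmCert, _ := Issue("example-org", "vmanage", root, rootKey)
	id := DeviceID{"SN-0001", "CH-0001"} // constructed identifiers
	boardCert, boardKey := Issue("example-org", id.Serial, root, rootKey)
	challenge := NewChallenge()
	resp := VEdgeAnswer(id, boardCert, boardKey, challenge)
	authorized := map[DeviceID]bool{id: true}
	fmt.Println("vEdge trusts vManage:", VEdgeVerifiesVManage(vmCert, "example-org", roots))
	fmt.Println("vManage trusts vEdge:", VManageVerifiesVEdge(resp, challenge, authorized, roots))
	fmt.Println("replay against a fresh challenge:", VManageVerifiesVEdge(resp, NewChallenge(), authorized, roots))
}
```

Run it with go run: main shows both directions succeeding, then a captured reply presented against a fresh challenge failing. One caveat the ordering hides: the signature is checked against the key in the board ID certificate before that certificate's chain has been validated, exactly as the post lists the steps. That is safe only because the router is trusted for nothing until every check has passed, so a certificate from an untrusted issuer still fails at the final step.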

