Which component authenticates WAN Edge devices before allowing them into the overlay fabric?

Authenticating WAN Edge devices before they join the overlay fabric is handled by the vBond Orchestrator. It sits at the edge of the control plane as the first contact point for a new edge device, validating its identity using certificates and the policy defined in vManage. Once vBond approves the device, it tells the edge which vSmart controllers to connect to and provides the necessary reachability information so secure control-plane connections can be established and the edge can join the overlay. This bootstrap role also helps with NAT traversal if needed. vManage is for centralized provisioning and management, not the initial authentication of edges. vSmart runs the overlay control plane after the edge has joined. Cisco ISE is an external security product and not used to bootstrap SD-WAN overlay authentication.