Token Authentication is a method that provides device-bound and
time-bound access to a Cisco IOS device that is offline and therefore unable to
reach the AAA database for proper authentication. The access is
unauthenticated and should be used with caution, in particular with regard to
the privilege level granted to the session.

Token authentication can set the privilege level granted to the
technician, so that access for any operation on the device can be granted. This
feature is used to give a technician access to the Cisco IOS device to perform
simple device management, such as collecting statistics or restarting an
interface, while the Cisco IOS device is in an error state and disconnected from
the rest of the

The local technician accounts are authorized with a temporary, time-bound
authentication token, without exposing the account password. The token
structure is encrypted and is not visible to the technician; the technician
enters the encrypted token as the password.

The generated token is encrypted with the token encryption key and
provided to the technician. When the temporary, time-bound authentication token
is used as the login credential, the local AAA database decrypts and verifies it
using the same token encryption key.

Network security is protected by giving the technician access to the network
only after the technician's token credentials have been authenticated (these
credentials are shared by the Connected Grid [CG] network management system
[NMS] and the device). In addition, this access is limited to a time period that
is embedded inside the token structure. Beyond the period in which the token is
valid, the technician's session is disconnected and no further network session
is allowed with the same token.
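The following is an added example, written for this page and not Cisco's own implementation: it models the token lifecycle described above (NMS seals a device-bound, time-bound token under a shared token encryption key; the offline device verifies it locally before granting the embedded privilege level). The token layout, claim names (`dev`, `user`, `priv`, `nbf`, `exp`) and the device and user names are hypothetical; the sealing construction is an encrypt-then-MAC scheme built from standard-library HMAC-SHA256 so the example runs offline, and stands in for whatever cipher Cisco actually uses. `demo()` exercises the checks a verifier needs: a good token, one presented after its validity period, one presented to a different device, one that was modified in transit, and one sealed under a different key.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Hypothetical token layout: nonce(12) || ciphertext || HMAC-SHA256 tag(32)
NONCE_LEN = 12
TAG_LEN = 32


def _subkey(master_key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from the shared token encryption key.
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (stdlib only, so the
    # example runs anywhere; an AEAD such as AES-GCM is the production choice).
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def issue_token(master_key, device_id, username, privilege, lifetime_s, now=None, nonce=None):
    """NMS side: seal the claims into the opaque string the technician types as a password."""
    now = int(time.time()) if now is None else int(now)
    claims = {"dev": device_id, "user": username, "priv": privilege, "nbf": now, "exp": now + lifetime_s}
    plaintext = json.dumps(claims, separators=(",", ":")).encode()
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    keystream = _keystream(_subkey(master_key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tag = hmac.new(_subkey(master_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode().rstrip("=")


def verify_token(master_key, token, device_id, now=None):
    """Device side: return (claims, "ok") or (None, reason). Integrity is checked
    before anything inside the token is trusted, then device binding, then time."""
    now = int(time.time()) if now is None else int(now)
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None, "malformed"
    if len(raw) < NONCE_LEN + TAG_LEN + 1:
        return None, "malformed"
    nonce, ciphertext, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(_subkey(master_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None, "bad tag"  # modified in transit, or sealed under a different key
    keystream = _keystream(_subkey(master_key, b"enc"), nonce, len(ciphertext))
    try:
        claims = json.loads(bytes(c ^ k for c, k in zip(ciphertext, keystream)))
    except ValueError:
        return None, "malformed"
    if claims.get("dev") != device_id:
        return None, "device mismatch"  # token is bound to one device only
    if now < claims["nbf"]:
        return None, "not yet valid"
    if now >= claims["exp"]:
        return None, "expired"  # validity period embedded in the token has passed
    return claims, "ok"


def seconds_remaining(claims, now):
    """How long the session may stay up before the device must disconnect it."""
    return max(0, claims["exp"] - int(now))


def demo():
    key = b"constructed-token-encryption-key"  # shared by NMS and device (constructed value)
    t0 = 1_700_000_000  # fixed clock so the results are reproducible
    token = issue_token(key, "cgr-1000-site42", "field-tech", 1, 900,
                        now=t0, nonce=bytes(range(NONCE_LEN)))
    # Simulate a token altered in transit by flipping one ciphertext bit.
    raw = bytearray(base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)))
    raw[NONCE_LEN] ^= 0x01
    tampered = base64.urlsafe_b64encode(bytes(raw)).decode().rstrip("=")
    return {
        "valid": verify_token(key, token, "cgr-1000-site42", now=t0 + 60),
        "expired": verify_token(key, token, "cgr-1000-site42", now=t0 + 901),
        "other_device": verify_token(key, token, "cgr-1000-site43", now=t0 + 60),
        "tampered": verify_token(key, tampered, "cgr-1000-site42", now=t0 + 60),
        "wrong_key": verify_token(b"another-key", token, "cgr-1000-site42", now=t0 + 60),
    }


if __name__ == "__main__":
    for name, (claims, reason) in demo().items():
        print(f"{name:13s} -> {reason}" + (f", priv {claims['priv']}" if claims else ""))
```

The ordering inside `verify_token` is the point worth copying: the tag is checked with a constant-time comparison before the payload is parsed, so a modified or foreign token is rejected without any of its contents being trusted, and the device identity is compared before the time window, so a token issued for another device fails regardless of freshness. The `exp` claim doubles as the disconnect deadline via `seconds_remaining`, which is what makes reuse of the same token after its window impossible.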