Table Of Contents
Administrative Secure Device Provisioning Introducer
Prerequisites for Administrative SDP Introducer
Restrictions for Administrative SDP Introducer
Information About Administrative SDP Introducer
Feature Overview of Administrative SDP Introducer
Benefits of Administrative SDP Introducer
How to Configure Administrative SDP Introducer
Configuring an Administrative Introducer
Configuration Examples for Administrative SDP Introducer
Configuring an Administrative Introducer Using Authentication and Authorization Lists: Example
Verifying the Configuration: Example
administrator authentication list
administrator authorization list
Administrative Secure Device Provisioning Introducer
The Administrative Secure Device Provisioning (SDP) Introducer feature allows you to act as an administrative introducer to introduce a device into a public key infrastructure (PKI) network and then provide a username as the device name for the record locator in the authentication, authorization, and accounting (AAA) database.
Feature History for Administrative SDP Introducer
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
• Prerequisites for Administrative SDP Introducer
• Restrictions for Administrative SDP Introducer
• Information About Administrative SDP Introducer
• How to Configure Administrative SDP Introducer
• Configuration Examples for Administrative SDP Introducer
• administrator authentication list
Prerequisites for Administrative SDP Introducer
• Both the client device and the server must have IP connectivity between each other.
• The administrator must have a web browser that supports JavaScript.
• The administrative introducer must have enable privileges on the client device and administrator privileges on the server.
• SDP must be configured and operational.
• You must understand how to use SDP, formerly called Easy Secure Device Deployment (EzSDD). (See the Easy Secure Device Deployment feature module for more information.)
Restrictions for Administrative SDP Introducer
When using RADIUS, a user/device that needs to be introduced by the administrative introducer must always use cisco as its own password. TACACS+ does not have this limitation; a user/device can have any password and be introduced by the administrative introducer.
Information About Administrative SDP Introducer
To use the Administrative SDP Introducer feature, you need to understand the following concepts:
• Feature Overview of Administrative SDP Introducer
• Benefits of Administrative SDP Introducer
Feature Overview of Administrative SDP Introducer
SDP simplifies deployment of Virtual Private Network (VPN) devices by allowing users to introduce their VPN device to the PKI network. The SDP mechanisms assume a permanent relationship between the introducer and the device. As a result, the introducer username is used to define the device name.
In some deployment scenarios, the introducer is an administrator doing the introduction for many devices. However, using the introducer (the administrator) name to define the device name results in multiple devices being incorrectly deployed with the same device name. Instead, this feature allows the administrator to specify the correct device name during the introduction.
More generally stated, the introducer username is used as the database record locator to determine all other information about the device, including the Cisco IOS configuration template, various template variables (pulled from an AAA database and expanded into the template), and the appropriate subject name for PKI certificates issued to the device. For simplicity, this database record locator is called the user/device name.
The administrative introducer provides a device name. In that way, an administrator can provide the appropriate record locator when doing an introduction. For example, if an administrator is trying to introduce a device for username rover, then the administrator introduces the device into the PKI network and provides rover as the record locator after logging into the registrar using the administrator's own credentials. The record locator, rover, becomes the device name. All other template and PKI certificate subject name information specific to the introduction is then provided by the rover username records instead of by the administrator's record.
The registrar device uses the supplied username information with a user introducer name. This allows the existing mechanisms for determining a user's authorization, template, and PKI certificate information to be supported without modification.
Figure 1 shows a sample SDP topology in which an administrative introducer introduces the petitioner to the registrar, which then authorizes the petitioner.
Figure 1 Sample SDP Topology
Benefits of Administrative SDP Introducer
Greater Flexibility and Ease of Use
The SDP introduction phase allows an administrator performing the introduction to supply the name for the device being introduced. The supplied device name is used as if it were the name of an introducer in the normal SDP mechanisms, preserving the existing functionality of the SDP configuration.
How to Configure Administrative SDP Introducer
This section contains the following procedures:
• Configuring an Administrative Introducer (required)
• Verifying the Configuration (optional)
Configuring an Administrative Introducer
Perform the following task to configure an administrative introducer using administrator authentication and authorization lists.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto provisioning registrar
4. administrator authentication list list-name
5. administrator authorization list list-name
6. end
Note
For other SDP parameters that you can configure, see the Easy Secure Device Deployment feature module.
DETAILED STEPS
Verifying the Configuration
Perform the following task to verify that an administrative introducer using administrator authentication and authorization lists has been created.
SUMMARY STEPS
1. enable
2. show running-config [system | mod_num] [all]
3. end
DETAILED STEPS
Configuration Examples for Administrative SDP Introducer
This section contains the following configuration examples:
• Configuring an Administrative Introducer Using Authentication and Authorization Lists: Example
• Verifying the Configuration: Example
Configuring an Administrative Introducer Using Authentication and Authorization Lists: Example
The following example shows an administrative introducer with an authentication list named authen-tac and an authorization list named author-tac being configured:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# crypto provisioning registrar
Router(tti-registrar)# administrator authentication list authen-tac
Router(tti-registrar)# administrator authorization list author-tac
Router(tti-registrar)# end
Verifying the Configuration: Example
The following example from the show running-config command displays information about the administrative introducer that you just created:
Router# show running-config
Building configuration...
Current configuration : 2700 bytes
!
! Last configuration change at 01:22:26 GMT Fri Feb 4 2005
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
enable secret 5 $1$tpBS$PXnBDTIDXfX5pWa//1JX20
enable password lab
!
aaa new-model
!
!
!
aaa session-id common
!
resource manager
!
clock timezone GMT 0
ip subnet-zero
no ip routing
!
!
no ip dhcp use vrf connected
!
!
no ip cef
no ip domain lookup
ip domain name cisco.com
ip host router 10.3.0.6
ip host router.cisco.com 10.3.0.6
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
crypto pki server mycs
!
crypto pki trustpoint mycs
 revocation-check crl
 rsakeypair mycs
!
crypto pki trustpoint tti
 revocation-check crl
 rsakeypair tti
!
crypto pki trustpoint mic
 enrollment url http://router:80
 revocation-check crl
!
crypto pki trustpoint foo
 revocation-check crl
!
!
!
crypto pki certificate map foo 10
!
crypto pki certificate chain mycs
 certificate ca 01
crypto pki certificate chain tti
crypto pki certificate chain mic
 certificate 02
 certificate ca 01
crypto pki certificate chain foo
!
crypto provisioning registrar   <---------- ! SDP registrar device parameters
 administrator authentication list authen-tac
 administrator authorization list author-tac
!
no crypto engine onboard 0
username qa privilege 15 password 0 lab
!
!
!
Additional References
The following sections provide references related to the Administrative SDP Introducer feature.
Related Documents
Related Topic: SDP, including the SDP web page
Document Title: Easy Secure Device Deployment feature module, Release 12.3(7)T
Note
Secure Device Provisioning (SDP) was formerly called Easy Secure Device Deployment (EzSDD).
Related Topic: Security commands: complete command syntax, command mode, defaults, usage guidelines, and examples
Related Topic: Security features including trustpoints, certificate enrollment, and authentication
Document Title: Cisco IOS Security Configuration Guide, Release 12.3
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
MIBs
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Technical Assistance
Command Reference
This section documents new commands.
• administrator authentication list
• administrator authorization list
administrator authentication list
To authenticate an administrative introducer for a Secure Device Provisioning (SDP) transaction, use the administrator authentication list command in tti-registrar configuration mode. To disable administrative introducer authentication, use the no form of this command.
administrator authentication list list-name
no administrator authentication list list-name
Syntax Description
Defaults
All introducers are authenticated as users; their username is used directly to build the device name.
Command Modes
tti-registrar configuration
Command History
Usage Guidelines
When you use the administrator authentication list command in SDP transactions, the RADIUS or TACACS+ authentication, authorization, and accounting (AAA) server checks for a valid account by looking at the username and password.
The authentication list and the authorization list usually both point to the same AAA list. It is possible that the lists can be on different databases, but it is generally not recommended.
Examples
The following example shows that an administrative authentication list named authen-rad and an administrative authorization list named author-rad have been configured on a RADIUS AAA server; a user authentication list named authen-tac and a user authorization list named author-tac have been configured on a TACACS+ server:
Router(config)# crypto provisioning registrar
Router(tti-registrar)# pki-server mycs
Router(tti-registrar)# administrator authentication list authen-rad
Router(tti-registrar)# administrator authorization list author-rad
Router(tti-registrar)# authentication list authen-tac
Router(tti-registrar)# authorization list author-tac
Router(tti-registrar)# template username ftpuser password ftppwd
Router(tti-registrar)# template config ftp://ftp-server/iossnippet.txt
Router(tti-registrar)# end
Related Commands
administrator authorization list
To specify the appropriate authorized fields for both the certificate subject name and the list of template variables to be expanded into the Cisco IOS command-line interface (CLI) snippet that is sent back to the petitioner for an administrative introducer in a Secure Device Provisioning (SDP) transaction, use the administrator authorization list command in tti-registrar configuration mode. To disable the subject name and list of template variables, use the no form of this command.
administrator authorization list list-name
no administrator authorization list list-name
Syntax Description
Defaults
There is no authorization information requested from the authentication, authorization, and accounting (AAA) server for the administrator.
Command Modes
tti-registrar configuration
Command History
Usage Guidelines
When you use the administrator authorization list command in SDP transactions, the RADIUS or TACACS+ AAA server stores the subject name and template variables. The name and variables are sent back to the petitioner in the Cisco IOS CLI snippets. This list and the authentication list are usually on the same database, but they can be on different AAA databases. (Storing the lists on different databases is not recommended.)
When a petitioner makes an introducer request, multiple queries are sent to the AAA list database on the RADIUS or TACACS+ server. The queries search for entries of the following form:
user Password <userpassword>
cisco-avpair="tti:subjectname=<<DN subjectname>>"
cisco-avpair="tti:iosconfig#<<value>>"
cisco-avpair="tti:iosconfig#<<value>>"
cisco-avpair="tti:iosconfig#=<<value>>"
Note
The existence of a valid AAA username record is enough to pass the authentication check. The cisco-avpair=tti information is necessary only for the authorization check.
If a subject name is received in the authorization response, the registrar stores it in the enrollment database, and that subject name overrides the subject name supplied in the subsequent certificate request (PKCS10) from the petitioner device.
The numbered tti:iosconfig values are expanded into the Cisco IOS snippet that is sent to the petitioner. The configurations replace any numbered ($1 through $9) template variable. Because the default Cisco IOS snippet template does not include the variables $1 through $9, these variables are ignored unless you configure an external Cisco IOS snippet template. To specify an external configuration, use the template config command.
Note
The template configuration location may include a variable $n, which is expanded to the name that the administrator enters in the additional SDP dialog.
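As an added illustration (not Cisco's code and not part of this feature module), the following Python models how a registrar could use the AAA record of the supplied user/device name: it parses the tti cisco-avpairs described above, expands $n and $1 through $9 in the template, and applies the subject-name override. The record layout, the "#1=" numbering of tti:iosconfig, the names admin and rover, and all function names are assumptions.

```python
import re

# Constructed sample AAA database keyed by user/device name (the record
# locator). The "#1=" numbering of tti:iosconfig is an assumption about how
# the numbered values are written; "admin" and "rover" are constructed names.
SAMPLE_AAA_DB = {
    "admin": [],
    "rover": [
        'cisco-avpair="tti:subjectname=CN=rover.example.com,OU=branch"',
        'cisco-avpair="tti:iosconfig#1=hostname rover"',
        'cisco-avpair="tti:iosconfig#2=ip domain name example.com"',
    ],
}

AVPAIR_RE = re.compile(r'^cisco-avpair="tti:(subjectname|iosconfig#(\d))=(.*)"$')


def parse_tti_avpairs(avpairs):
    """Return (subjectname or None, {n: value}) from the tti cisco-avpairs.
    Non-tti pairs are ignored: only the tti data feeds the authorization step."""
    subject, iosconfig = None, {}
    for pair in avpairs:
        m = AVPAIR_RE.match(pair)
        if not m:
            continue
        kind, num, value = m.groups()
        if kind == "subjectname":
            subject = value
        elif 1 <= int(num) <= 9:          # only $1 through $9 are template variables
            iosconfig[int(num)] = value
    return subject, iosconfig


def expand(template, device_name, iosconfig):
    """Expand $n to the device name and $1..$9 to the numbered iosconfig values.
    Used for both the template config location and the snippet body; a $k with
    no AAA value expands to an empty string, so a default snippet without
    $1..$9 comes back unchanged apart from $n."""
    def repl(m):
        key = m.group(1)
        return device_name if key == "n" else iosconfig.get(int(key), "")
    return re.sub(r"\$([1-9n])", repl, template)


def introduce(aaa_db, introducer, supplied_name, template, pkcs10_subject):
    """Resolve the record locator, expand the snippet and choose the subject name.
    An administrative introducer supplies the device name, so that name (not the
    introducer's own username) selects the AAA record; a user introducer passes
    None and its own username is the record locator. A subject name in the AAA
    response overrides the one in the petitioner's PKCS#10 request."""
    device_name = supplied_name or introducer
    subject, iosconfig = parse_tti_avpairs(aaa_db.get(device_name, []))
    snippet = expand(template, device_name, iosconfig)
    return device_name, snippet, subject or pkcs10_subject
```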
Examples
The following example shows that an administrative authentication list named authen-rad and an administrative authorization list named author-rad have been configured on a RADIUS AAA server; a user authentication list named authen-tac and a user authorization list named author-tac have been configured on a TACACS+ server:
Router(config)# crypto provisioning registrar
Router(tti-registrar)# pki-server mycs
Router(tti-registrar)# administrator authentication list authen-rad
Router(tti-registrar)# administrator authorization list author-rad
Router(tti-registrar)# authentication list authen-tac
Router(tti-registrar)# authorization list author-tac
Router(tti-registrar)# template username ftpuser password ftppwd
Router(tti-registrar)# template config ftp://ftp-server/iossnippet.txt
Router(tti-registrar)# end
Related Commands
Glossary
administrative introducer—An administrator or management system using SDP to deploy a VPN device associated with some other user or record.
authentication, authorization, and accounting (AAA)—An architectural framework for configuring a set of independent security functions in a consistent manner.
certificate—A digital representation of user or device attributes, including a public key, that is signed with an authoritative private key.
certificate authority (CA)—A service responsible for managing certificate requests and issuing certificates to participating IPSec network devices. This service provides centralized key management for the participating devices and is explicitly entrusted by the receiver to validate identities and to create digital certificates.
device name—The name of a device used to locate or generate all configuration information about a device. For a user introducer, this is the username. For an administrative introducer, this is supplied; for example, hub1.
enrollment—The process of obtaining a new certificate from a CA.
petitioner—A new device, such as a certificate server, that is joined to the secure domain.
public key infrastructure (PKI)—A system of certificates and authorities that provide trusted and efficient key and certificate management to support security protocols such as IPSec.
registrar—A server that authorizes the petitioner.
RADIUS (remote authentication dial-in user service)—A distributed client/server system that secures networks against unauthorized access by providing detailed accounting information and flexible administrative control over authentication and authorization processes.
TACACS+ (terminal access controller access control system plus)—A security application that provides centralized validation of users attempting to gain access to your access point.
user introducer—An end user using SDP to deploy a VPN device associated with itself.
VPN—Virtual Private Network. Enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses "tunneling" to encrypt all information at the IP level.
Note
Refer to Internetworking Terms and Acronyms for terms not included in this glossary.
Copyright © 2005 Cisco Systems, Inc. All rights reserved.