Table Of Contents
Secure Device Provisioning Certificate-Based Authorization
Prerequisites for SDP Certificate-Based Authorization
Restrictions for SDP Certificate-Based Authorization
Information About SDP Certificate-Based Authorization
Feature Overview of SDP Certificate-Based Authorization
Benefits of SDP Certificate-Based Authorization
How to Configure SDP Certificate-Based Authorization
Configuration Examples for SDP Certificate-Based Authorization
Configuring the Petitioner: Example
Configuring the Registrar: Example
Verifying the Configuration: Example
authorization username (tti-registrar)
Secure Device Provisioning Certificate-Based Authorization
The Secure Device Provisioning (SDP) Certificate-Based Authorization feature allows certificates issued by other certificate authority (CA) servers to be used for SDP introductions.
Feature History for SDP Certificate-Based Authorization
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Prerequisites for SDP Certificate-Based Authorization
•
•
•
•
Prerequisites for SDP Certificate-Based Authorization
•
•
•
Restrictions for SDP Certificate-Based Authorization
Since remote authentication dial-in user service (RADIUS) does not differentiate between authentication and authorization, you need to use the default password, cisco, for certificate authorization.
Information About SDP Certificate-Based Authorization
To use the SDP Certificate-Based Authorization feature, you need to understand the following concepts:
•
•
Feature Overview of SDP Certificate-Based Authorization
When the registrar receives an introduction request via the secure HTTP server, the registrar does an authentication, authorization, and accounting (AAA) lookup based on the introducer's username and password to authorize the request. The registrar checks the integrity of the request by verifying the request signature using the petitioner-signing certificate.
Because the petitioner certificate is self-signed, it is just used to convey the public key of the petitioner. No verification or authorization check is done on the certificate. This basically means authorization is per-user based and no per-device information is used.
There are some scenarios when per-device authorization is preferred. Therefore, if the petitioner is able to use certificates issued by other CA servers for SDP transactions, the existing PKI infrastructure can be used and authorization can be achieved over the certificate attributes.
Figure 1 shows a sample SDP topology with an introducer, a petitioner (with an existing certificate), and a registrar.
Figure 1 Sample SDP Topology
Benefits of SDP Certificate-Based Authorization
Enhanced Security Through Improved Authorization
The SDP Certificate-Based Authorization feature provides authorization of the specific device being deployed. Previously, introducer-to-petitioner device communication was secured only using physical security between the introducer and the petitioner device. SDP certificate-based authorization gives the registrar an opportunity to validate the current device identity before accepting the introduction.
How to Configure SDP Certificate-Based Authorization
This section contains the following procedures:
•
•
•
Configuring the Petitioner
Perform the following task to configure the petitioner to use a certificate and the Rivest, Shamir, and Adelmen (RSA) keys associated with a specific trustpoint.
Note
SUMMARY STEPS
1.
2.
3.
4.
5.
Note
DETAILED STEPS
Configuring the Registrar
Perform the following tasks to configure the registrar:
•
•
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Verifying the Configuration
Perform the following task to verify that the SDP parameters have been configured.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Configuration Examples for SDP Certificate-Based Authorization
This section contains the following configuration examples:
•
•
•
Configuring the Petitioner: Example
In the following example, a petitioner is configured to use the certificate issued by the trustpoint named mytrust:
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# crypto provisioning petitionerRouter(tti-petitioner)# trustpoint signing mytrust
Router(tti-petitioner)# end
Configuring the Registrar: Example
In the following example, a registrar is configured to verify the petitioner-signing certificate and to perform authorization lookups:
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# crypto provisioning registrarRouter(tti-registrar)# authentication trustpoint mytrust
Router(tti-registrar)# authorization login certificate
Router(tti-registrar)# authorization username subjectname all
Router(tti-registrar)# end
Verifying the Configuration: Example
The following example from the show running-config command verifies that the petitioner, the registrar, and related parameters have been configured:
Router# show running-configBuilding configuration...Current configuration : 2700 bytes!! Last configuration change at 01:22:26 GMT Fri Feb 4 2005!version 12.4no service padservice timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname router!boot-start-markerboot-end-marker!memory-size iomem 5enable secret 5 $1$tpBS$PXnBDTIDXfX5pWa//1JX20enable password lab!aaa new-model!aaa authentication login user_aaalist group tacacs+aaa authorization network user_aaalist group tacacs+aaa authentication login admin_aaalist group radiusaaa authorization network admin_aaalist group radius!!aaa session-id common!resource manager!clock timezone GMT 0ip subnet-zerono ip routing!!no ip dhcp use vrf connected!!no ip cefno ip domain lookupip domain name cisco.comip host router 10.3.0.6ip host router.cisco.com 10.3.0.6no ip ips deny-action ips-interface!no ftp-server write-enable!crypto pki server mycs!crypto pki trustpoint mycsrevocation-check crlrsakeypair mycs!crypto pki trustpoint ttirevocation-check crlrsakeypair tti!crypto pki trustpoint micenrollment url http://router:80revocation-check crl!crypto pki trustpoint foorevocation-check crl!!!crypto pki certificate map foo 10!crypto pki certificate chain mycscertificate ca 01crypto pki certificate chain tticrypto pki certificate chain miccertificate 02certificate ca 01crypto pki certificate chain foo!crypto provisioning registrar <---------- !SDP registrar device parameters!pki-server mycsauthentication list user_aaalistauthentication trustpoint mytrustauthorization list existingcerts_aaalistauthorization login certificateauthorization username subjectname all!no crypto engine onboard 0username qa privilege 15 password 0 lab!!!Additional References
The following sections provide references related to the SDP Certificate-Based Authorization feature.
Related Documents
PKI AAA functionality
PKI AAA Authorization Using the Entire Subject Name feature module, Release 12.3(11)T
SDP, including the SDP web page
Easy Secure Device Deployment feature module, Release 12.3(7)T
Security commands: complete command syntax, command mode, defaults, usage guidelines, and examples
Cisco IOS Security Command Reference, Release 12.3 T
Security features including trustpoints, certificate enrollment, and authentication
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
—
MIBs
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
—
Technical Assistance
Command Reference
This section documents new commands.
•
•
authentication trustpoint
To specify the trustpoint used to authenticate the Secure Device Provisioning (SDP) petitioner device's existing certificate, use the authentication trustpoint command in tti-registrar configuration mode. To change the specified trustpoint or use the default trustpoint, use the no form of this command.
authentication trustpoint {trustpoint-label | use-any}
no authentication trustpoint {trustpoint-label | use-any}
Syntax Description
Defaults
If this command is not specified, the petitioner-signing certificate is not verified.
Command Modes
tti-registrar configuration
Command History
Usage Guidelines
Issue the authentication trustpoint command in tti-registrar configuration mode to validate the signing certificate that the petitioner used.
Examples
The following example shows how to specify the trustpoint mytrust for the petitioner-signing certificate:
crypto provisioning registrarauthentication trustpoint mytrustAfter the SDP exchange is complete, the petitioner automatically enrolls with the registrar and obtains a certificate. The following sample output from the show running-config command shows an automatically generated configuration with the default trustpoint tti:
crypto pki trustpoint ttienrollment url http://pki1-36a.cisco.com:80revocation-check crlrsakeypair tti 1024auto-enroll 70Related Commands
authorization (tti-registrar)
To enable authentication, authorization, and accounting (AAA) authorization for an introducer or a certificate, use the authorization command in tti-registrar configuration mode. To disable authorization, use the no form of this command.
authorization {login} | {certificate} | {login certificate}
no authorization {login} | {certificate} | {login certificate}
Syntax Description
Defaults
If an authorization list is configured, then authorization is enabled by default.
Command Modes
tti-registrar configuration
Command History
Usage Guidelines
This command controls the authorization of the introduction. Authorization can be based on the following:
•
•
•
If you issue the authorization login command, the introducer logs in with a username and password such as ttiuser and mypassword, which are used against the configured authorization list to contact the AAA server and determine the appropriate authorization.
If you issue the authorization certificate command, the certificate of the petitioner is used to build an AAA username, which is used to obtain authorization information.
If you issue the authorization login certificate command, authorization for the introducer combines with authorization for the petitioner's current certificate. This means that two AAA authorization lookups occur. In the first lookup, the introducer username is used to retrieve any AAA attributes associated with the introducer. The second lookup is done using the configured certificate name field. If an AAA attribute appears in both lookups, the second one prevails.
Examples
The following example shows how to specify authorization for both the introducer and the current certificate of the petitioner:
crypto provisioning registrarauthorization login certificateRelated Commands
authorization username (tti-registrar)
To specify the parameters for the different certificate fields that are used to build the authentication, authorization, and accounting (AAA) username, use the authorization username command in tti-registrar configuration mode. To disable the parameters, use the no form of this command.
authorization username {subjectname subjectname}
no authorization username {subjectname subjectname}
Syntax Description
Defaults
Parameters for the certificate fields are not specified.
Command Modes
tti-registrar configuration
Command History
Examples
The following example shows that the serialnumber option is used as the authorization username:
aaa authorization network maxaaa group tacac+aaa new-modelcrypto ca trustpoint mscaenrollment url http://caserver.mycompany.comauthorization list maxaaaauthorization username subjectname serialnumberRelated Commands
trustpoint signing
To specify the trustpoint and associated certificate to be used when signing all introduction data during the Secure Device Provisioning (SDP) exchange, use the trustpoint signing command in tti-petitioner configuration mode. To change the specified trustpoint or use the default trustpoint, use the no form of this command.
trustpoint signing trustpoint-label
no trustpoint signing trustpoint-label
Syntax Description
Defaults
If a trustpoint is not specified, any existing device certificate is used. If none is available, a self-signed certificate is generated.
Command Modes
tti-petitioner configuration
Command History
Usage Guidelines
Use the trustpoint signing command in tti-petitioner configuration mode to associate a specific trustpoint with the petitioner for signing its certificate.
Examples
The following example shows how to specify the trustpoint mytrust:
crypto provisioning petitionertrustpoint signing mytrustAfter the SDP exchange is complete, the petitioner automatically enrolls with the registrar and obtains a certificate. The following sample output from the show running-config command shows an automatically generated configuration with the default trustpoint tti:
crypto pki trustpoint ttienrollment url http://pki1-36a.cisco.com:80revocation-check crlrsakeypair tti 1024auto-enroll 70Related Commands
Glossary
authentication, authorization, and accounting (AAA)—An architectural framework for configuring a set of independent security functions in a consistent manner.
certificate—A digital representation of user or device attributes, including a public key, that is signed with an authoritative private key.
certificate authority (CA)—A service responsible for managing certificate requests and issuing certificates to participating IPSec network devices. This service provides centralized key management for the participating devices and is explicitly entrusted by the receiver to validate identities and to create digital certificates.
enrollment—The process of obtaining a new certificate from a CA.
petitioner—A new device that is joined to the secure domain. The petitioner can be a certificate server.
public key infrastructure (PKI)—A system of certificates and authorities that provide trusted and efficient key and certificate management to support security protocols such as IPSec.
registrar—A server that authorizes the petitioner.
RADIUS (remote authentication dial-in user service)—A distributed client/server system that secures networks against unauthorized access by providing detailed accounting information and flexible administrative control over authentication and authorization processes.
trustpoint—One or more identities that are considered trustworthy and can be used to validate other identities.
user introducer—An end user using SDP to deploy a VPN device associated with itself.
VPN—Virtual Private Network. Enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses tunneling to encrypt all information at the IP level.
Note
Copyright © 2005 Cisco Systems, Inc. All rights reserved.
Guest
