This white paper provides detailed design and implementation information for deploying eTokens with Cisco® Virtual Office. Please refer to the Cisco Virtual Office overview (found at http://www.cisco.com/go/cvo) for further information about the solution, its architecture, and all of its components.
What Is an eToken?
An eToken is a hardware device that provides password authentication, helping to identify a user. It looks similar to a pen drive and is inserted into the USB port of a router or computer. Once the eToken has been inserted and the user has provided a valid login, the user is given appropriate access to the system. eTokens are beneficial to corporations, organizations, libraries, banks, finance companies, educational institutions, and government and defense organizations. They are also useful wherever security is necessary, whether on a personal computer or in a cyber café. They are widely used in e-banking, e-commerce, stock trading, and online data and financial transactions.
How eTokens Work with Cisco Virtual Office
eTokens provide security in Cisco Virtual Office by allowing connectivity to the corporate servers when inserted and dropping the secure tunnels when removed. This guide describes the steps needed for an end user to connect a new router to a VPN using an eToken. It gives a detailed description of inserting and removing the eToken and managing eToken access. It also provides a step-by-step guide to securely provisioning a Cisco Virtual Office remote VPN router with an eToken.
Platforms and Images
When using eTokens with Cisco Virtual Office, many platforms are supported. Some examples are the Cisco 7300, 7200 or 7600 Series Routers for the hub and the Cisco 870, 880, 1800, 2800, and 3800 Series Integrated Services Routers for the spokes.
The recommended Cisco IOS® Software image for both hub and spokes is 12.4(15)T IOS or later. For the Cisco 880 Series routers, the recommended image is 12.4(20)T.
The Cisco Configuration Professional version used should be 1.0.
The Cisco Security Manager should be version 3.2 or higher and should be integrated with the Cisco Configuration Engine, 2.0 or the latest certified version.
The Secure Device Provisioning (SDP) and Cisco IOS public key infrastructure (PKI) certificate server run on Cisco IOS Software Release 12.4(15)T or later.
Using eTokens with Cisco Virtual Office
eTokens can be used with Cisco Virtual Office in three different ways:
• As a physical key, holding only RSA keys
• To bootstrap a remote router, holding RSA keys plus a small config file
• To hold the almost-complete spoke configuration
The first option is the most practical one and is described in detail in this guide. With this option, a new router and new eToken can be shipped directly to the end user or acquired off the shelf. Only the default factory configuration is needed in both devices. The entire Cisco Virtual Office configuration is pushed remotely.
The second option, the bootstrap technique, establishes the initial lines of configuration that are just the minimum to have a remote router establish a secure tunnel to a management server. It includes a PKI trust point and certificate, IP Security (IPsec) configuration, clock synchronization, and a Cisco CNS agent that makes the Cisco Configuration Engine react to events.
For cases in which the eToken is used to hold the bootstrap configuration, or for the third option, storing the full Cisco Virtual Office configuration, an extra step is necessary to copy the configuration file to the eToken. This step is not covered in this guide. It requires a tool to push a Cisco IOS Software configuration to an eToken. The Token Management System (TMS) application software from Aladdin can be used to save PKI certificates plus a Cisco IOS Software configuration file in an eToken. This could, however, also be done manually.
We recommend the first option because it is straightforward to implement and achieves the major goal: to be able to conveniently enable and disable a Cisco Virtual Office spoke with just an eToken. It also adds no extra overhead to managing the Cisco Virtual Office deployment, since the only thing needed is to add three extra lines of configuration.
For secure remote provisioning of new Cisco Virtual Office spokes, SDP is the best approach for getting the spokes connected. This is the case for medium and large enterprises or service providers-deployments in which a zero-touch secure deployment is achieved with the Cisco Security Manager, combined with the Cisco Configuration Engine as the provisioning tool and SDP for remotely pushing a PKI certificate, plus a bootstrap configuration template for new spokes joining the VPN.
In the guide, we focus on the steps that the end user will go though to connect a new Cisco ISR to a VPN while using an eToken to securely lock the router's access to the central site.
We assume that PKI is used across the VPN deployment; otherwise, eTokens would not make sense for a Cisco Virtual Office deployment.
This section describes how to deploy an eToken that is used to store only RSA keys with Cisco Virtual Office. The eToken works as a physical lock mechanism: when inserted, it allows connectivity to the corporate servers to be established; when removed, it automatically drops the secure tunnels.
The configuration is nearly the same as for a regular Cisco Virtual Office deployment; only one extra command is needed:
crypto pki token eToken removal timeout 1
This command forces the router to clear the active running memory of whatever is defined as stored in the eToken. In other words, if we save RSA keys in the eToken, removing it from the router will force tunnels to be dropped after one second as the keys are deleted from memory.
The following are a few other commands that can be used with eTokens:
CVO-spoke1-vpn#crypto pki token eToken ?
admin access to administrative functions
change-pin new PIN to access token
label new label for token
lock log out and lock the token
login PIN to access token
logout log out of the token
unlock decrypt token pin and log in the token
Inserting the eToken
Inserting the eToken displays the following information in the console. The USB eToken is now ready to use for crypto, after we log in with the correct PIN:
27847769: Apr 24 17:05:36.740 PDT: %USB_HOST_STACK-6-USB_DEVICE_CONNECTED: A Low speed USB device has been inserted in port 0.
Note: The PKI trust point should contain the name of this generated RSA key pair, so that if the eToken is removed and the router regenerates RSA keys on its own, due to the auto-renewal timers expiring, it will keep using the eToken RSA keys for the VPN tunnels. In the example just given, the trust point would be:
27847843: Apr 24 17:29:18.998 PDT: %CRYPTO-4-TOKENKEYTIMEOUT: RSA keypairs for token eToken and associated IPSEC sessions will be deactivated in 1 seconds
27847844: Apr 24 17:29:19.998 PDT: %CRYPTO-4-TOKENKEYSDEACTIVATED: RSA keypairs from token eToken and associated IPSEC sessions being deactivated now
27847845: Apr 24 17:29:20.002 PDT: %SSH-5-DISABLED: SSH 1.99 has been disabled
27847846: Apr 24 17:29:29.909 PDT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 7: Neighbor 10.7.12.2 (Tunnel13) is down: holding time expired
27847847: Apr 24 17:29:29.917 PDT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 7: Neighbor 10.7.12.1 (Tunnel13) is down: holding time expired
The system log messages shown above are for a router in which Dynamic Multipoint Virtual Private Network (DMVPN) internal network is 10.7.12.0/20.
As IPsec tunnels go down, the routing protocol also goes down.
Managing the eToken Access
The PIN for the eToken can be changed by the administrator or the end user, given the proper privileges. The Aladdin eToken, for example, comes with the factory default PIN of 1234567890. This is a number, but it can also be a string.
To change this PIN, you can use the command-line interface (CLI):
However, for a VPN remote Cisco Virtual Office router, we recommend that the end user be instructed to use a browser to change the PIN. To enable this, you need to give the CLI exec privilege level 1: the capability to change the PIN. This involves adding the following line to the Cisco Virtual Office spoke configuration:
This example assumes that the remote Cisco Virtual Office site has configured the 10.32.247.105 protected LAN side router IP address. Note that we use privilege level 1 here, as we do not want the end user to have full access to the Cisco Virtual Office spoke router.
The Cisco Virtual Office administrator does not need to keep track of the PIN that the end user defines.
Steps for Securely Provisioning a Cisco Virtual Office Remote VPN Router with an eToken, from the Remote Site Perspective
Assuming that Cisco Security Manager plus the Cisco Configuration Engine are used to generate and push the Cisco Virtual Office configuration to the remote router with the help of the SDP feature, and that the eToken will only hold the RSA keys, the steps for provisioning a remote VPN router with an eToken are as follows:
Step 1. User requests a new service from the Cisco Virtual Office administrator, who will use Cisco Security Manager to create a new device and define the security and IP policies that the new spoke will run. The end user needs to tell the administrator how the new spoke will have access to the Internet (ISP details). Then the administrator deploys the router's configuration; this involves staging a config file in the Cisco Configuration Engine containing the final configuration, plus issuing an enroll command to get the new routers trusted by the corporate PKI certificate server.
Step 2. In the meantime, a new Cisco ISR and eToken are shipped to the end user/remote site, containing only the factory default configuration.
Step 3. To provision the router, the end user follows the instructions given in the "Cisco Virtual Office Provisioning Steps" document received from the administrator via email (or mail). These quick steps will trigger the full provisioning of the new VPN spoke router.
Please read the management guides at http://www.cisco.com/go/cvo for detailed information on how to configure all of the Cisco Virtual Office management servers, respective routers, and tools.
Steps for Provisioning Cisco Virtual Office
This section contains an example of a document that can be sent to the end user containing steps for deploying a new spoke.
In this example a Cisco 881 Integrated Services Router is used, and it is assumed that the ISP provides a Dynamic Host Configuration Protocol (DHCP) service from a modem, or when the end user has a NAT box to access the Internet.
WELCOME TO OUR COMPANY SITE-TO-SITE VPN.
The following instructions will let you provision the new Cisco 881 router that will allow you to connect to our central office
The full process will take a few minutes. Please follow these steps carefully.
1. Connecting the router to the Internet
• Connect the 881-FastEthernet4-WAN interface to the modem provided by your internet service provider, or to a NAT router if you use one.
• Connect a PC to the 881 (LAN side), for example, to FastEthernet0.
• If you have a DHCP connection, your PC should already be able to access the Internet at this point. Make sure that your PC is physically connected to the Cisco Virtual Office router.
• Enter your Cisco Virtual Office VPN username/password (provided by your administrator).
• Click Next to have the bootstrap template downloaded to your router.
At this point, SDP applies a predefined configuration template (which is retrieved from the Cisco Security Manager) plus a PKI certificate signed by the SDP registrar itself and trusted by the Cisco Virtual Office management gateway.
This will bootstrap the Cisco 881 router and allow it to establish an IPsec tunnel to the management gateway and thus have access to the Cisco Configuration Engine / Cisco Security Manager. Now the full configuration file, pre-generated by the Cisco Security Manager and staged in the Cisco Configuration Engine, will be pushed to the router.
No user intervention is needed during this stage.
All these steps take about one minute to execute, the time needed for the spoke to enroll with the SDP registrar, get a PKI certificate, and load a small bootstrap template, followed by the management tunnel coming up and the full configuration file being retrieved from the Cisco Configuration Engine.
Reinserting the eToken at a Later Time
The full Cisco Virtual Office configuration should include the login credentials for the eToken user who will enter his or her PIN every time it is inserted. This user can have privilege level 1, and the crypto pki login command should be set to allow a privilege level 1 user to execute it.
The following commands are an example:
username etoken privilege 1 secret 0 eToken
privilege exec level 1 crypto pki
This example is for a Cisco Virtual Office spoke configured with the 10.32.247.104/28 protected network.
The end user document continues now. Please note that we set up the username etoken and password eToken with privilege level 1 for this purpose.
• Wait 1 minute to allow the full VPN configuration to be downloaded.
• Now renew your PC IP address. To do this do (assuming that you're using Microsoft Windows):
– Click Start -> Run
– Type "cmd" (or "command," depending on the Windows version).
– Type "ipconfig /release" followed by "ipconfig /renew" (if the end machine runs another OS, the procedure for bouncing the interface is needed here).
• After a new IP address is shown, open a browser and test your connectivity to the internal corporate site.
Reinserting the eToken at a Later Time
You will have to unlock the eToken private security keys every time the eToken is inserted or the router is power-cycled.
To activate the security keys stored in the eToken, follow these steps. Please note that your router local home IP address is now 10.32.247.105.
• Open a browser window in a PC connected to the Cisco 881 router
• Enter the new PIN. It can be numeric, or a word.
Figure 5. Change the eToken PIN
Important Information about the eToken PIN
The end user must enter the PIN every time the eToken is reinserted or the router is power-cycled. After the PIN has been changed, the administrator can reset the login failure count to zero (via the "crypto pki token max-retries" command). The maximum number of allowable login failures is set by default to 15; after that the eToken is permanently locked and can be recovered only with the admin-PIN.
If you want to change the admin-PIN on the token, you must be logged into the eToken as admin, via the "crypto pki token admin login" command. For example,
crypto pki token usbtoken0 admin login 5678
Please contact your eToken provider for more information about the admin-PIN.
The scenario just described is for situations in which we want to be extra careful and have the end user always unlock the eToken by entering the PIN. However, if you just want to use the eToken as a physical key for on/off operation, without the need to type a PIN, you can set auto-login in the router configuration. This command allows the router to log the eToken in automatically when it is inserted into port USB0. It can be saved to NVRAM as well.
crypto pki token usbtoken0:login 1234567890
Now the end user can safely insert/remove the eToken and does not need to worry about the PIN, while still having an easy way to lock the router's VPN access to the central office.