DHCP option 60 (the vendor class identifier) and option 43 (vendor-specific information) are what the PnP agent uses to locate and connect to the PnP server. To let one DHCP server serve several vendors, the PnP agent on a Cisco device sends the case-sensitive string "ciscopnp" as option 60 during DHCP discovery. The DHCP server can be configured with multiple classes, each matching a different option 60 string sent by a network device. When the option 60 string matches, the DHCP server returns the corresponding option 43 string to the device. The following is the format for defining option 43 for PnP deployments:
option 43 ascii
The field 'T' in the PnP string lets the network administrator specify the location of the certificate bundle, which can be hosted on a local or remote file server. If the certificate bundle is available at the specified location, then the agent:
1. Downloads the bundle from the file server to the device.
2. Validates the signature of the downloaded bundle to ensure it carries a genuine Cisco signature.
3. Installs the certificates on the device.
If the 'T' option is not specified and the transport mechanism in the option 43 string is HTTPS, the PnP agent looks for the Cisco-signed certificate bundle in the default folder of the same server. If the certificates are available at the default location, the agent performs the steps mentioned above to install them. Once the certificates are installed and server discovery is complete, the agent initiates the HTTPS connection with the server without any additional configuration. During the HTTPS handshake, the device uses the certificates installed from the bundle to validate the server certificate.
The following figure shows the end-to-end secured PnP workflow using the CA bundle-based approach.
Figure 12. Secured PnP Deployment with Trustpool
This flow works only if the server uses a certificate signed by one of the signing authorities present in the bundle. If the server certificate does not chain to a CA in the bundle, the HTTPS handshake fails. When the option 43 string specifies HTTPS as the transport and the bundle download fails, the agent does not fall back to any unsecured protocol, even if the server is reachable. If the transport is specified as HTTP but the 'T' parameter points to a valid certificate bundle location, the agent overrides HTTP and uses HTTPS instead. In general, the agent chooses the most secure communication the available options permit. Note what this buys: on the HTTPS path, a DHCP reply, legitimate or spoofed, can only point the device at a server that presents a certificate chaining to a CA in the Cisco-signed bundle; an option 43 string that selects plain HTTP without a 'T' parameter gets no such protection.
The path specified in DHCP option 43 to locate the certificate bundle file can be an absolute URL or a relative URL. If you specify a relative URL, the agent forms the full URL from the server IP address or hostname given in the option 43 string and fetches the bundle over HTTP. Fetching the bundle over HTTP is acceptable here because the bundle's Cisco signature, not the transport, is what authenticates it.
To install the certificates, the agent also expects the device to have a correct system clock, since certificate validity periods are checked against it. Because the DHCP server is configured ahead of time, it cannot supply the current time. For this scenario, an IP address or URL can be given as an additional option 43 parameter with the prefix 'Z', pointing the device to an NTP server. The agent synchronizes the device clock with that NTP server and then installs the certificates.
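The option 60 matching, the 'T' bundle-location resolution, the transport selection (HTTP-to-HTTPS upgrade, no fallback from HTTPS) and the 'Z' clock step described above, modelled as decision rules in Python. This is an added example, not the Cisco PnP agent's code: the PnpOption43 field names, the DHCP_CLASSES table and the example hostnames are assumptions made for illustration, and the bundle download, signature check and NTP sync are passed in as callbacks.

```python
"""
Model of the PnP agent's option 43 handling rules. Added example; not the
Cisco PnP agent. Field names and sample values are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class PnpOption43:
    """Fields the agent needs from the option 43 string (names assumed)."""
    server: str                             # PnP server IP address or hostname
    transport: str                          # "http" or "https" as given in the string
    bundle_location: Optional[str] = None   # 'T' parameter: absolute or relative URL
    ntp_server: Optional[str] = None        # 'Z' parameter: NTP server IP or URL


@dataclass(frozen=True)
class Decision:
    scheme: Optional[str]   # "http" or "https" when the agent will connect
    url: Optional[str]      # server URL the agent connects to
    error: Optional[str]    # set when discovery stops without a connection


# Constructed DHCP classes: option 60 string -> the option 43 contents returned
# for it. Assumed values; real strings come from the site's DHCP configuration.
DHCP_CLASSES: Dict[str, PnpOption43] = {
    "ciscopnp": PnpOption43("pnp.example.net", "http",
                            bundle_location="pnp/ca.p7b",
                            ntp_server="ntp.example.net"),
}


def select_option43(vendor_class_id: str) -> Optional[PnpOption43]:
    """Option 60 matching is case-sensitive: 'CiscoPnP' matches nothing."""
    return DHCP_CLASSES.get(vendor_class_id)


def resolve_bundle_url(opt: PnpOption43) -> Optional[str]:
    """A relative 'T' value is joined to the option 43 server and fetched over
    HTTP. None means no 'T': the agent looks in the default location on the
    same server instead."""
    loc = opt.bundle_location
    if not loc:
        return None
    if urlsplit(loc).scheme:   # absolute URL: used as given
        return loc
    return f"http://{opt.server}/{loc.lstrip('/')}"


def effective_transport(opt: PnpOption43) -> str:
    """HTTP plus a 'T' bundle location is upgraded to HTTPS: the agent picks the
    most secure option the string allows."""
    transport = opt.transport.lower()
    if transport == "http" and opt.bundle_location:
        return "https"
    return transport


def plan_connection(
    opt: PnpOption43,
    fetch_and_verify_bundle: Callable[[Optional[str]], bool],
    sync_clock: Callable[[str], bool],
) -> Decision:
    """fetch_and_verify_bundle(url) downloads the bundle (url=None means the
    default location on the server), checks its Cisco signature and installs
    it, returning True on success. sync_clock(ntp) returns True once the
    device clock is set from the 'Z' NTP server."""
    transport = effective_transport(opt)
    if transport == "http":
        # No bundle in play: plain HTTP, the least secure choice allowed.
        return Decision("http", f"http://{opt.server}/", None)
    # HTTPS path: the signed bundle is mandatory and there is no fallback.
    if opt.ntp_server and not sync_clock(opt.ntp_server):
        # Assumption: certificates cannot be installed without a valid clock;
        # without a 'Z' parameter the clock is taken to be already correct.
        return Decision(None, None, "clock not synchronized with 'Z' NTP server")
    if not fetch_and_verify_bundle(resolve_bundle_url(opt)):
        return Decision(None, None,
                        "certificate bundle unavailable or signature invalid; "
                        "no fallback to HTTP even if the server is reachable")
    return Decision("https", f"https://{opt.server}/", None)


if __name__ == "__main__":
    opt = select_option43("ciscopnp")
    if opt is not None:
        print(plan_connection(opt, lambda url: True, lambda ntp: True))
```

The two callbacks stand in for the device's bundle download plus signature check and for its NTP client; in the real flow a bundle that fails the Cisco signature check must make `fetch_and_verify_bundle` return False, so the agent stops rather than trusting unsigned CA material.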