USB Flash Drives and Secure eToken
CA Training
TRANSCRIPT
© 2004 Cisco Systems, Inc. All rights reserved.
© 2005 Cisco Systems, Inc. All rights reserved.
Agenda
Introduction
USB Feature
Credential Storage with eToken:
  1. Storing the Credentials
  2. Using the Credentials
Simplified Provisioning:
  1. Secure Provisioning with eToken
  2. Bootstrap Provisioning
Using the USB Flash and eToken File System
USB Port on Cisco Routers
• Provides portable credential storage for Virtual Private Network (VPN) RSA key pairs with eToken
• Provides off-platform storage and generation of VPN credentials
• Encryption keys are loaded when the eToken is plugged in, and removed when the eToken is removed
• Provides secure configuration storage and distribution with eToken
• Easy, secure distribution of encryption keys and pre-shared keys
• Provision a bootstrap config into the eToken, then send the token to the location
• The router loads the bootstrap config off the eToken when turned on, or merges the configuration when the eToken is plugged into the router
• Provides portable storage for images and configuration distribution via USB Flash drives
• Plug the Flash into the router and turn the router on: the router loads the bootstrap configuration, or the configuration can be copied from Flash
• Copy Cisco IOS images from and to the USB Flash file system
What is USB?
• USB – Universal Serial Bus. Typically PCs are Hosts; devices such as Flash drives and Secure tokens plug into Hosts.
• ISR USB implementation:
  – Is a USB Host.
  – Supports USB 2.0 and USB 1.1 Devices.
  – Supports Low Speed (1.5 Mbps) and Full Speed (12 Mbps) Devices.
  – Supports the FAT16 disk format, compatible with Windows.
  – Does not support High Speed (480 Mbps). Note that USB 2.0 High Speed Flash drive devices will operate at Full Speed when High Speed is not supported.
USB Support on Cisco Routers
• Supported in Cisco IOS Release 12.3(14)T
• Supported on all routers with a USB port, including the Cisco 871 router and the Cisco 1800 series, Cisco 2800 series and Cisco 3800 series routers.
• 2 USB Ports on Cisco 3800 series routers, Cisco 2851, Cisco 2821, Cisco 2811, Cisco 871, Cisco 1811, Cisco 1812 routers
• 1 USB Port on Cisco 2801, and Cisco 1841 routers
USB Devices Support
• USB eToken Support:
eToken Pro key sold by Aladdin Knowledge Systems
http://www.ealaddin.com/etoken/cisco
• USB Flash Module
Hardware device sold by Cisco Systems
Flash drives are supported at Full Speed (12 Mbps)
Only the following Flash part numbers are supported:
•64 MB – MEMUSB-64FT
•128 MB – MEMUSB-128FT
•256 MB – MEMUSB-256FT
• Flash and USB eToken are the only USB devices supported at this time
Credential Storage with eToken:
1- Storing the Credentials
2- Using the Credentials
1- Storing the RSA Keypair on the eToken
• Steps to store the credentials on the eToken:
  1. Plug the eToken into the router
  2. Log in to the eToken using the provided PIN
  3. Generate the keypair with the CLI
  4. Write memory: the credentials are stored on the eToken instead of private NVRAM
• Credentials can be generated on a different router
• The directory and key files are hidden from the IOS CLI, even when the eToken is logged in
• A logged-in eToken becomes the default key storage location for newly created keys
eToken login options
There are two ways to log in to the eToken:
1. Automatic: the PIN is in the running-config
   router(config)# crypto pki token default user-pin 0 1234567890
   ("default" applies to any token; a token label can be given instead. The "0" keyword is optional.)
2. Manual login: from the CLI, with or without enable mode
   router# crypto pki token usbtoken0: login 1234567890
   (the same command is accepted at the router> prompt)
Note: the eToken default PIN is 1234567890
Without USB eToken: Steps to generate and store the Crypto Keys
• Generate keys and enroll with the CA:
  router(config)# crypto key gen rsa
  router(config)# crypto pki trustpoint IOSCA
  router(ca-trustpoint)# enrollment url http://10.23.2.2
  router(config)# crypto ca authenticate IOSCA
  router(config)# crypto ca enroll IOSCA
• Store the encryption keys (without an eToken, write mem stores them in private NVRAM):
  router# write mem
With USB eToken: Steps to generate and store the Crypto Keys
1. Plug in the eToken
2. Log in to the eToken:
   Router# crypto pki token usbtoken0: login 1234567890
3. Generate keys and enroll with the CA:
   router(config)# crypto key gen rsa
   router(config)# crypto pki trustpoint IOSCA
   router(ca-trustpoint)# enrollment url http://10.23.2.2
   router(config)# crypto ca authenticate IOSCA
   router(config)# crypto ca enroll IOSCA
4. Store the encryption keys on the eToken:
   router# write mem
Step 1: Generate the RSA Keys
• This router begins with no keys
  c2851-27#show crypto key mypubkey rsa
  c2851-27#show crypto ca certificates
  c2851-27#conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  c2851-27(config)#
  c2851-27(config)#cry key gen rsa
  The name for the keys will be: c2851-27.cisco.com
  Choose the size of the key modulus in the range of 360 to 2048 for your
    General Purpose Keys. Choosing a key modulus greater than 512 may take
    a few minutes.
  How many bits in the modulus [512]:
  % Generating 512 bit RSA keys ...[OK]
  c2851-27(config)#
  *Jan 13 06:46:26.633: %SSH-5-ENABLED: SSH 1.99 has been enabled
Step 2: Enrolling with the CA
• write mem defaults to storing the key on the eToken
  c2851-27(config)#cry pki trustpoint IOSCA
  c2851-27(ca-trustpoint)#enrollment url http://10.23.2.2
  c2851-27(ca-trustpoint)#exit
  c2851-27(config)#crypto ca authenticate IOSCA
  Certificate has the following attributes:
  Fingerprint MD5: 23272BD4 37E3D9A4 236F7E1A F534444E
  Fingerprint SHA1: D1B4D9F8 D603249A 793B3CAF 8342E1FE 3934EB7A
  % Do you accept this certificate? [yes/no]: yes
  Trustpoint CA certificate accepted.
  c2851-27(config)#cry ca en
  c2851-27(config)#cry ca enroll IOSCA
  %% Start certificate enrollment ..
  % Create a challenge password. You will need to verbally provide this
    password to the CA Administrator in order to revoke your certificate.
    For security reasons your password will not be saved in the configuration.
    Please make a note of it.
  Password:
Step 3: Storing the Keys to the eToken
• write mem will store the keys to the eToken automatically
  Re-enter password:
  % The subject name in the certificate will include: c2851-27.cisco.com
  % Include the router serial number in the subject name? [yes/no]: no
  % Include an IP address in the subject name? [no]: no
  Request certificate from CA? [yes/no]: yes
  % Certificate request sent to Certificate Authority
  % The 'show crypto ca certificate IOSCA verbose' command will show the fingerprint.
  c2851-27(config)#
  *Jan 13 06:47:19.413: CRYPTO_PKI: Certificate Request Fingerprint MD5: E6DDAB1B 0E30EFE6 54529D8A DA787DBA
  *Jan 13 06:47:19.413: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 3B0F33B7 57C02A10 3935042B C4B6CD3D 61039251
  *Jan 13 06:47:21.021: %PKI-6-CERTRET: Certificate received from Certificate Authority
  c2851-27(config)#do write mem
  Building configuration...
  [OK]
  c2851-27(config)#
  *Jan 13 06:47:29.481: %CRYPTO-6-TOKENSTOREKEY: Key c2851-27.cisco.com stored on Cryptographic Token eToken Successfully
2- Using the Stored Credentials
(Diagram: the router with the eToken builds a VPN tunnel across the Internet to the Headend)
User Experience with eToken:
1. The user plugs in the eToken
2. Login to the eToken: automatic or from the CLI
3. The router initiates the VPN tunnel using the stored credentials
4. The user is connected to the VPN
5. The user removes the eToken
6. The router tears down the VPN tunnel after the timeout
Token removal timeout
• The crypto keys use the default ISAKMP timeout to re-key the credentials
• Use the following command to change the timeout that applies after the eToken is removed
• This example tears down the VPN tunnel 10 seconds after the eToken is removed:
  router(config)# crypto pki token usbtoken0 removal timeout 10
eToken and IPSec Configuration
• The eToken affects ISAKMP during negotiations
• eToken credential storage works with any IPSec configuration using PKI (i.e. IPSec, IPSec with GRE, DMVPN)
• This example uses the following configuration:
  crypto isakmp policy 1
  !
  crypto ipsec transform-set test_transformset esp-3des
  !
  crypto map test_cryptomap 10 ipsec-isakmp
   set peer 10.23.2.3
   set transform-set test_transformset
   match address 170
  !
  interface GigabitEthernet0/0
   crypto map test_cryptomap
  !
  access-list 170 permit ip host 1.1.1.1 host 3.3.3.3
Display the eToken File System
• write mem defaults to storing the key on the eToken when the eToken is plugged in
• After write memory, the directory /keystore is created, and the keys are stored hidden in that directory
  c2851-27#dir usbtoken0:
  Directory of usbtoken0:/
      2  d---          64  Jan 13 2005 05:07:42 +00:00  1000
      5  d---        2600  Jan 13 2005 05:07:42 +00:00  1001
      8  d---           0  Jan 13 2005 05:07:42 +00:00  1002
     10  d---         512  Jan 13 2005 05:07:42 +00:00  1003
     12  d---           0  Jan 13 2005 05:07:44 +00:00  5000
     13  d---           0  Jan 13 2005 05:07:44 +00:00  6000
     14  d---           0  Jan 13 2005 05:07:44 +00:00  7000
     15  d---           0  Jan 06 2005 23:57:44 +00:00  keystore
  32768 bytes total (15741 bytes free)
• Notice that the bytes free decrease after the keys are stored
Display the Credentials
• The following show command displays the key read from the eToken
• When the eToken is unplugged, the keys will be removed and the VPN is torn down
  c2851-27#show crypto key mypubkey rsa
  % Key pair was generated at: 06:37:26 UTC Jan 13 2005
  Key name: c2851-27.cisco.com
   Usage: General Purpose Key
   Key is not exportable.
   Key Data:
    305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E3C644 43AA7DDD
    732E0F4E 3CA0CDAB 387ABF05 EB8F22F2 2431F1AE 5D51FEE3 FCDEA934 7FBD3603
    7C977854 B8E999BF 7FC93021 7F46ABF8 A4BA2ED6 172D3D09 B5020301 0001
  % Key pair was generated at: 06:37:27 UTC Jan 13 2005
  Key name: c2851-27.cisco.com.server
   Usage: Encryption Key
   Key is not exportable.
   Key Data:
    307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00DD96AE 4BF912EB
    2C261922 4784EF98 2E70E837 774B3778 7F7AEB2D 87F5669B BF5DDFBC F0D521A5
    56AB8FDC 9911968E DE347FB0 A514A856 B30EAFF4 D1F453E1 003CFE65 0CCC6DC7
    21FBE3AC 2F8DEA16 126754BC 1433DEF9 53266D33 E7338C95 BB020301 0001
Removing the eToken
• Removing the eToken will cause the router to remove the crypto keys and time out the VPN tunnel
  c2851-27#
  *Jan 13 07:01:45.689: %USB_HOST_STACK-6-USB_DEVICE_DISCONNECTED: A USB device has been removed from port 0.
  *Jan 13 07:01:45.801: %USB_TOKEN_FILESYS-6-USB_TOKEN_REMOVED: USB Token device removed: usbtoken0.
  *Jan 13 07:01:45.801: %CRYPTO-6-TOKENREMOVED: Cryptographic token eToken removed from usbtoken0
  *Jan 13 07:01:45.801: %CRYPTO-4-TOKENKEYTIMEOUT: RSA keypairs for token eToken and associated IPSEC sessions will be deactivated in 1 seconds
  *Jan 13 07:01:46.801: %CRYPTO-4-TOKENKEYSDEACTIVATED: RSA keypairs from token eToken and associated IPSEC sessions being deactivated now
  *Jan 13 07:01:46.801: %SSH-5-DISABLED: SSH 1.99 has been disabled
  c2851-27#show crypto key mypubkey rsa
  c2851-27#
Removing the credentials from the eToken
• Removing the eToken will cause the router to remove the crypto keys and time out the VPN tunnel
• Plug in the eToken first, then use the following commands to remove the RSA key pair:
  router(config)# crypto key zeroize rsa
  router(config)# no crypto pki trustpoint IOSCA
  c2851-27#show crypto key mypubkey rsa
  c2851-27#
Simplified Provisioning:
1- Secure Provisioning with eToken
2- Bootstrap Provisioning
1- Secure Provisioning with eToken
• The eToken can be used to store and secure a secondary configuration file:
  router(config)# crypto pki token default secondary config CONFIG1.CFG
• This config file is processed after login to the eToken
• Can set up tunnels, etc. using the token keys
• The configuration file is protected by the secure token
• Merged with the running configuration
• Only one secondary config can be configured
• Merged configs can be manually saved by "write mem"
Config file format
• Text file stored on the eToken
• Can contain the complete router configuration or a subset, such as the VPN tunnel configuration
• Merged with the running configuration
• The config file should have the "end" statement on its last line; otherwise the config is still applied, but the following error is logged:
  c2851-27#
  *Jan 13 18:06:54.594: %PARSER-4-BADCFG: Unexpected end of configuration file.
  c2851-27#
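As an added example (not Cisco's code and not part of this deck), the following Python performs the checks this training implies on a router configuration: a PIN kept in the running-config in cleartext (the "0" keyword, IOS's usual 0/7 password-type convention) or left at the 1234567890 default, automatic login configured without a removal timeout, more than one secondary config, and a secondary or bootstrap file that does not close with "end". The sample configs are constructed; the regexes and finding names are this example's assumptions.

```python
"""Static checks for the eToken-related settings described in the deck.
Added example, not Cisco code; command shapes and finding names are assumed."""
import re

DEFAULT_PIN = "1234567890"  # eToken default PIN, as stated in the deck
# Assumed command shapes, modelled on the commands shown in the training
USER_PIN_RE = re.compile(r"^crypto pki token (\S+) user-pin(?: (0|7))? (\S+)$")
SECONDARY_RE = re.compile(r"^crypto pki token (\S+) secondary config (\S+)$")
TIMEOUT_RE = re.compile(r"^crypto pki token (\S+) removal timeout (\d+)$")


def check_running_config(text):
    """Return (finding, detail) tuples for the token-related lines of a running-config."""
    findings, pins, secondaries, timeouts = [], [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = USER_PIN_RE.match(line)
        if m:
            token, enc, pin = m.groups()
            pins.append(token)
            # IOS password-type keyword: "0" (or none) means the PIN sits in cleartext
            if enc in (None, "0"):
                findings.append(("cleartext-pin", token))
            if pin == DEFAULT_PIN:
                findings.append(("default-pin", token))
            continue
        m = SECONDARY_RE.match(line)
        if m:
            secondaries.append(m.group(2))
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            timeouts[m.group(1)] = int(m.group(2))
    if len(secondaries) > 1:  # deck: only one secondary config can be configured
        findings.append(("multiple-secondary-configs", ",".join(secondaries)))
    if pins and not timeouts:  # deck: otherwise keys live on until the ISAKMP re-key
        findings.append(("no-removal-timeout", ",".join(pins)))
    return findings


def check_secondary_config(text):
    """The secondary/bootstrap file must close with 'end'; otherwise IOS applies it
    but logs %PARSER-4-BADCFG, as shown in the deck."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or lines[-1] != "end":
        return [("missing-end", lines[-1] if lines else "<empty file>")]
    return []


# Constructed samples: the first mirrors the deck's commands, the second relies on
# manual CLI login and sets the 10-second removal timeout from the deck.
WEAK_CONFIG = """\
crypto pki token default user-pin 0 1234567890
crypto pki token default secondary config CONFIG1.CFG
crypto isakmp policy 1
"""
BETTER_CONFIG = """\
crypto pki token default secondary config CONFIG1.CFG
crypto pki token usbtoken0 removal timeout 10
"""
GOOD_SECONDARY = "crypto map test_cryptomap 10 ipsec-isakmp\n set peer 10.23.2.3\nend\n"
BAD_SECONDARY = "crypto map test_cryptomap 10 ipsec-isakmp\n set peer 10.23.2.3\n"

if __name__ == "__main__":
    print(check_running_config(WEAK_CONFIG), check_running_config(BETTER_CONFIG))
    print(check_secondary_config(GOOD_SECONDARY), check_secondary_config(BAD_SECONDARY))
```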
2- Bootstrap Provisioning
• Bootstrap configuration from the USB Flash or eToken
• Booting images from usbflash is not supported in 12.3(14)T
• Use the following command to configure bootstrap from a USB device:
  Router(config)# boot config usbtoken0:CONFIG1.CFG
  Or
  Router(config)# boot config usbflash0:CONFIG1.CFG
Using the USB Flash and eToken File System
USB eToken and USB Flash Comparison
Accessibility
  USB eToken: Used to securely store and transfer digital certificates and router configurations from the eToken to the router.
  USB Flash: Used to store and deploy router configurations and images from the USB Flash to the router.
Storage size
  USB eToken: 32KB
  USB Flash: 64MB, 128MB, 256MB
File types
  USB eToken: Typically used to store bootstrap data, digital certificates and configurations for Firewalls and IPSec VPNs; eTokens cannot store Cisco IOS images.
  USB Flash: Stores any file type that might be stored on a compact flash.
USB eToken and USB Flash Comparison (2)
Security
  USB eToken: Files can be encrypted and accessed only with a user PIN; files can also be stored in a non-secure format.
  USB Flash: Files can only be stored in a non-secure format.
Boot Images and Configurations
  USB eToken: Configuration can be booted from the eToken to the router. A secondary configuration can also be booted from the eToken to the router; the secondary configuration allows users to load their IPSec configuration.
  USB Flash: The configuration file is automatically transferred from the USB Flash to the router.
Managing the USB File System
• List of files
• Change directory
• Format
• Copy a file
• Copy image to USB Flash
• Delete a file
• Other show usb commands
• Plug in the USB Flash
eToken Specific commands
• Plug in the eToken
• Login and Logout the eToken
• Troubleshooting eToken Login
List all files on the Drive
• Displays the USB drive contents. Use the dir or show command to display the contents:
  router# dir usbtoken0:
  Or
  router# dir usbflash0:
  c2851-27#dir usbtoken0:
  Directory of usbtoken0:/
      2  d---          64  Jan 13 2005 05:19:26 +00:00  1000
      5  d---        2600  Jan 13 2005 05:19:26 +00:00  1001
      8  d---           0  Jan 13 2005 05:19:26 +00:00  1002
     10  d---         512  Jan 13 2005 05:19:26 +00:00  1003
     12  d---           0  Jan 13 2005 05:19:26 +00:00  5000
     13  d---           0  Jan 13 2005 05:19:28 +00:00  6000
     14  d---           0  Jan 13 2005 05:19:28 +00:00  7000
  32768 bytes total (27385 bytes free)
Change directory
• Change the directory on the USB drive:
  router# cd usbtoken0:/1000
  Or
  router# cd usbflash0:/1000
  c2851-27#cd usbtoken0:/1000
  c2851-27#dir
  Directory of usbtoken0:/1000/
      3  ----          11  Jan 13 2005 06:28:04 +00:00  1
      4  ----          32  Jan 13 2005 06:28:04 +00:00  2
  32768 bytes total (27385 bytes free)
Format the Drive
• The USB drive will be formatted:
  router# format usbtoken0:
  Or
  router# format usbflash0:
  c2851-27#format usbtoken0:
  Format operation may take a while. Continue? [confirm]
  Format operation will destroy all data in "usbtoken0:".  Continue? [confirm]
  Reclaiming all space......
  Initializing devices......
  Format of usbtoken0 complete
Copy files
• Copies the running config to the eToken or USB Flash:
  router# copy running-config usbtoken0:
  Or
  router# copy running-config usbflash0:
  c2851-27#copy running-config ?
    archive:        Copy to archive: file system
    flash:          Copy to flash: file system
    ftp:            Copy to ftp: file system
    http:           Copy to http: file system
    https:          Copy to https: file system
    ips-sdf         Update (merge with) IPS signature configuration
    null:           Copy to null: file system
    nvram:          Copy to nvram: file system
    rcp:            Copy to rcp: file system
    running-config  Update (merge with) current system configuration
    scp:            Copy to scp: file system
    startup-config  Copy to startup configuration
    system:         Copy to system: file system
    tftp:           Copy to tftp: file system
    usbflash1:      Copy to usbflash1: file system
    usbtoken0:      Copy to usbtoken0: file system
    xmodem:         Copy to xmodem: file system
    ymodem:         Copy to ymodem: file system
Copy image from flash: to usbflash0:
• Copy an image from flash: to usbflash0:
  router#copy flash:c1841-advsecurityk9-mz.123-14T usbflash0:
  Destination filename [c1841-advsecurityk9-mz.123-14T]?
  Copy in progress...CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
  17523748 bytes copied in 58.544 secs (299326 bytes/sec)
Delete a File
• Deleting a file from the USB file system:
  router# delete usbtoken0:running-config
  Or
  router# delete usbflash0:running-config
  c2851-27#delete usbtoken0:running-config
  Delete filename [running-config]?
  Delete usbtoken0:running-config? [confirm]
  c2851-27#
Other USB commands
The following are additional USB commands:
• show usb controller
• show usb device
• show usb driver
Plug in the USB Flash
  router#
  *Feb 2 19:21:53.531: %USB_HOST_STACK-6-USB_DEVICE_CONNECTED: A Full speed USB device has been inserted in port 0.
  *Feb 2 19:21:54.171: %USBFLASH-5-CHANGE: usbflash0 has been inserted!
Unplugging the USB Flash
  Router#
  *Feb 2 19:29:26.595: %USB_HOST_STACK-6-USB_DEVICE_DISCONNECTED: A USB device has been removed from port 0.
  *Feb 2 19:29:26.699: %USBFLASH-5-CHANGE: usbflash0 has been removed!
eToken Specific commands
Plug in the eToken
• Plug in the eToken, with the user PIN stored in the running-config:
  c2851-27#
  *Jan 13 05:17:20.001: %USB_HOST_STACK-6-USB_DEVICE_CONNECTED: A Low speed USB device has been inserted in port 0.
  *Jan 13 05:17:21.497: %USB_TOKEN_FILESYS-6-USB_TOKEN_INSERTED: USB Token device inserted: usbtoken0.
  *Jan 13 05:17:21.501: %USB_TOKEN_FILESYS-6-REGISTERING_WITH_IFS: Registering USB Token File System usbtoken0: might take a while...
  *Jan 13 05:17:21.841: %CRYPTO-6-TOKENINSERTED: Cryptographic token eToken inserted in usbtoken0
  *Jan 13 05:17:22.053: %CRYPTO-6-TOKENLOGIN: Cryptographic Token eToken Login Successful
  *Jan 13 05:17:25.401: %USB_TOKEN_FILESYS-6-REGISTERED_WITH_IFS: USB Token File System usbtoken0 is registered...
Login and logout to the eToken
• Login to the eToken:
  router# crypto pki token usbtoken0: login 1234567890
  c2851-27#crypt pki token usbtoken0: login 1234567890
  Token eToken is usbtoken0
  Token login to usbtoken0(eToken) successful
  *Jan 13 05:26:46.385: %CRYPTO-6-TOKENLOGIN: Cryptographic Token eToken Login Successful
• Logout from the eToken:
  router# crypto pki token usbtoken0: logout
  c2851-27#crypto pki token usbtoken0: logout
  Token eToken is usbtoken0
  Token logout from usbtoken0(eToken) successful
  *Jan 28 05:46:59.544: %CRYPTO-6-TOKENLOGOUT: Cryptographic Token eToken Logout Successful
Troubleshooting Login failure
• Successful login:
  c2851-27#crypto pki token usbtoken0: login 1234567890
  Token eToken is usbtoken0
  Token login to usbtoken0(eToken) successful
  A pre-shared key for address mask 10.23.2.3 255.255.255.255 already exists!
  c2851-27#
  *Jan 13 18:44:44.038: %CRYPTO-6-TOKENLOGIN: Cryptographic Token eToken Login Successful
  c2851-27#
• Failed login with a wrong PIN:
  c2851-27#crypto pki token usbtoken0: login 1234567891
  Token eToken is usbtoken0
  Token login to usbtoken0(eToken) failed
  c2851-27#
  *Jan 13 18:44:50.558: %CRYPTO-3-TOKENLOGINFAILED: Cryptographic Token eToken Login FAILED
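As an added example (not from this deck and not Cisco code), the following Python parses the %CRYPTO token syslog messages shown in this training (login, failed login, insertion, removal, key timeout and deactivation) and derives two defender-side events from a log: a burst of failed PIN logins and the key deactivation that follows pulling the token. The sample lines are constructed from the messages in the deck; the line regex, the thresholds and the event names are this example's assumptions.

```python
"""Parse the eToken-related IOS syslog messages from the deck and derive events.
Added example, not Cisco code; regex, thresholds and event names are assumed."""
import re
from datetime import datetime

# IOS syslog line as the deck shows it, e.g.
# *Jan 13 18:44:50.558: %CRYPTO-3-TOKENLOGINFAILED: Cryptographic Token eToken Login FAILED
LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?: "
    r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$")

# Mnemonics printed by the router in the deck
TOKEN_MNEMONICS = {"TOKENINSERTED", "TOKENLOGIN", "TOKENLOGINFAILED", "TOKENLOGOUT",
                   "TOKENREMOVED", "TOKENKEYTIMEOUT", "TOKENKEYSDEACTIVATED",
                   "TOKENSTOREKEY"}


def parse_line(line, year=2005):
    """Return a dict for a CRYPTO token message, or None for any other line.
    IOS timestamps carry no year, so the caller supplies it (assumption)."""
    m = LINE_RE.match(line.strip())
    if not m or m["facility"] != "CRYPTO" or m["mnemonic"] not in TOKEN_MNEMONICS:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "severity": int(m["sev"]), "event": m["mnemonic"], "msg": m["msg"]}


def token_events(lines, year=2005):
    return [e for e in (parse_line(l, year) for l in lines) if e]


def alerts(events, max_failures=3, window_s=60):
    """Two detections: max_failures failed PIN logins inside window_s seconds, and
    keys being deactivated because the token was removed (the tunnel goes down)."""
    out, failures = [], []
    for e in events:
        if e["event"] == "TOKENLOGINFAILED":
            failures = [t for t in failures if (e["time"] - t).total_seconds() <= window_s]
            failures.append(e["time"])
            if len(failures) >= max_failures:
                out.append(("repeated-pin-failures", e["time"]))
                failures = []
        elif e["event"] == "TOKENKEYSDEACTIVATED":
            out.append(("keys-deactivated", e["time"]))
    return out


# Constructed sample built from the deck's messages, with two extra failed logins
SAMPLE_LINES = [
    "*Jan 13 18:44:44.038: %CRYPTO-6-TOKENLOGIN: Cryptographic Token eToken Login Successful",
    "*Jan 13 18:44:50.558: %CRYPTO-3-TOKENLOGINFAILED: Cryptographic Token eToken Login FAILED",
    "*Jan 13 18:44:52.101: %CRYPTO-3-TOKENLOGINFAILED: Cryptographic Token eToken Login FAILED",
    "*Jan 13 18:44:55.733: %CRYPTO-3-TOKENLOGINFAILED: Cryptographic Token eToken Login FAILED",
    "*Jan 13 19:01:45.801: %USB_TOKEN_FILESYS-6-USB_TOKEN_REMOVED: USB Token device removed: usbtoken0.",
    "*Jan 13 19:01:45.801: %CRYPTO-6-TOKENREMOVED: Cryptographic token eToken removed from usbtoken0",
    "*Jan 13 19:01:45.801: %CRYPTO-4-TOKENKEYTIMEOUT: RSA keypairs for token eToken and associated IPSEC sessions will be deactivated in 1 seconds",
    "*Jan 13 19:01:46.801: %CRYPTO-4-TOKENKEYSDEACTIVATED: RSA keypairs from token eToken and associated IPSEC sessions being deactivated now",
    "*Jan 13 19:01:46.801: %SSH-5-DISABLED: SSH 1.99 has been disabled",
]

if __name__ == "__main__":
    for name, when in alerts(token_events(SAMPLE_LINES)):
        print(when.isoformat(), name)
```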
Summary
Credential Storage with eToken:
  1. Storing the Credentials
  2. Using the Credentials
Simplified Provisioning:
  1. Secure Provisioning with eToken
  2. Bootstrap Provisioning
Using the USB Flash and eToken File System