Consent Token Authorization Process For System Shell Access - Cisco Catalyst 9500 Manual

System Management Configuration Guide, Cisco IOS XE Amsterdam 17.2.x

Consent Token

Consent Token Authorization Process for System Shell Access

administrator) to access system shell on your device. Consent Token is a lock, unlock and re-lock mechanism
that provides you with privileged, restricted, and secure access to the system shell.
When you request access to system shell, you need to be authorized. You must first run the command to
generate a challenge using the Consent Token feature on your device. The device generates a unique challenge
as output. You must then copy this challenge string and send it to a Cisco Authorized Personnel through e-mail
or Instant Message.
The Cisco Authorized Personnel processes the unique challenge string and generates a response that is unique.
The Cisco Authorized Personnel copies this response string and sends it to you through e-mail or Instant
Message.
You must then input this response string into your device. If the challenge-response pair matches, you are
authorized to access system shell. If not, an error is displayed and you are required to repeat the authentication
process.
Once you gain access to system shell, collect the debug information required by the Cisco TAC engineer.
After you are done accessing system shell, terminate the session and continue the debugging process.
Figure 6: Consent Token
Consent Token Authorization Process for System Shell Access
This section describes the process of Consent Token authorization to access system shell:
Procedure
Step 1
Generate a challenge requesting access to system shell for the specified time period.
Example:
Device# request consent-token generate-challenge shell-access auth-timeout 900
zSSdrAAAAQEBAAQAAAABAgAEAAAAAAMACH86csUhmDl0BAAQ0Fvd7CxqRYUeoD7B4AwW7QUABAAAAG8GAAhDVEFfREVNTwcAGENUQV9ERU1PX0NUQV9TSUdOSU5HX0tFWQgAC0M5ODAwLUNMLUs5CQALOVpQUEVESE5KRkI=
Device#
*Jan 18 02:47:06.733: %CTOKEN-6-AUTH_UPDATE: Consent Token Update (challenge generation attempt: Shell access 0).
Send a request for a challenge using the request consent-token generate-challenge shell-access
time-validity-slot command. The duration in minutes for which you are requesting access to system shell is
the time-slot-period.
In this example, the time period is 900 minutes after which the session expires.
The device generates a unique challenge as output. This challenge is a base-64 format string.
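The %CTOKEN-6-AUTH_UPDATE message in the example above is the audit trail for consent-token activity, so it is worth picking out of collected device logs. The following is an added example, not part of the Cisco guide: it assumes the usual IOS "%FACILITY-SEVERITY-MNEMONIC: text" record shape, and the function names and the sample log around the CTOKEN line are constructed for illustration.

```python
import re

# Start of an IOS-style syslog record: optional '*' or '.', then "Mon DD HH:MM:SS.mmm:"
TS = r"[*.]?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?):"
RECORD_START = re.compile(r"^" + TS)
# Full record: timestamp, then %FACILITY-SEVERITY-MNEMONIC: message text
RECORD = re.compile(
    r"^" + TS + r" %(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-"
    r"(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

# Constructed sample: the CTOKEN record is the one shown on this page (wrapped
# across two lines, as printed); the other records are made up for the example.
SAMPLE_LOG = """\
*Jan 18 02:41:12.101: %SYS-5-CONFIG_I: Configured from console by admin on vty0
*Jan 18 02:47:06.733: %CTOKEN-6-AUTH_UPDATE: Consent Token Update (challenge generation
attempt: Shell access 0).
*Jan 18 02:49:30.002: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
"""

def join_wrapped(lines):
    """Re-join messages that were wrapped onto a following line."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)       # a timestamp starts a new record
        else:
            records[-1] += " " + line  # continuation of the previous record
    return records

def consent_token_events(raw_log):
    """Return one dict per %CTOKEN record found in raw_log."""
    events = []
    for rec in join_wrapped(raw_log.splitlines()):
        m = RECORD.match(rec)
        if not m or m["facility"] != "CTOKEN":
            continue
        detail = re.search(r"\((.*)\)", m["text"])  # text inside the parentheses
        events.append({
            "timestamp": m["ts"],
            "severity": int(m["severity"]),
            "mnemonic": m["mnemonic"],
            "detail": detail.group(1) if detail else m["text"],
        })
    return events

if __name__ == "__main__":
    for event in consent_token_events(SAMPLE_LOG):
        print(event)
```

Each returned event can be forwarded to whatever alerting is in place, so that a challenge generated outside an open TAC case stands out.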