Cisco Systems CL-28826-01 Security Camera User Manual


60-83
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 60 Router Device Administration
Secure Device Provisioning on Cisco IOS Routers
Defining Secure Device Provisioning Policies
The petitioner component is automatically enabled on all Cisco IOS routers. The SDP policy in Security
Manager enables the registrar. To define an SDP policy you must define:
• The AAA server group containing the AAA server that the registrar uses to authenticate and authorize the introducer.
• The CA server to which the petitioner enrolls during the bootstrap process.
• The location of the introduction page that is displayed after authorization was performed.
• The location of the bootstrap configuration to be provided to the petitioner.
Related Topics
Secure Device Provisioning Workflow, page 60-82
Configuring a AAA Server Group for Administrative Introducers, page 60-84
Secure Device Provisioning on Cisco IOS Routers, page 60-81
Step 1 Do one of the following:
• (Device view) Select Platform > Device Admin > Secure Device Provisioning from the Policy selector.
• (Policy view) Select Router Platform > Device Admin > Secure Device Provisioning from the Policy Type selector. Select an existing policy or create a new one.
The Secure Device Provisioning page is displayed. See Table 60-37 on page 60-85 for a description of
the fields on this page.
Step 2 Under Introducer Authentication, enter the name of the AAA server group containing the relevant AAA
server, or click Select to select it from a list or to create a new object.
The selected AAA server determines whether the username and password supplied by the introducer
represent an authorized user. The AAA server must be a TACACS+ server, a RADIUS server, or local.
Note: Each AAA server in the selected group must be configured to communicate with an interface
that exists on the router; otherwise, validation fails. If you want to configure a different AAA
server group for authenticating and authorizing administrative introducers, see Configuring a
AAA Server Group for Administrative Introducers, page 60-84.
Step 3 Under Petitioner Authentication, define the CA server that authenticates the identity of the petitioner by
doing one of the following:
• Select Local CA Server, then enter the local CA name in the field provided. If you have already
configured the CA server locally on the registrar, a trustpoint is generated automatically.
Note: If you have not configured the router as the CA server, enter the command
crypto pki server [name] using the CLI or FlexConfigs. This command is mandatory when you
deploy an SDP policy configured with a local CA server.
• Select Remote CA Server, then enter the name of a PKI enrollment object, or click Select to select
it from a list or to create a new object.
The PKI enrollment object defines the external CA server used in the SDP policy.
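
For orientation, the four elements of an SDP policy listed at the top of this section map roughly onto the registrar's IOS CLI configuration as sketched below, for the local CA server case. This is an added example, not text from the user guide and not necessarily the exact configuration Security Manager deploys; the CA name, AAA group and method-list names, addresses, and URLs are constructed placeholders.

```cisco
! Added illustration; every name, address and URL below is a constructed placeholder.
!
! Introducer authentication: the AAA server group and the method lists that use it.
! (The TACACS+ host and its shared key are assumed to be defined elsewhere.)
aaa new-model
aaa group server tacacs+ SDP-AAA
 server 192.0.2.10
aaa authentication login SDP-AUTHEN group SDP-AAA
aaa authorization network SDP-AUTHOR group SDP-AAA
!
! Petitioner authentication with a local CA server (the command named in the Step 3 note).
crypto pki server SDP-CA
 no shutdown
!
! The introducer reaches the registrar through the router's HTTPS server.
ip http secure-server
!
! Registrar: ties the CA server, the AAA method lists, the introduction page
! and the bootstrap configuration together.
crypto provisioning registrar
 pki-server SDP-CA
 authentication list SDP-AUTHEN
 authorization list SDP-AUTHOR
 template http introduction tftp://192.0.2.20/sdp/intro.html
 template config tftp://192.0.2.20/sdp/bootstrap.cfg
```

After deployment, comparing the registrar section of the running configuration against the policy is a quick way to confirm that the introducer is checked against the intended AAA group and that the bootstrap configuration is fetched from the intended location.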