60-81
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 60 Router Device Administration
Secure Device Provisioning on Cisco IOS Routers
Secure Device Provisioning (SDP) offers an integrated solution for streamlining VPN and network
security deployment. SDP (previously called Easy Secure Device Deployment, or EzSDD) enables
remote-site users to securely bootstrap their VPN device through an easy-to-use web interface, thereby
easing the deployment burden, lowering costs, and shortening the network development cycle. For
example, a telecommuter or small branch office user can remove a new device from its shipping package,
plug it in, open a simple web management interface, and establish VPN connectivity, all within a period
of just a few minutes.
For more information about SDP, see Setting Up Secure Device Provisioning (SDP) for Enrollment in a
PKI, which can be found in Cisco IOS Security Configuration Guide, Release 12.4T.
Note SDP requires Cisco IOS Software Release 12.3(8)T or later. Attempting to deploy this policy to a router
running an earlier version could result in deployment failure. You also cannot configure the policy on
NO-VPN router models (those that do not allow VPN configurations, such as the 3845 NOVPN).
Trusted Transitive Introduction (TTI) is the protocol that acts as the primary mechanism for
implementing SDP. As shown in Figure 60-3, TTI comprises the following three entities:
• Introducer—A mutually trusted device that introduces the petitioner to the registrar. Introducers can
be end users who use SDP to deploy VPN devices associated with themselves to the PKI network,
or an administrator/management system that uses SDP to deploy many VPN devices to the PKI
network. This latter type is known as an administrative introducer. For more information, see
Configuring a AAA Server Group for Administrative Introducers, page 60-84.
• Petitioner—A remote-site device that is joined to the secure domain. The petitioner serves web
pages to the introducer and receives the bootstrap configuration from the introducer’s web browser.
The petitioner component is enabled by default on all Cisco IOS devices.
• Registrar—A server that authorizes the petitioner by communicating directly with an
authentication, authorization, and accounting (AAA) server to verify user credentials, permit or
deny enrollment, and retrieve user-specific configuration information.
Use the SDP policy in Security Manager to configure the router as a registrar.
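The registrar role described above, shown as an added example of the Cisco IOS configuration that the SDP policy ends up pushing to the router. This is not text from the guide or a Security Manager export; the AAA list names (SDP-LOGIN, SDP-AUTHZ), the certificate server name (SDP-CA), the RADIUS server address, the shared key, the template credentials and the template URL are all placeholders, and the command syntax is the IOS 12.4T crypto provisioning registrar syntax as assumed here, so check it against the Cisco IOS Security Configuration Guide for the release you run. The certificate server setup is abbreviated to the lines relevant to SDP.

```cisco
! Constructed example: registrar-side IOS configuration for SDP (TTI).
! Every name, address, key and URL below is a placeholder.
aaa new-model
radius-server host 192.0.2.10 key 0 PLACEHOLDER-RADIUS-KEY
! Two separate AAA lists: one to verify the introducer's credentials,
! one to fetch the user-specific bootstrap data that the registrar
! hands to the petitioner only after the introducer is authorized.
aaa authentication login SDP-LOGIN group radius local
aaa authorization network SDP-AUTHZ group radius local
!
! Web interface the introducer's browser connects to. The secure server
! keeps the introducer's credentials and the bootstrap configuration
! off the wire in clear text; the AAA binding forces a login first.
ip http server
ip http secure-server
ip http authentication aaa login-authentication SDP-LOGIN
!
! Certificate server that issues the petitioner's certificate.
crypto pki server SDP-CA
 issuer-name CN=sdp-ca.example.net
 no shutdown
!
crypto provisioning registrar
 pki-server SDP-CA
 authentication list SDP-LOGIN
 authorization list SDP-AUTHZ
 ! Administrative introducers (see "Configuring a AAA Server Group for
 ! Administrative Introducers") are checked against their own lists.
 administrator authentication list SDP-LOGIN
 administrator authorization list SDP-AUTHZ
 ! Credentials the petitioner presents when it retrieves its bootstrap
 ! configuration; keep them distinct from any administrative account.
 template username sdp-bootstrap password 0 PLACEHOLDER-TEMPLATE-PW
 ! Bootstrap configuration template served to the petitioner.
 template config http://192.0.2.20/sdp/bootstrap.cfg
```

Nothing needs to be configured on the petitioner for this to work, since the petitioner component is on by default; what the registrar side controls is that no device is introduced into the PKI unless the introducer's credentials pass the authentication list and the authorization list returns an entry for that user, which is where the "permit or deny enrollment" decision described above is actually made.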
Figure 60-3 Secure Device Provisioning
For more information about Secure Device Provisioning, see:
Contents of Bootstrap Configuration, page 60-82
Secure Device Provisioning Workflow, page 60-82
[Figure 60-3 shows the three TTI entities—Introducer, Petitioner and Registrar—with a secure communication channel and a point introduction between the introducer and each of the other two.]