User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 60 Router Device Administration
Secure Device Provisioning on Cisco IOS Routers
Step 4 Select the source of the introduction page that is displayed after you log in to the registrar. The
introduction page indicates whether authorization was successfully completed and contains a button for
completing the process of obtaining the bootstrap configuration.

If you do not select the default welcome page, you must enter the URL required to access a different
welcome page that you prepared elsewhere.

Step 5 Select the source of the bootstrap configuration provided to the petitioner to implement its first-time
configuration:

• If the source of the bootstrap configuration is a non-Security Manager URL, enter the URL and also
  the username and password for accessing the URL, if required.
• If the source of the configuration file is a Security Manager URL:
  - Enter the name of a FlexConfig, or click Select to select it from a list or to create a new object.
    The FlexConfig contains the device commands required to retrieve the appropriate bootstrap
    configuration. For more information, see Add or Edit FlexConfig Dialog Box, page 7-29.
  - Enter the device name formula required by the FlexConfig to derive the device name of the
    petitioner from the username submitted by the introducer. (The two names typically have a fixed
    relationship.) The default formula is $n, which uses the introducer name to determine the device
    name.
    The device name determines which bootstrap configuration the petitioner should receive. The
    resulting URL contains the name of the FlexConfig you selected, as well as the parameters and
    formula you defined.
  - Enter a username and password for accessing the Security Manager server containing the
    FlexConfig. The password can contain alphanumeric characters, but cannot consist of a single
    digit.

Configuring a AAA Server Group for Administrative Introducers
Administrative introducers are administrators or management systems that introduce many devices to the
PKI network. You can configure a AAA server group for authenticating and authorizing administrative
introducers by appending the following FlexConfig to the configuration of the router:

aaa new-model
radius-server host 1.2.3.4 auth-port 1645 acct-port 1646 key key
aaa group server radius default-radius-group2
 server 1.2.3.4 auth-port 1645 acct-port 1646
 exit
aaa authentication login CSM_SDP2 group default-radius-group2
crypto provisioning registrar
 administrator authentication list CSM_SDP2
 administrator authorization list CSM_SDP2
 exit

This FlexConfig serves two functions: it configures the AAA server group to use, and it associates this
server group with the SDP registrar (crypto provisioning registrar).
For more information about administrative introducers, see Administrative Secure Device Provisioning
Introducer on Cisco.com at this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtadintr.html
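
The following added example (not part of the Cisco guide) is a pre-deployment check, in Python, that traces each AAA list named under crypto provisioning registrar back to its method-list definition, its server group, and a radius-server host entry. It assumes that authentication and authorization method lists are defined separately, each by its own aaa line; the function name lint_sdp_aaa is hypothetical.

```python
import re

# The FlexConfig from this section, embedded so the check runs offline.
FLEXCONFIG = """\
aaa new-model
radius-server host 1.2.3.4 auth-port 1645 acct-port 1646 key key
aaa group server radius default-radius-group2
server 1.2.3.4 auth-port 1645 acct-port 1646
exit
aaa authentication login CSM_SDP2 group default-radius-group2
crypto provisioning registrar
administrator authentication list CSM_SDP2
administrator authorization list CSM_SDP2
exit
"""

def lint_sdp_aaa(config):
    """Return findings for broken links: registrar -> method list -> group -> host."""
    hosts, groups, lists, refs = set(), {}, {}, []
    group = None  # server group whose sub-mode we are currently inside
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"server (\S+)", line)
        if m and group is not None:
            groups[group].append(m[1])
            continue
        group = None
        if m := re.match(r"radius-server host (\S+)", line):
            hosts.add(m[1])
        elif m := re.match(r"aaa group server radius (\S+)", line):
            groups.setdefault(group := m[1], [])
        elif m := re.match(r"aaa (authentication|authorization) \S+ (\S+) group (\S+)", line):
            # Assumption: each kind of method list needs its own definition.
            lists[(m[1], m[2])] = m[3]
        elif m := re.match(r"administrator (authentication|authorization) list (\S+)", line):
            refs.append((m[1], m[2]))
    findings = []
    for kind, name in refs:
        grp = lists.get((kind, name))
        if grp is None:
            findings.append(f"{kind} list {name} is referenced but not defined")
        elif grp not in groups:
            findings.append(f"{kind} list {name} uses undefined server group {grp}")
        else:
            findings += [f"server {s} in {grp} has no radius-server host entry"
                         for s in groups[grp] if s not in hosts]
    return findings

if __name__ == "__main__":
    print("\n".join(lint_sdp_aaa(FLEXCONFIG)) or "no findings")
```

On the FlexConfig shown in this section, the check reports one finding: no aaa authorization line defines CSM_SDP2.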