CHAPTER 18
Consent Token
• Restrictions for Consent Token, on page 311
• Information About Consent Token, on page 311
• Consent Token Authorization Process for System Shell Access, on page 312
• Feature History for Consent Token, on page 313
Restrictions for Consent Token
• Consent Token is enabled by default and cannot be disabled.
• After the challenge has been sent from the device, the response needs to be entered within 30 minutes.
If it is not entered, the challenge expires and a new challenge must be requested.
• A single response is valid only for one time for a corresponding challenge.
• The maximum authorization timeout for root-shell access is seven days.
• After a switchover event, all the existing Consent Token based authorizations would be treated as expired.
You must then restart a fresh authentication sequence for service access.
• Only Cisco authorized personnel have access to Consent Token response generation on Cisco's challenge
signing server.
• In System Shell access scenario, exiting the shell does not terminate authorization until the authorization
timeout occurs or the shell authorization is explicitly terminated by the consent token terminate
authorization command.
We recommend that you force terminate System Shell authorization by explicitly issuing the Consent
Token terminate command once the purpose of System Shell access is complete.
Information About Consent Token
Consent Token is a security feature that is used to authenticate the network administrator of an organization
to access system shell with mutual consent from the network administrator and Cisco Technical Assistance
Centre (Cisco TAC).
In some debugging scenarios, the Cisco TAC engineer may have to collect certain debug information or
perform live debug on a production system. In such cases, the Cisco TAC engineer will ask you (the network
System Management Configuration Guide, Cisco IOS XE Amsterdam 17.2.x (Catalyst 9500 Switches)
311
To Next Page
Loading...
Need help?
General
