Cisco SR224T Administration Guide - Page 265
Sensitive Data Zero-Touch Auto Configuration, passphrase control is Restricted
View all Cisco SR224T manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 265 highlights
Secure Sensitive Data Configuration Files 19 Sensitive Data Zero-Touch Auto Configuration SSD Zero-touch Auto Configuration is the auto configuration of target devices with encrypted sensitive data, without the need to manually pre-configure the target devices with the passphrase whose key is used to encrypted the sensitive data. The device currently supports Auto Configuration, which is enabled by default. When Auto Configuration is enabled on a device and the device receives DHCP options that specify a file server and a boot file, the device downloads the boot file (remote configuration file) into the Startup Configuration file from a file server, and then reboots. NOTE The file server may be specified by the bootp siaddr and sname fields, as well as DHCP option 150 and statically configured on the device. The user can safely auto configure target devices with encrypted sensitive data, by first creating the configuration file that is to be used in the auto configuration from a device that contains the configurations. The device must be configured and instructed to: • Encrypt the sensitive data in the file • Enforce the integrity of the file content • Include the secure, authentication configuration commands and SSD rules that properly control and secure the access to devices and the sensitive data If the configuration file was generated with a user passphrase and SSD file passphrase control is Restricted, the resulting configuration file can be autoconfigured to the desired target devices. However, for auto configuration to succeed with a user-defined passphrase, the target devices must be manually pre-configured with the same passphrase as the device that generates the files, which is not zero touch. If the device creating the configuration file is in Unrestricted passphrase control mode, the device includes the passphrase in the file. As a result, the user can auto configure the target devices, including devices that are out-of-the-box or in factory default, with the configuration file without manually pre-configuring the target devices with the passphrase. This is zero touch because the target devices learn the passphrase directly from the configuration file. Cisco Small Business 200 Series Smart Switch Administration Guide 266