administrator) to access system shell on your device. Consent Token is a lock, unlock and re-lock mechanism
that provides you with privileged, restricted, and secure access to the system shell.
When you request access to system shell, you need to be authorized. You must first run the command to
generate a challenge using the Consent Token feature on your device. The device generates a unique challenge
as output. You must then copy this challenge string and send it to a Cisco Authorized Personnel through e-mail
or Instant Message.
The Cisco Authorized Personnel processes the unique challenge string and generates a response that is unique.
The Cisco Authorized Personnel copies this response string and sends it to you through e-mail or Instant
Message.
You must then input this response string into your device. If the challenge-response pair match, you are
authorized to access system shell. If not, an error is displayed and you are required to repeat the authentication
process.
Once you gain access to system shell, collect the debug information required by the Cisco TAC engineer.
After you are done accessing system shell, terminate the session and continue the debugging process.
Figure 14: Consent Token
Consent Token Authorization Process for System Shell Access
This section describes the process of Consent Token authorization to access system shell:
Procedure
Step 1 Generate a challenge requesting for access to system shell for the specified time period.
Example:
Device# request consent-token generate-challenge shell-access auth-timeout 900
zSSdrAAAAQEBAAQAAAABAgAEAAAAAAMACH86csUhmDl0BAAQ0Fvd7CxqRYUeoD7B4AwW7QUABAAAAG8GAAhDVEFfREVNTwcAGENUQV9ERU1PX0NUQV9TSUdOSU5HX0tFWQgAC0M5ODAwLUNMLUs5CQALOVpQUEVESE5KRkI=
Device#
*Jan 18 02:47:06.733: %CTOKEN-6-AUTH_UPDATE: Consent Token Update (challenge generation
attempt: Shell access 0).
Send a request for a challenge using the request consent-token generate-challenge shell-access
time-validity-slot command. The duration in minutes for which you are requesting access to system shell is
the time-slot-period.
In this example, the time period is 900 minutes after which the session expires.
The device generates a unique challenge as output. This challenge is a base-64 format string.
System Management Configuration Guide, Cisco IOS XE Bengaluru 17.4.x (Catalyst 9400 Switches)
386
Consent Token
Consent Token Authorization Process for System Shell Access
To Next Page
Loading...
Need help?
General