About the Author

Joe Harris, CCIE No. 6200 (R&S, Security & SP) is a Systems Engineer with Cisco Systems® specializing in Security. In addition to authoring Cisco Network Security Little Black Book, Joe has also been a technical reviewer for several Cisco Press publications and written articles, white papers, and presentations on various security technologies. He also assists various Certification Partners by beta testing their newest CCIE certification workbooks and has been recognized by Cisco as an SE Wall of Fame award winner.

ISR USB Drive Configurations

With the release of 12.3(14)T code, Cisco routers shipped with a USB port gained the capability to use those ports for USB storage or eToken services. The USB storage feature enables certain models of Cisco routers to support USB flash modules and, with SmartCard technology (owned by Aladdin Knowledge Systems) in a USB key form factor (also referred to as a USB eToken), to provide secure access to a router. USB eTokens provide secure configuration distribution and allow users to store Virtual Private Network (VPN) credentials for deployment. USB flash drives allow users to store images and configurations external to the router. Some of the advantages this provides customers are:

  1. Portable credential storage for Virtual Private Network (VPN) RSA key pairs with the eToken. Provides off-platform storage and generation of VPN credentials. Encryption keys are loaded when the eToken is plugged in and removed when the eToken is removed.
  2. Secure configuration storage and distribution with the eToken. Easy, secure distribution of encryption keys and pre-shared keys. Provision a bootstrap configuration onto the eToken and send the token to the location. The router loads the bootstrap configuration from the eToken when turned on, or merges the configuration when the eToken is plugged into a running router.
  3. Portable storage for images and configuration distribution via USB flash drives. Plug the flash drive into the router and turn the router on; the router loads the bootstrap configuration, or you copy the configuration from the flash drive. Cisco IOS images can be copied from and to the USB flash file system.

The ISR’s USB implementation functions as a USB host that supports both USB 1.1 and USB 2.0 devices. It supports low-speed (1.5 Mbps) and full-speed (12 Mbps) devices using the FAT16 file system, which is compatible with Microsoft Windows. The ISR’s USB ports do not support high-speed (480 Mbps) operation; however, USB 2.0 high-speed flash drives fall back to full speed when high speed is not supported.

USB ports are supported on all routers that have one, including the Cisco 871, Cisco 1800 series, Cisco 2800 series, and Cisco 3800 series routers. Two USB ports are found on the 3800 series, 2851, 2821, 2811, 871, 1811 and 1812 routers; one USB port is found on the Cisco 2801 and Cisco 1841 routers. As mentioned earlier, USB support on ISR routers covers two types of USB devices: USB flash drives and USB eTokens.

USB eToken support uses the eToken Pro key sold by Aladdin Knowledge Systems (http://www.ealaddin.com/etoken/cisco), and the USB flash module is a hardware device sold by Cisco; only the following part numbers are supported:

  • 64 MB – MEMUSB-64FT
  • 128 MB – MEMUSB-128FT
  • 256 MB – MEMUSB-256FT 

So what’s the difference between the USB flash drive and the USB eToken? Below is a comparison chart detailing the differences between the devices:

So let’s examine how we manage and use the USB flash drive. When the USB flash drive is first plugged into the router, the router logs syslog messages indicating that the drive has been inserted into the chassis:

To view the contents of the USB drive, use the ‘dir usbflash0:’ command. The router lists the contents of the drive when this command is issued. An example is provided below:

Since the flash drive is disk space, it can be formatted just like any other disk. This can be seen below:

You can also use USB flash to transfer an image to the flash: file system and then boot the image from flash. You can use either the router or a PC to put the image on the USB flash. In the example below I copy an image from the USB flash to the router’s flash file system:
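The USB flash workflow described above (list, format, copy an image, save a configuration), as an added example not taken from the original post. The image name c2800nm-advsecurityk9-mz.bin and the hostname are placeholders; the commands are standard Cisco IOS.

```cisco
! Added example (not from the original post): managing a USB flash drive from the ISR CLI.
! The image filename below is a placeholder.
!
! 1. Confirm the router sees the device, then list its contents
Router# show usb device
Router# dir usbflash0:
!
! 2. Format the drive (destroys everything on it; USB flash is FAT16)
Router# format usbflash0:
!
! 3. Copy an IOS image from the USB flash into the router's flash: file system
Router# copy usbflash0:c2800nm-advsecurityk9-mz.bin flash:
!
! 4. Check the copied image's checksum before trusting it as a boot image
Router# verify flash:c2800nm-advsecurityk9-mz.bin
!
! 5. Boot from the copied image on the next reload
Router# configure terminal
Router(config)# boot system flash:c2800nm-advsecurityk9-mz.bin
Router(config)# end
Router# write memory
!
! 6. Keep an off-box copy of the configuration on the USB flash
Router# copy running-config usbflash0:router-backup.cfg
```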

Once you remove the USB flash drive, the router logs a couple of syslog messages letting you know the drive has been removed.

So what about the USB eToken? Do you configure it in the same manner? Not exactly, but some of the commands used to manage the USB flash can also be used with the eToken; you substitute the token<0-9> file system for flash<0-9>. For example, the following sample output displays directory information for the eToken:

To use and store credentials on the eToken, the steps are a little more involved than with the flash drive. They are outlined below:

  1. Plug the eToken into the router
  2. Log in to the eToken using the provided PIN
  3. Generate the key pair with the CLI
  4. Write memory: the credentials are stored on the eToken instead of private NVRAM

The credentials can be generated on a different router than the one the eToken is plugged into, and the directory and key files are hidden from the IOS CLI, even when the eToken is logged in. There are two ways to log in to the eToken: manual and automatic. With automatic login, a PIN is created and configured through the router’s configuration. The PIN is stored in the private configuration, so it is not visible in the startup or running configuration.

The command to configure manual login to the eToken is listed below. This command can be issued from exec or enable mode.

Next we will need to generate our keys and enroll with the CA. This is shown below:

After enrolling with the CA, we need to store our credentials on the eToken instead of NVRAM. This is done with the ‘wr mem’ command.

So let’s look at a full example. This router started without any keys defined, so we will first generate the needed keys.

Next we will enroll our router with the CA server and then issue the ‘wr mem’ command to store the key on the eToken.

Once this is complete, you can create your VPN using the stored credentials. The steps to get your VPN up and running with the eToken are as follows:

  1. User plugs in the eToken
  2. Log in to the eToken: automatically or from the CLI
  3. Router initiates the VPN tunnel using the stored credentials
  4. User is connected to the VPN
  5. User removes the eToken
  6. Router tears down the VPN tunnel after the timeout

One thing to note is that the crypto keys use the default ISAKMP timeout to re-key the credentials. If you want to change this period, use the following command to set the timeout that applies after the eToken is removed. The following tears down the VPN tunnel 10 seconds after the eToken is removed:
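The full eToken sequence from the example above (log in, generate keys, enroll, write memory) together with the removal timeout just described, as an added example that is not part of the original post. The trustpoint name ETOKEN-CA, the CA URL and the PIN value are placeholders; "default" is the token name IOS uses for the eToken in usbtoken0:, and the assumption, as the post states, is that write memory after a token login stores the credentials on the token rather than in NVRAM.

```cisco
! Added example (not from the original post): storing router credentials on a USB eToken
! and tying the VPN's lifetime to the token. Trustpoint name, CA URL and <pin> are placeholders.
!
! 1. Insert the eToken and log in. Manual login from privileged EXEC ...
Router# crypto pki token default login <pin>
!
! ... or automatic login: the PIN goes into the private configuration, so it does not
!     appear in show running-config or show startup-config
Router# configure terminal
Router(config)# crypto pki token default user-pin 0 <pin>
!
! 2. Generate the RSA key pair while the token is logged in
Router(config)# crypto key generate rsa general-keys modulus 2048
!
! 3. Define the trustpoint, fetch the CA certificate and enroll
Router(config)# crypto pki trustpoint ETOKEN-CA
Router(ca-trustpoint)# enrollment url http://ca.example.com:80
Router(ca-trustpoint)# exit
Router(config)# crypto pki authenticate ETOKEN-CA
Router(config)# crypto pki enroll ETOKEN-CA
!
! 4. Tear the VPN down 10 seconds after the eToken is pulled, instead of
!    waiting for the default ISAKMP timeout
Router(config)# crypto pki token default removal timeout 10
Router(config)# end
!
! 5. Save: with the token logged in, the credentials are written to the eToken, not NVRAM
Router# write memory
!
! 6. Confirm the token file system is present (the key files themselves stay hidden)
Router# dir usbtoken0:
```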

Also, once you pull the eToken, the router displays a number of syslog messages notifying you that it has been removed:
