• Consent Token is enabled by default and cannot be disabled.

• After the challenge has been sent from the device, the response needs to be entered within 30 minutes. If it is not entered, the challenge expires and a new challenge must be requested.

• A single response is valid only for one time for a corresponding challenge.

• The maximum authorization timeout for root-shell access is seven days.

• After a switchover event, all the existing Consent Token based authorizations would be treated as expired. You must then restart a fresh authentication sequence for service access.

• Only Cisco authorized personnel have access to Consent Token response generation on Cisco's challenge signing server.

• In System Shell access scenario, exiting the shell does not terminate authorization until the authorization timeout occurs or the shell authorization is explicitly terminated by the consent token terminate authorization command.

  We recommend that you force terminate System Shell authorization by explicitly issuing the Consent Token terminate command once the purpose of System Shell access is complete.

In some debugging scenarios, the Cisco TAC engineer may have to collect certain debug information or perform live debug on a production system. In such cases, the Cisco TAC engineer will ask you (the network administrator) to access system shell on your device. Consent Token is a lock, unlock and re-lock mechanism that provides you with privileged, restricted, and secure access to the system shell.

When you request access to system shell, you need to be authorized. You must first run the command to generate a challenge using the Consent Token feature on your device. The device generates a unique challenge as output. You must then copy this challenge string and send it to a Cisco Authorized Personnel through e-mail or Instant Message.

The Cisco Authorized Personnel processes the unique challenge string and generates a response that is unique. The Cisco Authorized Personnel copies this response string and sends it to you through e-mail or Instant Message.

You must then input this response string into your device. If the challenge-response pair match, you are authorized to access system shell. If not, an error is displayed and you are required to repeat the authentication process.

Once you gain access to system shell, collect the debug information required by the Cisco TAC engineer. After you are done accessing system shell, terminate the session and continue the debugging process.

The Cisco IOS XE secure boot functionality ensures that only Cisco signed software is loaded on a Cisco IOS XE platform. Before introducing the dev-key install functionality, Cisco IOS XE platforms are shipped with Dev Public Key and Release Public Key. These keys are used to validate the images signed by corresponding private keys. The subset of Cisco IOS XE platforms which support dev-key install functionality are shipped only with Release Public Key without a Dev Public Key. With this change in the functionality, an image that is signed with a Dev Private Key will not boot due to the absence of Dev Public Key for image verification. However, for some reason, if the Cisco IOS XE device is shipped back to Cisco, a Product Return and Replacement (RMA) specialist may need to load an image signed with Dev Private Key. This requires the RMA specialist to install a Dev Public Key on the device to ensure that the verification of the image signed with Dev Private key passes. To install the Dev Public Key, use the commands mentioned in the following section.

To turn on or turn off the consent token, use the following debug commands:

• debug platform software consent-token all

• debug platform software consent-token errors