Introduction
In this document, we will discuss a typical radkit use case and how to enable password-less access to the RADKit service GUI through HTTP proxy by incorporating the RADKit service as an device within the RADKit device inventory.
Problem
Consider the scenario where a partner is responsible for managed services across various customers. The partner's objective is
to administer and operate the RADKit service on their customers' behalf. A question arises: how can they efficiently onboard new network devices from customer's network into the RADKit device inventory or facilitate RADKit remote user provisions remotely when working with TAC, without the reliance on VPN, in order to access the RADKit service GUI for configuration and management?
Solution
We will now outline the proposed solution and the procedure to address this challenge.
In my lab setup where the RADKit service is running and operational, connection to the corporate VPN is a prerequisite for access initially.
(Lab RADKit version was 1.6.5 when I wrote this doc, FYI.)
Then, the following steps will enable you to access RADKit service GUI without the need for VPN connectivity:
-
Navigate to the "Devices" section and select the "Add Device" option.
radkit-add device
2. Input the necessary information, ensuring that "RADKit Service" is chosen from the device type dropdown list. Enter the host management IP as 127.0.0.1, which denotes the localhost. Appropriate Role-Based Access Control (RBAC) labels should be selected. Tick the HTTP option under management protocols, and remember to alter the default port to 8081. Here we recommend use other admin users other than superadmin for security considerations. Conclude by clicking "Add & Close."onboarding RADKit service
3. Next, activate the HTTP proxy feature via the RADKit network console or the RADKit client application. We can leverage http proxy for password-less GUI access (e.g. DNAC, WLC, ISE, APIC and more). Here are the steps to Enable HTTP Proxy:
1.From Radkit Network Console, enter proxy start http 4001 (Network Console) or client.start_http_proxy(4001) via Radkit Client (You can define different ports which is not in use from your laptop, note that ports 1-1023 may require extra privileges.)
2.Here make sure you follow the instruction for browser's proxy configuration. Copy the PAC URL and put it in Firefox Settings > Network Settings > Automatic Proxy Configuration URL.
3.Now open https://index.proxy/
4.GUI of the devices can be accessed from there (It will end with http.proxy).
Following example is from network console:
[lindawa@s2ld-twxy-gsa5] 696786054> proxy start http 4002
HTTP proxy is NOT PROTECTED by username/password
[RUNNING] <radkit_client.sync.port_forwarding.ProxyPortForwarder object at 0x1305342b0>
---------- -------
status RUNNING
local_port 4002
#active 0
#failed 0
#closed 0
#total 0
protocol HTTP
bytes up 0
bytes down 0
exception None
---------- -------
Use this PAC URL for proxy auto-configuration: https://prod.radkit-cloud.cisco.com/pac?port=4002&protocol=HTTP
Then navigate to: https://index.proxy/
[lindawa@s2ld-twxy-gsa5] 696786054>
4. Now let's open https://index.proxy/ and start to access to my RADKit service without vpn (see in the screenshots, VPN is disconnected. )
Known caveats:
Symptom:
Some times, when you click on "Go to web page", it may take you to login page(as shown in screenshot below). 
Workaround:
Please go back to the index.proxy page, select the service, and click on "Reset" button to reset the session. Then click on "Go to web page" the password-less GUI access should work.
This defect will be fixed in upcoming releases.
In summary, In this use case, we demonstrated that partner engineers can access RADKit service GUI in order to onboard more devices to RADKit, or provision new remote users wen needed via http proxy feature. Partners don't have to physically go on site in order to operate or manage RADKit service, also no VPN is required.
