cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
766
Views
2
Helpful
3
Replies

RADKit case study: Passwordless RADKit Service GUI Access Guide

lindawa
Cisco Employee
Cisco Employee

Introduction

 

In this document, we will discuss a typical radkit use case and how to enable password-less access to the RADKit service GUI through HTTP proxy by incorporating the RADKit service as an device within the RADKit device inventory.

 

Problem

Consider the scenario where a partner is responsible for managed services across various customers. The partner's objective is

to administer and operate the RADKit service on their customers' behalf. A question arises: how can they efficiently onboard  new network devices from customer's network into the RADKit device inventory or facilitate RADKit remote user provisions remotely when working with TAC, without the reliance on VPN, in order to access the RADKit service GUI for configuration and management?

 

Solution

We will now outline the proposed solution and the procedure to address this challenge. 

In my lab setup where the RADKit service is running and operational, connection to the corporate VPN is a prerequisite for access initially. 

(Lab RADKit version was 1.6.5 when I wrote this doc, FYI.)

Then, the following steps will enable you to access RADKit service GUI without the need for VPN connectivity:

  1. Navigate to the "Devices" section and select the "Add Device" option.

    radkit-add deviceradkit-add device




























    2. Input the necessary information, ensuring that "RADKit Service" is chosen from the device type dropdown list. Enter the host management IP as 127.0.0.1, which denotes the localhost. Appropriate Role-Based Access Control (RBAC) labels should be selected. Tick the HTTP option under management protocols, and remember to alter the default port to 8081. Here we recommend use other admin users other than superadmin for security considerations. Conclude by clicking "Add & Close."
    onboarding RADKit serviceonboarding RADKit service






































    3. Next, activate the HTTP proxy feature via the RADKit network console or the RADKit client application. We can leverage http proxy for password-less GUI access (e.g. DNAC, WLC, ISE, APIC and more). Here are the steps to Enable HTTP Proxy: 

1.From Radkit Network Console, enter proxy start http 4001 (Network Console) or client.start_http_proxy(4001) via Radkit Client (You can define different ports which is not in use from your laptop, note that ports 1-1023 may require extra privileges.)

2.Here make sure you follow the instruction for browser's proxy configuration. Copy the PAC URL and put it in Firefox Settings > Network Settings > Automatic Proxy Configuration URL.

3.Now open https://index.proxy/

4.GUI of the devices can be accessed from there (It will end with http.proxy).

Following example is from network console: 

 

 

[lindawa@s2ld-twxy-gsa5] 696786054> proxy start http 4002
HTTP proxy is NOT PROTECTED by username/password
[RUNNING] <radkit_client.sync.port_forwarding.ProxyPortForwarder object at 0x1305342b0>
----------  -------
status      RUNNING
local_port  4002   
#active     0      
#failed     0      
#closed     0      
#total      0      
protocol    HTTP   
bytes up    0      
bytes down  0      
exception   None   
----------  -------

Use this PAC URL for proxy auto-configuration: https://prod.radkit-cloud.cisco.com/pac?port=4002&protocol=HTTP
Then navigate to: https://index.proxy/

[lindawa@s2ld-twxy-gsa5] 696786054> 

 

 

4. Now let's open  https://index.proxy/ and start to access to my RADKit service without vpn (see in the screenshots, VPN is disconnected. )

No VPN connectedNo VPN connectedhttp index proxy pagehttp index proxy page


























 

Known caveats:

Symptom:

Some times, when you click on "Go to web page", it may take you to login page(as shown in screenshot below). 
password-less brokenpassword-less broken

























Workaround:

Please go back to the index.proxy page, select the service, and click on "Reset" button to reset the session. Then click on "Go to web page" the password-less GUI access should work. 

This defect will be fixed in upcoming releases. 
Screenshot 2024-03-27 at 11.44.11 pm.png




















In summary, In this use case, we demonstrated that partner engineers can access RADKit service GUI in order to onboard more devices to RADKit, or provision new remote users wen needed via http proxy feature. Partners don't have to physically go on site in order to operate or manage RADKit service, also no VPN is required. 


accessing radkit service gui without vpn, in password less wayaccessing radkit service gui without vpn, in password less way

3 Replies 3

andriio
Level 1
Level 1

we have this after upgrade to freshest release

andriio_0-1712847501229.png

 

Hello andriio,

I will be assisting you with the reported issue however I will reach out via PM as I will need to request details and logs. When/if issue is identified, I will post on here for posterity.

@andriio - PM has been sent.