Configure Catalyst Center Remote Support Authorization Feature

Available Languages

Download Options

  • PDF     (1.0 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (1.1 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (816.0 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:June 10, 2026
Document ID:220313

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes how to setup the Remote Support Authorization feature in Cisco's Catalyst Center (formerly Cisco's DNA Center).

Prerequisites

To fully utilize the Remote Support Authorization feature in the Cisco Catalyst Center, certain criteria must be met:

  • Cisco Catalyst Center must be version 2.3.7.6 or higher.
  • The Support Services package must to be installed in Cisco Catalyst Center.
  • Allow remote authorization support through the firewall or proxy.
note-icon

Note: Remote Support Authorization was introduced in Cisco Catalyst Center version 2.3.3.x, however, it has limited functionality. Only network device access is permitted and Cisco Catalyst Center CLI access is not present in the earlier version. Cisco Catalyst Center version 2.3.7.6+ offers web UI proxy access, role-based access control (RBAC) profiling, and passwordless command access.

Description

Cisco RADKit provides secure interactive connectivity to remote terminals and Web UIs. The Cisco RADKit features are integrated into the Cisco Catalyst Center and are referenced as Remote Support Authorization. When users utilize the Remote Support Authorization feature, users can have Cisco TAC Remote in their Cisco Catalyst Center environment to help gather information or troubleshoot issues. This helps reduce the amount of time users must sit on video calls as TAC investigates issues that have occurred.

Limitations

The current version of Remote Support Authorization have these limitations compared to the RADKit standalone version:

  • When the support engineer executes the "maglev", "sudo" or "rca" commands on your Cisco Catalyst Center, they prompt for credentials. Remote Support Authorization does not automate the handling of these credentials, so, you must share these credentials with the support engineer (Feature added in Cisco Catalyst Center 2.3.7.6+).
  • Through the Remote Support Authorization service, it is not possible to connect to the Graphical User Interface (GUI) of network devices.
  • It is not possible to provide remote access to devices that are not in the Cisco Catalyst Center inventory but that must be necessary for troubleshooting (for example ISE).
  • It is not possible to provide remote access to wireless access points, even when they are in the Cisco Catalyst Center inventory.
  • Remote access is limited to 24 hours at a time until version 2.3.7.9 and from 2.3.7.10 the limit is 4 days.
  • By creating an authorization, you allow access to all devices in the Cisco Catalyst Center inventory. It is not possible to restrict access to certain network devices.

To overcome these limitations, you can consider installing the standalone RADKit service instead. Installation is available for Windows, Mac, and Linux. For more information, refer to: RADKit

Network Connectivity

Cisco Catalyst Center connects to the Cisco RADKit connector over AWS. The Cisco RADKit connector is built into the Remote Support Authorization feature. TAC connects to the Cisco RADKit connector over AWS and uses a Cisco RADKit client. Once a Support ID is generated by the Cisco Catalyst Center environment, the Cisco RADKit client uses the Support ID to connect to the Cisco Catalyst Center.

RADKit Architecture

Set Up Remote Support Authorization

For Remote Support Authorization to be enabled to allow TAC engineer to engage remotely, these steps must be completed:
1. Ensure the firewall allows the required URL.
2. Install the Support Services package.
3. Configure the SSH credentials for the Remote Support Authorization workflow (No longer required in Cisco Catalyst Center versions 2.3.7.6+).
4. Create a new authorization.


Step 1

1. For Remote Support Authorization to work, the Cisco Catalyst Center connector must communicate with the AWS connector. To ensure this communication, this URL must be allowed through the firewall if one is configured: Prod RADKit

tip-icon

Tip: For more information on specific ports and URLs that are required to be allowed/open for Cisco Catalyst Center features to work, review the Plan the Deployment section of the Installation Guide.

Step 2

1. After a fresh install or an upgrade of the Cisco Catalyst Center version 2.3.5.x or higher is completed, the Support Services package must be manually installed. This is an optional package and is not installed by default.

2. Navigate to the Cisco Catalyst Center UI.

3. From the Home screen of the Cisco Catalyst Center UI, select the Cloud Icon at the top-right of the screen and choose Go to Software Management.

Software Management

4. Once on the Software Management page, you can see the current installed release and any available release(s) to upgrade to (and any available optional packages).

5. The Support Services package is an optional package and is not installed automatically after a completed fresh install or an upgrade where the package was not previously deployed.

6. Click the box for the Support Services Package under the available packages list, then click the Install button on the bottom-right of the screen.

Catalyst Center

7. A pop-up window appears for a dependency check for the selected package(s).

8. When the check is finished, choose Continue.

9. The selected package(s) then begins to install. The length of this process depends on the number of packages currently in the deployment process. As the package is in the deployment process, an orange banner appears at the top of the screen that states Automation and Assurance services have been temporarily disrupted. This occurs due to the new support-service pod this is created and is in the process of boot up.

Catalyst Center - Support Services

10. After roughly 10 to 20 minutes, the new pod is in a fully up state and the Support Services package installation completes. Once the package has been installed, refresh the browser, and proceed to Step 3.

Step 3

  1. Full access to the Remote Support Authorization feature requires that the SSH credentials be configured in the Remote Support Authorization settings. Without these credentials defined, the TAC is not be able to utilize Cisco RADKit to troubleshoot remotely.
  2. To configure the SSH credentials, navigate to the Question Mark icon on the top-right of the Cisco Catalyst Center UI.
  3. From the list, choose Remote Support Authorization.
note-icon

Note: The Remote Support Authorization only shows after the Support Services package is installed and the browser has been refreshed. Refer to Step 2 on how to complete this.

note-icon

Note: SSH credentials no longer need to be configured in the Remote Support Authorization page starting in version 2.3.7.6 and above. This is part of the new passwordless feature. Cisco Catalyst Center pulls the credentials stored internally and no credentials must  be configured or shared to TAC engineers.

Spoiler
Remote Support Authorization

4. Next, you are redirected to the Remote Support Authorization page. As this is the first time accessing this page after installation of the Support Services package, you only see the Create New Authorization screen.

Step 4

1. Choose Create a Remote Support Authorization.

Create a Remote Support Authorization

2. You are redirected to the Access Permission Agreement page. This page has two options:

  • New VTY connections between Cisco Catalyst Center and the devices managed in Inventory.
  • Access to the CLI of the Cisco Catalyst Center appliance(s)

3. To establish an SSH connection with the network devices managed by Cisco Catalyst Center, the first option must be selected. If this option is not selected, TAC engineers cannot SSH into the devices with Cisco RADKit.

4. To establish an SSH connection to the Cisco Catalyst Center appliance(s), the second option must be selected. If this option is not selected, TAC engineers cannot access the Cisco Catalyst Center with Cisco RADKit. For the best use of the Remote Support Authorization feature, it is recommended to select both options.

5. After the desired options are selected, click Next.

Access Permission Agreement

6. Next, you are redirected to a workflow page to start the setup of the authorization. You must enter the TAC engineer(s) email address and their access role. For example: “ciscotac@cisco.com” and "OBSERVER-ROLE". These two fields are optional:

  • Existing SR Number(s)
  • Access Justification

7. If you have an open TAC Service Request, enter that Service Request number in the Existing SR Number(s) field.
If you have additional documentation for the Remote Support Authorization, add that in the Access Justification field such as, “Required by the TAC to help troubleshoot an issue seen”.

8. Click Next.

note-icon

Note: The ability to use the GUI to generate the RCA or mini-RCA, run validation tool checks, or run any reports is disabled for the OBSERVER-ROLE access as this is a read-only role.

Setup the Authorization

9. Now, you are redirected to the Schedule the Access step. You must either choose Now or Later. You can start the authorization immediately or schedule the authorization in advance.

note-icon

Note: The authorization can only be scheduled in advanced for up to 30 days from the current date the authorization request was created.

note-icon

Note: Authorization requests are set for 24 hours. Although, authorizations can be cancelled early; the duration cannot be changed from 24 hours.

Schedule the Access

10. You are redirected to the Summary page, which lists the configuration changes with the Create a Remote Support Authorization workflow. Review and confirm the settings are correct. If the settings are correct, click Create.

Summary

11. Click Create to proceed to the final step. You are redirected to a page that states the authorization has been created. Key items on this page include:

  • TAC engineer email address
  • Scheduled start time and duration of the authorization
  • Support ID
note-icon

Note: The TAC engineer requires the Support ID to connect with the Cisco RADKit client to attach the authorization request. Copy the information provided and send it to the TAC engineer.

Authorization Created

12. From this page you have the option to choose Create Another Authorization, View All Authorizations, View Activity Page, or View Workflows.

13. If another authorization does not need to be created, you can choose View All Authorizations to see all current and past authorizations.

  • View Activity Page redirects you to the Audit Logs page.
  • View All Authorizations redirects you to the Current Authorizations page on the Remote Support Authorization section.
  • You can view All, Scheduled, or Active authorizations.
  • Click on an authorization to open a side window that displays the settings configured with the Create a Remote Support Authorization workflow.

Current Authorizations

14. You can cancel an authorization or view audit logs of what the TAC engineer has done with your deployment. You can choose to switch to the Past Authorizations tab to view historical information on previous authorizations.

15. Choose View Logs to be redirected to the Audit Logs page. From the Audit Logs page, you can choose Filter, then filter by Description with the email address of the TAC engineer.

Filter by TAC Engineer


16. Choose Apply. This adds a filter based on the TAC engineer(s) email address and it shows the description of the audit logs when Cisco RADKit is used to remote into the deployment.

Audit Logs by TAC Engineer

More Audit Logs by TAC Engineer


17. From the audit logs you can see what the TAC engineer did and when they signed on.  

warning-icon

Warning: Remote Support Authorization feature of Cisco Catalyst Center version 2.3.7.6 is tested with Cisco RADKit client 1.6.11.

Step-by-Step Video Guide

Refer to the link to view a video created as a step-by-step guide:

Revision History

Revision Publish Date Comments
5.0
10-Jun-2026
Updated spelling, grammar, sentence structure, spacing, numbering, alt text on pictures, and updated notes and tips for alignment purposes.
4.0
13-Aug-2024
Update Cisco DNA Center to Cisco Catalyst Center. Updated the title. Updated the doc to display the new workflow for enabling on 2.3.7.6+
3.0
01-Mar-2024
Added "limitations" section
2.0
07-Apr-2023
Initial Release
1.0
29-Mar-2023
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Matthew Flesch
    Customer Delivery Engineering Technical Leader
  • Herbert Baerten
    Customer Delivery Engineering Technical Leader

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products