This document describes configuration steps required to successfully register Cisco Connected Grid Router 1000 (CGR 1000) with Connected Grid Operating System (CGOS) to Field Network Director (FND) as a Field Device. Before a router is registered to the FND, it must meet several pre-requisites that include enrollment in Public Key Infrastructure (PKI) and custom configuration. In addition to this, a sanitized sample configuration will be included.
Contributed by Ryan Bowman, Cisco TAC Engineer.
Cisco recommends that you have knowledge of these topics:
CG-NMS/FND application server 1.0 or later installed and running with web UI access available.
Tunnel Provisioning Server (TPS) proxy server installed and running.
Oracle database server installed and correctly configured.
setupCgms.sh successfully run at least once with a successful first-time db_migrate.
DHCPv4 and DHCPv6 server(s) already configured and available with proxy settings saved on the Admin > Provisioning Settings page of the FND web User Interface (UI).
The device .csv file should have already been imported to the FND and the device should be in 'unheard' status.
The information in this document is based on these software and hardware versions:
Software-based SSM (also 3.0.1-36)
cgms-tools package installed in application server (3.0.1-36)
All Linux servers running RHEL 6.5
All Windows servers running Windows Server 2008 R2 Enterprise
CSR 1000v running on a VM as head-end router
CGR-1120/K9 used as Field Area Router (FAR) with CG-OS 4(3)
A controlled FND lab environment was used during the creation of this document. While other deployments will differ, you should adhere to all minimum requirements from the installation guides.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Step-by-Step Configuration and Enrollment
1. Configure the device hostname.
2. Configure the domain-name.
3. Configure the DNS server(s).
4. Configure and verify time/NTP.
5. Bring up the cellular cards and/or Ethernet interfaces. Ensure that all necessary interfaces have their IP addresses and that the router has a gateway of last resort.
6. Create the Loopback 0 interface and verify that it has IPv4 and IPv6 addresses. In order for the FND to successfully provision the Loopback 0 interface, it must already exist with addresses. You can use "throwaway" IPs because they will be replaced after tunnel provisioning.
7. Create your trustpoint enrollment profile (This is the direct URL for the Simple Certificate Enrollment Protocol (SCEP) enrollment webpage on your RSA Certificate Authority (CA). If you use a Registration Authority, the URL will be different):
Router(config)#crypto ca profile enrollment LDevID_Profile
Router(config-enroll-profile)#enrollment url http://networkdeviceenrollmentserver.your.domain.com/CertSrv/mscep/mscep.dll
8. Create your trustpoint and bind the enrollment profile to it.
9. Authenticate your trustpoint with the SCEP server.
Router(config)#crypto ca authenticate LDevID
Trustpoint CA authentication in progress. Please wait for a response...
2017 Mar 8 19:02:00 %$ VDC-1 %$ %CERT_ENROLL-2-CERT_EN_SCEP_CA_AUTHENTICATE_OK: Trustpoint LDevID: CA certificates(s) authenticated.
10. Enroll your trustpoint in Public Key Infrastructure (PKI).
Router(config)#crypto ca enroll LDevID
Create the certificate request ..
Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Re-enter challenge password:
The serial number in the certificate will be: PID:CGR1120/K9 SN:JAF############
Certificate enrollment in progress. Please wait for a response...
2017 Mar 8 19:02:24 %$ VDC-1 %$ %CERT_ENROLL-2-CERT_EN_SCEP_ENROLL_OK: Trustpoint LDevID: Device identity certificate successfully enrolled to CA.
11. Verify your certificate chain.
Router#show crypto ca certificates
12. Configure SNMP parameters required for Callhome to work correctly.
Router(config)#snmp-server contact NAME
Router(config)#snmp-server user admin network-admin
Router(config)#snmp-server community PUBLIC group network-operator
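Before attempting registration, it is useful to check a saved running-config against steps 1 through 12 in one pass rather than eyeballing it. The following script is an added example and is not Cisco's code or part of the FND tooling; it parses a CG-OS configuration as plain text and reports which prerequisites (hostname, domain-name, DNS, NTP, gateway of last resort, Loopback 0 with IPv4 and IPv6 addresses, enrollment profile URL, trustpoint bound to the profile, SNMP contact/user/community) are present. The sample configuration is constructed, and the command syntax for the lines the page does not show (hostname, ip domain-name, ip name-server, ntp server, ip route, interface loopback0, crypto ca trustpoint) follows the NX-OS style that CG-OS uses and is an assumption. It also flags an SNMP community string of "public" or "private", since the placeholder PUBLIC above should be replaced with a site-specific value on a field router.

```python
"""Pre-registration checklist for a CG-OS router config before FND enrollment.

Added example (not Cisco's code): parses a saved CG-OS running-config as text
and reports which prerequisites from steps 1-12 are present. Command syntax
for checks the page does not show is assumed to follow NX-OS conventions.
"""
import re

# Constructed sample config: a router that is still missing its IPv6 loopback
# address and uses a weak SNMP community string. All values are made up.
SAMPLE_CONFIG = """\
hostname CGR1120-LAB
ip domain-name your.domain.com
ip name-server 10.0.0.53
ntp server 10.0.0.123
ip route 0.0.0.0/0 10.0.0.1
interface loopback0
  ip address 192.0.2.10/32
crypto ca profile enrollment LDevID_Profile
  enrollment url http://networkdeviceenrollmentserver.your.domain.com/CertSrv/mscep/mscep.dll
crypto ca trustpoint LDevID
  enrollment profile LDevID_Profile
snmp-server contact NAME
snmp-server user admin network-admin
snmp-server community PUBLIC group network-operator
"""

# Each check: (name, regex that must match at least one config line).
CHECKS = [
    ("hostname", r"^hostname \S+"),
    ("domain-name", r"^ip domain-name \S+"),
    ("dns-server", r"^ip name-server \S+"),
    ("ntp", r"^ntp server \S+"),
    ("default-route", r"^ip route 0\.0\.0\.0/0 \S+"),
    ("enrollment-profile-url", r"^\s*enrollment url https?://\S+"),
    ("trustpoint-bound-to-profile", r"^\s*enrollment profile \S+"),
    ("snmp-contact", r"^snmp-server contact \S+"),
    ("snmp-user", r"^snmp-server user \S+ \S+"),
    ("snmp-community", r"^snmp-server community \S+ group \S+"),
]


def loopback0_block(config):
    """Return the indented sub-commands under 'interface loopback0', if any."""
    block = []
    inside = False
    for line in config.splitlines():
        if re.match(r"^interface loopback0\s*$", line, re.IGNORECASE):
            inside = True
            continue
        if inside:
            if line.startswith(" "):
                block.append(line.strip())
            else:
                break  # next top-level command ends the interface block
    return block


def run_checks(config):
    """Return {check_name: True/False} for every prerequisite."""
    results = {}
    for name, pattern in CHECKS:
        results[name] = re.search(pattern, config, re.MULTILINE) is not None
    lo0 = loopback0_block(config)
    results["loopback0-ipv4"] = any(l.startswith("ip address ") for l in lo0)
    results["loopback0-ipv6"] = any(l.startswith("ipv6 address ") for l in lo0)
    return results


def missing(config):
    """Sorted list of prerequisite names that the config does not satisfy."""
    return sorted(name for name, ok in run_checks(config).items() if not ok)


def weak_snmp_communities(config):
    """Community strings a defender would not want left on a field router."""
    weak = {"public", "private"}
    found = re.findall(r"^snmp-server community (\S+)", config, re.MULTILINE)
    return [c for c in found if c.lower() in weak]


if __name__ == "__main__":
    for name, ok in run_checks(SAMPLE_CONFIG).items():
        print(f"{'OK  ' if ok else 'MISS'} {name}")
    print("weak SNMP communities:", weak_snmp_communities(SAMPLE_CONFIG))
```

Run it against the output of `show running-config` saved to a file; anything reported as MISS corresponds to a step above that still needs to be completed before step 13 and registration.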
13. Configure these basic Wireless Personal Area Network (WPAN) module settings.