Configure Remote Support Authorization in ISE 3.4

Introduction

This document describes how to configure Remote Support Authorization on Cisco Identity Services Engine (ISE) 3.4 to permit access from Cisco Agents.

Prerequisites

Requirements

Cisco recommends that you have basic knowledge of Cisco ISE®.

To setup the RADKit Service, the ISE Primary Administration Node must have HTTPS connectivity to prod.radkit-cloud.cisco.com either directly or through a configured proxy. Additionally, a valid CCO account is required.

Components Used

The information in this document is based on these software and hardware versions:

• Cisco ISE version 3.4 patch 2

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Configure

The Remote Support Authorization feature leverages Cisco RADkitto provide Cisco Specialists with secure, audited, remote access to select ISE nodes in your environment to streamline troubleshooting.

RADKit ISE Architecture Overview

RADKit is CSDL approved. CSDL is a Cisco process that reviews software for security risks, data privacy and third-party licensing compliance. RADKit underwent stringent security review: code quality and dependencies are analyzed throughout the development process; our services are constantly monitored. All data at rest or in transit is protected by industry standard algorithms (AES, RSA, SHA-2, ECDH…) and protocols (2-way authenticated TLS1.3, SSH) with industry-recommended parameters. 

RADKit only facilitates data transfer but nothing is collected nor stored by RADKit in the RADKit Cloud. It is just an efficient way for you to collect data and a more secure way to exchange data with your support engineer than sending emails or manually uploading to an SR. The only exception to this rule is the audit trail that we generate for your security, that is owned by you and that never leaves your system.

RADKit Service Setup

Navigate to Operations > Support > Remote Support Authorization. Enter your Cisco SSO associated email address for authentication.

Initial Remote Support Authorization page where Email entry required

After the Remote Support Authorization service starts, click Complete SSO Authentication.

After entering Email, button appears to Complete SSO Authentication

Click Accept on the newly opened window to complete the authorization to the Cisco RADkit Cloud.

SSO Authentication Page where Authorization completed

Configure a Remote Support Authorization

Click Create A Remote Support Authorization to configure a remote access session.

After authentication, option to Create Remote Support Authorization appears

Enter the email address of the Cisco Specialist that you want to provide access to. Select Observer (Read-Only) to provide read-only access to the Cisco Specialist, or Admin (Read-Write)to provide full read-write access to the Cisco Specialist. If this access is related to an existing TAC Service Request, you can enter the SR number as well as any other justification for the remote access. Click Next after entering the required information.

Note: Providing the SR numbers allows TAC to upload the collected logs automatically without any intervention. As well, this helps documenting the remote connection and commands in the SR.

First page of Authorization creation

Schedule the duration and timing for the remote authorization. To schedule the access immediately, select Now. To schedule the access for a later date or time, select Scheduled and set the required information in Start Date and Start Time. Click Next after entering the required information.

Second page of Authorization creation

Select each ISE node that you would like to give access to. To enable remote CLI access to the nodes, select I Agree to give access to CLI. To enable remote UI access to the nodes, select I Agree to give access to UI. Click Next after entering the required information.

Note: To provide UI access, you must configure a UI administrator username/password. This account is used to create a new admin user that the Cisco specialist uses to sign in with the specified access level, thus the entered account must have the required permissions to create a new admin account. The credentials must be for an internal admin user unless Active Directory is configured as a UI identity source in which case AD admin credentials can also be used.

Third page of Authorization creation

Click the copy icon to copy the remote support authorization information and provide this to the Cisco Specialist. Click Finish to finalize the remote access authorization.

Summary page of Authorization creation

Verify

You can verify all currently active remote support authorizations on the Current Authorizations tab. You can view any previous remote support authorizations on the Past Authorizations tab.

Verify Active Authorizations

To view CLI session audit logs for a node, navigate to Operations > Support > Troubleshoot > Download Logs, select the node you want to download the logs for, then select Debug Logs. All CLI sessions can be found in the radkit-session folder. Click on the file name to download the audit logs.

Note: CLI session monitoring must be done per node. Each node has its own radkit-session folder with specific audit logs for the node.

CLI Audit Logs

To view UI audit logs, you can use the audit reports in the ISE UI. Navigate to Operations > Reports > Audit > Administrator Logins to view any administrator logins to the UI or CLI. Navigate to Operations > Reports > Audit > Change Configuration Audit to view any changes made by administrators in the UI.

Note: Cisco Specialists that sign into the UI use username <user>-CustomerSupport where <user> is the username supplied in the remote support authorization. Cisco Specialists that sign into the CLI use username customersuppadmin if they have Admin (Read-Write) access, or customersuppreadonly if they have Observer (Read-Only) access.

Troubleshoot

To view logs on the container starting during the initial setup process where the email is entered on the UI, we need to view the ADE.log file. From the CLI, enter the show logging system ade/ADE.log tail command:

2025-05-20T14:21:07.670874-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] Container run status  
2025-05-20T14:21:07.818398-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] docker_container_running failed,current status: 
2025-05-20T14:21:07.821281-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] Starting Remote Support Authorization Service...
2025-05-20T14:21:07.824667-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] inside setup_radkit
2025-05-20T14:21:07.828862-05:00 ise-3-4-909-55 ADEOSShell[594468]: ADEAUDIT 2061, type=USER, name=RADKIT status, username=system, cause=Remote Support Authorization Service started., adminipaddress=10.201.229.55, interface=CLI, detail=Remote Support Authorization Service started.
2025-05-20T14:21:07.829439-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] inside docker_container_exists
2025-05-20T14:21:07.877488-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] inside docker_image_exists
2025-05-20T14:21:08.057775-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] Image exist with ID = d6a7d3665e920f00ca484d4f0060c9f3e76ec416c7dda7ff7fc81a60be97537a
2025-05-20T14:21:08.060665-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] Docker image exists
2025-05-20T14:21:08.063583-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] Docker image ise-radkit-service is already loaded.
2025-05-20T14:21:08.066214-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] Setting up radkit

ISE monitors the container to check if it is running and if the RADKit application is ready before marking the Remote Authorization Service as started.

2025-05-20T14:21:24.477946-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] Container run status  true
2025-05-20T14:21:24.800804-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] In isRadkitAppReady: App is not ready
2025-05-20T14:21:24.804531-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] ISE Radkit app is not ready,checking app status counter: 1
2025-05-20T14:21:27.859691-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] Container run status  true
2025-05-20T14:21:28.024853-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] In isRadkitAppReady: App is not ready
2025-05-20T14:21:28.028121-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] ISE Radkit app is not ready,checking app status counter: 2
2025-05-20T14:21:31.079596-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] Container run status  true
2025-05-20T14:21:31.232927-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] In isRadkitAppReady: App is not ready
2025-05-20T14:21:31.236149-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] ISE Radkit app is not ready,checking app status counter: 3
2025-05-20T14:21:34.287758-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] Container run status  true
2025-05-20T14:21:34.426699-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] In isRadkitAppReady: App is not ready
2025-05-20T14:21:34.429983-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] ISE Radkit app is not ready,checking app status counter: 4
2025-05-20T14:21:37.486192-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] Container run status  true
2025-05-20T14:21:37.621712-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] Remote Support Authorization Service started.

You can also check the status of the RADKit Service using the API call https://<ISE_PPAN>/api/v1/customersupport/checkstatus .

Output when RadKit Service is running

Output when RadKit Service is not running

To view the RADKit Service logs once the Remote Support Authorization Service is started, enter the show logging application radkit/service/service.log command. When the service is first started, some basic setup is done with the RADKit application.

2025-05-20T19:21:31.730Z INFO  | internal | MainThread <main> [] RADKit Service [version='1.6.12']
2025-05-20T19:21:31.731Z INFO  | internal | MainThread <main> [] STDIN is not a terminal; assuming --headless
2025-05-20T19:21:31.732Z INFO  | internal | MainThread <main> [] This RADKit release does not expire
2025-05-20T19:21:34.101Z INFO  | internal | MainThread radkit_service.database.service_db [DB] Creating new database file. [path=PosixPath('/radkit/service/service-db.json.encrypted')]
2025-05-20T19:21:34.102Z INFO  | internal | MainThread radkit_service.database.service_db [DB] Storing DB encryption key in credentials backend. [path=PosixPath('/radkit/service/service-db.json.encrypted')]
2025-05-20T19:21:34.104Z INFO  | internal | MainThread radkit_service.database.service_db [DB] Opening database. [path=PosixPath('/radkit/service/service-db.json.encrypted')]
2025-05-20T19:21:34.105Z INFO  | internal | MainThread radkit_service.backup [SYSTEM] Ensuring backup directory [backup_dir_path='/radkit/service/backups/20250520-192134_1.6.12']

The RADKit service which is available for connections is created.

2025-05-20T19:22:25.284Z INFO  | radkit_control/superadmin/184f89f8 | MainThread radkit_service.service [SYSTEM] Creating service
2025-05-20T19:22:25.655Z INFO  | radkit_control/superadmin/184f89f8 | MainThread Service(0x7F92596171D0) [AUDIT,SYSTEM] Starting RADKit Service [serial='xv3i-f2xi-kls6' log_dir=PosixPath('/radkit/logs/service')]
2025-05-20T19:22:25.664Z INFO  | radkit_control/superadmin/184f89f8 | MainThread SingleWebSocketForwarderClient(0x7F925BCE3390) [] Connecting to forwarder [forwarder_base_url='wss://prod.radkit-cloud.cisco.com/forwarder-3/' uri='wss://prod.radkit-cloud.cisco.com/forwarder-3/websocket/']
2025-05-20T19:22:25.679Z INFO  | radkit_control/superadmin/c5f2549f | MainThread radkit_service.webserver.middlewares.logging [AUDIT,FASTAPI] API call request [request_id='591020e2-cb1d-4406-8b95-d2f5dbcd5a04' url='/api/v1/auth/logout' request_method='POST' event_target='::1' event_target_port=8081 app_identifier='RADKit Service' protocol='https' source_location='radkit_control' event_source='::1' event_source_port=48122 peer_identity='superadmin']

When you add a remote support authorization in the GUI, the Cisco Specialist is created as a remote user.

2025-05-20T19:24:10.599Z INFO  | radkit_control/superadmin/5d496186 | MainThread DBOperationsAPI(0x7F9259646390) [AUDIT,DB] Creating remote user [username='mabramsk@cisco.com']
2025-05-20T19:24:10.600Z INFO  | radkit_control/superadmin/5d496186 | MainThread radkit_service.webserver.fastapi_endpoints.dependencies [AUDIT,FASTAPI] API call success [request_id='eb8879fd-3c0c-45d7-9733-6b7fcdc9f1aa' effects='Created a new remote user' username='mabramsk@cisco.com' labels=[(1, 'mabramsk-7a7675cc')]]

When the Cisco Specialist connects to the service and accesses an ISE node, it is shown in these logs.

2025-05-20T19:26:02.766Z INFO  | cloud-rpc/mabramsk@cisco.com/4Kkevny_ | MainThread RPCServer(0x7F925A1B9B10) [AUDIT,RPC] new RPC request [rpc_name='get-capabilities' identity='mabramsk@cisco.com' connection_type='CLOUD']
2025-05-20T19:26:03.033Z INFO  | cloud-rpc/mabramsk@cisco.com/4Kkevny_ | MainThread CapabilitiesResponder(0x7F92597C42D0) [AUDIT,RPC] user requested Capabilities
2025-05-20T19:26:03.117Z INFO  | cloud-rpc/mabramsk@cisco.com/4Kkevny_ | MainThread CapabilitiesResponder(0x7F92597C42D0) [RPC] finished handling capabilities request
2025-05-20T19:26:03.121Z INFO  | cloud-rpc/mabramsk@cisco.com/4Kkevny_ | MainThread RPCServer(0x7F925A1B9B10) [AUDIT,RPC] RPC request finished [rpc_name='get-capabilities' identity='mabramsk@cisco.com' connection_type='CLOUD']
2025-05-20T19:26:04.863Z INFO  | cloud-rpc/mabramsk@cisco.com/cjZPy-yR | MainThread EncryptedRPCServerTransportRequest(0x7F92598C3410) [RPC] New incoming end-to-end encrypted request. [tls_version='TLSv1.3' rpc_name='h2']
2025-05-20T19:26:04.864Z INFO  | cloud-rpc/mabramsk@cisco.com/cjZPy-yR.e2ee | MainThread H2MultiplexingRPCServerTransport(0x7F925A1B9550) [RPC] New incoming H2 multiplexed request.
2025-05-20T19:26:04.869Z INFO  | cloud-rpc/mabramsk@cisco.com/cjZPy-yR.e2ee.h2-1 | MainThread RPCServer(0x7F925A1B9B10) [AUDIT,RPC] new RPC request [rpc_name='get-basic-inventory' identity='mabramsk@cisco.com' connection_type='CLOUD']
2025-05-20T19:26:04.879Z INFO  | cloud-rpc/mabramsk@cisco.com/cjZPy-yR.e2ee.h2-1 | MainThread InventoryResponder(0x7F925A1B8810) [AUDIT,RPC] user requested inventory
2025-05-20T19:26:04.882Z INFO  | cloud-rpc/mabramsk@cisco.com/cjZPy-yR.e2ee.h2-1 | MainThread InventoryResponder(0x7F925A1B8810) [RPC] finished handling basic inventory request
2025-05-20T19:26:04.885Z INFO  | cloud-rpc/mabramsk@cisco.com/cjZPy-yR.e2ee.h2-1 | MainThread RPCServer(0x7F925A1B9B10) [AUDIT,RPC] RPC request finished [rpc_name='get-basic-inventory' identity='mabramsk@cisco.com' connection_type='CLOUD']
2025-05-20T19:26:26.083Z INFO  | cloud-rpc/mabramsk@cisco.com/cjZPy-yR.e2ee.h2-3 | MainThread RPCServer(0x7F925A1B9B10) [AUDIT,RPC] new RPC request [rpc_name='start-interactive-terminal' identity='mabramsk@cisco.com' connection_type='CLOUD']
2025-05-20T19:26:26.090Z INFO  | cloud-rpc/mabramsk@cisco.com/cjZPy-yR.e2ee.h2-3 | MainThread TerminalProxyRunner(0x7F9259795D50) [AUDIT,TERMINAL] interactive terminal request [device_uuid=UUID('1881cca5-9194-4625-a288-8cd9ee49440c') device_name='ise']
2025-05-20T19:26:26.146Z INFO  | cloud-rpc/mabramsk@cisco.com/cjZPy-yR.e2ee.h2-3 | MainThread SSHPTYStream.create [] connected to device over SSH [device='ise']
2025-05-20T19:26:26.198Z INFO  | cloud-rpc/mabramsk@cisco.com/cjZPy-yR.e2ee.h2-3 | MainThread radkit_service.session_log [] Session log initialized [filepath='/radkit/session_logs/service/20250520-192626-cjZPy-yR.e2ee.h2-3-SSH-ise.log']
2025-05-20T19:26:43.932Z INFO  | cloud-rpc/mabramsk@cisco.com/cjZPy-yR.e2ee.h2-3 | MainThread TerminalProxyRunner(0x7F9259795D50) [AUDIT,TERMINAL] device request finished [device_name='ise' device_uuid=UUID('1881cca5-9194-4625-a288-8cd9ee49440c')]
2025-05-20T19:26:43.935Z INFO  | cloud-rpc/mabramsk@cisco.com/cjZPy-yR.e2ee.h2-3 | MainThread RPCServer(0x7F925A1B9B10) [AUDIT,RPC] RPC request finished [rpc_name='start-interactive-terminal' identity='mabramsk@cisco.com' connection_type='CLOUD']

Once the remote authorization expires or is removed, the remote user is deleted from the RADKit service.

2025-05-20T19:26:55.195Z INFO  | radkit_control/superadmin/8fd4246f | MainThread radkit_service.webserver.fastapi_endpoints.remote_users [AUDIT,FASTAPI] Deleting remote user [router='remote-users' username='mabramsk@cisco.com']
2025-05-20T19:26:55.196Z INFO  | radkit_control/superadmin/8fd4246f | MainThread radkit_service.webserver.fastapi_endpoints.remote_users [AUDIT,FASTAPI] API call success [router='remote-users' effects='Deleted remote user' username='mabramsk@cisco.com']

Related Information

• Cisco Identity Services Engine Administrator Guide, Release 3.4
• Release Notes for Cisco Identity Services Engine, Release 3.4