在ISE 3.4中配置遠端支援授權
簡介
本文檔介紹如何在3.4上配置遠端Cisco Identity Services Engine (ISE)支援授權以允許從Cisco代理進行訪問。
必要條件
需求
思科建議您瞭解Cisco ISE®的基本知識。
要設定RADKit服務,ISE主管理節點必須直接或通過已配置的代理與prod.radkit-cloud.cisco.com建立HTTPS連線。此外,需要有效的CCO帳戶。
採用元件
本文中的資訊係根據以下軟體和硬體版本:
- Cisco ISE版本3.4補丁2
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。
設定
遠端支援授權功能利用Cisco RADkit為思科專家提供安全、經過稽核的遠端訪問,以選擇您環境中的ISE節點,從而簡化故障排除。
RADKit ISE架構概述
RADKit已獲得CSDL的批准。CSDL是一個思科流程,用於審查軟體的安全風險、資料隱私和第三方許可合規性。RADKit經過了嚴格的安全審查:整個開發過程中都要分析代碼品質和依賴關係;我們的服務不斷受到監控。所有靜止或傳輸中的資料都受行業標準演算法(AES、RSA、SHA-2、ECDH...)和協定(雙向身份驗證TLS1.3、SSH)以及行業推薦引數的保護。
RADKit僅方便資料傳輸,但RADKit不會在RADKit雲中收集或儲存任何內容。這只是您收集資料的一個有效方式,以及與您的支援工程師交換資料的一種比傳送電子郵件或手動上傳到SR更安全的方法。此規則的唯一例外是我們為您的安全生成的稽核跟蹤,它屬於您所有,永遠不會離開您的系統。
RADKit服務設定
導航至Operations > Support > Remote Support Authorization。輸入用於身份驗證的Cisco SSO關聯電子郵件地址。
需要輸入電子郵件的初始遠端支援授權頁面
遠端支援授權服務啟動後,按一下 Complete SSO Authentication.
輸入電子郵件後,按鈕顯示為完成SSO身份驗證
按一下Accept新開啟的視窗,完成對的授Cisco RADkit Cloud權。
完成授權的SSO身份驗證頁
配置遠端支援授權
按一下Create A Remote Support Authorization以配置遠端訪問會話。
身份驗證後,出現Create Remote Support Authorization選項
輸入您想要提供訪問許可權的思科專家的電子郵件地址。選擇Observer (Read-Only)為思科專家提供只讀訪問許可權,或為Admin (Read-Write)思科專家提供完全讀寫訪問許可權。如果此訪問與現有TAC服務請求相關,您可以輸入SR編號以及遠端訪問的任何其他理由。輸入Next所需資訊後按一下。
授權建立的第一頁
計畫遠端授權的持續時間和時間。要立即安排訪問,請選擇Now. Scheduled「要安排在以後的日期或時間進行訪問,選擇並設定中的必需資訊Start Date Start Time.,然後在輸入所需資訊後單Next擊」。
授權建立的第二頁
選擇要授予訪問許可權的每個ISE節點。要啟用對節點的遠端CLI訪問,請選擇I Agree to give access to CLI.「要啟用對節點的遠端UI訪問」,選擇I Agree to give access to UI該選Next項。輸入所需資訊後,按一下。
授權建立的第三頁
按一下復製圖示複製遠端支援授權資訊,並將此資訊提供給思科專家Finish。按一下以最終確定遠端訪問授權。
授權建立的摘要頁面
驗證
您可以在頁籤上驗證所有當前活動的遠端支援Current Authorizations授權。您可以在頁籤上檢視任何以前的遠端支援Past Authorizations授權。
驗證有效授權
要檢視節點的CLI會話稽核日誌,請導Operations > Support > Troubleshoot > Download Logs覽至,選擇要為其下載日誌的節點,然後選擇Debug Logs。所有CLI會話都可以在radkit-session資料夾中找到。按一下檔名下載稽核日誌。
CLI稽核日誌
要檢視UI稽核日誌,可以使用ISE UI中的稽核報告。導航到Operations > Reports > Audit > Administrator Logins以檢視任何管理員登入UI或CLI。導航到Operations > Reports > Audit > Change Configuration Audit,檢視管理員在UI中所做的任何更改。
疑難排解
要檢視容器上的日誌,需要檢視ADE.log檔案,這些日誌將在初始設定過程中在UI上輸入電子郵件時開始。在CLI中,輸入show logging system ade/ADE.log tail命令:
2025-05-20T14:21:07.670874-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] Container run status
2025-05-20T14:21:07.818398-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] docker_container_running failed,current status:
2025-05-20T14:21:07.821281-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] Starting Remote Support Authorization Service...
2025-05-20T14:21:07.824667-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] inside setup_radkit
2025-05-20T14:21:07.828862-05:00 ise-3-4-909-55 ADEOSShell[594468]: ADEAUDIT 2061, type=USER, name=RADKIT status, username=system, cause=Remote Support Authorization Service started., adminipaddress=10.201.229.55, interface=CLI, detail=Remote Support Authorization Service started.
2025-05-20T14:21:07.829439-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] inside docker_container_exists
2025-05-20T14:21:07.877488-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] inside docker_image_exists
2025-05-20T14:21:08.057775-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] Image exist with ID = d6a7d3665e920f00ca484d4f0060c9f3e76ec416c7dda7ff7fc81a60be97537a
2025-05-20T14:21:08.060665-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] Docker image exists
2025-05-20T14:21:08.063583-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] Docker image ise-radkit-service is already loaded.
2025-05-20T14:21:08.066214-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] Setting up radkitISE監控容器以檢查其是否正在運行以及RADKit應用程式是否準備就緒,然後再將遠端授權服務標籤為已啟動。
2025-05-20T14:21:24.477946-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] Container run status true
2025-05-20T14:21:24.800804-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] In isRadkitAppReady: App is not ready
2025-05-20T14:21:24.804531-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] ISE Radkit app is not ready,checking app status counter: 1
2025-05-20T14:21:27.859691-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] Container run status true
2025-05-20T14:21:28.024853-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] In isRadkitAppReady: App is not ready
2025-05-20T14:21:28.028121-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] ISE Radkit app is not ready,checking app status counter: 2
2025-05-20T14:21:31.079596-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] Container run status true
2025-05-20T14:21:31.232927-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] In isRadkitAppReady: App is not ready
2025-05-20T14:21:31.236149-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] ISE Radkit app is not ready,checking app status counter: 3
2025-05-20T14:21:34.287758-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] Container run status true
2025-05-20T14:21:34.426699-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] In isRadkitAppReady: App is not ready
2025-05-20T14:21:34.429983-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] ISE Radkit app is not ready,checking app status counter: 4
2025-05-20T14:21:37.486192-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] Container run status true
2025-05-20T14:21:37.621712-05:00 ise-3-4-909-55 root: info:[application:operation:radkit-control.sh] Remote Support Authorization Service started.您還可以使用API呼叫https://<ISE_PAN>/api/v1/customersupport/checkstatus檢查RADKit服務的狀態。
運行RadKit服務時的輸出
RadKit服務未運行時輸出
要在啟動遠端支援授權服務後檢視RADKit服務日誌,請輸入show logging application radkit/service/service.log命令。當服務首次啟動時,將使用RADKit應用程式完成一些基本設定。
2025-05-20T19:21:31.730Z INFO | internal | MainThread [] RADKit Service [version='1.6.12']
2025-05-20T19:21:31.731Z INFO | internal | MainThread [] STDIN is not a terminal; assuming --headless
2025-05-20T19:21:31.732Z INFO | internal | MainThread [] This RADKit release does not expire
2025-05-20T19:21:34.101Z INFO | internal | MainThread radkit_service.database.service_db [DB] Creating new database file. [path=PosixPath('/radkit/service/service-db.json.encrypted')]
2025-05-20T19:21:34.102Z INFO | internal | MainThread radkit_service.database.service_db [DB] Storing DB encryption key in credentials backend. [path=PosixPath('/radkit/service/service-db.json.encrypted')]
2025-05-20T19:21:34.104Z INFO | internal | MainThread radkit_service.database.service_db [DB] Opening database. [path=PosixPath('/radkit/service/service-db.json.encrypted')]
2025-05-20T19:21:34.105Z INFO | internal | MainThread radkit_service.backup [SYSTEM] Ensuring backup directory [backup_dir_path='/radkit/service/backups/20250520-192134_1.6.12'] 建立了可用於連線的RADKit服務。
2025-05-20T19:22:25.284Z INFO | radkit_control/superadmin/184f89f8 | MainThread radkit_service.service [SYSTEM] Creating service
2025-05-20T19:22:25.655Z INFO | radkit_control/superadmin/184f89f8 | MainThread Service(0x7F92596171D0) [AUDIT,SYSTEM] Starting RADKit Service [serial='xv3i-f2xi-kls6' log_dir=PosixPath('/radkit/logs/service')]
2025-05-20T19:22:25.664Z INFO | radkit_control/superadmin/184f89f8 | MainThread SingleWebSocketForwarderClient(0x7F925BCE3390) [] Connecting to forwarder [forwarder_base_url='wss://prod.radkit-cloud.cisco.com/forwarder-3/' uri='wss://prod.radkit-cloud.cisco.com/forwarder-3/websocket/']
2025-05-20T19:22:25.679Z INFO | radkit_control/superadmin/c5f2549f | MainThread radkit_service.webserver.middlewares.logging [AUDIT,FASTAPI] API call request [request_id='591020e2-cb1d-4406-8b95-d2f5dbcd5a04' url='/api/v1/auth/logout' request_method='POST' event_target='::1' event_target_port=8081 app_identifier='RADKit Service' protocol='https' source_location='radkit_control' event_source='::1' event_source_port=48122 peer_identity='superadmin']當您在GUI中新增遠端支援授權時,思科專家將建立為遠端使用者。
2025-05-20T19:24:10.599Z INFO | radkit_control/superadmin/5d496186 | MainThread DBOperationsAPI(0x7F9259646390) [AUDIT,DB] Creating remote user [username='mabramsk@cisco.com']
2025-05-20T19:24:10.600Z INFO | radkit_control/superadmin/5d496186 | MainThread radkit_service.webserver.fastapi_endpoints.dependencies [AUDIT,FASTAPI] API call success [request_id='eb8879fd-3c0c-45d7-9733-6b7fcdc9f1aa' effects='Created a new remote user' username='mabramsk@cisco.com' labels=[(1, 'mabramsk-7a7675cc')]]當思科專家連線到服務並訪問ISE節點時,它將顯示在這些日誌中。
2025-05-20T19:26:02.766Z INFO | cloud-rpc/mabramsk@cisco.com/4Kkevny_ | MainThread RPCServer(0x7F925A1B9B10) [AUDIT,RPC] new RPC request [rpc_name='get-capabilities' identity='mabramsk@cisco.com' connection_type='CLOUD']
2025-05-20T19:26:03.033Z INFO | cloud-rpc/mabramsk@cisco.com/4Kkevny_ | MainThread CapabilitiesResponder(0x7F92597C42D0) [AUDIT,RPC] user requested Capabilities
2025-05-20T19:26:03.117Z INFO | cloud-rpc/mabramsk@cisco.com/4Kkevny_ | MainThread CapabilitiesResponder(0x7F92597C42D0) [RPC] finished handling capabilities request
2025-05-20T19:26:03.121Z INFO | cloud-rpc/mabramsk@cisco.com/4Kkevny_ | MainThread RPCServer(0x7F925A1B9B10) [AUDIT,RPC] RPC request finished [rpc_name='get-capabilities' identity='mabramsk@cisco.com' connection_type='CLOUD']
2025-05-20T19:26:04.863Z INFO | cloud-rpc/mabramsk@cisco.com/cjZPy-yR | MainThread EncryptedRPCServerTransportRequest(0x7F92598C3410) [RPC] New incoming end-to-end encrypted request. [tls_version='TLSv1.3' rpc_name='h2']
2025-05-20T19:26:04.864Z INFO | cloud-rpc/mabramsk@cisco.com/cjZPy-yR.e2ee | MainThread H2MultiplexingRPCServerTransport(0x7F925A1B9550) [RPC] New incoming H2 multiplexed request.
2025-05-20T19:26:04.869Z INFO | cloud-rpc/mabramsk@cisco.com/cjZPy-yR.e2ee.h2-1 | MainThread RPCServer(0x7F925A1B9B10) [AUDIT,RPC] new RPC request [rpc_name='get-basic-inventory' identity='mabramsk@cisco.com' connection_type='CLOUD']
2025-05-20T19:26:04.879Z INFO | cloud-rpc/mabramsk@cisco.com/cjZPy-yR.e2ee.h2-1 | MainThread InventoryResponder(0x7F925A1B8810) [AUDIT,RPC] user requested inventory
2025-05-20T19:26:04.882Z INFO | cloud-rpc/mabramsk@cisco.com/cjZPy-yR.e2ee.h2-1 | MainThread InventoryResponder(0x7F925A1B8810) [RPC] finished handling basic inventory request
2025-05-20T19:26:04.885Z INFO | cloud-rpc/mabramsk@cisco.com/cjZPy-yR.e2ee.h2-1 | MainThread RPCServer(0x7F925A1B9B10) [AUDIT,RPC] RPC request finished [rpc_name='get-basic-inventory' identity='mabramsk@cisco.com' connection_type='CLOUD']
2025-05-20T19:26:26.083Z INFO | cloud-rpc/mabramsk@cisco.com/cjZPy-yR.e2ee.h2-3 | MainThread RPCServer(0x7F925A1B9B10) [AUDIT,RPC] new RPC request [rpc_name='start-interactive-terminal' identity='mabramsk@cisco.com' connection_type='CLOUD']
2025-05-20T19:26:26.090Z INFO | cloud-rpc/mabramsk@cisco.com/cjZPy-yR.e2ee.h2-3 | MainThread TerminalProxyRunner(0x7F9259795D50) [AUDIT,TERMINAL] interactive terminal request [device_uuid=UUID('1881cca5-9194-4625-a288-8cd9ee49440c') device_name='ise']
2025-05-20T19:26:26.146Z INFO | cloud-rpc/mabramsk@cisco.com/cjZPy-yR.e2ee.h2-3 | MainThread SSHPTYStream.create [] connected to device over SSH [device='ise']
2025-05-20T19:26:26.198Z INFO | cloud-rpc/mabramsk@cisco.com/cjZPy-yR.e2ee.h2-3 | MainThread radkit_service.session_log [] Session log initialized [filepath='/radkit/session_logs/service/20250520-192626-cjZPy-yR.e2ee.h2-3-SSH-ise.log']
2025-05-20T19:26:43.932Z INFO | cloud-rpc/mabramsk@cisco.com/cjZPy-yR.e2ee.h2-3 | MainThread TerminalProxyRunner(0x7F9259795D50) [AUDIT,TERMINAL] device request finished [device_name='ise' device_uuid=UUID('1881cca5-9194-4625-a288-8cd9ee49440c')]
2025-05-20T19:26:43.935Z INFO | cloud-rpc/mabramsk@cisco.com/cjZPy-yR.e2ee.h2-3 | MainThread RPCServer(0x7F925A1B9B10) [AUDIT,RPC] RPC request finished [rpc_name='start-interactive-terminal' identity='mabramsk@cisco.com' connection_type='CLOUD']一旦遠端授權過期或刪除,將從RADKit服務中刪除遠端使用者。
2025-05-20T19:26:55.195Z INFO | radkit_control/superadmin/8fd4246f | MainThread radkit_service.webserver.fastapi_endpoints.remote_users [AUDIT,FASTAPI] Deleting remote user [router='remote-users' username='mabramsk@cisco.com']
2025-05-20T19:26:55.196Z INFO | radkit_control/superadmin/8fd4246f | MainThread radkit_service.webserver.fastapi_endpoints.remote_users [AUDIT,FASTAPI] API call success [router='remote-users' effects='Deleted remote user' username='mabramsk@cisco.com']相關資訊
修訂記錄
| 修訂 | 發佈日期 | 意見 |
|---|---|---|
1.0 |
13-Nov-2025
|
初始版本 |
意見