Cisco IOx Zero Trust Connector Install

format

topic


Cisco IOx Zero Trust Connector Install

IIoT Remote Connect

Cisco IOx. Agilicus Connector.

Cisco IR1101 IOx

Overview

The Cisco IOx family provides an excellent platform to run the Agilicus Connector. In this example we are working with the Cisco IR1101, suitable for rugged, embedded environments.

The instructions below were tested on

Cisco IR1101-K9
17.11.1a

Cisco IOx Zero Trust: Cisco Router Setup

Follow the Cisco instructions on enabling IOx, enabling applications and routing. Some sample config is shown here, but this varies by platform. Key items required:

  1. Clock sync (ntp, GPS)
  2. Ability to reach https://www.agilicus.com/
  3. Ability to reach https://api.agilicus.com/

Below we have achieved this with NAT but you can also use a bridge.

interface VirtualPortGroup0
 ip address 192.168.100.1 255.255.255.0
 ip nat inside

interface Vlan1
 ip address 192.168.2.2 255.255.255.0
 ip nat outside

ntp server 0.pool.ntp.org

ip dhcp pool vg0
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.1
 dns-server 1.1.1.1
interface VirtualPortGroup0
 ip address 192.168.100.1 255.255.255.0
 ip nat inside

interface Vlan1
 ip address 192.168.2.2 255.255.255.0
 ip nat outside

ntp server 0.pool.ntp.org

ip dhcp pool vg0
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.1
 dns-server 1.1.1.1

ip name-server 1.1.1.1

iox
ip default-gateway 192.168.2.1

ip access-list standard IOX_NAT
 10 permit 192.168.100.0 0.0.0.255

ip nat inside source list IOX_NAT interface Vlan1 overload
ip route 0.0.0.0 0.0.0.0 192.168.2.1

Cisco IOx Zero Trust: Install

On this platorm we will use a container-based install. This platform does not support standard container registries, so we will install the layers manually.

First, download to your local computer the appropriate file for your platform (amd64 or arm64). The IR1101 in our example is arm64.

Second, navigate to the IOx web admin, Configuration/Services/IOx.

From here we will:

  1. Create Application
  2. Upload image (from above)
  3. Set Profile (ram/disk/cpu)
  4. Set networking
  5. Set environment variables (from Agilicus Admin)
  6. Set configuration volume
  7. Activate application
  8. Start application

at which point the Agilicus connector will be running

5603e8e1 image

Cisco IOx Zero Trust: Detailed Steps

Add New Application

In the Cisco IOx web admin, select ‘Add New’ application.

cisco-ir1101-1

Upload Image

Download to your local computer the appropriate file for your platform (amd64 or arm64). The IR1101 in our example is arm64.

Upload this image to the IOx device.

Name the Application ‘agilicus’.

271adbcd cisco ir1101 2

Activate

Select ‘Activate’

39526109 cisco ir1101 3

Copy Setup Configuration

In the Agilicus Admin UI, create a connector. Install. use the ‘Docker’ instructions.

Copy the 3 items shown in the image:

-v agilicus:/etc/agilicus/agent
-e AGILICUS_CHALLENGE_ID=…
-e AGILICUS_CHALLENGE_CODE=…

NOTE: the code times out after 10 minutes. If you copy this, and do not start the container within this time, you can generate a new one by closing and re-open the install dialog.

68c4edaf cisco ir1101 4

Configure Application

You may optionally configure the resource limits. The Agilicus Connector will typically consume < 256MiB memory, ~150MiB storage, and < 25% of 1 CPU.

Configure the network to match your overall setup (bridge vs NAT).

Uncheck ‘auto delete’, paste the command line from the previous step., Select Activate.

cisco-ir1101-5

Start Application

Select the Agilicus Connnector and start it.

cisco-ir1101-6

(Optional) Diagnose Application

You can examine the output logs, if needed, via ‘Manage’ and then ‘Log’ and ‘Download’

78b3ae43 cisco ir1101 7

(Optional) Diagnose Application Log

You can examine the output logs, if needed, via ‘Manage’ and then ‘Log’ and ‘Download’

cisco-ir1101-8

Check Connector Status

Within approximately 90 seconds you should see the Connector come online in the Agilicus admin UI.

0f425c90 cisco ir1101 9

At this stage you have successfully configured the Agilicus Connector on your Cisco IOx device. You may now configure individual services via the Agilicus admin interface.

Sample things to consider would be SSH to the IOx device, the Web Admin of the IOx device, as well as other onwards resources.

In our example router, the SSH management interface is 192.168.2.2. I added a SSH resource, named irr1101-ssh, with that as the IP. I was then able to sign in via Agilicus Profile and see the Router CLI.