Cisco IOx Zero Trust Connector Install

Cisco IR1101 IOx

Cisco IOx Zero Trust Connector Install

Cisco IOx. Agilicus Connector.

Overview

The Cisco IOx family provides an excellent platform to run the Agilicus Connector. In this example we are working with the Cisco IR1101, suitable for rugged, embedded environments.

The instructions below were tested on

Cisco IR1101-K9
17.11.1a

Cisco IOx Zero Trust: Cisco Router Setup

Follow the Cisco instructions on enabling IOx, enabling applications and routing. Some sample config is shown here, but this varies by platform. Key items required:

  1. Clock sync (ntp, GPS)
  2. Ability to reach https://www.agilicus.com/
  3. Ability to reach https://api.agilicus.com/

Below we have achieved this with NAT but you can also use a bridge.

interface VirtualPortGroup0
 ip address 192.168.100.1 255.255.255.0
 ip nat inside

interface Vlan1
 ip address 192.168.2.2 255.255.255.0
 ip nat outside

ntp server 0.pool.ntp.org

ip dhcp pool vg0
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.1
 dns-server 1.1.1.1
interface VirtualPortGroup0
 ip address 192.168.100.1 255.255.255.0
 ip nat inside

interface Vlan1
 ip address 192.168.2.2 255.255.255.0
 ip nat outside

ntp server 0.pool.ntp.org

ip dhcp pool vg0
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.1
 dns-server 1.1.1.1

ip name-server 1.1.1.1

iox
ip default-gateway 192.168.2.1

ip access-list standard IOX_NAT
 10 permit 192.168.100.0 0.0.0.255

ip nat inside source list IOX_NAT interface Vlan1 overload
ip route 0.0.0.0 0.0.0.0 192.168.2.1

Cisco IOx Zero Trust: Install

On this platorm we will use a container-based install. This platform does not support standard container registries, so we will install the layers manually.

First, download to your local computer the appropriate file for your platform (amd64 or arm64). The IR1101 in our example is arm64.

5603e8e1 image

Second, navigate to the IOx web admin, Configuration/Services/IOx.

From here we will:

  1. Create Application
  2. Upload image (from above)
  3. Set Profile (ram/disk/cpu)
  4. Set networking
  5. Set environment variables (from Agilicus Admin)
  6. Set configuration volume
  7. Activate application
  8. Start application

at which point the Agilicus connector will be running

Cisco IOx Zero Trust: Detailed Steps

Start Application

Select the Agilicus Connnector and start it.

(Optional) Diagnose Application

You can examine the output logs, if needed, via ‘Manage’ and then ‘Log’ and ‘Download’

(Optional) Diagnose Application Log

You can examine the output logs, if needed, via ‘Manage’ and then ‘Log’ and ‘Download’

Check Connector Status

Within approximately 90 seconds you should see the Connector come online in the Agilicus admin UI.

c08a1fb8 cisco ir1101 1

Add New Application

In the Cisco IOx web admin, select ‘Add New’ application.

271adbcd cisco ir1101 2

Upload Image

Download to your local computer the appropriate file for your platform (amd64 or arm64). The IR1101 in our example is arm64.

Upload this image to the IOx device.

Name the Application ‘agilicus’.

Activate

Select ‘Activate’

Copy Setup Configuration

In the Agilicus Admin UI, create a connector. Install. use the ‘Docker’ instructions.

Copy the 3 items shown in the image:

-v agilicus:/etc/agilicus/agent
-e AGILICUS_CHALLENGE_ID=…
-e AGILICUS_CHALLENGE_CODE=…

NOTE: the code times out after 10 minutes. If you copy this, and do not start the container within this time, you can generate a new one by closing and re-open the install dialog.

Configure Application

You may optionally configure the resource limits. The Agilicus Connector will typically consume < 256MiB memory, ~150MiB storage, and < 25% of 1 CPU.

Configure the network to match your overall setup (bridge vs NAT).

Uncheck ‘auto delete’, paste the command line from the previous step., Select Activate.

At this stage you have successfully configured the Agilicus Connector on your Cisco IOx device. You may now configure individual services via the Agilicus admin interface.

Sample things to consider would be SSH to the IOx device, the Web Admin of the IOx device, as well as other onwards resources.

In our example router, the SSH management interface is 192.168.2.2. I added a SSH resource, named irr1101-ssh, with that as the IP. I was then able to sign in via Agilicus Profile and see the Router CLI.