Secure Communication with Devices through a vmanage-admin Account

Cisco SD-WAN Manager communicates with devices, such as Cisco Catalyst Cellular Gateways, using a secure channel—either a datagram transport layer security (DTLS) tunnel or transport layer security (TLS) tunnel. Within this secure channel, it communicates with the devices or controllers using the NETCONF protocol, within an SSH session. It uses an internal-use-only passwordless "vmanage-admin" user account on the device or controller. The vmanage-admin account is created during the initial device setup. Cisco SD-WAN Manager uses this secure channel for monitoring, configuring, and managing devices.

As noted, the vmanage-admin user accounts do not have any password associated with them, so Cisco SD-WAN Manager uses a passwordless procedure to log in to the account. To accomplish this, Cisco SD-WAN Manager generates an asymmetric encryption public-private key pair. During deployment of a device, Cisco SD-WAN Manager copies the public key that it has generated to the device. It sends the public key using a proprietary protocol, within a secure channel—a DTLS or TLS tunnel.

The activity that Cisco SD-WAN Manager performs using the vmanage-admin account appears in syslog messages and in the output of certain show commands. The syslog messages are logged with the same level of detail as activities performed through any other user account. The level of syslog detail depends on the syslog configuration of the device.

Cisco SD-WAN Manager requires the vmanage-admin account on devices in order to monitor, configure, and manage the devices. Removing, disabling, or altering this account on a device would prevent Cisco SD-WAN Manager from performing these activities, and is not supported.

Before You Begin

This procedure configures a cellular gateway using a feature template. For information about using a configuration group, see Configure a Cellular Gateway Using a Configuration Group in Cisco SD-WAN Manager.

Configure a Cellular Gateway Using a Feature Template

1. Create a device template for Cisco Cellular Gateway CG418-E devices.

   See Configure Devices in the Cisco Catalyst SD-WAN Systems and Interfaces Configuration Guide, Cisco IOS XE Catalyst SD-WAN Release 17.x.

   After you enter a description for the feature template:

   1. From the Cisco SD-WAN Manager menu, choose Configuration > Templates.

   2. Click Device Templates.

      Note	In Cisco vManage Release 20.7.x and earlier releases, Device Templates is titled Device.

   3. From the Create Template drop-down list choose From Feature Template.

   4. From the Device Model drop-down list select the type of device for which you are creating the template.

   5. Choose Cellular Gateway > Cellular Gateway Platform > Create Template. Then configure the Cellular Gateway Platform feature template as shown in the following table.

      Table 2. Cellular Gateway Platform Template Parameters

      Parameter Name	Description
      Basic Configuration Tab
      Time Zone	Choose the time zone to use for the device. The device uses this time zone for clock synchronization when NTP is configured.
      Management Interface	Enter the IPv4 address of the management interface for accessing the device.
      Admin-Password	Enter the admin user password for logging in to the device by using an SSH client or a console port.
      NTP-Servers	Configure one or more NTP servers to which the device synchronizes its clock.
      Cellular Configuration Tab
      IP-Src-Violation	Choose v4 only, v6 only, or v4 and v6 to enable the IP source violation feature for the corresponding IP address types. Choose None if you do not want to enable this feature.
      Auto-SIM	Choose On to enable the auto-SIM feature. When this feature is enabled, the device automatically detects the service provider to which SIMs in the device belong and automatically loads the appropriate firmware for that provider.
      Primary SIM Slot	Choose the slot that contains the primary SIM card for the device. If the device loses service to this slot, it fails over to the secondary slot.
      Failover-Timer (minutes)	Enter the number of minutes that the device waits before trying to communicate with the primary SIM slot after the device detects loss of service to this slot.
      Max-Retry	Enter the number of consecutive unsuccessful attempts by the device to communicate with the primary SIM before failing over to the secondary slot

   6. Choose Cellular Gateway > Cellular Gateway Profile and choose Create Template from the Cellular Gateway Profile drop-down list. Then configure the Cellular Gateway Profile feature template as shown in the following table.

      Table 3. Cellular Gateway Profile Template Parameters

      Parameter Name	Description
      Basic Configuration Tab
      SIM	Choose a SIM slot and configure the following options to create a profile for the SIM in that slot. This profile indicates to the service provider which of its cellular networks the SIM should attach to. Profile ID: Enter a unique ID for the profile Access Point Name: Enter the name of the access point for this profile Packet Data Network Type: Choose the type of network for data services for this profile (IPv4, IPv6, or IPv4v6) Authentication: Choose the authentication method that this profile uses for data, and enter the user name and password for this method in the Profile Username and Profile Password fields that display You can configure one profile for each SIM slot in the device.
      Add Profile	Click to add an access point name (APN) profile that the cellular device uses to attach to a cellular network. You can add up to 16 profiles.
      Profile ID	Enter a unique identifier for the profile. Valid values: Integers 1 through 16.
      Access Point Name	Enter a name to identify the cellular access point.
      Packet Data Network Type	Choose the packet data network (PDN) type of the cellular network (IPv4, IPv6, or IPv46).
      Authentication	Choose the authentication method that is used to attach to the cellular access point (none, pap, chap, pap_chap).
      Profile Username	If you choose an authentication method other than none, enter the user name to use for authentication when attaching to the cellular access point.
      Password	If you choose an authentication method other than none, enter the password to use for authentication when attaching to the cellular access point.
      Add	Click to add the profile your are configuring.
      Advanced Configuration Tab
      Attach Profile	Choose the profile that the device uses to connect to the cellular network.
      Cellular 1/1 Profile	Choose the profile that the device uses for data connectivity over the cellular network.

2. Attach the device template to the device.

   For information, see Attach and Detach a Device Template in the Cisco Catalyst SD-WAN Systems and Interfaces Configuration Guide, Cisco IOS XE Catalyst SD-WAN Release 17.x.

Before You Begin

Create a configuration group for Cisco Catalyst Cellular Gateways using Workflows > Create Cellular Gateway Group. On the Configuration Groups page, the resulting configuration group is labelled cellulargateway in the Device Solution column.

For information about creating configuration groups and applying them to devices, see the Using Configuration Groups section of Cisco Catalyst SD-WAN Configuration Groups, Cisco IOS XE Catalyst SD-WAN Release 17x.

Configure a Cellular Gateway Using a Configuration Group

1. From the Cisco SD-WAN Manager menu, choose Configuration > Configuration Groups.

2. Click … adjacent to a configuration group for a Cisco Catalyst Cellular Gateway and choose Edit.

3. Open the Global Profile section and add (click Add Global Profile Feature) or edit (click … and Edit) any of the following features.

   • AAA feature:

     Table 4. Local

     Parameter Name	Description
     Name	The account name is preset to admin and cannot be changed.
     Password	Enter a password for login.

     Table 5. TACACS

     Parameter Name	Description
     TACACS Configuration	Enable TACACS configuration. Click Add TACACS to add one or more TACACS servers.
     Authentication	TACACS authentication option: tacacs_ascii: Send authentication information in ASCII format. tacacs_pap: Send authentication information using the password authentication protocol (PAP).
     Timeout	Timeout for TACACS authentication. Range: 1 through 1000 seconds
     TACACS
     IP Address	IP address of the TACACS server.
     Auth Port	TCP port number to connect to the TACACS server. Default: 49
     Secret Key	Encryption key for encrypting and decrypting traffic between the cellular gateway and the TACACS server. Configure the same key on the TACACS server.
     Source Interface	Preconfigured as Cellular1/0, and cannot be changed. This is the only interface that the cellular gateway can use for communication with the TACACS server.
     Priority	Priority level of the TACACS server. Zero is a default priority value and indicates the highest priority. If a cellular gateway is unable to establish a connection with the highest priority server, it attempts to connect to the server of the next highest priority. Range: 0 through 7

   • Cellular feature:

     Table 6. Cellular Settings

     Parameter Name	Description
     Primary Slot	Choose a SIM slot to designate it as primary. Range: 0, 1 Default: 0
     SIM SLOT 0 Cellular Profile
     Profile Id	Profile ID. You can click Add to add multiple profiles.
     Access Point Name	Access point name, from your service provider.
     Authentication Method	Authentication method (none, pap, chap, pap_or_chap) indicated by your service provider.
     Username	Username for authentication, as indicated by your service provider.
     Password	Password for authentication, as indicated by your service provider.
     Packet Data Network Type	Packet data network type (IPv4, IPv6, IPv4v6), as indicated by your service provider.
     Attach Profile	Choose the attach profile from the defined profiles.
     Data Profile	Choose the data profile from the defined profiles. You can use the same profile for the attach profile and data profile.
     SIM SLOT 1 Cellular Profile
     See the fields described for SIM slot 0.

   • Logging feature:

     Table 7. Disk

     Parameter Name	Description
     Disk File Rotate	Maximum number of log files to store locally. The device collects diagnostic monitor log files, which have a maximum size of 20 MB each, until the number of files reaches the rotate value. Then the device deletes the oldest file to make room for a new file. Range: 1 through 10
     Disk File Size	Maximum file size for each log file that the device stores locally. After reaching the maximum size, the device creates a new log file, with a numerically sequenced filename. Range: 1 through 20 megabytes

     Table 8. Servers

     Parameter Name	Description
     Server Name Type	Choose ipv4 or ipv6, according to the server address type, or choose dns if you enter a server domain name in the Server Name Value field.
     Server Name Value	IP address or domain name of the server.
     Source IP	By default, this is the system IP address. You can choose the Device Specific option to specify per device.
     Priority	Filter the type of log messages saved using one of the following priority options, listed from lowest to highest priority. Each priority option configures the device to save log messages of that priority and all higher priorities. For example, information is the lowest priority of message, so choosing information includes information log messages and all other log messages too. Choosing error excludes information, notice, and warn log messages, but includes error messages and all other log messages of higher priority (critical, alert, and emergency). From lowest to highest priority, the options are the following: information notice warn error critical alert emergency

   • Network Protocol feature:

     Table 9. Basic Configuration

     Parameter Name	Description
     Passthrough	The cellular gateway operates in one of two modes: IP passthrough and NAT. In IP passthrough mode, the cellular gateway passes the public IP address assigned by the internet service provider (ISP) to a downstream device attached to the cellular gateway. Disabling the Passthrough option enables NAT, which gives the devices that are connected to the cellular gateway access to a DHCP server and to the local gateway. Note   Enabling passthrough mode disables and hides the other fields in the Basic Configuration section.
     DHCP Pool
     DHCP Pool	Enable a DHCP pool for NAT.
     DHCP Network Pool	IP address pool, in classless interdomain routing (CIDR) format.
     Lease Days	Days for DHCP lease time Range: 0 to 365
     Lease Hours	Hours for DHCP lease time. Range: 0 to 23
     Lease Minutes	Minutes for DHCP lease time. Range: 0 to 59
     PAT Configuration
     PAT Configuration	Enable port address translation (PAT).
     Add PAT Config	Click this to add one or more PAT configurations.
     Description	Description of the PAT configuration.
     Protocol	Choose TCP or UDP.
     LocalAddress	IPv4 format address.
     LocalPort	Port number. Range: 0 to 65535
     InterfaceName	Preconfigured as Cellular1/0, which is the WAN interface for the cellular gateway.
     GlobalPort	Global port number. Range: 1 to 65535

     Table 10. NTP Servers

     Parameter Name	Description
     NTP	To configure a network time protocol (NTP) server, enter an IPv4 address or a DNS name. Maximum number of NTP servers: 4

4. (Optional) To add CLI configuration commands, do the following:

   1. Open the CLI Add-on Profile.

   2. Click Add Feature.

   3. In the Type drop-down list, choose Config.

   4. Enter a name for the feature.

   5. Enter a CLI configuration.

   6. Click Save.

   Note	CLI configuration commands in the CLI Add-on Profile override any configuration done using the Global Profile.