RADKit Network Console
The RADKit Network Console is a feature that provides a simple command line interface (CLI) for basic RADKit Client functions. It is meant to be used for quick connectivity to a RADKit Service instance, establishing interactive sessions and downloading/uploading files with no hassle and minimal training.
Note
The Network Console is part of the RADKit Client. When using pip, you need to install
the cisco-radkit-client Python package. When using the Windows or macOS installer,
the RADKit Client is automatically installed.
Starting the Network Console
Using the command line
On Linux or macOS (or on Windows, starting with 1.7.0):
$ radkit-network-console
or, to directly log in as myid@example.com:
$ radkit-network-console --username myid@example.com
Because the latter will immediately proceed with the login, you will be redirected to the RADKit SSO portal as soon as the Network Console starts.
Using the application shortcut
If you installed RADKit using the Windows or macOS installer, there will be a dedicated shortcut in the Start Menu or Applications folder called RADKit Network Console.
The Network Console prompt
After startup, the following prompt will be displayed:
$ radkit-client network-console
RADKit Network Console (EXPERIMENTAL)
Type `help` to list commands.
>
The interface is a shell-type interface where you can enter human-friendly commands. The shell supports autocompletion for all known syntaxes and objects including device names and local files and directories.
The Network Console shell also supports history i.e. recalling and searching for commands across sessions. You can use the Ctrl-R shortcut to search through history, or the Up arrow to find a previously entered command.
Note
Some parameters such as service serial numbers and remote files can’t be autocompleted.
Commands
login
The login command is required to authenticate the current RADKit CLI session.
It allows the following two syntaxes:
login <email_address>performs SSO login with the provided email address as the identity;loginwith no parameters appends@cisco.comto the current username on the local system and uses it as the SSO identity.
Note
If the session was already authenticated because --username was passed,
there is no need to perform another login using this command.
Once logged in, the username will appear in the prompt:
> login
Logging in as: myuser@cisco.com
[myuser] >
service-cloud
The service-cloud command allows you to connect to a remote RADKit Service.
If the Service is unavailable or the user is not authorized to access it, an error will be printed.
By default, the service-cloud command syntax asks for the service-id of the RADKit Service to connect to, as well as the sr or no-sr argument to link the connection to a TAC Service Request or not.
Linking the service connection to a TAC SR allows manual or automatic interactive session log upload to the Cisco TAC SR (see new command session-logs).
service-cloud <service> sr <sr> [auto-upload|manual-upload]
[myuser] > service-cloud abcd-1234-efgh sr 612345678
Connecting to Service: abcd-1234-efgh in context of SR 612345678 with manual log upload
[myuser@abcd-1234-efgh] 612345678>
Note
Whenever the service connection is opened with an SR number, the SR number is printed in the prompt as depicted above.
The keywords auto-upload or manual-upload (default) specify how the interactive session log files should be uploaded to the service request.
auto-uploadwill automatically upload the log files to the related service request when the interactive session is finished.manual-uploadwill require the user to use thesession-logs uploadcommand to upload the desired logs to the service request.
The default preference can be overridden by a settings.toml setting on the client, or the -s client.network_console.auto_upload_by_default true at launch.
[client.network_console]
auto_upload_by_default=true
For RADKit usage outside of the context of a TAC service request, use the `no-sr keyword such as:
service <service> no-sr
Note
When SR context is enabled (default), the command syntax service <service> is no longer accepted and requires the explicit use of either sr <sr> keyword, or no-sr in case no service request is available. This is to ensure tracking consistency on the service-request. A warning inviting to use the new syntax will be displayed in such case. Refer to the section below to disable SR context using settings.
[myuser] > service-cloud abcd-1234-efgh
ERROR:
To open a service in the context of a Cisco TAC SR, use:
service-cloud <service> sr [TAC SR NUMBER] [auto-upload|manual-upload]
This allows manual or automatic session logs upload to the TAC SR
To open a service session without context, please use:
service-cloud <service> no-sr
Note
The use of sr keyword requires to have permissions to access this SR (The logged-in user must be associated with the contract used to open the TAC SR).
It’s possible to disable the SR context feature using either the setting -s client.network_console.enable_sr_context false on Network-Console launch, as well as permanently disable it as a setting in the settings.toml for the RADKit Client:
[client.network_console]
enable_sr_context=false
In such case, the service-cloud CLI will only accept the service-id argument. All features related to SR attachment (session log upload and CXD upload) will be disabled.
Syntax with SR context feature disabled (Identical to pre-1.6.x versions):
[myuser] > service-cloud abcd-1234-efgh
Connecting to Service: abcd-1234-efgh
[myuser@abcd-1234-efgh] >
service
The service command is an alias for service-cloud.
service-direct-with-sso
The service-direct-with-sso commands connects directly to a service using the cloud first to authenticate.
The syntax and keywords are similar as for service-cloud, but you need to specify the
service’s hostname or IP address and an optional port (if different from the default 8181)
[myuser] > service-direct-with-sso aaaa-bbbb-cccc host 10.1.2.3 no-sr
Connecting to Service: aaaa-bbbb-cccc without SR context
[myuser@aaaa-bbbb-cccc] >
service-direct
The service-direct commands connects directly to a service, however authenticating directly against the service.
service-direct does NOT require the user to first authenticate against the cloud (no prior login is needed).
service-direct requires the user to provide the following options:
the service’s hostname or IP address and an optional port (if different from the default 8181)
the username as defined on the service (the command asks for the corresponding password)
Optional: the service’s SHA256 fingerprint (as shown in the server’s ‘E2EE Connectivity Status’ tab)
[] > service-direct host 10.1.2.3 user myuser@cisco.com
Connecting to service instance at 10.1.2.3:8181
Direct RPC password: *********
[myuser@10.1.2.3-8181] >
show
The show command works similarly to the show command on Cisco devices.
It allows to view the state of several Network Console objects, such as:
show client: displays the currently logged-in user (SSO). If the client session is currently operational and valid,AUTHENTICATEDwill be printed as the status. Otherwise, it probably means the session has timed out (seereauthenticatebelow):[myuser@abcd-1234-efgh] > show client [AUTHENTICATED] Client(identity='myuser@cisco.com', status='AUTHENTICATED', authentication_method='sso', domain_name='PROD') --------------------- ------------------------ identity myuser@cisco.com status AUTHENTICATED authentication_method sso domain_name PROD --------------------- ------------------------
show service: displays the currently connected Service. It displays important information such as the remote Service version, number of devices and the current SSO identity.[myuser@abcd-1234-efgh] > show service Service(identity='myuser@cisco.com', service_id='abcd-1234-efgh') ----------------------------- ------------------------------------------------------- identity myuser@cisco.com service_id abcd-1234-efgh #devices 306 #capabilities 18 version 1.3.7 e2ee_supported No e2ee_active No, not supported by service (use_e2ee=WHEN_AVAILABLE) supported_compression_methods ['zstd'] ----------------------------- -------------------------------------------------------
show inventory: displays the list of devices which are part of the Service’s inventory.Note
If a device has been added to the inventory after the initial connection to the Service, the inventory must be updated in order to reflect the change. See the
update-inventorycommand for this.[myuser@abcd-1234-efgh] > show inventory <radkit_client.sync.device.DeviceDict object at 0x110271340> name host device_type Terminal Netconf Swagger HTTP description failed ----------------------------- ---------------------------- ------------- ---------- --------- --------- ------ --------------------------- -------- 10-48-32-20 10.48.32.20 IOS_XR True False False False False 10-48-32-249 10.48.32.249 IOS_XR True False False False
The command also supports filtering based on partial/regex matches:
show inventory name <filter_string>show inventory device_type <filter_string>show inventory description <filter_string>
Note
The
<filter_string>values from the commands above support standard Python inline flags such as(?i)to perform case-insensitive matching. See example below for case insensitive search.[myuser@abcd-1234-efgh] > show inventory name (?i)L3 <radkit_client.sync.device.DeviceDict object at 0x112302700> name host device_type Terminal Netconf Swagger HTTP description failed ---------------------- -------------- ------------- ---------- --------- --------- ------ -------------------------- -------- l3-rack10-router-1 172.20.1.110 IOS_XE True False False False False l3-rack12-router-2 172.20.1.112 IOS_XE True False False False False
show proxy: displays the active SOCKS or HTTP proxy session (seeproxybelow).show session-logs <device>: displays the current session logs files which have been created since the start of the RADKit Network Console. Those logs can be uploaded directly to the service request using the commandsession-logs upload <filename>(seesession-logsbelow for more details)[myuser@abcd-1234-efgh] 612345678> show session-logs <radkit_client.sync.state.SessionsDict object at 0x10c84f7c0> Active Session objects for device: <bound method AsyncDevice.name of AsyncDevice(name='router-123', service_display_name='router-123', host='10.48.88.253', device_type='LINUX', forwarded_tcp_ports='1-65535', failed=False)> key service_id device_name term term_size bytes_read bytes_written closed session_log_filename ----- ------------ ------------- -------------- ----------- ------------ --------------- -------- ------------------------------ 0 abcd-1234-efgh router-123 xterm-256color 148x28 1137 14 True 20230818-154209-router-123.log
interactive
interactive establishes an interactive SSH/Telnet session to the remote device.
Takes a valid device name as argument.
[myuser@abcd-1234-efgh] > interactive acdc-920-2-cisco-com
Attaching to acdc-920-2-cisco-com ...
Type: ~. to terminate.
~? for other shortcuts.
When using nested SSH sessions, add an extra ~ per level of nesting.
ACDC-920-2#terminal length 0
ACDC-920-2#terminal width 0
ACDC-920-2#
When exiting an interactive session, you will simply return to the Network Console prompt.
snmp
snmp performs either an SNMP Get or SNMP Walk request on the specified device with the specified OID.
snmp get <device> <oid>performs an SNMP Get request on the given device and OID, such as:
[myuser@abcd-1234-efgh] > snmp get router-123 1.3.6.1.4.1.9.2.1.3.0
[SUCCESS] <radkit_client.sync.snmp.SNMPTable object at 0x1135dc790>
i oid value
--- --------------------- -------------
0 1.3.6.1.4.1.9.2.1.3.0 'ROUTER-123'
snmp walk <device> <oid>performs an SNMP Walk request on the given device and OID such as:
[myuser@abcd-1234-efgh] > snmp walk router-123 1.3.6.1.4.1.9.2.1
[SUCCESS] <radkit_client.sync.snmp.SNMPTable object at 0x113a1b820>
i oid value
--- ---------------------- --------------------
0 1.3.6.1.4.1.9.2.1.1.0 '\r\n16.7(8r)S\r\n'
1 1.3.6.1.4.1.9.2.1.10.0 1000
2 1.3.6.1.4.1.9.2.1.11.0 91074036
3 1.3.6.1.4.1.9.2.1.12.0 0
...
Note
The SNMP Walk results are limited to 1000 OIDs to preserve resources and responsiveness (by default. service can change this by setting service.snmp.default_session_limit).
SNMP Get and Walk requests will timeout after 30 seconds, unless a different timeout is passed in the command.
Timeout and retries may be changed from the default value by passing them as argument after the OID, in both SNMP Walk and SNMP Get requests, such as:
snmp walk|get <device> <oid> <timeout> <retries>
[myuser@abcd-1234-efgh] > snmp walk router-123 1.3.6.1.4.1.9.2.1.73 10 2
Using 10s timeout and 2 retries
[SUCCESS] <radkit_client.sync.snmp.SNMPTable object at 0x108e37ac0>
i oid value
--- ---------------------- ----------------------------------------------
0 1.3.6.1.4.1.9.2.1.73.0 'harddisk:cbrsup-universalk9.17.12.01.SPA.bin'
[myuser@abcd-1234-efgh] >
The timeout is expressed in seconds and must be greater or equal to 1. Retries indicates how many times the SNMP request needs to be retried if no response after the timeout has passed. A value of 0 indicates no retry.
The SNMP retries and timeout values can be changed permanently by settings in the settings.toml, such as:
[client.network_console]
snmp_retries=5
snmp_timeout=15
update_inventory
update_inventory Changed in 1.7: update_inventory becomes deprecated. Please use update-inventory instead.
update-inventory
update-inventory refreshes the inventory, in case anything has changed on the RADKit
Service side. This command takes no argument.
reauthenticate
If a client session times out, using the reauthenticate command will
attempt to log in the current user again. This command takes no argument.
download
download downloads a file from a remote device to the local file system through SCP or SFTP.
The syntax is: download {scp|sftp} <device_name> <remote_file> <local_file>
[myuser@abcd-1234-efgh] > download scp acdc-920-1-cisco-com config_backup local_config_backup
local_config_backup 100.0% [========================================>] 19951/19951 eta [00:00]
[myuser@abcd-1234-efgh] >
Note
The remote device must support SCP or SFTP for this to work, and it must have valid Terminal credentials configured on the RADKit Service side.
download cxd
download cxd allows to transfer a file from the remote device to Cisco CXDrive (Usually a TAC service request), directly from the RADKit service side. When using CXD transfer, the file does not transit through the RADKit Client or Network-Console.
The syntax is: dowmload cxd {scp|sftp} <device_name> <remote_file> [<cxd_file>]
Note
For Cisco users, please ensure the context to the correct SR is opened during service connection with service <service-id> sr <sr>. Otherwise, the following message will be printed:
[myuser@abcd-1234-efgh] > download cxd scp my-router logs.txt logs.txt
ERROR: Invalid SR number format
Open SR context during service connection with:
service <service-id> sr <sr-number>
Then, proceed again with CXD transfer
Note
For non-Cisco users, Network-Console will prompt for the service request number, such as the following:
[myuser@abcd-1234-efgh] > download cxd scp my-router logs.txt logs.txt
Cisco Service Request number (6xxxxxxxx): 612345678
[SUCCESS] FillerRequest(status='SUCCESS', rpc_name='read-and-upload-file')
---------------- ----------------------------------------------
sent_timestamp 2023-09-22 17:37:19
request_type SCP download to destination
client_id myuser@external.com
service_id abcd-1234-efgh
updates 1 total, 0 failed
result None
forwarder wss://prod.radkit-cloud.cisco.com/forwarder-1/
e2ee_used True
compression_used zstd
---------------- ----------------------------------------------
upload
upload uploads a file from the local file system to a remote device through SCP or SFTP.
The syntax is: upload {scp|sftp} <device_name> <local_file> <remote_file>
[myuser@abcd-1234-efgh] > upload scp acdc-920-1-cisco-com abc.pcap bootflash:abc.pcap
abc.pcap 100.0% [===============================================>] 2887340/2887340 eta [00:00]
[myuser@abcd-1234-efgh] >
Note
The remote device must support SCP or SFTP for this to work, and it must have valid Terminal credentials configured on the RADKit Service side.
proxy
proxy start starts a local SOCKS or HTTP proxy session for a given port (see Port forwarding, SOCKS5 & HTTP proxy).
The syntax is: proxy start {http|socks} <local_port>
To start an HTTP proxy:
[myuser@abcd-1234-efgh] > proxy start http 10000
HTTP proxy is NOT PROTECTED by username/password
[RUNNING] <radkit_client.sync.port_forwarding.ProxyPortForwarder object at 0x110526140>
---------- -------
status RUNNING
local_port 10000
#active 0
#failed 0
#closed 0
#total 0
protocol HTTP
bytes up 0
bytes down 0
exception None
---------- -------
Use http://localhost:10000 as an HTTP proxy in your browser.
Then navigate to: https://index.proxy/
To start a SOCKS proxy:
[myuser@abcd-1234-efgh] > proxy start socks 10001
SOCKS_V5 proxy is NOT PROTECTED by username/password
[RUNNING] <radkit_client.sync.port_forwarding.ProxyPortForwarder object at 0x11050c0d0>
---------- --------
status RUNNING
local_port 10001
#active 0
#failed 0
#closed 0
#total 0
protocol SOCKS_V5
bytes up 0
bytes down 0
exception None
---------- --------
Use this PAC URL for proxy auto-configuration: https://prod.radkit-cloud.cisco.com/pac?port=10001
Then navigate to: https://index.proxy/
proxy stop stops an HTTP or SOCKS proxy.
The syntax is: proxy stop {http|socks}
To stop a proxy:
[myuser@abcd-1234-efgh] > proxy http stop
[myuser@abcd-1234-efgh] > proxy socks stop
[myuser@abcd-1234-efgh] > show proxy
No active proxy.
The show proxy command will list active HTTP and SOCKS proxies.
[myuser@abcd-1234-efgh] > show proxy
HTTP Proxy:
[RUNNING] <radkit_client.sync.port_forwarding.ProxyPortForwarder object at 0x110526140>
---------- -------
status RUNNING
local_port 10000
#active 0
#failed 0
#closed 0
#total 0
protocol HTTP
bytes up 0
bytes down 0
exception None
---------- -------
Use http://localhost:10000 as an HTTP proxy in your browser.
Then navigate to: https://index.proxy/
SOCKS Proxy:
[RUNNING] <radkit_client.sync.port_forwarding.ProxyPortForwarder object at 0x11050c0d0>
---------- --------
status RUNNING
local_port 10001
#active 0
#failed 0
#closed 0
#total 0
protocol SOCKS_V5
bytes up 0
bytes down 0
exception None
---------- --------
Use this PAC URL for proxy auto-configuration: https://prod.radkit-cloud.cisco.com/pac?port=10001
Then navigate to: https://index.proxy/
Note
Proxy sessions are asynchronous and run in the background. Once the proxy is started, you will be returned to the Network Console prompt to continue your work.
HTTP and SOCKS proxy can be both set simultaneously as long as they are running on different local ports
session_logs
session_logs Changed in 1.7: session_logs becomes deprecated. Please use session-logs instead.
session-logs
session-logs upload <filename> command allows to manually upload a given interactive session log to a Cisco CX service request, provided that the connection to the service was made using service <service> sr <sr>.
[myuser@abcd-1234-efgh] 612345678> show session-logs
<radkit_client.sync.state.SessionsDict object at 0x10c84f7c0>
Active Session objects for device: <bound method AsyncDevice.name of AsyncDevice(name='router-123', service_display_name='router-123', host='10.48.88.253', device_type='LINUX', forwarded_tcp_ports='1-65535', failed=False)>
key service_id device_name term term_size bytes_read bytes_written closed session_log_filename
----- ------------ ------------- -------------- ----------- ------------ --------------- -------- ------------------------------
0 abcd-1234-efgh router-123 xterm-256color 148x28 1137 14 True 20230818-154209-router-123.log
[myuser@abcd-1234-efgh] 612345678> session-logs upload 20230818-154209-router-123.log
Uploading session log /Users/myuser/.radkit/session_logs/client/20230818-154209-router-123.log [1268 bytes] to 612345678, please wait ...
Upload successful!
The logs are then attached to the Cisco TAC SR.
Note
This feature requires the RADKit Network Console to be executed with a logged-in user having access to the specified service request. (The user must be associated with the contract number used to open the TAC SR)
platform
The platform command introduced in 1.6.3 offers additional functionality for certain platform types.
- Supported platforms:
Catalyst Control Center (CCC), formerly DNA Center
Cisco Firewall Threat Defense (FTD)
Cisco Firepower Management Center (FMC)
platform ccc
The platform ccc offers the following additional features for Cisco Catalyst Center.
Note
Due to software limitations with the embedded RADKit inside Cisco Catalyst Center (Remote Support Authorization), the following features require using a standalone RADKit service (1.6.0 or above) containing one or more CATALYST_CENTER device(s).
When connecting to a Cisco Catalyst Center instance running a version incompatible with these features, the following message will be printed:
"RADKit Service version <version> does not support this feature."
platform ccc rca <device>: This allows to generate an RCA file on the server. The command will return the prompt when the generation is finished. To transfer the generated RCA file from the device, use thedownload scp <>command.platform ccc admin-shell <device>: Establishes an interactive session as admin shell onto the device. Some Catalyst Center versions require a consent-token (Cisco-internal only), in such case, a browser window will open to authenticate with Cisco internal credentials. Not all Catalyst Center versions are supported yet at this time.platform ccc root-shell <device>: Establishes an interactive session as root shell onto the device. Some Catalyst Center versions require a consent-token (Cisco-internal only), in such case, a browser window will open to authenticate with Cisco internal credentials. Not all Catalyst Center versions are supported yet at this time.
platform ftd
The platform ftd command offers one-liner shell access to the following shells of FTD device
platform ftd <device> clish: Default shell on FTD - This command is equivalent tointeractive <device>.platform ftd <device> expert: Equivalent to typingexpertinto aclishshell, handles the sudo password prompt automatically.platform ftd <device> lina: Equivalent to typingsystem support diagnostic-cli.
Note
These commands are only available for devices configured with type FTD on the RADKit service side.
platform fmc
The platform fmc command offers one-liner shell access to the following shells of FMC devices
platform fmc <device> clish: Default shell on FMC - This command is equivalent tointeractive <device>.platform fmc <device> expert: Equivalent to typing`expertinto aclishshell, handles the sudo password prompt automatically.
Note
These commands are only available for devices configured with type FMC on the RADKit service side.
platform linux
The platform linux command offers root shell access (sudo) for LINUX devices.
The command platform linux <device> su will create a root shell interactive terminal session, provided that the user is part of the sudoers file. If not, then the interactive session will fail.
Stopping the Network Console
To exit, simply enter exit or quit, or send EOF at the prompt (^D on Linux/macOS).