ArcanaNetworks

ManageExpress® Virtual Office Deployment Guide

Scope of Document

This deployment guide provides detailed information on configuring the Cisco® Virtual Office headend devices and ManageExpress® Virtual Office. It also presents the end-user provisioning process performed to deploy new Cisco Virtual Office spoke routers.

Please refer to the ManageExpress® Virtual Office Hardware and Software page for more information about the solution and its components.

Introduction

Cisco® Virtual Office (CVO) is an end-to-end solution that provides an office-caliber end-user experience for employees working outside the traditional office environment. Integrating voice, video, wireless, and real-time data, Cisco Virtual Office offers the advantage of deployment with no need for administrator intervention, thus simplifying management and allowing rapid scaling. This document describes how to set up and configure Cisco Virtual Office using ManageExpress Virtual Office (MEVO).

This document assumes a working knowledge of Cisco Virtual Office concepts. For more information and details about specific components of Cisco Virtual Office, please email us at mevo-sales@arcananet.com or submit a request through our web form.

Cisco Virtual Office Architecture

Figure 1 shows the basic Cisco Virtual Office architecture.

Figure 1. Cisco Virtual Office Architecture

MEVOTopology.png
 
 

Components on the corporate network or hub side include:

  • VPN headend router serving as the VPN termination point

  • Certificate authority (CA) server to issue certificates for both remote and headend routers

  • Secure device provisioning (SDP) server for provisioning the remote routers

  • Authentication, authorization, and accounting (AAA) server for device and user authentication: Typically an ACS or ISE server. Please note that ACS has been marked end of life.

  • ManageExpress Virtual Office (MEVO) on a compatible Windows server for Cisco Virtual Office management and provisioning

Typical deployments on the remote side include:

  • Cisco Virtual Office router: Typically a Cisco Integrated Services Routers Generation 2 (ISR G2)

  • IP phone if voice is required

  • A video endpoint if required

  • Laptop computer for connecting to the corporate network; provided by the end user or employer

In a typical production environment, at least two headend hub routers are recommended to provide failover. A third headend router often hosts the SDP server; alternatively, one of the two hub routers can double as the SDP server if the hub routers are ISR G2s. The CA server is typically configured as a root authority on the SDP router; it can also act as a registration authority for a higher-level PKI. This document assumes that the CA and SDP servers are on the same router. Note that the SDP server must be on a router that runs Cisco IOS® Software; SDP functionality is not available on IOS-XE.

On the remote-end side, any Cisco ISR, ISR G2 or ISR G3 router can be used. The platform is determined by the number of hosts that need to connect, the required throughput, and the WAN connection type.

Zero-Touch Deployment

One differentiating feature Cisco Virtual Office offers is zero-touch deployment. With this deployment method, Cisco Virtual Office eliminates the need for preconfigured routers, and the remote router can be provisioned and configured securely with minimal, non-technical user intervention. Deployment is done in two phases: first the administrator phase, then the remote-user phase.

In phase one, the administrator creates a user account in MEVO and submits a provisioning request on behalf of the user at the remote site. MEVO then generates a router configuration and a one-time password and stores them in its database. An email notification is sent to the user account's email address, detailing the remaining steps to finish provisioning.

In phase two, the remote user follows the instructions in that email to provision the device:

  • Connect the power cable to the router and, if it has a power switch, turn it on.

  • Connect an Ethernet cable from the router's outside interface (the interface name is given in the email) to the ISP device (for example, a cable modem).

  • Connect an Ethernet cable from the lowest-numbered LAN port to the laptop, and turn off the laptop's Wi-Fi.

  • Confirm that the laptop has internet connectivity by browsing to any website, then open the provisioning URL from the email.

  • When the provisioning page prompts for a username and password, enter the username and one-time password from the email and continue.

Provisioning runs automatically after successful authentication, and the remote user has corporate network access over the DMVPN tunnel within 2 to 5 minutes. Routers ordered for CVO ship with a pre-built “factory” configuration that should be internet ready: a device plugged into a CVO-ready router should receive a 10.10.10.x IP address, and the router's hostname should be “yourname”. Contact your provider if this is not the case.

The figure below shows the typical MEVO workflow with Cisco Virtual Office.

DeploymentFlow.png
 

Sample MEVO Stateful Business Workflow with Cisco Virtual Office

There are two other ways to create provisioning requests in MEVO. First, the end user can submit their own request: after the administrator creates the account, the end user logs into the MEVO page and applies for a provisioning request; the administrator receives an email and can either approve or deny it. Second, an administrator can import a group of users at once from a CSV file; a template is available on the “teleworkers” page. The steps after the request has been submitted are the same.

The remaining portion of this document focuses on the configuration of the CA and SDP servers, DMVPN headend router, and ManageExpress Virtual Office (MEVO). Using this document, you should be able to fully configure the above and deploy a remote router using the factory default configuration. ACS / ISE policy configuration and the spoke router feature configuration are beyond the scope of this document.

Please refer to the ArcanaNetworks MEVO installation guide for instructions on installing ArcanaNetworks MEVO and to the ArcanaNetworks MEVO user guide for more detailed explanations of ArcanaNetworks MEVO components and functions. Both the ArcanaNetworks MEVO installation guide and user guide can be downloaded from the ArcanaNetworks MEVO download page at http://fileshare.arcananet.com/ (after login). Please contact mevo-sales@arcananet.com if you need a download account.

Platforms and Images

For a complete list of supported and recommended platforms and images, please refer to "Virtual Office Hardware and Software" at www.arcananet.com/virtual-office-hardware-and-software.

MEVO Requirements

ManageExpress Virtual Office (MEVO) must be installed on Microsoft Windows Server 2008 R2, 2012 R2 or 2016. See the ArcanaNetworks MEVO web site for the full list of system requirements: www.arcananet.com/virtual-office. The MEVO installation guide can be found on the ArcanaNetworks MEVO download page at fileshare.arcananet.com. If you need a download account, please contact mevo-sales@arcananet.com.

Setting Up Cisco Virtual Office

The following sections describe how to configure the management components, in the following order:

  • Basic MEVO Tweaks

  • Connecting your ACS / ISE Server to MEVO

  • Configuring the Secure Device Provisioning Router

  • Configuring the DMVPN headend router

  • Creating teleworker classes and settings

  • Provisioning a device

Basic Tweaks

Open a browser and enter http://<ip-address-or-domain-name>/mevo-new to access the ArcanaNetworks MEVO.

MEVO Login

Log in using the default credentials: mevoadmin / mevoadmin

To change the mevoadmin account password, navigate to System > User Accounts. Click on the 3 dots under Action, then click the edit button and set a new password and email. Finish by clicking save. Do this before the server is reachable by anyone else: the default credentials above are published, and they are the first thing an attacker will try.

image004.png

By default, all MEVO accounts (excluding mevoadmin) require a one-time password from a smartphone app to log in. If you need to disable this (for example in a lab), navigate to System > Options, scroll down to the section labeled TOTP Option and uncheck it. For production deployments we recommend leaving TOTP enabled, since MEVO stores router credentials, enable secrets and RADIUS shared secrets.

image007.png

Linking ACS / ISE Servers


Note: PKI-AAA is optional, so you can skip these setup instructions if you do not have a server available (for example in a lab PoC). Regardless, we highly recommend having one: it is the only way for MEVO to fully automate the disconnect process. With PKI-AAA, MEVO can remove the spoke account that authorizes the spoke certificate used to build the VPN tunnel, in addition to revoking the certificate. Without PKI-AAA, certificate revocation is the sole means of preventing a device from establishing a VPN tunnel, so in that case make sure your hubs actually perform revocation checking (CRL or OCSP) rather than accepting any certificate signed by the CA.


Link the PKI-AAA server to MEVO from the Configuration > Server page. First, select the file server with the left checkbox, select More Actions and delete it, then click save. Next, click on More Actions and select Add. For the role select Authentication Server and then click OK.

Once created, select Radius Server as the device type, type in the IP address, then click on the 3 dots under Details and fill out the fields. The Server Key is the RADIUS shared secret configured under the radius commands on your SDP and DMVPN headend routers; it must match the network device entry for those routers in ACS / ISE, so treat it like a password (long, random, and not reused elsewhere). For Method and RADIUS Ports, PAP and 1645/1646 are the defaults; 1645/1646 are the legacy RADIUS ports, while 1812/1813 are the IANA-assigned ones, so use whichever your ACS / ISE server is configured to listen on. Under Radius Server, type in the IP address of the ACS / ISE server. Click save, then the back arrow next to where it says authentication server in the grey header, and then click save again.

If you have not yet set up your PKI-AAA server, please do so before continuing. ACS and ISE setup guides for MEVO are located at http://fileshare.arcananet.com.

Configuring the Headend

This section shows how to set up the headend routers and the extra PKI-AAA rules for MEVO to follow. Navigate to Configuration > Headends.

image011.png

SDP - Configuration

Select the appropriate device type for your SDP router. If it is missing, you can select any value. Fill in its management IP and outside IP addresses then click on the 3 dots for details.

Select your connection method and supply the username, password, and enable secret, and then click save.

In the left hand nav bar, select variables. You will need to fill out this page with the proper values:

  • Certificate Authority HTTP Port – the port SCEP will use for certificate enrollment. SCEP runs over plain HTTP by design; the enrollment messages themselves are PKCS#7 signed and encrypted, so HTTP is only the transport. Vulnerability scanners often flag the cleartext port, so be prepared to document this as an accepted exception.

  • Certificate Authority Fingerprint – Leave this field blank

  • SDP Outside Interface – The name of the interface going to the internet (e.g. gi0/0)

  • Organizational Unit through Country – the distinguished-name attributes (OU, O, L, ST, C) used as descriptive fields in your certificates. If using a Microsoft CA, we recommend matching what you already have in place. For an IOS-based CA, enter values as you see fit.

  • Provisioning Mode – Select the mode that fits your deployment model. Self mode has every end user provision their own device. Warehouse mode has a group of technicians provision devices on behalf of the end user. Warehouse mode is not compatible with one-time passwords.

  • PKI Mode – use CS if your SDP router will also be the certificate server (CA) for your environment; use RA if it acts as a registration authority for an existing CA. If you choose CS, you must also supply a Certificate Authority Archive Password, which protects the archived CA key pair and is required to restore the CA under your disaster recovery plan; store it securely (for example in your password vault), because losing it means losing the ability to restore the CA. If you choose RA, supply the originating PKI server's hostname and IP address.

When finished, click save. Hit the back arrow next to the SDP Registrar header and click save on the main page. MEVO will automatically attempt to connect to your router. It will not do any configuration changes to it yet.

image012.png
image013.png
image016.png

Note: Depending on your version of MEVO, you may need to add a variable called SDP Inside Interface. To do so, click on the 3 dots under details and then click on manage variables in the left nav. Then click on New Variable + and fill out the following:

  • Group – leave blank

  • Type – Text Box

  • Label – SDP Inside Interface

  • Variable Name – sdp_inside_int

You can leave the rest as default. Click on save on the top. Then click on the variables button in the left nav, fill out the details for your new variable, then save again. Click the back arrow, next to the SDP Registrar label and then save again.

image017.png

Note: If device validation fails, check that you entered the correct access credentials under Passwords, and confirm that the MEVO server can reach the headend devices (they must respond to ping from the MEVO server).


 PKI-AAA - Configuration

You will also need to add your ACS / ISE server on the Headends tab. Click More Actions > Add, select PKI-AAA Server for the role (no suffix is needed), and click save. Fill in the device type and management IP, click the 3 dots under Details to enter the passwords, then click save changes. Do not fill out the variables page yet. MEVO will attempt to reach your PKI-AAA server; this fails if the REST API is not enabled, and the REST API must be enabled for MEVO to work properly with your server. For ACS, the REST API must be enabled manually on the CLI.

Once MEVO successfully reaches your server, select it and do more actions > inventory. After this completes, open up the variables page by clicking the details button and selecting variables in the left nav. Fill out the following:

  • Server Ports – the same as you configured under the Configuration > Servers page

  • Server Key - the same as you configured under the Configuration > Servers page

  • Password Type – Internal Users

  • Identity Group – Select the group you created for MEVO spokes. If it does not appear here, you have either selected the wrong device type for the PKI-AAA server or the inventory did not complete successfully.

  • Create Network Device per Spoke – mark true if your spoke router will need to send RADIUS or TACACS requests to your PKI-AAA server. You will need to fill out additional details if you do so.

  • Shared Secret – the shared secret your device will use if it has a network device entry created

  • Password should not contain – any excluded words from your password (e.g. cisco)

Click save on this page, back out one level, and click save again to finish.

image021.png

SDP - Deployment

Once the SDP Registrar and PKI-AAA Server validation succeeds, you are ready to deploy the SDP router. Use the check box on the left to select your configured SDP, then click More Actions > Deploy. The resulting popup will prompt you to select which template to use for your SDP's deployment. Click Next through the prompts to start the provisioning. You can also view the configuration before it is applied by clicking on the Details button on the last prompt page; it is worth reading once, since it contains the CA and SCEP settings the rest of your PKI will depend on.

After a couple of minutes, the provisioning should be completed. If you have a connection to your SDP, then at this time you can issue show run commands to verify the config.


Note: If you get an error message: failed to replace the variables, there are a few ways to solve it. First, check to make sure that you have configured and saved all the details from the previous steps properly. Second, you can try creating the missing variables in their appropriate location (see the above SDP configuration step for creating “sdp_inside_int”). Third, you can edit your template and replace the variable with its actual value.


Note: If you get the error message “failed to copy configuration to the device”, it is likely that the SDP router’s version of code is not compatible with one of the lines configured in your template. The rest of the commands should have been pushed to the router regardless. You can check its state by doing a “sh run” on your router. Contact Arcana support for questions about necessary configuration for SDP/CA functionality.


Note: If deployment fails and the trace file shows an I/O error, it usually means that MEVO could not access the specified template. This is often due to a security / permissions issue on hardened servers. Please contact Arcana support.


Once the provisioning has completed, select your SDP once again, and run More Actions > Inventory. After this process completes, you should be able to open up your Variables popup and see that the Certificate Authority Fingerprint field has now been filled in. You will need this value populated in order to configure your DMVPN hubs.

DMVPN – Configuration

Use More Actions > Add and select DMVPN Cloud to create entries for your hubs. If you are creating a multi-cloud environment, input a different group suffix for each DMVPN cloud you create (e.g. east, west, California, New York); otherwise leave it blank. When you add a DMVPN cloud, MEVO automatically generates five entries: the cloud itself, and the primary, secondary, tertiary and quaternary data gateways. Delete the gateway entries you will not use.

Fill in your DMVPN cloud’s device type, management IP, and outside IP.  Open up your details for the DMVPN Cloud entry. Then start configuring the variables. The variables selected here will result in the corresponding configuration for your DMVPN environment. Here are some of our recommendations:

  • Your tunnel network address and subnet mask should be sized to accommodate all future expansions. One address will be used for each tunnel. Tunnel Network information cannot be changed after a spoke has been deployed.

  • Your cryptographic policies (ISAKMP encryption, IPsec encryption, IPsec hash algorithm, Diffie-Hellman group). You can keep the supplied defaults unless otherwise specified, but review them first: for an internet-facing DMVPN, avoid DES/3DES, MD5 and DH groups 1, 2 and 5 in favour of AES-256, SHA-256 and DH group 14 or higher. We recommend using the same values across all your clouds.

  • The EIGRP AS number for your DMVPN cloud routing. If you are already using EIGRP as your primary routing protocol, your value here can match what is already existing. Alternatively (and for non-EIGRP environments), you can specify a new AS and then manually configure route redistribution on your hubs.

  • The spoke’s EIGRP metrics will determine which DMVPN cloud it considers the primary route to your corporate network. You can manipulate which DMVPN cloud you want to be primary by setting a higher delay value on your secondary clouds.

  • Your tunnel key and NHRP configurations should differ from cloud to cloud. Tunnel keys and NHRP Network IDs are numeric values only. NHRP authentication password is alpha numeric.

  • VPC Gateway – Virtual private cloud for use only with AWS. Leave blank in most cases.

Click the save button and click the back arrow next to the DMVPN Cloud header. Next, open the details page for your Primary Data Gateway. Fill in its access credentials and hit save. Then, on the variables page, fill in the gateway address (typically the first available IP in your tunnel network) and click save. Repeat with the appropriate value for each additional gateway if in use. Remember to click the save button on the main page. As with the SDP configuration, MEVO will attempt to connect to your hubs.
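As an added example (not part of this guide and not MEVO code), the check below scores a DMVPN cloud's crypto variables against the baseline recommended above, and confirms that several clouds share the same policy. The variable names isakmp_encr, ipsec_encr, ipsec_hash and dh_group are assumed to mirror MEVO's DMVPN cloud variables, and both sample policies are constructed; run something like this before deploying the hubs so that a legacy default does not end up in the hub template.

```python
"""Added example: sanity-check DMVPN crypto variables before deploying hubs.

Not MEVO code. The variable names are assumed to mirror the MEVO DMVPN cloud
variables; the two sample policies are constructed for this example.
"""

# Diffie-Hellman groups that are too small for an internet-facing VPN.
WEAK_DH_GROUPS = {1, 2, 5}          # 768-, 1024- and 1536-bit MODP

# Constructed sample policies: a legacy default next to a hardened one.
LEGACY_POLICY = {"isakmp_encr": "3des", "ipsec_encr": "esp-3des",
                 "ipsec_hash": "esp-md5-hmac", "dh_group": 2}
HARDENED_POLICY = {"isakmp_encr": "aes 256", "ipsec_encr": "esp-aes 256",
                   "ipsec_hash": "esp-sha256-hmac", "dh_group": 14}


def check_crypto_policy(policy):
    """Return a list of findings; an empty list means the policy is acceptable."""
    findings = []
    for key in ("isakmp_encr", "ipsec_encr"):
        alg = str(policy.get(key, "")).lower()
        if "des" in alg:                                  # catches des and 3des
            findings.append(f"{key}: {alg!r} is deprecated, use AES (256-bit preferred)")
        elif "aes" not in alg:
            findings.append(f"{key}: unrecognised algorithm {alg!r}")
    h = str(policy.get("ipsec_hash", "")).lower()
    if "md5" in h:
        findings.append(f"ipsec_hash: {h!r} is deprecated, use SHA-256 or stronger")
    elif not any(s in h for s in ("sha256", "sha384", "sha512")):
        findings.append(f"ipsec_hash: {h!r} is weaker than SHA-256")
    group = policy.get("dh_group")
    if group in WEAK_DH_GROUPS:
        findings.append(f"dh_group: group {group} is too small, use 14 or higher")
    return findings


def consistent_across_clouds(clouds):
    """True when every cloud (dict of suffix -> policy) uses identical crypto
    settings, as the guide recommends for multi-cloud deployments."""
    keys = ("isakmp_encr", "ipsec_encr", "ipsec_hash", "dh_group")
    policies = {tuple(p.get(k) for k in keys) for p in clouds.values()}
    return len(policies) <= 1


if __name__ == "__main__":
    for name, pol in (("legacy", LEGACY_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, check_crypto_policy(pol) or "OK")
    print("east/west consistent:",
          consistent_across_clouds({"east": HARDENED_POLICY, "west": LEGACY_POLICY}))
```

The substring matching is deliberate: MEVO variables may hold ISAKMP-style names (“aes 256”) or IPsec transform names (“esp-aes 256”), and both should pass the same check.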

image025.png
image027.png

Note: If you are deploying a multi-cloud environment, your clouds should have had a group suffix applied to them (in the screenshots above, we created a DMVPN cloud with the suffix “east”). In order to correctly deploy your hubs, you will need to make some changes to the variables stored in your templates.

Navigate to Configuration > Templates and filter by headend. Locate the template for DMVPN and click on Actions > Edit.

The resulting window should display the template configuration for your DMVPN hub. By default, MEVO uses the ‘$’ character to mark variables. For each of your DMVPN specific variables, you will need to append your suffix to the end of it: for example, $ipsec_encr$ will become $ipsec_encr_east$. Depending on your version of MEVO, your stock template may already contain your variables in the format $ipsec_encr_SFX$. If this is the case, you can use the Find/Replace option on the right, input “SFX” into the search field and type in the name of your suffix into the replace field. Please note that it is case sensitive. Click save to finish. The screenshots below give an example of changing a DMVPN template for “west” into “east”.
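As an added example (not MEVO's own template engine), the Python below reproduces the suffix rewrite described above and the substitution step, and reports the unresolved names behind a “failed to replace the variables” error instead of leaving $…$ markers in the configuration that gets pushed. The sample template and the set of cloud-specific variable names are constructed for the example.

```python
"""Added example: suffix and render MEVO-style $variable$ templates.

Not MEVO code. The sample template and the CLOUD_VARS set are constructed.
"""
import re

VAR_RE = re.compile(r"\$([A-Za-z0-9_]+)\$")   # MEVO marks variables as $name$

# Variables that are specific to one DMVPN cloud and therefore carry the suffix.
# Assumed subset for this example.
CLOUD_VARS = {"isakmp_encr", "ipsec_encr", "ipsec_hash", "dh_group",
              "tunnel_key", "nhrp_network_id", "nhrp_auth"}

# Constructed hub template fragment: $hostname$ is shared, the rest are per cloud.
SAMPLE_TEMPLATE = """hostname $hostname$
crypto isakmp policy 10
 encryption $isakmp_encr_SFX$
 group $dh_group_SFX$
interface Tunnel0
 tunnel key $tunnel_key$
 ip nhrp authentication $nhrp_auth$
 ip nhrp network-id $nhrp_network_id$
"""


def apply_suffix(template, suffix, cloud_vars=CLOUD_VARS):
    """Rewrite $var_SFX$ and bare $var$ (for cloud-specific vars) to $var_<suffix>$."""
    def repl(match):
        name = match.group(1)
        if name.endswith("_SFX"):
            return f"${name[:-4]}_{suffix}$"
        if name in cloud_vars:
            return f"${name}_{suffix}$"
        return match.group(0)               # shared variable, leave untouched
    return VAR_RE.sub(repl, template)


def unresolved_variables(template, variables):
    """Names referenced by the template that have no value; this is what MEVO's
    'failed to replace the variables' error is complaining about."""
    return sorted({n for n in VAR_RE.findall(template) if n not in variables})


def render(template, variables):
    """Substitute every $name$; refuse to render if any name has no value."""
    missing = unresolved_variables(template, variables)
    if missing:
        raise KeyError("failed to replace the variables: " + ", ".join(missing))
    return VAR_RE.sub(lambda m: str(variables[m.group(1)]), template)


if __name__ == "__main__":
    east = apply_suffix(SAMPLE_TEMPLATE, "east")
    values = {"hostname": "hub-east-1", "isakmp_encr_east": "aes 256",
              "dh_group_east": 14, "tunnel_key_east": 100,
              "nhrp_auth_east": "nhrpEast1", "nhrp_network_id_east": 100}
    print(render(east, values))
```

Refusing to render on a missing variable is the safe failure: a half-substituted configuration pushed to a hub is much harder to diagnose than an error listing exactly which names (for example a suffixed variable you forgot to create) are absent.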

image030.png

 DMVPN – Deployment

Now we are ready to deploy our DMVPN hubs. Select your hubs using the check boxes on the left, then click deploy. Ensure that you map the correct templates to the correct cloud and then follow the next prompts to finish provisioning.

Manual Headend Tweaks

In order to finish setting up the DMVPN hubs, a few manual changes must be made on both the SDP and hub routers. First, the SDP router needs an “outside” certificate manually authenticated and enrolled; this certificate ensures that its web interface (the page remote users authenticate to during zero-touch provisioning) presents a certificate with a 2048-bit key (alternatively, you can purchase and load a publicly trusted certificate). Second, each hub router needs an outside-facing VRF configured, along with a certificate enrolled from your CA. Connect to your SDP and hub routers and follow the configuration below. Ensure that you are in privileged EXEC (enable) mode with the necessary privileges.


Note: The following SDP commands use aliases that were configured during the initial deployment.

Note: Both the SDP and hub routers use the name “outside”, for the certificate (trustpoint) and the VRF respectively.


SDP Outside Certificate

Step 1
Command: SDP# configure terminal
Purpose: Enters global configuration mode

Step 2
Command: SDP(config)# crypto pki authenticate outside
Purpose: Authenticates the “outside” trustpoint (retrieves and accepts the CA certificate)

Step 3
Command: SDP(config)# crypto pki enroll outside
Purpose: Submits the enrollment request for the “outside” certificate

Step 4
Command: SDP# requests
Purpose: Alias for “show crypto pki server cvo-cs requests”; lists the pending requests in the certificate server database. Note the request number, since you will grant it in the next step.
Note: this alias only works from privileged EXEC mode, so leave global configuration mode (“end”) before running it.

Step 5
Command: SDP# grant <#>
Purpose: Grants the pending request for the outside certificate (this alias wraps the corresponding “crypto pki server cvo-cs grant” command)

Hub Outside VRFs

Note that applying VRF forwarding to an interface removes its IP address. Record the interface address and the gateway of last resort before starting; “show running-config interface <interface>” and “show ip route” display them. Do this from a console or an inside-interface session if you can, since the outside interface briefly loses its address during the change.

Step 1
Command: Hub# configure terminal
Purpose: Enters global configuration mode

Step 2
Command: Hub(config)# ip vrf outside
Purpose: Creates a VRF named “outside”

Step 3
Command: Hub(config-vrf)# description outside vrf
Purpose: Gives the VRF a friendly description

Step 4
Command: Hub(config)# interface <outside interface>
Purpose: Enters configuration for your outside interface

Step 5
Command: Hub(config-if)# ip vrf forwarding outside
Purpose: Places the interface in the VRF (this clears the interface IP address)

Step 6
Command: Hub(config-if)# ip address <ip address> <subnet mask>
Purpose: Re-applies the interface IP address

Step 7
Command: Hub(config)# interface Tunnel<number>
Purpose: Enters configuration for your DMVPN tunnel interface

Step 8
Command: Hub(config-if)# shutdown
Purpose: Shuts the tunnel so the VRF can be applied

Step 9
Command: Hub(config-if)# tunnel vrf outside
Purpose: Sends the tunnel's outer (transport) packets through the outside VRF; the tunnel interface itself stays in the global table so spoke routes remain in the corporate routing table

Step 10
Command: Hub(config-if)# no shutdown
Purpose: Brings the tunnel back up

Step 11
Command: Hub(config)# ip route vrf outside 0.0.0.0 0.0.0.0 <gateway address>
Purpose: Gives the VRF a default route (gateway of last resort), using the gateway you recorded earlier

Hub cvo-pki Certificates

Follow the steps in the “SDP Outside Certificate” section above for the “cvo-pki” trustpoint that was configured on your DMVPN hub routers during deployment (authenticate and enroll on the hub, then grant the request on the SDP/CA router). Depending on which enrollment URL and interface your hub router uses to reach your SDP/CA router, you may need to add the command “vrf outside” under the cvo-pki trustpoint, because the outside interface now sits in that VRF and the SCEP enrollment traffic must be sourced from it.

Step 1
Command: Hub# configure terminal
Purpose: Enters global configuration mode

Step 2
Command: Hub(config)# crypto pki trustpoint cvo-pki
Purpose: Edits the existing cvo-pki trustpoint

Step 3
Command: Hub(ca-trustpoint)# vrf outside
Purpose: Instructs enrollment (and revocation checking) for this trustpoint to use the outside VRF

You can check the status of your certificate with “show crypto pki certificates verbose cvo-pki”; look for both the router (identity) certificate and the CA (root) certificate. If you are not using a PKI-AAA server, use “no authorization list pkiaaa” under the trustpoint to remove the ACS / ISE integration from your environment.

Remote End – Configuration

Navigate to Configuration > Remote End. Here you will set various values that will be used in your spoke configuration. Every field is required, so if any given field is not applicable to your environment, insert a dummy placement value.

  • Domain Information – the domain your spoke router will be assigned to

  • Credentials – the local username, password and enable secret created for privilege 15 access to the spoke router. If TACACS will be enabled on the spoke, ensure that this account matches the TACACS credentials MEVO will use to manage the device for monitoring and day-2 operations. These values are pushed to every spoke, so treat them as shared secrets and plan to rotate them if they are ever exposed.

  • Time Settings – the NTP servers your spoke router will use after it is provisioned. The factory configuration on your spoke routers syncs to a public NTP server; that entry is removed during the provisioning process.

  • SNMP – community strings for snmp services. If SNMPv3 is enabled, you will need to supply your security parameters

  • Enable External SSH – mark true if you want to allow SSH to your spoke routers from IP address sources outside of your corporate network environment. You will need to supply an allowed IP range / list; keep it as narrow as possible (specific management hosts rather than whole provider ranges), since these routers sit directly on the internet.

  • SSID and Call Manager TFTP Server – if these are not applicable to your environment, you will either need to remove these variables from your templates, or fill in a dummy value or else MEVO will throw an error (variable cannot be found) when you submit a provisioning request

  • Enable One Time Password – the ACS / ISE setup guide has you configure your environment so that the credentials used to authenticate to the zero-touch provisioning page are a local identity account stored in ACS / ISE. Turning this feature on has MEVO create these accounts automatically with a randomly generated password. You will need to supply the identity group the users will be created in, along with additional security parameters. Note that this is not compatible with warehouse provisioning mode.

Click save when you are finished.
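As an added example that is not MEVO's own generator (the length and character rules below are assumptions), this Python produces a one-time password of the kind described under Enable One Time Password from the operating system CSPRNG, and rejects candidates containing any word from the “Password should not contain” list configured on the PKI-AAA variables page, including the teleworker's login name:

```python
"""Added example: generate a provisioning one-time password under an exclusion list.

Not MEVO code; length, alphabet and the letters-plus-digits rule are assumptions.
"""
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def contains_excluded(password, excluded):
    """Case-insensitive check for any excluded word (e.g. 'cisco' or the login name)."""
    lowered = password.lower()
    return any(word and word.lower() in lowered for word in excluded)


def generate_otp(length=12, excluded=("cisco",), login_name=None, attempts=1000):
    """Random password from a CSPRNG that mixes letters and digits and contains
    none of the excluded words; raises if the policy cannot be satisfied."""
    if length < 8:
        raise ValueError("one-time passwords shorter than 8 characters are too weak")
    banned = list(excluded) + ([login_name] if login_name else [])
    for _ in range(attempts):
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        has_mix = any(c.isdigit() for c in candidate) and any(c.isalpha() for c in candidate)
        if has_mix and not contains_excluded(candidate, banned):
            return candidate
    raise RuntimeError("could not generate a password satisfying the policy")


if __name__ == "__main__":
    print(generate_otp(length=16, excluded=("cisco", "mevo"), login_name="jdoe"))
```

The `secrets` module, not `random`, is the right source here: the one-time password is the only thing standing between an attacker who intercepts the provisioning email and a fully enrolled spoke certificate.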

 

image031.png
image032.png
image033.png
image034.png
image035.png

Subnet Blocks - Configuration

Navigate to Configuration > Subnet Blocks. On this page, you will create the LAN pools that are allocated to your spokes. If you have successfully deployed your DMVPN hubs, you should already see entries for your tunnel network.

Click More Actions > add to create a new subnet block. Give it a friendly name and description. The LAN type is a descriptive field for the type of data used on that network (e.g. in some environments, spokes are assigned multiple LAN pools to separate voice, data, and management networks). The Network Address and Subnet fields defines the address space MEVO can use.  The LAN Subnet Mask determines the size of the LAN given to any router assigned to it.

For example, a network address of 172.16.0.0 with subnet mask 255.255.0.0 (/16) and a LAN Subnet Mask of 255.255.255.240 (/28) has MEVO assign a /28 (16 addresses) out of 172.16.0.0/16 to every spoke router assigned to the block, until the /16 is exhausted. That is 2^(28-16) = 4096 possible spokes, or LAN pools.
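The arithmetic above, as an added example that is not MEVO's allocator: it carves a subnet block into per-spoke LAN pools, returns the next free pool given the ones already assigned, and checks a proposed block against existing ones (such as your tunnel network) for overlap. The helper names and the 192.0.2.0 sample block are assumptions for the example.

```python
"""Added example: subnet-block arithmetic for per-spoke LAN pools.

Not MEVO code; it mirrors the guide's 172.16.0.0/16 with /28 pools example.
"""
import ipaddress


def _prefix_len(mask):
    """Accept a dotted mask ('255.255.255.240') or a prefix length ('28' or 28)."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def subnet_block(network_addr, block_mask):
    """The block as a network; strict=True rejects a host address such as 172.16.0.1."""
    return ipaddress.IPv4Network(f"{network_addr}/{_prefix_len(block_mask)}", strict=True)


def lan_pool_count(network_addr, block_mask, lan_mask):
    """Number of LAN pools a block yields: 2 ** (lan_prefix - block_prefix)."""
    block = subnet_block(network_addr, block_mask)
    lan_prefix = _prefix_len(lan_mask)
    if lan_prefix < block.prefixlen:
        raise ValueError("LAN subnet mask must be at least as long as the block mask")
    return 2 ** (lan_prefix - block.prefixlen)


def next_lan_pool(network_addr, block_mask, lan_mask, assigned):
    """Lowest unused pool in the block; assigned is an iterable of 'a.b.c.d/nn' strings."""
    block = subnet_block(network_addr, block_mask)
    used = {ipaddress.IPv4Network(a) for a in assigned}
    for pool in block.subnets(new_prefix=_prefix_len(lan_mask)):
        if pool not in used:
            return str(pool)
    raise RuntimeError(f"subnet block {block} is exhausted")


def overlapping_blocks(candidate, existing):
    """Existing blocks (e.g. your tunnel network) that the candidate block overlaps."""
    cand = ipaddress.IPv4Network(candidate)
    return [b for b in existing if cand.overlaps(ipaddress.IPv4Network(b))]


if __name__ == "__main__":
    print(lan_pool_count("172.16.0.0", "255.255.0.0", "255.255.255.240"))
    print(next_lan_pool("172.16.0.0", "255.255.0.0", "255.255.255.240",
                        ["172.16.0.0/28", "172.16.0.16/28"]))
    # Constructed example: a proposed block colliding with an existing one.
    print(overlapping_blocks("172.16.0.0/16", ["10.1.1.0/24", "172.16.200.0/24"]))
```

Run the overlap check against the tunnel network and every existing block before you click save; MEVO will happily hand out a pool that collides with a corporate prefix, and the symptom only appears later as a spoke that can reach the hub but not the resources behind it.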

image036.png
image037.png
image038.png

Note: You may be prompted to create a user class at this time, you can ignore it.


Templates – Configuration

Navigate to Configuration > Templates. Filter by Spoke and find your spoke device type, then ensure that Show active is unchecked. Here you will see a listing of all the templates available for that router to use. Ensure the following ones are checked under active installation:

  • Base Configuration – contains basic router configuration such as DHCP, NTP, etc. Also contains the trustpoint configuration

  • DMVPN Configuration – contains the crypto settings and tunnel settings for DMVPN

  • Firewall Configuration – basic zone based firewall

  • QOS Configuration – basic QoS policies with a upload shaper value

  • EEM Configuration – contains device-specific changes, such as interface VLAN assignment. Whereas the previous four templates can be shared among all your device types, this template must be unique per device type

  • Factory Configuration – contains the configuration to be pushed to your spoke routers when they are removed from your DMVPN environment

image039.png

Click save when you have finished. If your device type is not viewable, navigate to System > Options. In the left nav, select device types, find the device type of your spoke and click on the 3 dots under action and check the box that says active. Make sure to save your changes on this page as well.

Templates marked as active will be aggregated to make your spoke configuration. If you would like to add additional configuration for your spokes, such as for Wifi, Tacacs, etc, you would create a new template and mark them as active. If certain templates require a previous configuration to run commands properly, use the priority field to specify the order the templates should be loaded into your config.

Email - Configuration

Navigate to Configuration > E-Mail. In the left nav bar, select SMTP Server. Fill in the following:

  • Hostname/IP of your server

  • Port – if using a non-standard one

  • Sender email – emails from MEVO will have this address

  • Receiver email – emails will be sent to this address when you click the “validate” button

  • Requires Authentication – if your SMTP server has additional security settings, fill these out

image040.png

User Classes and Accounts - Configuration

Every spoke (i.e. teleworker or branch office) must be mapped to a class. A user class is simply a mapped set of configurations, such as a device type and subnet block. You can assign multiple spokes to a single class (e.g. you can have a class called 1941-Default that maps together a 1941 router with the default LAN subnet—all of your standard users that will receive a 1941 router will be a part of this class). Classes are how you create logical groupings based on device types and roles for your spokes.

Navigate to Class then click More Actions > Add.

When creating your class pay particular attention to these three fields

  • Device Type – the model of the spoke to be provisioned. You should have set these templates as “active” during the configuration > templates step.

  • LAN Pool – the LAN address scheme your spoke will be given based off of what you configured during the configuration > subnet blocks step.

  • VPN Cloud – selects which of the hub routers your spoke will form adjacencies with.

Click OK to save.

 

image041.png

Navigate to System > System Users. We will need to add a “manager” before we can move on. Click More Actions > Add Users. The manager role is only used in deployments where the end user is expected to submit their own provisioning request (instead of an administrator). For most deployments, you can simply create a placeholder user on this page, meaning you can set it and forget it. Give the account a name, username, password and email, make sure the role “manager” is selected, and create it. More details on account creation are given in the next section.

While you are on this page, add yourself an account with the role “administrator” and, if you have not already done so, change the default “mevoadmin” password to something more secure.


 

You are now ready to create a user account. Navigate to Groups > Teleworkers and click More Actions > Add Teleworker. Pay attention to the following fields:

  • Name – first and last name of the user. This is for descriptive purposes only

  • Login Name – the username under which the account appears in MEVO. When one-time passwords are used, this is also the username of the identity MEVO creates in ISE, and it becomes the hostname of the spoke router deployed to this user

  • Password – only used to log into the MEVO website. It is not related to spoke SSH credentials, ISE, or provisioning. Most end users will never need to log into MEVO, so this is another field you can set and forget

  • Class – assign your users to the appropriate class you created in the previous step

  • Manager – select the default manager you just created

Click Save to create your user.


Note: If your environment already has local identity accounts for users in ACS / ISE, or if you do not want to use one-time passwords, you must make the MEVO account username identical to the ACS / ISE username, or the self-provisioning process will fail. Warehouse mode has no username restrictions.

Note: MEVO has the ability to import Users in bulk from a CSV file.
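A pre-flight check for a teleworker bulk import, added here as an example and not part of MEVO. The CSV column names, class and manager names, and the set of existing ISE identities are all constructed, since the guide does not document the import layout. It applies the constraints above (unique login names that are usable as a router hostname, a known class and manager, and, when one-time passwords are not used, an exact match with an existing ACS / ISE username) and derives the hostname and the username.domain PKIAAA account that each spoke will receive once its request is sent.

```python
import csv
import io
import re

# Conservative hostname rule (letters, digits, hyphens, max 63 chars). This is the
# example's own sanity check, not a restriction documented for MEVO.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_teleworker_csv(csv_text, classes, managers, ise_users, domain, use_otp):
    """Return (derived, errors): derived maps login -> (hostname, PKIAAA account)."""
    derived, errors, seen = {}, [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["login_name"].strip()
        if login in seen:
            errors.append(f"{login}: duplicate login name")
        seen.add(login)
        if not HOSTNAME_RE.match(login):
            errors.append(f"{login}: not usable as the spoke router hostname")
        if row["class"] not in classes:
            errors.append(f"{login}: unknown class {row['class']!r}")
        if row["manager"] not in managers:
            errors.append(f"{login}: unknown manager {row['manager']!r}")
        # Without one-time passwords MEVO relies on an identity that already
        # exists in ACS/ISE under exactly this username.
        if not use_otp and login not in ise_users:
            errors.append(f"{login}: no matching ACS/ISE identity, self-provisioning would fail")
        derived[login] = (login, f"{login}.{domain}")
    return derived, errors


# Constructed sample input; column names are assumed, not MEVO's documented layout.
SAMPLE_CSV = """name,login_name,password,class,manager
Ada Example,111892,Secret1!,1941-Default,provisioning-mgr
Bob Example,111893,Secret2!,1941-Default,provisioning-mgr
Cy Example,111893,Secret3!,881-Wireless,provisioning-mgr
Di Example,bad_name,Secret4!,1941-Default,provisioning-mgr
"""
CLASSES = {"1941-Default"}
MANAGERS = {"provisioning-mgr"}
ISE_USERS = {"111892"}  # local identities that already exist in ACS/ISE

if __name__ == "__main__":
    derived, errors = check_teleworker_csv(
        SAMPLE_CSV, CLASSES, MANAGERS, ISE_USERS, "arcananet.com", use_otp=False)
    for login, (host, pkiaaa) in derived.items():
        print(f"{login}: hostname={host} pkiaaa={pkiaaa}")
    for err in errors:
        print("ERROR", err)
```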


In order for your new account to be provisioned, MEVO must generate its configuration. To do so, use the checkbox on the left to select your account, then click More Actions > Request > Send Request. When the page reloads, select the following:

  • Technology – use cable by default

  • Addressing Scheme – use dynamic by default

  • Upload Speed – the maximum upload speed at which your router can send traffic back to your hub. Err on the side of setting this too large unless you have concerns about the health of your DMVPN hub; otherwise you risk throttling the upstream speed of your spoke

Then click send. At this point, MEVO will create the configuration that will be pushed to your spoke router. It will also create the following accounts in ACS / ISE:

  • PKIAAA account as a secondary form of authentication / authorization for your DMVPN cloud. This account takes the form of username.domain (e.g. 111892.arcananet.com)

  • User identity account for one-time-password authentication into the provisioning page (e.g. 111892)

  • Network device account with the TACACS or RADIUS shared secret from the headends page

MEVO may report an error at this step if a problem occurred. Here are some common issues:

  • Failed to replace the variable $variable-name-here$ – if you see this, a variable was most likely missed during your MEVO setup, or you forgot to change the suffix for some of your DMVPN related variables. Alternatively, you can edit your templates, finding and replacing the variable with a hard-coded value

  • Failed to create pkiaaa account – caused by MEVO being unable to talk to your pkiaaa server using the REST API. Check that REST is enabled on your pkiaaa server

  • Failed to upload the configuration – often caused by security restrictions on a hardened Windows server. Contact Arcana support
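A template check that catches the first error above before the request is sent, added here as an example and not MEVO's own code. The $name$ placeholder syntax is taken from the error message; the template fragment, the variable names and the hub suffix convention (-hub1, -hub2) are constructed for the example.

```python
import re

# Placeholder syntax $name$ is taken from the error message MEVO reports.
PLACEHOLDER_RE = re.compile(r"\$([A-Za-z0-9_-]+)\$")


def lint_template(template, variables):
    """Return (missing, unused, hints); hints maps a missing placeholder to unused
    variables that differ only in the final hyphenated suffix (the hub suffix case)."""
    used = set(PLACEHOLDER_RE.findall(template))
    defined = set(variables)
    missing = sorted(used - defined)
    unused = sorted(defined - used)
    hints = {m: [u for u in unused if u.rsplit("-", 1)[0] == m.rsplit("-", 1)[0]]
             for m in missing}
    return missing, unused, hints


def render(template, variables):
    """Replace every placeholder, failing the way MEVO does on an undefined one."""
    def replace(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"Failed to replace the variable ${name}$")
        return variables[name]
    return PLACEHOLDER_RE.sub(replace, template)


# Constructed template fragment and variable map (not MEVO's shipped templates).
# The WAN-address placeholder still carries the suffix of a second hub that was
# never defined, which reproduces the "forgot to change the suffix" mistake.
TEMPLATE = """hostname $hostname$
crypto pki trustpoint $trustpoint$
 subject-name CN=$hostname$.$domain$
interface Tunnel0
 ip nhrp nhs $dmvpn-hub-tunnel-ip-hub1$
 tunnel destination $dmvpn-hub-wan-ip-hub2$
"""
VARIABLES = {
    "hostname": "111892",
    "domain": "arcananet.com",
    "trustpoint": "cvo-ca",
    "dmvpn-hub-tunnel-ip-hub1": "10.0.0.1",
    "dmvpn-hub-wan-ip-hub1": "198.51.100.1",
}

if __name__ == "__main__":
    missing, unused, hints = lint_template(TEMPLATE, VARIABLES)
    for name in missing:
        print(f"missing ${name}$, similar unused variables: {hints[name]}")
    print(render(TEMPLATE, {**VARIABLES, "dmvpn-hub-wan-ip-hub2": "198.51.100.2"}))
```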

Assuming the provisioning request was sent successfully, you are now ready to deploy your router. See below for instructions on how to complete the process.

End-User Provisioning

This section describes the SDP process from the end-user’s perspective and shows what needs to be done after the user receives the router at the remote location. Typically, the end user receives a router with factory-default settings, setup instructions, and an email message giving access to the provisioning page (described in more detail in the steps that follow). In the case of a branch office or clinic, a technician or administrator at the branch office or clinic would most likely perform this process.

The steps presented here assume that an Internet connection is available with DHCP. Variations such as connection through DSL or a static IP address are also possible with a few modifications, but the basic steps performed by the end user remain the same.

Figure 21. Set up the router at the remote site

 
 

Routers ordered with the Cisco Virtual Office option come with a factory-default configuration that has DHCP enabled on the WAN side. After connecting as shown in the setup figure, you should have an Internet connection through your PC, and your PC should have a 10.10.10.x address.

After the configuration is generated in MEVO, you will get an email message similar to the one shown below with a link to start the SDP process. Click the link to continue. If you are using One Time Password, your username and password to provision will also be included here.

 
 

Enter the appropriate AAA credentials when the pop-up screen asks for user credentials.

 
 

Once authenticated, the provisioning process should begin automatically.

Enter the username cisco and the password cisco if you see another authentication prompt. This prompt asks for the router’s login credentials, which are needed to continue the process.

 


Appendix

Updating the Configuration

After a router is deployed and connected, the administrator can use the steps shown here to add a new configuration template to ArcanaNetworks MEVO and then push the configuration to the remote Cisco Virtual Office routers.

Step 1: Add a New Configuration Template to ArcanaNetworks MEVO.

  1. Create a new configuration in a text file and save it.

  2. Log into ArcanaNetworks MEVO and choose Configuration > Templates.

  3. Click More Actions, then Add a template. Enter or select the information as listed here. When you are finished, click Ok.

a. Type: Choose the type of configuration to be added: Authproxy, DMVPN, Dot1x, EEM, Base, Other, or Firewall. If you choose Other, provide a name for the configuration.

b. Apply on Module: Select this option if the configuration is to go on a module within the router (for example, wireless configurations on the Cisco 881 ISR will need Apply on Module selected).

c. Device Type: Choose the device platform on which the configuration is to be used. If the configuration is the same for all device types, choose Universal.

d. Post SDP: Select the checkbox if the configuration is to be pushed after SDP is completed. In most cases, this option does not need to be selected.

e. Template File: To upload the configuration file you created, click the Browse and select button and choose the file. Alternatively, you can copy and paste your configuration in the text box below.

 

Step 2: Apply the Configuration Update to Deployed Routers

  1. On the Device tab, select the devices that require a configuration update.

  2. Choose More Actions, then Apply Templates.

  3. Select the configuration templates to be applied; then click Next.

  4. To apply the configuration update immediately, select Start Immediately, or to select the date and time to apply the update, select Schedule. Click Next to complete the update or schedule it.

Updating an IOS Image

This section describes how the administrator can add Cisco IOS Software router images to ArcanaNetworks MEVO and push the images to connected remote routers.

  1. Log into ArcanaNetworks MEVO, choose Configuration > Files, and click Add.

  2. Browse to select the image file to be added, enter the image version, and select the device type. RAM, Flash, and Description are optional.

  3. When you are done, click Ok to finish adding the image.

  4. Under the Device tab in ArcanaNetworks MEVO, select the devices that require an image update.

  5. At the bottom right, select IOS Upgrade and then click Go.

    If ArcanaNetworks MEVO asks for an inventory run, continue to Step 6; otherwise, skip to Step 7.


Note: Currently, only devices that are online can have their image upgraded.


  6. Run the inventory.

a. Select the appropriate devices, select Inventory, and click Go.

b. Basic Details and Interface Details should be checked automatically. Click Next to continue.

c. Select the Start Immediately button and click Next to complete the inventory run.

  7. Select the image to be pushed to the routers and click Next to complete the image update.

Disconnecting a Device and Removing a User

This section describes how the administrator can remove a spoke router that has already been provisioned and deployed.

  1. Click the Device tab

  2. Select the device to be removed and click More Actions > Disconnect to remove the device. ArcanaNetworks MEVO will use SSH to access that device and reload the router with the default configuration, thereby disconnecting the router from the network. MEVO will also remove the device profile on the Cisco ACS / ISE for that device if PKI-AAA is enabled.

Note: The device must be online in order for it to be removed. If the device is not currently online, you can still remove the user (see step 3).

  3. Delete the user associated with the device under the Teleworkers page.

 

For More Information

Contact us via email or our web form.

Configure and Enroll a Cisco IOS Software Router to Another Cisco IOS Software Router Configured as a CA Server

User Guide for the Cisco Secure Access Control System 5.1