radkit-remote-access
$ npx mdskill add automateyournetwork/netclaw/radkit-remote-access

Enables cloud-relayed access to remote network devices for CLI, SNMP, and inventory tasks
- Solves remote access challenges in air-gapped or multi-site network environments
- Relies on Cisco RADKit cloud infrastructure and on-premises service for secure relay
- Uses certificate-based authentication and encrypted communication for secure access
- Delivers CLI execution, SNMP polling, and device discovery via cloud-relayed connections
SKILL.md (`.github/skills/radkit-remote-access`)
---
name: radkit-remote-access
description: "Cisco RADKit — cloud-relayed remote device access, CLI execution, SNMP polling, device inventory discovery, attribute inspection. Use when accessing remote network devices through a cloud relay, running CLI on air-gapped devices, polling SNMP metrics remotely, or discovering device inventory via RADKit."
version: 1.0.0
license: Apache-2.0
tags: [cisco, radkit, remote-access, cli, snmp, inventory, cloud-relay]
---
# RADKit Remote Device Access
## MCP Server
- **Repository**: [CiscoDevNet/radkit-mcp-server-community](https://github.com/CiscoDevNet/radkit-mcp-server-community)
- **Transport**: stdio (Python via FastMCP), SSE, or HTTPS
- **Requires**: `RADKIT_IDENTITY`, `RADKIT_DEFAULT_SERVICE_SERIAL`, active RADKit service instance
- **Python**: 3.10+
## How RADKit Works
RADKit provides a **cloud-relayed** path to on-premises devices:
```
NetClaw Agent --> RADKit Cloud --> RADKit Service (on-prem) --> Device (CLI/SNMP)
```
- The **RADKit Service** runs inside the network perimeter, onboarded with access to devices
- The **RADKit Client** (this MCP server) authenticates via certificate-based identity
- All communication is encrypted, relayed through Cisco's RADKit cloud infrastructure
- No direct SSH/SNMP from the agent host to the devices is needed
This is ideal for:
- **Air-gapped networks** where the AI agent cannot directly SSH to devices
- **Cloud-hosted agents** that need to reach on-premises devices
- **Multi-site operations** where a single RADKit service provides access to many devices
- **Secure environments** where certificate-based auth is required (no passwords in transit)
## MCP Tools
| Tool | Parameters | What It Does |
|------|-----------|--------------|
| `get_device_inventory_names` | none | List all onboarded device names from the RADKit service |
| `get_device_attributes` | `target_device` | Retrieve device details in JSON: host, type, configs, SNMP/NETCONF status, capabilities |
| `exec_cli_commands_in_device` | `target_device, commands, timeout?, max_lines?` | Execute CLI commands on a device with timeout and line-limit controls |
| `snmp_get` | `target_device, oid(s), timeout?` | Perform SNMP GET operations without CLI execution |
| `exec_command` | `target_device, commands` | Structured command execution — returns dict/list with status and truncation info |
### Tool Details
#### get_device_inventory_names
Discovers all devices onboarded to the RADKit service. Call this first to know what devices are available.
Returns a set of device names, e.g.: `{"edge-rtr-01", "core-sw-01", "dc-fw-01"}`
#### get_device_attributes
Retrieves detailed JSON attributes for a specific device:
- **Name** and **host** address
- **Device type** (router, switch, firewall, etc.)
- **Configuration capabilities** (SSH, NETCONF, RESTCONF)
- **SNMP status** (enabled, community/v3 config)
- **Platform details** (model, OS, version)
Safe for parallel execution across multiple devices.
#### exec_cli_commands_in_device
Executes CLI commands on a device through the RADKit relay:
- **timeout** — maximum wait time per command (prevents hung sessions)
- **max_lines** — truncate output to N lines (prevents massive output from flooding context)
- Returns raw CLI output as text
Use this for standard show commands, debug captures, and configuration inspection.
#### snmp_get
Performs SNMP GET without executing CLI:
- Query one or more OIDs in a single call
- Useful for metric polling (uptime, interface counters, CPU utilization)
- Lower overhead than CLI for structured data retrieval
Common OIDs:
| OID | Metric |
|-----|--------|
| `1.3.6.1.2.1.1.1.0` | System Description |
| `1.3.6.1.2.1.1.3.0` | System Uptime |
| `1.3.6.1.2.1.1.5.0` | System Name |
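| `1.3.6.1.2.1.2.2.1.2` | Interface Description (ifDescr column; append the interface's ifIndex for a GET) |
| `1.3.6.1.2.1.2.2.1.8` | Interface Operational Status (ifOperStatus column; append the interface's ifIndex for a GET) |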
#### exec_command
Structured command execution that returns a dictionary or list:
- Includes **status** (success/failure) per command
- Includes **truncation info** if output exceeded limits
- Better for programmatic processing than raw CLI output
## Workflow: Remote Device Discovery
When first connecting via RADKit:
1. **Inventory**: `get_device_inventory_names` — what devices are available?
2. **Attributes**: `get_device_attributes` for each device — type, platform, capabilities
3. **Quick health**: `snmp_get` with sysUpTime (1.3.6.1.2.1.1.3.0) for each device
4. **Report**: device inventory table with type, platform, and uptime
## Workflow: Remote CLI Troubleshooting
When investigating an issue on a remote device:
1. **Identify device**: `get_device_inventory_names` — find the target device name
2. **Check capabilities**: `get_device_attributes` — confirm CLI access is available
3. **Execute commands**: `exec_cli_commands_in_device` with timeout and max_lines
   - `show ip interface brief` — interface status
   - `show ip route summary` — routing table health
   - `show processes cpu sorted` — CPU utilization
   - `show logging last 50` — recent syslog messages
4. **Structured output**: `exec_command` for commands needing programmatic parsing
5. **Report**: troubleshooting findings with device state
## Workflow: Remote SNMP Polling
When collecting metrics from remote devices:
1. **Inventory**: `get_device_inventory_names` — target devices
2. **System info**: `snmp_get` with sysDescr, sysName, sysUpTime
3. **Interface status**: `snmp_get` with ifOperStatus for key interfaces
4. **Counters**: `snmp_get` with ifInOctets, ifOutOctets for bandwidth tracking
5. **Report**: SNMP metric summary with uptime and interface health
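An added example for the counters step above (not code from the NetClaw or RADKit projects): turning two `snmp_get` polls of ifInOctets/ifOutOctets into a bit rate while handling Counter32 wrap and device restarts. The sample dict shape and the function names are assumptions, since the page does not document the `snmp_get` return format.

```python
COUNTER32_MOD = 2 ** 32    # ifInOctets/ifOutOctets are 32-bit counters
TICKS_PER_SECOND = 100     # sysUpTime is TimeTicks: hundredths of a second


def max_safe_interval_s(link_bps):
    """Longest poll gap that guarantees at most one counter wrap at line rate."""
    return COUNTER32_MOD * 8 / link_bps


def octet_rate_bps(prev, curr, link_bps):
    """Return bits/s between two polls, or None when the pair is unusable.

    prev/curr are dicts with 'uptime_ticks' (sysUpTime) and 'octets'
    (ifInOctets or ifOutOctets), integers already extracted from snmp_get.
    This shape is hypothetical, not the MCP server's return format.
    """
    elapsed_ticks = curr["uptime_ticks"] - prev["uptime_ticks"]
    if elapsed_ticks <= 0:
        # sysUpTime did not advance: the device restarted (counters reset)
        # or sysUpTime itself wrapped. Either way the delta is meaningless.
        return None
    delta = curr["octets"] - prev["octets"]
    if delta < 0:
        delta += COUNTER32_MOD  # assume exactly one wrap between polls
    rate = delta * 8 * TICKS_PER_SECOND / elapsed_ticks
    # A rate above line speed means a cleared counter or several wraps.
    return rate if rate <= link_bps else None


def interval_rates(samples, link_bps):
    """Rates for each consecutive pair in a time-ordered list of samples."""
    return [octet_rate_bps(a, b, link_bps) for a, b in zip(samples, samples[1:])]


if __name__ == "__main__":
    # Constructed samples: normal interval, counter wrap, then a restart.
    polls = [
        {"uptime_ticks": 1000, "octets": 4294842000},
        {"uptime_ticks": 2000, "octets": 4294967000},
        {"uptime_ticks": 5000, "octets": 2704},
        {"uptime_ticks": 1200, "octets": 90},
    ]
    print(interval_rates(polls, link_bps=1_000_000_000))
```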
## Workflow: Multi-Site Health Check via RADKit
When checking health across sites served by the RADKit service:
1. **Inventory**: `get_device_inventory_names` — all devices across sites
2. **Attributes**: `get_device_attributes` for each — group by type and site
3. **Health commands**: `exec_cli_commands_in_device` per device:
   - `show version` — uptime, software version
   - `show processes cpu | include CPU utilization`
   - `show memory statistics`
4. **SNMP baseline**: `snmp_get` for sysUpTime, interface counters
5. **Report**: multi-site health dashboard with per-device status
## Integration with Other Skills
| Skill | How They Work Together |
|-------|----------------------|
| `pyats-network` | RADKit for cloud-relayed access, pyATS for direct SSH — complementary paths to devices |
| `pyats-health-check` | RADKit provides remote device data; pyATS health-check procedures analyze it |
| `pyats-troubleshoot` | RADKit CLI exec for remote devices that pyATS can't reach directly |
| `pyats-routing` | Use RADKit to collect routing state from remote sites, analyze with routing skill |
| `pyats-security` | RADKit CLI for remote security audit commands (ACLs, AAA, CoPP) |
| `meraki-monitoring` | Meraki for cloud-managed devices, RADKit for on-prem devices behind Meraki MX |
| `te-path-analysis` | ThousandEyes external path + RADKit internal CLI for end-to-end troubleshooting |
| `nso-device-ops` | NSO for orchestrated config, RADKit for raw CLI access to same devices |
| `gait-session-tracking` | Record all RADKit remote access sessions in GAIT |
| `servicenow-change-workflow` | Gate any config changes through RADKit with ServiceNow CRs |
## Important Rules
- **RADKit is read-write capable** — if the onboarded user has write access, CLI commands can push configuration. Always gate config changes with ServiceNow CRs.
- **Certificate security is critical** — the RADKit private key must never be shared. Use strong passphrases.
- **Timeout controls prevent hung sessions** — always set reasonable timeouts on CLI commands (default: 30 seconds).
- **max_lines prevents context overflow** — use line limits for commands with potentially large output (show tech, show run on large configs).
- **SNMP is lighter than CLI** — prefer `snmp_get` over CLI for structured metrics (uptime, counters, status).
- **One RADKit service can serve many devices** — the service runs on-prem and proxies to all onboarded devices.
- **Record in GAIT** — log all remote access sessions, commands executed, and findings.
- **This is a community project** — not an official Cisco product. Use for experimentation, learning, and authorized operations.
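One way to enforce the rules above before a batch reaches `exec_cli_commands_in_device`, as an added example that is not part of the skill or the RADKit MCP server. The `gate` function, the 500-line cap and the `CHG` plus seven digits change-number pattern are assumptions; the check validates the number's format only, not its approval state in ServiceNow.

```python
import re
from dataclasses import dataclass

# Assumed policy values; only the 30-second default timeout comes from the page.
MAX_TIMEOUT_S = 30
MAX_LINES_CAP = 500
READ_ONLY = re.compile(r"^show\s+\S", re.IGNORECASE)
# Embedded newlines or output redirection can turn a "show" into a write.
UNSAFE = re.compile(r"[\r\n]|\|\s*(redirect|append|tee)\b", re.IGNORECASE)
CR_ID = re.compile(r"CHG\d{7}")  # assumed ServiceNow change-number format


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    timeout: int
    max_lines: int


def _clamp(value, cap):
    """Use the cap when the caller gave nothing sensible; never exceed it."""
    return cap if not value or value < 1 else min(int(value), cap)


def gate(commands, timeout=None, max_lines=None, change_request=None):
    """Decide whether a batch may be passed to exec_cli_commands_in_device."""
    t, n = _clamp(timeout, MAX_TIMEOUT_S), _clamp(max_lines, MAX_LINES_CAP)
    if not commands:
        return Decision(False, "empty command list", t, n)
    if any(UNSAFE.search(c) for c in commands):
        return Decision(False, "newline or output redirection in command", t, n)
    # Anything that is not a plain "show ..." is treated as a possible write.
    writes = [c.strip() for c in commands if not READ_ONLY.match(c.strip())]
    if writes and not (change_request and CR_ID.fullmatch(change_request)):
        return Decision(False, f"{writes[0]!r} needs a change request", t, n)
    mode = f"change under {change_request}" if writes else "read-only"
    return Decision(True, mode, t, n)


if __name__ == "__main__":
    print(gate(["show ip interface brief"], timeout=600))
    print(gate(["configure terminal"], change_request=None))
```

The returned `reason`, `timeout` and `max_lines` are also the fields worth writing to the session audit trail alongside the command list.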
## Environment Variables
- `RADKIT_IDENTITY` — User email address for RADKit authentication
- `RADKIT_DEFAULT_SERVICE_SERIAL` — RADKit service instance identifier
### Container/CI Deployment (base64-encoded credentials)
- `RADKIT_CERT_B64` — Base64-encoded client certificate
- `RADKIT_KEY_B64` — Base64-encoded private key
- `RADKIT_CA_B64` — Base64-encoded CA chain
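- `RADKIT_KEY_PASSWORD_B64` — Base64-encoded key password

Base64 is an encoding, not encryption: anyone who can read these variables holds the identity, so supply them from the CI or container platform's secret store rather than from committed files.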
### Local Development
For local use, RADKit auto-detects certificates in `~/.radkit/identities/` generated during the setup onboarding wizard (`bash setup.sh` in the cloned repo).