The Cisco Catalyst Cellular Gateways are connected to the device using a physical port. The Web-Based User Interface feature acts as an assistive tool to perform configurations and also helps in monitoring the device’s status and performance.

To log in to the Cisco Catalyst Cellular Gateway Web-Based User Interface, open the link (http://192.168.1.1:8008, https://192.168.1.1:8008) in a web browser. For first time users, the default username is admin and the default password is the serialnumber provided on the device. Enter the credentials (username, password) in the login prompt. A default Dashboard opens displaying a summary of the device status.

To log out of the Cisco Catalyst Cellular Gateway Web-Based User Interface, click Logout on the Dashboard.

From the main menu, choose Dashboard.

The Dashboard summarizes the device status and displays the following information:

From the main menu, choose Monitoring.

The Monitoring page displays the following:

The Configuration page allows you to configure the modem and SIM slot settings. There is an option to manage and configure Access Point Name (APN) profiles this page.

1. From the main menu, choose Configuration > Cellular tab, click the Click to configure link.

• In Cellular Configuration page, the General window is used to configure diagnostic monitor (DM) logs

Click Save to activate the new changed DM log parameters.

• In the SIM window, configure the SIM and Slot settings. Choose SIM, from the drop-down, click SIM Primary.

Click Save to activate the new changed parameters.

• From the SIM drop-down, click Slot.

Click Save to activate the new changed parameters.

The Profiles page allows multiple user profiles to be created, edited, and deleted.

1. From the main menu, choose Configuration > Profiles tab, click Add to create a new profile.

   Field	Description
   Profile ID	You can configure the ID between the range of 1 to 16.
   APN Name	Add the name in string format.
   PDN Type	Select the IPv4 or IPv6 address from the drop-down. Authentication: If authentication is configured as none, then there is no requirement to add the username or password. If authentication is configured as CHAP, PAP, PAP or CHAP, you need to add the username and password.
   Username	Enter a new authentication username.
   Password	Enter a new authentication password.

   Click Save to activate the new changed parameters.

1. From the main menu, choose Administration > User.

2. Click on the 3 ellipses > Change Password.

3. Click Submit to activate the new changed password.

The command line interface (CLI) is provided to view all the configurations of the device. This is needed for debugging and troubleshooting. The show commands can be performed to view these details.

1. From the main menu, choose Administration > Command Line Interface.

2. On the Command Line Interface page, in the Exec field, enter a show command and press Enter. A list of all the available commands are displayed on the interface.

1. Click Download Admin Tech Logs on the display page that can be used for troubleshooting purposes.

2. Click the Settings icon, in Preferences > click the radio button for Light mode or Dark mode to change the theme.

3. Click Save to activate the new changed parameters.

Event notification system log (syslog) messages can be logged to files on the local device, and/or sent to a remote host or hosts.

• Logging into a local device’s hard disk of syslog messages with a priority level of “information” is enabled by default.

• The log files are in the local disk under /var/log directory.

The default or configured syslog messages priority values are recorded in a number of files in the directory /var/log:​

• auth.log: Login, logout, and superuser access events, and usage of authorization systems.

• kern.log: Kernel messages.

• messages: Consolidated log file that contains syslog messages from all sources.

• vdebug: All debug messages for modules whose debugging is turned on and all syslog messages above the configured priority value are saved to the file /var/log/tmplog/ vdebug. Debug logging supports various levels of logging based on the module. Different modules implement the logging levels differently.

  For example, the system manager (sysmgr) has two logging levels (on and off), while the chassis manager (chmgr) has four different logging levels (off, low, normal, and high). Debug messages cannot be sent to a remote host. To enable debugging, use the debug operational command.

• vsyslog: All syslog messages from Cellular Gateway processes (daemons) above the configured priority value are stored in the file /var/log/vsyslog. The default priority value is "informational", so by default, all "notice", "warning", "error", "critical", "alert", and "emergency" syslog messages are saved.

• daemon.log: All the boot up, lifecycle information of the daemons being spawned and restarted.

The Cellular Gateways software does not use the following standard LINUX files, which are present in /var/log, for logging: cron.log, debug, lpr.log, mail.log, and syslog.

Oct 20 08:00:34 CellularGateway CWAND[8176]: CWAN:dev_ready_handler:QMI channels initialization failed...retry_count[0] vendor:Sierra

2022-10-20T08:00:34+00:00 CellularGateway CWAND[8176] CWAN:dev_ready_handler:QMI channels initialization failed...retry_count[0] vendor:Sierra

TACACS is a security application that provides centralized validation of users attempting to gain access to a router or network access server. You must have access to and must configure a TACACS server before the configured TACACS features on your network access server are available.

TACACS provides for separate and modular authentication facilities. TACACS allows for a single access control server (the TACACS) to provide each service--authentication. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.

The goal of TACACS is to provide a methodology for managing multiple network access points from a single management service. The Cisco family of access servers and routers and the Cisco IOS and Cisco IOS XE user interface (for both routers and access servers) can be network access servers.

Network access points enable traditional “dumb” terminals, terminal emulators, workstations, personal computers (PCs), and routers in conjunction with suitable adapters (for example, modems or ISDN adapters) to communicate using protocols such as Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), Compressed SLIP (CSLIP), or AppleTalk Remote Access (ARA) protocol. In other words, a network access server provides connections to a single user, to a network or subnetwork, and to interconnected networks. The entities connected to the network through a network access server are called network access clients; for example, a PC running PPP over a voice-grade circuit is a network access client. TACACS, administered through the AAA security services, can provide the following services:

• Authentication--Provides complete control of authentication through login and password dialog, challenge and response, messaging support.

The authentication facility provides the ability to conduct an arbitrary dialog with the user (for example, after a login and password are provided, to challenge a user with a number of questions, like home address, mother’s maiden name, service type, and social security number). In addition, the TACACS authentication service supports sending messages to user screens. For example, a message could notify users that their passwords must be changed because of the company’s password aging policy.

The TACACS protocol provides authentication between the network access server and the TACACS, and it ensures confidentiality because all protocol exchanges between a network access server and a TACACS are encrypted.

You need a system running TACACS software to use the TACACS functionality on your network access server.

Cisco makes the TACACS protocol specification available as a draft RFC for those customers interested in developing their own TACACS software.

The Cisco Catalyst Cellular Gateway acts as a passthrough device when configured in the passthrough mode. It can also act as a router when configured in the Network Address Translation (NAT) mode. Classification is based on the Differentiated Services Code Point (DSCP) marking in the IP header. The possible DSCP values range from 0-63 and the classified traffic is queued into one of the 8 priority queues. These 8 priority queues can be mapped to a particular priority. The scheduler algorithm prioritizes the traffic based on the priority and the shaper queues the traffic accordingly. If DSCP is not configured, then the traffic is considered as low priority and maps to priority zero.

The traffic shaping algorithm is implemented based on the industry standard Token Bucket Algorithm. A token can be viewed to send certain amount of traffic. These tokens are deposited into a bucket at a certain rate. As the packets arrive, the shaper checks if there are enough packets in the bucket to send traffic. If there are less tokens in the bucket, the traffic is delayed and sent when tokens are available.

If the tokens fill up the packets, the excess tokens are dropped. This happens if the incoming traffic rate is lower than the traffic shaping rate.

Classifier queues the traffic into various queues and the scheduler determines and prioritizes according to the bandwidth. In the Strict Priority mode, egress traffic from the highest priority queue is transmitted first. Traffic from lower priority queues is processed only after the highest queue has been processed.

User configuration is required to map DSCP values to priority. Refer below for example configuration.

The show qos status interface Cellular1 <0..7> is the primary means of verifying any QoS behaviour based on the priority level on the Cellular Gateway platforms.

Federal Information Processing Standard (FIPS) 140-2 is a security standard used to validate cryptographic modules. The cryptographic modules are produced by the private sector for use by the U.S. government and other regulated industries (such as financial and healthcare institutions) that collect, store, transfer, share and disseminate sensitive but unclassified (SBU) information.

Note

From Cisco IOS CG 17.14 and Catalyst SD-WAN Manager 20.14 onwards, support for FIPS is available on Catalyst SD-WAN Manager. FIPS can be configured for CG522 using CLI commands. After you configure the FIPS feature via CLI, a router reload is required to enable or disable FIPS. After enabling the feature, if you need to move back to an earlier image that is not compliant with FIPS, ensure to disable FIPS and then proceed.

To display the status of FIPS on the Cisco Catalyst Cellular Gateways device, perform the following step:

CellularGateway# show gw-system:system status
..
TEMPERATURE
Ambient temperature    = 49 deg C
 
Power source           = AC
 
FIPS mode              = Enabled