Skip to content

Lab 3 - Creating a Cognitive AI Agent in Cisco Workflows

Overview

In this lab, you will configure Cisco Workflows to act as an AI Agent that can respond, investigate, and remediate (with your approval) incoming events. By the end of this lab, you will have:

  • Installed and configured RADKit Service for device management
  • Set up the RADKit MCP Server for tool integration
  • Imported the AI Agent workflow definitions from GitHub
  • Configured OpenAI API credentials for LLM access
  • Connected the AI Agent to your existing webhook trigger
  • Tested the cognitive agentic response to a network event

The event flow remains the same as Lab 1, but now with cognitive analysis:

flowchart LR
    A[Device] -->|syslog| B[Splunk]
    B -->|webhook| C[Cisco Workflows]
    C -->|agentic analysis| A

However, the agentic response will be a series of LLM calls which trigger tools (sub workflows) until work is completed.

flowchart TB
    subgraph agent["AI Agent Workflow"]
        direction TB
        subgraph llm["OpenAI Chat Completion"]
            L1[system prompt]
            L2[tools JSON]
            L3[messages]
        end

        subgraph toolbox["ToolBox"]
            T1[execute_terminal_command]
            T2[scratchpad_read/write]
            T3[request_change_approval]
            T4[webex_notification]
            T5[ask_clarifying_question]
        end

        llm -->|tool calls| toolbox
        toolbox -->|process response| llm
    end

Step 1: Install RADKit Service

RADKit (Remote Access and Diagnostic Kit) provides secure remote access to network devices. We'll install it as a Docker container on the ubuntu-server.

1.1 Connect to the Ubuntu Server

  1. From your workstation, SSH to the radkit-server: 

    ssh root@198.18.1.250

    Windows Users

    Use PuTTY to connect to 198.18.1.250 with username root.

    1.2 Verify Pre-loaded Files

The RADKit service container and MCP server files are pre-loaded on the ubuntu-server.

  1. Verify the pre-loaded files exist: 

    ls -la /home/cisco/

    Pre-loaded Files

    The following files are pre-loaded on the ubuntu-server in /home/cisco/:

    • radkit-service.tar - RADKit Docker image (already loaded)
    • radkit-mcp-server-community/ - MCP server source code repository
    • scripts/ - Setup scripts for this lab. Some have already been run for you.

  2. Check if the RADKit service container is already running: 

    docker ps | grep radkit

    If you see radkit-service in the output (which should be the case for you), proceed to Step 2: Configure RADKit Service.

1.3 Run the RADKit Installation Script (If Needed)

  1. If the container is not running but exists, try to start it: 

    docker start radkit-service

  2. If radkit won't start or stay up, then run the installation script, specifying the pre-loaded tar file: 

    ./radkit-install.sh -t /home/cisco/radkit-service.tar

  3. When prompted for the superadmin password during bootstrap, enter: 

    0e52nsq5jf7f-bxq8whdi7dnT

    The script will:

    • Load the RADKit Docker image
    • Create a data directory at /tmp/radkit
    • Bootstrap the RADKit service
    • Start the container on port 8081

  4. Verify the container is running: 

    docker ps | grep radkit

Step 2: Configure RADKit Service

Now we'll configure RADKit through its web interface to enroll with Cisco Cloud, add devices, and set up remote users.

2.1 Login to RADKit WebUI

  1. Open a browser and navigate to: https://198.18.1.250:8081/
  2. Accept the self-signed certificate warning
  3. Login with:
    • Username: superadmin
    • Password: 0e52nsq5jf7f-bxq8whdi7dnT

2.2 Enroll RADKit Service with SSO

  1. Click Connectivity in the left menu
  2. Click Enroll with SSO
  3. Enter your email for Cisco ID
  4. Click Submit
  5. Click the CLICK HERE link to complete SSO authentication

  6. After SSO completes, close the SSO tab and return to the RADKit WebUI

    Important

    Note the Service ID displayed in the top banner, center of the screen (e.g., xxxx-yyyy-zzzz). You will need this for MCP server setup in Step 3.

2.3 Add Network Devices

  1. Click Devices in the left menu
  2. Click Add Device

  3. Add the following three devices:

    Name IP Address Device Type
    r1 198.18.1.101 IOS XE
    r2 198.18.1.102 IOS XE
    r3 198.18.1.103 IOS XE

For each device:

  1. Enter the Name and IP Address
  2. Select IOS XE as the device type
  3. Check Active (remotely manageable)
  4. Under Available Management Protocols, click the checkbox for Terminal
  5. Scroll down to Terminal Settings
  6. Add SSH credentials:
    • Username: cisco
    • Password: cisco
  7. Click Add & continue (or Add & close for the last device)
    RADKit device adding

2.4 Add Remote Users

  1. Click Remote Users in the left menu
  2. Click Add User
  3. Enter your email address
  4. Check Activate this user. You may also want to extend the user's default active duration beyond 24 hours if doing this lab over the course of more than one day.
  5. Click Add & close

Step 3: Setup RADKit MCP Server

The MCP (Model Context Protocol) server allows Cisco Workflows to interact with RADKit-managed devices through a standardized API.

About MCP

We will be setting up an MCP server that acts as an intermediary for Cisco Workflows to send JSON RPC requests over HTTP to the MCP server, which then runs commands in the RADKit SDK. MCP is explained in more detail here: What is Model Context Protocol (MCP) Explained

3.1 Update the RADKit MCP Server Repository

The RADKit MCP server source code is pre-loaded in /home/cisco/ and maintained in a community repository on GitHub.

  1. On the ubuntu-server (still connected via SSH), update the MCP server repository to get the latest version: 
    cd /home/cisco/radkit-mcp-server-community
git pull

Note: If the directory doesn't exist, clone it, but for lab participants it will be there for you: 

cd /home/cisco
git clone https://github.com/CiscoDevNet/radkit-mcp-server-community

3.2 Copy Setup Scripts

  1. You should see setup_mcp.sh and enroll_client.py in /home/cisco/radkit-mcp-server-community. If not, the scripts are also in /home/cisco/scripts/mcp and can be copied over, or pulled from this repo: 
    cp /home/cisco/scripts/mcp/setup_mcp.sh .
cp /home/cisco/scripts/mcp/enroll_client.py .
chmod +x setup_mcp.sh enroll_client.py

3.4 Enroll RADKit Client Certificates and setup MCP server

The enrollment process authenticates you with RADKit cloud and generates client certificates.

  1. From /home/cisco/radkit-mcp-server-community, run the setup, which will enroll certificates and setup the mcp server in a container: 

    bash setup_mcp.sh

  2. When prompted, enter your Cisco email address (same one used in Step 2.2)

  3. IMPORTANT: After hitting Enter when instructed, the script will display a URL like this: 

    https://id.cisco.com/oauth2/default/v1/authorize?response_type=code&client_id=radkit_prod...

    Action Required

    You MUST copy this URL and paste it into your browser to complete OAuth authentication. The script will wait for you to complete the login.

  4. After completing OAuth in your browser, return to the terminal

  5. When prompted for a private key password, enter: 

    0e52nsq5jf7f-bxq8whdi7dnT

Note: This password is hardcoded in the setup script to simplify the lab. In production, you would use a unique, strong password.

  1. Confirm the password when prompted

    More Information

    For detailed information about setting up the MCP server outside of this lab, see the official documentation at https://github.com/CiscoDevNet/radkit-mcp-server-community

  2. You are now enrolled, and the MCP server setup is starting. When prompted, enter:

    • Your email address (the same one used for RADKit registration)
    • Your RADKit Service Serial (the Service ID from Step 2.2, e.g., xxxx-yyyy-zzzz)

The script will:

  • Check DNS configuration and fix if needed
  • Verify your RADKit enrollment
  • Create a Docker network for RADKit communication
  • Build the MCP server Docker image

  • Start the MCP server container on port 8000

    Re-running the Script

    The script is designed to be idempotent. If you need to re-run it (e.g., after fixing an error), it will clean up existing resources automatically.

3.6 Verify MCP Server

  1. Run the test script to verify the MCP server is working: 

    bash /home/cisco/scripts/mcp/radkit-mcp-test.sh

  2. Verify all tests show [OK]:

    • Test 1: Initialize MCP Session
    • Test 2: List Available Tools
    • Test 3: Call Tool

    Success Criteria

    All three tests should pass. The MCP endpoint is now available at: http://198.18.1.250:8000/mcp

Step 4: Import the Cognitive Response Workflows

We will need to import the cognitive response workflow definitions from GitHub into your Cisco Workflows instance.

4.1 Add Git Repository to Cisco Workflows

  1. Go to Meraki Dashboard on your workstation
  2. Go to Automation -> Workspace
  3. On the right, click the Actions button and then Manage Git Repositories
  4. Click New git repository
  5. Fill the repository details:
    • Display Name: LTRAI-1487 - AI Agent
    • Click Default Account Keys -> Add New
      • Account Key Type: Git Token-Based Credentials
      • Display Name: LTRAI-1487 GitHub
      • Token: Use the GitHub token provided by your administrator (found in the lab-assistant.com lab details)
    • REST API Repository: api.github.com/repos/ciscomanagedservices/ciscolive26_cw_ai_agents
    • Branch: main
    • Code Path: workflows/ai_agent

  6. Click Save

    Git repository configuration with GitHub credentials and repository details

4.2 Import Workflows

You will now import workflows from the Git repository. Follow the steps below in order, as some workflows depend on others.

Note

When importing workflows, you may be prompted for credentials or API keys. Keep your Webex access token from Lab 1 handy.

About Atomic Workflows

The OpenAIChatCompletion, MCPListTools, and MCPRunTool workflows are Atomic workflows. Atomic workflows are immutable, reusable workflow components found in the Activities panel or in the 'Atomics' section of workspace. See the Atomic Actions documentation for more details.

Import Order Overview

flowchart LR
    A["1. OpenAI Chat Completion"] -->|Core LLM interface| B["2. MCP Server Tools"]
    B -->|Tool execution layer| C["3. ToolBox"]
    C -->|Tool registry| D["4. AI Agent"]

4.2.1 Import OpenAI Chat Completion

  1. Go to Automation -> Workspace
  2. Click Actions -> Import Workflow, then click the Git tab
  3. Select the following:
    • Repository: LTRAI-1487 - AI Agent
    • Workflow: OpenAIChatCompletion
    • Version: Latest (the most recent version is always the top option in the pulldown)
  4. Click Import
  5. When prompted for i_api_key:
    • Enter your lab OpenAI API key
    • This is available in lab-assistant.com under LLM_KEY. Ask your instructor for this key if you don't have it
  6. Click Import

4.2.2 Import MCP Server Tools

  1. Click Actions -> Import Workflow, then click the Git tab
  2. Import MCPListTools:
    • Repository: LTRAI-1487 - AI Agent
    • Workflow: MCPListTools
    • Version: Latest
    • Click Import
  3. Import MCPRunTool:
    • Repository: LTRAI-1487 - AI Agent
    • Workflow: MCPRunTool
    • Version: Latest
    • Click Import

4.2.3 Import ToolSendWebexNotification

  1. Click Actions -> Import Workflow -> Git tab
  2. Select the following:
    • Repository: LTRAI-1487 - AI Agent
    • Workflow: ToolSendWebexNotification
    • Version: Latest
  3. Click Import
  4. When prompted for the Webex Access Token variable, enter the Webex Access Token you created in Lab 1

4.2.4 Import ToolBox

The ToolBox workflow includes all tool subworkflows as embedded components, so you only need to import this single workflow to get all the tools.

  1. Click Actions -> Import Workflow -> Git tab
  2. Select the following:
    • Repository: LTRAI-1487 - AI Agent
    • Workflow: ToolBox
    • Version: Latest

  3. Click Import

    Warning

    You will see a warning about a missing remote connection. This is expected - we will fix this after all imports are complete.

    Note

    The ToolBox workflow bundles all individual tools (scratchpad, Webex notifications, change approval, terminal commands, and RADKIT tools) as subworkflows. You do not need to import them separately.

4.2.5 Import AI Agent

  1. Click Actions -> Import Workflow -> Git tab
  2. Select the following:
    • Repository: LTRAI-1487 - AI Agent
    • Workflow: AIAgent
    • Version: Latest

  3. Click Import

    Warning

    You will see a warning about a missing remote connection. This is expected - we will fix this in the next step.

4.2.6 Validate All Workflows

Change the Rows per page to 100. You should see these workflows in Automation -> Workspace:

  • AI Agent
  • ToolBox
  • Tool - Send Webex Notification
  • Tool - Request Change Approval
  • (...and several other Tool - [*] workflows)

You should also see these atomics:

  • OpenAIChatCompletion
  • MCPListTools
  • MCPRunTool
  • Tool - Send Webex Notification

After importing all workflows, validate that they are configured correctly:

  1. Go to Automation -> Workspace
  2. For each imported workflow and atomic:
    • Click on the workflow name to open it
    • Click Validate in the upper right corner
    • Ensure there are no validation errors
  3. If you see any errors, check that all required credentials were entered correctly

4.2.7 Verify OpenAI Endpoint Configuration

  1. Go to Automation -> Targets
  2. Click on OPENAI_ENDPOINT
  3. Verify the following settings:
    • Host: ciscolive-llm.com
    • Port: 443
    • Path: (leave blank)
  4. If any settings are incorrect, update them and click Save

4.2.8 Configure Variables and Targets

After importing the workflows, we need to configure the variables and targets properly.

  1. Go to Automation > Variables and click on OPENAI_API_KEY. Set it to the API key found in the dCloud pod information. If you can't find it, ask the instructor.

    Note

    In a production environment, API keys and passwords should be set to secure strings so users can't reverse and see them, but for troubleshooting and ease for workflow importing, we use a plain string variable.

  2. Go to Automation > Variables and click on Webex Access Token. Make sure it has a password set on it from import. You won't be able to validate the string since it is a secure string.

  3. While still in Variables, find and update the following:

    • AIAgent_Webex_Notification_Space_Name: Set this to the name of the Webex space you created in Lab 1 (e.g., <your_name>-workflows-lab)
    • AIAgent_Meraki_Dashboard_URL: Set this to your Cisco Workflows URL prefix. Look at your browser's address bar - the URL should look something like https://n219.dashboard.meraki.com/o/XXXXXX/manage/organization/overview. Truncate everything after /manage and ensure it ends with a / (e.g., https://n219.dashboard.meraki.com/o/XXXXXX/manage/).

    Note

    The AIAgent_Meraki_Dashboard_URL variable is used to generate clickable links in Webex notifications that take you directly to the workflow run. If this doesn't match your environment, the links in notifications won't work correctly.

  4. Go to Automation > Targets and click on RADKit MCP - Lab. Set the Remote Keys to your Automation Remote you configured earlier.

    Warning

    If you forget to set the Remote Keys, your requests will go out over the internet instead of through your Automation Remote to the MCP Server which talks to the RADKit server.

4.3 Test Individual Tools

Before testing the full AI Agent, let's verify that the individual tools work correctly.

4.3.1 Test RADKit Exec Command Tool

  1. Go to Automation -> Workspace
  2. Click on Tool - RADKIT Exec Command to open the workflow
  3. Click Run in the upper right corner
  4. When prompted, fill out the input variables:
    • i_device_name: r1
    • i_commands: show version
  5. Click Run to execute the workflow

  6. Verify the workflow completes successfully and returns the device output

    Success Criteria

    The workflow should complete without errors and display the show version output from device r1.

4.3.2 Test Webex Notification Tool

  1. Go to Automation -> Workspace
  2. Click on Tool - Send Webex Notification to open the workflow
  3. Click Run in the upper right corner
  4. When prompted, fill out the input variables:
    • i_instance_id: test (or optionally copy the workflow instance ID from your browser's address bar - this is only used to generate a hyperlink in the Webex notification)
    • i_message: Hello from the AI Agent lab! This is a test notification.
  5. Click Run to execute the workflow

  6. Check your Webex space to verify you received the message

    Success Criteria

    You should see your test message appear in your Webex space from Lab 1.

4.4 Test the AI Agent

Now let's verify the full AI Agent workflow runs correctly.

  1. Go to Automation -> Workspace
  2. Click on AIAgent to open the workflow
  3. Click Run in the upper right corner
  4. When prompted, fill out the input variables:
    • i_agent_task: Go to r1, get the current time and interfaces which are up. Output these results exactly to webex and include a short summary.
  5. Click Run to execute the workflow
  6. Monitor the workflow execution and verify it completes without errors

  7. Check your Webex space to confirm the agent sent the results

    Success Criteria

    The workflow should complete successfully, and you should receive a Webex message containing the device time, interface status, and a summary from the AI Agent.

    Troubleshooting

    If the workflow fails:

    • Verify the OPENAI_API_KEY is set correctly
    • Check that the OPENAI_ENDPOINT target is configured properly
    • Ensure your Webex access token is valid
    • Re-run the individual tool tests (4.3.1 and 4.3.2) to isolate the issue

Step 5: Create AI Agent Workflow for Event Remediation

Now that you have the AI Agent working, let's connect it to respond to the same network event from Lab 2. Instead of hardcoded commands, the AI Agent will cognitively analyze the event and determine the appropriate remediation.

5.1 Duplicate the Lab 2 Workflow

We'll start by duplicating your Lab 2 workflow and modifying it to use the AI Agent.

  1. Go to AutomationWorkspace
  2. Find your workflow <your_name>-unshut-int from Lab 2
  3. Click the ... menu on the workflow and select Duplicate

5.2 Configure the New Workflow

  1. Click on the duplicated workflow Copy(1) <your_name>-unshut-int to open it
  2. In the General tab, rename the workflow to <your_name>-ai-fix-shut-interface
  3. Delete the Terminal activity (the static remediation commands)
  4. Delete the Webex notification activity that was added in Lab 2

5.3 Add the AI Agent Activity

  1. On the left side panel, click Workflows
  2. Search for AI Agent. Don't choose the AI Agent - Execute Single Tool workflow here by mistake.
  3. Drag the AIAgent workflow into the flow after the JSON Path Query activity

5.4 Configure the AI Agent Task

  1. Click on the AI Agent block to select it
  2. In the right side panel, expand the i_agent_task input variable

  3. Configure it with the following text, replacing the placeholders with reference variables from the Variable Browser:

    A network event was received for device {target_device}:

raw event:

{webhook_request_body}

You MUST proceed with investigation. If any change is required to resolve alert, you MUST call tool to request change approval.

Replace the placeholders as follows:

  • {target_device} → Click the variable reference icon variable reference icon and select Activities > get_device_ip > JSONPath Queries > target_device

  • {webhook_request_body} → Click the variable reference icon variable reference icon and select Rule > Webhook Rule > Output > Request Body

    Note

    We're keeping it simple - giving the agent minimal parsing and letting it analyze the raw event. The final instruction ensures the agent requests your approval before making any changes.

    AI Agent workflow with i_agent_task configuration and variable references

5.5 Validate the Workflow

  1. Click Validate in the upper right corner
  2. Ensure there are no validation errors
  3. If errors appear, verify the reference variables are correctly linked

5.6 Update the Trigger Rule

  1. Go to AutomationRules
  2. Find your rule from Lab 1
  3. Enable the action for the new <your_name>-ai-fix-shut-interface workflow
  4. Disable the action for the prior <your_name>-unshut-int workflow

5.7 Test the AI Agent Response

  1. SSH to R3 (198.18.1.103)
  2. Execute the following commands to shut down the interface: 
    conf t
int lo0
shut
  3. Wait for the webhook to fire and observe the AI Agent workflow execution

5.8 Respond to Clarifying Questions (If Any)

The AI Agent may ask clarifying questions before proceeding - that's OK! It's just trying to make sure it's doing the right thing.

  1. Check Webex for any clarifying questions from the agent
  2. If the agent asks a question, click the Cisco Workflow Run link in the Webex message
  3. In the Cisco Workflows UI, click View Task

  4. Provide as much detail as possible to help the agent understand the situation:

    • Confirm the interface should be brought back up
    • Specify that this is a loopback interface on R3
    • Indicate that the interface was administratively shut down and needs to be restored
    • Note: The AI Agent may think that the loopback should be left down, so it will want to confirm with you before opening a change request

    Tip

    The more context you provide, the better the agent can proceed with confidence and open a change request!

5.9 Approve the Change Request

Once the agent has enough information, it will request your approval before making changes:

  1. Check Webex for a change approval notification from the agent
  2. Click the Cisco Workflow Run link in the Webex message
  3. In the Cisco Workflows UI, click View Task

  4. Review the agent's proposed action and click Approve to allow the agent to bring the interface back up

    Note

    The next lab uses a workflow with more detailed prompting for complex ThousandEyes troubleshooting scenarios.

5.10 Validation

  1. Check R3: Run show ip int brief - loopback0 should be up after approval
  2. Check Webex for the agent's completion notification
  3. Review the workflow run to see the agent's reasoning chain

Summary

You have successfully configured a cognitive AI Agent for network operations:

Component Status Purpose
RADKit Service Installed & Configured Secure remote access to network devices
RADKit MCP Server Running API interface for device tool execution
AI Agent Workflow Imported Orchestrates LLM-driven analysis and tool execution
OpenAI Integration Configured Provides cognitive reasoning capabilities
ToolBox Imported Gives agent access to device commands, notifications, and approvals
Event-Triggered Agent Working Responds to network events with intelligent remediation

Key Differences: Lab 2 vs Lab 3

Aspect Lab 2 (Static) Lab 3 (Cognitive)
Logic Hardcoded: conf t, int lo0, no sh AI analyzes event and decides action
Flexibility Only handles loopback0 Can handle any interface/device
Approval None - auto-executes Human-in-the-loop via change approval
Transparency Just runs commands Agent explains reasoning in Webex

In the next lab, you will integrate ThousandEyes for network performance monitoring and see the AI Agent troubleshoot more complex scenarios with enriched path data.

Congratulations! Once the AI Agent successfully brings loopback0 back up, Lab 3 is complete!

Updated at 2026-03-18 16:54:41