In this article we are going to take a look at how to capture Extensible Authentication Protocol Over LAN (EAPOL) and Remote Authentication Dial-In User Service (RADIUS) packets using Wireshark. This article can be useful for troubleshooting 802.1x within your environment and can also be used for learning purposes. The following topology has been used to gather the required output for this article. Note: This article will only cover the switch configurations that are required to gather EAPOL and RADIUS configuration. Overview of the Topology The supplicant is configured to perform 802.1x using EAP-TLS as the authentication method The user certificate on the supplicant will be used for authentication The supplicant has Wireshark installed Cisco ISE is used for authentication and authorisation The supplicant is assigned to VLAN 10 upon authentication and all other endpoint ports are assigned to VLAN 99 Sniffer device is running Wireshark in order to capture RADIUS flows via SPAN 802.1x ...
You may have found that trying to get the ASAv to work in GNS3 isn’t the easiest thing to do and in order for it to function correctly, we have a few tweaks we need to make to the QEMU. NOTE: I will not provide the file, you will need to obtain this. The instructions I have prepared below should be enough to get going, if you have any further questions please reach out to me 1. Install Cisco ASAv appliance from the GNS3 Marketplace 2. When promoted for the missing file, create a new version and insert the .qcow file and add your file 3. Go to the QEMU settings and change console type to “VNC” 4. Click on “Advanced Settings” and insert one of the following based on your CPU FOR INTEL CPU -cpu Nehalem -smp 4,sockets=4,cores=1,threads=1 or -cpu SandyBridge -smp 4,sockets=4,cores=1,threads=1 FOR AMD CPU -cpu Opteron_G5 -smp 4,sockets=4,cores=1,threads=1 5. Untick option “Use as a linked base VM” 6. Run the ASAv and select the 1st option – the device should reboot after fir...
In this article I would like to go through a typical Identity Based Networking Services (IBNS 2.0) configuration, breaking down each so that we can better understand the configuration. While there are many configuration elements of secure network access, this article will focus on the Cisco Common Classification Policy Language (C3PL) configurations. I must admit, when I first got a glance of some IBNS 2.0 configuration, I was a little taken back at the amount of configuration. However, after reading up about it, and refreshing parts of my CCNP R&S skills, I was able to understand how IBNS 2.0 configuration comes together. This article will NOT focus on use cases for using IBNS 2.0, however, I would like to point out some good, online documentation that will provide you with some useful information. IBNS 2.0 at a glance Identity Based Networking Command Reference Guide Cisco Live IBNS 2.0 Lab Guide Configuring Identity Service Templates Configuring IEEE 802.1x Port-Based Authent...
In this article I would like to focus on virtual machines, in particular Cisco ISE virtual machines running on VMware. I will explain why virtual ISE deployments DO NOT support snapshots as well as the potential issues that you could face if snapshots are enabled. So what is a snapshot? A snapshot is a copy of a virtual machines disk file (.VMDK) at a particular point in time. VMware allows you to take manual snapshots of a virtual machine or even automatically take snapshots of devices at a specific time. Snapshots are useful in situations where an operational device is rendered useless for whatever reason and you would like to restore that device back to a working state. So why doesn't Cisco ISE support snapshots? Cisco ISE comes with its own backup and restore utilities and not only that, Cisco ISE doesn't support backups because the data within the nodes is constantly changing and is being synchronised with the database. What happens if snapshots are taken of ISE nodes? If...
Throughout my time working with Cisco ISE, I’ve come across a few different errors when configuring ISE to perform Certificate Revocation Lists (CRL) lookups using Microsoft’s Public Key Infrastructure (PKI). In this article I would like to show you how we can avoid CRL download issues that could ultimately stop an endpoint from authenticating onto a network when configured for Network Authentication Control (NAC). CRL checking is useful for checking of expired certificates and when an environment has Cisco Identity Services Engine deployed for secure network access, this can be useful for ensuring revoked digital certificates are not reused when they’ve been revoked. CRL lookups can be costly to your network because of the lookups that are performed and Online Certificate Status Protocol (OCSP) can be used as a more efficient way to check revoked certificates. However for the purpose of this article we will focus only on Certificate Revocation Lists. In this article I will demonstrate...