In this video, we take a look at how EEM scripts can be utilized alongside Low Impact mode to enable ports to fail open.
Below are EEM Scripts that can be reused and modified for your environment.
Note: For single RADIUS Servers use the “%RADIUS-4-RADIUS_DEAD” syslog pattern and for a group of RADIUS servers use the “%RADIUS-3- ALLDEADSERVER” syslog pattern.
If your devices utilize command authorization then you need to ensure that the script can still run in the event of a failure. Enter the following command at the end of each applet to ensure command authorization is bypassed.
In this article I would like to focus on virtual machines, in particular Cisco ISE virtual machines running on VMware. I will explain why virtual ISE deployments DO NOT support snapshots as well as the potential issues that you could face if snapshots are enabled. So what is a snapshot? A snapshot is a copy of a virtual machines disk file (.VMDK) at a particular point in time. VMware allows you to take manual snapshots of a virtual machine or even automatically take snapshots of devices at a specific time. Snapshots are useful in situations where an operational device is rendered useless for whatever reason and you would like to restore that device back to a working state. So why doesn't Cisco ISE support snapshots? Cisco ISE comes with its own backup and restore utilities and not only that, Cisco ISE doesn't support backups because the data within the nodes is constantly changing and is being synchronised with the database. What happens if snapshots are taken of ISE nodes? If...
In this quick tip Cisco ISE article I would like to point out how ISE administrators can displays usernames for failed authentications. The following has been tested on ISE 2.4 but is relevant for older ISE versions. When a user/machine fails authentication ISE will mask the identity automatically. This can be seen in the RADIUS Live Logs and looks like the screenshot (1) shown below. Although you can click on the details of each live log, sometimes it’s good to know what the identity is to troubleshoot further. The good news is that with ISE, we can unmask the identity, however, the bad news for some is that you can only keep identities unmasked for a limited time, depending on ISE version. As of up to ISE 2.4 patch 3 you cannot keep identities unmasked permanently, in fact, the maximum time in which you can keep identities unmasked for is 30 minutes before ISE masks them again. As mentioned, this is not convenient and was in fact raised as a bug (CSCvh91118). I believe ISE releases ...
You may have found that trying to get the ASAv to work in GNS3 isn’t the easiest thing to do and in order for it to function correctly, we have a few tweaks we need to make to the QEMU. NOTE: I will not provide the file, you will need to obtain this. The instructions I have prepared below should be enough to get going, if you have any further questions please reach out to me 1. Install Cisco ASAv appliance from the GNS3 Marketplace 2. When promoted for the missing file, create a new version and insert the .qcow file and add your file 3. Go to the QEMU settings and change console type to “VNC” 4. Click on “Advanced Settings” and insert one of the following based on your CPU FOR INTEL CPU -cpu Nehalem -smp 4,sockets=4,cores=1,threads=1 or -cpu SandyBridge -smp 4,sockets=4,cores=1,threads=1 FOR AMD CPU -cpu Opteron_G5 -smp 4,sockets=4,cores=1,threads=1 5. Untick option “Use as a linked base VM” 6. Run the ASAv and select the 1st option – the device should reboot after fir...
In this article I would like to go through a typical Identity Based Networking Services (IBNS 2.0) configuration, breaking down each so that we can better understand the configuration. While there are many configuration elements of secure network access, this article will focus on the Cisco Common Classification Policy Language (C3PL) configurations. I must admit, when I first got a glance of some IBNS 2.0 configuration, I was a little taken back at the amount of configuration. However, after reading up about it, and refreshing parts of my CCNP R&S skills, I was able to understand how IBNS 2.0 configuration comes together. This article will NOT focus on use cases for using IBNS 2.0, however, I would like to point out some good, online documentation that will provide you with some useful information. IBNS 2.0 at a glance Identity Based Networking Command Reference Guide Cisco Live IBNS 2.0 Lab Guide Configuring Identity Service Templates Configuring IEEE 802.1x Port-Based Authent...
In this article, I will demonstrate how to configure the ASAv so that you use a virtual serial port. This article assumes that you have installed the virtual Cisco Adaptive Security Appliance using VMware workstation or it’s equivalent and that you can only access the ASAv CLI via the VMware client. By default, the virtual serial console on the ASAv is disabled, so that it can be enabled, a few commands are required. Use Case At present, I only have access to the ASAv CLI using VMware Fusion but I want to use my computers terminal software to access the CLI for use with GNS3. The following steps assume you have already installed the ASAv Steps Power on the ASAv and access the CLI via VMware workstation or it’s equivalent Enter the following commands on the ASAv Enable Configure terminal cd coredumpinfo Copy coredump.cfg disk0:/use_ttyS0 – This will enable the serial console once saved to Disk0:/ Now shutdown the ASAv and upon reloading the ASAv will now send its output to the s...
