In this video, we take a look at how EEM scripts can be utilized alongside Low Impact mode to enable ports to fail open.
Below are EEM Scripts that can be reused and modified for your environment.
Note: For single RADIUS Servers use the “%RADIUS-4-RADIUS_DEAD” syslog pattern and for a group of RADIUS servers use the “%RADIUS-3- ALLDEADSERVER” syslog pattern.
If your devices utilize command authorization then you need to ensure that the script can still run in the event of a failure. Enter the following command at the end of each applet to ensure command authorization is bypassed.
In this video demonstration, I’ll show you how to reset your administrator password on a standalone Cisco Identity Services Engine. This method is used if you have forgotten your administrator password. Note: A reboot is required in order to complete the following procedure.
In this article we are going to take a look at how to capture Extensible Authentication Protocol Over LAN (EAPOL) and Remote Authentication Dial-In User Service (RADIUS) packets using Wireshark. This article can be useful for troubleshooting 802.1x within your environment and can also be used for learning purposes. The following topology has been used to gather the required output for this article. Note: This article will only cover the switch configurations that are required to gather EAPOL and RADIUS configuration. Overview of the Topology The supplicant is configured to perform 802.1x using EAP-TLS as the authentication method The user certificate on the supplicant will be used for authentication The supplicant has Wireshark installed Cisco ISE is used for authentication and authorisation The supplicant is assigned to VLAN 10 upon authentication and all other endpoint ports are assigned to VLAN 99 Sniffer device is running Wireshark in order to capture RADIUS flows via SPAN 802.1x ...
In this article I would like to cover how to configure SNMPv3 for Cisco Identity Services Engine (ISE). In a few deployments I’ve done, I’ve come across the need to configure ISE to send SNMPv3 traps to a Network Management System (NMS). SNMPv3 is perfect for ensuring the authentication and encryption of SNMP traffic, something that can’t be done with inferior SNMP versions. Now, one would assume that we could just go ahead and configure ISE for SNMP via the GUI however, unfortunately that’s not the case. To actually configure ISE to send traps to an NMS system we need to configure the settings via the CLI. The demonstration in the article is performed using a standalone ISE. This demonstration also assumes that you have connectivity between your NMS platform and ISE. To see a live demonstration with testing, refer to the video that accompanies this article. Configuration Steps Enable SNMP So that we can configure the required SNMPv3 settings for ISE, SNMP needs to be enabled. iselab/a...
As part of my on-going studying for the CCNA Security 210 – 260 certification I have been exploring different types of network attacks, one of which is CAM table overflow attacks. In this article I would like to share what I have learnt and provide a demonstration of the attack carried out in a lab environment. To understand my demonstration, you first need to understand how a CAM table overflow attack works and what happens as a result of the attack. Switches build Content Addressable Memory (CAM) tables based on mac-addresses and port numbers. When a switch receives a frame it checks the table to see if the source mac-address is already known, if the source mac-address is unknown the switch will add the mac-address to the table along with the port number. The switch then checks the destination layer two frame and if no entry exists the switch broadcasts the frame out of all ports except the port in which the frame was received. Presuming the destination mac-address wants to res...
In this article, I want to point out something that could save you time in the future and potentially save you a TAC case. Note: This article is perfect for environments where you wish to keep the same password for local user accounts. The Cisco Identity Services Engine (ISE) comes packed with many good features, some of which include handy default security features for local user accounts and in this article, I will touch on one of those features. By default, Cisco ISE will disable local user accounts after 60 days if the account passwords haven’t been changed. This behaviour can be changed within ISE but if you choose not to change this setting and you surpass the 60 days all user account will need to be re-enabled every 24-hours. Luckily ISE will allow you to disable this setting without having to change all the passwords for the local users, to do this follow the steps below. Log into ISE using the GUI Navigate to Administration >>> Identity Management >>>...
