EEM Scripts for ISE Low Impact Mode

-

In this video, we take a look at how EEM scripts can be utilized alongside Low Impact mode to enable ports to fail open.


Below are EEM Scripts that can be reused and modified for your environment.

Note: For single RADIUS Servers use the “%RADIUS-4-RADIUS_DEAD” syslog pattern and for a group of RADIUS servers use the “%RADIUS-3- ALLDEADSERVER” syslog pattern.
If your devices utilize command authorization then you need to ensure that the script can still run in the event of a failure. Enter the following command at the end of each applet to ensure command authorization is bypassed. 
 




  
authorization bypass
 
Example:
event manager applet pre-auth-acl-fallback authorization bypass

event manager applet pre-auth-acl-recovery authorization bypass 
event manager applet pre-auth-acl-fallback
event syslog pattern "%RADIUS-4-RADIUS_DEAD" maxrun 5
action 1.0 cli command "enable"
action 1.1 cli command "conf t" pattern "CNTL/Z."
action 2.0 cli command "ip access-list extended PRE-AUTH-EEM"
action 3.0 cli command "1 permit ip any any"
action 4.0 cli command "end"

event manager applet pre-auth-acl-recovery
event syslog pattern "%RADIUS-4-RADIUS_ALIVE" maxrun 5
action 1.0 cli command "enable"
action 1.1 cli command "conf t" pattern "CNTL/Z."
action 2.0 cli command "ip access-list extended PRE-AUTH-EEM"
action 3.0 cli command "no 1 permit ip any any"
action 4.0 cli command "end" 
 
 

 
 
 
 
Kelvin Charles - Network and Cyber Security Professional.

Popular Posts

Capturing EAPOL and RADIUS Using Wireshark

-
Image
In this article we are going to take a look at how to capture Extensible Authentication Protocol Over LAN (EAPOL) and Remote Authentication Dial-In User Service (RADIUS) packets using Wireshark. This article can be useful for troubleshooting 802.1x within your environment and can also be used for learning purposes. The following topology has been used to gather the required output for this article. Note: This article will only cover the switch configurations that are required to gather EAPOL and RADIUS configuration. Overview of the Topology The supplicant is configured to perform 802.1x using EAP-TLS as the authentication method The user certificate on the supplicant will be used for authentication The supplicant has Wireshark installed Cisco ISE is used for authentication and authorisation The supplicant is assigned to VLAN 10 upon authentication and all other endpoint ports are assigned to VLAN 99 Sniffer device is running Wireshark in order to capture RADIUS flows via SPAN 802.1x ...
Read more

Demystifying IBNS 2.0 Configuration

-
Image
In this article I would like to go through a typical Identity Based Networking Services (IBNS 2.0) configuration, breaking down each so that we can better understand the configuration. While there are many configuration elements of secure network access, this article will focus on the Cisco Common Classification Policy Language (C3PL) configurations. I must admit, when I first got a glance of some IBNS 2.0 configuration, I was a little taken back at the amount of configuration. However, after reading up about it, and refreshing parts of my CCNP R&S skills, I was able to understand how IBNS 2.0 configuration comes together. This article will NOT focus on use cases for using IBNS 2.0, however, I would like to point out some good, online documentation that will provide you with some useful information. IBNS 2.0 at a glance Identity Based Networking Command Reference Guide Cisco Live IBNS 2.0 Lab Guide Configuring Identity Service Templates Configuring IEEE 802.1x Port-Based Authent...
Read more

Add Firepower Management Center Certificate using CLI

-
Image
In this article I want to demonstrate how too add signed certificates to the Firepower Management Center (FMC) using the CLI. If you've worked with the FMC for some time, you'll know that the GUI can be quite limited when it comes to the sort of information you enter before generating a CertificateCSR. In fact a particular use case for wanting to use the CLI to generate CSR's for the FMC is when you want to issue the same certificate to more than one FMC. As it stands today there isn't a way to accommodate this use case via the GUI an although possible, this request can only be fulfilled by using the CLI. With that, in this article we will focus on how we can fulfill the mentioned requirement and have one certificate issued for more than one FMC. We will have our internal CA (Microsoft Server) issue an internal signed certificate that will be imported to both FMC's. Demonstration Hardware & Versions Microsoft Server 2019 (CA Server) Firepower Management Center v...
Read more

Configuring Cisco ISE for SNMPv3

-
Image
In this article I would like to cover how to configure SNMPv3 for Cisco Identity Services Engine (ISE). In a few deployments I’ve done, I’ve come across the need to configure ISE to send SNMPv3 traps to a Network Management System (NMS). SNMPv3 is perfect for ensuring the authentication and encryption of SNMP traffic, something that can’t be done with inferior SNMP versions. Now, one would assume that we could just go ahead and configure ISE for SNMP via the GUI however, unfortunately that’s not the case. To actually configure ISE to send traps to an NMS system we need to configure the settings via the CLI. The demonstration in the article is performed using a standalone ISE. This demonstration also assumes that you have connectivity between your NMS platform and ISE. To see a live demonstration with testing, refer to the video that accompanies this article. Configuration Steps Enable SNMP So that we can configure the required SNMPv3 settings for ISE, SNMP needs to be enabled. iselab/a...
Read more