In this video, we take a look at how EEM scripts can be utilized alongside Low Impact mode to enable ports to fail open.
Below are EEM Scripts that can be reused and modified for your environment.
Note: For a single RADIUS server, use the “%RADIUS-4-RADIUS_DEAD” syslog pattern; for a group of RADIUS servers, use the “%RADIUS-3-ALLDEADSERVER” syslog pattern.
If your devices utilize command authorization, you need to ensure that the script can still run in the event of a failure. Enter the following command at the end of each applet to ensure command authorization is bypassed.
In this article I would like to cover how to configure SNMPv3 for Cisco Identity Services Engine (ISE). In a few deployments I’ve done, I’ve come across the need to configure ISE to send SNMPv3 traps to a Network Management System (NMS). SNMPv3 is perfect for ensuring the authentication and encryption of SNMP traffic, something that can’t be done with inferior SNMP versions. Now, one would assume that we could just go ahead and configure ISE for SNMP via the GUI; unfortunately, that’s not the case. To actually configure ISE to send traps to an NMS, we need to configure the settings via the CLI. The demonstration in the article is performed using a standalone ISE. This demonstration also assumes that you have connectivity between your NMS platform and ISE. To see a live demonstration with testing, refer to the video that accompanies this article.
Configuration Steps
Enable SNMP
So that we can configure the required SNMPv3 settings for ISE, SNMP needs to be enabled. iselab/a...
In this article, I want to point out something that could save you time in the future and potentially save you a TAC case. Note: This article is perfect for environments where you wish to keep the same password for local user accounts. The Cisco Identity Services Engine (ISE) comes packed with many good features, some of which include handy default security features for local user accounts, and in this article I will touch on one of those features. By default, Cisco ISE will disable local user accounts after 60 days if the account passwords haven’t been changed. This behaviour can be changed within ISE, but if you choose not to change this setting and you surpass the 60 days, all user accounts will need to be re-enabled every 24 hours. Luckily, ISE will allow you to disable this setting without having to change all the passwords for the local users. To do this, follow the steps below.
Log into ISE using the GUI
Navigate to Administration >>> Identity Management >>>...
In this video demonstration, I’ll show you how to reset your administrator password on a standalone Cisco Identity Services Engine. This method is used if you have forgotten your administrator password. Note: A reboot is required in order to complete the following procedure.
In this article I would like to go through a typical Identity Based Networking Services (IBNS 2.0) configuration, breaking down each part so that we can better understand the configuration. While there are many configuration elements of secure network access, this article will focus on the Cisco Common Classification Policy Language (C3PL) configurations. I must admit, when I first got a glance of some IBNS 2.0 configuration, I was a little taken aback at the amount of configuration. However, after reading up about it, and refreshing parts of my CCNP R&S skills, I was able to understand how IBNS 2.0 configuration comes together. This article will NOT focus on use cases for using IBNS 2.0; however, I would like to point out some good online documentation that will provide you with some useful information.
IBNS 2.0 at a glance
Identity Based Networking Command Reference Guide
Cisco Live IBNS 2.0 Lab Guide
Configuring Identity Service Templates
Configuring IEEE 802.1x Port-Based Authent...
If you're familiar with Cisco ISE deployments, then no doubt you've encountered a time where an Administrator password has expired and needs to be reset. This can happen for a number of reasons; however, the most common would be because of the admin password expiry setting that hasn't been disabled in ISE. When setting up a new Cisco ISE deployment, you will set the admin password. It is important to note that the CLI and GUI admin passwords can be different. Although you can reset the admin GUI password via the CLI when it has expired, if the CLI password expires or you forget it, you will be required to boot from the .ISO in order to reset the password. Booting from the .ISO can be a pain if ISE nodes are in a production environment, and you may find that you need a change window to do this. Whatever the case may be, this article focuses on how to reset the admin passwords while ISE is in production. These steps were taken when I encountered a similar issue with a distributed...