In this video, we take a look at how EEM scripts can be utilized alongside Low Impact mode to enable ports to fail open.
Below are EEM Scripts that can be reused and modified for your environment.
Note: For a single RADIUS server use the “%RADIUS-4-RADIUS_DEAD” syslog pattern, and for a group of RADIUS servers use the “%RADIUS-3-ALLDEADSERVER” syslog pattern.
If your devices use command authorization, you need to ensure that the script can still run in the event of a failure. Enter the following command at the end of each applet to ensure command authorization is bypassed.
You may have found that trying to get the ASAv to work in GNS3 isn’t the easiest thing to do, and in order for it to function correctly there are a few tweaks we need to make to QEMU. NOTE: I will not provide the file, you will need to obtain this. The instructions I have prepared below should be enough to get going; if you have any further questions please reach out to me.
1. Install the Cisco ASAv appliance from the GNS3 Marketplace
2. When prompted for the missing file, create a new version and add your .qcow file
3. Go to the QEMU settings and change the console type to “VNC”
4. Click on “Advanced Settings” and insert one of the following based on your CPU
FOR INTEL CPU: -cpu Nehalem -smp 4,sockets=4,cores=1,threads=1 or -cpu SandyBridge -smp 4,sockets=4,cores=1,threads=1
FOR AMD CPU: -cpu Opteron_G5 -smp 4,sockets=4,cores=1,threads=1
5. Untick the option “Use as a linked base VM”
6. Run the ASAv and select the 1st option – the device should reboot after fir...
In this article I would like to focus on virtual machines, in particular Cisco ISE virtual machines running on VMware. I will explain why virtual ISE deployments DO NOT support snapshots, as well as the potential issues that you could face if snapshots are enabled. So what is a snapshot? A snapshot is a copy of a virtual machine's disk file (.VMDK) at a particular point in time. VMware allows you to take manual snapshots of a virtual machine or even automatically take snapshots of devices at a specific time. Snapshots are useful in situations where an operational device is rendered useless for whatever reason and you would like to restore that device back to a working state. So why doesn't Cisco ISE support snapshots? Cisco ISE comes with its own backup and restore utilities, and not only that, Cisco ISE doesn't support backups because the data within the nodes is constantly changing and is being synchronised with the database. What happens if snapshots are taken of ISE nodes? If...
In this quick-tip Cisco ISE article I would like to point out how ISE administrators can display usernames for failed authentications. The following has been tested on ISE 2.4 but is relevant for older ISE versions. When a user/machine fails authentication, ISE masks the identity automatically. This can be seen in the RADIUS Live Logs and looks like screenshot (1) shown below. Although you can click on the details of each live log, sometimes it’s good to know what the identity is in order to troubleshoot further. The good news is that with ISE we can unmask the identity; the bad news for some is that you can only keep identities unmasked for a limited time, depending on the ISE version. As of ISE 2.4 patch 3 you cannot keep identities unmasked permanently; in fact, the maximum time for which you can keep identities unmasked is 30 minutes before ISE masks them again. As mentioned, this is not convenient and was in fact raised as a bug (CSCvh91118). I believe ISE releases ...
In this article we are going to take a look at how to capture Extensible Authentication Protocol over LAN (EAPOL) and Remote Authentication Dial-In User Service (RADIUS) packets using Wireshark. This article can be useful for troubleshooting 802.1X within your environment and can also be used for learning purposes. The following topology has been used to gather the required output for this article. Note: This article will only cover the switch configurations that are required to gather EAPOL and RADIUS packets.
Overview of the Topology
- The supplicant is configured to perform 802.1X using EAP-TLS as the authentication method
- The user certificate on the supplicant will be used for authentication
- The supplicant has Wireshark installed
- Cisco ISE is used for authentication and authorisation
- The supplicant is assigned to VLAN 10 upon authentication and all other endpoint ports are assigned to VLAN 99
- The sniffer device is running Wireshark in order to capture RADIUS flows via SPAN
802.1x ...
Throughout my time working with Cisco ISE, I’ve come across a few different errors when configuring ISE to perform Certificate Revocation List (CRL) lookups using Microsoft’s Public Key Infrastructure (PKI). In this article I would like to show you how we can avoid CRL download issues that could ultimately stop an endpoint from authenticating onto a network configured for Network Authentication Control (NAC). CRL checking is useful for checking for expired certificates, and when an environment has Cisco Identity Services Engine deployed for secure network access, it helps ensure that revoked digital certificates are not reused. CRL lookups can be costly to your network because of the lookups that are performed, and the Online Certificate Status Protocol (OCSP) can be used as a more efficient way to check for revoked certificates. However, for the purpose of this article we will focus only on Certificate Revocation Lists. In this article I will demonstrate...