Cisco IOS – Find The ‘Default Route’ For A VRF
Nov17

KB ID 0001086. Problem: Routing is one of my weaker subjects, and today I was trying to chase some routes through a network to locate all the firewalls. The core of the network has a bunch of 6500 switches in various data centers. I tracked the network I was working on to an SVI on one of the core switches, which was in a VRF. But how could I find the ‘next hop’? The routing table on these switches is very large. Solution...
Cisco ISE – Replace the Self Signed Certificate
Nov17

KB ID 0001068. Problem: Cisco ISE arms itself with a self-generated certificate out of the box (well, the NFR appliance does anyway). To replace that cert with one signed by your own CA, this is the procedure. (Note: I’m using Microsoft Certificate Services on Server 2012 R2.) Solution: Step 1: Import the CA Certificate into ISE. Note: If you have a lot of issuing servers, it’s a good idea to repeat this procedure for EVERY...
Cisco ISE NFR Appliance Setup
Nov17

KB ID 0001066. Problem: The Cisco ISE NFR appliance is for demos and test bench use. I’m currently building a test lab for ISE, so I spun a copy up. I looked at the associated ReadMe.pdf for instructions on the basic setup, and found a hyperlink to the instructions that didn’t work! Bah. Solution: The appliance comes as an OVA file for import into vSphere/ESX; I’m assuming you have already imported the appliance....
Cisco ISE – Upgrading
Nov17

KB ID 0001071. Problem: Just as I was hunting around for an NFR version of Cisco ISE 1.3, they released 1.4. I wasn’t sure if I could upgrade my NFR version without breaking it, so I thought I would ‘have a go’. Solution: If you read the documentation for the upgrade of 1.2 to 1.4, I suggest you skip straight to the tasks to do AFTER the upgrade, as it has a habit of resetting things back to default; best to make sure you...
Cisco ISE – Basic 802.1x With Windows Part One (Active Directory Integration)
Nov17

KB ID 0001074. Problem: To carry out this procedure you should have your ISE appliance deployed, with all the basic settings on it. Over the next few articles I’m going to connect the ISE appliance to Active Directory, then configure the ISE appliance for 802.1x, configure RADIUS on both the appliance and on my Cisco switches, and finally configure Windows Group Policy to enable the clients to authenticate with 802.1x. Solution: 1....
Cisco ISE – Basic 802.1x With Windows Part Two – Configuring 802.1x Policies
Nov17

KB ID 0001075. Problem: Back in Part One we joined Cisco ISE to Active Directory; now we will take the built-in ISE policies and change them. This will allow our clients to authenticate with the correct protocols. Solution: 1. By default ISE will use pretty much any available protocol. We are going to use PEAP, although I’m also going to allow EAP-TLS (it’s more secure, and if I start rolling out certificates I’ve...
Cisco ISE – Basic 802.1x With Windows Part Three – Adding Network Devices (Authenticators)
Nov17

KB ID 0001077. Problem: Back in Part Two we configured the specific 802.1x policies in Cisco ISE. Remember, with 802.1x it is a three-tier system: there is a supplicant (a machine that wants to authenticate), the authenticator (the device the supplicant connects to, in our case a switch), and finally an authentication server (Cisco ISE). Below I will add our switch into ISE as a RADIUS device and create some groups and locations for...
Cisco ISE – Basic 802.1x With Windows Part Four – Configuring The Windows Clients (Supplicants)
Nov17

KB ID 0001083. Problem: Back in Part Three we set up the switches ready to plug in our clients. I’m going to configure the Windows clients by Group Policy, but I suggest you carry out tests using single Windows clients and LOCAL policy until you know you have everything set up correctly. WARNING: Rolling this out without adequate testing can result in all your Windows clients falling off the network. Solution: 1. On a DC or a...
Cisco CSC Module – Stop it scanning its own update traffic
Nov17

KB ID 0000156. Problem: The CSC module, when it’s installed in your firewall and running, by default scans all traffic in and out, including all its own updates and web traffic. This can cause quite a performance hit; to stop this happening, exempt the CSC module’s traffic from being scanned. NOTE: your access-lists and port groups may well have different names, so I’ll list all the commands to chase them through the...
Cisco CSC Module Error – Activation Warning
Nov17

KB ID 0000392. Problem: You try to connect to your Cisco CSC module and see the following error: "Error: Activation Warning CSC is not activated. Please run setup wizard under Configuration > Trend Micro Content Security > CSC Setup > Wizard Setup to perform setup process. Click OK button to to to Trend Micro Content Security Setup wizard." Naturally, if you’ve never set up the CSC you are going to see this, but what if it...