Thursday, September 22, 2016

Single SSID - Multi VLAN - FlexConnect

A configuration example that I feel is under-documented and not particularly clear is how to deploy a single SSID on a Cisco WLC with ISE authentication, placing clients on multiple VLANs based on their authorization profiles.

It is actually very simple.

1st:

You build out your ISE policies just as you would for wired or wireless 802.1X, and make sure to add the VLAN assignment to the authorization result that you match.


2nd:

On your WLC, make sure that your SSID has the box for FlexConnect local switching checked and AAA Override checked on the Advanced tab.

Make sure that your AP has VLAN support turned on and a local (native) VLAN configured.

3rd:

Create a FlexConnect group on your WLC from the Wireless tab and add your APs to that group.
From the AAA VLAN-ACL Mapping tab, create all of the VLANs that ISE may dynamically assign users to.


This will cause sub-interfaces to be auto-generated on all of the APs in that FlexConnect group, one per mapped VLAN.



Finally:

Test a user/device that ISE will assign to one of the VLANs and verify that it is authenticated and placed into the desired VLAN. If everything connects you are good to go.

[Screenshots: ISE, WLC]

TIPS:

Make sure your VLANs are extended to the switch that the AP is connected to.
Make sure the WLC is running code level 7.4 or higher.
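The steps above only work if every VLAN that ISE can hand out is also mapped in the FlexConnect group (otherwise the AP has no sub-interface for it) and is allowed on the AP's switch trunk (the first tip). The following script is an added example, not part of the original post: it summarises each ISE authorization profile as the RADIUS tunnel attributes it returns (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN id), extracts the VLAN, and reports any VLAN that is missing from the FlexConnect group mapping or from an AP's trunk. The profile names, VLAN numbers and AP names are constructed for the example; nothing here talks to ISE or a WLC.

```python
"""Added example (not from the original post): pre-deployment consistency check for a
single-SSID / multi-VLAN FlexConnect design with ISE VLAN override.

Everything below is constructed input: ISE authorization profiles are summarised as the
RADIUS attributes they return, and the FlexConnect group and switch-port data are typed in."""

# RADIUS attribute values used for VLAN assignment (RFC 3580 / RFC 2868).
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type (attribute 64) = VLAN
TUNNEL_MEDIUM_802 = 6        # Tunnel-Medium-Type (attribute 65) = IEEE-802

# Constructed: what each ISE authorization profile returns in its Access-Accept.
ISE_AUTHZ_PROFILES = {
    "Corp_Laptop": {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "20"},
    "Corp_Phone": {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "30"},
    "Contractor": {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "40"},
    "Printer_NoVlan": {},  # no VLAN override: client stays on the WLAN's own VLAN mapping
}

# Constructed: VLANs created under the FlexConnect group's AAA VLAN-ACL Mapping tab.
FLEX_GROUP_VLANS = {20, 30}

# Constructed: VLANs allowed on the trunk of the switch port each AP hangs off.
AP_TRUNK_ALLOWED = {"AP-Floor1": {1, 20, 30, 40}, "AP-Floor2": {1, 20}}


def vlan_from_access_accept(attrs):
    """Return the VLAN id an Access-Accept assigns, or None if it carries no VLAN override.
    All three tunnel attributes must be present and agree; a partial set is an error."""
    keys = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID")
    present = [k for k in keys if k in attrs]
    if not present:
        return None
    if len(present) != 3:
        raise ValueError(f"incomplete VLAN override attributes: {present}")
    if attrs["Tunnel-Type"] != TUNNEL_TYPE_VLAN or attrs["Tunnel-Medium-Type"] != TUNNEL_MEDIUM_802:
        raise ValueError("Tunnel-Type/Tunnel-Medium-Type are not VLAN/IEEE-802")
    vid = int(attrs["Tunnel-Private-Group-ID"])
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN id out of range: {vid}")
    return vid


def check_deployment(profiles, flex_vlans, ap_trunks):
    """Return a sorted list of findings: VLANs ISE can assign that are missing from the
    FlexConnect group (no AP sub-interface) or from an AP's switch trunk."""
    findings = []
    for name, attrs in profiles.items():
        vid = vlan_from_access_accept(attrs)
        if vid is None:
            continue
        if vid not in flex_vlans:
            findings.append(f"{name}: VLAN {vid} not in FlexConnect group VLAN-ACL mapping")
        for ap, allowed in ap_trunks.items():
            if vid not in allowed:
                findings.append(f"{name}: VLAN {vid} not allowed on trunk for {ap}")
    return sorted(findings)


if __name__ == "__main__":
    for line in check_deployment(ISE_AUTHZ_PROFILES, FLEX_GROUP_VLANS, AP_TRUNK_ALLOWED):
        print(line)
```

With the constructed data the check flags the Contractor VLAN (40) as missing from the FlexConnect group and from one AP's trunk, and VLAN 30 as missing from that same trunk; a clean run prints nothing.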




Friday, July 22, 2016

Network Engineers need Linux

Although I am by no means an expert in Linux (yet), I have done the swap.  I have dropped Windows for Linux Mint 17.3.  Since I work in the network consulting realm, it does make things (some things) a little simpler.  I am a fan of Windows 10, but the good about Linux far outweighs the good about Windows.



Benefits:
  • Become more familiar with commands that are regularly used to install and troubleshoot Cisco and other vendor appliances
  • Terminal services are much more fluid and many variants are available
  • VIRL and GNS3, in my opinion, run much more efficiently on Linux
  • Overall performance increase
  • Less bloat in my OS
  • The new Linux distros' GUIs are as good as, if not better than, Windows
  • IT'S FREE!
Drawbacks:
  • Visio and a few other Office-like products
  • I like Outlook much better than Thunderbird or Evolution

*** I still have Windows 10 installed on my hard drive for now if I need to use certain applications


More info on current Linux distributions: Click Here

More info on Mint: Click Here

Wednesday, July 6, 2016

Cisco VIRL Installation

So I finally had the chance to install Cisco VIRL.


Here are a few things that I learned:

  • Installation on bare metal is a pain
    • it is totally possible and doable, but installing on a free ESXi host is much easier
    • interfaces get tricky unless your box matches the base config exactly
  • ESXi is your friend
    • if you have an old PowerEdge 710 server laying around you might as well run ESXi on it and load the pre-configured OVA
    • no messing with Linux interfaces in the server
    • you just have to build the back-end networking in ESXi
  • Don't use the minimum required RAM
    • purchased the 30 node license, but quickly ran out of 32GB (only ran 14 nodes)
    • maxed out the server at 128GB and now I can max out my node limit
  • Cisco's community links don't work (as of 7/6/16)
    • all of the Google results redirect you to a parked domain
    • this makes troubleshooting and tips a pain if something gets screwed up
    • the community forum exists, but it is hard to get to threads directly at the moment
  • YOU CAN EXPORT TO GNS3!
All in all I think it's great that you can run multiple types of devices (NXOS, IOS, IOSXE, switches).  If you have someone paying for it I would get it, but GNS3 will still be my personal go-to software.

Here is a link to Cisco's documentation: Click Here
If you'd like some detailed info on doing a Bare Metal install (on a poweredge server): Click Here

Wednesday, September 16, 2015

SYNful Knock

Maybe downloading that IOS/firmware from BitTorrent isn't such a great idea.  Watch your back, they're taking things from you.

FireEye
Cisco Blog Post
SNORT Rule


Thursday, April 23, 2015

WPA(WPA2)-PSK not supported for ISE guest CWA?

I ran across this one very recently. 

If you are using ISE for CWA, then you are "limited" in what you can do from an SSID security standpoint.
Basic constraints:

  • Set Layer2 security to None with MAC filtering. 
  • Select the ISE IP address for both Authentication and Accounting Servers. 
  • Advanced tab, enable AAA Override and set the Network Admission Control (NAC) State to RADIUS NAC (CoA support)
This means that you cannot use a PSK when you want to do central web auth with ISE.  It sounds bad (insecure) until you think about the security mechanisms behind it.

  • Your guest VLAN should not have access to anything besides the internet once authenticated.  
  • All devices must get registered in ISE before they can authenticate, so even if an unencrypted packet is sniffed, the device still gets redirected to the Guest portal page.
  • Absolute worst case, the "hacker" gets on your guest network: your guest VLAN ACLs peel them off to the internet only and you disallow peer to peer communication on the SSID.

I realize this might make some people uncomfortable with "no security" in the SSID, but keep in mind that this is for guest only and ISE is validating clients.

Links to ISE/WLC Guest Configuration:

Friday, April 10, 2015

Cisco ISE Fail Open Ports

One thing that you have to consider when installing ISE in an organization is complete ISE failure.  In this scenario ISE has failed because of a complete power outage, or network access to ISE has been removed, and no access can be granted to end devices.  This could in effect shut down your entire company.  This is a very big problem when dealing with a multi-site business with a single data center.

On your switch ports, add the following command to your standard 802.1x config:
authentication event server dead action authorize vlan X

This command will authorize the port and place all of its traffic on the specified VLAN in the event that the switch marks ISE dead (total ISE failure or unreachability).
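Because the fail-open command has to be present on every 802.1X port, it is worth auditing running-configs for ports that were built without it. The script below is an added example, not from the original post: it parses IOS-style interface stanzas from a constructed running-config, picks out the ports doing 802.1X (those with `authentication port-control auto`), and reports whether each one carries the `authentication event server dead action authorize vlan` line. The interface names and VLAN numbers in the sample config are assumptions made for the example.

```python
"""Added example (not from the original post): audit a switch running-config for 802.1X
access ports that lack the fail-open command discussed in the post.

The config text is constructed for this example; interface names and VLAN numbers are
assumptions. The parser only understands the IOS stanza layout (an 'interface' line
followed by indented commands, terminated by '!' or the next global command)."""
import re

# Constructed sample running-config: one dot1x port with fail-open, one without,
# and a trunk uplink that is not running 802.1X at all.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 authentication port-control auto
 authentication event server dead action authorize vlan 10
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/48
 description uplink
 switchport mode trunk
!
"""

DEAD_ACTION = re.compile(r"^authentication event server dead action authorize vlan (\d+)$")


def parse_interfaces(config_text):
    """Return {interface name: [commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def audit_fail_open(config_text):
    """Classify each 802.1X port as 'fail-open vlan N' or 'no fail-open'.
    Ports without 'authentication port-control auto' are not doing 802.1X and are skipped."""
    result = {}
    for name, cmds in parse_interfaces(config_text).items():
        if "authentication port-control auto" not in cmds:
            continue
        vlans = [m.group(1) for c in cmds if (m := DEAD_ACTION.match(c))]
        result[name] = f"fail-open vlan {vlans[0]}" if vlans else "no fail-open"
    return result


if __name__ == "__main__":
    for port, status in audit_fail_open(SAMPLE_CONFIG).items():
        print(f"{port}: {status}")
```

Feed it the output of `show running-config` from a real switch (saved to a file) and every port reported as "no fail-open" is one that will black-hole users when ISE is unreachable.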

Wednesday, April 8, 2015

Simple IP SLAs

One of the easiest ways to adjust routing for a backup link is to simply use an IP SLA.

Basic premise:

Create an SLA to track a specific IP from a specific IP.  You ideally want to track from an external interface that is always going to be able to reach the tracked IP unless there is an outage.

ip sla 7
 icmp-echo (IP to track) source-ip (your local interface IP)
 timeout 6000
 threshold 3000
 frequency 30

Now you have to start your SLA.

ip sla schedule 7 life forever start-time now

Next you set up tracking of that SLA for reachability.

track 7 ip sla 7 reachability
*** On older code versions the syntax is: track 7 rtr 7 reachability

Now for the implementation.  You simply add the track statement to the route you want to be preferred and add the backup route with a higher administrative distance (200 in the example below), so it is only installed when the tracked route is withdrawn.

ip route DestinationNetwork Mask NextHop track 7
example:
ip route 172.16.48.0 255.255.255.0 172.18.8.129 track 7

ip route DestinationNetwork Mask NextHop Distance
example:
ip route 172.16.48.0 255.255.255.0 10.14.32.1 200

You can get way more complicated with this, but this is a simple solution for backup links.
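To make the timer semantics of the configuration above concrete, here is an added example (not from the original post) that simulates the whole chain: the icmp-echo return codes Cisco documents (OK, OverThreshold, Timeout) from the post's timeout/threshold/frequency values, the state of `track 7 ip sla 7 reachability`, and which static route is installed as a result. The probe RTT series is constructed; the next hops are the ones from the post's example routes. It also applies the IOS rule that threshold must not exceed timeout and timeout must not exceed frequency, which is the check that catches most mis-typed SLA definitions.

```python
"""Added example (not from the original post): simulator for the ip sla / track /
floating-static construct described in the post.

Models 'track 7 ip sla 7 reachability' using the icmp-echo return codes Cisco documents
(OK, OverThreshold, Timeout). The probe RTT sequence is constructed; nothing touches a router."""

# Values from the post's configuration.
FREQUENCY_S = 30
TIMEOUT_MS = 6000
THRESHOLD_MS = 3000

# (destination, next hop, administrative distance) from the post's example routes.
PRIMARY = ("172.16.48.0/24", "172.18.8.129", 1)    # ip route ... 172.18.8.129 track 7
BACKUP = ("172.16.48.0/24", "10.14.32.1", 200)      # ip route ... 10.14.32.1 200 (floating)


def validate_sla(frequency_s, timeout_ms, threshold_ms):
    """IOS requires threshold <= timeout <= frequency (frequency is given in seconds)."""
    if not threshold_ms <= timeout_ms:
        raise ValueError("threshold must not exceed timeout")
    if not timeout_ms <= frequency_s * 1000:
        raise ValueError("timeout must not exceed frequency")
    return True


def return_code(rtt_ms):
    """Per-probe SLA return code. None means no echo reply arrived before the timeout."""
    if rtt_ms is None or rtt_ms > TIMEOUT_MS:
        return "Timeout"
    return "OverThreshold" if rtt_ms > THRESHOLD_MS else "OK"


def reachability_up(code):
    """A 'reachability' track is up for OK and OverThreshold and down only on Timeout
    (a 'state' track, by contrast, is up only for OK)."""
    return code in ("OK", "OverThreshold")


def active_route(track_up):
    """Track up: the primary static (AD 1) is installed. Track down: the primary is
    withdrawn and the floating static (AD 200) becomes the best route."""
    return PRIMARY if track_up else BACKUP


def simulate(rtts_ms):
    """Run a list of probe results through the chain and return, per probe,
    (return code, track state, next hop in use)."""
    validate_sla(FREQUENCY_S, TIMEOUT_MS, THRESHOLD_MS)
    timeline = []
    for rtt in rtts_ms:
        code = return_code(rtt)
        up = reachability_up(code)
        timeline.append((code, "up" if up else "down", active_route(up)[1]))
    return timeline


# Constructed probe series: healthy, congested (answered but over threshold), dead, restored.
SAMPLE_RTTS = [20, 25, 3500, None, None, 30]

if __name__ == "__main__":
    for i, (code, state, nh) in enumerate(simulate(SAMPLE_RTTS)):
        print(f"t={i * FREQUENCY_S:>3}s  {code:<13} track {state:<4} next-hop {nh}")
```

The third probe is the one worth noticing: an RTT above the 3000 ms threshold returns OverThreshold, yet the reachability track stays up and the primary route stays in the table; only a full timeout fails the route over to 10.14.32.1, and the first good reply brings it back. With a 30 s frequency that means a dead primary link can take up to the full probe interval plus the 6 s timeout to be detected.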

references:
Cisco SLAs