Wednesday, September 16, 2015

SYNful Knock

Maybe downloading that IOS/firmware from BitTorrent isn't such a great idea. Watch your back, they're taking things from you.

FireEye
Cisco Blog Post
SNORT Rule


Thursday, April 23, 2015

WPA(WPA2)-PSK not supported for ISE guest CWA?

I ran across this one very recently. 

If you are using ISE for CWA, then you are "limited" in what you can do from an SSID security standpoint.
Basic constraints:

  • Set Layer 2 security to None with MAC filtering.
  • Select the ISE IP address for both the Authentication and Accounting servers.
  • On the Advanced tab, enable AAA Override and set the Network Admission Control (NAC) State to RADIUS NAC (CoA support).
This means that you cannot use a PSK when you want to do central web auth with ISE.  It sounds bad (insecure) until you think about the security mechanisms behind it.

  • Your guest VLAN should not have access to anything besides the internet once authenticated.
  • All devices must get registered in ISE before they can authenticate, so even if an unencrypted packet is sniffed, the device still gets redirected to the Guest portal page.
  • Absolute worst case, the "hacker" gets on your guest network: your guest VLAN ACLs peel them off to the internet only and you disallow peer-to-peer communication on the SSID.

I realize this might make some people uncomfortable with "no security" in the SSID, but keep in mind that this is for guest only and ISE is validating clients.
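For reference, here is the AireOS WLC CLI equivalent of the three constraints above, plus the peer-blocking setting mentioned in the last bullet. This is an added example and not configuration from the original post; the WLAN ID (5), the RADIUS server index (1), the ISE address and the shared secret are placeholders you substitute for your own.

```cisco
! Added example, not from the original post. Assumed: WLAN ID 5, RADIUS index 1,
! ISE PSN at 192.0.2.50 (documentation address), placeholder shared secret.
! Define ISE as both the authentication and accounting server.
config radius auth add 1 192.0.2.50 1812 ascii PLACEHOLDER-SHARED-SECRET
config radius acct add 1 192.0.2.50 1813 ascii PLACEHOLDER-SHARED-SECRET
!
! The WLC only accepts security changes on a disabled WLAN.
config wlan disable 5
! Layer 2 security: None, with MAC filtering so every client hits ISE for CWA.
config wlan security wpa disable 5
config wlan mac-filtering enable 5
! Point authentication and accounting at ISE (index 1 above).
config wlan radius_server auth add 5 1
config wlan radius_server acct add 5 1
! Advanced tab: AAA Override and NAC state = RADIUS NAC, so ISE can CoA the session.
config wlan aaa-override enable 5
config wlan nac radius enable 5
! Block client-to-client traffic on the guest SSID.
config wlan peer-blocking drop 5
config wlan enable 5
!
! Check the result: security, AAA override, NAC state and peer blocking are all listed here.
show wlan 5
```

The guest VLAN ACL that limits authenticated clients to the internet is a separate object (applied via AAA override from the ISE authorization profile) and is not shown here.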

Links to ISE/WLC Guest Configuration:

Friday, April 10, 2015

Cisco ISE Fail Open Ports

One thing that you have to consider when installing ISE in an organization is complete ISE failure.  In this scenario ISE has failed because of a complete power outage, or network access to ISE has been lost, and no access can be granted to end devices.  This could in effect shut down your entire company.  This is a very big problem when dealing with a multi-site business with a single data center.

On your switch ports, add the following command to your standard 802.1x config:
authentication event server dead action authorize vlan X

This command will grant access and dump all traffic on the specified VLAN in the event of total ISE failure/unreachability.
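An added example (not the original post's configuration) showing where that command sits in a standard 802.1X/MAB access port, together with the RADIUS dead-server detection that actually triggers it. The interface, VLAN 10, the ISE address and the shared secret are assumed placeholders.

```cisco
! Added example, not from the original post. Assumed: ISE PSN at 192.0.2.50,
! placeholder shared secret, access VLAN 10, interface Gi1/0/1.
radius server ISE-PSN-1
 address ipv4 192.0.2.50 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
!
! A server is declared dead after 3 unanswered tries within 30 seconds and stays
! marked dead for 15 minutes. deadtime defaults to 0, in which case the switch never
! holds a server in the dead state and the "server dead" event is not raised.
radius-server dead-criteria time 30 tries 3
radius-server deadtime 15
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! Fail open: sessions that start or re-authenticate while every RADIUS server is
 ! dead are authorized into VLAN 10 instead of being rejected.
 authentication event server dead action authorize vlan 10
 ! When a server comes back, re-run authentication so ports leave the fail-open state.
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! Verification: server state (UP/DEAD) and the current session's authorization.
show aaa servers
show authentication sessions interface GigabitEthernet1/0/1 details
```

Two things to keep in mind: endpoints that were already authorized when ISE went away keep their existing sessions, so the fail-open VLAN only matters for new or re-authenticating devices; and because every such device lands in that VLAN without any check, keep it scoped to what the business needs to stay running. Switches running the newer IBNS 2.0 (policy-map type control subscriber) style express the same behaviour through a service template rather than this interface-level command.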

Wednesday, April 8, 2015

Simple IP SLAs

One of the easiest ways to adjust routing for a backup link is to simply use an IP SLA.

Basic premise:

Create an SLA to track a specific IP from a specific IP.  You ideally want to track from an external interface that is always going to be able to reach the tracked IP unless there is an outage.

ip sla 7
 icmp-echo (IP to track) source-ip (your local interface IP)
 timeout 6000
 threshold 3000
 frequency 30

Now you have to start your SLA.

ip sla schedule 7 life forever start-time now

Next, you set up tracking of that SLA for reachability.

track 7 ip sla 7 reachability
(older code versions use "track 7 rtr 7 reachability" instead)

Now for the implementation.  You simply add the track statement to the route you want to be preferred and add the backup route with a higher administrative distance.

ip route DestinationNetwork Mask NextHop track 7
example:
ip route 172.16.48.0 255.255.255.0 172.18.8.129 track 7

ip route DestinationNetwork Mask NextHop Distance
example:
ip route 172.16.48.0 255.255.255.0 10.14.32.1 200

You can get way more complicated with this, but this is a simple solution for backup links.
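Putting the pieces above together, here is the complete configuration as an added example (not the post's own config), using the post's example prefix and next hops. The tracked upstream address (198.51.100.1) and the local external interface IP (192.0.2.10) are assumed documentation-range placeholders. It goes one step beyond the text by pinning the tracked address to the primary next hop, which keeps the probe from succeeding over the backup link after failover and flapping the primary route back in.

```cisco
! Added example, not from the original post. Assumed placeholders:
! 198.51.100.1 = upstream address to probe, 192.0.2.10 = local external interface IP.
ip sla 7
 icmp-echo 198.51.100.1 source-ip 192.0.2.10
 timeout 6000
 threshold 3000
 frequency 30
ip sla schedule 7 life forever start-time now
!
track 7 ip sla 7 reachability
 ! Dampen flaps: wait 10 s before declaring down, 20 s before declaring up.
 delay down 10 up 20
!
! Pin the probe target to the primary next hop so the SLA can only succeed over the
! primary link; otherwise it would come back up via the backup and reinstall the
! primary route while the primary link is still broken.
ip route 198.51.100.1 255.255.255.255 172.18.8.129
!
! Preferred route (AD 1), withdrawn from the routing table when track 7 goes down.
ip route 172.16.48.0 255.255.255.0 172.18.8.129 track 7
! Floating static backup (AD 200), used only while the primary route is withdrawn.
ip route 172.16.48.0 255.255.255.0 10.14.32.1 200
!
! Verification: probe results, track state, and which next hop is currently installed.
show ip sla statistics 7
show track 7
show ip route 172.16.48.0
```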

References:
Cisco SLAs

Wednesday, April 1, 2015

ISE and iPads

I do a lot of customer site installs these days.  There are varying levels of infrastructure at all of them, so here is a solution I ran into recently.

Needs:
ISE authentication for Wired Domain Joined PC
ISE authentication for Wired Non-Domain Joined (printers)
ISE authentication for Wireless Domain Joined PC
ISE authentication for Wireless Non-Domain Joined (ipad, iphone, scan gun)

Most of this is straightforward.

For starters they wanted to use certificate authentication.  This worked great for all of the domain-joined PCs, wired and wireless alike.  I simply allowed EAP-TLS connections only for each and used computer-based authentication with machine cert validation.  I pushed out the machine certs with a GPO and did the rollout the following week.  Piece of cake.

MAB was an easy solution for all of the printers, scanners, and misc devices in the manufacturing/warehouse areas.

The issue came in when they wanted secure access via their iPads.  Had these devices been domain joined it would have been simple: issue them a machine cert.  Alternatively I could have used NDES to join the iPads (but they're running Windows Server 2008 Standard... not NDES).  A third option would be to manually generate certs for each device (not an option, too many and spread out across the country).

My solution was to add all users that needed WiFi via iPads into an AD group.  I then profiled all Apple devices joining the network and created an identity group mapping.

My policy was simple: after a cert failure, check whether the device has been profiled as an Apple device and whether the user is a member of the ipadUser group.  Not as secure as certificates or checking for domain-joined machines, but a lot better than just allowing any device onto the corp WiFi.

Tuesday, March 31, 2015

iPad/iPhone SSID join issue

I have seen this happen to more people than I can count.

Symptoms:


  • iPad/iPhone can't join a wireless network
  • iPad/iPhone can't roam properly
  • Laptops and Androids join/roam just fine
  • Debugs on the controller show the iPad/iPhone joining


Solution:

Turn on Fast SSID switching.

The Apple devices, for whatever reason, try to join a second SSID before they receive the response from the controller.  With the option disabled, the WLC enforces a delay before a device can join a different SSID.  The vicious cycle begins.
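The same setting from the AireOS WLC CLI, as an added example (not from the original post), with the command to confirm it took effect:

```cisco
! Added example, not from the original post. Global setting, applies to all WLANs.
! Let a client move between SSIDs immediately instead of waiting out the WLC's delay.
config network fast-ssid-change enable
!
! Verify: the "Fast SSID Change" line in the summary should read Enabled.
show network summary
```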

Nothing makes people more irritated than not being able to use their shiny Apples.

References:
rscciew