802.1x VLAN User Distribution (VLAN Group)

In this blog post, I will be going over 802.1x VLAN User Distribution (sometimes referred to as "VLAN Groups") in Cisco IOS and a use case scenario that involves Cisco ISE (Identity Services Engine). First, some background around VLAN Groups. Based on my research, it seems there are two major types of VLAN Groups: The …


Cisco ISE REST API & Python

I've been faced with a fun little challenge on how to make sure our ISE deployment has every NAD (Network Access Device) configured appropriately to allow for successful EAP communications. Originally I was planning on utilizing a CSV and the bulk import tool to regularly import new devices into ISE as they were built. This allows …

IKEv2 with RSA Signatures

Currently my studies have taken me on an adventure into the wonderful world of Cisco Security. I am studying for the 300-209 (SIMOS) certification exam, which covers VPN technologies including DMVPN, FlexVPN, and a few other flavors of VPN. I find it interesting that so many try very hard to avoid having to implement security because its …

Hiding (filtering) a specific user from reporting in Cisco ISE

I ran into an interesting problem preparing for an 802.1x deployment: the authentications report in Cisco ISE was full of all the network devices checking to make sure ISE was still available (health checks). As seen below, the load balancer's keep-alives fill the logs pretty much on their own; imagine trying to troubleshoot a …

Controlling Traffic to a Virtual Server on F5

There are multiple ways to control what traffic is allowed or not allowed through a BIG-IP F5 system or for specific Virtual Servers (VS). The following method uses F5's AFM (Application Firewall Manager) module to create security policies, which are then applied to a specific VS. For this example, traffic from three specific hosts …

Let's just go ahead and use DTP & VLAN 1… Part 1: Attacking DTP – getting those server files

In my previous post, I discussed the vulnerabilities introduced by using the defaults of DTP and VLAN 1, along with ways to mitigate them. In this post, a basic example of attacking DTP will be reviewed. To make things easier to follow, the following diagram will be used throughout the series: Before the attack, for demonstration purposes, …

Let's just go ahead and use DTP & VLAN 1… Part 0: What using DTP & VLAN 1 means

By default, DTP auto negotiation is enabled on Cisco switches on all layer 2 ports, and those ports are placed in VLAN 1. These two defaults allow for an easy way to just deploy a switch, or attach another switch to gain more port density, without needing any configuration knowledge. While this is very helpful, the …