Cisco ISE Profiler in action

by jimmy on 20 February, 2012

I am a huge fan of Cisco ISE and Trustsec. I have done a few live implementations as well as at home (anyone should run Trustsec at home! :-) ). There will probably be a lot of ISE-related posts here in the near future.

Here I just want to reflect on how well the built-in profiler works in ISE (1.04). I have run the profiler for a few days now and it has automatically gathered a complete list of the devices in my home network. From here I can build my 802.1X authorization policies to give granular access to devices of a specific type, rather than relying on plain user-based 802.1X.

For example: all Nintendo Wii devices will automatically get Internet-only access. The HP device can be automatically moved to the printer VLAN (which only allows access to other networks on the JetDirect ports), and the Microsoft workstations should only get access to the core network if they are successfully authenticated via EAP-TLS. The sky is the limit…


Cisco Live 2012 in London – short resume of my sessions

February 10, 2012

I just returned home after spending almost a week in London attending Cisco Live. Much can be said about the event and many have already summarized their experience, so the plan for this blog post is to make a short resumé of the sessions I attended. Many were great, most were good but a few [...]

Quick note: Inactive Anyconnect sessions not removed.

February 6, 2012

I recently had a TAC case regarding a Cisco ASA 5510 firewall with AnyConnect clients, where VPN clients were unable to connect due to “no address available”. It turned out that the “show vpn-sessiondb anyconnect” command showed 50+ AnyConnect sessions that were over one month old! Like this:   sh vpn-sessiondb anyconnect Session Type: AnyConnect Username : [...]

Cisco Ironport WSA – what happened?

January 30, 2012

I have recently implemented a few Cisco IronPort WSA solutions. When doing a follow-up after the implementation, the customer usually reacts with “Oh… WSA? We forgot about that. It probably works…” But what difference does it make? If the customer forgets about their web proxy, what good does it do? Let's have a look at an [...]

How to play case status table-tennis with Cisco TAC

January 26, 2012

The problem: have you ever had an open TAC case with Cisco, just waiting for them to provide either a solution or some other kind of feedback, and all that happens is that the TAC engineer sends you an email telling you that they “have work in progress” or something else that does not make the case evolve? If so, I [...]

Happy new year – Again! :-)

January 24, 2012

When purging and cleaning ancient posts I found this post where I wished everyone a Happy New 2011, and I felt that it was time for an update.   So, what happened during 2011 – did I become a Cisco CCIE Security? The short answer is: No.   In February 2011 my written CCIE Security exam [...]

RSS feeds with partial content suck!

January 22, 2012

I am a fan of RSS readers. I use Google Reader all the time to keep track of interesting blog and news sites. Actually, I rarely visit blog sites directly, just from my RSS reader. And I love it.   But there are a few really good blogs that are configured not to post the full [...]

ISE host name and AD joining

January 21, 2012

Recently we tried to join a Cisco ISE instance to Active Directory without success. The problem seemed to be the length of the ISE host name. Even though the system supports host names up to 19 characters long, we couldn’t add the ISE to AD until we shortened the name to a maximum [...]

Stuck with an auth-proxy task

January 3, 2012

Hello, I am currently working on a task (INE CCIE Security WB 1 Task 2.9) where I am supposed to configure a RADIUS-based IOS auth-proxy. The task is this:   Configure Authentication Proxy settings on R3 per the following requirements. Use the RADIUS server at 10.0.0.100 with the authentication key CISCO. The authentication proxy should [...]

WLC2100 and ASA 5505 use the same hardware. Can they be converted?

October 9, 2011

I wonder if one can convert a Cisco Wireless Controller 2106 into an ASA 5505 or vice versa. It seems to be the same hardware. Does anyone know if there are any burned-in differences, or is it just a matter of replacing the software?   I will try to swap the CF card in an ASA 5505 [...]
