Security / Cisco ISE 1.4 SNMP traps support?
« on: January 06, 2017, 01:09:36 PM »
Hi all,

It appears that SNMP traps are not supported on ISE 1.4; I cannot configure them using the CLI. Is this a limitation of this version? ISE 2.1 does support the "snmp-server trap" command, but only for disk space.

We want to send SNMP traps to our monitoring tools (in addition to email alerts).

Thank you.

Security / ISE 1.4 EAP TLS failing - multiple accounts found for user
« on: November 24, 2016, 11:16:47 AM »
Hi all,

I've got a problem authenticating certain users via wired EAP-TLS, as they have AD accounts in multiple Active Directory domains; ISE complains about multiple matches found.
The problem is that the username is taken from the certificate CN and is exactly the same in two separate AD domains. Is there a way to make ISE distinguish between the two? We have tried playing with Scope, etc., but no luck so far.

Hi all,

We have a distributed Cisco ISE deployment with 4 PSNs. We have configured logging to an external syslog server (Splunk), which works fine. The question is, does each PSN send syslog individually? It seems to be the case. And is there a way to configure PSNs in the primary data center to log to a local collector and PSNs in the recovery data center to log to their local collector?
There is no option in the CLI or the GUI; this is ISE 1.4.

Security / Cisco ISE high memory on all nodes
« on: April 23, 2016, 11:26:26 AM »
Hi everyone,

Another issue I have noticed with my ISE deployment is that almost all nodes are constantly running at 80-85% memory utilization (I have 32GB per node, 3495s).
This makes no sense, as some of my PSNs are not authenticating any users yet.
psn3/admin# sh memory
total memory:   32880364 kB
free memory:      689036 kB
cached:          4661596 kB
swap-cached:           0 kB

Output of the free command:
             total       used       free     shared    buffers     cached
Mem:      32880364   32191328     689036          0     197960    4661596
-/+ buffers/cache:   27331772    5548592
Swap:      8185112          0    8185112

psn3/admin# sh ver

Cisco Application Deployment Engine OS Release: 2.2
ADE-OS Build Version:
ADE-OS System Architecture: x86_64

Copyright (c) 2005-2014 by Cisco Systems, Inc.
All rights reserved.
Hostname: psn3

Version information of installed applications

Cisco Identity Services Engine
Version      :
Build Date   : Tue Jun 16 03:29:53 2015
Install Date : Fri Oct  9 11:47:06 2015

Cisco Identity Services Engine Patch
Version      : 4
Install Date : Mon Nov 16 11:39:43 2015

Security / Cisco ISE stale wired authentication sessions
« on: April 06, 2016, 05:51:15 PM »
Hi all,

We are in the middle of rolling out ISE 1.4 on a Cisco 4507 switch access network (NADs).
We are using the native Windows 7 supplicants on our endpoints for 802.1X. Windows computers are plugged in behind Avaya IP phones. The Avaya phones are configured with EAP proxy logoff so that they will notify ISE of any workstation disconnect, provided the workstations are set up for 802.1X. The issue is with computers not set up for 802.1X yet: they seem to generate stale authentication sessions that get stuck in the "UNKNOWN" domain instead of voice or data. Please advise if you have seen this behavior.

Security / SFR monitor only on ASA 5585-X
« on: March 27, 2016, 01:49:06 PM »
I am trying to use my ASA 5585-X as a pure sniffer where it sends all traffic to the SFR module without having to use the policy map redirect method.

I am following this doc:

When I enter the below command at interface level it's all good:
traffic-forward sfr monitor-only

However, doing a "show run" doesn't list that command, and even though traffic is received on the physical port, it does not get processed.
Does it matter which ASA ports I am using?

Security / ASA FirePOWER TCP state bypass
« on: March 24, 2016, 11:42:29 AM »
To accommodate asymmetric traffic in our network we had to enable TCP state bypass on the ASA FirePOWER. At the same time we are applying the SFR forwarding policy (configuration below).
Is this a supported setup, and would FirePOWER be able to see the respective traffic?

wka00acw1/pri/act#         sh run class-map
class-map alltraffic
 match any

class-map tcp-traffic
 match access-list riverbed_tcp
class-map inspection_default
 match default-inspection-traffic
wka00acw1/pri/act# sh run poli
wka00acw1/pri/act# sh run policy-map
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
 class alltraffic
  set connection advanced-options tcp-state-bypass
  sfr fail-open monitor-only
 class tcp-traffic
  set connection advanced-options allow-probes
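An added audit check (example code, not from the post or from Cisco) that parses the class-map/policy-map fragment above and reports what tcp-state-bypass and the SFR action in each class mean for inspection coverage; the SAMPLE string reproduces the post's relevant lines, and the parser deliberately skips "policy-map type inspect" blocks.

```python
import re

# Constructed sample: the class-map/policy-map lines quoted in the post above.
SAMPLE = """\
class-map alltraffic
 match any
policy-map global_policy
 class alltraffic
  set connection advanced-options tcp-state-bypass
  sfr fail-open monitor-only
"""

def parse_asa_mpf(text):
    """Return ({class-map: match criteria}, {policy-map: {class: [actions]}})."""
    class_maps, policies = {}, {}
    cur_class = cur_policy = cur_pclass = None
    for raw in text.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if not line:
            continue
        if indent == 0:  # new top-level object; 'policy-map type inspect ...' is skipped
            cur_class = cur_policy = cur_pclass = None
            if m := re.match(r"class-map (\S+)$", line):
                cur_class = m.group(1); class_maps[cur_class] = ""
            elif m := re.match(r"policy-map (\S+)$", line):
                cur_policy = m.group(1); policies[cur_policy] = {}
        elif cur_class and line.startswith("match "):
            class_maps[cur_class] = line[len("match "):]
        elif cur_policy and indent == 1 and line.startswith("class "):
            cur_pclass = line.split()[1]; policies[cur_policy][cur_pclass] = []
        elif cur_policy and cur_pclass and indent >= 2:
            policies[cur_policy][cur_pclass].append(line)
    return class_maps, policies

def audit(text):
    class_maps, policies = parse_asa_mpf(text)
    findings = []
    for pol, classes in policies.items():
        for cls, actions in classes.items():
            scope = class_maps.get(cls, "?")
            sfr = next((a for a in actions if a.startswith("sfr ")), "")
            if any("tcp-state-bypass" in a for a in actions):
                findings.append(f"{pol}/{cls}: TCP state bypass on '{scope}' "
                                "(TCP state checks and normalization disabled)")
            if "monitor-only" in sfr:
                findings.append(f"{pol}/{cls}: SFR monitor-only (module sees a copy, cannot block)")
            if "fail-open" in sfr:
                findings.append(f"{pol}/{cls}: SFR fail-open (traffic passes if the module is down)")
    return findings
```

Run audit() over a full "show run" capture to list every class where state bypass or a fail-open SFR action widens what the firewall lets through without inspection.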

Security / Renaming Cisco ISE nodes
« on: March 07, 2016, 05:22:04 AM »
Hi everyone,

We are moving a few of our nodes to a new data center and will eventually have to rename them using a new naming standard.
Has anyone experienced any gotchas?
My understanding is this is what needs to be done:
1. Deregister node from cube
2. Unjoin node from active directory
3. Remove DNS entry for old name
4. Create DNS entry for new name
5. Join Active Directory
6. Generate new CSR for all nodes that are changing names
7. Import new certificate for node

- What is the risk of doing all of the above? From what I am reading, some people are suggesting that changing a hostname can actually make the node unusable. My deployment is based on physical appliances.

Thank you!

