Any configuration related to URL reputation or category requires you to have a URL Filtering license. Although we have not tested this, you should be able to create an object based on just the URL name to match traffic, as that should not require an additional license.


I'm wondering if anyone has tried to configure SSL Decryption with the criteria of a custom URL [object] category in Cisco SourceFire. The reason I want to do this is due to a testing scenario: put a couple of URLs in a URL group (Ex., & others), tell the SSL decryption policy that user "jdoe" needs decryption when going to these URLs, have that user download test malware from to demo the functionality, etc. Without the ability to do this, there is a whole demo I cannot do.

From what I can see, I created the custom URL object & URL group (Objects > Object Management, URL, etc.). That custom URL object is there if I go to Policies > Access Control Policies & look at my URL-based ACP. In other words, I can click on that custom URL object & do some action with it. When I go to Policies > SSL & create an SSL decryption policy and click on the "Category" tab, the regular well-known pre-defined URL categories are there. But the custom URL object / category is not even there, not even selectable (with or without having done a "deploy" after I created the URL object).

I'm now thinking that you cannot configure a custom URL object to be included as a URL category where you're doing SSL decryption, as the custom URL object does not show up as a selectable item in the config. Because of that, I'm also thinking that if you need to do SSL decryption off of URL categories in Cisco SourceFire, you need the URL filtering license. Thoughts? Thanks!

Wireless / Re: wireless multi tenant (On behalf of Abraham D.)
« on: September 18, 2017, 08:52:26 PM »
We do not specifically have a video on the mentioned scenario. However, you should be able to achieve it by doing the following.
1. Create an SSID per tenant
2. Point each SSID to either the same or a different ISE RADIUS server
3. In the case of the same ISE server, you can identify the connection based on SSID and make it authenticate against various AD join points
4. Once traffic is tunneled to the WLC, you can drop it into an intermediate switch and sort it into the different tenant networks.

Please keep in mind that WLC does not support multi-tenant management.

Wireless / wireless multi tenant (On behalf of Abraham D.)
« on: September 18, 2017, 08:48:14 PM »
Hello, I would like to know if you have a Cisco series on wireless multi-tenant design, where you have a multi-department business with some areas having shared space that requires separate SSIDs along with controllers and AD. Would ISE be able to do this type of control? User data traffic needs to stay separate from the AP to the end user's own network, but the AP would be broadcasting multiple SSIDs. Thank you.

Firepower can operate without FMC, so FMC can fail and FP will continue to operate. You always upgrade FMC first, followed by the sensors. FYI, FMC takes around 1-2 hours to upgrade.

What is the impact to the live network if FireSIGHT (Defense Center) fails at the time when we upgrade it?

Kindly share the details about the risk of upgrading the Defense Center (FireSIGHT) & sensors (SFR) in parallel.

Security / Re: ISE 2.3 IP Pool Assignment (On behalf of Keyvan)
« on: September 14, 2017, 08:27:29 PM »
The DHCP server feature on ISE is not really meant for general-purpose use. It is for helping clients with URL redirect on 3rd-party switches by assigning an IP with ISE as the DNS server, so when the client tries to resolve a URL, it is redirected to ISE.
For integrating ISE with MDM, you can check out the videos on our website. There are several videos that walk you through this.
Good luck.

Security / ISE 2.3 IP Pool Assignment (On behalf of Keyvan)
« on: September 14, 2017, 08:23:11 PM »
Hi there, first, thanks for your useful info. I would like to ask you about the Dynamic IP Assignment feature in ISE 2.3! Is it possible to use it instead of DHCP, I mean without buying an extra module to support it? Actually we want to use ISE as our RADIUS server for mobile devices joining our MDM. If yes, how should I configure it? That would be nice if you can guide/help me. Good time, Keyvan

Routing and Switching / Re: RS0076-RS0097 missing videos
« on: November 30, 2016, 08:37:40 PM »
Hi. Those videos are vNAM and Prime 3.1 (Basic).

Please do 'sh cry ipsec sa' and check the encrypt packet count on the headend. If it's 0, check return traffic routing. If non-0, do the same on the remote router and see if you see decrypt packets.
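One way to turn that check into a repeatable script, as an added example that is not from the forum or from Cisco: it parses constructed 'show crypto ipsec sa' output (the peers, addresses and counters are made up) and applies the encaps/decaps logic from the reply above to each peer.

```python
import re

# Constructed sample of 'show crypto ipsec sa' output; not from a real device.
SAMPLE_SA = """\
interface: GigabitEthernet0/0
    Crypto map tag: VPNMAP, local addr 203.0.113.1

   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
   current_peer 198.51.100.2 port 500
    #pkts encaps: 125, #pkts encrypt: 125, #pkts digest: 125
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   current_peer 198.51.100.3 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

PEER_RE = re.compile(r"current_peer\s+(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_ipsec_sa(text):
    """Return {peer: {"encaps": n, "decaps": n}} from 'show crypto ipsec sa' output."""
    peers, current = {}, None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:  # a new SA block starts at each current_peer line
            current = m.group(1)
            peers[current] = {"encaps": 0, "decaps": 0}
            continue
        if current is None:
            continue
        m = ENCAPS_RE.search(line)
        if m:
            peers[current]["encaps"] = int(m.group(1))
        m = DECAPS_RE.search(line)
        if m:
            peers[current]["decaps"] = int(m.group(1))
    return peers


def diagnose(counters):
    """Next troubleshooting step for one peer, following the reply's logic."""
    if counters["encaps"] == 0:
        return "no packets encrypted here: check return traffic routing into the tunnel"
    if counters["decaps"] == 0:
        return "packets leave encrypted but none come back: check decrypt count on the remote router"
    return "traffic flows both ways: the IPsec SA is not the problem"


if __name__ == "__main__":
    for peer, counters in parse_ipsec_sa(SAMPLE_SA).items():
        print(peer, counters, "->", diagnose(counters))
```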

Security / I need your help on this video SEC0015 (On behalf of Olushola)
« on: November 08, 2016, 05:36:33 PM »
I watched this video "LabMinutes# SEC0015 - Cisco Router Easy VPN (EZVPN) with Pre-Shared Key and Hardware Client" and followed the steps one after the other. The head-end and hardware client were configured correctly and NAT translation is also working, as I debugged the packets. The PC behind the hardware client is not getting a reply, but the head-end and hardware client are seeing the echo reply and NAT translation. Please, what do you think can cause this problem where my PC is not receiving the echo reply? I look forward to hearing from you. Thanks a lot

Assuming the member switch did not exist, you can connect the stacking cable per the link below. Make sure the new switch has no config and is powered down. Power on the switch only after the stack connection is in place.


Routing and Switching / STACKWISE 480 FOR 3850 SWITCHES (On behalf of Syed)
« on: November 08, 2016, 05:30:29 PM »
I need to know how to add a new stack member to a switch stack of 3850 switches. Please help.

Security / Re: Cisco ISE (on behalf of hamidreza)
« on: April 05, 2016, 10:09:48 PM »
Are you running something like VMware Workstation on the client machine? If so, do both the PC and the VM run .1x? What passes, what fails?

Security / Cisco ISE (on behalf of hamidreza)
« on: April 05, 2016, 10:06:38 PM »
I have a question about Cisco ISE. Please help me. With the following port configuration:

authentication event fail action next-method
authentication event server dead action reinitialize vlan 2
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10

The client's PC authorizes successfully, and when the client uses a virtual machine with a bridged network interface, the virtual machine authorizes successfully; after that, the host's dot1x changes to authentication fail. With a NAT interface there is no problem. Please help me. Thanks

