Recent Posts

I’m wondering if anyone has tried to configure SSL Decryption with the criteria of a custom URL [object] category in Cisco SourceFire. The reason I want to do this is due to a testing scenario—put a couple of URLs in a URL group (Ex., & others), tell the SSL decryption policy that user “jdoe” needs decryption when going to these URLs, have that user download test malware from to demo the functionality etc. Without the ability to do this, there is a whole demo I cannot do.

From what I can see—I created the custom URL object & URL group (objects > object management, URL etc.). That custom URL object is there if I go to Policies > Access Control Policies & look at my URL based ACP. In other words, I can click on that custom URL object & do some action with it. When I go to Policies > SSL & create an SSL decryption policy, click on the “category” tab, the regular well-known pre-defined URL categories are there. But the custom URL object / category is not even there, not even selectable (with or without having done a “deploy” after I created the URL object).

I’m now thinking that you cannot configure a custom URL object to be included as a URL category where you’re doing SSL decryption, as the custom URL object does not show up as a selectable item in the config. Because of that, I’m also thinking that, if you need to do SSL decryption off of URL categories in Cisco SourceFire, you need the URL filtering license.

Thoughts? Thanks!
Cisco General Hardware / Re: ASR 1001
« Last post by Wutchanut on December 03, 2017, 11:28:04 PM »
I also want to know what to do to be able to use it. I want to know the details.
Wireless / Re: EAP/TLS User authentication
« Last post by MC on October 26, 2017, 09:35:06 PM »
That's certainly unusual. How was the cert installed? Was it manually or via GPO? Who issued the cert and, if it was a Windows CA, which template was used?
Security / Re: ISE and Cisco IP phone
« Last post by MC on October 26, 2017, 09:33:07 PM »
Hi Aris, That's incorrect. For ISE to trust the phone and PC, you need to import the CA cert that signed those devices' certs into the ISE trusted cert store (in your case the self-signed CAPF for the phone and possibly your internal CA for the PC). This has nothing to do with who signed the ISE cert. Then, for the phone to trust ISE, you need to import the CA cert that signed the ISE cert into the phone CTL.
Security / ISE and Cisco IP phone
« Last post by aris on October 26, 2017, 02:12:31 AM »

We would like to authenticate Cisco IP Phones with ISE with the use of certificates. The IP Telephony for 802.1X Design Guide states that you can use X.509 certificates for phone authentication and that they can be validated by the ACS in a single authorization rule without the need to configure and maintain a database of phone usernames and/or passwords, so I guess this is true of ISE.

It also states that in an 802.1X authentication, the AAA server is responsible for validating the certificate provided by the phone. To do this, the AAA server must have a copy of the root CA certificate that signed the certificate of the phone. The root certificates for both LSCs and MICs can be exported from the Unified CM Operating System Administration interface and imported into your AAA server.

Now the question is that we want to use a self-signed CAPF of the CUCM to sign the LSCs, so we need to export that and import it in ISE, but under system certificates in ISE, in "Used by", we can only have one certificate selected.

So if my understanding is correct, we cannot have a CA to issue PC certificates and a self-signed CAPF for the phones and both be active on ISE, right?

Thank you,

Wireless / EAP/TLS User authentication
« Last post by bhatsy on October 18, 2017, 01:36:49 PM »
Hey Guys,

I am running into an issue with user authentication with certs on Wi-Fi. When I try connecting to the WLAN using user authentication, Windows doesn't seem to find the user certificate. The machine certificate works just fine. When I open MMC and look at the personal directory in users, I see the certificate issued to my username just fine. Would there be a reason why Windows is not using the user cert in the local store? See the attachment.
Wireless / Re: wireless multi tenant (On behalf of Abraham D.)
« Last post by Administrator on September 18, 2017, 08:52:26 PM »
We do not specifically have a video on the mentioned scenario. However, you should be able to achieve it by doing the following.
1. Create an SSID per tenant
2. Point each SSID to either the same or a different ISE RADIUS server
3. In the case of the same ISE server, you can identify the connection based on SSID and make it authenticate against various AD join points
4. Once traffic is tunneled to the WLC, you can drop it into an intermediate switch and sort it into the different tenant networks.

Please keep in mind that the WLC does not support multi-tenant management.
Wireless / wireless multi tenant (On behalf of Abraham D.)
« Last post by Administrator on September 18, 2017, 08:48:14 PM »
Hello, I would like to know if you have a Cisco series on wireless multi-tenant design, where you have a multi-dept business with some areas having shared space that requires separate SSIDs along with controllers and AD. Would ISE be able to do this type of control? User data traffic needs to stay separate from the AP to the end user's own network, but the AP would be broadcasting multiple SSIDs. Thank you.
Firepower can operate without FMC, so FMC can fail and FP will continue to operate. You always upgrade FMC first, followed by the sensors. FYI, FMC takes around 1-2 hr to upgrade.
What is the impact to the live network if FireSIGHT (Defense Center) fails at the time when we upgrade it?

Kindly share the details about the risk of upgrading the Defense Center (Sourcefire) & sensors (SFR) in parallel.