I came across a couple of issues during an ISE upgrade project I was working on recently which are not really common and you would rarely see them. These issues were, an ISE PSN got stuck at step 4 during the upgrade process, and a PAN went out of synch. This project was to upgrade a distributed ISE cube with six nodes from version 2.2 to 2.4 and all appliances were virtual.
As we know Cisco ISE does not support increasing the disk space, so if we run out of disk space, then the only option in theory would be to re-image the ISE node allocating more disk space. I said in theory because in reality you would be able to increase ISE disk space at the Linux level.
In this post I will share with you one caveat and its fix with redirect ACL with C9300 switches. In the last few months I was working on a project for a medium size customer. The main requirements were to implement Firepower IPS, dot1x, pxGrid, AnyConnect client provisioning and posture assessment for both VPN and local clients. The customer has a few sites spread across the globe, and all of them are connected through VPLS. There are different network devices that we were working on and in one of the sites we had a stack of Cisco C9300 switches. The customer has ISE deployed for identity management.
In my previous post “FMC external authentication with RADIUS” I showed you how to configure FMC access with RADIUS. In this post instead, I will show you how to configure FTD CLI access with RADIUS, we will use ISE as our RADIUS server. The configuration is very similar to what we have done in the FMC post, and the main difference will be how to bind the FMC External Authentication Object to the FTD device.
Recently I came across a command to reset Cisco C9000 switches to factory default. The command is factory-reset and it was introduced in IOS XE 16.8.1a. This command can be handy and harmful. It can be harmful if you use it without paying attention to what option you use with it.
In this post, I am going to show you how to set up FMC external authentication with RADIUS. Why we would need that?!, simply put, to have a scalable solution in our environment that will allow us to manage accesses to our FMC appliance. Even if we configure the FMC with an external authentication server, we do still have the local admin account enabled that we can use in case the external authentication server is down.
In this post, I am going to show you how to run a packet capture on Cisco Firepower Management Center (FMC). As we know, both FTD and FMC are Linux based which means we can rely on a few tools that are embedded in Linux operating system. In fact, when you log into the FMC or when you go into Expert mode on FTD, you will see that the majority of the commands you use are simply Linux commands.
In this post I am going to show you how to configure crypto keypair without configuring host name or domain name on Cisco devices. A few network admins still have some confusion about if configuring the domain name on Cisco devices is a requirement to generate a crypto keypair or not. I believe this confusion comes from the error we get when we try to create a crypto keypair on Cisco devices before we’ve configured the domain name. The error would explicitly ask us to define the domain name first to generate the crypto keypair.
What are the Snort HOME_NET and EXTERNAL_NET Variables?! To know that let’s see how Snort rules work. Snort rules rely on variables to know what traffic they should inspect and what to ignore. Each Snort rule has a header where a bunch of variables are defined such as the action to be taken, protocol, source IP, source port, destination IP and destination port. The most important two bits among these variables are the source and destination IP addresses.
In this post, I am going to show you how creating multiple admin accounts on FDM for GUI accesses can be possible by using some tools you would most likely have in your environment. First, as we know Firepower Device Management (FDM) does not support creating multiple admin accounts for FDM GUI accesses. This is a known limitation and as a result it would mean that all the admins will use the same admin account to log into the FTD. Of course this would lead to share the admin account credentials between the admins which could potentially breach our security.
