An overview of Cisco DUO

On October 1, 2018, Cisco announced the completion of its acquisition of Duo Security, a privately-held, unified access security and multi-factor authentication company headquartered in Ann Arbor. What is DUO? Cisco Duo allows secure connections to applications (on premises or in the cloud). Using multi-factor authentication (MFA) and contextual user...

12 high-severity bugs in ASA and Firepower

A few days ago, Cisco PSIRT published twelve Cisco ASA and FTD vulnerabilities with a "high" score. Eight of them can cause denial of service, while three can bypass authentication. Below are the details of the authentication bypass vulnerabilities (CVE-2020-3125 - CVE-2020-3187 - CVE-2020-3259). Researchers at Silverfort discovered (CVE-2020-3125) that an attacker who could hijack network...

Cisco FMC user control with ISE-PIC

In the article "How to configure PassiveID in Cisco ISE", I explained how PassiveID gathers information from the Microsoft Active Directory environment, providing user-to-IP mapping information with or without having 802.1X deployed. But how is this data sent to Cisco Firepower? Using pxGrid, a protocol that is now an IETF-approved standard described in RFC 8600...

802.1X Deployment Guide: Global configuration

In the previous article, I illustrated what dot1x is and the benefits related to it. Just to recall, 802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. In this post I explain how to configure dot1x on a switch (authenticator) following the best practices suggested by Cisco engineers.

An overview of Cisco ISE-PIC

The Cisco ISE Passive Identity Connector, aka Cisco ISE-PIC, is software designed to gather authentication data (user-to-IP mapping) from numerous sources (Active Directory, Syslog, SPAN, ...) and distribute it to its subscribers. It provides a subset of the functionality of Cisco ISE; in fact, ISE-PIC does not authenticate users directly like...

How to configure PassiveID in Cisco ISE

Starting from ISE 2.2, PassiveID is a feature to gather user-to-IP mapping information with or without having 802.1X deployed. PassiveID gathers information from the Microsoft Active Directory environment using the Microsoft Windows Management Interface or the Active Directory agent, or through a switched port analyzer (SPAN) port on a switch. It can also gather...

802.1x: Introduction and general principles

IEEE 802.1X is an IEEE Standard for port-based Network Access Control to prevent unauthorized devices from gaining access to the network. It defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802, known as "EAP over LAN" or EAPOL. 802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server.

How to set up RAID on a Cisco ISE appliance

Recently, I installed an ISE 2.6 cluster based on two SNS3615 appliances. After some months, the customer asked me to make each hard disk redundant with RAID1. To accomplish this request, it is mandatory to access the CIMC interface (if you don't know what CIMC is, read this article). First of...