The Cisco Firepower can be managed with two different solutions: Firepower Device Manager (FDM)Firepower Management Center (FMC) FDM lets you configure the basic features of the software that are most commonly used for small networks. It is especially designed for networks that include a single device or just a few, where...

On October 1, 2018, Cisco announced the completion of its acquisition of Duo Security, a privately-held, unified access security and multi-factor authentication company headquartered in Ann Arbor. What is DUO? Cisco Duo allows secure connections to applications (on premises or in the cloud). Using multi-factor authentication (MFA) and contextual user...

Few days ago, Cisco Psirt published twelve Cisco ASA and FTD vulnerabilities with "high" score. Eight of them can cause denial of service, while three can bypass authentication. Below the details of the bypass authentication vulnerabilities (CVE-2020-3125 - CVE-2020-3187 - CVE-2020-3259). Researchers at Silverfort discovered (CVE-2020-3125) that an attacker who could hijack network...

In the article "How to configure PassiveID in Cisco ISE", I explained how PassiveID gathers information from the Microsoft Active Directory environment allowing user-to-IP mapping information with or without having 802.1X deployed. But how this data is sent to Cisco Firepower? Using pxGrid, a protocol that is now IETF-approved standard described in RFC 8600...

In the previous article, I illustrated what are the dot1x and the benefits related to it. Just to remember that 802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. In this post I explain how to configure dot1x in a switch (authenticator) with the best practice suggested by Cisco engineers.

The Cisco ISE Passive Identity Connector aka Cisco ISE-PIC is a software designed to gather authentication data (user-ip mapping) from numerous sources (active directory, Syslog, SPAN, ...) and distribute it to its subscribers. It is a subset of the functionality compared to the Cisco ISE; in fact, ISE-PIC does not authenticate users directly like...

Starting from ISE 2.2, PassiveID is a feature to gather user-to-IP mapping information with or without having 802.1X deployed. PassiveID gathers information from the Microsoft Active Directory environment using the Microsoft Windows Management Interface or the Active Directory agent, or through a switched port analyzer (SPAN) port on a switch. It can also gather...

IEEE 802.1X is an IEEE Standard for port-based Network Access Control to prevent unauthorized devices from gaining access to the network. It defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802, known as "EAP over LAN" or EAPOL. 802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server.