Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About cpaquet
Stats
Member since
08-05-2003
55
Posts
0
Helpful
0
Solutions
Created by
cpaquet
in Policy and Access
in Policy and Access
10-07-2019
01:38 PM
10-07-2019
01:38 PM
Thank Mike for your answer. 1. The customer is not doing TrustSec (my bad for misleading you when I mentioned that under the FMC, thanks to pxGrid, we were seeing attributes from ISE. The only attribute that populates through pxGrid is Device Type, since TrustSec hasn't been turned on). 2. Blocking at the firewall would not be the solution to stop non-authenticated endpoint from leaving the Network. We need to have a way to find out : is endpoint authenticated? [another frustrating point at that customer is that the entire network endpoints (IP Phones, printers, workstations) are all on the same 10.0.0.0/16 network (don't ask me why!!!)]. Remember the requirement of my original question: A. Endpoints are all MAB, (not 1x) B. The customer is not using pre-AuthC ACLs on switchport!!! So, the moment the command authentication open is added, the traffic starts going through the port. That traffic could find its way to the edge firewall and leave for the internet. Thus, it would be nice if NGFW could query ISE with "is device authenticated". My personal opinion is that the customer needs to implement more features of 1X/MAB to fix this issue. The piece meal approach is not working here. Thanks anyway. Consider this case close.
... View more
Created by
cpaquet
in Policy and Access
in Policy and Access
10-03-2019
08:24 AM
10-03-2019
08:24 AM
FMC is integrated with ISE. In FMC Access Control Policies, we can now see, under the tab SGT/ISE Attributes, Device Type, IP Location, SGT. We are using the Device types to block some devices like printers from reaching to the Internet. However, is there a way to learn from ISE, the devices that have been successfully MABbed? Long story but: the customer setup is that they do MAB on all devices (printers, computers, etc. They don't do 1X or CWA). But on the switch port, they don't apply an Access-List pre-AuthC in. So, basically, traffic is allowed on the switch port. However, from the Edge Firewall, we would like to say that only devices that have successfully passed the MAB authentication are allowed to go out. Thanks.
... View more
Labels:
Created by
cpaquet
in Advanced Threats
in Advanced Threats
09-09-2019
08:36 AM
09-09-2019
08:36 AM
If AMP4E receives a disposition: CLEAN regarding a fingerprint sent to the cloud, will AMP4E still have that file scanned through the builtin Anti-Virus? Thanks.
... View more
Labels:
09-09-2019
08:14 AM
Thank you for your reply. My question wasn't probably clear enough. Let me rephrase it: What is the purpose of the port listed in the HTTP CONNECT Ports configuration of the Access policy? See attachment. This screenshot was created from the dCLoud Instant demo of WSA. what are the consequences of listing ports here? is it that the traffic arriving on the WSA for those ports will not be proxied? that the WSA will simply let the original session go through the WSA, without proxying that session? Thanks.
... View more
08-23-2019
09:54 AM
When ports are listed under HTTP CONNECT ports, the WSA passes the HTTP traffic without evaluating it. So: 1. What would be a good reason to have port 20/21 listed under HTTP Connect Ports? 2. If port 20/21 is listed under HTTP Connect ports, then browser-based FTP traffic wouldn't be checked against AV, AMP, etc, right? Thanks.
... View more
Labels:
08-01-2019
04:04 AM
Could you provide me examples of what would be blocked by the 'Suspect User Agent Scanning'? Exampes of Suspect User Agents? Would that be an unknown browser type, other than Chrome, MS IE, Mozilla FF, etc? Thanks.
... View more
Labels:
Created by
cpaquet
in Policy and Access
in Policy and Access
05-24-2018
02:13 PM
05-24-2018
02:13 PM
Is it possible to use EasyConnect with MAR? I couldn't get it to work.
MAR works great with 1X. Easy Connect works great wtih User authentication.
But when I create an EasyConnect AuthZ policy to check for both user and machine authentication, the session doesn't pick that rule and ends up using the Default AuthZ rule of EasyConnect.
I have attached screen captures for the 3 scenarios :
1. Works: Easy Connect checks User Authentication
2. Works: 1X checks User and Machine Authentication
3. Doesn't work: Easy Connect checks for User and Machine Authentication
Regards,
CP
... View more
Labels:
03-07-2017
09:47 AM
Andrew, glad to see that I have company in misery. Keep me posted please if you find anything.
Regards,
Cath.
... View more
03-07-2017
05:11 AM
Is there a way to see the content of the ISE MAR cache?
I know that I can look, one-by-one, to the authenticated sessions in Live Log, and see there if the session "WasMachineAuthenticated".
But what I'm looking for, is a way to see a listing of all the AD Machines currently in the MAR cache and their timeout values.
I look under Live Sessions for a filter, and I look also under reporting, but I can't find a way to see MAR cache, which is part of the Network Access Dictionnary.
Oh, and please don't mention that I should use EAP chaining with AnyConnect EAP-FAST instead of the Windows Native Supplicant with MAR. I'm aware of that option, but my question is really about how can I see the content of the current MAR cache. That's all I wish to know.
Thanks for your help.
Cath.
... View more
Labels:
Created by
cpaquet
in Advanced Threats
in Advanced Threats
08-31-2016
02:23 PM
08-31-2016
02:23 PM
By reading the FirePOWER documentation and by looking at Cisco Live slides (see uploaded slide), it seems that files are submitted for dynamic analysis by the ASA-SFR directly for dynamic analysis.
Could the files be submitted for dynamic analysis by FMC 6.0 instead of SFR?
Thanks,
Cath.
... View more
05-24-2016
03:09 PM
1. With Modular Policy Framework, what is the meaning of the drop count? See below output of a SFR policy.
2. Does it represent packets that were dropped by the ASA prior to being punted to SFR?
3. If the ASA is dropping those packet, what would be the cause? tcp normalisation? IP option inspection? congestion?
HQ-ASA# show service-policy sfr Interface inside: Service-policy: asasfr_policy Class-map: class-default SFR: card status Up, mode fail-close packet input 252138, packet output 234665, drop 21592 , reset-drop 8 Interface dmz: Service-policy: asasfr_policy Class-map: class-default SFR: card status Up, mode fail-close packet input 133754, packet output 133646, drop 4831 , reset-drop 0 HQ-ASA#
I looked at the ASA Command Reference guide,but it doesn't mention what the drop packet count represent.
Would appreciate if anyone could shed light on this counter.
Thanks.
Cath.
... View more
Labels:
Created by
cpaquet
in Other Wireless - Mobility Subjects
in Other Wireless - Mobility Subjects
09-14-2013
02:41 PM
09-14-2013
02:41 PM
With Cisco ISE, we can define time-based rules (example: if 2am, user Nancy can't connect via VPN using a non-corporate laptop). With MSE, can we have a rule: if passenger walking through an airport between 4pm and 7pm, advertise the Happy Hour special for a restaurant in the terminal but don't advertise the special if it's after 7pm? Thanks.
... View more
07-31-2013
09:19 AM
Situation: Windows native supplicant configured for "Machine or User authentication." ISE configured for MAR with cache timeout of 24 hours. Questions in Red: 1. Every morning Machine boots and successfully authenticates wiht 802.1X. Machine dACL pushed by ISE to switch for Machine session. 2. Few minutes later, UserA logs on successfully with 802.1X. UserA dACL pushed by ISE to NAD for UserA Session. UserA dACL supercede Machine dACL. 3. UserA logs off. What is happening to the UserA dACL on the switch for that session? Does the workstation supplicant tells the NAD that UserA has disconnected? Does the workstation supplicant performs a new Machine authentication so the Machine dACL will now be reapplied to the session or is the switch still stuck with UserA dACL for that session? 4. UserB logs. ISE will push UserB dACL. Thanks. Cath.
... View more
Labels:
Created by
cpaquet
in Policy and Access
in Policy and Access
07-19-2013
07:21 AM
07-19-2013
07:21 AM
Good Morning Tarik, Have you heard from TAC about an automatic purging feature for profiled device? Regards, Cath.
... View more
Created by
cpaquet
in Identity Services Engine (ISE)
10-08-2019
10-08-2019
Great explanations. Make sense. Thanks Colby.
Created by
cpaquet
in Identity Services Engine (ISE)
10-07-2019
10-07-2019
How does the reauthentication works for a MAB devices, once the intf
reaches the end of the reauth t...
Created by
cpaquet
in Identity Services Engine (ISE)
10-07-2019
10-07-2019
I saw the same issue at a customer last week, on C3850 IOS 16.09.04.The
interface has a pre-AuthC pA...
Created by
cpaquet
in Policy and Access
10-07-2019
10-07-2019
Thank Mike for your answer.1. The customer is not doing TrustSec (my bad
for misleading you when I m...
10-03-2019
FMC is integrated with ISE. In FMC Access Control Policies, we can now
see, under the tab SGT/ISE At...
09-09-2019
If AMP4E receives a disposition: CLEAN regarding a fingerprint sent to
the cloud, will AMP4E still h...
09-09-2019
Thank you for your reply. My question wasn't probably clear enough. Let
me rephrase it:What is the p...
08-23-2019
When ports are listed under HTTP CONNECT ports, the WSA passes the HTTP
traffic without evaluating i...
08-01-2019
Could you provide me examples of what would be blocked by the 'Suspect
User Agent Scanning'? Exampes...
11-02-2018
Is this right: According to the attached figure, there is no Network
Discovery performed with a rule...
Created by
cpaquet
in Identity Services Engine (ISE)
09-12-2018
09-12-2018
Question: Is there a way to have ISE block MAC addresses that are
repeatitively connecting to the gu...
Public Statistics
| Date Registered | 08-05-2003 04:26 PM |
| Date Last Visited | 10-09-2019 01:23 PM |
| Total Messages Posted | 55 |
Helpful Votes Given To
.jpg "Hall of Fame Master"){kind=icon}
