I would like to use multi-factor authentication for admin access to my switches and routers.  Currently TACACS and an ISE (2.4) are being used.  My first question is the switch commands.  Does anything in the switch or router configuration need to change to support multi-factor authentication?  I am used to enter a username and being prompted for a password.  I am assuming the ISE configuration will trigger the switch/router to prompt me (the admin) for additional info (a token).  The multi-factor solution selected (Centrify) allows for multiple methods for the second authentication:  text message, email or a phone call.   For example, when I log into a server, I get an option to select the 2nd method authentication.  I might select text message, then enter the received code.  Does a switch or router support this?   below are my aaa commands, as originally asked....do I need something else?  I will address ISE at a later point.   aaa new-model aaa authentication login default group tacacs+ local aaa authentication dot1x default group radius aaa authorization exec default group tacacs+ local aaa authorization commands 0 default group tacacs+ local aaa authorization commands 1 default group tacacs+ local aaa authorization commands 2 default group tacacs+ local aaa authorization commands 3 default group tacacs+ local aaa authorization commands 4 default group tacacs+ local aaa authorization commands 5 default group tacacs+ local aaa authorization commands 6 default group tacacs+ local aaa authorization commands 7 default group tacacs+ local aaa authorization commands 8 default group tacacs+ local aaa authorization commands 9 default group tacacs+ local aaa authorization commands 10 default group tacacs+ local aaa authorization commands 11 default group tacacs+ local aaa authorization commands 12 default group tacacs+ local aaa authorization commands 13 default group tacacs+ local aaa authorization commands 14 default group tacacs+ local aaa authorization commands 15 default group tacacs+ local aaa authorization network default group radius aaa authorization auth-proxy default group radius aaa accounting update newinfo periodic 1440 aaa accounting identity default start-stop group radius aaa accounting exec default start-stop group tacacs+ aaa accounting commands 0 default stop-only group tacacs+ aaa accounting commands 1 default stop-only group tacacs+ aaa accounting commands 2 default stop-only group tacacs+ aaa accounting commands 3 default stop-only group tacacs+ aaa accounting commands 4 default stop-only group tacacs+ aaa accounting commands 5 default stop-only group tacacs+ aaa accounting commands 6 default stop-only group tacacs+ aaa accounting commands 7 default stop-only group tacacs+ aaa accounting commands 8 default stop-only group tacacs+ aaa accounting commands 9 default stop-only group tacacs+ aaa accounting commands 10 default stop-only group tacacs+ aaa accounting commands 11 default stop-only group tacacs+ aaa accounting commands 12 default stop-only group tacacs+ aaa accounting commands 13 default stop-only group tacacs+ aaa accounting commands 14 default stop-only group tacacs+ aaa accounting commands 15 default stop-only group tacacs+ aaa accounting network default start-stop group radius aaa accounting connection default start-stop group tacacs+ aaa accounting system default start-stop group radius ... View more

I having difficulty with EIGRP route distribution.  I do NOT want static routes to be redistributed into EIGRP yet both 10.0.0.0/8 and 192.168.0.0/16 are being redistributed.    router eigrp 100  network 192.168.100.0  network 192.168.100.232 0.0.0.3  redistribute connected route-map redistro_conn  redistribute bgp 65100 metric 300000 100 255 1 1500   There are no static routes.  I want to add two static routes   10.0.0.0 255.0.0.0 null 0 254 192.168.0.0 255.255.0.0 null 0 254   When I add the above routes, my EIGRP neighbor has an external route for 10.0.0.0/8 and 192.168.0.0/16.  As a test, I added two additional routes   10.3.64.0 255.255.255.0 null 0 254 192.168.100.0 255.255.255.0 null 0 254   As expected, neither of these routes are advertised to the EIGRP neighbors.   This feels like a classful issue.  Why are the 10 and 192.168 networks redistributed?   Auto-summary is disabled.   Connected route-map ip prefix-list redistro_conn seq 5 permit 192.168.105.3/32 ip prefix-list redistro_conn seq 20 permit 192.168.100.16/30 ip prefix-list redistro_conn seq 30 permit 192.168.100.20/30 ip prefix-list redistro_conn seq 40 permit 192.168.106.0/30 ip prefix-list redistro_conn seq 50 permit 192.168.106.4/30 ip prefix-list redistro_conn seq 60 permit 192.168.106.8/30 ip prefix-list redistro_conn seq 70 permit 192.168.106.12/30 ip prefix-list redistro_conn seq 80 permit 192.168.106.16/30 ip prefix-list redistro_conn seq 90 permit 192.168.106.20/30 ip prefix-list redistro_conn seq 100 permit 192.168.106.28/30 ip prefix-list redistro_conn seq 110 permit 192.168.106.32/30 ip prefix-list redistro_conn seq 120 permit 192.168.106.36/30 ip prefix-list redistro_conn seq 130 permit 192.168.106.40/30 ip prefix-list redistro_conn seq 140 permit 192.168.106.44/30 ip prefix-list redistro_conn seq 150 permit 192.168.106.48/30 ip prefix-list redistro_conn seq 160 permit 192.168.106.52/30 ip prefix-list redistro_conn seq 170 permit 192.168.106.56/30 ... View more

I am building a dot1x configuration for my switches.  I am using the new-style (authentication display config-mode).  I have built the configuration to work correctly for MAB and dot1x authenticates successfully.  I am at the point of creating the configuration to handle the exceptions.  Currently I am focused on if the AAA server is down. So does any have any sample configurations on how to fail open when the AAA server is down?  Possibly try retry authentication after a period of time. The current configuration is below.  My (failed) attempts to included proper handling of the AAA being down are included. class-map type control subscriber match-all DOT1X_NO_RESP match method dot1x match result-type method dot1x agent-not-found class-map type control subscriber match-all MAB_FAILED match method mab match result-type method mab authoritative class-map type control subscriber match-all SERVER_DOWN match result-type aaa-timeout class-map type control subscriber match-all dot1x_FAILED_PASSWORD match method dot1x match result-type authoritative policy-map type control subscriber user_default event session-started match-all 10 class always do-until-failure 10 authenticate using dot1x priority 10 20 authenticate using mab priority 20 event authentication-failure match-first 10 class SERVER_DOWN do-until-failure 10 authorize 20 class MAB_FAILED do-until-failure 10 terminate mab 20 activate service-template null_vlan 30 authentication-restart 60 30 class always do-until-failure 10 terminate dot1x 20 terminate mab 30 activate service-template null_vlan 40 authentication-restart 60 event agent-found match-all 10 class always do-until-failure 10 terminate mab 20 authenticate using dot1x priority 10 event timer-expiry match-all 10 class SERVER_DOWN do-until-failure 10 authorize event absolute-timeout match-all 10 class SERVER_DOWN do-until-failure 10 authorize ... View more

I am testing AnyConnect's "always on" feature.  The connect failure policy is working as I expected.  I thought I would others input.  The Automatic VPN policy has been in place for sometime.  Trusted - disconnect.  Untrusted - connect   At this point, I enable Always On, Allow VPN disconnect and set the failure policy to Open.  Connection failure policies - grey out.   From Cisco documentation. http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/anyconnectadmin31/ac03vpn.html#pgfId-1205144 The fail-open policy permits network connectivity.  Regardless of the connect failure policy, AnyConnect continues to try to establish the VPN connection. From the "advantage" section of the table. Grants full network access, letting users continue to perform tasks where access to the Internet or other local network resources are needed.   I successfully disconnected and canceled my VPN session.  I expected to be able to continue browsing the internet.  I was not.  I also expected AnyConnect to prompt me again for a username/passwd (from AnyConnect continues to try to establish the VPN connection - above).   What am I missing? ... View more

I have a 2951 routers with 3 T1's connected to controller cards/serial interfaces.  How does the router determine which serial interface to use?   ... View more

TCP Window Size and Network Bandwidth   I am learning TCP window size and the impact window size has on data transfer and bandwidth.  I have captured traffic between my field office server (over WAN) to a HQ backup server.  I have noticed that some offices do not consume all available bandwidth (1, 2 or 3 T1's at each office).  I captured traffic to investigate.  I selected a series of 4 packets for analysis. First packet (of the series) - HQ server to field office server – this packet is acknowledging the previous set of data and (I assume) is setting the stage for the next set of data (using window size). Window size value = 1129 Window size scaling factor is 128 Calculated window size is 144,512   Next 3 packets – field office server to HQ server (the packet represent the data this being backed up).  For these packets, I don’t believe window size is relevant.  Instead the bytes in flight are important.  Each of the 3 packets has a length of 1380.  The bytes in flight increments by 1380 for each packet (1380, 2760 and 4140). Next packet is from HQ server to field office server.  This packet acknowledges the previous set.  The cycle begins again.   Should the field server send more data between acknowledgements?  Instead of 3 packets, I was thinking more like 13 packets (1380x13=17,940bytes * 8 bits = 143,520 which is pretty close to 144,512). Am I missing something?   ... View more

I am moving a network from a n7k to an ASA.  With the network on the ASA, the clients on the local subnet are not getting IP addresses from the DHCP server.   Years ago, I moved the network a 6500 to the N7k.  I recall adding "ip dhcp relay subnet-broadcast" to the n7k SVI to make DHCP to work.  I am now trying to move the network from the n7k to the ASA. On the ASA... interface net995  description netmotion  nameif net995  security-level 70  ip address 172.18.0.1 255.255.0.0 standby 172.18.0.2 dhcprelay server 192.168.200.14 outside dhcprelay server 192.168.200.15 outside dhcprelay enable net995   Other networks needing DHCP are working correctly.  I can't help but feel the ASA is missing something similar to the n7k from years ago.   ... View more

I am opening this post OS upgrade for my Nexus 5k devices.  The upgrade completed successfully but I am not comfortable with events during the upgrade. I have a pair of 5596 with 17 fex connected to both 5596.  Prior to issuing the “install all” command, I set up an extended ping to both 5596.  I begin the upgrade with the primary vPC device.  After the initial check, I answered “yes” to begin the disruptive upgrade.  After answering “yes”, both 5596 stopped responding to ping.  After 10 minutes, the other 5596 (not install all) began responding to ping.  I connected to the device and began monitoring vPC and fex status.  After another 5 to 10 minutes passed, the original 5596 (install all) begin responding to ping.  I was now connected to both 5596.  I monitored the status of the fex for the next hour.   The status for each fex varied between online, offline, connected, downloading, and AA mismatch.  After waiting an hour and without any apparent progress in the upgrade of the fex, I decided to “install all” the 2 nd 5596.  Again, 10 minutes of no ping response for each 5596 before the original 5596 (the first install all) began responding.  Another 5 to 10 and the 2 nd 5596 (second install all) began responding to ping.  At this point, I connected to both 5596.  I monitored the fex status.  Within 20 to 30 minutes all 17 fex had come “online” for both 5596. In addition to loss of ping, I also experienced significate loss of server resources.  Services connected to the 5596 and n2k were not available.   Is what I experienced normal?   What I was expecting… Install all the first 5596 Loss of ping during upgrade of 5596 (about 10 minutes) Once 5596 is up Each fex upgrades sequentially No network outage.  90+% of my infrastructure is dual connected. During the fex upgrade, I expect to see. Upgraded 5596 – shows each fex downloading then “online”. The not yet upgraded 5596 – shows each fex as AA mismatch Once all fex have stabilized Assuming 30 minutes but I don’t know how long it takes the fex to upgrade (17 total). Upgrade the second 5596 No network impact Expect loss of ping to the upgrading 5596 ... View more

I am getting started with AnyConnect and profiles.  I have multiple profiles on my laptop.  Is there a way to prioritize the profiles on my laptop?  Of my 3 profiles, one is the more or less the default.  This default profile will automatic connect on untrusted networks.  The other 2 profiles will rarely be used.  I am finding that when I disconnect from one of the less used profiles, the auto connect from the "default" profile is not active. ... View more