Is it possible to match upon initial authentication against an AD group to then have a different identity source used? Generally I'm only aware of it being possible to match against an AD group AFTER a user has authenticated, via an authorization policy. The use case is for VPN users, and the client wants to slowly roll out changing authentication sources (AD to MFA). I've gotten the standard method I'm aware of working, which is via matching on a different Group-Policy and/or Tunnel-Group from the ASA, but they were looking for an easier method to deploy to end users. If they can't get it to work this way, then I'll just work on modifying the AnyConnect profile to point to the new FQDN URL and call it good, but I wanted to ask this space if they had ever tried matching against an AD group during initial authentication queries. I'm thinking not, the more I think of it, as the endpoint/user hasn't been sent to the identity source which would then pull/provide those details.
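The ASA side of the "standard method" mentioned above, as an added example that is not part of the original post: two tunnel-groups, one authenticating straight against AD over LDAP and one sending RADIUS to ISE (where the MFA identity source lives), each selected by its own group-url so the only client-side change is the URL. The server IPs, DNs, object names and the vpn.example.com FQDN are assumptions.

```text
! Added example, not from the original post. Hostnames, IPs, DNs and
! object names are assumptions.
!
! Authentication source 1: existing AD via LDAP (current users)
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa,ou=service,dc=example,dc=com
 ldap-login-password <password>
 server-type microsoft
!
! Authentication source 2: ISE RADIUS; the MFA identity source is
! selected inside the ISE policy set, not on the ASA
aaa-server ISE-RADIUS protocol radius
aaa-server ISE-RADIUS (inside) host 10.0.0.20
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
!
! Legacy tunnel-group: AD only
tunnel-group VPN-AD type remote-access
tunnel-group VPN-AD general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-VPN
tunnel-group VPN-AD webvpn-attributes
 group-url https://vpn.example.com/ad enable
!
! Pilot tunnel-group: ISE (MFA) only
tunnel-group VPN-MFA type remote-access
tunnel-group VPN-MFA general-attributes
 authentication-server-group ISE-RADIUS
 default-group-policy GP-VPN
tunnel-group VPN-MFA webvpn-attributes
 group-url https://vpn.example.com/mfa enable
```

Users are migrated by changing the HostAddress in their AnyConnect profile from the /ad URL to the /mfa URL; on the ISE side the policy set for the pilot users can be selected on the tunnel-group name the ASA sends in the RADIUS request. What this does not give you is the thing asked for in the post: the ASA picks the authentication server group before any credential reaches an identity source, so an AD group lookup cannot drive that choice.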
This month we see the following vulnerability:
Bug: ISE Apache Struts CVE-2016-1000031 Vulnerability
Cisco Bug ID: CSCvn17524
This is a new bug on an old vulnerability, which is noted as impacting all of the current Cisco ISE versions. I see new patch #'s listed for 2.2, 2.4 and 2.5 - but nothing for 2.3. Is there a patch 6 coming out for ISE Version 2.3 to correct this problem?
On November 5, 2018, the Apache Struts Team released a security announcement urging an upgrade of the Commons FileUpload library to version 1.3.3 on systems using Struts 2.3.36 or earlier releases. Systems using earlier versions of this library may be exposed to attacks that could allow execution of arbitrary code or modifications of files on the system. The issue is caused by a previously reported vulnerability of the Apache Commons FileUpload library, assigned to CVE-2016-1000031.
I've already read the following as well, and see it was successfully patched:
Bug: Evaluation of positron for Struts remote code execution vulnerability August 2018
Cisco Bug ID: CSCvm14030
I see there is an add-on patch to resolve this via a .tar file which needed to be applied to ISE via an upload from a repository when ISE 2.3 has Patch 4 installed, and then in the release notes it appears this was resolved as well within Patch 5.
ISE Version: 2.1, patch 6 (soon to be patch 7)
Cisco Switch Image: c3750e-ipbasek9npe-mz.150-2.SE11/c3750e-ipbasek9npe-mz.150-2.SE11.bin
Open TAC Case: 683828357
Question: Looking for some support on apparently random dACL deployment issues with a Cisco Catalyst switch. Additional details are below.
Issue: Occasionally a domain computer will be locked out of the network and work as if it had been quarantined, and then just start working. The timeframe is hard to pinpoint; generally within a 5-60 min period. When a personal MacBook is connected (non-domain computer) you could issue the command "show ip access-list int gi1/0/25" and it would show the correct ACL (GUEST-INET-ONLY). Give it a couple of minutes and issue the same command and there would be NO ACL. Give it a few minutes and it is back and forth. We don't appear to be having a similar issue with wired endpoints connected to a Cisco 2960XR switch. It was locking down domain computers and allowing visitor computers full access. They had me delete the voice VLAN and then put it back on my interface. The non-domain computer was locked down, which makes no sense, but the domain computer still had issues.
Final thoughts: now that ISE v2.2 is defined as the safe harbor, we have considered upgrading to that; however, we want to ensure it is not a problem with just the Cisco Catalyst code on the 3750 switches.
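A set of switch-side checks for the flapping dACL described above, added here as an example and not part of the original post. The interface comes from the post; the interpretation of each command's output is the general IOS behaviour, not a finding about this case.

```text
! Added checks, not from the original post. Interface name is the one
! quoted in the post.
!
! 1. Is the session still authorized, and which dACL does the switch
!    think it holds? Note the Session timeout and Timeout action: if the
!    ACL disappears at roughly that interval, the dACL is being lost on
!    reauthentication rather than at initial authorization.
show authentication sessions interface GigabitEthernet1/0/25
!
! 2. Compare with what is actually programmed on the port
show ip access-lists interface GigabitEthernet1/0/25
!
! 3. The downloaded dACL appears as a named ACL xACSACLx-IP-<name>-<hash>;
!    if it is missing here the download itself failed, not the authorization
show ip access-lists
!
! 4. A dACL is only applied once the switch knows the host IP; with no
!    device-tracking entry the ACL is silently not applied
show ip device tracking all
!
! 5. RADIUS server health: do timeouts or dead-marks line up with the flap?
show aaa servers
!
! 6. When the window is known, capture one reauthentication round trip
debug radius authentication
```

Run steps 1 and 2 in the "working" and "broken" states a few minutes apart and compare the session timeout against the observed 5-60 minute window; the pairing of steps 3 and 4 separates a failed dACL download from an ACL that was downloaded but never bound because the host IP was not learned.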
Hello, I had a couple of questions I was hoping some in the Community could help me answer. I'm setting up a new deployment which consists of the following:
Critical Applications & Services:
- Cisco ISE 2.1
- Cisco ASA 5525, v9.5
- AnyConnect Mobility Client v4.2
- RSA SecurID Server - don't remember the version, but it is fairly updated
Need: Remote VPN session (AnyConnect 4.x) client. Wants to build 2 policies:
- SBL - validation with certificate installed, limited access to network
- Full - UserPASS (RSA token exchange); MachinePASS (certificate exchange)
I know that within Cisco ASA, I can set up an AnyConnect VPN profile to perform both a certificate as well as a RADIUS-based authentication. Basically the ASA would query and validate the certificate, and then forward a RADIUS request for user authentication - in this case to the Cisco ISE, which is then associated with the 3rd-party RSA server. What I was trying to do was to have the Cisco ISE support both certificate & RSA authentication, but feedback I've received so far seems to indicate such is not possible at this time. Such would be possible with EAP-Chaining, but EAP-Chaining is only possible for wired/wireless deployments and not with VPN deployments (AnyConnect NAM isn't supported for VPN, it appears). My questions come down to the following:
1) Are certificate & user-based authentications as described above planned in the near future to be possible on the ISE for VPN authentications?
2) Is EAP-Chaining ever planned to be available for VPN connections?
3) Does anyone have a good reference, website or suggestion where I can look and review regarding best-practice configurations for Cisco ASA, AnyConnect VPN with 2-factor authentication?
Thanks for your help.
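The ASA-side arrangement the poster says is possible (certificate validated on the ASA, user credential forwarded over RADIUS to ISE, ISE fronting RSA), as an added example that is not part of the original post. It builds the two policies described: a certificate-only tunnel-group with a restrictive vpn-filter for the SBL case, and a certificate-plus-AAA tunnel-group for full access. Server IPs, ACL contents, trustpoint and object names, and the vpn.example.com FQDN are assumptions.

```text
! Added example, not from the original post. IPs, names, the ACL and
! the FQDN are assumptions.
!
! ISE is the RADIUS server for the ASA; ISE in turn uses the RSA
! SecurID server as the identity source for the token leg
aaa-server ISE-RADIUS protocol radius
aaa-server ISE-RADIUS (inside) host 10.0.0.20
 key <shared-secret>
!
! The client certificate must chain to a CA the ASA trusts
crypto ca trustpoint ENTERPRISE-CA
 enrollment terminal
 crl configure
!
! Policy 1: SBL / pre-logon, machine certificate only, limited reach
! (ACL content is a placeholder: reach only a logon/patch server)
access-list ACL-SBL-LIMITED extended permit tcp any host 10.0.0.30 eq 443
access-list ACL-SBL-LIMITED extended deny ip any any
group-policy GP-SBL-LIMITED internal
group-policy GP-SBL-LIMITED attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value ACL-SBL-LIMITED
tunnel-group VPN-SBL type remote-access
tunnel-group VPN-SBL general-attributes
 default-group-policy GP-SBL-LIMITED
tunnel-group VPN-SBL webvpn-attributes
 authentication certificate
 group-url https://vpn.example.com/sbl enable
!
! Policy 2: full access, certificate AND RADIUS (RSA token via ISE)
group-policy GP-FULL internal
group-policy GP-FULL attributes
 vpn-tunnel-protocol ssl-client
tunnel-group VPN-FULL type remote-access
tunnel-group VPN-FULL general-attributes
 authentication-server-group ISE-RADIUS
 default-group-policy GP-FULL
tunnel-group VPN-FULL webvpn-attributes
 authentication aaa certificate
 group-url https://vpn.example.com/full enable
```

With "authentication aaa certificate" the ASA rejects the session if the certificate does not validate against its trustpoints, and only then sends the username and token code to ISE, so the two factors are checked by two different boxes. That is the limitation the poster ran into: ISE sees only the RADIUS leg and cannot itself tie the certificate and the token into a single decision for this VPN session.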