Cisco - yar145/mytestrepo1 GitHub Wiki

macsec

Introduction to WAN MACsec

How to Configure WAN MACsec and MKA Support Enhancements Configuring MKA

ECMP load-balancing

How to ECMP load-balancing for CISCO? (ECMP Hashing)

Load Splitting IP Multicast Traffic over ECMP

ip cef load-sharing algorithm include-ports source destination

router bgp 64516
 address-family ipv4
  maximum-paths 6

PKI, Certificates, rsa-sig

Setting Up Cisco IOS Router as CA Server

Cisco IOS XE Certificates Install/Regeneration

Chapter: Configuring Certificate Enrollment for a PKI

DMVPN with PKI as the authentication method

Configuring IOS CA Server on Internet_CAServer

NOTE: Cisco recommends configuring a loopback interface as the NTP source through which the NTP packets are sent, but I didn't configure it for simplicity. Also, use NTP authentication for a real-world deployment.

clock timezone GMT 0

ntp master

!

ip domain-name juantron.com

crypto key generate rsa general-keys modulus 2048 label CA-Key exportable

!

ip http server

!

crypto pki trustpoint CA-Server

revocation-check crl

rsakeypair CA-Key

!

crypto pki server CA-Server

database url nvram:

database level complete

issuer-name C=sp,L=juantrontown,O=juantronCo,OU=x.509 certs,CN=juantron.com VPN

hash sha1

lifetime crl 1

lifetime certificate 730

lifetime ca-certificate 1825

grant auto

no shut

% Please enter a passphrase to protect the private key

% or type Return to exit

Password: juantron

Re-enter password: juantron

% Exporting Certificate Server signing certificate and keys...

% Certificate Server enabled.

Internet_CAServer#show crypto pki server

Configuring certificate enrollment on Hub and Spokes

If you wish, see my earlier article first: PKI - CA Server and Client enrollment using Cisco Routers

Configuring certificate enrollment on R1_Hub

clock timezone GMT 0

ntp server 15.0.0.2

!

ip domain-name juantron.com

crypto key generate rsa general-keys modulus 2048 label VPN-client exportable

!Add this command to use PKI instead of a preshared key as the authentication:

crypto isakmp policy 5

authentication rsa-sig

group 5

encryption aes 256

!Use show run all to see the authentication rsa-sig line; it is the Cisco default.

crypto isakmp key cisco123 address 0.0.0.0

!

crypto ipsec transform-set OURSET esp-aes 256 esp-sha-hmac

mode transport

!

crypto ipsec profile OUR_IPSEC_PROFILE

set transform-set OURSET

!

interface tunnel 0

tunnel protection ipsec profile OUR_IPSEC_PROFILE

!

crypto pki trustpoint CA-Server

enrollment url http://15.0.0.2

revocation-check crl

fqdn R1_Hub.juantron.com

subject-name CN=R1_Hub,OU=X.509,O=juantronCo,C=sp

rsakeypair VPN-client

EASYVPN

Easy VPN Configuration Guide, Cisco IOS Release 15M&T

Routing

EIGRP Introduction and Overview

Types of EIGRP Packet in Computer Network

BGP Session Types: iBGP vs eBGP

WIRELESS

AIR-CT5500-AP_BUNDLE-K9-8-5-182-0.aes

Index of /PUB/Cisco/Wireless

AIR-CT5500-K9-8-5-182-0.aes

Cisco Wireless LAN Controller 5508 Configuration Lab

Understand how AireOS WLCs Handle DHCP Protocol

DHCP Proxy Vs. DHCP Bridging (Cisco Wireless LAN Controllers)

Local switching or central switching on the WLAN: if you are using local switching, it doesn't matter whether the WLC is a proxy or not. The DHCP request sent from the client will be flooded locally on the Site A and B network, and the WLC will not care about it.

Now, if you are using central switching, the DHCP request sent by the client will reach the WLC through the CAPWAP tunnel. In this case, if DHCP proxy is enabled, you should have the DHCP server IP address configured under the WLC dynamic interface. This way the WLC knows where to ask for an IP address for any specific client.

DHCP Proxy vs DHCP Bridging

The wireless client sends a broadcast DHCP request. With DHCP bridging, the WLC only forwards it from the AP to the VLAN corresponding to the SSID. With DHCP proxy, the broadcast is converted into a unicast and sent to the server directly (like a DHCP relay).

Configure internal DHCP server on the WLC

High Availability (SSO) Deployment Guide

WLC 5508 - Replace Primary Unit in HA Pair

How to Configure HA on Cisco WLC using GUI

Cisco Wireless Controller Configuration Guide, Release 8.5

Cisco WLC or AP device certificate expired - what you can do

Lightweight AP - Fail to create CAPWAP/LWAPP connection due to certificate expiration

WLC 5508 Failure to upgrade code

Troubleshoot Certificate Installation on WLC

[Tutorial] Upgrading the firmware on a Cisco 5508 Wireless LAN Controller

How do I install a certificate onto Cisco WLAN Controller (WLC)?

ISE

Cisco ISE: Wired 802.1X Deployment in Monitor Mode

ISE ERS API Examples

Perform Password Recovery for ISE Command Line Interface (CLI)

Cisco ISE Machine Authentication

CISCO ISE Machine authentication

CISCO ISE Machine authentication

Machine/computer Authentication in ISE

Cisco ISE – Basic 802.1X Policy Set w/ AD Group Based Authorization

IEEE 802.1X

Machine Access Restriction Pros and Cons

ISE MAB Configuration

Cisco ISE – Basic 802.1X Policy Set w/ AD Group Based Authorization

supplicant

sc config dot3svc start= demand

MAC Authentication Bypass

The second option for MAB is using EAP-MD5 authentication. The password (MAC address) is encrypted, but from a security perspective it doesn't improve anything.

interface FastEthernet1/0/2
 mab eap

You should remember that the device now has to be in the 'hosts' database with username and password = MAC address. Be careful with the password because it is case sensitive!

ISE 2.7 Radius suppression and CTS

Configuring Cisco ISE MAB Policy Sets

Cisco ISE: Wired 802.1X Deployment in Monitor Mode

EAP-TEAP

TEAP for Windows 10 using Group Policy and ISE TEAP Configuration

802.1x supplicant

Configuring 802.1x Authentication for Windows Deployment

Configuring 802.1x Authentication for Windows Deployment – Part 1 – Building an 802.1x Computer Authentication Script

Using TEAP for more secure 802.1X authentication

Cisco ISE Wired 802.1X with EAP-TEAP (EAP-Chaining)

Cisco ISE Tips, Tricks, and Lessons Learned

Cisco ISE Wired 802.1X with EAP-TEAP (EAP-Chaining)

windows, certificates

Local Machine certificate (certlm.msc) - choosing "Microsoft Software Key Storage Provider" on import

Certutil -store My

certutil cheat sheet. More details: https://www.securitylab.ru/blog/personal/reply-to-all/155909.php?R=1

certutil -viewstore My

  1. View my certificates: certutil -store -user my > my.txt
  2. Export to PFX (PKCS#12): certutil -p test -user -exportPFX 0123456788e8cb1a18e cert.pfx (the parameters are the certificate serial number and the password, given with -p)
  3. Import: certutil -p test -user -importpfx cert.pfx

More details: https://www.securitylab.ru/blog/personal/reply-to-all/155909.php?R=1

Create and assign SCEP certificate profiles in Intune

dot1x port configuration

dot1x / mab priority and order

order: mab dot1x

priority: dot1x mab

This made sense in our environment, as we wanted to accommodate MAB devices quickly and not make them wait for the dot1x timeout. Using the priority allows dot1x to overrule the MAB process if it sees EAPoL traffic. This also assists with quick connection time for dot1x nodes.

The issue we faced was that dot1x supplicants could not re-authenticate properly and send EAPoL packets to restart the dot1x process. This occurred on Windows, Mac, native as well as AnyConnect supplicants. The only way we found at the time to resolve it was to either change the order to dot1x mab OR turn off re-auth.

We just recently modified one of our AuthZ profiles to use the Cisco av-pair termination-action-modifier=1.

This has ISE instruct the switch to re-use the last successful method, whether it was dot1x or mab, for that session.

CA

ISE Digital Certificate Administration

OCSP

How to check the certificate revocation status

The URI of the OCSP server can be retrieved from the client's certificate with the following command:

openssl x509 -in cert.crt -noout -ocsp_uri

Profiling

ISE Profiling Design Guide

ODBC

Manage Users and External Identity Sources

Simplified Access Policy using ODBC & ISE DB (Custom Attribute) for Large Scale Campus Network

Configure ISE 2.2 for integration with MySQL server

Cisco Identity Services Engine Administrator Guide, Release 3.2

CREATE TABLE users (
  user_id int(10) unsigned NOT NULL AUTO_INCREMENT,
  username varchar(50) NOT NULL,
  password varchar(50) NOT NULL,
  PRIMARY KEY (user_id),
  UNIQUE KEY username_UNIQUE (username)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

INSERT INTO users (user_id, username, password) VALUES (1, "hp-win11", "");
INSERT INTO users (user_id, username, password) VALUES (2, "hp-guest1", "");

-- GROUPS is a reserved word from MySQL 8.0.2 on; quote the table name as `groups` there.
CREATE TABLE groups (
  group_id int(10) unsigned NOT NULL AUTO_INCREMENT,
  groupname varchar(50) NOT NULL,
  PRIMARY KEY (group_id),
  UNIQUE KEY groupname_UNIQUE (groupname)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

INSERT INTO groups (group_id, groupname) VALUES (1, "corp_group");

CREATE TABLE user_group (
  user_id int(10) unsigned NOT NULL,
  group_id int(10) unsigned NOT NULL,
  PRIMARY KEY (user_id, group_id),
  KEY group_id (group_id),
  CONSTRAINT user_group_ibfk_1 FOREIGN KEY (user_id) REFERENCES users (user_id) ON DELETE CASCADE,
  CONSTRAINT user_group_ibfk_2 FOREIGN KEY (group_id) REFERENCES groups (group_id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

INSERT INTO user_group (user_id, group_id) VALUES (1, 1);
-- group_id 2 must already exist in groups (only group 1 is inserted above);
-- otherwise foreign key user_group_ibfk_2 rejects this row.
INSERT INTO user_group (user_id, group_id) VALUES (2, 2);

attrib:

CREATE TABLE user_attributes (
  user_id int(10) unsigned NOT NULL,
  attribute_name varchar(50) NOT NULL,
  attribute_value varchar(50) NOT NULL,
  -- the key must include attribute_name: with PRIMARY KEY (user_id) alone the
  -- second attribute row for the same user fails with a duplicate-key error
  PRIMARY KEY (user_id, attribute_name),
  CONSTRAINT user_attr_ibfk_1 FOREIGN KEY (user_id) REFERENCES users (user_id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

INSERT INTO user_attributes (user_id, attribute_name, attribute_value) VALUES (1, "complianed", "yes");
INSERT INTO user_attributes (user_id, attribute_name, attribute_value) VALUES (1, "employee", "yes");
INSERT INTO user_attributes (user_id, attribute_name, attribute_value) VALUES (2, "complianed", "yes");
INSERT INTO user_attributes (user_id, attribute_name, attribute_value) VALUES (2, "employee", "no");

attrib (stored procedure; MySQL version first, then the T-SQL equivalent for SQL Server):

DELIMITER //
CREATE DEFINER=root@localhost PROCEDURE ISEAttrs(username varchar(64), OUT result INT)
BEGIN
  -- unqualified "username" is the procedure parameter, users.username the column
  IF EXISTS (SELECT * FROM users WHERE users.username = username) THEN
    SET result = 0;
    SELECT attribute_name, attribute_value
      FROM user_attributes
      INNER JOIN users ON users.user_id = user_attributes.user_id
      WHERE users.username = username;
  ELSE
    SET result = 1;
  END IF;
END //
DELIMITER ;

-- SQL Server variant; note it expects the user table to be named ISE_Users
CREATE PROCEDURE [dbo].[ISEAttrsRetrieval]
  @username varchar(255),
  @result int OUTPUT
AS
BEGIN
  IF EXISTS (SELECT * FROM ISE_Users WHERE username = @username)
  BEGIN
    SET @result = 0
    SELECT attribute_name, attribute_value
      FROM user_attributes
      WHERE USER_ID IN (SELECT USER_ID FROM ISE_Users WHERE username = @username)
  END
  ELSE
    SET @result = 1
END

lookup:

DELIMITER //
CREATE DEFINER=root@localhost PROCEDURE ISEUserLookupReturnsRecordset(username varchar(64))
BEGIN
  IF EXISTS (SELECT * FROM users WHERE users.username = username) THEN
    -- recordset columns: result code, group, account info, error string
    SELECT 0, 11, 'This is a very good user, give him all access', 'no error';
  ELSE
    SELECT 3, 0, 'odbc', 'ODBC Authen Error';
  END IF;
END //
DELIMITER ;

DELIMITER //
CREATE DEFINER=root@localhost PROCEDURE ISEGroups(username varchar(64), OUT result INT)
BEGIN
  CASE username
    WHEN '*' THEN
      -- the '*' wildcard returns every group name (used when ISE fetches the group list)
      SELECT DISTINCT groupname FROM groups;
    ELSE
      SELECT groupname
        FROM user_group
        INNER JOIN users ON users.user_id = user_group.user_id
        INNER JOIN groups ON groups.group_id = user_group.group_id
        WHERE users.username = username;
  END CASE;
  SET result = 0;
END //
DELIMITER ;
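The three procedures above, reproduced as plain functions over an in-memory SQLite copy of the schema so the lookup, attribute and group contract can be exercised offline (an added example, not the page's or Cisco's code; ISE itself calls the stored procedures over ODBC). The second group guest_group and the SQLite column types are assumptions; the return shapes follow the page's procedures.

```python
import sqlite3

# Constructed in-memory copy of the page's ODBC schema: user_attributes is keyed on
# (user_id, attribute_name) and guest_group is an assumed second group (see lead-in).
SCHEMA = """
CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE, password TEXT NOT NULL);
CREATE TABLE groups (group_id INTEGER PRIMARY KEY, groupname TEXT NOT NULL UNIQUE);
CREATE TABLE user_group (user_id INTEGER REFERENCES users ON DELETE CASCADE,
  group_id INTEGER REFERENCES groups ON DELETE CASCADE, PRIMARY KEY (user_id, group_id));
CREATE TABLE user_attributes (user_id INTEGER REFERENCES users ON DELETE CASCADE,
  attribute_name TEXT NOT NULL, attribute_value TEXT NOT NULL,
  PRIMARY KEY (user_id, attribute_name));
INSERT INTO users VALUES (1, 'hp-win11', ''), (2, 'hp-guest1', '');
INSERT INTO groups VALUES (1, 'corp_group'), (2, 'guest_group');
INSERT INTO user_group VALUES (1, 1), (2, 2);
INSERT INTO user_attributes VALUES (1, 'complianed', 'yes'), (1, 'employee', 'yes'),
  (2, 'complianed', 'yes'), (2, 'employee', 'no');
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # enforce the constraints the way InnoDB does
    db.executescript(SCHEMA)
    return db

def user_lookup(db, username):
    """ISEUserLookupReturnsRecordset: one row (result, group, account info, error text)."""
    if db.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone():
        return (0, 11, "This is a very good user, give him all access", "no error")
    return (3, 0, "odbc", "ODBC Authen Error")

def user_attributes(db, username):
    """ISEAttrs: OUT result 0 with (name, value) rows, or result 1 for an unknown user."""
    if not db.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone():
        return 1, []
    rows = db.execute(
        "SELECT attribute_name, attribute_value FROM user_attributes "
        "INNER JOIN users ON users.user_id = user_attributes.user_id "
        "WHERE users.username = ? ORDER BY attribute_name", (username,)).fetchall()
    return 0, rows

def user_groups(db, username):
    """ISEGroups: '*' returns every group name (ISE's group fetch), else the user's groups."""
    if username == "*":
        return [r[0] for r in db.execute("SELECT DISTINCT groupname FROM groups ORDER BY 1")]
    return [r[0] for r in db.execute(
        "SELECT groupname FROM user_group "
        "INNER JOIN users ON users.user_id = user_group.user_id "
        "INNER JOIN groups ON groups.group_id = user_group.group_id "
        "WHERE users.username = ?", (username,))]
```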