Informazioni personali

Cerca nel blog

Translate

martedì 27 marzo 2012

ISE basic installation and configuration. Part 2

Image via CrunchBase

When something can go wrong it will, at the end our friend Murphy was right. So I passed the day to to solve a weird problem, and I have to thanks a couple of colleagues of mine that were able to sort out what was wrong.

By the way at the end I survived the effort and after a whole day of troubleshooting I just reinstalled the appliance from scratch Sorriso and everything worked.

The Web Interface

 

Now we can go on and see what we can do.

open a supported browser and go to:

http://<IP address or host name>/admin/

once we have installed the appliance we can finally log I to the web interface that looks like this:

image

enter the credentials you have created to login.

the interface is quite clean and clear:

image

with a dashboard reporting the main index and with menu on the top that refers to the various function and operations you can perform on ISE.

image

 

on the right upper part there is the Task Navigator that show some standard “wizard style” task to perform.

image

 

Task Navigators do not retain information about the tasks you have completed. It is a visual
guide that takes you directly to the user interface screens where you perform its related tasks.

the tasks are:

• Setup—Perform the first part of the Cisco ISE setup process.
• Profiling—Profile endpoints.
• Basic User Authorization—Establish basic user authorization.
Client Provisioning and Posture—Configure client provisioning and posture.
• Basic Guest Authorization—Establish basic guest authorization.
• Advanced User Authorization—Establish user authorization, along with client provisioning and posture.
• Advanced Guest Authorization—Establish guest authorization, along with client provisioning and posture.

ok it’s late and my arm hurts like hell so I will continue in the next post Sorriso

ISE basic installation and configuration. Part 2

Image via CrunchBase

When something can go wrong it will, at the end our friend Murphy was right. So I passed the day to to solve a weird problem, and I have to thanks a couple of colleagues of mine that were able to sort out what was wrong.

By the way at the end I survived the effort and after a whole day of troubleshooting I just reinstalled the appliance from scratch Sorriso and everything worked.

The Web Interface

 

Now we can go on and see what we can do.

open a supported browser and go to:

http://<IP address or host name>/admin/

once we have installed the appliance we can finally log I to the web interface that looks like this:

image

enter the credentials you have created to login.

the interface is quite clean and clear:

image

with a dashboard reporting the main index and with menu on the top that refers to the various function and operations you can perform on ISE.

image

 

on the right upper part there is the Task Navigator that show some standard “wizard style” task to perform.

image

 

Task Navigators do not retain information about the tasks you have completed. It is a visual
guide that takes you directly to the user interface screens where you perform its related tasks.

the tasks are:

• Setup—Perform the first part of the Cisco ISE setup process.
• Profiling—Profile endpoints.
• Basic User Authorization—Establish basic user authorization.
Client Provisioning and Posture—Configure client provisioning and posture.
• Basic Guest Authorization—Establish basic guest authorization.
• Advanced User Authorization—Establish user authorization, along with client provisioning and posture.
• Advanced Guest Authorization—Establish guest authorization, along with client provisioning and posture.

ok it’s late and my arm hurts like hell so I will continue in the next post Sorriso

lunedì 26 marzo 2012

ISE basic installation and configuration. Part 1

Ok since I have to do some activity on ISE I think would be nice to write a little journal that can be also used as a quick guideline.

ISE is the acronym for Identity Service Engine, an identity policy manager released by cisco, now in version 1.1 available also on cisco cco website.

It comes in different format, as appliances or as virtual machine on VMware, as well as as upgrade to other cisco engine.

I will not look at the other release I will play a bit with the appliance.

The Software Upgrade

First of all I have had to upgrade it to the latest release (1.1)

to do so you need an mastered ISO image of the software to put inside the ISE DVD reader. as simple as at, turn on the appliance and let the fun begin.

to connect to the appliance you have to use a serial connection (usual 8N1), of course since the serial port is not more available on most of our laptop (nor in mine) you will need an use-serial adapter.

Second advise, if you have a standard cisco serial cable you also need an adapter since the serial interface on ISE is the standard 9 pin interface.

so take a look at the front of the appliance:

image

here you can find:

1 Front USB port 1

2 Front USB port 2

3 Hard disk drive (HDD) bay 0

4 HDD bay 1

    5 CD-ROM/DVD drive

It should not be hard for you to find the dvd bay where put the mastered dvd isn’t it?

Talking about led references is not the issue here but yes there are also some led blinking Occhiolino

On the rear panel we find:

image

1 AC Power supply cable socket

2 NIC 3 (eth2) add-on card

3 NIC 4 (eth3) add-on card

4 Serial port

5 Video port

6 NIC 2 (eth1) Gigabit Ethernet interface

7 NIC 1 (eth0) Gigabit Ethernet interface

8 Rear USB port 4

9 Rear USB port 3

so I used my serial connection and putty instead of monitor and keyboard, just because it would be easier Sorriso.

After you installed the correct release the system will shut down and turn on again, please remember to remove the dvd otherwise you will start again the cycle of installation.

NOTE: I made a scratch installation of the appliance, and not the upgrade one. if you have an ISE with rules and other stuffs on would be better to run the upgrade iso dvd also available on cisco CCO website.

The First installation:

Now we can run the CLI wizard in order to make the first installation:

the data required will be

Hostname Must be not exceed 19 characters. Valid characters include
alphanumeric (A-Z, a-z, 0-9), hyphen (-), with a requirement that the
first character must be an alphabetic character.

(eth0) Ethernet interface address Must be a valid IPv4 address for the Gigabit Ethernet 0 (eth0) interface.

Netmask Must be a valid IPv4 netmask.

Default gateway Must be a valid IPv4 address for the default gateway.

DNS domain name Cannot be an IP address. Valid characters include ASCII characters,
any numbers, hyphen (-), and period (.).

Primary name server Must be a valid IPv4 address for the primary name server.

Add/Edit another name server Must be a valid IPv4 address for an additional name server. (Optional) Allows you to configure multiple Name servers. To do so, enter y to continue.

Primary NTP server Must be a valid IPv4 address or hostname of an NTP server. (example:clock.nist.gov)

Add/Edit another NTP server Must be a valid NTP domain. (Optional) Allows you to configure multiple NTP servers. To do so, enter y to continue.

System Time Zone Must be a valid time zone. For details, see Cisco Identity Services
Engine CLI Reference Guide, Release 1.0.4, which provides a list of time zones that Cisco ISE supports. You can run the show timezones command from the Cisco ISE CLI for a complete list of supported time zones.

Note: Changing the time zone on a Cisco ISE appliance after installation causes the Cisco ISE application on that node to be unusable. For details about the impact of changing time zones, see “clock time zone” in Appendix A in the Cisco Identity Services Engine CLI Reference Guide, Release 1.0.4.

Username Identifies the administrative username used for CLI access to the Cisco ISE system. If you choose not to use the default (admin), you must create a new username. The username must be from 3 to 8 characters in length, and be composed of valid alphanumeric
characters (A-Z, a-z, or 0-9).

Password Identifies the administrative password that is used for CLI access to the Cisco ISE system. You must create this password (there is no default). The password must be a minimum of six characters in length and include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9).

Database Administrator Password Identifies the Cisco ISE database system-level password. You must create this password (there is no default). The password must be a minimum of 11 characters in length and must include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9). The allowed list of characters also include underscore (_) and pound (#) keys.

Note: All nodes in a distributed environment require the same password, so you must be sure to configure all of them by using the same entry. After you configure this password, Cisco ISE uses it “internally”; that is, you do not have to enter it when logging into the system.

Database User Password Identifies the Cisco ISE database access-level password. You must create this password (there is no default). The password must be a minimum of 11 characters in length and must include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9). The allowed list of characters also includes underscore (_) and pound (#) keys.

Note: All nodes in a distributed environment require the same password, so you must be sure to configure all of them using the same entry. After you configure this password, Cisco ISE
uses it “internally”; that is, you do not have to enter it when logging into the system.

 

The wizard will perform the required operations creating the database and the needed object. Some reboot are needed so be patient.

At the end you should be able to see something like a prompt requiring your username and password.

I use always user admin (lazy one Angelo) . just to check if everything goes smoothly check ISE status with:

ise-server/admin# show application status ise

you should see something like:

ISE Database listener is running, PID: 4845
ISE Database is running, number of processes: 27
ISE Application Server is running, PID: 6344
ISE M&T Session Database is running, PID: 4502
ISE M&T Log Collector is running, PID: 6652
ISE M&T Log Processor is running, PID: 6738
ISE M&T Alert Process is running, PID: 6542
ise-server/admin#

next post will cover the User interface and go through the rest of the installation process…

NOTE: do not forget that for the installation you need a (better if) gigabit switch port (no trunk or whatsoever) and an IP able to access the internet and reach dns and ntp otherwise you will fail the installation

ISE basic installation and configuration. Part 1

Ok since I have to do some activity on ISE I think would be nice to write a little journal that can be also used as a quick guideline.

ISE is the acronym for Identity Service Engine, an identity policy manager released by cisco, now in version 1.1 available also on cisco cco website.

It comes in different format, as appliances or as virtual machine on VMware, as well as as upgrade to other cisco engine.

I will not look at the other release I will play a bit with the appliance.

The Software Upgrade

First of all I have had to upgrade it to the latest release (1.1)

to do so you need an mastered ISO image of the software to put inside the ISE DVD reader. as simple as at, turn on the appliance and let the fun begin.

to connect to the appliance you have to use a serial connection (usual 8N1), of course since the serial port is not more available on most of our laptop (nor in mine) you will need an use-serial adapter.

Second advise, if you have a standard cisco serial cable you also need an adapter since the serial interface on ISE is the standard 9 pin interface.

so take a look at the front of the appliance:

image

here you can find:

1 Front USB port 1

2 Front USB port 2

3 Hard disk drive (HDD) bay 0

4 HDD bay 1

    5 CD-ROM/DVD drive

It should not be hard for you to find the dvd bay where put the mastered dvd isn’t it?

Talking about led references is not the issue here but yes there are also some led blinking Occhiolino

On the rear panel we find:

image

1 AC Power supply cable socket

2 NIC 3 (eth2) add-on card

3 NIC 4 (eth3) add-on card

4 Serial port

5 Video port

6 NIC 2 (eth1) Gigabit Ethernet interface

7 NIC 1 (eth0) Gigabit Ethernet interface

8 Rear USB port 4

9 Rear USB port 3

so I used my serial connection and putty instead of monitor and keyboard, just because it would be easier Sorriso.

After you installed the correct release the system will shut down and turn on again, please remember to remove the dvd otherwise you will start again the cycle of installation.

NOTE: I made a scratch installation of the appliance, and not the upgrade one. if you have an ISE with rules and other stuffs on would be better to run the upgrade iso dvd also available on cisco CCO website.

The First installation:

Now we can run the CLI wizard in order to make the first installation:

the data required will be

Hostname Must be not exceed 19 characters. Valid characters include
alphanumeric (A-Z, a-z, 0-9), hyphen (-), with a requirement that the
first character must be an alphabetic character.

(eth0) Ethernet interface address Must be a valid IPv4 address for the Gigabit Ethernet 0 (eth0) interface.

Netmask Must be a valid IPv4 netmask.

Default gateway Must be a valid IPv4 address for the default gateway.

DNS domain name Cannot be an IP address. Valid characters include ASCII characters,
any numbers, hyphen (-), and period (.).

Primary name server Must be a valid IPv4 address for the primary name server.

Add/Edit another name server Must be a valid IPv4 address for an additional name server. (Optional) Allows you to configure multiple Name servers. To do so, enter y to continue.

Primary NTP server Must be a valid IPv4 address or hostname of an NTP server. (example:clock.nist.gov)

Add/Edit another NTP server Must be a valid NTP domain. (Optional) Allows you to configure multiple NTP servers. To do so, enter y to continue.

System Time Zone Must be a valid time zone. For details, see Cisco Identity Services
Engine CLI Reference Guide, Release 1.0.4, which provides a list of time zones that Cisco ISE supports. You can run the show timezones command from the Cisco ISE CLI for a complete list of supported time zones.

Note: Changing the time zone on a Cisco ISE appliance after installation causes the Cisco ISE application on that node to be unusable. For details about the impact of changing time zones, see “clock time zone” in Appendix A in the Cisco Identity Services Engine CLI Reference Guide, Release 1.0.4.

Username Identifies the administrative username used for CLI access to the Cisco ISE system. If you choose not to use the default (admin), you must create a new username. The username must be from 3 to 8 characters in length, and be composed of valid alphanumeric
characters (A-Z, a-z, or 0-9).

Password Identifies the administrative password that is used for CLI access to the Cisco ISE system. You must create this password (there is no default). The password must be a minimum of six characters in length and include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9).

Database Administrator Password Identifies the Cisco ISE database system-level password. You must create this password (there is no default). The password must be a minimum of 11 characters in length and must include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9). The allowed list of characters also include underscore (_) and pound (#) keys.

Note: All nodes in a distributed environment require the same password, so you must be sure to configure all of them by using the same entry. After you configure this password, Cisco ISE uses it “internally”; that is, you do not have to enter it when logging into the system.

Database User Password Identifies the Cisco ISE database access-level password. You must create this password (there is no default). The password must be a minimum of 11 characters in length and must include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9). The allowed list of characters also includes underscore (_) and pound (#) keys.

Note: All nodes in a distributed environment require the same password, so you must be sure to configure all of them using the same entry. After you configure this password, Cisco ISE
uses it “internally”; that is, you do not have to enter it when logging into the system.

 

The wizard will perform the required operations creating the database and the needed object. Some reboot are needed so be patient.

At the end you should be able to see something like a prompt requiring your username and password.

I use always user admin (lazy one Angelo) . just to check if everything goes smoothly check ISE status with:

ise-server/admin# show application status ise

you should see something like:

ISE Database listener is running, PID: 4845
ISE Database is running, number of processes: 27
ISE Application Server is running, PID: 6344
ISE M&T Session Database is running, PID: 4502
ISE M&T Log Collector is running, PID: 6652
ISE M&T Log Processor is running, PID: 6738
ISE M&T Alert Process is running, PID: 6542
ise-server/admin#

next post will cover the User interface and go through the rest of the installation process…

NOTE: do not forget that for the installation you need a (better if) gigabit switch port (no trunk or whatsoever) and an IP able to access the internet and reach dns and ntp otherwise you will fail the installation

Rapport clusit sulla sicurezza informatica in italia

È uscito il rapporto clusit sulla sicurezza informatica in italia, una finestra autorevole per conoscere lo stato della cybersecurity nel nostro paese.

La documentazione si può scaricare direttamente e gratuitamente dal sito clusit 🙂 o direttamente dal link del security summit.

It's Monday

How to have a better start the day: another surgery on my forearm :-).

This time the scar will be bigger 🙂 and a bit more painful… How hard is to look as a macho…:'(

Well the next tests on the removed flash will tell if the tumor has been completely removed. And,  of course, i will keep u on the Loop! 🙂
Ciao

  • It’s Monday (thepuchiherald.wordpress.com)
  • Again on my forearm’s surgery: may be an Atypical Spitz tumor (thepuchiherald.wordpress.com)
  • 4 stiches removed from my right forearm (thepuchiherald.wordpress.com)

mercoledì 21 marzo 2012

Home

Home:

  • Cisco Live VirtualGain knowledge and network without leaving your desk. Read More
  • Social MediaBe a part of the online Cisco Live community today.  Read More
  • Exhibit with Cisco LiveNowhere else is such a focused audience brought together under one roof.  Read More

Cisco Live Global Events

  • Cisco Live, MelbourneMarch 20-23, 2012
    Melbourne, Australia. Event site.
  • Cisco Live, USJune 10-14, 2012
    San Diego, California. Event site.
  • Cisco Live, LondonJan 28 – Feb 1, 2013
    London, UK
    Event site.

ise training day 3

Posture posture and posture 🙂

interesting but long labs

  • Ise Training day 2 (aitechupdate.wordpress.com)
  • ISE basic installation and configuration. Part 2 (aitechupdate.wordpress.com)
  • ISE basic installation and configuration. Part 1 (aitechupdate.wordpress.com)
  • Open a file in PowerShell ISE via cmdlet – Version 3 Update (powertoe.wordpress.com)
  • Proliferation of “Bring Your Own Device” (houstonchannels.wordpress.com)

martedì 20 marzo 2012

Ise Training day 2 « The Puchi Herald: A.I. Tech Update

Ise Training day 2 « The Puchi Herald: A.I. Tech Update

Ise Training day 2

March 20, 2012antonio ieranoEditLeave a commentGo to comments

Ok my turn to talk today:  We talked about one of the most interesting features of ISE, profiling.

Worth to explain a little what profiling is, and what discovery and classification means. it is a very useful and powerful engine but it needs to be understood, also on what it means and why should be used.

other great new, finally  ise 1.1 is available on CCO, worth the upgrade absolutely.

http://www.cisco.com/en/US/docs/security/ise/1.1/release_notes/ise1.1_rn.html

new stuffs:….

Related articles

  • APTs, hacktivists have organizations in their crosshairs (portadiferro2.blogspot.com)
  • Cisco study finds The Who was right! (portadiferro2.blogspot.com)
  • Members of Congress Download A Lot of Illegal Torrents (portadiferro.blogspot.com)
  • Cisco slurps News Corp’s telly software biz for $5bn (go.theregister.com)
  • Anonymous Plans To Take Down The Internet? We’re Being Trolled (portadiferro.blogspot.com)
  • City of Sacramento Website Hacked (portadiferro2.blogspot.com)
  • Fingers Itch for a War on Iran (portadiferro2.blogspot.com)
  • Chambers Reinventing Cisco, Or Recycling Tactics? (informationweek.com)
  • New Cisco CCNA Certification Targets Service Provider Installs (crn.com)
  • Configure cisco ISE for Cisco Access Points (aitechupdate.wordpress.com)

Ise Training day 2

Ok my turn to talk today:  We talked about one of the most interesting features of ISE, profiling.

Worth to explain a little what profiling is, and what discovery and classification means. it is a very useful and powerful engine but it needs to be understood, also on what it means and why should be used.

other great new, finally  ise 1.1 is available on CCO, worth the upgrade absolutely.

http://www.cisco.com/en/US/docs/security/ise/1.1/release_notes/ise1.1_rn.html

new stuffs:

– Support for IOS Sensor for advanced features and remote profiling on the switch.
– Active scan with NMAP.
– A new portal guest type Device Registration webauth (DRW) to allow guests to self-classify their equipment more immediate.
– Authentication of administrators by AD, LDAP, or RSA SecurID.
– Support of Online Certificate Status Protocol (OCSP) for validating client certificates as an alternative to CRLs.
– Improved management of access lists based on Security Group Tag (SGT) for full integration with the philosophy TrustSec.
– Internationalization automatic captive portal for guests according to the language of the browser.

  • Supporting The iPad – Answers To IT’s Top Five Questions (cultofmac.com)
  • Symantec: Stripping online certificate revocation checks from Chrome is misguided (infoworld.com)
  • Configure cisco ISE for Cisco Access Points (aitechupdate.wordpress.com)
  • Canon Powershot SX210IS Best Buy (canondigitalslrcamerasbuy.wordpress.com)
  • LDAP Proxy Increases Protection And Elevates AD Capabilities (pctechmojo.com)
  • Squaring Numbers from 30-70 (mathema-tricks.blogspot.com)
  • Beyonce is Back on Stage After Baby Blue Ivy Carter Birth, Starts Twitter Trend (celebs.gather.com)
  • New IsDB aid supports Nigeria’s education sector (devex.com)
  • Can SSL Certificate Checking System Be Saved? (informationweek.com)
  • Good practice to delete rows from database by attribute(eg. is_removed) (stackoverflow.com)

lunedì 19 marzo 2012

CLUSIT Security Summit:domani al via l'edizione 2012!

CLUSIT Security Summit

 

Milano, 20-21-22 Marzo 2012 AtaHotel Executive – v.le Don Luigi Sturzo, 45 ore 9-18

 

Aggiornamento, formazione e informazione per manager e tecnici della ICT Security!

Today ISE training day 1

Image by Getty Images via @daylife

and the day is gonna be at its end for the first day of ISE training here, tomorrow I will have to talk about Profiling, we’ll see Sorriso

Today ISE training day 1

Image by Getty Images via @daylife

and the day is gonna be at its end for the first day of ISE training here, tomorrow I will have to talk about Profiling, we’ll see Sorriso

martedì 13 marzo 2012

bad day :(

Ok some days are worse than others.

I mean, it is not only that I felt sick tonight, and believe me kidney pain is really painful, and I will not speak about the other symptoms that required frequent visit at the restroom .

 

Is that sometimes I find really hard to cope with some people, well I hope at least he enjoyed the ride and felt superior (any sarcasm here is understandable).

 

sayonara

  • bad day 🙁 (thepuchiherald.wordpress.com)

Configure cisco ISE for Cisco Access Points

Let’s say you have been asked to configure ISE to allow secured network access for Cisco Wireless Access Points.

To do so you should :

· Enable the ISE endpoint profile for Cisco Access Points

· Configure an Authorization Profile and Authorization Policy rule for Cisco Access Points

· Review the access switch configuration to authorize an access point using MAC Authentication Bypass (MAB).

· Verify proper authorization of a Cisco Access Point based on ISE policy

 

Login to ISE

clip_image002

The ISE Home Dashboard page should display. Navigate the interface using the multi-level menus.

Configure the Profiler Policy to assign endpoints matching a Cisco Access Point profile to an Identity Group  called  “Cisco-Access-Points” Caldo.

Navigate to Policy > Profiling and select Cisco-Access-Point from the list of Endpoint Policies, verify that the policy is enabled (Policy Enabled checkbox is checked) and check the option Create Matching Identity Group.

Do not forget to save Sorriso otherwise it will not work Occhiolino

Now define an Authorization Profile for Cisco Access Points.

Navigate to Policy > Policy Elements > Results and double-click Authorization to expand its contents.

Select Authorization Profiles from the left-hand pane and click Add from the right-hand pane and enter the values for the Authorization Profile as shown below:

AttributeValue
NameCisco_Access_Points
DescriptionPermit access to Cisco Access Points
Access TypeACCESS_ACCEPT
Common Tasks
DACL Name[ ✓ ] PERMIT_ALL_TRAFFIC
VLAN90 (or 1:90)

The resultant Attribute Details should appear at the bottom of the page as the following:

Access Type = ACCESS_ACCEPT

Tunnel-Private-Group-ID = 1:90

Tunnel-Type = 1:13

Tunnel-Medium-Type = 1:6

DACL = PERMIT_ALL_TRAFFIC

finally click Submit to apply your changes.

Now we should configure a new Authorization Policy rule to assign the new Cisco_Access_Points profile to endpoints that match the Identity Group named Cisco-Access-Point.

To do so go to Policy > Authorization and insert a new rule below the Profiled Cisco IP Phones rule as shown in the policy table below. Use the clip_image006 selector at the end of a rule entry to insert or duplicate rules.

Enter the following values for a new rule named Profiled Cisco Access Points:

StatusRule NameIdentity GroupsOther ConditionsPermissions
clip_image002[4]Profiled Cisco IP PhonesCisco-IP-PhoneCisco_IP_Phones
clip_image002[5]Profiled Cisco Access PointsCisco-Access-PointCisco_Access_Points

 

Don’t forget to  Save when finished making policy updates.

Hint: Verify proper authorization of the wireless access point.

check the status of the port, eventually give the No Shut command in the configuration mode for the selected interface.

check the auth status with:

cisco-access# show authentication sessions interface gi0/x

or

cisco-access(config-if)# do sh auth sess int gi0/x

keep in mind you could need a few minutes to allow the result to be shown (between bootstraps and stuffs…)

To display the current dACL applied to the interface using the command show ip access-lists interface GigabitEthernet 0/3. The output should appear similar to the following:

cisco-access(config-if)# do sh ip access-list int gi0/3

permit ip host 10.1.90.100 any

 

To verify the Cisco Wireless Access Point authentication in the ISE go to Monitor > Authentications log:

SUsernameEndpoint IDIP Address NADDevice PortAuthZ
Profiles
Identity GroupEvent
#ACSACL#-IP-PERMIT_ALL_TRAFFIC3k-accessAuthorize OnlyDACL Download
nn:nn:nn:nn:nn:nnnn:nn:nn:nn:nn:nn10.1.10.1003k-accessGi0/3Cisco_Access_PointsCisco-Access-PointAuth Succeeded

Note: The access point periodically attempts to renew its IP address if no network connectivity. The default port ACL on the switch allows access to DHCP services, so the access point initially receives an IP address in the default access VLAN 10 (10.1.100.10). Once authorized for VLAN 90, the access point will renew its IP address in the new VLAN (10.1.90.100).
The authentication event in the above log reflects the IP address learned at the time of authentication. The access list applied to this session reflects the final endpoint IP address using variable substitution of the “any” value in the dACL’s source IP address.

Configure cisco ISE for Cisco Access Points

Let’s say you have been asked to configure ISE to allow secured network access for Cisco Wireless Access Points.

To do so you should :

· Enable the ISE endpoint profile for Cisco Access Points

· Configure an Authorization Profile and Authorization Policy rule for Cisco Access Points

· Review the access switch configuration to authorize an access point using MAC Authentication Bypass (MAB).

· Verify proper authorization of a Cisco Access Point based on ISE policy

 

Login to ISE

clip_image002

The ISE Home Dashboard page should display. Navigate the interface using the multi-level menus.

Configure the Profiler Policy to assign endpoints matching a Cisco Access Point profile to an Identity Group  called  “Cisco-Access-Points” Caldo.

Navigate to Policy > Profiling and select Cisco-Access-Point from the list of Endpoint Policies, verify that the policy is enabled (Policy Enabled checkbox is checked) and check the option Create Matching Identity Group.

Do not forget to save Sorriso otherwise it will not work Occhiolino

Now define an Authorization Profile for Cisco Access Points.

Navigate to Policy > Policy Elements > Results and double-click Authorization to expand its contents.

Select Authorization Profiles from the left-hand pane and click Add from the right-hand pane and enter the values for the Authorization Profile as shown below:

AttributeValue
NameCisco_Access_Points
DescriptionPermit access to Cisco Access Points
Access TypeACCESS_ACCEPT
Common Tasks
DACL Name[ ✓ ] PERMIT_ALL_TRAFFIC
VLAN90 (or 1:90)

The resultant Attribute Details should appear at the bottom of the page as the following:

Access Type = ACCESS_ACCEPT

Tunnel-Private-Group-ID = 1:90

Tunnel-Type = 1:13

Tunnel-Medium-Type = 1:6

DACL = PERMIT_ALL_TRAFFIC

finally click Submit to apply your changes.

Now we should configure a new Authorization Policy rule to assign the new Cisco_Access_Points profile to endpoints that match the Identity Group named Cisco-Access-Point.

To do so go to Policy > Authorization and insert a new rule below the Profiled Cisco IP Phones rule as shown in the policy table below. Use the clip_image006 selector at the end of a rule entry to insert or duplicate rules.

Enter the following values for a new rule named Profiled Cisco Access Points:

StatusRule NameIdentity GroupsOther ConditionsPermissions
clip_image002[4]Profiled Cisco IP PhonesCisco-IP-PhoneCisco_IP_Phones
clip_image002[5]Profiled Cisco Access PointsCisco-Access-PointCisco_Access_Points

 

Don’t forget to  Save when finished making policy updates.

Hint: Verify proper authorization of the wireless access point.

check the status of the port, eventually give the No Shut command in the configuration mode for the selected interface.

check the auth status with:

cisco-access# show authentication sessions interface gi0/x

or

cisco-access(config-if)# do sh auth sess int gi0/x

keep in mind you could need a few minutes to allow the result to be shown (between bootstraps and stuffs…)

To display the current dACL applied to the interface using the command show ip access-lists interface GigabitEthernet 0/3. The output should appear similar to the following:

cisco-access(config-if)# do sh ip access-list int gi0/3

permit ip host 10.1.90.100 any

 

To verify the Cisco Wireless Access Point authentication in the ISE go to Monitor > Authentications log:

SUsernameEndpoint IDIP Address NADDevice PortAuthZ
Profiles
Identity GroupEvent
#ACSACL#-IP-PERMIT_ALL_TRAFFIC3k-accessAuthorize OnlyDACL Download
nn:nn:nn:nn:nn:nnnn:nn:nn:nn:nn:nn10.1.10.1003k-accessGi0/3Cisco_Access_PointsCisco-Access-PointAuth Succeeded

Note: The access point periodically attempts to renew its IP address if no network connectivity. The default port ACL on the switch allows access to DHCP services, so the access point initially receives an IP address in the default access VLAN 10 (10.1.100.10). Once authorized for VLAN 90, the access point will renew its IP address in the new VLAN (10.1.90.100).
The authentication event in the above log reflects the IP address learned at the time of authentication. The access list applied to this session reflects the final endpoint IP address using variable substitution of the “any” value in the dACL’s source IP address.

martedì 6 marzo 2012

Introduction To Network Security - Part 2

Introduction To Network Security – Part 2:
By Sahir Hidayatullah – Firewall.cx Security Advisor

Tools An Attacker Uses

Now that we’ve concluded a brief introduction to the types of threats faced by both home users and the enterprise, it is time to have a look at some of the tools that attackers use.

Keep in mind that a lot of these tools have legitimate purposes and are very useful to administrators as well. For example I can use a network sniffer to diagnose a low level network problem or I can use it to collect your password. It just depends which shade of hat I choose to wear.


General Network Tools

As surprising as it might sound, some of the most powerful tools especially in the beginning stages of an attack are the regular network tools available with most operating systems. For example and attacker will usually query the ‘whois’ databases for information on the target. After that he might use ‘nslookup’ to see if he can transfer the whole contents of their DNS zone (called a zone transfer — big surprise !!). This will let him identify high profile targets such as webservers, mailservers, dns servers etc. He might also be able to figure what different systems do based on their dns name — for example sqlserver.victim.com would most likely be a database server. Other important tools include traceroute to map the network and ping to check which hosts are alive. You should make sure your firewall blocks ping requests and traceroute packets.


Exploits

An exploit is a generic term for the code that actually ‘exploits’ a vulnerability in a system. The exploit can be a script that causes the target machine to crash in a controlled manner (eg: a buffer overflow) or it could be a program that takes advantage of a misconfiguration.

A 0-day exploit is an exploit that is unknown to the security community as a whole. Since most vulnerabilities are patched within 24 hours, 0-day exploits are the ones that the vendor has not yet released a patch for. Attackers keep large collections of exploits for different systems and different services, so when they attack a network, they find a host running a vulnerable version of some service and then use the relevant exploit.


Port Scanners

Most of you will know what portscanners are. Any system that offers TCP or UDP services will have an open port for that service. For example if you’re serving up webpages, you’ll likely have TCP port 80 open, FTP is TCP port 20/21, Telnet is TCP 23, SNMP is UDP port 161 and so on.

A portscanner scans a host or a range of hosts to determine what ports are open and what service is running on them. This tells the attacker which systems can be attacked.
For example, if I scan a webserver and find that port 80 is running an old webserver — IIS/4.0, I can target this system with my collection of exploits for IIS 4. Usually the port scanning will be conducted at the start of the attack, to determine which hosts are interesting.

This is when the attacker is still footprinting the network — feeling his way around to get an idea of what type of services are offered and what Operating Systems are in use etc. One of the best portscanners around is Nmap https://nmap.org/). Nmap runs on just about every operating system is very versatile in how it lets you scan a system and has many features including OS fingerprinting, service version scanning and stealth scanning. Another popular scanner is Superscan https://www.mcafee.com/) which is only for the windows platform.

Network Sniffers

A network sniffer puts the computers NIC (network interface card or LAN card) into ‘promiscuous mode’. In this mode, the NIC picks up all the traffic on its subnet regardless of whether it was meant for it or not. Attackers set up sniffers so that they can capture all the network traffic and pull out logins and passwords. The most popular network sniffer is TCPdump as it can be run from the command line — which is usually the level of access a remote attacker will get. Other popular sniffers are Iris and Ethereal.

When the target network is a switched environment (a network which uses layer 2 switches), a conventional network scanner will not be of any use. For such cases, the switched network sniffer Ettercap https://ettercap.sourceforge.net/) and WireShark https://www.wireshark.org/) are very popular. Such programs are usually run with other hacking capable applications that allow the attacker to collect passwords, hijack sessions, modify ongoing connections and kill connections. Such programs can even sniff secured communications like SSL (used for secure webpages) and SSH1 (Secure Shell – a remote access service like telnet, but encrypted).

Vulnerability Scanners

A vulnerability scanner is like a portscanner on steroids, once it has identified which services are running, it checks the system against a large database of known vulnerabilities and then prepares a report on what security holes are found. The software can be updated to scan for the latest security holes. These tools are very simple to use unfortunately, so many script kiddies simply point them at a target machine to find out what they can attack. The most popular ones are Retina https://www.beyondtrust.com/), Nessus https://www.tenable.com/products/nessus) and GFI LanScan (http://www.gfi.com). These are very useful tools for admins as well as they can scan their whole network and get a detailed summary of what holes exist.


Password Crackers

Once an attacker has gained some level of access, he/she usually goes after the password file on the relevant machine. In UNIX like systems this is the /etc/passwd or /etc/shadow file and in Windows it is the SAM database. Once he gets hold of this file, its usually game over, he runs it through a password cracker that will usually guarantee him further access. Running a password cracker against your own password files can be a scary and enlightening experience. L0phtcrack cracked my old password fR7x!5kK after being left on for just one night !

There are essentially two methods of password cracking :

Dictionary Mode – In this mode, the attacker feeds the cracker a word list of common passwords such as ‘abc123’ or ‘password’. The cracker will try each of these passwords and note where it gets a match. This mode is useful when the attacker knows something about the target. Say I know that the passwords for the servers in your business are the names of Greek Gods (yes Chris, that’s a shout-out to you ;)) I can find a dictionary list of Greek God names and run it through the password cracker.

Most attackers have a large collection of wordlists. For example when I do penetration testing work, I usually use common password lists, Indian name lists and a couple of customized lists based on what I know about the company (usually data I pick up from their company website). Many people think that adding on a couple of numbers at the start or end of a password (for example ‘superman99’) makes the password very difficult to crack. This is a myth as most password crackers have the option of adding numbers to the end of words from the wordlist. While it may take the attacker 30 minutes more to crack your password, it does not make it much more secure.

Brute Force Mode – In this mode, the password cracker will try every possible combination for the password. In other words it will try aaaaa, aaaab, aaaac, aaaad etc. this method will crack every possible password — its just a matter of how long it takes. It can turn up surprising results because of the power of modern computers. A 5-6 character alphanumeric password is crackable within a matter of a few hours or maybe a few days, depending on the speed of the software and machine. Powerful crackers include l0phtcrack for windows passwords and John the Ripper for UNIX style passwords.

For each category, I have listed one or two tools as an example. At the end of this article I will present a more detailed list of tools with descriptions and possible uses.


What is Penetration-Testing?

Penetration testing is basically when you hire (or perform yourself) security consultants to attack your network the way an attacker would do it, and report the results to you enumerating what holes were found, and how to fix them. It’s basically breaking into your own network to see how others would do it.

While many admins like to run quick probes and port scans on their systems, this is not a penetration test — a penetration tester will use a variety of specialised methods and tools from the underground to attempt to gain access to the network. Depending on what level of testing you have asked for, the tester may even go so far as to call up employees and try to social engineer their passwords out of them (social engineering involves fooling a mark into revealing information they should not reveal).

An example of social engineering could be an attacker pretending to be someone from the IT department and asking a user to reset his password. Penetration testing is probably the only honest way to figure out what security problems your network faces. It can be done by an administrator who is security aware, but it is usually better to pay an outside consultant who will do a more thorough job.

I find there’s a lack of worthwhile information online about penetration testing — nobody really goes about describing a good pen test, and what you should and shouldn’t do. So I’ve hand picked a couple of good papers on the subject and then given you a list of my favourite tools, and the way I like to do things in a pen-test.

This is by no means the only way to do things, it’s like subnetting — everyone has their own method — this is just a systematic approach that works very well as a set of guidelines. Depending on how much information you are given about the targets as well as what level of testing you’re allowed to do, this method can be adapted.

Papers Covering Penetration Testing

I consider the following works essential reading for anyone who is interested in performing pen-tests, whether for yourself or if you’re planning a career in security:

Related articles