Advertising Healthy F5 LTM VIPs using BGP

What’s the point? I have come across some environments where combining the capabilities of dynamic routing with the F5 LTM monitoring capabilities provides a worthwhile benefit. Of course, in many (perhaps most) cases, an LTM advertising only healthy and reachable resources via dynamic routing may not be needed, since it may be the only place the resources exist. In that case, if the one set of resources goes down, there’s nowhere else for the traffic to go, so there’s no point in taking advantage of this.

Posted

#How To

EAP-TLS with a Broken Private Key

When going through a standard EAP-TLS deployment recently, a seemingly new problem reared its head. We had tested it out and validated EAP-TLS on a couple of laptops using the Microsoft Native Supplicant. All of the ISE policies were good to go, and everything was working as expected. Then came along a new laptop. This one had other plans. We plug it in and get to authenticatin’.

Troubleshooting

Well, it didn’t seem to want to send many 802.

Posted

#Cisco ISE #Troubleshooting

Setting up an iPerf3 Server on a Raspberry Pi

I was recently battling for server time when doing internet-based performance testing against one of the publicly listed iperf3 servers. Unfortunately, iperf3 only supports one test at a time. This makes sense in order to provide full resources to an individual test for reliable results. In any case, I didn’t want to wait when I’m smack in the middle of some heart-throbbing troubleshooting. So, I decided to set up my own from my home and let internet traffic in to use it.

Posted

#How To

Allowing Mobile App Stores through a WLC Redirect ACL

Cisco ISE provides the ability to redirect users through an MDM workflow to assist in the on-boarding of mobile devices. Using integration of MDMs like MobileIron or AirWatch, you can allow registered and compliant devices onto your network, while automatically facilitating MDM enrollment for other devices. While the authorization policy for these workflows is relatively straightforward, the specification of traffic flows for redirection to the MDM portal can be somewhat challenging.

Posted

#Cisco ISE #Troubleshooting

Oh, you wanted to save that NAT?

I recently stumbled across an “undocumented feature” on the Cisco Firepower Threat Defense managed by Firepower Management Center (FMC) that caused quite the frustration. When entering certain parts of the FMC, the “Save” and “Cancel” buttons won’t show up in the top right corner. The downside of this, of course, is that I can’t save whatever I was working on. The most consistent occurrence of this was the NAT Policy. When managing the NAT Policy, about 9 out of 10 times, or probably more, the “Save” option just wouldn’t show up.

Posted

#Troubleshooting

The Tale of the Eternal Packet

All of us went through that early networking training and heard about loops and how they can cripple a network. Depending on when you got your start in networking, you were then told that you’re not likely to see those types of problems, thanks to Spanning Tree or other network improvements since back in the day. Well, every once in a while, if you try really hard, you can still come across a good ole loop to give you a run for your money.

Posted

#Troubleshooting

The Importance of "I Don't Know"

When interviewing people, one of the biggest things I’m looking for is someone to say the words “I don’t know.” It doesn’t have to be that exact phrase, but it should be something similar, “I’d have to do some more research,” or, “I’m not sure but I’ll look further into it.” It doesn’t necessarily have to be the person being interviewed, it could even be who is actually conducting the interview.

Posted

#Consulting

Cisco ISE and Client Certificate Chain with Any Purpose EKU

I recently came across quite an interesting issue during a Cisco ISE implementation using EAP-TLS. This was using EAP-FAST to perform EAP Chaining using the Cisco AnyConnect NAM module; however, the inner method was EAP-TLS and that’s where the problem resided. My authentication was failing due to “unsupported certificate in client certificate chain.” Ultimately, the problem was that the certificate the client was authenticating with was sending its certificate chain along with its authentication request.

Posted

#Cisco ISE #Troubleshooting

Failed Machine Authentication with AnyConnect NAM on Windows 8+

Starting with Windows 8, Microsoft changed a default security setting that only allows third party software to access the machine’s domain password in an encrypted format. This results in a third party supplicant sending an encrypted password string to the domain that then compares it against an unencrypted password string. The authentication then fails with the error “Machine authentication against Active Directory failed due to wrong password.” If you look in the authentication steps, you will see the 24344 RPC Logon request failed - STATUS_WRONG_PASSWORD, ERROR_INVALID_PASSWORD,pclthp10156.

Posted

#Cisco ISE #Troubleshooting

VMware NSX Distributed Firewall (DFW) Viewer

I’ve spoken to a few people who use VMware NSX with the Distributed Firewall (DFW). Most of them, myself included, had some gripes about the NSX interface. While its web-driven interface is an improvement on many firewall managers, it left something to be desired. At many points in its use, it’s easy to find yourself falling deep down a menu-clicking hole while trying to check the contents of a security group, or modify some object that you’re using in the policy.

Posted

#Development #VMware NSX