Security – InfraWorld

Cisco Firepower Chassis Manager Radius Configuration

January 20, 2017 Rob Rademakers Leave a comment

There are many configuration guides on the Cisco website with details about configuring RADIUS and TACACS+ on a Cisco Firepower Chassis Manager. See this link for the configuration guide for 2.0(1).
In this document, you can read the following comment:

Remote User Role Policy

Controls what happens when a user attempts to log in and the remote authentication provider does not supply a user role with the authentication information:

Assign Default Role—The user is allowed to log in with a read-only user role.
No-Login—The user is not allowed to log in to the system, even if the username and password are correct.

But… it’s very hard to find what attributes are needed to assign a user the administrator role.
Read more

Cisco ISE 2.0 – Guest authentication ISE configuration

July 26, 2016 Rob Rademakers 2 comments

Configure Cisco ISE

The Authorization profile will be created first, then the authentication and authorization policies are configured.
Read more

ISE
Security

Cisco ISE 2.0 – Guest Authentication

June 30, 2016 Rob Rademakers Leave a comment

Navigate to WLAN’s, Create new

2. Configure General Settings:
Read more

ISE
Security

Cisco ISE 2.0 – Employee Authentication Based on 802.1x (User auth)

May 24, 2016 Rob Rademakers Leave a comment

This is a 4 part blog series about configuring Cisco ISE 2.0 for WLAN authentication and WLAN Guest authentication (split into two parts) on a Cisco Wireless LAN Controller (WLC).
For more guides about configuring (previous) Cisco ISE, see this page.This is part 2, creating authentication and authorization policies.
Create authentication policy

Navigate to Policy, Authentication
Edit, Wired_802.1X to include Wireless_802.1X, and select “ehlo.lan” domain store.

ISE
Security

Cisco ISE 2.0 Active Directory & Radius

April 28, 2016 Rob Rademakers Leave a comment

This is a 4 part blog series about configuring Cisco ISE 2.0 for WLAN authentication and WLAN Guest authentication (split into two parts) on a Cisco Wireless LAN Controller (WLC).
ISEimage For more guides about configuring (previous) Cisco ISE, see this page.This is part 1, the prerequisites before you can start configuring any authentication method.
Add ISE to Active Directory domain
Login into ISE and add ISE to the Active Directory domain by following these steps:
Read more

ISE
Security

Cisco WSA Acceptable Use and HTTPS inspection

December 18, 2014 Rob Rademakers Leave a comment

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:
Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware
This is the 5th part of the series
How can you enforce the Acceptable use?
Acceptable use is mostly defined by Application Visibility Control (AVC). Websites are classified by a URL lookup in the cisco database, based on the URL itself, or a dynamic scan of the website.
To configure this, click Security Services > Acceptable Use Controls

AVC is enabled by default.
HTTPS Inspection (HTTPS Proxy)
It’s getting more important to decrypt HTTPS sessions to check against your policies. You can receive a lot of nasty stuff inside your HTTPS session. But there is one major drawback: the WSA shows the user a SSL certificate of the WSA appliance. In almost all circumstances this certificate wouldn’t match all requirements, so the users receive SSL certificate errors. Make sure your users are familiar with your HTTPS inspection!
How does it works? It’s pretty simple: the WSA creates the HTTPS session to the webserver and creates a new HTTPS session to the user. The responses from the webserver are checked and scanned and deliverd over the new HTTPS session to the user.
Read more

Cisco WSA Policies

November 11, 2014 Rob Rademakers Leave a comment

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:
Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware
This is the 4th part of the series.
Creating policies is one the major (en most fun) part of the WSA. In this blog I’ll cover the configuration of access policies and identities.
Click Web Security Manager > Access Policies

Only one policy can be applied. This is based on first match (top-down). If no policy matches, the Global Policy will be used.
First, you have to create a identity. An identity doesn’t identify a user, but it identifies a client or transaction that may require authentication. Identity membership is determined before authentication is done. Policy group membership is determined after authentication is performed.
Click Web Security Manager > Identities > add identity and create the identity, based on IP’s ip ranges or IP subnets. Possible identities are:

Kiosk users
Update agents
Company users

Cisco WSA Deploying Proxy Services

November 3, 2014 Rob Rademakers Leave a comment

Explicit Forward Mode
Transparent Mode

In Explicit Forward Mode the client does have an Proxy configuration. There is no configuration needed on the network infrastructure (routers/switches). Authentication is easy and there are three methods for providing the proxy information:

Automatic Proxy script
Enter the proxy server IP address
Automatic detect settings using WPAD protocol

In transparent mode, there is no configuration needed on the clients. The network infrastructure redirects the traffic (WCCP). Authentication could be an issue.
Redirection options are:

Web Cache control protocol (WCCP, used in Cisco ASA, ASR and Catalyst switches)
Policy based routing
Layer 4 switch
Layer 7 switch (like a Citrix Netscaler)

WCCP is the most used redirection option for transparant proxies. For more information about WCCP and the configuration, check this link.
PAC files
PAC files are used in Explicit Forward Mode. The PAC file link is configured on the clients’ proxy settings. If you need help with creating PAC files, check this link.
You can host the PAC file on any webserver, but hosting on the WSA is possible too. Click Security Services > PAC File Hosting and upload your PAC file. It’s recommended to host the PAC file on a seperate web server.
Read more

Cisco Web Security Appliance introduction

October 10, 2014 Rob Rademakers Leave a comment

In this and upcoming posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda for the upcoming weeks:
Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware
In this blog we’ll talk about the product introduction.
The Cisco Web Security Appliance (WSA) is an appliance for securing http, https and ftp traffic from (and to) the internet.
The WSA replaces all, or most of these devices in your network:
Firewall
Webproxy
Anti spyware
Antivirus
URL Filtering
Policy management
As you can see, it’s more than just a regular proxy server.
The internet provides a lot of websites, good websites and bad websites. There are a lot of websites which are not work related for a lot of companies. If you want to limit or block those websites for users, the WSA is the product for you. Limitation can be time based, bandwidth based, user based or category based (79 categories). Road warriors (remote users) can be protected too by Anyconnect security or Web cloud Security, also known as Scansafe.
Read more

Cisco WSA Defending Malware

October 2, 2014 Rob Rademakers Leave a comment

1 2 »