Posts

Stop Using PEAP/MS-CHAPv2

I see a lot of customers continue to use PEAP/MS-CHAPv2 for 802.1X network authentication to Cisco ISE and other network access control platforms and RADIUS servers.  STOP!   MS-CHAPv2 uses broken MD5 encryption and should no longer be used to pass sensitive credentials over any network.  Microsoft has taken steps to disable PEAP/MS-CHAPv2 for Active Directory credentials in updated versions of Windows 10 and Windows 11.  You can get around this with a registry hack but it's still a BAD idea.  If you are still using MS-CHAPv2 for 802.1X authentication, it's time to migrate to certificate based authentication methods instead such as EAP-TLS.  Even better, use TEAP with user and machine authentication using certificates.   Some use-cases (like BYOD or guest access) could also transition to SAML-based authentication to your IDP of choice.  SAML Assertion sometimes can remove the need for a RADIUS server all together.  Having a secure, robust PKI is essential for certificate based
Post a Comment
Read more

Aruba Networks Airheads MVP Expert 2024

I'm happy to announce that I have received the Aruba Network Airheads MVP Expert designation for 2024 for my assistance in the Airheads forum around ClearPass design, implementation, and troubleshooting.  Be sure to check out all of the 2024  MVPs .
Post a Comment
Read more

Cisco Designated VIP 2024

I'm pleased  to announce that I have been recognized as a Cisco Community Designated VIP for 2024 for my assistance in the Cisco Secure Network Access Control community focusing on Identity Services Engine.  Be sure to check out all of the   Cisco Community Designated VIPs .
Post a Comment
Read more

Cisco Meraki MS130R Ruggedized Switch

Today Cisco Meraki announced the MS130R rugged switch .  This is the first rugged Meraki switch; it's IP30 certified with an operating temperature of -40 to 70 degrees Celsius.  This enables the cloud first Meraki configuration and support model in harsh/challenging environments.  The switch includes eight 30W POE+ capable 1GbE RJ45 ports and two 1GbE SFP ports.  As with any industrial/rugged switch it can be powered by DIN rail DC power or an external AC power supply.  The two SFP ports support a variety of Cisco ruggedized SFPs: GLC-SX-MM-RGD, GLC-LX-SM-RGD, GLC-ZX-SM-RGD, and GLC-T-RGD. One of the most exciting things to me is that the MS130-X (also announced today) and MS130R will  support Adaptative Policy in a future MS firmware update.  This will extend the Adaptive Policy boundary to harsh environments to enable micro-segmentation in even more locations.  Meraki Adaptive Policy also seamlessly integrates with Cisco Identity Services Engine for syncing Security Group Tags
Post a Comment
Read more

How to Upgrade Juniper EX JunOS using the Mist Dashboard

Image
In this article I'm going to go through updating Junos OS on an EX2300-C switch using the Mist Dashboard.  This functionality is included in the Wired Assurance Subscription.  Once the switch is claimed in your Mist organization (maybe a topic for another post?) the switch will be added to the Switches view and various statistics will be displayed. Next, check the selection box for the switch(es) to upgrade and click the Upgrade Switches button in the top right.  A new window will appear with a selection of the version of Junos to upgrade to. This pane also includes checkboxes to force a switch reboot once the image is copied.  A reboot can also be performed at later time (for example during a maintenance window) instead of automatically at the end of the Junos image download.  A recovery snapshot can also be created for easy rollback to the currently running version of Junos in case of a code related issue.  Finally, the End User License Agreement must be accepted.  Select the tar
Post a Comment
Read more

So I tried Google Bard…

This article was written by Google Bard with the prompt “write a blog post on the importance of zero trust”.  Pretty neat but I really do question the ethics around using AI for media/publication generation.  Anyways here is what Bard gave me: Zero trust is a security model that assumes that no device, user, or service should be trusted by default. Instead, every request for access to a system or data should be verified and authenticated. Zero trust is based on the principle of "never trust, always verify." This means that organizations should never assume that any user or device is safe, even if they are inside the network perimeter. Instead, they should always verify the identity of each user and device before granting access to any resources. Zero trust is a critical security model for organizations that operate in today's digital world. The traditional security model of "trust but verify" is no longer effective in the face of modern threats. Zero trust helps
Post a Comment
Read more

How To: Cisco ISE Captive Portals with Aruba Wireless

See myself and Brad Johnson's   Cisco Community post .
Post a Comment
Read more

Popular posts from this blog

Fix Cisco ISE Messaging Service

Cisco Identity Services Engine 2.6 introduced the concept of the ISE Messaging Service as an encrypted, lightweight protocol to replace syslog communication between the ISE nodes for logging purposes.  The ISE Messaging Services runs over TCP/8671.  In 2.6 Patch 2 and later, the Cisco ISE Messaging Service is enabled by default.   The overall implementation of the ISE Messaging Service has been buggy (but has gotten much better in recent versions) in both new ISE builds and upgrades.  One solution is simply to disable the ISE Messaging Service within Administration > System > Logging.  But then the ISE logging traffic isn't encrypted and the legacy syslog delivery method is not as efficient as the ISE Messaging Service so we will focus the rest of this article on how to identity and fix the ISE Messaging Service. Problem Identification Usually problems with the ISE Messaging Service involve a blank Live Logs page.  You know authentication is working as you have devices/users
Read more

ClearPass MPSK per Device Type with Profiling

Image
Multiple Pre-Shared Key or MPSK helps solve for IOT or other endpoint device types that are not 802.1X capable.  The Aruba ClearPass default implementation of MPSK (the configuration created by the wizard) requires manually registering, enrolling, and managing individual PSK keys per endpoint using the ClearPass Guest dashboard.  While the most secure approach, excluding any sort of API based automation, this can obviously be a nightmare to manage and support due to the sheer number of PSKs.  This approach instead delivers a unique PSK per device type (printer, thermostat, etc.) so that each flavor of endpoint would have its own PSK.  If one PSK was compromised, then only those endpoints would need to be manually re-configured.  PSK rotation would also be limited to only those specific device types allowing rotation to take place slowly over several weeks rather than all devices at the same time on the SSID with a traditional single PSK; lessoning the burden on IT staff and minimizing
Read more

Cisco Designated VIP 2023

I'm happy to announce that I have been recognized as a Cisco Community Designated VIP for 2023 for my assistance in the Cisco Secure Network Access Control community focusing on Identity Services Engine.  Be sure to check out all of the Cisco Community Designated VIPs .
Read more