Adam Hollifield

Below is a template for Aruba AOS-CX Switches for 802.1X and MAB. This template can be used with any standards-based RADIUS server such as Aruba ClearPass, Cisco Identity Services Engine, Fortinet FortiAuthenticator, FortiNAC, FreeRADIUS, etc. This configuration is just basic 802.1X and MAC Address Bypass, it does not cover Downloadable User Roles (DUR) or other advanced Aruba segmentation features.  The various sections of the configuration are explained prior to each as a comment denoted by !. This configuration should be valid for any version of AOS-CX and has practically been tested with both Cisco ISE and Aruba ClearPass. !Define the RADIUS servers. This can be a ClearPass VIP, a load-balancer, or the actual RADIUS servers. Replace the x.x.x.x with your RADIUS server IPs. radius-server host x.x.x.x key plain-text SuperSecureKey! radius-server host x.x.x.x key plain-text SuperSecureKey! !Place the RADIUS servers inside a AAA group. Replace [name] with the whatever name you...

I see a lot of customers continue to use PEAP/MS-CHAPv2 for 802.1X network authentication to Cisco ISE and other network access control platforms and RADIUS servers.  STOP!   MS-CHAPv2 uses broken MD4 encryption and should no longer be used to pass sensitive credentials over any network.  Microsoft has taken steps to disable PEAP/MS-CHAPv2 for Active Directory credentials in updated versions of Windows 10 and Windows 11.  You can get around this with a registry hack but it's still a BAD idea.  If you are still using MS-CHAPv2 for 802.1X authentication, it's time to migrate to certificate based authentication methods instead such as EAP-TLS.  Even better, use TEAP with user and machine authentication using certificates.   Some use-cases (like BYOD or guest access) could also transition to SAML-based authentication to your IDP of choice.  SAML Assertion sometimes can remove the need for a RADIUS server all together.  Having a secure, robus...

I'm happy to announce that I have received the Aruba Network Airheads MVP Expert designation for 2024 for my assistance in the Airheads forum around ClearPass design, implementation, and troubleshooting.  Be sure to check out all of the 2024  MVPs .

I'm pleased  to announce that I have been recognized as a Cisco Community Designated VIP for 2024 for my assistance in the Cisco Secure Network Access Control community focusing on Identity Services Engine.  Be sure to check out all of the   Cisco Community Designated VIPs .

Today Cisco Meraki announced the MS130R rugged switch .  This is the first rugged Meraki switch; it's IP30 certified with an operating temperature of -40 to 70 degrees Celsius.  This enables the cloud first Meraki configuration and support model in harsh/challenging environments.  The switch includes eight 30W POE+ capable 1GbE RJ45 ports and two 1GbE SFP ports.  As with any industrial/rugged switch it can be powered by DIN rail DC power or an external AC power supply.  The two SFP ports support a variety of Cisco ruggedized SFPs: GLC-SX-MM-RGD, GLC-LX-SM-RGD, GLC-ZX-SM-RGD, and GLC-T-RGD. One of the most exciting things to me is that the MS130-X (also announced today) and MS130R will  support Adaptative Policy in a future MS firmware update.  This will extend the Adaptive Policy boundary to harsh environments to enable micro-segmentation in even more locations.  Meraki Adaptive Policy also seamlessly integrates with Cisco Identity Services Engi...

In this article I'm going to go through updating Junos OS on an EX2300-C switch using the Mist Dashboard.  This functionality is included in the Wired Assurance Subscription.  Once the switch is claimed in your Mist organization (maybe a topic for another post?) the switch will be added to the Switches view and various statistics will be displayed. Next, check the selection box for the switch(es) to upgrade and click the Upgrade Switches button in the top right.  A new window will appear with a selection of the version of Junos to upgrade to. This pane also includes checkboxes to force a switch reboot once the image is copied.  A reboot can also be performed at later time (for example during a maintenance window) instead of automatically at the end of the Junos image download.  A recovery snapshot can also be created for easy rollback to the currently running version of Junos in case of a code related issue.  Finally, the End User License Agreement must be ...

This article was written by Google Bard with the prompt “write a blog post on the importance of zero trust”.  Pretty neat but I really do question the ethics around using AI for media/publication generation.  Anyways here is what Bard gave me: Zero trust is a security model that assumes that no device, user, or service should be trusted by default. Instead, every request for access to a system or data should be verified and authenticated. Zero trust is based on the principle of "never trust, always verify." This means that organizations should never assume that any user or device is safe, even if they are inside the network perimeter. Instead, they should always verify the identity of each user and device before granting access to any resources. Zero trust is a critical security model for organizations that operate in today's digital world. The traditional security model of "trust but verify" is no longer effective in the face of modern threats. Zero trust helps...