Posts

Stop Using PEAP/MS-CHAPv2

I see a lot of customers continue to use PEAP/MS-CHAPv2 for 802.1X network authentication to Cisco ISE and other network access control platforms and RADIUS servers. STOP! MS-CHAPv2 uses broken MD5 encryption and should no longer be used to pass sensitive credentials over any network. Microsoft has taken steps to disable PEAP/MS-CHAPv2 for Active Directory credentials in updated versions of Windows 10 and Windows 11. You can get around this with a registry hack, but it's still a BAD idea. If you are still using MS-CHAPv2 for 802.1X authentication, it's time to migrate to certificate-based authentication methods instead, such as EAP-TLS. Even better, use TEAP with user and machine authentication using certificates. Some use cases (like BYOD or guest access) could also transition to SAML-based authentication to your IdP of choice. A SAML assertion can sometimes remove the need for a RADIUS server altogether. Having a secure, robust PKI is essential for certificate based

Aruba Networks Airheads MVP Expert 2024

I'm happy to announce that I have received the Aruba Network Airheads MVP Expert designation for 2024 for my assistance in the Airheads forum around ClearPass design, implementation, and troubleshooting. Be sure to check out all of the 2024 MVPs.

Cisco Designated VIP 2024

I'm pleased to announce that I have been recognized as a Cisco Community Designated VIP for 2024 for my assistance in the Cisco Secure Network Access Control community focusing on Identity Services Engine. Be sure to check out all of the Cisco Community Designated VIPs.

Cisco Meraki MS130R Ruggedized Switch

Today Cisco Meraki announced the MS130R rugged switch. This is the first rugged Meraki switch; it's IP30 certified with an operating temperature of -40 to 70 degrees Celsius. This brings the cloud-first Meraki configuration and support model to harsh/challenging environments. The switch includes eight 30W PoE+ capable 1GbE RJ45 ports and two 1GbE SFP ports. As with any industrial/rugged switch, it can be powered by DIN rail DC power or an external AC power supply. The two SFP ports support a variety of Cisco ruggedized SFPs: GLC-SX-MM-RGD, GLC-LX-SM-RGD, GLC-ZX-SM-RGD, and GLC-T-RGD. One of the most exciting things to me is that the MS130-X (also announced today) and MS130R will support Adaptive Policy in a future MS firmware update. This will extend the Adaptive Policy boundary to harsh environments to enable micro-segmentation in even more locations. Meraki Adaptive Policy also seamlessly integrates with Cisco Identity Services Engine for syncing Security Group Tags

How to Upgrade Juniper EX JunOS using the Mist Dashboard

In this article I'm going to go through updating Junos OS on an EX2300-C switch using the Mist Dashboard. This functionality is included in the Wired Assurance subscription. Once the switch is claimed in your Mist organization (maybe a topic for another post?), the switch will be added to the Switches view and various statistics will be displayed. Next, check the selection box for the switch(es) to upgrade and click the Upgrade Switches button in the top right. A new window will appear with a selection of the Junos version to upgrade to. This pane also includes checkboxes to force a switch reboot once the image is copied. A reboot can also be performed at a later time (for example, during a maintenance window) instead of automatically at the end of the Junos image download. A recovery snapshot can also be created for easy rollback to the currently running version of Junos in case of a code-related issue. Finally, the End User License Agreement must be accepted. Select the tar

So I tried Google Bard…

This article was written by Google Bard with the prompt "write a blog post on the importance of zero trust". Pretty neat, but I really do question the ethics around using AI for media/publication generation. Anyway, here is what Bard gave me: Zero trust is a security model that assumes that no device, user, or service should be trusted by default. Instead, every request for access to a system or data should be verified and authenticated. Zero trust is based on the principle of "never trust, always verify." This means that organizations should never assume that any user or device is safe, even if they are inside the network perimeter. Instead, they should always verify the identity of each user and device before granting access to any resources. Zero trust is a critical security model for organizations that operate in today's digital world. The traditional security model of "trust but verify" is no longer effective in the face of modern threats. Zero trust helps

How To: Cisco ISE Captive Portals with Aruba Wireless

See the Cisco Community post by Brad Johnson and me.
