Network World Secure Network Access (feed dated Mon, 15 Jun 2020 11:26:58 -0700)
Securing the modern mobile OS Tue, 31 Jul 2018 11:25:00 -0700 Aaron Woland

The idea for this blog post came to me during a discussion around some recent research performed by Cisco’s Talos threat research group.

The post "Advanced Mobile Malware Campaign in India uses Malicious MDM" was authored by Warren Mercer, Paul Rascagneres and Andrew Williams; a follow-up post containing additional research can be found in Part 2.

In this beautiful piece of research, these guys identified and analyzed an attacker with malicious intent who used a modified open-source Mobile Device Manager (MDM) to control multiple mobile devices, and to install modified versions of well-known apps like WhatsApp and Telegram in order to gain access to what would otherwise be private data.

Full article: //m.banksfrench.com/article/3294199/securing-the-modern-mobile-os.html#tk.rss_securenetworkaccess (tags: MDM, Mobile Security, Mobile)
Protecting iOS against the aLTEr attacks Tue, 10 Jul 2018 07:24:00 -0700 Aaron Woland

Researchers from Ruhr-Universität Bochum & New York University Abu Dhabi have uncovered a new attack against devices using the Long-Term Evolution (LTE) network protocol. LTE, which is a form of 4G, is a mobile communications standard used by billions of devices and the largest cellular providers around the world.

In other words, the attack can be used against you.

The research team has named the attack “aLTEr” and it allows the attacker to intercept communications using a man-in-the-middle technique and redirect the victim to malicious websites using DNS spoofing.

Full article: //m.banksfrench.com/article/3287149/protecting-ios-against-the-alter-attacks.html#tk.rss_securenetworkaccess (tags: Mobile Security, Network Security, Operating Systems, Mobile)
A first-hand account of Cisco Live 2018 in Orlando Thu, 21 Jun 2018 04:41:00 -0700 Aaron Woland

I have had many people ask me what Cisco Live is like from my perspective as a long-time attendee and a member of the Hall of Fame Elite for speakers. While my perspective may be a bit different than your average attendee's, I thought I'd give it a shot and write it up.

Cisco Live is an amazing event.  Some years, I may present at Cisco Live up to 4 times per year, and this was one of those years. 

  • Cancun, Mexico – December 2017
  • Barcelona, Spain – February 2018
  • Melbourne, Australia – March 2018
  • Orlando, Florida, USA – June 2018

When I was a young buck and started attending Cisco Live they were actually called “Networkers” and to me, that still describes the best part of Cisco Live.  Not networking in the technology sense, but the human networking that goes on.  It’s like a reunion with the people that I get to see year after year; and I get to meet new people every single time.

Full article: //m.banksfrench.com/article/3283237/a-first-hand-account-of-cisco-live-2018-in-orlando.html#tk.rss_securenetworkaccess (tags: Networking)
AMP and ThreatGrid integration into Meraki UTMs Tue, 01 Aug 2017 06:00:00 -0700 Aaron Woland

Lately I have been spending a lot of my time and energy on integrating security systems together, with a particular focus on Cisco's Advanced Threat security product family. (Disclosure: I am employed by Cisco.)

Which brings me to Cisco's Advanced Malware Protection (AMP), a solution for malware detection, blocking, continuous analysis, and retrospective actions and alerting.

In fact, when the Talos cyber-vigilantes parachute into an environment and perform their forensic analysis and active defense against attacks, AMP is one of the primary tools that they use.

Full article: //m.banksfrench.com/article/3202306/amp-and-threatgrid-integration-into-meraki-utms.html#tk.rss_securenetworkaccess (tags: Endpoint Protection, Firewalls, Security, Networking)
Cisco Rapid Threat Containment quickly detects, removes infected end points Tue, 21 Feb 2017 09:40:00 -0800 Aaron Woland

Many of the readers of this blog are aware that ever since Cisco acquired SourceFire, and cybersecurity industry legends such as Marty Roesch took leadership roles within the company, Cisco's initiative is for all security products to be open and to interoperate with other products.

Another very large acquisition was OpenDNS, and the CEO from OpenDNS now leads all of the security business at Cisco. The culture is all about Cisco products, as well as non-Cisco products, working better together. 


For many, it's shocking to think about Cisco as a vendor pushing for openness and standards. I'm not sure why because Cisco has spent its life creating networking protocols and then helping them to become standards available to all. But I digress.

Full article: //m.banksfrench.com/article/3164571/cisco-rapid-threat-containment-quickly-detects-removes-infected-end-points.html#tk.rss_securenetworkaccess (tags: Security, Cisco Systems)
Troubleshooting Cisco's ISE without TAC Tue, 07 Jun 2016 08:03:00 -0700 Aaron Woland

One thing I have always been passionate about is making secure network access deployments easier, which includes what we like to call serviceability. Serviceability is about making products easier to troubleshoot, easier to deploy and easier to use. The ultimate goal is always customer success.

There is a clear correlation between visibility and the success of any NAC project. If you are blind to what is happening, and if you cannot easily get the information that helps you figure out what is wrong, it can be extremely frustrating, and it makes the deployment look poor.

My goal for this post is to highlight many of the serviceability items that Cisco has put into ISE that you may not be aware of. I'll do my best to not only call out the feature or function that was added, but explain why it matters and what version it was added in.

Full article: //m.banksfrench.com/article/3053669/troubleshooting-ciscos-ise-without-tac.html#tk.rss_securenetworkaccess (tags: Security, Network Security, Cisco Systems)
Triggered NetFlow - A trick of the trade Wed, 01 Jun 2016 10:34:00 -0700 Aaron Woland

Triggered NetFlow: A Woland-Santuka Pro Tip

Vivek Santuka, CCIE #17621, is a consulting systems engineer at Cisco Systems who focuses on ISE for Cisco's largest customers around the world. He and I devised, tested and deployed the methodology discussed in this blog entry, which we like to call "Triggered NetFlow."

NetFlow is an incredibly useful and under-valued security tool. Essentially, it is similar to a phone bill. A phone bill does not include recordings of all the conversations you have had in their entirety; it is a summary record of all calls sent and received.

Cisco routers and switches support NetFlow, sending a “record” of each packet that has been routed, including the ports and other very usable information.

Full article: //m.banksfrench.com/article/3077339/triggered-netflow-bra-trick-of-the-trade.html#tk.rss_securenetworkaccess (tags: Security, Cisco Systems)
How to use Anycast to provide high availability to a RADIUS server Wed, 25 May 2016 09:58:00 -0700 Aaron Woland

After months of problems, they finally restored my access to my blog! After such a long silence, I am very happy to bring you this particular post. I'm sure many of you will find it at least cool in an "I'm a network geek" kind of way, or even better: you will find it educational and even make use of it in your own world.

This is a solution I have been wanting to write about for a long time now, and let's be clear—it is not mine. This entire post is owed to a long-time personal friend of mine who is also one of the most talented and gifted technologists roaming the earth today. His name is Epaminondas Peter Karelis, CCIE #8068 (Pete).

Pete designed this particular high-availability solution for a small ISE deployment that had two data centers, as is crudely illustrated by me in the below figure. 

Full article: //m.banksfrench.com/article/3074954/how-to-use-anycast-to-provide-high-availability-to-a-radius-server.html#tk.rss_securenetworkaccess (tags: Security, Router, Network Security, Cisco Systems)
Device administration with Cisco WLC Tue, 15 Dec 2015 06:16:00 -0800 Aaron Woland

I recently had to dive very deeply into doing device administration AAA with Cisco Wireless LAN controllers and the SourceFire/Cisco FirePower Manager software. Given the interest that others have shown, I decided to write this Blog entry to share my experience.

How Device Admin AAA works on the Cisco WLC

Device Administration with a Cisco Catalyst switch is capable of command-level authorizations. With the WLC, however, it is based on the sections of the menu system. It does not prevent access to those sections of the GUI, but instead prevents changes from being saved when inside a menu section that is not authorized. 

Figure 1 shows the different menus in the orange box, with three of the individual menus highlighted with a yellow box.  

Full article: //m.banksfrench.com/article/2982952/device-administration-with-cisco-wlc.html#tk.rss_securenetworkaccess (tags: Cisco Systems, Security, Network Security)
10 cool things about ISE 2.0 Tue, 03 Nov 2015 04:00:00 -0800 Aaron Woland

Sitting in my hotel room, after an evening of sake and war stories with the guys - what better thing to do than write a blog entry for you all to read and hopefully enjoy?

At the time of this writing, Cisco's ISE 2.0 has been in BETA and is soon to be released to the public. This may be the single most anticipated release ever, so why not go through some of the cool things that are in it? Here's my top 10 list. Some are big items, and some are just small little gems that I think everyone will love:

1. TACACS+ support for Device Administration AAA

It's no secret that I have been publicly vocal against adding device administration AAA to a product that is designed to be a Network Access AAA solution. If you had any doubts, just check out my RADIUS vs. TACACS blog entry from last year!  

Full article: //m.banksfrench.com/article/2989871/10-cool-things-about-ise-12.html#tk.rss_securenetworkaccess (tags: Cisco Systems, Network Security)
AnyConnect Day 0 support for Windows 10 and OSX El Capitan Wed, 29 Jul 2015 04:48:00 -0700 Aaron Woland

There is this sort of living legend at Cisco whose name is Pete Davis. Everyone who deals with security knows who he is because, frankly, he's awesome! The guy has forgotten more about remote-access VPN than most of us will ever know, and he's a total geek - which is the ultimate compliment from a guy like me.

Pete came to Cisco via the acquisition of Altiga, Cisco's former VPN 3000 series concentrator, the EZ VPN technology, and the classic Cisco IPSEC VPN client. He is also one of the original guys to come up with the AnyConnect concept for a light-weight client, using SSL VPN, being modular, pulling configurations from the policy server (ASA / ISE), etc.  

Full article: //m.banksfrench.com/article/2953517/anyconnect-day-1-support-for-windows-10-and-osx-el-capitan.html#tk.rss_securenetworkaccess (tags: Cisco Systems, Network Security)
Machine authentication and user authentication Sat, 18 Jul 2015 04:30:00 -0700 Aaron Woland

"My organization wants to authenticate the machine AND the user." 

That quote is something that I am hearing all the time from customers and implementers all over the world!  

Sometimes it gets quite funny. In June of 2015 I was presenting at the Cisco Live conference and one of the session attendees asked me "when is Cisco going to provide EAP Chaining for MAC OS"! My response was designed to elicit participation & garner more attention from audience members, which was to scream at the participant "Cisco doesn't write MAC OS!!!!" I immediately apologized for using him as a guinea pig & explained that I was just trying to make an entertaining point. He laughed right along with the rest of the room & I got away without offending him :)

Full article: //m.banksfrench.com/article/2940463/machine-authentication-and-user-authentication.html#tk.rss_securenetworkaccess (tags: Skills and Training)
Cisco ISE API for Certificate Provisioning Fri, 15 May 2015 14:26:00 -0700 Aaron Woland

When we added a certificate authority (CA) to Cisco's ISE in version 1.3, there was a tremendous interest level from the field. Companies were looking for this functionality to make BYOD and secure network access from endpoints more secure and there was a LOT of buzz about this functionality.

As the guy who flew all over the world carrying the "flag" for a built-in CA in ISE, forcing my message about why it was so important onto all the executives I could find, I was naturally ecstatic to see the success of something I had championed and fostered since inception.

However, as with everything, there is always a need for more! ISE admins all over the world felt it was great for the devices that are capable of onboarding, but they needed to issue endpoint certificates to devices that couldn't go through the automated onboarding process, such as Medical Devices, Point of Sale systems, Linux, etc.

Full article: //m.banksfrench.com/article/2922797/cisco-ise-api-for-certificate-provisioning.html#tk.rss_securenetworkaccess (tags: Skills and Training, Cisco Systems)
Give me my Attribute mapping back for Sponsor Groups Fri, 08 May 2015 10:44:00 -0700 Aaron Woland

In ISE 1.0 Cisco introduced an integrated Guest solution with a next-generation RADIUS-based policy server. That policy server was game-changing, certainly. Other companies responded to this market changing model by making some very strategic moves with their chess pieces to be similarly positioned.

Figure 1 shows an example of the ISE 1.2.x (and below) Sponsor Group Policy.

Figure 1 - 1.0 - 1.2.x Sponsor Policy (image: Aaron T. Woland)

While ISE 1.0 was and is an extremely powerful policy server, it was also viewed as being overly complex and not flexible enough in the areas of Guest life-cycle management. This was especially true when comparing ISE with its closest competitors in the guest access management space.

Full article: //m.banksfrench.com/article/2920287/give-me-my-attribute-mapping-back-for-sponsor-groups.html#tk.rss_securenetworkaccess (tags: Skills and Training, Access Control, Security, Cisco Systems)
RADIUS versus TACACS+ Sun, 26 Oct 2014 18:08:00 -0700 Aaron Woland

As a regular speaker at Cisco Live and other industry conventions, I have literally spoken to tens of thousands of industry professionals, and I have yet to experience a public speaking engagement where someone does not ask me "when will Cisco Identity Services Engine have TACACS+ support?"

I fully understand that there are millions of deployed instances of Cisco's Access Control Server (ACS) which is a AAA server that communicates with both RADIUS and TACACS+.  I fully understand that a large percentage of these deployments would like to replace their existing ACS deployment with an ISE deployment and gain all the newer functionality that has been added to ISE, and in order to do so they require ISE to have all the features that ACS has, including TACACS+ support. 

Full article: //m.banksfrench.com/article/2838882/radius-versus-tacacs.html#tk.rss_securenetworkaccess (tags: Access Control, Networking)
Industry Standards for Secure Network Access Mon, 18 Aug 2014 12:07:00 -0700 Aaron Woland

I'm amused at how often I hear negative comments about proprietary enhancements from Cisco. I am one of many (many, many, many) employees of Cisco who is actively involved in standards body organizations, including the IETF. Many of today's networking standards started out as proprietary solutions that were available years prior to the standards being completed.

As someone who is passionate not only about innovation in security but also about the standardization of those innovations, I thought I'd point out a few of the recent efforts that I've either been involved in, or am just very interested in.

Tunneled EAP (TEAP):

In May of this year, the Tunneled EAP (TEAP) specification was officially published as RFC 7170. This RFC officially makes Cisco's innovative use of EAP-Chaining in EAP-FASTv2 a standard that may be implemented in any 802.1X supplicant or authentication server. Note that, as with all EAP communication in a Dot1X environment, the EAP type is completely transparent to the authenticator (switch | wireless | etc.). This means that using TEAP does not require Cisco switches or wireless controllers, just a supplicant and an authentication server that both support the protocol.

Full article: //m.banksfrench.com/article/2466000/industry-standards-for-secure-network-access.html#tk.rss_securenetworkaccess (tags: Security, Skills and Training, Networking, Cisco Systems)
MAB with non-Cisco switches Thu, 07 Aug 2014 07:23:00 -0700 Aaron Woland

I'm sure Cisco would love to be the only network device vendor that its customers have, and to be honest, there are many companies where that is true. However, it is just not the reality for 100% of the companies that deploy Cisco ISE or ACS.

One item in particular that I am asked about frequently is MAC Authentication Bypass (MAB).  This is the process of a non-authenticating device (a device without an 802.1X supplicant running on it) connecting to a network with 802.1X enabled.  Since there is no supplicant to answer the EAP identity requests from the authenticator (switch, wireless controller, etc) the authenticator will generate the authentication request FOR the endpoint using the endpoint's MAC address as the username/password for the Access-Request message.

Full article: //m.banksfrench.com/article/2461433/mab-with-non-cisco-switches.html#tk.rss_securenetworkaccess (tags: Skills and Training, Network Security, Cisco Systems)
Simply put: How does certificate-based authentication work? Mon, 10 Mar 2014 12:07:00 -0700 Aaron Woland

I find a few universal truths when mentioning certificates to people. Most people I speak with consider them to be a very secure concept, almost without fail. However, upon mentioning that I want to talk about certificates, that person's face turns a slightly lighter shade, their eyes get a bit wider, and they have this immediate fight-or-flight instinct kick in.

Full article (Insider Story): //m.banksfrench.com/article/2226498/infrastructure-management-simply-put-how-does-certificate-based-authentication-work.html#tk.rss_securenetworkaccess (tags: Infrastructure, Network Security, Mobile Security, Networking, IDG Insider)
A primer on support for "Realm Stripping" Mon, 27 Jan 2014 15:14:00 -0800 Aaron Woland

I am often asked about support for “Realm Stripping,” albeit mostly by those in the university space. It’s an interesting concept, certainly. The idea is that someone will issue an identity that includes some “routing” information within the identity. For example, a user may issue a username of: johndoe@somedomain.com. From that username, the RADIUS server should be able to strip out the username “johndoe” and use the “@somedomain.com” to specify the identity store to query for the username and password.

Think about it. It would allow federation of identity in a pretty clean way, because my domain name is included as part of my username, and therefore your RADIUS server would be capable of asking my identity store to validate the user or not.

Full article: //m.banksfrench.com/article/2226225/a-primer-on-support-for-realm-stripping.html#tk.rss_securenetworkaccess (tags: Infrastructure)
Using the DogTag CA with ISE 1.2 Wed, 14 Aug 2013 12:33:00 -0700 Aaron Woland

Dog Tag is an Enterprise-class open source Certificate Authority that Red Hat purchased from AOL back in 2004.  Red Hat opened it up to the open source community in 2008.  Dog Tag supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management, and much more.

Most importantly, it is an available CA that has been tested for use with Cisco’s BYOD solution using Cisco’s Identity Services Engine 1.2 & newer.

Note: There is also an Enterprise level version of DogTag known as the Red Hat Certificate System.

Before we go any further, I need to send a huge call-out to Vivek Santuka who prototyped & pioneered this initiative at work.  Also a call-out to Brian Sak for updating the work that Vivek did.

Full article: //m.banksfrench.com/article/2225170/using-the-dogtag-ca-with-ise-1-2.html#tk.rss_securenetworkaccess (tags: Network Security, Mobile Security, Security)
Using VNC for Console Access to ISE (and other) VM's Tue, 06 Aug 2013 10:44:00 -0700 Aaron Woland

A little less than 1/2 of all Identity Service Engine installations are on VMWare.  Yes it’s true.  About 45% of all ISE nodes deployed in this world are Virtual.  What I don’t know is:  how many are in production and how many are in a lab.

Let me give you another statistic (my own).  When I work with a company that is using VMWare in production, 90% of the time the VMWare infrastructure is managed by a completely different team than the one who owns ISE & the management of the appliances (virtual and physical).

One more statistic.  Of that 90% who do not manage VMWare, 80% of those are not permitted to access the console of their ISE nodes.  That’s right, a security team that has a security appliance installed on a VMWare ESX server & is not permitted to access the console; only SSH / Web into the device.

Full article: //m.banksfrench.com/article/2225114/using-vnc-for-console-access-to-ise-and-other-vm-s.html#tk.rss_securenetworkaccess (tags: Network Security, Network Management, Access Control, Cisco Systems, VMWare)
What are wildcard certificates, and how do I use them with Cisco's ISE? Wed, 24 Jul 2013 14:53:00 -0700 Aaron Woland

A wildcard certificate is one that uses wildcard notation (an asterisk and a period in front of the domain name) and allows a single certificate to be shared by multiple hosts within an organization. An example CN value for a wildcard certificate's Subject Name would look like the following: *.company.local

If you configure a Wildcard Certificate to use *.company.local, that same certificate may be used to secure any host whose dns name ends in “.company.local”, such as:

  • aaa.company.local
  • psn.company.local
  • mydevices.company.local
  • sponsor.company.local

Figure 1 shows an example of using a wildcard certificate to secure a web site (specifically, the web interface of an ISE node).  Notice in figure 1 that the URL entered into the browser address bar is “atw-lab-ise01.woland.com”, but the certificate’s common name is “*.woland.com”.

Full article: //m.banksfrench.com/article/2225032/what-are-wildcard-certificates-and-how-do-i-use-them-with-ciscos-ise.html#tk.rss_securenetworkaccess (tags: Infrastructure, Network Security, Mobile Security, Cisco Systems)
Security Group Tagging basics Wed, 19 Jun 2013 15:09:00 -0700 Aaron Woland

In my last blog (which admittedly was a bit long and verbose) I discussed the changing landscape of identity networking. With identity networking there are many different ways to control network access based on user and device context. There are:

  • VLAN assignment, where access is controlled at the Layer 3 edge, or by separating that VLAN into a segmented virtual network (VRF)
  • ACL assignment, which can be a local ACL called as the action by a RADIUS attribute, or a downloadable ACL (dACL). These ACLs are applied at the ingress of the switch port, or of the virtual port in the case of the Wireless LAN Controller (WLC).
  • The topic we just touched on: a new, scalable enforcement mechanism known as Security Group Tagging.

This new technology, Security Group Tagging, is going to be the focus of today's blog.

Full article: //m.banksfrench.com/article/2224825/security-group-tagging-basics.html#tk.rss_securenetworkaccess (tags: Security, Mobile Security, Network Security, Cisco Systems)
The Changing Landscape of Identity Networking Mon, 03 Jun 2013 16:07:00 -0700 Aaron Woland

I was asked to travel to the 2013 InfoSec security conference in Europe this year, and speak about the trends I am seeing in the identity networking game, and possibly speculate on the future of identity in networking as I see it. So I thought to myself: "what a great blog post this could make."

The Phases of Identity Networking (as seen by an overworked identity nut like me):

Phase 1: [Circa late 1990's] Identity networking stems from the age-old question: "How do I Control Who Gains Access to the Network?" Along comes IEEE 802.1X! 802.1X provides Extensible Authentication Protocol (EAP) over Local Area Network (LAN) capabilities, to allow a client to transmit their identity credential into the network before gaining access.

Full article: //m.banksfrench.com/article/2224731/changing-the-landscape-of-identity-networking.html#tk.rss_securenetworkaccess (tags: Data Breach, Networking, Hardware, Cisco Systems)
How to hack the certificate for a Cisco Identity Services Engine node Tue, 19 Feb 2013 14:02:00 -0800 Aaron Woland

I just returned from a few weeks of travel in Europe, presenting at Cisco Live Europe and meeting with customers and partners. It became very clear that this blog was badly needed for many of the deployments we discussed, so following the load-balancing blog, I am following up with a blog on how to "hack" the certificate of a Cisco Identity Services Engine (ISE) node so that we can have entries in the Subject Alternative Name (SAN) field.

Why do we need to do this?

There will be plenty of occasions in which you'll want to reach ISE with a DNS name that is not the exact same as its hostname. If you've ever tried to reach an https:// website by IP address, you most likely have experienced the web browser arguing that the certificate name is mismatched and that the browser requires you to accept the warning in order to proceed. An example is shown below.

Full article: //m.banksfrench.com/article/2224062/how-to-hack-the-certificate-for-a-cisco-identity-services-engine-node.html#tk.rss_securenetworkaccess (tags: Data Breach, Infrastructure, Cisco Systems)
Which EAP types do you need for which identity projects? Wed, 12 Dec 2012 11:19:00 -0800 Aaron Woland

The more I interact with customers who are getting started with identity projects, the more I realize that a simple explanation and comparison of the differences between EAP types is needed.

For example, the general opinion I get from customers is that EAP-TLS is the most secure EAP type to use, because it is based on X.509 certificates. Okay, I can accept that opinion; but did you realize that EAP-TLS can also be used as an inner method of PEAP or EAP-FAST? No, not a watered-down version: the very same EAP-TLS protocol that can be used on its own can also be used inside a PEAP or EAP-FAST tunnel.

So for this blog entry, I want to examine the main (most common) EAP types and their uses.

Full article: //m.banksfrench.com/article/2223672/which-eap-types-do-you-need-for-which-identity-projects.html#tk.rss_securenetworkaccess (tags: Access Control)
How to properly use a load balancer in Cisco's Identity Services Engine Wed, 07 Nov 2012 10:56:00 -0800 Aaron Woland

So, this is my first blog post on here. Hope it goes well.

One of the most commonly asked questions of late is how to properly use a load-balancer with Cisco's Identity Services Engine. Here are some basic guidelines to use when configuring a Load Balancer for the ISE Policy Services Nodes (PSNs).

Understanding terms:

• PSN: Policy Services Node. The PSN is the ISE persona that handles all of the RADIUS requests and makes the policy decisions. If you are using profiling, the PSN is also handling the profiling for you.
• PAN: Policy Administration Node. The PAN is the ISE persona that handles all the database synchronization/replication, and provides the administrative GUI. This node must talk to the PSN directly, without going through NAT.
• VIP: Virtual IP Address. This is the IP Address that the Load Balancer listens on; it will redirect traffic destined to the VIP to the real IP Addresses of the servers in the Server Farm.
• Server Farm: The grouping of servers that will be load balanced when traffic is destined to the VIP.
• Endpoint: The actual device accessing the network.
• NAD: Network Access Device. The Access-Layer device (switch/wireless controller) that provides and enforces network access to the endpoint.
• SNAT: Source Network Address Translation. A function of load balancers that hides the source IP address of the NAD, which allows the load-balancer to run "out of band."
• Server NAT: The reverse of Source NAT. This hides the IP Address of the actual ISE PSN when it initiates communication to the NAD for things like Change of Authorization (CoA), replacing that IP Address with the VIP instead.

General Guidelines

When using a Load-Balancer (anyone's) you must ensure a few things.

Full article: //m.banksfrench.com/article/2223464/how-to-properly-use-a-load-balancer-in-cisco-s-identity-services-engine.html#tk.rss_securenetworkaccess (tags: Access Control, Cisco Systems)