If using the Cisco Firepower Management Center (FMC) to manage sensors such as the FTD, secure communication must be established between the FMC and the FTD. A registration key is defined on the FTD via the CLI, the device is then added within the FMC, specifying the same registration key entered on the CLI of the FTD. If successful secure connectivity between the 2 devices is established, the registration key is no longer used from this point on. This post will describe the steps to setup connectivity between the FTD and FMC, as well as some basic troubleshooting steps.
Step 1 – Define the Manager and Registration Key on the FTD
On the CLI of the FTD enter the command configure manager add
Step 2 – Configure the Device on the FMC
- Navigate to Devices > Device Management
- Click Add > Add Device
- Configure the FTD IP address, Display Name, Registration Key (the same key configured on the CLI of the FTD), select ACP and Smart Licensing options
- Finally click the Register button
If successful, the device will be added to the FMC, ready to be configured for use.
Continue reading “FTD registration with FMC”
MACsec provides secure communication on wired networks; it encrypts each packet on the wire so that communication cannot be monitored. There are 2 deployment types:- User facing/downlink MACsec or switch-to-switch MACsec.
When using downlink MACsec a supplicant that supports 802.1x with MACsec is required, Cisco AnyConnect version 3.0+ supports this functionality. When AnyConnect is configured with MACsec it authenticates the user/computer using 802.1x and then encrypts all traffic using MACsec that is sent to the directly attached Access Layer switch. Once the packet has been received by the Access Layer switch the packet is decrypted, this allows the possibility to apply QoS polices or monitor with Netflow. The switch could then route packet in clear text or if switch-to-switch MACsec is enabled re-encrypt the traffic.
Switch-to-Switch MACsec secures the packets on a hop by hop basis, decrypting and encrypting on each network device (meaning all traffic inside the switches are in clear text). The MACsec sessions are completely independent as they are routed through the network.
Continue reading “MACsec with Cisco AnyConnect and ISE”
Cisco ISE and Firepower can exchange attributes such as TrustSec SGT (Security Group Tag), endpoint profile information and IP address via pxGrid. These attributes can then be used in Firepower Access Control Policies to permit/deny access as required. In addition, this integration can also be used to quarantine users/hosts in the event the user performs a malicious activity. When Firepower detects the malicious activity this will match a correlation rule on the FMC, which instructs ISE to perform a remediation action such as sending a CoA (Change of Authorization) and quarantining the user by apply a DACL and/or applying a new SGT.
This post will describe how to configure the pxGrid integration between the FMC and ISE, it is assume that you already have a working ISE environment with users/computers authenticating using dot1x and a working Firepower FMC/FTD environment.
Refer to these previous ISE posts on how to configure ISE, dot1x authentication and more information about configuring TrustSec.
The following software versions were used:-
- Firepower Management Centre 22.214.171.124
- Firepower Threat Defence Virtual 126.96.36.199
- Identity Services Engine 2.4
- Windows Server 2008 R2 (Domain Controller and PKI)
- Windows 7 Enterprise
Continue reading “Cisco ISE pxGrid integration with Firepower”
This post will describe the process to install the FTD boot image and FTD system image v6.2.3 on a Cisco ASA 5506-X firewall. The images listed below will be required and can be downloaded from the Cisco website here.
In order to download the images to the ASA a TFTP, FTP or HTTP server will be required.
- TFTP Server (e.g. Solarwinds TFTP) required to load the Boot Image
- FTP or HTTP Server required to load the FTD System Image
Upgrade Boot Image
- Connect a console cable to the CONSOLE port on the ASA 5506-X
- Connect the MGMT interface into a switch on the same subnet as the TFTP/FTP/HTTP server and turn on the ASA
Continue reading “Install FTD 6.2.3 on Cisco ASA 5506-X”
The purpose of this blog post is to document the configuration steps required to configure Wireless 802.1x authentication on a Cisco vWLC v8.3 using Cisco ISE 2.4 as the RADIUS server.
Define AAA Servers
This post describes the procedure to reset the Cisco Wireless AP to factory defaults; you will need to connect a console cable to the AP in order to complete the procedure.
- Connect the console cable
- Unplug the power or network cable if connected to a POE switch
- Press and hold the Mode button
- Plug the power back into the AP
- Wait until the output on the console says button is pressed. Wait for button to be released…
- Once that message is displayed release the button and allow the AP to boot
Continue reading “Reset Cisco AP to factory defaults”
Adaptive Network Control (ANC) is a feature of Cisco ISE that can be used to monitor and control network access of authenticated (via ISE) endpoints. With ANC you have the ability to quarantine and endpoint by restricting access with a DACL or shutting down the interface. ANC is a manual process that can be triggered by an administrator. ANC requires ISE Plus License, the Base license is also required.
This post covers only the configuration of ANC and assumes Cisco ISE and 802.1x is setup and working. The posts below maybe useful to assist when configuring Cisco ISE and Cisco switches in order to authenticate users/computers with 802.1x.
Continue reading “Cisco ISE Adaptive Network Control (ANC)”