tag:blogger.com,1999:blog-314659082024-03-13T15:25:18.135-04:00Mike's Cisco Blog - Now Focusing on Not FocusingA blog dedicated the wild world of Cisco networking technologies. This blog has grown from a focus on Cisco MARS to now encompass other technologies I work with, such as VoIP and wireless.Mikehttp://www.blogger.com/profile/02937556218726287896noreply@blogger.comBlogger41125tag:blogger.com,1999:blog-31465908.post-54898241059247115862008-08-14T20:58:00.002-04:002008-08-14T21:02:26.306-04:00Cisco Security Agent 6.0 Out!For all you Cisco security freaks out there, the long awaited CSA 6.0 is now released. This latest version of Cisco Security Agent bring some great enhancements, including Vista agent support, an integrated signature-based anti-virus scanner, and a very cool data leakage protection (DLP) feature. I've been part of the beta the past couple months and have seen the terrific changes from 5.2 to 6.0. All you 5.2 owners with SAU, start downloading 6.0 and try it out. Checke the rather verbose release notes <a href="http://www.cisco.com/en/US/docs/security/csa/csa60/release_notes/CSA60RN.html">here</a>, and enjoy. If there's enough interest I can do a few posts on the new features bundled with 6.0.<br /><br />-MikeMikehttp://www.blogger.com/profile/02937556218726287896noreply@blogger.com73tag:blogger.com,1999:blog-31465908.post-44226121588579697322008-05-23T19:24:00.002-04:002008-05-23T19:29:00.018-04:00CCNP BCMSN: Passed!Just thought I'd share my excitement on succesfully passing my BCMSN exam this past Monday. This is my first CCNP-level exam and gets me renewed on my CCNA until 2011! The certification exams have certainly gotten more brutal. I was expecting lots of spanning tree questions, but there ended up being a lot of focus on QoS and HSRP/GLBP. Just goes to show you that anything is up for grabs with these exams. 
What should be next: ONT, ISCW, or BSCI?<br /><br />-MikeMikehttp://www.blogger.com/profile/02937556218726287896noreply@blogger.com5tag:blogger.com,1999:blog-31465908.post-31859967123115312812008-04-26T21:45:00.002-04:002008-04-26T21:54:11.812-04:00Mike's Blog: A New DirectionWhat's this... it's changing? Well, not really. The title of my blog is going to be changing (domain name still the same) to reflect the new direction I plan to take this blog. I try to focus on security, but with the project load I have, I'm finding not everything focuses on security. I'm learning a lot, much like everyone reading this. I want to share the ups and downs, and I think by lifting the security-focus of this blog, I can discuss topics on some of the newer systems I work on. You've already seen some posts about wireless and VoIP. I consider Chris over at <a href="http://ciscomars.blogspot.com/">The Unofficial MARS Blog</a> the man to go to about everything CS-MARS. I'd hate to take away any attention from him by having a competing blog (I never saw it as a competition), when he has a wealth of knowledge on MARS to share. I'll still post about MARS and security, but now you'll see some topics I previously saw as not necessary on a MARS/security blog. Stay tuned...<br /><br />-MikeMikehttp://www.blogger.com/profile/02937556218726287896noreply@blogger.com4tag:blogger.com,1999:blog-31465908.post-29596212577709951862008-04-20T11:49:00.003-04:002008-04-20T12:40:24.555-04:00Data Breach: Are You Next? - Part 2So last time I talked a little bit about the current state of affairs in IT security. We've seen attack that have gone from D0<span class="blsp-spelling-error" id="SPELLING_ERROR_0"><span class="blsp-spelling-error" id="SPELLING_ERROR_0">S'ing</span></span> perimeter system to application-based attacks that are stealthy and can cause <span class="blsp-spelling-corrected" id="SPELLING_ERROR_1">equal</span> or more damage. 
I wanted to dedicate this part of my series on Data Breaches to talking about way we can protect our data without spending money or burying ourselves in purchased solutions. Some of these may seem like standard practice, but take this opportunity to reflect on each of these and if there's a way to improve.<br /><br /><strong>Data Classification</strong><br />This long journey down the never-ending path of security starts with this key step. You must define what your organization sees as sensitive data. Something basic like <span class="blsp-spelling-error" id="SPELLING_ERROR_1">SSN</span> is practically a given in every company, but look beyond that and clearly define the data you consider sensitive. This can be credit card numbers, sales data, or any other type of data that is sensitive to your company. This is important, as you'll need to know the data to protect in order to define the rest of you security blueprint.<br /><br /><strong>Policies</strong><br />I can't speak enough about a good security policy. A policy defines a set of standards that yield repeatable results. So, if we take my definition of a policy and apply it to security, a good security policy will define security standards and yield results that consistently meet security standards. I don't think you can find a security book today that doesn't talk to having a firm security policy. I joke with one of my co-workers who is learning <span class="blsp-spelling-error" id="SPELLING_ERROR_2"><span class="blsp-spelling-error" id="SPELLING_ERROR_2">IPS</span></span>, and just about every chapter he turns to talks to implementing <span class="blsp-spelling-error" id="SPELLING_ERROR_3"><span class="blsp-spelling-error" id="SPELLING_ERROR_3">IPS</span></span> based upon your corporate security policies.<br /><br />I see too often that policies are too broad and are open for too much <span class="blsp-spelling-corrected" id="SPELLING_ERROR_4">interpretation</span>. 
A policy <em>must </em>be exact in it's definition, and the sum of all policies should reflect the security goal for an organization. Where do you start though? If you must define policies for all systems, how do you begin and provide immediate protection for day one? If you must start from the beginning, I urge you to define you policies for protection of you sensitive data, which I'll talk about next. This can include something as basic as password policies and something more complex like all sensitive data cannot travel using clear text protocols (FTP/Telnet/HTTP). I can't define how each organization should write a policy, but as we move onto our next discussion, I think the proper policy design should come to light.<br /><br /><strong>Know Your Data</strong><br />I want you to memorize this: you cannot protect the data you do not know about. This is similar to data <span class="blsp-spelling-corrected" id="SPELLING_ERROR_4">classification</span> above, but goes a step further. All too often, systems are implemented on-the-fly as <span class="blsp-spelling-corrected" id="SPELLING_ERROR_5">organizations</span> expand. This can cause a centralized data model to become more of a mesh, where data must be passed from system to system during processing. This means that data you previously classified as sensitive, is being passed through multiple systems. Take your sensitive data classification, and now map out where the data travels on the network and where it stays at-rest. This is very important, as you'll need to define auditing around these systems so you can record data access and flow.<br /><br /><strong>Audit Yourself</strong><br />The final practice you can use is auditing. I could go on-and-on about this, but I'll keep it brief. Now that you have your data defined, understand it's flow, and have the policies to protect it, check you work.... and check it often. This is auditing. 
Plan to review server/network security logs periodically for any <span class="blsp-spelling-corrected" id="SPELLING_ERROR_6">anomalies</span>. Get your system to log to a common location (a basic <a href="http://www.kiwisyslog.com/kiwi-syslog-daemon-overview/"><span class="blsp-spelling-error" id="SPELLING_ERROR_7">syslog</span></a> server will do), and use the central repository to audit access and flow of data. This is as important as every other step, because it keeps your policies and data in check, so you don't end up in the situation of not knowing where you sensitive data is again. Another great audit technique is trying to breach yourself. Take a security tool, such as <a href="http://www.nessus.org/nessus/"><span class="blsp-spelling-error" id="SPELLING_ERROR_8">Nessus</span></a>, and scan the systems defined in your sensitive data map. <span class="blsp-spelling-error" id="SPELLING_ERROR_9">Nessus</span> will audit the system for <span class="blsp-spelling-corrected" id="SPELLING_ERROR_10">vulnerabilities</span> and give recommendations how to patch or mitigate the issue.<br /><br />If you start this process by employing all of the above, you are well on your way to being secure. Some of these items may be trivial, but none of them are any less important then the others. I'll see you all next week for part 3 on this topic, where I'll talk about the current generation of security products to build a fortress around your data.<br /><br />-MikeMikehttp://www.blogger.com/profile/02937556218726287896noreply@blogger.com0tag:blogger.com,1999:blog-31465908.post-37103212133318391542008-04-12T16:04:00.005-04:002008-04-12T17:31:00.268-04:00Data Breach: Are You Next? - Part 1I thought I'd take some time to have a little talk about the growing trend of data breaches at organizations. 
There's no lack of these in the news, with the most recent being the loss of over 4 million credit cards by <span class="blsp-spelling-error" id="SPELLING_ERROR_0"><span class="blsp-spelling-error" id="SPELLING_ERROR_0">Hannaford</span></span>. This gained a lot of publicity due to the scale of the breach. Just look at this month alone... there's already been 9 reports of data stolen from companies/organizations. I think it makes this an appropriate time to talk openly about breaches like the one at <span class="blsp-spelling-error" id="SPELLING_ERROR_1"><span class="blsp-spelling-error" id="SPELLING_ERROR_1">Hannaford</span></span>, and what options network professionals have to combat these attacks.<br /><br />If you're on my blog, you're at least starting in the right direction. Not every issue can be solved with money though, and that's the same with IT security. Security isn't something you implement or buy, security becomes a methodology by which you deploy all systems. The most secure networks can be ridden with applications that can leave holes open that firewalls can't protect against. These type of attacks are becoming the fad of data breaching. Previous hacks involved finding a way to <span class="blsp-spelling-error" id="SPELLING_ERROR_2"><span class="blsp-spelling-error" id="SPELLING_ERROR_2">DoS</span></span> (denial-of-service) attack perimeter security measures, then breaching the systems behind them. The latest wave of attacks are much more intelligent and stealthy. These attacks actually target application vulnerabilities and inject malicious code on systems that are trusted by <span class="blsp-spelling-error" id="SPELLING_ERROR_3">perimeter</span> application servers. A common form of this is <span class="blsp-spelling-error" id="SPELLING_ERROR_4"><span class="blsp-spelling-error" id="SPELLING_ERROR_3">SQL</span></span> injection. 
<span class="blsp-spelling-error" id="SPELLING_ERROR_5"><span class="blsp-spelling-error" id="SPELLING_ERROR_4">SQL</span></span> injection allows the attacker to execute raw <span class="blsp-spelling-error" id="SPELLING_ERROR_6"><span class="blsp-spelling-error" id="SPELLING_ERROR_5">SQL</span></span> code against <span class="blsp-spelling-error" id="SPELLING_ERROR_7"><span class="blsp-spelling-error" id="SPELLING_ERROR_6">backend</span></span> database servers. Within a few steps from the <span class="blsp-spelling-error" id="SPELLING_ERROR_8"><span class="blsp-spelling-error" id="SPELLING_ERROR_7">initial</span></span> <span class="blsp-spelling-error" id="SPELLING_ERROR_9"><span class="blsp-spelling-error" id="SPELLING_ERROR_8">SQL</span></span> injection attack, the attacker has access to system level commands deep within the <span class="blsp-spelling-error" id="SPELLING_ERROR_10"><span class="blsp-spelling-error" id="SPELLING_ERROR_9">backend</span></span> database servers. The most hardened <span class="blsp-spelling-error" id="SPELLING_ERROR_11">perimeter</span> ASA (<span class="blsp-spelling-error" id="SPELLING_ERROR_12"><span class="blsp-spelling-error" id="SPELLING_ERROR_10">Cisco</span></span> Adaptive <span class="blsp-spelling-corrected" id="SPELLING_ERROR_13">Security</span> Appliance) won't block these ports, as the traffic is passed via standard web ports.<br /><br />So what can we do? Is the answer to write more secure applications? That's one important change that can happen, but defenses cannot be left to the applications alone. Looks to part 2 of this series where I'll talk more in details about the <span class="blsp-spelling-corrected" id="SPELLING_ERROR_14">logistics</span> of these attacks and how you can defend with little investment in current technology. Part 3 will look at how we secure the environment end-to-send, and use MARS to correlate the massive amount of security data into actionable events. 
Happy defending...<br /><br />-MikeMikehttp://www.blogger.com/profile/02937556218726287896noreply@blogger.com0tag:blogger.com,1999:blog-31465908.post-80654970635066394152008-03-08T23:17:00.003-05:002008-03-08T23:28:02.129-05:00CMPC v1.5 In the Wild!I'm <span style="font-family:georgia;">happy</span> to announce v1.5 is now released and available to download <a href="http://www.mediafire.com/?pdwjevtb3dz">here</a>. This version includes a number of enhancements and new packages. Here's some snippets from the release:<br /><br /><span style="font-family:courier new;">- Added support for CCO tree-style release listing.<br />- Removed restriction on number of runtime arguments.<br />- Added the following package options for notifications:<br />- Cisco Wireless LAN Controllers<br />- Cisco Wireless Control System<br />- Cisco ACS (Windows Version)<br />- Cisco VPN 3000 Concentrator<br />- Cisco VPN Client for Windows<br />- Cisco CSS 11500<br />- Cisco WAAS<br />- Added the ability for CMPC to check your current MARS apppliance version via SSH.</span><br /><span style="font-family:arial;"></span><br /><br /><span style="font-family:courier new;">CONFIGURING CMPC TO CHECK MARS APPLIANCE VERSION<br />================================================<br />CMPC now has the ability to check your MARS appliance version via SSH. This is made possible by use of libraries from the SharpSSH project (<a href="http://sharpssh.sourceforge.net/">http://sharpssh.sourceforge.net/</a>). There is a bit of configuration to make this possible. 
First, make sure the following dlls from the releases zip file are in the CMPC running directory:<br /></span><br /><span style="font-family:courier new;">DiffieHellman.dll<br />Org.Mentalis.Security.dll<br />Tamir.SharpSSH.dll</span><br /><span style="font-family:courier new;"><br />Now you'll need to add the following lines to your config.xml file:<br /></span><span style="font-family:courier new;">SEE RELEASE NOTES<br /><br />The "mars_check_version" field should be set to "1" to enable the processing of your MARS appliance. Switch to "0" (or anything besides 1) to disable this feature). You'll also need to make sure your pnadmin password is encrypted in the XML file. Run CMPC like so to have it encrypt your password.<br /><br />Example: "C:\>cmpc.exe --encryptpass <mars>"<br /><br />Now when you run CMPC with the --ciscomars option, it will get the current software version of your MARS appliance and add that to the e-mail notification.<br /><br /></span><span style="font-family:georgia;">Enjoy this latest release and any comments or issues let me know.</span><br /></span><span style="font-family:georgia;"></span><br /><span style="font-family:georgia;">-Mike</span>Mikehttp://www.blogger.com/profile/02937556218726287896noreply@blogger.com4tag:blogger.com,1999:blog-31465908.post-86859255581550338232008-03-01T23:55:00.002-05:002008-03-02T00:03:04.514-05:00User Question: MARS on 3rd Party Hardware?Another great question from the community. Fabio writes in and asks:<br /><br /><blockquote>Does <span class="blsp-spelling-error" id="SPELLING_ERROR_0">Cisco</span> Mars come only on box or could I get the software and install it on<br />my server?</blockquote>The short answer: No. But why? I'm sure in a way it has to do with costs and how <span class="blsp-spelling-error" id="SPELLING_ERROR_1">Cisco</span> is able to required <span class="blsp-spelling-error" id="SPELLING_ERROR_2">Cisco</span> hardware to be used. There's also less cynical reasons. 
One <span class="blsp-spelling-corrected" id="SPELLING_ERROR_3">that</span> I know of is that MARS is using Oracle embedded for it's database. As part of using Oracle on an appliance and having it licensed as embedded, is that the distributor of the appliance must no allow users to alter the database or exploit it for unlicensed purposes. Mandating the use of a purchased appliance keeps greater control over how the software is installed and the <span class="blsp-spelling-corrected" id="SPELLING_ERROR_4">experience</span> it provides to it's users. Hope this helped!<br /><br />-MikeMikehttp://www.blogger.com/profile/02937556218726287896noreply@blogger.com295tag:blogger.com,1999:blog-31465908.post-29543574151438657462008-02-28T21:54:00.002-05:002008-02-28T22:05:23.285-05:00Unified Communications Manager: 6.0(1) to 6.1(1) Stalled UpgradeWhat's this... Cisco voice now? I'm working on a few Cisco voice projects right now so you'll see some posts in the future about the exciting voice offerings from Cisco. Today I was running an upgrade of our Unified Communications Manager (UCM, formerly CallManager) to version 6.1(1) from 6.0(1). The upgrade went well for about 45 minutes, and then seemed to stall out. The update log, viewable on the web console from OS Administration -> Software Upgrades -> Install/Upgrade, was "stuck" on this step:<br /><br /><span style="font-family:courier new;">Create new OS image for future upgrades</span><br /><br />Come to find out, this was just a <span class="blsp-spelling-error" id="SPELLING_ERROR_0">UI</span> log issue. By refreshing the page I was able to see the upgrade completed. I made the new partition active and the upgrade worked great. When in doubt... 
refresh.<br /><br />-MikeMikehttp://www.blogger.com/profile/02937556218726287896noreply@blogger.com2tag:blogger.com,1999:blog-31465908.post-45489767122321121112008-02-24T16:52:00.003-05:002008-02-24T16:57:46.492-05:00Congrats to Chris @ The Cisco MARS Blog!Doing my normal scouring on the Internet, I see <a href="http://www.networkworld.com/community/node/25115">Network World</a> has posted a list of the top 20 Internet resources for Cisco networking professionals. The list is chock full of great sites, and my friend Chris from http://ciscomars.blogspot.com has been listed in the top 20. I just wanted to say congrats to Chris and all the other great Cisco bloggers out there. They all deserve the recognition of dedicating their free time to sharing the wealth of knowledge they all have.<br /><br />-MikeMikehttp://www.blogger.com/profile/02937556218726287896noreply@blogger.com3tag:blogger.com,1999:blog-31465908.post-10462153321946503902008-01-28T10:12:00.001-05:002008-01-28T10:21:38.658-05:00Cisco Nexus 7000: Next Generation Data Center SwitichingWhile doing some work this morning, I stumbled across a product announcement from <span class="blsp-spelling-error" id="SPELLING_ERROR_0">Cisco</span> that is pretty exciting. <span class="blsp-spelling-error" id="SPELLING_ERROR_1">Cisco</span> has introduced a new line of data center-class switching known as the <a href="http://www.cisco.com/en/US/products/ps9512/index.html">Nexus 7000 Series Switch</a>. That name is about as catchy as it gets! Reviewing some of the information <span class="blsp-spelling-error" id="SPELLING_ERROR_2">Cisco</span> has about this next generation platform, there's a slew of innovations that include security and availability. 
Here's what the new behemoth looks like:<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixCTJ6rK-Q9A7n0eX5-0L7e-rYVtLinz6G8pYB8Kjvd6TPlc28n_IjaCIBUq3qC4ztYfAYQWEnr5BQTNEYzO0QYS5DF9zcclabVwwlG6hwjh51fBErbn45Qid2Y4zu6pKBciT0/s1600-h/nexus7000.jpg"><img id="BLOGGER_PHOTO_ID_5160546649693085506" style="CURSOR: hand" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixCTJ6rK-Q9A7n0eX5-0L7e-rYVtLinz6G8pYB8Kjvd6TPlc28n_IjaCIBUq3qC4ztYfAYQWEnr5BQTNEYzO0QYS5DF9zcclabVwwlG6hwjh51fBErbn45Qid2Y4zu6pKBciT0/s320/nexus7000.jpg" border="0" /></a><br />There's a lot of details about this new platform on <span class="blsp-spelling-error" id="SPELLING_ERROR_3">cisco</span>.com. Make sure to check it out and read about the features included in it's OS known as the <a href="http://www.cisco.com/en/US/prod/collateral/iosswrel/ps9494/ps9372/Data_Sheet_NX-OS_Software_Release_4.html"><span class="blsp-spelling-error" id="SPELLING_ERROR_4">NX</span>-OS</a>. The link-layer <span class="blsp-spelling-error" id="SPELLING_ERROR_5">AES</span> encryption looks <span class="blsp-spelling-corrected" id="SPELLING_ERROR_6">particularly</span> interesting for those wondering about the security benefits of the platform. When I get a chance I'll browse the available info and share anything interesting I find.<br /><br />-MikeMikehttp://www.blogger.com/profile/02937556218726287896noreply@blogger.com2tag:blogger.com,1999:blog-31465908.post-18561274803099418782008-01-25T15:40:00.000-05:002008-01-25T15:55:30.418-05:00User Question: Difference Between Gen 1 & Gen 2Blogger user <span style="font-style: italic;">axiom</span> posted this question in response to my recent post about the EOL/EOS announcement from Cisco about the MARS Generation 1 platform:<br /><br /><blockquote>How do you find out if your product is a Gen 1 or Gen 2 product?</blockquote><br />This is a great question. 
The easiest way is to visually look at the appliance and the difference will be apparent (click the images for larger versions).<br /><br />Cisco MARS Generation 1 Appliance<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9CxFvhyy3YgypDOTTNzyBpJTaSoldoQBttjrsE4ia7AOpv07yEV9Z3qrYQ3EyqUlFqXuj3sv_Vw8JkkElKAmWgHJ3JQjp9mgTs3G7iAG4jz7TTONpEskG9vyIfkUOwgOdu4N6/s1600-h/marsgen1.JPG"><img style="cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9CxFvhyy3YgypDOTTNzyBpJTaSoldoQBttjrsE4ia7AOpv07yEV9Z3qrYQ3EyqUlFqXuj3sv_Vw8JkkElKAmWgHJ3JQjp9mgTs3G7iAG4jz7TTONpEskG9vyIfkUOwgOdu4N6/s320/marsgen1.JPG" alt="" id="BLOGGER_PHOTO_ID_5159520624955744050" border="0" /></a><br /><br />Cisco MARS Generation 2 Appliance<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnb2eM52U9Ia6A2k4LcDfD5amNViHb6kAPj1XHHBrWfftdbiQcekOdgphlN7rlsbzbLFTzVdoZYIF06jsY2oMVQlRmRXJQacpJ41AqH2KWoNNsTd9FDSg_Kt3JUGIBkfpVppYL/s1600-h/marsgen2.JPG"><img style="cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnb2eM52U9Ia6A2k4LcDfD5amNViHb6kAPj1XHHBrWfftdbiQcekOdgphlN7rlsbzbLFTzVdoZYIF06jsY2oMVQlRmRXJQacpJ41AqH2KWoNNsTd9FDSg_Kt3JUGIBkfpVppYL/s320/marsgen2.JPG" alt="" id="BLOGGER_PHOTO_ID_5159519632818298658" border="0" /></a><br /><br />As you can see, the gen 2 appliance has the common Cisco logo and color scheme. The 2nd generation represents the migration of the MARS platform to a standard hardware configuration governed by Cisco. The gen 1 appliances has had known hardware issues that were the result of poort components used by Protego (acquired by Cisco for the MARS product line) within the MARS appliance. 
The gen 2 models now use all Cisco certified components and show significant performance and reliability increases versus the gen 1 platform.<br /><br />You can also SSH into the appliance and run the command <span style="font-family:courier new;">show version</span>. Any version 4.x is a gen 1 appliance, while version 5.x is a gen 2 appliance. I hope this brief post answered your question axiom and can help others discern between the MARS generations.<br /><br />-MikeMikehttp://www.blogger.com/profile/02937556218726287896noreply@blogger.com0tag:blogger.com,1999:blog-31465908.post-69746034642484666082008-01-05T00:24:00.001-05:002008-01-25T15:13:50.288-05:00CMPC v1.4 Released!As promised, the latest version of CMPC is now available. You can download v1.4 from <a href="http://www.mediafire.com/?5lkv40db9cx">here</a>.<br /><br />Please read the readme for information about important updates in this release. Take special note about the inclusion of encryption to your CCO password information in your config.xml file. Here's the info from the readme:<br /><br /><span style="font-family:courier new;">CONFIGURING CCO PASSWORD ENCRYPTION AND CMPC</span><br /><span style="font-family:courier new;">============================================<br />A long standing issue I've had with CMPC has been the fact that users were leaving their passwords as clear-text in the config.xml. Users will now be required to place encrypted passwords in the config.xml. Encryption is handled by running CMPC like so:</span><br /><span style="font-family:courier new;"><br />Example: "C:\>cmpc.exe --ccoencryptpass SomePassword"<br /><br />Upon running this you'll receive a dialog box with the new CCO password line for use in your config.xml file. 
Unencrypted passwords are NOT supported in the config.xml file beginning with release 1.4.</span>Mikehttp://www.blogger.com/profile/02937556218726287896noreply@blogger.com23tag:blogger.com,1999:blog-31465908.post-36410366944441118612007-12-27T17:44:00.000-05:002008-01-04T15:15:50.569-05:00CMPC Testers Needed!The newest version of CMPC is nearing release. It's functionality has been restored since the Cisco switch to the new login scheme, along with some enhancements. Before I release it I'd like a brave soul or two to test it to make sure the new authentication class is working, along with testing some of the newer functionality. Expect a release soon after. Sorry again for it breaking<br />previously.<br /><br /><strong>NOTE: Testing completed. Thanks to all. Release coming soon!</strong><br /><br />-MikeMikehttp://www.blogger.com/profile/02937556218726287896noreply@blogger.com0tag:blogger.com,1999:blog-31465908.post-79283015506328691702007-12-23T14:37:00.000-05:002007-12-23T14:42:06.659-05:00CS-MARS Generation 1 EOL/EOS AnnouncementFor all CS-MARS customers with gen 1 appliances, <span class="blsp-spelling-error" id="SPELLING_ERROR_0">Cisco</span> has formally announced <span class="blsp-spelling-error" id="SPELLING_ERROR_1">EOL</span>/<span class="blsp-spelling-error" id="SPELLING_ERROR_2">EOS</span> for the product line. You can find the detail <a href="http://www.cisco.com/en/US/products/ps6241/prod_eol_notice0900aecd807189ef.html">here</a>. I'd recommend talking to your <span class="blsp-spelling-error" id="SPELLING_ERROR_3">Cisco</span> account rep about replacement of the gen 1 appliance with a gen 2. The 2<span class="blsp-spelling-error" id="SPELLING_ERROR_4">nd</span> generation of MARS appliances have numerous enhancements to speed and reliability. 
I had a <span class="blsp-spelling-corrected" id="SPELLING_ERROR_5">dialogue</span> with <span class="blsp-spelling-error" id="SPELLING_ERROR_6">TAC</span> about issues we were having and it seems that the 1st generation of hardware (labeled <span class="blsp-spelling-error" id="SPELLING_ERROR_7">Protego</span>) had numerous issues due lackluster hardware. This is why <span class="blsp-spelling-error" id="SPELLING_ERROR_8">Cisco</span> created the 2<span class="blsp-spelling-error" id="SPELLING_ERROR_9">nd</span> generation of hardware outfitted with components that meet <span class="blsp-spelling-error" id="SPELLING_ERROR_10">Cisco's</span> hardware requirements. Lean on your account reps to get replacements for you 1st generation appliance if you had issues. TAC and the account teams know of the issues and are willing to help. Keep in mind that TAC cannot upgrade you to a 2nd generation appliance, only your account team can.<br /><br />-MikeMikehttp://www.blogger.com/profile/02937556218726287896noreply@blogger.com2tag:blogger.com,1999:blog-31465908.post-52214042627375178612007-12-21T11:21:00.000-05:002007-12-21T11:29:17.183-05:00Cisco NAC Appliance 4.1(3) ReleasedCisco had promised version 4.1(3) of their NAC appliance would be out for Christmas. Talk about cutting it close. The latest version was just released (found by luck, I miss my CMPC!) and can be downloaded off of CCO. Release notes can be found <a href="http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/413/413rn.html">here</a>. 
Some major enhancements are:<br /><ul><li>New web agent for client scanning</li><li>Enhanced HA support (fixes the ARP issue of switching IPs it seems)</li><li>Enhanced guest access option (policy acceptance and flexible ID fields)</li><li>OOB enhancement for VoIP environments</li></ul><p>Get downloading!</p><p>-Mike</p>Mikehttp://www.blogger.com/profile/02937556218726287896noreply@blogger.com0tag:blogger.com,1999:blog-31465908.post-5472020649127862442007-12-20T09:58:00.000-05:002007-12-20T10:11:07.179-05:00CS-MARS Package Checker (CMPC) Broken!Your comments haven't fallen of deaf ears at all. My beloved CMPC is no longer working. It looks like Cisco changed the authentication schema to their website and now uses forms-based authentication (seen <a href="https://www.cisco.com/authc/forms/CDClogin.fcc">here</a>) rather than the previous method of an authentication pop-up. This has broken my CiscoWebReader class that was used to authenticate to CCO and pull package information. It looks they use SSL for authentication, along with requiring cookies and generating a new viewstate for each session. Well, I'm no developer but I'm re-writing the CiscoWebReader class to get around these hurdles. Expect to see more new on CMPC, along with enhanced features and a new name coming soon. A big sorry to all of those that have used CMPC and lost it's functionality.<br /><br />-MikeMikehttp://www.blogger.com/profile/02937556218726287896noreply@blogger.com0tag:blogger.com,1999:blog-31465908.post-19651542563518453022007-07-04T17:40:00.000-04:002007-07-04T17:44:56.362-04:00CS-MARS Package Checker (CMPC) v1.2 Released!As promised... the latest CMPC is now available for download. 
Here's what's been updated:<br /><br />
- Re-written to no longer run as a command line executable (no more black box popping up!)<br />
- Added the following package options for notifications:<br />
 - Cisco Adaptive Security Appliance OS and Device Manager<br />
 - Cisco PIX Security Appliance OS and Device Manager<br />
 - Cisco Security Manager<br />
 - Cisco IPS v6 OS updates<br />
 - Cisco IPS v6 signature updates<br />
 - Cisco Security Agent Management Center<br />
 - Cisco Anomaly Detector<br /><br />
The latest version can be downloaded from <a href="http://www.mediafire.com/?7xgxllle3sr">here</a>.

<strong>Cisco ASA v8.0 and AnyConnect VPN Client Released!</strong> (posted 2007-06-18)<br /><br />
To all those loyal Cisco VPN customers, some exciting news. Cisco has announced the release of ASA 8.0 and the long-awaited AnyConnect VPN Client. Release notes for ASA 8.0 can be found <a href="http://www.cisco.com/en/US/products/ps6120/prod_release_note09186a00808045d1.html">here</a>, while release notes for AnyConnect can be found <a href="http://www.cisco.com/en/US/products/ps8411/prod_release_note09186a008086536c.html">here</a>. Lots of reading to keep everyone busy. Very exciting news for those admins waiting to support Vista VPN connections. Hopefully I'll get some time in the coming weeks to get this loaded into the lab and play around with it. Expect ASA and AnyConnect updates to be available for notification via CMPC very soon!<br /><br />
-Mike

<strong>Some of My Favorite Links</strong> (posted 2007-06-15)<br /><br />
I know my blog may seem like the <em>best</em> resource for everything networking, but I have to share the love (hmm... if Blogger only had a button for showing sarcasm). There are some terrific resources available out there, and I wanted to dedicate a post to linking to some fellow bloggers and projects from around the Internet.<br /><br />
Blogs:<br />
- <a href="http://ciscomars.blogspot.com/">Cisco MARS Blog</a> - A terrific blog operated by Chris from the UK. Chris shares a wealth of knowledge about his MARS experiences in his excellent and detailed posts.<br />
- <a href="http://network-response.blogspot.com/">Network Response</a> - Another terrific blog by Chris. This one is more focused on security offerings from Cisco other than MARS.<br />
- <a href="http://www.ciscoblog.com/">Cisco Blog</a> - A general Cisco blog from JC. Offers some very well written posts about some advanced Cisco networking topics. Gave me the inspiration to start this blog.<br /><br />
Projects (free network sh*t!!):<br />
- <a href="http://www.cacti.net/">Cacti</a> - An amazing open-source project aimed at providing an easy-to-use web interface for graphing a variety of SNMP statistics. Highly customizable, with a very extensive plugin offering available via their forums. I'll soon integrate this into CMPC to provide notification when updates are available.<br />
- <a href="http://iptrack.sourceforge.net/">IPPlan</a> - Another amazing open-source project. This one aims to provide an architecture to manage IP address tracking and provisioning. If you have any more than 5 subnets... download this and love it. I'll soon integrate this into CMPC to provide notification when updates are available.<br />
- <a href="http://www.nessus.org/download/">Nessus</a> - This software provides one of the most extensive network threat scanners I have ever dealt with. It used to be very hard to use and configure... but the Windows version is ridiculously easy to configure. I'll soon integrate this into CMPC to provide notification when updates are available.<br /><br />
-Mike

<strong>CS-MARS Package Checker (CMPC) v1.0.0.0 Released</strong> (posted 2007-06-14)<br /><br />
I'm pleased to announce the first release of CMPC v1.0.0.0. You may download the distribution from the following location:<br /><br />
<a href="http://www.mediafire.com/?c2wwmbmbzxh">http://www.mediafire.com/?c2wwmbmbzxh</a><br /><br />
Enjoy and leave feedback!<br /><br />
-Mike

<strong>CS-MARS Package Checker (CMPC) v1.0.0.0 Upcoming Release</strong> (posted 2007-06-13)<br /><br />
As promised... CS-MARS Package Checker (CMPC) will be released within the next 24 hours. I'm finalizing some code clean-up and the first release should be ready very soon. As a preview, here's the readme that will be included with the release (doesn't paste well into Blogger...
sorry for formatting):<br /><br />
<pre>
CS-MARS Package Checker (CMPC) v1.0.0.0 readme.txt
Updated June 11, 2007 by Mike

Send all feedback/comments/problems to ****** or let me know on my
blog at <a href="http://cs-mars.blogspot.com/">http://cs-mars.blogspot.com</a>

WHAT IS CS-MARS PACKAGE CHECKER?
================================

CS-MARS Package Checker (more easily written as CMPC) is a tool to help the
growing user community of the Cisco MARS appliance keep its rules up-to-date.

It's very basic by design, but wildly useful. It quite simply parses the
required information from an XML configuration file, uses the CCO credentials
to log into cisco.com to check for updated packages, and e-mails the results
to a specified e-mail address.

CMPC is currently developed as a command line executable. This was easier to
port nearly directly from the first implementation written in Perl under Linux.
Feedback is appreciated on the design, but it is already planned to migrate to
a standard executable.

INSTALLATION
============

The installation of CMPC is rather basic:
- Extract the program archive cmpc.zip. This archive should contain:
  - cmpc.exe
  - config.xml
  - readme.txt

- You may place these files wherever you see fit. The only requirement is that
  cmpc.exe and config.xml are within the same directory. The easiest
  location may be something such as C:\CMPC\

CONFIGURING CMPC TO RUN
=======================

Configuration of CMPC for runtime is handled through the included config.xml
configuration file. Open the file in your favorite text editor and fill in all
fields like so:

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<configuration>
<cco_username>someuser@company.com</cco_username>
<cco_password>Securepassword123</cco_password>
<smtp_server>smtp.company.com</smtp_server>
<smtp_from_to>myemail@company.com</smtp_from_to>
</configuration>

Please keep in mind that all fields are required. Certain validity checks are
run while CMPC is processing, but a majority of issues running this program are
sourced from an incorrect config.xml. Support is always available on my blog
or by e-mailing me at ******.

REMOVAL
=======

Simply remove the directory in which you installed CMPC.

PROBLEMS USING CMPC
===================

CMPC has been developed to catch most exceptions and give informative errors
when issues occur. That being said, errors do occur that I may not catch. If
you are running the cmpc.exe executable from Windows XP, the error output may
be hard to catch as the dialog will close after erroring. To solve this, open
up the Windows XP command prompt and run the cmpc.exe executable from there.
This should allow you to see the error output. If you receive a cryptic error
message, let me know and I'll debug the code on my side.

CMPC HISTORY
============

Apr 27, 2005 v1.0.0.0

- Initial release.
</pre>

<strong>CS-MARS Package Checker: Keeping your MARS appliance up to date</strong> (posted 2007-06-02)<br /><br />
I just thought I'd put up a quick blurb about an upcoming release that will be showing up on this blog soon. I'm in the process of finalizing a program I originally wrote for myself that helps me keep my MARS appliance (and some other Cisco products) up to date. The concept behind the program is for it to automatically check CCO, on a defined schedule, for the latest device packages and e-mail them to you.<br /><br />
CS-MARS, like most security devices, is only as useful as the known threats built into the device. Anyone who operates an IPS/IDS device knows how critical it is to keep such a device up-to-date. CS-MARS is no different. Cisco provides no avenue for automated update checking, so rather than remembering to check CCO every once in a while for packages, this program does it all for me, and soon for you.<br /><br />
It's very basic in operation.
It was originally written in Perl and ran under Linux, but has since been ported to C# for usability. It's an executable and an XML configuration file, and scheduling is done through Windows (Scheduled Tasks). Simply configure the XML file with your CCO credentials, SMTP server, and the From/To mail account. After that, you can execute the program at your leisure or schedule it through Windows.<br /><br />
Though this may sound simple, it's a wildly useful tool. It's so useful that I've begun re-writing it to allow checking of other packages. It now e-mails me daily with the latest packages for CS-MARS, Unified Wireless, ASA/PIX images, and WAAS updates. Don't expect the first release to have the feature of checking for updates for other products, but it is a planned add-on for later releases. Input about other products you'd like to see have similar notifications is welcomed. Just add a comment to this post!<br /><br />
I'm bringing up the topic of this app now because I don't want my blog to simply be me throwing information up onto the Internet (though if I drink Jack Daniels... well... different topic). I want input from anyone that has anything to say. I'm wrapping up development now in my free time, but I'd like to hear input about whether this would be useful or not. Drop a comment or two and expect to see the release in the coming weeks.

<strong>Unified Wireless Guest Access: Authenticating Users</strong> (posted 2007-05-25)<br /><br />
Continuing on my series on Unified Wireless Guest Access, I want to dive further into detail about configuring authentication for guest users. Why even go so far as to make the users authenticate? Well, the most obvious answer is security. If you have open access with no authentication, any user can just walk into your facility, or even sit just outside if the wireless coverage allows it, and be on your network. Though they'll be limited to Internet access, any bandwidth allotted can be saturated by an unknown user. Imagine having a saturated Internet connection and all you have is a MAC address to identify the user with.<br /><br />
So what type of options does Cisco give us for "out-of-the-box" authentication of users? We have:
<ul>
<li>Web Policy - Authentication</li>
<li>Web Policy - Passthrough</li>
<li>Web Policy - Conditional Web Redirect</li>
</ul>
<p>For actual guest user authentication, I'm going to focus on using the "Web Policy - Authentication" option. Using this security policy (as configured under our guest SSID), a guest user is redirected to log in when his/her wireless card has just associated to an open SSID and a browser is opened. This is very similar to setups you see in hotels and airports. For this example we will use the canned authentication scheme that Cisco has designed. This requires that a username and password be created for every guest user. With this username/password combination, he or she will authenticate to the guest SSID and be given guest wireless access for a defined period of time.</p>
<p>The first place to start is with the basic guest authentication screen. This is accessed by clicking Security -> Web Login Page. You can do some basic HTML customization and change titles. Use and abuse the "Preview..." button to make sure it looks the way you expect. Next... let's take a look at how a guest user is created. Click on Security -> AAA: Local Net Users -> New... Fill out the fields as seen below. Make sure to create the user as a Guest user so you can enable timing out the account. Once the account is created... the user may now log in through the guest web portal you designed above.</p>
<img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioklj78kKvmxzVfjnZDoZYXm96WD6sPHOZQBpPy-4rFdRT8ZQIfJgumdpw2zO5bzVrRe4eyglquhDH1nA6mS_xgOKpfOHEXMeRuoN0qolBzHvwcP7nonp6vKfWoP5tZsC0Qr3h/s400/createguest.jpg" alt="Creating a guest user under Security -> AAA: Local Net Users" border="0" />
<p>Sounds like a good plan, right? Well, the issue I take with this is that it requires your receptionists to access a controller to build in a username and password. I'm thinking an easier way would be to provide some front-end to a receptionist to allow him or her to simply enter a username to authorize a user. The guest user then builds his or her own password and provides a company name to be used for authentication. Problem is... this is not how guest access was designed by Cisco and will require some programming on our side. Interested in how this is done? Stay tuned for an in-depth view of how guest users are created and how we can customize a front-end for guest user registration.</p>

<strong>Unified Wireless Guest Access: Prep'ing the Controller</strong> (posted 2007-03-28)<br /><br />
Continuing on with my discussion of UW and Guest Access, I'd like to go into some detail about how to configure your master controller (the "nexus") to access the guest network. Before we continue we have to have an idea of how we want to design our guest network. The goal of the guest network is to allow Internet access that is segmented from all other internal network resources.
How this is developed is completely up to your implementation. I'll use our configuration as an example. Our existing guest access is handled through a non-routed VLAN that's switched via our L2 core. For the sake of examples... we'll say this VLAN is VLAN 125.<br /><br />
As I stated, this is a non-routed VLAN that in our example will use the IP scheme of 192.168.1.X. The VLAN has a default gateway of 192.168.1.1, which is a PIX 506E with an outside interface on our Internet segment. All clients on this network are NAT'd through the PIX, completely separate from our existing ASA cluster that's used for employees. This keeps the guest segment completely separate from our existing IP routing infrastructure. Here's an overview of the design.<br /><br />
<img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEip5PK-e123IdYjOlW6pFn5oxnsphckS0zeOniO2uzjAB54fdk3aYF92ZVfqiEFqi12FwYHLDii25RAg_GBX-JcpRhf35fsOFVph7bnZjh5Gy7__kwiPx8yrEQaAxWbZlTSFq2-/s320/GuestFirewall.jpg" alt="Guest VLAN 125 behind the PIX 506E, separate from the employee ASA cluster" border="0" /><br /><br />
Now let's get into how this is configured on the WLAN Controller. Please note that the configuration is being done on version 4.0.206.0 of the WLC. The first step for creating a new WLAN is to create an interface on the controller for the clients. I'll be using the WLC GUI for the configuration. Go to CONTROLLER -> Interfaces -> New... This will bring you to the dialog to build in the new guest interface. Give the interface any name and tag the VLAN for the guest VLAN. So... in my example I'll use VLAN 125. Fill in the fields noted below.<br /><br />
<img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_cYILSjmGbWzTzG2CMxBRxXPTACjT4UtHwXWtgEwFHBZaczxlA1U9_jMfRHM5f02LbQqUUGXqV5BwPGjGstz3vpGKCzuFpevCeuIU4SuXjhK9GZ-agiPMzptaaMZL2gpEEev-/s320/GuestInterface.jpg" alt="New guest interface dialog under CONTROLLER -> Interfaces" border="0" /><br /><br />
The above image should explain this part of the configuration for the most part. I'd just like to note the importance of the DHCP server option field. Ensure that you are placing the IP of the management interface of the controller there. Using any other IP address on the controller will not work. Next let's build the DHCP pool that will be required for the clients. You have the option of using an external DHCP server, but we have opted to use the server local to the WLC. To access the DHCP options, click CONTROLLER -> Internal DHCP Server. Create a new scope and set the necessary options. I don't need to show this as it's very self-explanatory. Obviously we'll set the PIX as the "Default Router", and DNS is provided by an open DNS server on the Internet. You can use your own outside DNS server if you wish.<br /><br />
Our final step is to set up the WLAN... which for now will have no authentication. To create a WLAN... go to WLANs -> WLANs -> New... Give it an ID; the profile name can be "Open Access" and the WLAN SSID can be something like "Open Internet Access." This is the name of the WLAN that will be shown on the users' laptops. Now let's get into the details. Note the options I have arrows next to.<br /><br />
<img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6enn7pHGaTvsk0oS-ZOzxXipu_VfCEzyJeRKPk7LtfrbqRN3uIdNHtN6bA4kVMNsB-jIP31vXQK3pQ_ymgRCEz7olrdM2PAPSJYrPlHaJtc8sCvk__gs6mVN5AzA15MksCipX/s320/GuestWLAN.jpg" alt="Guest WLAN settings, with arrows next to the options to change" border="0" /><br /><br />
Again... a pretty easy configuration. Once this step is complete you should be able to connect to your guest SSID and get Internet access. This is just the first step in providing Guest Access. In future posts I'll review enabling web authentication, along with developing a customizable interface for users to register that ties into the WLC local user database. Leave feedback and let me know if you're unsure about anything or if I can help at all.

<strong>Unified Wireless: My Take on Guest Access</strong> (posted 2007-03-27)<br /><br />
As I said in a previous post, I've been working on a Cisco Unified Wireless implementation.
I gave a brief overview of UW (Unified Wireless) below, but I want to go into depth on the topic of Guest Access. The documentation is limited, and I just want to take some time to share how I'm implementing Guest Access and the configuration required.<br /><br />
Guest Access is pretty much what it sounds like. It's taking your wireless infrastructure and allowing "guest" users to access it while keeping your existing UW infrastructure secure. This could be used to provide Internet access to vendors visiting your facilities, or could go beyond that and actually act as an open hotspot for customers. The version of Guest Access I'm working on involves allowing guests at our corporate campus to use our Internet connectivity for presentations/remote VPN access. Our corporate campus is comprised of multiple facilities all linked over our private MPLS VPN cloud.<br /><br />
Let me go a little bit into the architecture behind the implementation. In our headquarters facility we have installed a Cisco 4402 Wireless LAN Controller. This controller acts as the "nexus" for our Guest Access infrastructure, along with allowing secure access to internal network resources for mobile employees. Our satellite offices, also part of the corporate campus, are all connected via Cisco 2811 Integrated Services Routers. In these offices we will be using NM-WLC-6 network modules. Essentially these modules are Wireless LAN Controllers which sit on-board the ISR routers.<br /><br />
I don't want to get too in-depth with Guest Access in this first post. Let me leave you with a quick diagram of how I've decided to implement Guest Access. In future posts I'll go into detail as to how this can be implemented. Keep in mind that my implementation may not be the same as yours, but the concepts I use may be shared amongst many implementations.<br /><br />
<img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikKMJoLf71OnRjCBxqr-ZKAMsojjeskZ8ihBCSgtfeOY0GTdh_dJuD1n-NCrATL2CjuyJPQbKVx15-Q6lcWKGlzHbnXQuxiRA4XH_pta7GTHucYVvm1t_q98Dw9XGPAaDYrlqn/s320/GuestAccess.jpg" alt="Guest Access design overview: 4402 WLC at headquarters, NM-WLC-6 modules in the satellite offices" height="192" width="256" border="0" />
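Returning to the CMPC readme further up this page: it describes a three-step tool (parse config.xml, log into CCO to check for newer packages, e-mail the results), says all four config fields are required, and notes that most support problems come from a bad config.xml. Below is an added Python illustration of that shape. It is not CMPC's own C# code and not anything Cisco ships; the config element names come from the readme's example, while the function names, the "installed" list and the CCO version data are assumptions constructed for the example (the real tool scrapes those versions from cisco.com, which is not reproduced here).

```python
"""Config loading, update detection and report building in the shape the
CMPC readme describes.  Added illustration, not CMPC's C# code: the field
names come from the readme's config.xml; everything else is assumed."""
import xml.etree.ElementTree as ET
from email.message import EmailMessage

# The four elements in the readme's config.xml; the readme says all are required.
REQUIRED_FIELDS = ("cco_username", "cco_password", "smtp_server", "smtp_from_to")


class ConfigError(ValueError):
    """Informative error for a malformed or incomplete config.xml."""


def missing_fields(xml_text: str) -> list:
    """Names of required elements that are absent or empty, in readme order."""
    root = ET.fromstring(xml_text)          # raises ET.ParseError on bad XML
    if root.tag != "configuration":
        raise ConfigError(f"expected <configuration> root, found <{root.tag}>")
    missing = []
    for name in REQUIRED_FIELDS:
        node = root.find(name)
        if node is None or not (node.text or "").strip():
            missing.append(name)
    return missing


def load_config(xml_text: str) -> dict:
    """Parse config.xml into a dict, refusing to run on an incomplete file
    (the readme says a bad config.xml is the usual cause of problems)."""
    try:
        missing = missing_fields(xml_text)
    except ET.ParseError as exc:
        raise ConfigError(f"config.xml is not well-formed XML: {exc}") from exc
    if missing:
        raise ConfigError("config.xml is missing required field(s): " + ", ".join(missing))
    root = ET.fromstring(xml_text)
    return {name: root.find(name).text.strip() for name in REQUIRED_FIELDS}


def redacted(cfg: dict) -> dict:
    """Copy of the config safe to print or log: the CCO password is masked."""
    return {k: ("***" if k == "cco_password" else v) for k, v in cfg.items()}


def version_key(version: str) -> tuple:
    """'1.2.0.0' -> (1, 2, 0, 0) so dotted versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def find_updates(installed: dict, latest: dict) -> list:
    """(product, installed, latest) for every product whose CCO version is newer."""
    updates = []
    for product, current in sorted(installed.items()):
        newest = latest.get(product)
        if newest is not None and version_key(newest) > version_key(current):
            updates.append((product, current, newest))
    return updates


def build_message(cfg: dict, updates: list) -> EmailMessage:
    """The notification e-mail that would be handed to the configured SMTP server."""
    msg = EmailMessage()
    msg["From"] = cfg["smtp_from_to"]
    msg["To"] = cfg["smtp_from_to"]          # the readme uses one From/To address
    msg["Subject"] = f"CMPC: {len(updates)} package update(s) available"
    lines = [f"- {p}: {cur} -> {new}" for p, cur, new in updates] or ["- all packages current"]
    msg.set_content("Package check results:\n" + "\n".join(lines) + "\n")
    return msg


# Constructed sample config, copied from the readme's example.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<configuration>
  <cco_username>someuser@company.com</cco_username>
  <cco_password>Securepassword123</cco_password>
  <smtp_server>smtp.company.com</smtp_server>
  <smtp_from_to>myemail@company.com</smtp_from_to>
</configuration>
"""

# Constructed version data standing in for what a real run would scrape from CCO.
INSTALLED = {"CMPC": "1.0.0.0", "ASA": "8.0"}
LATEST = {"CMPC": "1.2.0.0", "ASA": "8.0"}

if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print("loaded:", redacted(cfg))
    print(build_message(cfg, find_updates(INSTALLED, LATEST)))
```

Two design points follow from the readme: config.xml holds the CCO password in clear text, so the directory it lives in should be readable only by the account that runs the scheduled task, and `redacted()` exists so the config can be echoed in error output without the password landing in a log; and `version_key()` compares versions numerically, since a plain string comparison would rank "4.0.9" above "4.0.206.0".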