Firepower Management Console System Configuration

Categories Cisco, fmc, Security

Syslog

  • Setting up a syslog server prevents another user on the FMC from deleting the logs. It also keeps a backup of your logs.
  • Set ‘Send audit to syslog’ to enabled.
  • Enter the syslog server's IP address for the host.
  • Change the facility to SYSLOG.
  • Set the severity to whatever level you would like.
  • Test the syslog server, then Save once you have verified it is working.
  • You will be greeted with a Success message after the configuration change has taken effect.

Login Banner

  • Create a login banner with whatever login greeting you would like.
  • It is a good idea to display an authorization warning for the login banner or any message you would like users to see once logged into the FMC.
  • Save the login banner once completed.

Change Reconciliation

  • Change reconciliation allows a report to be generated every x hours:minutes to provide a history of what configurations have changed.

Email Notification

  • Enter in your information as needed.
  • The from address can be whatever you like; all other information will need to be legitimate.

HTTPS Server Certificate

  • Creating an HTTPS certificate.

Management Interfaces

  • Hostname of the device
  • Domain name the device is in.
  • DNS servers
  • Remote management port
  • Don’t forget to hit save!

Remote Storage Device

SNMP

  • Set up SNMPv2.
  • Create an ACL pointing to ISE or whatever you’re using for SNMP.

Cisco Switch Configuration for ISE

Categories Cisco, ISE, Switch

Switch Configuration

  • Example configuration used:
conf t
 radius server ISE_RADIUS
 address ipv4 10.0.30.40 auth-port 1645 acct-port 1646
 key Temp1234!@#$
 exit
 aaa group server radius ISE
 server name ISE_RADIUS
 ip radius source-interface vlan 30
 exit
 aaa authentication dot1x default group ISE
 aaa authorization network default group ISE
 aaa authorization exec default group ISE local if-authenticated
 aaa accounting update periodic 3
 aaa accounting dot1x default start-stop group ISE
 aaa server radius dynamic-author
 client 10.0.30.40 server-key Temp1234!@#$
 radius-server attribute 6 on-for-login-auth
 radius-server attribute 8 include-in-access-req
 radius-server attribute 25 access-request include
 end

Explanation

  • Explain commands
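As an added check, not from the original post, the script below parses a copy of the switch configuration shown above and verifies that its pieces refer to each other consistently: the server group references the defined RADIUS server, the dot1x authentication, network authorization and accounting lines use that group, the dynamic-author (CoA) client carries the same address and key as the RADIUS server, and the three radius-server attribute lines are present. The sample configuration is a constructed copy of the post's own commands, indented as show running-config prints them; check_ise_aaa and SAMPLE_CONFIG are names chosen here.

```python
import re

# Constructed copy of the post's switch config; the key is the post's placeholder value.
SAMPLE_CONFIG = """\
radius server ISE_RADIUS
 address ipv4 10.0.30.40 auth-port 1645 acct-port 1646
 key Temp1234!@#$
aaa group server radius ISE
 server name ISE_RADIUS
 ip radius source-interface vlan 30
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
aaa server radius dynamic-author
 client 10.0.30.40 server-key Temp1234!@#$
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
"""
BLOCK = r"\n((?: .*\n)+)"  # the indented child lines under a section header


def check_ise_aaa(config):
    """Return a list of findings; an empty list means the pieces agree."""
    findings = []
    srv = re.search(r"^radius server (\S+)" + BLOCK, config, re.M)
    if not srv:
        return ["no 'radius server' block defined"]
    srv_name, body = srv.groups()
    addr = re.search(r"address ipv4 (\S+)", body)
    key = re.search(r"key (\S+)", body)
    grp = re.search(r"^aaa group server radius (\S+)" + BLOCK, config, re.M)
    if not grp or f"server name {srv_name}" not in grp.group(2):
        findings.append(f"no RADIUS server group references server {srv_name}")
    else:
        grp_name = grp.group(1)  # dot1x authn, network authz and accounting must use it
        for method in ("authentication dot1x", "authorization network", "accounting dot1x"):
            if not re.search(rf"^aaa {method} default .*group {grp_name}\b", config, re.M):
                findings.append(f"'aaa {method}' does not use group {grp_name}")
    # CoA: ISE must be a dynamic-author client with the same address and key as the server
    coa = re.search(r"^aaa server radius dynamic-author" + BLOCK, config, re.M)
    client = coa and re.search(r"client (\S+) server-key (\S+)", coa.group(1))
    if not client:
        findings.append("no dynamic-author client; ISE cannot send CoA to the switch")
    elif not addr or client.group(1) != addr.group(1):
        findings.append("CoA client address does not match the RADIUS server address")
    elif key and client.group(2) != key.group(1):
        findings.append("CoA server-key differs from the RADIUS server key")
    for attr in ("6 on-for-login-auth", "8 include-in-access-req", "25 access-request include"):
        if f"radius-server attribute {attr}" not in config:
            findings.append(f"missing 'radius-server attribute {attr}'")
    return findings
```

Paste the output of show running-config | section aaa|radius into the same function to check a real switch before testing against ISE.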

ISE Configuration

  • Add in the name, description, IP address, Device profile, Model name, Software version.
  • Enable the RADIUS Authentication Settings and input the shared secret then submit to add the switch in.
  • To verify, after you click Submit you will see the device listed under the Network Devices section.

Authorization Profile

Policy Set

Verification

  • On the switch you can issue:
show cdp neighbor
show authentication session
show aaa server
  • On ISE GUI you can review the live session and logs under the RADIUS section in Operations:

Troubleshooting

  • No authentication sessions are showing on the network device.
  • Run an authentication test using the network device and review the logs in ISE.
  • Verify the AAA server configuration:
test aaa group radius test-user test-password new-code
  • In ISE GUI:

Verify NTP is matching for Logs

  • Verify the NTP server matches on all devices.
    Cisco Switch:

ISE Server:

Cisco ISE 2.7 on ESXi

Categories Cisco, ESXi, ISE

What is ISE?

  • Cisco Identity Services Engine (ISE) is a solution to streamline security policy management and reduce operating costs. It gives you visibility of users and devices and controls their access across wired, wireless, and VPN connections to the corporate network.

Image

  • Login with your CCO to Download ISE 2.7 evaluation .OVA file or whichever format you prefer.

System Requirements

  • Clock speed: 2.0 GHz or faster
  • Number of CPU cores: 4 CPU cores
  • 16 GB memory
  • 300 GB Storage
  • 1 NIC interface required (two or more NICs are recommended; six NICs are supported).
    ***Cisco ISE supports E1000 and VMXNET3 adapters.***

License

  • The Cisco ISE image comes with a 90-day evaluation license already installed, so you can begin testing all Cisco ISE services when the installation and initial configuration is complete.
  • Transfer the .OVA file to your datastore on the ESXi server and follow the installation steps.
  • Once the upload and import have completed, start the virtual machine.

Initial Setup

  • Boot the image.
  • To begin configuration, enter ‘setup’ as the username and then follow the prompts for initial setup.
  • ***This process can take 30 minutes to multiple hours depending on your hardware resources***

Verify the Installation

  • After ISE starts, log in with your new credentials and begin verifying the installation:
show application
show application status ise

Web GUI

  • Log in to the GUI with your credentials.

Initial Login

CLI Admin Vs GUI Admin

  • The username and password that you configure when using the Cisco ISE setup program are intended to be used for administrative access to the Cisco ISE CLI and the Cisco ISE web interface.
  • You can initially access the Cisco ISE web interface by using the CLI-admin user’s username and password that you defined during the setup process. There is no default username and password for a web-based admin.
  • The CLI-admin user is copied to the Cisco ISE web-based admin user database.
  • Only the first CLI-admin user is copied as the web-based admin user.
  • You should keep the CLI- and web-based admin user stores synchronized, so that you can use the same username and password for both admin roles.
  • The Cisco ISE CLI-admin user has different rights and capabilities than the Cisco ISE web-based admin user and can perform other administrative tasks.

Create a CLI Admin

Cisco ISE allows you to create additional CLI-admin user accounts other than the one you created during the setup process. To protect the CLI-admin user credentials, create the minimum number of CLI-admin users needed to access the Cisco ISE CLI. You can add a CLI-admin user by using the following command in configuration mode:

username <username> password [plain/hash] <password> role admin
  • Please note the password complexity and requirements.

Create a Web-Based Admin

  • For first-time web-based access to the Cisco ISE system, the administrator username and password are the same as the CLI-based access that you configured during setup.
  • Choose Administration > System > Admin Access > Administrators > Admin Users.
  • Choose Add > Create an Admin User.
  • Enter the name, password, admin group, and the other required details.
  • Click Submit.

Reset a Disabled Password Due to Administrator Lockout

  • An administrator can enter an incorrect password enough times to disable the account. The minimum and default number of attempts is five.
  • Use these instructions to reset the administrator user interface password with the application reset-passwd ise command in the Cisco ISE CLI. It does not affect the CLI password of the administrator. After you successfully reset the administrator password, the credentials are immediately active and you can log in without having to reboot the system.
  • Cisco ISE adds a log entry in the Administrator Logins window. The navigation path for this window is Operations > Reports > Reports > Audit > Administrator Logins. The credentials for that administrator ID are suspended until you reset the password associated with that administrator ID.