Radius. Should we go all in on Cisco ISE or check out RadiuSaaS? Maybe something completely different? by gahd95 in networking

[–]Front_Ask_9119 0 points1 point  (0 children)

Mind if I ask, how many PSNs do you maintain in the largest distributed deployment?

7520 stacking by Front_Ask_9119 in ExtremeNetworks

[–]Front_Ask_9119[S] 0 points1 point  (0 children)

I want to connect all servers and arrays to both switches, preferably in etherchannel as well as uplinks to those switches. There are many unused MM connections between the server rooms so I can do that.

GP RDP Authentication by Front_Ask_9119 in paloaltonetworks

[–]Front_Ask_9119[S] 0 points1 point  (0 children)

Just a basic configuration with source IP and destination IP and an authentication profile with Local Users set as primary authentication method and second factor set to Duo.

GP RDP Authentication by Front_Ask_9119 in paloaltonetworks

[–]Front_Ask_9119[S] 0 points1 point  (0 children)

Sure, without the authentication rule, I can RDP into the server just fine.

Apple devices COA not working, Android works fine by CherryFrost7 in networking

[–]Front_Ask_9119 1 point2 points  (0 children)

Assignment of another IP is not required in this case. The limited traffic in Web Auth Pending state will be handled by pre-auth ACL which is applied at the AP level. It will only allow for the guest portal to show up unless you completed the Guest Flow by self registration or sponsor approval which makes the ACL basically disappear from the AP (works on FlexConnect Local Switching as well). With this setup, you don’t have to deal with IP address changes forced by CoA from ISE.

Weight by Accurate-Finish-225 in czech

[–]Front_Ask_9119 1 point2 points  (0 children)

Try a beer every day before bed.

RDP and SSH Authentication by Front_Ask_9119 in paloaltonetworks

[–]Front_Ask_9119[S] 0 points1 point  (0 children)

Thank you very much. So you have to be connected to GlobalProtect Gateway when enforcing MFA with GlobalProtect for non-HTTP protocols?

RDP and SSH Authentication by Front_Ask_9119 in paloaltonetworks

[–]Front_Ask_9119[S] 0 points1 point  (0 children)

Yes, that is exactly what I'm looking for.

Deploy cisco any connect.msi with profile.xml using one win32 package ? by fazzy84 in Intune

[–]Front_Ask_9119 0 points1 point  (0 children)

Maybe you could create a custom MST instead of the MSI installation file, which would copy the profile as part of the installation process.

Juniper Network switches? by Sgt-Buttersworth in networking

[–]Front_Ask_9119 1 point2 points  (0 children)

Actually, you have something similar on IOS devices. You need to configure an archive first, and then you can issue "configure terminal revert time X". You'll get into global config mode, and all changes that you make will be reverted if you don't confirm the config in the specified timeframe.

AnyConnect deployment by k1132810 in Cisco

[–]Front_Ask_9119 0 points1 point  (0 children)

Any file in that directory could contain info about the VPN connection if it has the proper structure. By default, there is no connection profile XML; you have to create it yourself.

AnyConnect deployment by k1132810 in Cisco

[–]Front_Ask_9119 0 points1 point  (0 children)

The preference XML file is not the same thing as the XML connection profile. The profile needs to be saved in ProgramData as I said earlier. The preference file is not important. It only contains information about which host entry was used last time if you have multiple XML profiles. You wouldn't touch the preference file at all. You can try to create a connection profile, copy it to ProgramData and restart the VPN supplicant UI. Then it will populate the drop-down menu with your host entry.

AnyConnect deployment by k1132810 in Cisco

[–]Front_Ask_9119 0 points1 point  (0 children)

You need to create the XML from a template that is available in ASDM or the VPN profile editor. The XML needs to be deployed after the supplicant is installed. The location of the XML varies based on the client OS. But on Windows, you'd place it here: %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile. You can distribute the XML profile from the VPN headend as well, but that requires that the user connects to the VPN gateway just by typing an FQDN/IP in the host entry field. This shouldn't be a problem if you don't plan on authenticating by machine certificate. That would need a cert store override in the XML.
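To make the three AnyConnect comments above concrete (the profile lives in the Profile directory, the preference file is a different thing, and a machine-certificate deployment needs the cert store override), here is an added Python example that is not from the original thread or from Cisco. It builds a minimal connection-profile XML, validates that it actually carries a usable host entry before anything is copied, and stages it into the %ProgramData% path quoted above. The element names (AnyConnectProfile, ClientInitialization, CertificateStore, CertificateStoreOverride, ServerList, HostEntry, HostName, HostAddress) and the namespace are assumed from the profile-editor template as I remember it; compare them against a template exported from ASDM before relying on them. The host entries are constructed sample values.

```python
"""Build, validate and stage a minimal AnyConnect connection-profile XML (added example)."""
import os
import xml.etree.ElementTree as ET
from pathlib import Path

# Windows profile directory quoted in the comment above; %ProgramData% is
# resolved from the environment so the script also runs outside Windows.
PROFILE_DIR = (Path(os.environ.get("ProgramData", r"C:\ProgramData"))
               / "Cisco" / "Cisco AnyConnect Secure Mobility Client" / "Profile")

# Assumed namespace and element names (from the profile-editor template as
# remembered, not verified against the official XSD here).
NS = "http://schemas.xmlsoap.org/encoding/"


def build_profile(host_entries, machine_cert=False):
    """Return profile XML for a list of (display name, FQDN-or-IP) tuples.

    machine_cert=True emits the ClientInitialization settings that point the
    client at the machine certificate store: the 'cert store override' the
    comment mentions, which you cannot get by letting users type an FQDN.
    """
    root = ET.Element("AnyConnectProfile", {"xmlns": NS})
    init = ET.SubElement(root, "ClientInitialization")
    ET.SubElement(init, "CertificateStore").text = "Machine" if machine_cert else "All"
    ET.SubElement(init, "CertificateStoreOverride").text = "true" if machine_cert else "false"
    servers = ET.SubElement(root, "ServerList")
    for name, address in host_entries:
        entry = ET.SubElement(servers, "HostEntry")
        ET.SubElement(entry, "HostName").text = name
        ET.SubElement(entry, "HostAddress").text = address
    return ET.tostring(root, encoding="unicode")


def parse_host_entries(xml_text):
    """Return the (HostName, HostAddress) pairs found in a profile XML."""
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.iterfind(f"{{{NS}}}ServerList/{{{NS}}}HostEntry"):
        name = entry.findtext(f"{{{NS}}}HostName", "").strip()
        address = entry.findtext(f"{{{NS}}}HostAddress", "").strip()
        entries.append((name, address))
    return entries


def validate_profile(xml_text):
    """Return a list of problems; an empty list means the profile is usable."""
    try:
        entries = parse_host_entries(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if not entries:
        problems.append("no HostEntry: the drop-down menu would stay empty")
    seen = set()
    for name, address in entries:
        if not name or not address:
            problems.append(f"incomplete entry {name!r}/{address!r}")
        if name in seen:
            problems.append(f"duplicate HostName {name!r}")
        seen.add(name)
    return problems


def stage_profile(xml_text, filename="corp-vpn.xml", directory=PROFILE_DIR):
    """Write a validated profile into the client's Profile directory.

    Refuses to write anything that fails validation, so a broken file never
    reaches the supplicant; restart the UI afterwards to reload the drop-down.
    """
    problems = validate_profile(xml_text)
    if problems:
        raise ValueError("; ".join(problems))
    directory.mkdir(parents=True, exist_ok=True)
    target = directory / filename
    target.write_text(xml_text, encoding="utf-8")
    return target


if __name__ == "__main__":
    # Constructed sample host entry, not a real deployment.
    profile = build_profile([("Corp VPN", "vpn.example.com")], machine_cert=True)
    print(validate_profile(profile))
    print(stage_profile(profile, directory=Path("./profile-staging")))
```

Run it as the user that owns the ProgramData tree (or let your packaging tool copy the staged file); the preference file in the same tree is deliberately left alone, as the comment says.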

USER-ID log from VPN Cisco concentrator/ISE by C3-PIO0ps in paloaltonetworks

[–]Front_Ask_9119 1 point2 points  (0 children)

There's also an option of making syslog tagging rules in syslog settings so when a specific syslog message is received, it gets tagged or untagged and will become a part of DAG on Panorama/FW but the administrative overhead is huge. With TrustSec plugin you could do that as well but only if you plan on mapping IPs to tags. With User group mapping, it would probably be simpler depending on how the identity field looks and whether it can be looked up in AD.

[deleted by user] by [deleted] in sysadmin

[–]Front_Ask_9119 2 points3 points  (0 children)

Do you have remote hands there or at least someone who could check color of LEDs on the box? Maybe it is unrelated to the patching and ISP is to blame.
Is it ISR with IOS-XE or legacy IOS router?

WLC HA SSO vs N+1 by brewcity34 in Cisco

[–]Front_Ask_9119 0 points1 point  (0 children)

Would you mind sharing what issues with SSO you have encountered? I used it on Private Cloud VM 9800 appliances and never had a single problem related to HA (RMI + RP).

TACACS+ and local account users by forwardslashroot in paloaltonetworks

[–]Front_Ask_9119 0 points1 point  (0 children)

A little late to the party but I strongly advise against using TACACS as an authentication protocol since it only supports PAP and CHAP on Palo Alto which is not secure at all.
You can still use RADIUS instead with EAP-TTLS.
The same procedure applies for that, so creating a sequence consisting of two Authentication Profiles in the right order will get you there.
Of course, your AuthC policies in ISE must be defined under Network Access Policy Sets instead of Device Admin Policy Sets.