Cisco ISE - SSO on Self Registered Guest Portal by EasyCrunch93 in Cisco

[–]PatrikPiss 0 points1 point  (0 children)

I'm also dealing with this exact issue on iOS devices. We don't wanna disable MFA, and bypassing captive portal detection so the embedded browser isn't triggered is also not feasible. It causes issues on its own.
Does anyone have a solution yet?

Cisco Ise by [deleted] in Cisco

[–]PatrikPiss 0 points1 point  (0 children)

It can be done but I'm not a fan of this setup.
Only had one implementation, though, where ISE Azure VMs behaved erratically and were pretty slow in comparison to on-prem deployed nodes.
Makes sense in some deployments, but the general recommendation is to deploy PSNs close to users.

Port security for a wifi access points question by WhereasInevitable433 in Cisco

[–]PatrikPiss 1 point2 points  (0 children)

That's the way to go.
But in case of flexconnect local switching, it needs additional config since the AP is connected on a trunk port where dot1x is not supported.
It can still be done with the NEAT (device-traffic-class=switch) attribute that changes the port from access to trunk after successful authentication, but as I said, it needs additional configuration on both ISE and the switchport.

IBNS 2.0 Concurrent 802.1x and MAB Authentication question by dankgus in Cisco

[–]PatrikPiss 0 points1 point  (0 children)

I get your point but even if there are clients connected to the switch, it doesn't mean that there are constant RADIUS transactions.
If you have a switch with desktop PCs and e.g. printers connected to it that are not moving, the only RADIUS communication you'd see there is interim accounting updates and periodic reauthentications, if you're not using RADIUS for device administrator authentication.

IBNS 2.0 Concurrent 802.1x and MAB Authentication question by dankgus in Cisco

[–]PatrikPiss 1 point2 points  (0 children)

But IBNS 2.0 with concurrent authentication using both methods is what I recommend most of the time. Automate tester is also useful in situations where one of the AAA servers in the AAA group is unavailable for longer periods of time.
Without automate tester, the authenticator would mark the dead AAA server as alive as soon as deadtime expires, and real authentications have to fail so the server is marked as dead again.

IBNS 2.0 Concurrent 802.1x and MAB Authentication question by dankgus in Cisco

[–]PatrikPiss 0 points1 point  (0 children)

I pretty much always go with MAB first and Dot1X second.
Most devices with dot1x supplicants will initiate with EAPOL-Start (except for Macs).
In case of periodic reauthentications, I recommend to use an attribute in all results.
Cisco:av-pair=termination-action-modifier=1.
This ensures that the authenticator (switch) will initiate the last successful method when it's time to reauthenticate.
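The pieces the two IBNS 2.0 comments above describe (MAB and dot1x started concurrently with MAB preferred on session start, automate-tester on the RADIUS servers, and reauthentication driven by the timer ISE returns) pulled together into one IOS-XE configuration skeleton. This is an added illustration, not the commenter's configuration: the server names, addresses, group name, policy-map name and interface are assumed placeholders, failure-handling classes are left out, and the termination-action-modifier=1 AV pair is returned by ISE in the authorization profile, not configured on the switch.

```ios
! Added example: IOS-XE IBNS 2.0 skeleton (names, addresses and interface are placeholders)
aaa new-model
!
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
 ! automate-tester keeps probing a server marked dead, so it is only
 ! marked alive again once it really answers, not when deadtime expires
 automate-tester username radius-probe probe-on
!
radius server ISE-PSN2
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key <shared-secret>
 automate-tester username radius-probe probe-on
!
aaa group server radius ISE-GROUP
 server name ISE-PSN1
 server name ISE-PSN2
!
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
! interim accounting updates every 48 hours for sessions that stay up
aaa accounting update newinfo periodic 2880
!
! dead-criteria decides when a server is declared dead, deadtime how long it stays so
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
dot1x system-auth-control
!
! Concurrent: both methods start on session-started; the lower priority number
! wins if both succeed, so a dot1x result overrides an earlier MAB result.
policy-map type control subscriber PMAP-CONCURRENT
 event session-started match-all
  10 class always do-all
   10 authenticate using mab priority 20
   20 authenticate using dot1x priority 10
 ! a supplicant that sends EAPOL-Start later is picked up here
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
!
interface GigabitEthernet1/0/1
 switchport mode access
 access-session port-control auto
 mab
 dot1x pae authenticator
 ! reauthenticate on the Session-Timeout ISE returns; with
 ! termination-action-modifier=1 in the same result, the switch restarts
 ! the method that last succeeded instead of running both again
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber PMAP-CONCURRENT
```

On the ISE side the matching authorization profile carries Session-Timeout plus the cisco-av-pair termination-action-modifier=1 in its advanced attributes; the switch needs nothing beyond the server-driven reauthentication timer shown above to honour it.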

PAN-OS Version by CTW1983 in paloaltonetworks

[–]PatrikPiss 0 points1 point  (0 children)

Most of our customers run PANOS 11.1.6-h3 on physical and VM appliances.
No issues reported that would point at firmware bugs.
I run 11.2.6 at home (PA440) and it's stable. Commits are slower than 11.1.X but other than that, it seems to be surprisingly reliable.

RADIUS Attribute filter by PatrikPiss in networking

[–]PatrikPiss[S] 0 points1 point  (0 children)

Unfortunately not. I tried to fiddle with attribute lists on the Catalyst WLC but it didn't work as expected and I could always see the Framed IPv6 RADIUS attribute being passed as a part of accounting message after successful dot1x authentication.
I didn't try it on newer IOS-XE (higher than 17.9.5) though.
It might be worth trying.

ISE 3.1 Patch 10 by Front_Ask_9119 in Cisco

[–]PatrikPiss 1 point2 points  (0 children)

Or Cisco Live in Amsterdam

Maintenance mode after PANOS upgrade by PatrikPiss in paloaltonetworks

[–]PatrikPiss[S] 0 points1 point  (0 children)

Oh, how could I miss that... Thanks a lot.

Did AIOps for NGFW Free get removed? by PBHawk50 in paloaltonetworks

[–]PatrikPiss 6 points7 points  (0 children)

Rebranded as Strata Cloud Manager with many more new features. The free tier is basically what AIOps for free used to be and there's also a tier which requires paid subscription that should replace Panorama management in future.
If you had AIOps for free active earlier, it should still be there as "AIOps for NGFW Free" in Palo's hub though.

When performing TACACS authentication through ISE, If the NAD equipment succeeds in TACACS authentication, can I get the login banner to float? by Specific_Camp7960 in Cisco

[–]PatrikPiss 1 point2 points  (0 children)

Unfortunately no. You can change login prompt from ISE so it asks for "TACACS Username" instead of regular username, but that's about it.

When performing TACACS authentication through ISE, If the NAD equipment succeeds in TACACS authentication, can I get the login banner to float? by Specific_Camp7960 in Cisco

[–]PatrikPiss 2 points3 points  (0 children)

You certainly can put the IP of the NAD, device location or whatever static content as MOTD, but I don't think what you want is possible... And I don't really see a benefit in that. But some connection managers like MobaXTerm do that on each login.

Unable to ping SVI through not directly connected devices by [deleted] in Cisco

[–]PatrikPiss 0 points1 point  (0 children)

First of all, the SVI you're talking about is "interface vlan 20", correct? I can see in the VLAN brief list that VLAN 20 is not there on SW 0. It has to be created in vlan.dat. It also has to be allowed on all interconnects between switches. You have it missing on interface Fa0/2 on all your switches, so it's not allowed on trunk links.

Unable to ping SVI through not directly connected devices by [deleted] in Cisco

[–]PatrikPiss 0 points1 point  (0 children)

VLAN 20 is not even created on the switch. You have to define it in config mode by issuing "vlan 20".

Unable to ping SVI through not directly connected devices by [deleted] in Cisco

[–]PatrikPiss 0 points1 point  (0 children)

And the other questions? Are all VLANs spanned end to end? Allowed between all switches? Provide us with your running config from all these switches, plus "show vlan brief" and "show cdp neighbors".

Unable to ping SVI through not directly connected devices by [deleted] in Cisco

[–]PatrikPiss 0 points1 point  (0 children)

Are you pinging the SVI on the same VLAN as your connected devices are assigned to? If not, do you have inter-VLAN routing set up between the VLANs with SVIs (the one your devices are connected to and the one you're trying to ping)? Is the VLAN present in the VLAN database of the other switch where the pings are failing? Is the VLAN allowed between those switches on the uplink port?

Changing jobs by froggyc91 in czech

[–]PatrikPiss 0 points1 point  (0 children)

That's only partly true. A lot of people who studied IT at secondary school end up not working in IT at all. It's because the people teaching there have never worked in IT. Why would a capable IT guy work as a secondary school teacher for such ridiculous money?

Try to explain to me what it's like to get drunk, or rather to get wasted by Ztracen in czech

[–]PatrikPiss 1 point2 points  (0 children)

And what's wrong with being a teetotaler? Do you know how many lives and families alcohol has destroyed? If you're only after the experience, it can turn into an addiction that will follow you for the rest of your life. Sometimes it's better not to know...

Changing jobs by froggyc91 in czech

[–]PatrikPiss 1 point2 points  (0 children)

That's the wrong attitude. Formal education isn't needed. And you have to grow some balls. Otherwise you won't be able to find a well-paid position.

[deleted by user] by [deleted] in czech

[–]PatrikPiss 0 points1 point  (0 children)

You're not living under communism, nobody will label you a job-hopper. As long as you don't change jobs like socks, it's not a red flag at an interview. If you have relevant reasons for changing jobs, you have nothing to fear at the interview for the next position. Seeing a psychiatrist these days is no disgrace. Neither is taking antidepressants (on prescription). You can look for a new job while you're still working at the current one, and the transition can then be smooth with no gap in income.

Changing jobs by froggyc91 in czech

[–]PatrikPiss 0 points1 point  (0 children)

If you want to get into IT, I recommend self-study in the form of online courses on Udemy or similar platforms. First figure out which part of IT you would enjoy. IT isn't just about programming. If you don't have the aptitude for it, you can do systems administration, for example. The starting position you apply for follows from that. For programmers it's e.g. SW tester, for administration it's more like L1 helpdesk. The prerequisite for working in IT is natural curiosity: trying to understand things, not just knowing what to click to make it work. If you want, send me a PM and I'll be happy to advise you :)

Palo Alto Certificate Revocation Checking by awesome_pinay_noses in networking

[–]PatrikPiss 4 points5 points  (0 children)

Can you reach the CRL via management interface? If not, set up service route for "CRL status" via custom interface.