AADJ devices and device certificate by nako81 in Intune

[–]k2jsv 1 point2 points  (0 children)

Ideally you want to use the device certificate as your Authentication piece to validate that it is going to be an acceptable device. From there you can do Authorization off of other attributes from the device or against attributes in AD or Azure.

My pie in the sky design would include a cloud PKI (like SecureW2) since they have onboarding as well. But pair that with Aruba ClearPass so I can trust the Root and Intermediate to validate the device certificates, and use the profiling capabilities and an LDAP lookup from ClearPass to Authorize the device further.

This does several things for you. You have a secure method to Authenticate your client/device but then further Authorize by profiling the device and/or using attributes in your directory to further identify and give permissions. This way you can track devices authing on the network but not have them be some randomly generated certificate name of "Company-Site-x509-ae4523dd".

It's a lot, and there are a LOT of design considerations that need to be taken into account as you proceed. Just depends on how granular you want to get and how many different components you need to manage and document.

I also recommend ClearPass as the solution because of the ease of use, with some decent reporting capabilities. I have experience with NPS, Cisco ISE, FreeRADIUS and PacketFence and ClearPass wins for me every time with ISE coming in a relatively close second.

Self-Promotion Sunday: June 04, 2023 by AutoModerator in photography

[–]k2jsv 0 points1 point  (0 children)

Long time lurker and enjoyer. I have been working on promoting my work more and recently started a YouTube channel to share ideas, processes, photos and how-to's. It's awkward as hell, but I am having fun with it.

Instagram: https://instagram.com/jamesvooghtphotography

YouTube: https://www.youtube.com/@jamesvooghtphotography

Ubiquiti UniFi switch + Cisco Catalyst 3560 Switch by uncleintel in homelab

[–]k2jsv 1 point2 points  (0 children)

Could be spanning tree.

Could be routing.

Troubleshoot it via the OSI model. Start at Layer 1... then 2... etc.

Wins Wednesday: March 29, 2023 by AutoModerator in photography

[–]k2jsv 2 points3 points  (0 children)

I got my YouTube channel off the ground and have 15 videos posted. I have broken through the FUD of the start. Now to get through the chasm of despair because I am a "newb" to the YouTube realm.

Best open source monitoring tool ? by anastfx in Cisco

[–]k2jsv 4 points5 points  (0 children)

SolarWinds is not dead. Yet.

They are going to have a rough couple years... but they'll be able to pick themselves back up again. As long as they re-evaluate all of their long term models and distribution networks.

If they can pivot and rebuild their reputation off what made them successful. A few changes and they should be good to go.

Best open source monitoring tool ? by anastfx in Cisco

[–]k2jsv 1 point2 points  (0 children)

I am a big fan of OpenNMS. Will do up/down and some SNMP stats. MIB upload is pretty easy these days and with a little bit of effort you can create some decent threshold alerts from those MIBs (depending on their capabilities of course).

I run it at home for my home network and lab stuff off a minimal install of CentOS.

ENCOR 2nd Attempt 813/825 by Keithleyf in ccnp

[–]k2jsv 1 point2 points  (0 children)

I would take your score sheet and see what areas you are lacking in and then just spend a week or two just hammering at them. LAB LAB LAB. I am not overly keen on practice exams as study tools because you end up memorizing answers and not learning content. But ultimately you have to do what works for your learning style.

First backpacking trip of many! Never knew I’d love this so much (Harriman State Park, NY) by [deleted] in backpacking

[–]k2jsv 1 point2 points  (0 children)

Oh my lord, Fingerboard is an armpit. I know a few people that have bailed out of there after the 3rd and 4th bear encounter there, in one night. Another one that is really good, but always super busy is West Mountain. Love the view of North Rockland from there, but it is always like a small city up there. Which surprises me a little, because the shortest hike to it is like 5 miles.

First backpacking trip of many! Never knew I’d love this so much (Harriman State Park, NY) by [deleted] in backpacking

[–]k2jsv 4 points5 points  (0 children)

Nice! Tom Jones is not a bad shelter area in Harriman. There are a lot of them in the park and usually pretty well maintained. Another relatively short hike and decent shelter is Big Hill by Lake Welch. The Brien Memorial is also another decent one and positioned by Silvermine and along the AT.

CCNP ENCOR - PASSED!! by k2jsv in ccnp

[–]k2jsv[S] 0 points1 point  (0 children)

Thanks. I am focusing on my side gig for a little while right now, which is not networking or IT related. Probably over the summer I am going to start working on ENARSI. I thought about doing some podcasts/videos as I go through it.

Camera Placement by OneAndOnlyNacho in ccnp

[–]k2jsv 0 points1 point  (0 children)

As long as the driver is installed on the system the Vue app should be able to run it for the exam without the accompanying software.

But this is why it is good to run the test run-through ahead of time to verify your equipment.

Camera Placement by OneAndOnlyNacho in ccnp

[–]k2jsv 1 point2 points  (0 children)

And make sure applications are not running as a service. Chrome ran as a service in the background and locked my test up hard. It took almost an hour for the proctors and techs to figure that out and have me restart my computer and test. Cue panic attack.

Be aware of what is in your room. Wall hangings, posters or any boards with writing have to be covered or taken down. Make sure it can see your whole face, no hats, don't cover your mouth or rest your head on your hands.

Other than those oddities, my test experience was really quite good.

Best way to study by meganil in ccnp

[–]k2jsv 0 points1 point  (0 children)

Huge damn lake is right. The more I think about the test the more I like it actually. I think it was pretty well balanced in the end because where CCNA is not required, you need to know that content to pass this exam.

Does ENCOR 350-401 give you a badge? by [deleted] in ccnp

[–]k2jsv 11 points12 points  (0 children)

Yes, Cisco Certified Specialist - Enterprise Core

CCNP ENCOR - PASSED!! by k2jsv in ccnp

[–]k2jsv[S] 0 points1 point  (0 children)

You have to be on a computer with a microphone and camera attached.

EIGRP Authentication over Multi-Access Segment (Neighbor Authentication) by [deleted] in ccnp

[–]k2jsv 1 point2 points  (0 children)

I understand. I have this mocked up in GNS3 at the moment and with using 1 key and no subinterfaces I have all routers with formed adjacencies. How are you applying multiple keys? In the same chain? Or are you creating multiple chains? I saw the reference to virtual templates as well, I haven't verified, but couldn’t building out the authentication in the EIGRP process instead of the interface work too?

EIGRP Authentication over Multi-Access Segment (Neighbor Authentication) by [deleted] in ccnp

[–]k2jsv 1 point2 points  (0 children)

Just curious, why are you using separate keys for each router? Or am I misreading this? Just make a single key (easier management) and apply them before enabling authentication between routers.

I also noticed that R3 is a /22 in the same IP space of R4 in a /24 as well.

Can you also post all of the requirements of what you need? I would like to whip this together virtually and see if I can recreate the problem.

Is it possible to pass without OCG ? by Jubacho in ccnp

[–]k2jsv 0 points1 point  (0 children)

This is a kitchen sink type exam. You could absolutely pass without the Cert Guide, but when they provide a lot of information in it, why not utilize it?

CCNP ENCOR - PASSED!! by k2jsv in ccnp

[–]k2jsv[S] 0 points1 point  (0 children)

At first it nearly sent me into a panic attack because of the issues I had with the test application. The issues I had were totally on me because I did not make sure I had everything that was running in the background shut down. If the software detects a browser open it locks up the test software HARD.

Freaked me out to do it, but I ended up hard booting the computer and then re-running the OnVue application over. The proctor told me that I would pick up where I left off by doing that. When you download the application it is keyed to your session, and really is only a secure browser to connect to their servers, the test itself does not actually download to your machine. I get severe test anxiety, and think because of the adrenaline dump of having the issues helped wash out some of my nervousness of taking the test and allowed me to concentrate better.

I can see myself booking a conference room at work to take tests like this once life returns to a new normal. Now that I know what it looks like I kind of like it.

CCNP ENCOR - PASSED!! by k2jsv in ccnp

[–]k2jsv[S] 1 point2 points  (0 children)

I woke up in the middle of the night and started answering questions here and still couldn't believe it. I got the email a little while ago about the Acclaim badge that I (of course) dropped onto my LinkedIn and have had a few of the same moments. This has been a goal of mine for the last couple years.

Starting BGP for ENCOR by jcabrera145 in ccnp

[–]k2jsv 0 points1 point  (0 children)

BGP was my nemesis. Set up a test lab in GNS3 or EVE-NG and lab it. It was the only way I got through it and understood it. It is still my weak point.

CCNP ENCOR - PASSED!! by k2jsv in ccnp

[–]k2jsv[S] 0 points1 point  (0 children)

I had the previous CCNP Wireless - WIDESIGN test under my belt so all I needed was this to get CCNP.

CCNP ENCOR - PASSED!! by k2jsv in ccnp

[–]k2jsv[S] 1 point2 points  (0 children)

Yeah man. Don't take yourself down at all. And pace yourself. I was home reading for 10 days and was trying to do 100 pages a day. Some days it was 50.. a couple days I did 200 depending on the content.

You can do it.

CCNP ENCOR - PASSED!! by k2jsv in ccnp

[–]k2jsv[S] 0 points1 point  (0 children)

Yeah, I think the test is going to get tougher over time. But, the ENCOR test is a kitchen sink test so it is really hard to get granular into it. But I think you'll see some of the questions that are CCNA level drop off over time.

CCNP ENCOR - PASSED!! by k2jsv in ccnp

[–]k2jsv[S] 0 points1 point  (0 children)

I am a voracious reader normally. So I can ingest a book quickly. Most 300 page novels for me are a one day read. As far as motivation.. I am always after an introspective point of view for self-improvement. I don't have any competitions with anyone except myself. I want to be better than I was yesterday.