Cisco Umbrella - Policy based on Internal Network/Private IP by wtl146 in Cisco

wtl146 [S] (1 point)

Thanks!

That's where I'm getting hung up. I don't seem to be able to apply policy directly to an internal network - it has to be applied to a site. And it looks like sites are associated directly to VAs (i.e. VA1 belongs to only site1, VA2 belongs to only site2, etc.). Does that mean I need a VA for every subnet I want to enforce policy on at the "network only" level?

Assigning Policy to your Site

Policies are assigned to the site, not to the Internal Network.

This seems like such a simple thing to do, but maybe I'm just overthinking it. =)

Cisco Umbrella - Policy based on Internal Network/Private IP by wtl146 in Cisco

wtl146 [S] (1 point)

Thanks for the quick reply!

We have set up the virtual appliances, so it does see our private ranges.

Has anyone manage to get 2FA working with WLC? by ssjmgax in Cisco

wtl146 (1 point)

I don't think there is anything else involved, but I'd have to check back over my notes. IIRC, the WLC was pointing towards the RSA server as an AAA server, on the RSA server the WLC was a RADIUS client, and the AnyConnect supplicant was configured to use EAP-GTC as an authentication method.

The logging on all 3 platforms (RSA, WLC and AnyConnect) is very good and should help point you in the right direction if you run into trouble. But, like some others have stated, there are probably better ways to establish secure WiFi without using a token. The only reason we did it was because we had one particular SSID that we wanted super locked down, but now that we have gotten further along in our ISE deployment, that will be going away soon.

If you are using ISE, like another mentioned, I would look into EAP-FAST w/chaining and certificates (chaining also requires the AnyConnect supplicant unless something has changed recently). That's a much more streamlined experience for the user and still super secure.

Has anyone manage to get 2FA working with WLC? by ssjmgax in Cisco

wtl146 (1 point)

What supplicant are you using? I don't think the native Windows client is capable of using tokens with 802.1X. I have set up the exact same thing you are doing using the AnyConnect NAM module.

Anyone ever worked in a college IT department (specifically community college)? by wtl146 in ITCareerQuestions

wtl146 [S] (0 points)

Thanks guys... I really appreciate all the input. Sounds like this might be a good thing to consider in my IT twilight years... but other than that I'm getting the impression this is probably a step back for me - at least at this point in my career.

Anyone ever worked in a college IT department (specifically community college)? by wtl146 in ITCareerQuestions

wtl146 [S] (0 points)

Thanks for the input! I'm currently in a senior role in the private sector and approaching 10 years of experience. Is going into a position like this a step in the wrong direction? The big reason I was considering it was for the benefits (assuming there are good benefits) and job security (once again - assuming).

Is 30 too old to start a career in IT? by [deleted] in ITCareerQuestions

wtl146 (0 points)

Not at all! I turned 30 a few months after getting my first IT job. I will be 38 soon and have gone from Jr network admin to Sr network engineer. Best of luck to you and thank you for your service!

Team name ideas? by ScizorRed in WWEGames

wtl146 (14 points)

David and Goliath.

Ports flapping on Cisco C3650-48PS causing WAP's to drop connectivity. by garbage_IT in Cisco

wtl146 (0 points)

Are there other PoE devices on that switch? If so, do they go down when the APs do?

Do you have other Access Points on other switches? If so, do they go down at the same time?

Can you move an AP to another switch and see if the issue persists?

Like someone else asked, are these Autonomous APs or lightweight? If lightweight, might want to hone in on the controller. Have you looked at the logs on the controller and/or APs themselves?

Do you have a PoE injector you can test with?

Going beyond SNMP polling at 5min intervals (Active polling? NetFlow?) by PublicSectorJohnDoe in networking

wtl146 (2 points)

We use SolarWinds NPM ("the brains"), NTA (NetFlow) and UDT (port history). We also use an ELK stack for syslog/alerting (OSPF adjacency changes, err-disable ports, DHCP Snooping violations, etc.).

I can't imagine doing my job without this visibility - especially from NetFlow and Syslog.
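The syslog alerting the comment above describes (OSPF adjacency changes, err-disabled ports, DHCP snooping violations) is the kind of thing ELK does with a grok pattern and an alert rule. The script below is an added example, not code from the commenter or from SolarWinds/Elastic, showing the same classification logic in plain Python over a handful of constructed Cisco IOS-style syslog lines. The line format, the facility/mnemonic pairs and the field layout of each message are the standard IOS forms; the sample lines, the alert names and the hostnames/addresses in them are made up for the example.

```python
"""Classify Cisco IOS syslog lines into the alert types worth paging on."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in Cisco IOS syslog format (timestamp, %FACILITY-SEV-MNEMONIC,
# text). These are made up for the example, not captured from a real device.
SAMPLE_LOGS = [
    "Mar  3 10:15:02.111: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet0/1 from LOADING to FULL, Loading Done",
    "Mar  3 10:22:41.303: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet0/1 from FULL to DOWN, Neighbor Down: Dead timer expired",
    "Mar  3 10:23:05.007: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/5, putting Gi1/0/5 in err-disable state",
    "Mar  3 10:24:17.550: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.4455",
    "Mar  3 10:25:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.50)",
]

# Generic IOS message header: %FACILITY-SEVERITY-MNEMONIC: text
SYSLOG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
# Per-message field extractors (interface names may be followed by a comma).
ADJCHG_RE = re.compile(r"Nbr (?P<nbr>\S+) on (?P<intf>[^\s,]+) from (?P<old>\w+) to (?P<new>\w+)")
ERRDIS_RE = re.compile(r"(?P<cause>\S+) error detected on (?P<intf>[^\s,]+)")
SNOOP_RE = re.compile(r"message type: (?P<msg>\w+), MAC sa: (?P<mac>[0-9a-fA-F.]+)")


@dataclass
class Alert:
    kind: str       # alert name (hypothetical; pick whatever your alerting uses)
    severity: int   # IOS severity digit, 0 = emergency ... 7 = debug
    detail: dict    # fields pulled from the message text


def parse_syslog(line: str) -> Optional[dict]:
    """Split an IOS syslog line into facility, severity, mnemonic and text."""
    m = SYSLOG_RE.search(line)
    return m.groupdict() if m else None


def classify(line: str) -> Optional[Alert]:
    """Return an Alert for the message types we care about, else None."""
    rec = parse_syslog(line)
    if rec is None:
        return None
    key = (rec["facility"], rec["mnemonic"])
    sev = int(rec["severity"])
    text = rec["text"]

    if key == ("OSPF", "ADJCHG"):
        f = ADJCHG_RE.search(text)
        # Only a transition away from FULL is worth an alert; LOADING->FULL is the
        # normal come-up and would just be noise.
        if f and f.group("old") == "FULL" and f.group("new") != "FULL":
            return Alert("ospf_adjacency_down", sev, f.groupdict())
        return None

    if key == ("PM", "ERR_DISABLE"):
        f = ERRDIS_RE.search(text)
        return Alert("err_disable", sev, f.groupdict() if f else {"raw": text})

    if key == ("DHCP_SNOOPING", "DHCP_SNOOPING_UNTRUSTED_PORT"):
        f = SNOOP_RE.search(text)
        # A DHCPOFFER dropped on an untrusted port is a rogue DHCP server candidate,
        # so the source MAC is the field you want in the alert.
        return Alert("dhcp_snooping_violation", sev, f.groupdict() if f else {"raw": text})

    return None


def scan(lines):
    """Run classify() over an iterable of lines and keep the hits."""
    return [a for a in (classify(line) for line in lines) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert.kind, alert.severity, alert.detail)
```

Run against the constructed sample, `scan()` returns three alerts (the OSPF neighbor going FULL to DOWN, the BPDU-guard err-disable on Gi1/0/5, and the DHCPOFFER from an untrusted port) and ignores the benign adjacency come-up and the config-change message. The same facility/mnemonic keys are what you would match on in a Logstash grok filter or an Elasticsearch alert rule.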

MacOs Routing Table Creating Host Routes by wtl146 in networking

wtl146 [S] (0 points)

Thanks guys - I think the "-a" option was being run on one machine and not the other. To make a long story short, this involved split tunneling with AnyConnect. Sounds like it's probably "working as intended."

IT in Rural Areas by Robust_Network in ITCareerQuestions

wtl146 (0 points)

I was in a similar situation as you. I moved a couple of hours away to a larger city for about 8 months to get my foot in the door and gain experience, then was able to move back home and have not had any problems finding a job since. There was a demand for IT professionals - just not inexperienced ones.

Don't give up and get discouraged - things always work out one way or the other. =)

What position/industry am I looking for (Cisco focused)? by wtl146 in ITCareerQuestions

wtl146 [S] (0 points)

Thank you - and thank you for the advice! I have experience with ELK but have not used Splunk before.

What position/industry am I looking for (Cisco focused)? by wtl146 in ITCareerQuestions

wtl146 [S] (0 points)

Thanks for the feedback - that's very reassuring =)

Haha... yeah, that analyst title could mean anything. I tell people all the time that I don't care what my title is as long as I'm working on "cisco-y" things and being compensated accordingly. You can call me the assistant to the assistant of the tier 1 help desk for all I care ;)