Posts

Showing posts from September, 2022

Windows packet capture

1. Start CMD, Run as Administrator.
2. netsh trace start capture=yes IPv4.Address=X.X.X.X CaptureInterface=""
3. netsh trace stop
4. etl2pcapng.exe in.etl out.pcapng

=======
https://github.com/microsoft/etl2pcapng/releases

netsh trace show capturefilterHelp
netsh trace show interfaces

ISE BYOD

BYOD in the guest world means I bring my device and get guest internet access, simple, done. ISE can do guest for general BYOD. BYOD in the ISE world specifically means native supplicant and certificate provisioning: getting a client securely onto the network using EAP-TLS. It has nothing to do with guest (although it does use the guest portal to start the process). It is primarily used for wireless user internal network access. For typical BYOD use cases, BYOD is allowed for employee users and potentially for contractor users. BYOD may be as simple as allowing personal endpoints to connect to the network without an automated onboarding process. However, the benefit of the ISE BYOD flow is that ISE can assist the end user in onboarding their endpoints by provisioning a CA-signed endpoint certificate as well as configuring the network interface and OS native supplicant to use the provisioned certificate for network access. The other benefit of ISE BYOD is the 'My Devices Portal', which allows end users to Create/R

Meraki Wireless ISE dynamic VLAN assignment

Solution 1
  Use Meraki Group Policy to configure a VLAN.
  ISE Authorization policy returns Airespace-ACL-Name.
  Meraki SSID RADIUS configuration: RADIUS attribute specifying group policy name > Airespace-ACL-Name

Solution 2
  ISE Authorization policy result sets the following RADIUS attributes:
  Tunnel-Medium-Type: 802
  Tunnel-Private-Group-ID: VLAN ID
  Tunnel-Type: VLAN

FTD Anyconnect with LDAP and remote AD

Scenario: An Anyconnect user connects to FTD and authenticates against a remote AD via an S2S VPN tunnel.

Issue: Assume the S2S tunnel between FTD and ASAv is fully configured and operational. The FTD LDAP configuration has no interface, whereas the ASA has:

FTD67# aaa-server RemoteAD host 10.1.1.10
 server-port 389
 ldap-base-dn dc=corp,dc=local
 ldap-group-base-dn dc=corp,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn ldap@corp.local
 server-type microsoft
 ldap-attribute-map RemoteAD
FTD67#

When the FTD S2S VPN has Route Injection for 10.1.1.0/24, the LDAP query to 10.1.1.10 on FTD goes nowhere. Packet captures on FTD outside, inside or ASP-drop don't show the LDAP query. When the FTD S2S VPN doesn't have Route Injection for 10.1.1.0/24, the LDAP query is sent out the FTD outside interface and shows as 192.168.2.4 > 10.1.1.10 389.

Solution 1 summary: Add the following to the FTD S2S tunnel ACL: permit tcp host 192.168.2.4 host 10.1.1.10 eq ldap. On ASA: access-list VPN-ACL ex

FTD Anyconnect with DHCP server for address assignment

1. Anyconnect DHCP configuration in FMC: this is a host object, which can be .0 or any number in the scope.
2. Packet capture on the DHCP server: the DHCP Discover packet is unicast; the DHCP Offer is unicast to the DHCP relay IP, not the FW IP.

==================
This article says an IP-Helper address is required when the DHCP server is not on the same subnet as the FTD inside interface, but since the DHCP packets we saw above are unicast, an IP-Helper address shouldn't be required.
https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215854-configure-anyconnect-vpn-client-on-ftd.pdf

Case: The AC client didn't receive an IP address. The capture on the DHCP server had repeated DHCP Discover and Offer packets, and packet tracer showed the DHCP Offer hit a NAT rule and was then sent to the outside interface. Found that the exemption NAT was missing the route-lookup keyword, which caused the DHCP Offer not to be processed as expected.