Cisco ISE is a Web Server!

When deploying BYOD, instructions and error messages to end users are key to user satisfaction. The overhead and additional complexity of a dedicated web server might not be appropriate for your team, your security requirements or your design.

If you happen to be running Cisco’s ISE as your authentication server then you can use that to host your pages!

The implementation is quite simple. To get started, create a new custom portal, but take care with the name you choose as you’ll need it later; in the picture below mine is called CustomErrorPage.


Next upload your files; notice how my screenshot has a bootstrap CSS file. You need to upload all the HTML/CSS/JS/images/etc.


The final step is to configure the file mappings. You want them all to point to your index.html, that way no matter what the user tries they always get the same response.


Save your work (hit submit!) and you’re done.

Now your page can be found at http://ise.ip.address/guestportal/portals/CustomErrorPage/index.html

(Change CustomErrorPage if you called yours something different)

Below is what mine looks like.


You can then use AuthZ results to redirect people to the page in question :)

Cisco ASA SYSLOG config for Tufin SecureTrack

I’m sure there’s a very good reason that the Tufin Secure Track User Guide (R14-1) has 8 pages of screenshots instead of including these 10 lines of config; I just don’t yet know what the reason is :)

logging enable
logging timestamp
logging facility 23
logging message 111008 level notifications
logging device-id hostname
logging list securetrack message 111008
logging list securetrack message 106100
logging list securetrack message 106023
logging trap securetrack
logging host inside <ST_SERVER_IP>

Replace <ST_SERVER_IP> with the IP address of your ST server.
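As an added example (not part of the original post), this Python checks that what arrives from the ASA is what the logging list above is meant to send: it parses the syslog PRI (facility 23 is local7, so PRI = 23*8 + severity) and the %ASA-severity-id tag, and keeps only the three listed message IDs. The sample records, the hostname FW01 and the addresses are constructed, not captured from a real firewall.

```python
import re

# Message IDs forwarded by the 'logging list securetrack' statements above:
# 111008 = config command executed, 106100 = ACL hit logged, 106023 = ACL deny.
SECURETRACK_IDS = {"111008", "106100", "106023"}

# 'logging facility 23' is syslog local7; a record's PRI is facility * 8 + severity.
ASA_FACILITY = 23
SEVERITY_NAMES = ("emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging")

# <PRI>, the timestamp/device-id header, then the %ASA-<severity>-<id>: tag.
ASA_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<header>.*?)%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")

def expected_pri(severity):
    """PRI an ASA with 'logging facility 23' puts on a record of this severity."""
    return ASA_FACILITY * 8 + severity

def parse_asa_syslog(line):
    """Split one ASA syslog record into fields; None if it is not an ASA record."""
    m = ASA_RE.match(line)
    if not m:
        return None
    pri, sev = int(m.group("pri")), int(m.group("sev"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "severity_name": SEVERITY_NAMES[sev],
        "tag_matches_pri": pri % 8 == sev,   # PRI and %ASA tag should agree
        "msgid": m.group("msgid"),
        "text": m.group("text"),
    }

def securetrack_events(lines):
    """Keep only the records SecureTrack consumes, in arrival order."""
    return [rec for rec in map(parse_asa_syslog, lines)
            if rec and rec["facility"] == ASA_FACILITY and rec["msgid"] in SECURETRACK_IDS]

# Constructed sample records (not captured from a real ASA); FW01 and the addresses are made up.
SAMPLE_LINES = [
    "<189>Mar 10 2014 10:11:12 FW01 : %ASA-5-111008: User 'nick' executed the 'logging enable' command.",
    "<190>Mar 10 2014 10:11:13 FW01 : %ASA-6-106100: access-list inside permitted tcp inside/10.10.1.91(51000) -> outside/203.0.113.5(443) hit-cnt 1 first hit [0xd0cd20cd, 0x0]",
    "<188>Mar 10 2014 10:11:14 FW01 : %ASA-4-106023: Deny tcp src outside:198.51.100.9/40001 dst inside:10.10.1.92/22 by access-group \"outside\" [0x0, 0x0]",
    "<190>Mar 10 2014 10:11:15 FW01 : %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.10.1.91/51000 (10.10.1.91/51000)",
]
```

The 302013 connection record is dropped because it is not on the list; a record whose PRI severity disagrees with its %ASA tag is flagged by tag_matches_pri so a mis-set relay can be spotted.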

Cisco ASA – inc – regex examples

I use things like show run | inc abc all the time, but I’ve never really dabbled with plumbing regex through it, so I played a little today. Here are a couple of examples you might find useful:

Look for either https or www in an access-list

FW01/pri/act# show run access-list inside | inc (https|www) 
access-list inside extended permit tcp object inside any4 eq www 
access-list inside extended permit tcp object inside any4 eq https 

Look for either 10.10.1.91 or 10.10.1.92 in an access-list

FW01/pri/act# show access-list inside | inc 10.10.1.(91|92)
  access-list inside line 8 extended permit udp host host eq 1001 (hitcnt=0) 0xd0cd20cd 
  access-list inside line 8 extended permit udp host host eq 1001 (hitcnt=0) 0xf94e6d62 
  access-list inside line 8 extended permit udp host host eq 1001 (hitcnt=0) 0x0bced66c 
  access-list inside line 8 extended permit udp host host eq 1001 (hitcnt=0) 0x9ceae405 

There’s loads that can be done; Google is your friend.
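As an added example (not from the original post), here the same two filters are run in Python over a constructed bit of show access-list output, alongside an anchored version of the host pattern: the post’s 10.10.1.(91|92) leaves the dots unescaped and is unanchored, so it also pulls in 210.10.1.91, which matters when you are auditing an ACL for exactly one host. The anchored form uses only ^ $ | ( ) and escaped dots, which I assume the ASA filter accepts as well; Python’s re stands in for the ASA here.

```python
import re

# Constructed sample of 'show access-list inside' output (addresses, hit counts and
# hash codes are invented); line 3 holds 210.10.1.91 to show the over-match.
ACL_OUTPUT = """\
access-list inside line 1 extended permit tcp any4 host 10.10.1.91 eq www (hitcnt=3) 0x1a2b3c4d
access-list inside line 2 extended permit udp host 10.10.1.92 host 10.10.2.5 eq 1001 (hitcnt=0) 0xd0cd20cd
access-list inside line 3 extended permit tcp any4 host 210.10.1.91 eq https (hitcnt=7) 0x9ceae405
access-list inside line 4 extended permit tcp any4 host 10.10.1.9 eq https (hitcnt=0) 0x0bced66c
"""

# The post's patterns, plus an anchored form of the second one. Python's re stands in
# for the ASA filter (assumption: '| inc' is an unanchored regex search, like re.search).
EITHER_SERVICE = r"(https|www)"
LOOSE_HOSTS = r"10.10.1.(91|92)"                  # as in the post: '.' matches any character
ANCHORED_HOSTS = r"(^| )10\.10\.1\.(91|92)( |$)"  # escaped dots, bounded by a space or line end


def inc(output, pattern):
    """Emulate 'show ... | inc <regex>': keep the lines the regex matches anywhere."""
    rx = re.compile(pattern)
    return [line for line in output.splitlines() if rx.search(line)]


def acl_line_numbers(lines):
    """Pull the 'line N' numbers out of show access-list output, for easy comparison."""
    return [int(re.search(r" line (\d+) ", line).group(1)) for line in lines]


if __name__ == "__main__":
    for name, pattern in (("services", EITHER_SERVICE), ("loose", LOOSE_HOSTS),
                          ("anchored", ANCHORED_HOSTS)):
        print(name, acl_line_numbers(inc(ACL_OUTPUT, pattern)))
```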

Using bootstrap on Cisco ISE

ISE 1.1 had horrible web portals which didn’t render well on mobile devices at all (odd for a BYOD solution). Cisco have fixed that now in 1.2 with the ability to enable a mobile version… but what if you want something totally custom that works well on both desktops and mobile?

Enter bootstrap!

The trick to getting this working is knowing the correct paths for the stylesheets, so to make things easy I have created a GitHub project called ise-bootstrap. To get started, create a custom portal with the name myportal and upload the files. Change your authz result to point at the new file and enjoy the responsive goodness!

Here are some 1.1 screenshots of me creating the portal, the process is pretty similar in 1.2 – I will upload some newer screenshots at some point!

The only gotcha to be aware of is the Glyphicons; if you want to use those then you need to customise the bootstrap download so that it matches the name of your portal.

This is the end result…

ISE 1.1 07 example login page

If you get stuck, there is a README which complements this blog post.

OS X: Sync’ing keychains in the iCloud

Keychains hold passwords, certificates and general secret stuff – only do this if you understand that Apple will have access to this… well, assuming they can crack your keychain password (which they probably can).

Synchronising a keychain across macs could be useful, for example, having a dedicated keychain for WiFi credentials.

I stumbled across this link (dated Nov 2011) and found that this still works!

The ~/Library/Mobile Documents/ folder is pushed to all iCloud-enabled computers, so I have created a new folder and copied my WiFi keychain into it:

$ mkdir ~/Library/Mobile\ Documents/com~linickx~icloud
$ cp ~/Library/Keychains/wifi.keychain ~/Library/Mobile\ Documents/com~linickx~icloud/

If you only have one keychain, login.keychain, consider splitting out the really secret stuff and only sync’ing the stuff you want to share with Apple.

Now open “Keychain Access”, delete the original keychain and add/open the iCloud copy. On any other Mac, add/open the iCloud keychain. Once complete, any change to the keychain will be pushed to all Macs, simplifying password changes :)

I’m also using this to sync dotfiles!

You could use Dropbox for this; one reason to use Dropbox is that iCloud sync seems to be a bit hit and miss. However, Dropbox already has enough of my secrets; I’m not suggesting that iCloud is more secure, it’s just better to have many baskets.

FOOTNOTE: If your mobile documents folder isn’t sync’ing, see this post by SteveX.

Checkpoint, Gaia, TACACS – two lines of config

If you have a Checkpoint firewall, you probably know about Gaia… and if you have more than one firewall admin, you probably want to individually authenticate them to the operating system (as opposed to an encrypted file of usernames & passwords which gets passed around the office).

 add rba role TACP-0 domain-type System all-features
 set aaa tacacs-servers authentication server <TACACS_SERVER_IP> key mysecretkey

What you need to know about the above…

  • If a user can successfully authenticate by TACACS they become a super user, if you need different roles read up on “role based administration”, TACP-15 and the enable_tacacs command.
  • The config has been tested on Cisco ACS 5.4, the default TACACS “default device administration” profile works with no changes.
  • This is tacacs authentication only, authorization is handled by the local RBA.

sourcefire virtual sensor system requirements

I don’t know why, but the system requirements for Sourcefire’s virtual sensor are buried in the wording of their datasheets… anyway, saved here for ease of reference :)

Virtual Sensor

VMware ESX/ESXi 4.1/5.0 or Xen 3.3.2/3.4.2
at least one CPU
min 1GB RAM

Defence Centre

VMware ESX/ESXi 4.1/5.0 or Xen 3.3.2/3.4.2
at least two CPUs
min 2GB RAM

…hmm, I wonder if they’d boot in VirtualBox? ;)

The sensor provisions 50 GB of disk and the manager 250 GB; the OVF supports thin disk provisioning, so you don’t need all that storage on day 1.

mod_security and WordPress with Commands in Permalinks (urls)

For a long while now one of my oldest posts (nagios ping tool) has returned a 403 error and I couldn’t work out why… a recent post about curl also fell foul of the same issue, so I’ve been forced to work out why ;)

The main challenge I faced was that I could not find any errors in my logs: Apache’s error_logs were empty, Varnish was not catching the error page and my mod_security debug log didn’t show anything. There is clearly a to-do here, I need to look into my logging issues, because the issue was mod_security!

modsecurity_crs_40_generic_attacks has a list of system rules which deny access to commands, and on my system ping & traceroute are indeed commands! Looking through _crs_40 I can see that rule ID 950907 blocks curl, therefore I can create a simple LocationMatch to permit access to that page.

<LocationMatch "^/3659/my-lifestream-php-curl-ca-certificate-issues">
    SecRuleRemoveById 950907
</LocationMatch>

Traceroute and ping are IDs 958837 & 958893 respectively. Going forward I could simply remove those IDs globally, but to be honest I don’t want to; I’m comfortable with the restriction they bring… I will just have to be more careful with the titles I use on pages.

Hacking Cisco ISE UDI

ISE Virtual Machine that thinks it’s a CAM
The back story… you’ve deployed your ISE appliance and the world is great! Your management need you to make a change “right now”, but that virtual machine in the lab you have been using for testing is 91 days old and the eval no longer works. You raise a case to get budget and a PO over to Cisco for a lab ISE appliance or license, but this change is critical; if only there was a way to use your appliance license on your VM?

Perhaps you should log into your ISE appliance and make a note of the Product Identifier (PID), Version Identifier (VID) and the Serial Number (SN).

What you might want to do now is shut down your ISE VM and mount the disk… I always have a CentOS server kicking around for this kind of thing, so if I was to do this, I would mount the ISE virtual disk as an extra disk that CentOS has access to.

From within CentOS you can use fdisk -l to view the hard drive partitions… When you’re hacking a VM you mount as many of the ISE partitions as you can (some will fail) to see what’s there. On my test machine /dev/sdb7 was the partition of interest as it had an /opt directory (Cisco always installs stuff in /opt).

Inside mount-point/opt/system/bin/ you might find a file called cars_udi_util, that’s the puppy that the license is bound to.

What you might want to do is rename that file and replace it with something that always gives the “right” answer. Attached is cars_udi_util.txt, a shell script I have been testing, edit the top of the file and insert the PID/VID/SN you found earlier.

Now save cars_udi_util.txt to mount-point/opt/system/bin/cars_udi_util; that’s right, remember to remove the .txt!

Unmount the disk, shut down CentOS and boot up ISE.

Now, I’ve been hacking my machine and after this change the services wouldn’t start (show application status ise); to fix that I ran application reset-config ise from the ISE CLI shell, rebooted and voila! …The machine booted up with a blank default config.

After changing the default admin password (from cisco) it would now be possible for you to use your proper appliance license on your VM… of course this is only a temporary thing and I fully expect & recommend you undo these changes as soon as your new license arrives from Cisco.

Happy Hacking!

password-less ssh login to JunOS

Juniper (JunOS) SRXs support ssh public key authentication.

nick> show configuration system login | display set 
set system login user nick uid 2001
set system login user nick class super-user
set system login user nick authentication ssh-rsa "PASTE_KEY"

No-one likes to type passwords!

Blue Coat Proxy, iPhone’s multiple authentication issues.

Recently a colleague pointed me at the following Blue Coat KB about NTLM issues, because basically the iPhones on the corp network were getting multiple authentication challenges even though the username & password are saved in the connection profile!

To resolve this we created a second authentication realm on the Blue Coat with Kerberos & NTLM authentication disabled (i.e. only basic auth); we then created an authentication rule which matches user agent strings and authenticates against the new basic-only realm. Below are some command lines to point you in the right direction:

!- BEGIN authentication
security iwa create-realm uk 16101
security iwa edit-realm uk ;mode
alternate-server 16101
security iwa create-realm ukBasicAuth 16101
security iwa edit-realm ukBasicAuth ;mode
alternate-server 16101
credentials-kerberos disable
credentials-ntlm disable

I should point out that the KB is out of date; upon implementing we noticed a lot of Windows users getting unwanted authentication challenges, therefore I suggest you only match against iPhone & iPad… in fact I stuck Macintosh in as well and my MacBook is getting fewer challenges too!

Enjoy the CPL goodness below!

;; Description: BlueCoat KB4741
define condition __CondList1BasicUserAgents
end condition __CondList1BasicUserAgents

define condition BasicUserAgents
end condition BasicUserAgents

        condition=BasicUserAgents authenticate(ukBasicAuth)  authenticate.force(no) authenticate.mode(proxy)    ; KB4741
        authenticate(uk)  authenticate.force(yes) authenticate.mode(proxy)      ; All Internet Traffic