Offline examination of configuration (1.3+)

I have spent most of my 20-plus year career working with routers, switches, firewalls, IDS/IPSs, email and web security appliances, and so many more. One of the common attributes of all those devices was the ability to export the configuration and send it to someone else to review or TAC engineers to analyze, etc. ISE was one of the first and only times where it seemed we must access the GUI in order to see how it was configured, and there was no way to do it offline/out of band. ISE 1.3 added the ability to export the configuration to a human-readable XML. Before you ask: no, there is no import function as of ISE 2.1.

Figure 22 - Export Configuration

What certificates are in use with which portals (1.4+)

There are a lot of portals hosted in an ISE environment: portals for WebAuth or sponsorship, certificate provisioning, BYOD and more. What was missing prior to ISE 1.4 was the ability to see from a single location what portals were using a given certificate. You used to have to go into each portal one at a time to see which certificate was being used. It made troubleshooting a bit of a pain and also complicated the operationalizing of certificates in ISE. ISE 1.4 added the capability to easily see which portals are associated with the certificate, as seen in Figure 23.

Figure 23 - Which Portals Using Certificates

Test buttons for external connections (1.4+)

ISE uses storage repositories for numerous things. They are added to the configuration in the GUI, but there wasn't any mechanism in the GUI to see if the configuration worked. Sometimes admins would start an ISE backup, pointing it to the configured repository for storage of the backup. The files would be collected, tarred and gzipped, and then ISE would try to place that tarball onto the repository and bam, failure. Many of us got into the habit of creating the repository in the GUI and then, in a separate CLI window, issuing the "show repository" command. So in ISE 1.4, a test repository button was added to the GUI, as seen in Figure 24.

In addition to the external repositories, ISE also connects to external services, such as the Profiling Feed Service. ISE 1.3 also adds a test button for that external feed service that ensures it is reachable and functioning correctly, as shown in Figure 25.

Figure 25 - Validate Feed

dACL Validator (1.2+)

Downloadable ACLs (dACLs) are configured centrally in ISE and then downloaded to the Cisco IOS network device through the RADIUS control plane. ISE 1.2 adds the dACL syntax validator, shown in Figure 26.

Figure 26 - dACL Syntax Check

Exposed all the logs from CLI (1.2+)

All logs, including those from Tail and others, have been exposed in the CLI without needing the root patch, along with the ability to tail the files, etc. Show Logging Application and Show Logging System are the commands used to show the files, shown in Figure 27. Here's an example of using tail to view the profiler.log file.

ISE20-1ek/admin# sh logging application profiler.log tail
01:07:09,879 INFO .ReProfilingEventHandler -:::- Resuming reprofiling.
01:07:09,915 INFO .FeedServiceConfigNotificationHandler -:::- Enable feed re-profiling after feed download.
03:00:00,000 INFO .EPPurgeEventHandler -:::- Send Endpoint purge event.

Root access to the operating system is something that secure applications will try to prevent. Any escape from the limited shell and into the underlying OS is something that vendors always try to avoid.

Back in 2007, Cisco acquired Ironport for its world-class content security and centralized online reputation capabilities.