ISE C3PL Switch Configuration

In this blog post, I'm going to go over a different way to configure your switch for ISE called Cisco Common Classification Policy Language (C3PL). I have known about this configuration for awhile but I will admit that I didn't really try to learn it until recent. If you read the IBNS 2.0 deployment guide here, it's pretty intimidating guide at a whopping 65 pages long and reads like a typical manual. I ended up reading Jamey Heary and Aaron Woland's Cisco ISE for BYOD Second Edition and they broke it down beautifully in 4 pages which made me go "Team C3PL."

ISE 2.3 - New Policy Sets

In this blog post, I'm going to go over the new policy sets in ISE 2.3. A lot of people have come to me and said they were worried about having to learn the new policy sets. Well, I have good news for you: While there are some enhancements, it's not really as initimating or new as you think. Are there enhancements? Sure! But it doesn't mean you have to re-learn the whole thing if you don't want to. 

ISE 2.3 - Passive ID & EasyConnect Enhancements

In this post, I'm going to review the PassiveID features of ISE that are new as of ISE 2.2 and 2.3. In this particular post, I'll be doing it all from ISE 2.3 but bear in mind that you can do all this from ISE 2.3 as well. In ISE 2.0, there was a feature added called EasyConnect which utilized WMI logs from the Active Directory Domain Controller to check for login events. Based on those login events, ISE would make a decision to grant access. This allowed ISE to grant network access beyond the typical 802.1x and profiling methods. This functioned well but required a LOT of backend work to prepare Active Directory to share the WMI logs and if you read my earlier post here, you will see what I mean The creators of ISE decided to revamp this process and create a better way to do this in ISE 2.2 and later. 

CCIE Security: Troubleshooting Site-to-Site IPSec VPN with Crypto Maps

In this post, we are going to go over troubleshooting our VPN using debug commands. This is particularly useful for the folks out there reading this that only have access to only one side of the VPN or have a VPN to a 3rd party. I wanted this to remain a separate post from my ASA and IOS site-to-site VPN configuration posts because troubleshooting this is almost entirely identity on both a router or an ASA so I wanted to combine the troubleshooting to a single post. 

CCIE Security: Site-to-Site IOS VPN with Crypto Maps

In this post, I'm going to go through configuring site-to-site VPN on IOS. We're going to take what we learned in the last blog post and apply it here. I think the best way this was explained to me was by Khawar Butt where you should think about your VPN configuration by break it down by the phases and then create your base VPN configuration on that. For the folks who don't know who Khawar Butt is, I'll be writing a review of his class shortly but you can see a sample of his work here.  

CCIE Security: IPSec VPN Overview (IKEv1)

In this post, I'm going to go over a high level explanation of VPNs and specifically IPSec. This is going to be the first in a series of VPN posts focusing on the various types of VPNs one might see on the CCIE Security lab or on the job. I think it's important to have this overview because as you configure IPSec VPN or troubleshoot it, it'll help you to know what's going on under the covers of that configuration. 

Integrating ISE with Splunk for Reporting

This post is going to be a bit different. I'm configuring Splunk in my lab currently for reporting and as I go through it, I'm going to detail my configurations here. I am going to use Splunk to aggregate my ISE logs to it. In order to do so, we're going to have to install the Spunk for Identity Services (ISE) app onto Splunk. Before starting, please download the app

Installing Splunk

I'm currently adding Splunk to my lab so as I'm going through the configuraitons, I'm going to list out what I do here as a series of blog posts. Splunk is a pretty power SIEM that works to aggregate and correlate data across your network and security tools. If you ever wanted to try it out for free, go to and you should be able to download it for free for use up to a certain point. The nice thing about Splunk is that there are tons of free pre-built apps and dashboards for multiple vendors which you can download