Windows NPS + NXlog to Graylog

Andrew CheremisovSecurity, UncategorizedLeave a Comment

Saving Windows NPS logs to any folder Downloading NXlog Community Edition from here Changing NXlog config file at C:\Program Files (x86)\nxlog\conf\nslog.conf #NoFreeOnExit TRUE define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\\cert define CONFDIR %ROOT%\\conf define LOGDIR %ROOT%\\data define LOGFILE %ROOT%\\logs\\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\\modules CacheDir %ROOT%\\data Pidfile %ROOT%\\data\ SpoolDir %ROOT%\\data <Extension _fileop> Module xm_fileop # Check the size of our log file hourly, rotate if larger than 5MB <Schedule> Every 1 hour Exec if (file_exists(‘%LOGFILE%’) and \ (file_size(‘%LOGFILE%’) >= 5M)) \ file_cycle(‘%LOGFILE%’, 8); </Schedule> # Rotate our log file every … Read More

Licensing AnyConnect and Cisco FTD

Andrew CheremisovCisco FTDLeave a Comment

As you might already know the new Cisco Firepower Threat Defense appliances have only “Smart License” licensing. Lets say you bought L-AC-PLS-P-100 which is 100 User Plus AnyConnect licensing and in the description it shows “Family: ASA 5500 Series”. How to register it to the Smart Account and activate for Cisco FTD? If you try to “Convert to Smart Licensing”… Nope, doesn’t work The proper way is outlined in AnyConnect Licensing Frequently Asked Questions (FAQ). You need to open a case with Cisco Global Licensing (GLO) at and send following information: … Read More

Cisco ISE Guest API – PHP script

Andrew CheremisovCisco ISE1 Comment

Adds user to ISE via POST request. Returns first/last name and ISE generated username and password. GitHub repository: Postman POST request to the script ISE guest user is created

OSCP Guide. Where to start, what to read, how to practice.

Andrew CheremisovSecurity11 Comments

Around a month ago, I started my preparation for OSCP (Offensive Security Certified Professional)  exam and signed up for PWK course from Offensive Security in the mid-January. If you just started your path to OSCP certification you might have a lot of questions. Is there any official guide? What to read? Where to start? What kind of knowledge is required? In this article, I tried to unite all the information that I gathered from the Internet. I will constantly update the post with the new information.

Cisco ISE 2.2 – Open ports 9102 and 9103

Andrew CheremisovCisco ISE, SecurityLeave a Comment

One of our clients did a vulnerability scan of the new Cisco ISE 2.2 and found out two strange ports 9102 and 9103. After some research I find that those ports are related to ISE Wireless Setup. How to disable? At ISE admin CLI, issue application configure ise  Select option 17 ([17]Enable/Disable Wifi Setup). Note: If you have ISE 2.2 Patch 1 the ports will re-appear after 15-20 seconds and will not be able to disable them permanently. This behaviour is fixed in ISE 2.2 Patch 2

Refresh PMK every X seconds – Cisco ISE and Meraki

Andrew CheremisovCisco ISE, Security, WirelessLeave a Comment

One of our clients requested to refresh PMK (more about PMK) every 5 minutes during deployment of Cisco ISE and Meraki solution. Create new Authorization Profile in Cisco ISE (Policy – Policy Elements – Results – Authorization Profile) –Reauthentication—To choose, select the check box and enter a value in seconds for maintaining connectivity during reauthentication. You can also choose attribute values from the Timer drop-down list. You choose to maintain connectivity during reauthentication by selecting to use either the default (a value of 0) or RADIUS-Request (a value of 1) … Read More

Cisco ISE 2.2 OVA image and VMware vCenter 6.5+

Andrew CheremisovCisco ISE, SecurityLeave a Comment

Recently I installed the new ISE virtual appliance for one of our customers and found out that you no longer can natively import OVA image to VMware vSphere center. Cisco has one line explanation in ISE 2.2 guide The ISE 2.2 OVA templates are not compatible with VMware web client for vCenter 6.5. As a workaround, use the VMware OVF tool to import the OVA templates. Workaround: Download OVF tool from VMware site – Download the latest ISE appliance OVA image from Cisco site Go to OVF tool folder in command … Read More

AirWatch can’t identify MAC address of Android 6+ devices

Andrew CheremisovAirWatch, Security2 Comments

According to AirWatch support (see below) AirWatch MDM solution can’t identify MAC addresses of mobile phones with Android 6+ OS. It means that you will not be able to AirWatch-ISE solution using your new and shiny Android phone because Cisco ISE requests for MAC address and authenticate it based on MAC. Summary of issue Unable to identify MAC address of Android 6+ devices: Beginning with Android Marshmallow (6.0), Google has limited the ability of apps using the WiFi and Bluetooth API to programmatically access an Android device’s local hardware identifier.  … Read More

AirWatch and Cisco ISE API – Troubleshoot API access

Andrew CheremisovAirWatch, Security4 Comments

AirWatch can be integrated with ISE using AirWatch ISE API which is already included with all cloud AirWatch (Saas) solutions. Full list of Cisco ISE supported MDM servers can be found here Absolute AirWatch Citrix XenMobile Globo Good Technology JAMF Software Meraki SM/EMM MobileIron SAP Afaria SOTI Symantec Tangoe Microsoft Intune – for mobile devices Microsoft SCCM – for desktop devices