beiyanglong 21 Posted January 14, 2019 (edited)

Task 4.2 question: when I tested the configuration on a C3650 switch for dot1x and MAB authentication, I don't think I need the following commands (those two VSA commands are on by default). Could it be that in the lab they need to be turned on manually?

!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send accounting
radius-server vsa send authentication

Also, we are not required to do any accounting here, so the following line is not needed either.

!
aaa accounting dot1x default start-stop group ISE
!

Please correct me if you see any problem. Thanks!

Edited January 14, 2019 by beiyanglong

zlatkom 0 Posted January 18, 2019

Hi MrR0b0t, in your post I see that you add a specific authentication policy for each task based on NAS IP and flow type. Is that required for getting all points, or can the default authentication policy set just be used, as it covers all auth requirements in general? Also, for endpoint groups you define a custom one for MAB PC, which you used in the authorization rule? Do you think the lab proctors are expecting the candidate to create a custom one, or is it also fine if a pre-defined one (like workstation) is used?

MrR0b0t 3,749 Posted January 18, 2019

> Hi MrR0b0t, in your post I see that you add a specific authentication policy for each task based on NAS IP and flow type. Is that required for getting all points, or can the default authentication policy set just be used, as it covers all auth requirements in general? Also, for endpoint groups you define a custom one for MAB PC, which you used in the authorization rule? Do you think the lab proctors are expecting the candidate to create a custom one, or is it also fine if a pre-defined one (like workstation) is used?

You are right. Although the question does not specify any condition for the authentication policy, so any common authentication rule with just a MAB condition, for example, can be used, I prefer to keep all the authentication and authorization rules separate so that I can see the right rule matching the connection. Also, IIRC in the lab the policy will be empty, so you will not have even a default authentication rule.

Regarding groups, it does not really matter if you use a system-defined group or a custom one unless the question asks for it explicitly. I prefer creating my own elements so that I have more control rather than being dependent on automatic elements. Also, you can possibly face an issue in the lab where it does not allow you to edit system elements.

beiyanglong 21 Posted January 18, 2019

> Also, IIRC in the lab the policy will be empty, so you will not have even a default authentication rule.

Can the default authentication rule be disabled? Just tried it on my test ISE and I don't think I have the option to do so.

MrR0b0t 3,749 Posted January 18, 2019

> Can the default authentication rule be disabled? Just tried it on my test ISE and I don't think I have the option to do so.

Yes, you can disable or delete default authentication policy rules.

raymus7 3 Posted January 25, 2019

My friend, could you please help me set up the EVE lab? L2/L3 images are working fine with ASA 8XX; only IOUL are not working?! Generated the iourc key and fixpermissions for the wrapper, still these images are not working. Appreciate your support.

tonythetiger 232 Posted February 4, 2019 (edited)

Hi all,

I would like some clarifications/tips for the following questions, preferably from someone who passed the lab exam.

Task 2.1/2.2
After we configure WCCP on R2 and WSA, what IP should we see as the Router Identifier when we perform "sh ip wccp" on R2? Is it 150.1.7.232?

Task 3.5
Can someone verify that SW2 needs to be provisioned with a PAC file? Correct me if I am wrong, but even if we don't provision SW2 with a PAC file, the ASA will still be able to resolve the SGTs. So the question is, if we don't provision SW2 with a PAC file, do we lose the points of the question?

Should I close the RDP connection?
Before we submit the CFG section, should we close the RDP connection to "client_pc1" & "client_pc2" or not? I am asking this because the notes are not the same for the relevant questions.
Task 3.1: Make sure that even when you close the RDP connection to "client_pc2", that should not tear down the established VPN session.
Task 4.1: VPN session should be in established state when you have ended the Configuration module.

Task 5.2
Is the VLAN assignment to VLAN 102 required? In my opinion it is not required, especially because we configure the interface on VLAN 102 and the question does not mention anything about VLAN assignment, unlike Task 4.2, where it says "On successful authorization ISE should assign the session VLAN 8, SGT of "PC2" and push DACL to permit ip traffic from any source to any destination."

As always, thanks in advance.

Edited February 4, 2019 by tonythetiger

cciedreamproton 0 Posted February 27, 2019

Hi, any info from those who passed? In section 1.4 there is a note:

"In exam read question carefully sometimes they use Allow/Pass/Permit interchangeably apply solution accordingly"

Sample task:
rule 1 Permit
rule 2 Allow
rule 3 Allow

Based on the FMC, there are only monitor/trust/block/allow; as you can see, there is no Permit option.

sharklover 7 Posted March 1, 2019

Use Allow on all 3 rules.

arsalanraz 1 Posted March 7, 2019

Hi all, I am working on lab creation on EVE-NG. Can anybody please help me make the physical topology for CCIE LAB V5? Your support will be highly appreciated.

AndreTJ89 178 Posted March 7, 2019 (edited)

Hi arsalanraz. I am also preparing for CCIE Security and preparing lab topologies and initial configs. Do you want to form a study group? Thanks.

Edited March 7, 2019 by AndreTJ89

talhant 5 Posted March 7, 2019

Hi folks, does anyone have an idea about registering NGIPSv on FMC in section 1.4? I have the lab installed on servers with the EVE Community engine. Whenever I try to add/register, it gives me an error like "Registration incorrect or network interface is down or software version is different". I checked the reg_key and it is the same, and all the other possibilities shown in the error are already checked. Give me any idea please.

talhant 5 Posted March 7, 2019

> Hi folks, does anyone have an idea about registering NGIPSv on FMC in section 1.4? I have the lab installed on servers with the EVE Community engine. Whenever I try to add/register, it gives me an error like "Registration incorrect or network interface is down or software version is different". I checked the reg_key and it is the same, and all the other possibilities shown in the error are already checked. Give me any idea please.

This is the actual error: "Could not establish a connection with sensor. Make sure the registration keys match, that the software versions are compatible, and that the network is not blocking the connection"

isesec5 180 Posted March 8, 2019

Check if port tcp-8305 is active on FMC.

[email protected]irepower1:~$ netstat -na | grep 8305
tcp 0 0 151.1.7.211:8305 151.1.7.206:40182 ESTABLISHED
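
The check suggested in the last post, as an added example that is not part of any poster's message: a shell function that reads Linux-style `netstat -na` output and reports the state of the TCP/8305 connection, which separates "nothing is listening" from "a connection attempt is not being answered". The function name `mgmt_port_state` and the state labels are hypothetical; the sample line is the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify the state of a TCP port
# from `netstat -na` output on stdin. The port defaults to 8305, the port
# the post says to check on the FMC.
# Prints exactly one of:
#   ESTABLISHED  a session on the port is up
#   SYN_SENT     this host is trying to connect and gets no answer
#                (consistent with the network blocking the connection)
#   LISTEN_ONLY  the service is listening but no peer has connected
#   NONE         nothing on this host is using the port
mgmt_port_state() {
    port="${1:-8305}"
    awk -v port="$port" '
        $1 ~ /^tcp/ {
            # Port is the last colon-separated piece (also works for tcp6).
            n = split($4, l, ":"); lport = l[n]
            m = split($5, r, ":"); rport = r[m]
            if (lport != port && rport != port) next
            if ($6 == "ESTABLISHED") est++
            else if ($6 == "SYN_SENT") syn++
            else if ($6 == "LISTEN" && lport == port) lis++
        }
        END {
            if (est) print "ESTABLISHED"
            else if (syn) print "SYN_SENT"
            else if (lis) print "LISTEN_ONLY"
            else print "NONE"
        }'
}

# The netstat line quoted in the thread.
sample='tcp 0 0 151.1.7.211:8305 151.1.7.206:40182 ESTABLISHED'
printf '%s\n' "$sample" | mgmt_port_state
```

On a live system the input would be `netstat -na | mgmt_port_state`, run on both the manager and the sensor so the two views can be compared.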