Friday, July 27, 2012

Active Directory and ASA LDAP Authentication

A quick note on using LDAP for multi-domain authentication with Cisco ASA and an Active Directory global catalog server... when using the ASA to match on an LDAP object name, like this:

ldap attribute-map MY_MAP_NAME
  map-value memberOf "CN=foo,OU=bar,DC=example,DC=com" MY_GROUP_POLICY

...the Active Directory group needs to have certain properties:

  1. It must be a security group with universal scope.
  2. Users in the group must have a primary group different from the group matched by the ASA.
  3. The user's primary group must have universal scope.

I don't know if this still holds true if you have only a single domain and you're using the regular Active Directory LDAP service instead of the global catalog service, but in a multi-domain setup the GCS does not correctly report the "memberOf" attribute unless these conditions are met. This is an Active Directory quirk and thus is not directly related to ASAs, but troubleshooting an ASA issue was how I discovered it.
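As an added example (not part of the original post, and not Cisco's or Microsoft's code), here is a small Python checker for the three conditions above. It works on the LDAP attribute values of a user and its groups as plain dictionaries, which are constructed sample data standing in for what a global catalog search would return; the groupType bit values and the primaryGroupID/RID relationship are the documented Active Directory ones. No directory is contacted, and the group names, SIDs and DNs are made up.

```python
"""Check whether an AD user/group pair satisfies the conditions the post lists
for an ASA 'map-value memberOf' match against a global catalog server."""

# Documented bit flags of the Active Directory groupType attribute.
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000


def group_type_flags(group_type):
    """groupType is stored as a signed 32-bit integer; view it as unsigned bits."""
    return group_type & 0xFFFFFFFF


def is_universal_security_group(group):
    """Condition 1: security-enabled group with universal scope."""
    flags = group_type_flags(group["groupType"])
    return bool(flags & GROUP_TYPE_UNIVERSAL) and bool(flags & GROUP_TYPE_SECURITY_ENABLED)


def rid_from_sid(sid):
    """The RID is the last sub-authority of a string-form SID (S-1-5-21-...-RID).
    primaryGroupID on the user object stores exactly this RID."""
    return int(sid.rsplit("-", 1)[1])


def check_asa_group_match(user, matched_group, groups_by_rid, map_dn):
    """Return a list of problems; empty means the ASA memberOf match should work.

    user, matched_group: dicts of LDAP attribute values (constructed here).
    groups_by_rid: RID -> group dict, for looking up the user's primary group.
    map_dn: the DN configured in the ASA 'map-value memberOf' line.
    """
    problems = []
    # DN matching on the ASA is a string comparison; compare case-insensitively.
    if matched_group["distinguishedName"].lower() != map_dn.lower():
        problems.append("map-value DN does not match group distinguishedName")
    # Condition 1.
    if not is_universal_security_group(matched_group):
        problems.append("matched group is not a universal security group")
    # Condition 2: the primary group is not reported via memberOf at all.
    primary_rid = user["primaryGroupID"]
    if primary_rid == rid_from_sid(matched_group["objectSid"]):
        problems.append("user's primary group is the matched group")
    # Condition 3.
    primary_group = groups_by_rid.get(primary_rid)
    if primary_group is None:
        problems.append("primary group RID %d not found" % primary_rid)
    elif not (group_type_flags(primary_group["groupType"]) & GROUP_TYPE_UNIVERSAL):
        problems.append("user's primary group is not universal scope")
    return problems


# --- Constructed sample directory data (hypothetical domain, made-up SIDs) ---
DOMAIN_SID = "S-1-5-21-1111-2222-3333"

# The group named in the ASA attribute map: universal security group.
VPN_GROUP = {
    "distinguishedName": "CN=foo,OU=bar,DC=example,DC=com",
    "objectSid": DOMAIN_SID + "-1105",
    "groupType": -2147483640,  # 0x80000008: security-enabled + universal
}
# Mirrors the default 'Domain Users' group, which is global scope (RID 513).
DOMAIN_USERS = {
    "distinguishedName": "CN=Domain Users,CN=Users,DC=example,DC=com",
    "objectSid": DOMAIN_SID + "-513",
    "groupType": -2147483646,  # 0x80000002: security-enabled + global
}
# A universal security group suitable to serve as a primary group.
UNIVERSAL_PRIMARY = {
    "distinguishedName": "CN=VPN Primary,OU=bar,DC=example,DC=com",
    "objectSid": DOMAIN_SID + "-1106",
    "groupType": -2147483640,
}
GROUPS_BY_RID = {513: DOMAIN_USERS, 1105: VPN_GROUP, 1106: UNIVERSAL_PRIMARY}

MAP_DN = "CN=foo,OU=bar,DC=example,DC=com"  # the DN from the ASA map-value line

USER_DEFAULT = {"sAMAccountName": "alice", "primaryGroupID": 513}   # default AD user
USER_FIXED = {"sAMAccountName": "alice", "primaryGroupID": 1106}    # primary group changed
USER_SELF = {"sAMAccountName": "bob", "primaryGroupID": 1105}       # primary = matched group

if __name__ == "__main__":
    for label, user in (("default", USER_DEFAULT), ("fixed", USER_FIXED), ("self", USER_SELF)):
        print(label, check_asa_group_match(user, VPN_GROUP, GROUPS_BY_RID, MAP_DN))
```

The "default" case is the one that bites in practice: a freshly created user has Domain Users (global scope) as its primary group, so condition 3 fails even though the matched group itself is set up correctly. Changing the user's primary group to a universal group clears the check.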

Sunday, July 1, 2012

CiscoLive 2012 Rundown

Late but better than never:

2012 was my seventh consecutive year at CiscoLive, and for probably the third or fourth year in a row it was the only in-person training event I attended. I've tried to shift to on-line training as much as possible, but the social aspects of CiscoLive are important enough to me that I prefer to go in person. I hadn't been to San Diego in about 15 years, and I really enjoyed the location. I ended up in a hotel that was about 1.5 miles from the conference center, but due to the pleasant location I only ended up taking the shuttle once the entire week; the walk was great.

I didn't have an overall focus this year like I have in years past; I wanted to get exposure to some new stuff, increase depth in other areas, and explore a few things just for fun. I'm not going to review every session, but here are some highlights:

DWDM 101
We don't use DWDM at my company, but it's an area about which I've always wanted to learn more. This was a great introductory session with a lot of new material for me; I'm definitely going to have to review it again if I want to retain it.

Cisco ISR G2: Architectural Overview and Use Cases
My company uses ISRs extensively, so this was a great way to catch up on newer developments in branch routing. The UCS E-series servers that allow you to embed a hypervisor into the branch router were probably the most interesting new product of the show for me. Even though I work for a fairly small company, we are still surprisingly siloed between network and server teams, so it will be interesting to see if the server guys will be interested; they are strongly committed to Dell at this point.

Data Center Design for the Small and Medium Business
I was pretty excited about this, since it's pitched exactly at my use case. My company falls into the upper end of Cisco's definition of "medium", and is pushing into the small enterprise category in terms of employee count. However, we have a very distributed network, so our data center needs still fall squarely into the "medium" design category.

Architecting Solutions for Security Investigations and Monitoring
I went to this session because the presenter, Martin Nystrom, is one of the great lesser-known presenters at the show. I've been to several of his sessions over the years, and they're often lightly attended despite being some of the best sessions I've seen. I guess logging and monitoring just don't sound sexy enough. Despite the unfortunate verbification of the word "architect" in the session title, this was possibly my favorite session this year. The best thing about Martin's sessions is that he is not in marketing: he runs Cisco's incident response team, and if Cisco products can't do the job, they either get them fixed or use something else. He explains exactly how and why Cisco designs for incident detection and response, and, helpfully, often talks about what they tried that didn't work.

Global MPLS WAN Redesign Case Study
I went to this purely out of academic interest, but it turned out to be fascinating. This was a detailed case study of a network migration for an unspecified large government agency with the craziest customer requirements EVER. If you sit down and think about what would possibly corner you into NEEDING to build MPLS VPNs over a mesh of static GRE tunnels using 7600s, you would only be scratching the surface. Only the government could design something this weird.

Exploring the Engineering Behind the Making of a Switch
If you don't have a background in electrical or mechanical engineering, check this out: a really well done explanation of what it takes to bring a switch to market, from customer requirements to chassis design to ASIC design.

The NOC at CiscoLive
This is the last session of the show, and is thus sparsely attended, but it's worth seeing. A generally light-hearted, funny, and informative presentation about designing, building, and running the CiscoLive show network. The highlight this year was the revelation that the big outages at the beginning of the show were caused by blade reloads on a 6500 after somebody "borrowed" a bunch of RAM off the blade before it was shipped to San Diego. The wireless network engineer's explanation of how this was blamed on "wireless problems" was hilarious.


  1. I wish John Chambers would stop giving the same keynote every year.
  2. Padmasree Warrior is a better presenter than her boss. Maybe we can start with her next time.
  3. Please find someone new to make the executive slide decks. They are really awful.
  4. Jamie and Adam were awesome. Mythbusters is pretty much the only show I watch and I was psyched to see them. Thanks CiscoLive!

CCIE NetVet Reception
There should be a hard limit on the number of comments to Chambers about problems with specific products. Maybe it should be zero. I like seeing people ask hard questions, but droning on about your problems with the Wizbang 4000 or whatever is a waste of time.

General Comments
Great job with the vegetarian food options! I am not a vegetarian (I just like to see vegetables suffer), but I eat a lot of vegetables and I really appreciate the great selection this year.

I've also enjoyed Cisco's efforts over the years to reduce the amount of garbage produced by the event. For 2012, I appreciated the reduced amount of junk included with the (excellent this year) backpack. Next time I'm going to try to remember a coffee mug to reduce the number of paper cups I use.

All that said: I'm not sure if I'll go next year... getting to Orlando from rural Colorado is a pain, so I may skip it in favor of something like Sharkfest or Splunk's conference. If I don't make it, I'll see everyone in San Francisco in 2014.