Usernames No Longer Appear in Firepower Management Center After Upgrading to 6.0

After upgrading our Firepower Management Center to 6.0, we noticed that usernames were no longer populating in our dashboards. Instead of showing users, all we could see was “No Authentication Required.”

After opening a support case, TAC pointed me to the following bug: cscux39125 (Cisco login required).

To resolve the issue, we need to set the Active Directory domain to our domain’s NetBIOS short name in Firepower’s realm configuration.

To change your realm configuration go to System -> Integration -> Realms

Click Edit

Go to Realm Configuration and edit the AD Primary Domain field to your domain’s NetBIOS short name.

For more information see the following support forums post: https://supportforums.cisco.com/discussion/12879381/sourcefire-60-firesight-mc-60-users-not-populating

Upgrading IOS-XE on a Cisco ISR 4400

Just got in a new Cisco ISR 4431 and needed to upgrade IOS-XE out of the box. Cisco has been nice enough to include a 1Gb USB flash drive with their new ISRs, making the software upgrade process a cinch. Here are the steps involved to install a new version of IOS-XE via USB drive.

  • Download your chosen version of IOS-XE from cisco.com. Keep in mind there are often many different trains and revisions of code available.
    • To help you decide which version of code is right for you, there’s the Cisco IOS feature navigator found here.
    • To help differentiate the different designations of code, i.e., MD, ED, GD, take a look here.
    • Typically I opt for a gold star release; these are Cisco-recommended releases “based on software quality, stability and longevity.”

  • Copy the downloaded image to your USB drive and insert it into the ISR
  • Copy the IOS-XE image from the USB drive to the ISR’s bootflash
    • copy usb0: bootflash:

  • Enter global configuration mode and set the ISR to boot from the new image
    • conf t
    • boot system flash bootflash:isr4400-universalk9.03.13.05.S.154-3.S5-ext.SPA.bin
  • Verify the correct boot system parameters
    • show run | include boot
  • Save your configuration
    • copy running-config startup-config
  • Reload the ISR
    • reload

  • When the device finishes reloading, verify that the device is running the correct version of IOS-XE
    • show version

This type of software installation is referred to as a consolidated package. Cisco also supports the installation of individual packages from an IOS-XE image. To see Cisco’s full documentation for software configuration on an ISR 4400 as well as instructions for consolidated and individual package installs please see here.

Installing a CA Signed SSL Certificate in SourceFire Defense Center 6.0

I don’t know about you, but self-signed certificates seem to trigger my IT OCD. When possible, I like to replace self-signed certs with one signed by our Active Directory CA. Here are the steps involved to replace the self-signed certificate on Cisco’s FirePOWER Management Center/SourceFire Defense Center with one signed by your internal Active Directory Certificate Authority.

  • In Defense Center, go to System -> Configuration -> HTTPS Certificate
  • Click “Generate New CSR”

  • Fill out the Certificate Signing Request information, paying attention to the common name field. The common name should match the address you use to access Defense Center, e.g., defensecenter.domain.org

  • Click Generate, and copy/paste the certificate request output to Notepad

  • Next, navigate to your Certificate Services website and click “Request a Certificate”

  • Click “Submit an advanced certificate request”

  • Under “Saved Request,” paste your certificate request output from earlier and select the Web Server certificate template. Click Submit

  • Download your newly generated certificate (Base64 encoded) and open it with your text editor of choice

  • Copy the output of your cert and go back to Defense Center. Navigate to System -> Configuration -> HTTPS Certificate
  • Click Import HTTPS Certificate and paste your certificate information into “Server Certificate”

  • Click “Save” and you should now see your new certificate installed.
  • Reload Defense Center and you should now trust the web server (assuming of course you trust the root CA)
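
Before pasting the issued certificate into the import dialog, it is worth confirming that it was issued for the CSR Defense Center generated, that its common name is the address you browse to, and that it is within its validity period. This is an added example, not part of the original post; the file names csr.pem and cert.pem and the function names are assumptions, and it needs the openssl command-line tool on your workstation.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed file names:
#   csr.pem  = request text copied from "Generate New CSR"
#   cert.pem = Base64 certificate downloaded from Certificate Services

# Print the PEM public key of a CSR ("req") or certificate ("x509").
pubkey_of() {
    openssl "$1" -in "$2" -noout -pubkey 2>/dev/null
}

# Print the subject common name of a certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_issued_cert CSR CERT HOSTNAME
# Prints "ok" and returns 0 only when the certificate carries the CSR's
# public key, names HOSTNAME as its common name, and has not expired.
check_issued_cert() {
    csr_key=$(pubkey_of req "$1") || csr_key=""
    cert_key=$(pubkey_of x509 "$2") || cert_key=""
    if [ -z "$csr_key" ] || [ -z "$cert_key" ]; then
        echo "cannot parse CSR or certificate"; return 2
    fi
    if [ "$csr_key" != "$cert_key" ]; then
        echo "public key mismatch"; return 1
    fi
    if [ "$(cert_cn "$2")" != "$3" ]; then
        echo "common name mismatch"; return 1
    fi
    if ! openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate expired"; return 1
    fi
    echo "ok"
}

# Usage: sh check_cert.sh csr.pem cert.pem defensecenter.domain.org
if [ "$#" -eq 3 ]; then
    check_issued_cert "$@"
fi
```

A public key mismatch means the certificate belongs to a different request, so the private key held by Defense Center will not pair with it.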

Using the Built in TFTP Server on OS X El Capitan

On Windows I love the lightweight and open source TFTPD32, but there may come a time when you find yourself needing to transfer some files and all you have is your trusty Mac.

Luckily there’s a built-in tftp daemon that you can use in a pinch.

By default tftpd uses the following folder:

/private/tftpboot

which is hidden in Finder, but can be accessed by using “Go to Folder” or hitting Command+Shift+G and entering /private/tftpboot

To launch the daemon run the following commands:

sudo launchctl load -F /System/Library/LaunchDaemons/tftp.plist
sudo launchctl start com.apple.tftpd

Be sure Read/Write/eXecute permissions are set on the tftpboot folder and any files you wish to transfer:

sudo chmod 777 /private/tftpboot
sudo chmod 777 /private/tftpboot/*

If you’ll be transferring a file TO your TFTP server, the file will technically need to exist on the server beforehand so create it with touch. For example:

sudo touch /private/tftpboot/running-config
sudo chmod 777 /private/tftpboot/running-config

If you’d like a graphical front end for launching tftp then check out the great TftpServer.

Now go ahead and get transferring.
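
TFTP has no authentication, and tftpd only accepts uploads to files that already exist and are publicly writable, so every file left at 777 can be overwritten by anything that can reach the Mac while the daemon is loaded. The following added example (not part of the original post; the function names are assumptions) lists those files, removes the write bits once the transfer is done, and unloads the daemon that was loaded above.

```shell
#!/bin/sh
# Added example, not from the original post: tighten the TFTP root once a
# transfer is finished. TFTP_ROOT defaults to the folder the post uses.
TFTP_ROOT="${TFTP_ROOT:-/private/tftpboot}"

# List files under the root that tftpd would accept uploads to,
# i.e. regular files that are writable by "other".
tftp_upload_targets() {
    find "$1" -type f -perm -002 -print 2>/dev/null | sort
}

# Remove group/other write from the root and everything in it. Files stay
# world-readable, so downloads keep working, but nothing can be overwritten.
# Prints how many upload targets were closed.
tftp_lockdown() {
    root="$1"
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }
    before=$(tftp_upload_targets "$root" | wc -l | tr -d ' ')
    chmod -R go-w "$root" || return 1
    echo "$before"
}

# Stop serving TFTP (macOS only; same plist that was loaded to start it).
tftp_stop() {
    sudo launchctl unload /System/Library/LaunchDaemons/tftp.plist
}

# Usage: sudo sh tftp_done.sh lockdown
if [ "${1:-}" = "lockdown" ]; then
    tftp_lockdown "$TFTP_ROOT" && tftp_stop
fi
```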

USB Serial Console Cable on OS X

Recently picked up a new USB cable for connecting to my network devices and needed a refresher on connecting to the console.

After installing device drivers (if necessary) and connecting the cable to your Mac, open up a terminal and list the contents of your dev directory, filtering for devices with usb in their name.

ls /dev/*usb*

Find the proper tty device and use screen to open a connection on the port. You can specify the speed of 9600 but screen will use that value by default.

screen /dev/tty.usbmodem1421 9600

You should now find yourself on the console of your network device. To quit screen hold control-a and then hit \
