topic Re: Cisco ISE/SecurityCenter Integration Credentialed Scans in Endpoint Security

Cisco ISE/SecurityCenter Integration Credentialed Scans

Elbeshti1 — Sun, 15 Nov 2020 11:29:24 GMT

Cisco ISE/SecurityCenter Integration Credentialed Scans

Hello,

We have followed this guide and gotten automated scanning of systems to work:

https://community.cisco.com/t5/security-documents/cisco-tc-nac-with-ise-and-tenable-security-center/ta-p/3647543

Now the only issue is getting credentialed scans on systems.

Using this guide:

https://community.tenable.com/s/article/Scanning-with-non-default-Windows-Administrator-Account

I have worked with our system administrators, network administrators and our HBSS administrator to configure a test laptop with these settings, and we are still not getting credentialed scans.

Now, when setting up the Scan Policy on SecurityCenter, there is no Windows credential option under the Authentication tab. However, if I log into the Nessus scanner directly, this is not the case. I have the option there to create and include Windows credentials ad infinitum within scan policies I build there.

Is there a reason SecurityCenter scan policy creation does NOT have the Windows credential authentication option available? if this were fixed, this would be the path of least resistance instead of trying to push a GPO that disables login requirements for secured laptops, disabling HBSS and opening up ports locally.

Re: Cisco ISE/SecurityCenter Integration Credentialed Scans

Mike.Cifelli — Thu, 19 Nov 2020 13:43:57 GMT

I had the same issue when attempting to test ISE TC-NAC integration with Security Center. Note that at the time we were running ISE 2.4p9. We were advised this is a Security Center side of the house issue. Unfortunately, this is due primarily to Security Center config and the need to run on-demand scans constantly. AFAIK the only option is to look into testing/using nessus clients on all your workstations due to the lack of ability to configure Windows creds in the scan policy. My recommendation would be to look into other options, test/research the local nessus clients (as I think this eliminates the need for credentials from what I remember), and open a ticket/talk to someone on the Nessus side. Lastly, be aware that the local nessus clients eat resources pretty badly. HTH & Good luck!

Re: Cisco ISE/SecurityCenter Integration Credentialed Scans

ttronier — Thu, 27 May 2021 12:43:30 GMT

A workaround if someone else needs this. We are running an integration between Tenable.sc (v5.18.0) and Cisco ISE initiating scans automatically. Additionally we have CyberArk running to pull credentials for various (credentialed) scans. I did encounter the same problem as the Windows credentials are configured for the active scan and not in the "scan policy" used by ISE.

What I did was to look into the Sqlite database on our Tenable.sc server. Then I found the credentials ID ("credID" column) and automatically associated all new on-demand scans with those credentials. This is done with a simple SQL trigger, so every time a new scan is added, a new row with automatically be added to ensure it will run credentialed.

CredID is the first one we added "1000001". You can identify yours with the following command

#sqlite> select * from Credential;

CREATE TRIGGER add_cyberark_win_creds_to_ise_scans

AFTER INSERT ON ScanAsset

BEGIN

INSERT INTO ScanCredential (scanID,credID) VALUES (new.scanID,1000001);

END;

You can modify the trigger to match only the API user used by ISE or other stuff to tweak it.

Re: Cisco ISE/SecurityCenter Integration Credentialed Scans

Elbeshti1 — Fri, 30 Jul 2021 18:43:01 GMT

Very Helpful i will test it and get back to you, many thanks