topic Re: ISE Visibility Wizard Operation / Behavior in Network Access Control

ISE Visibility Wizard Operation / Behavior

scamarda — Fri, 08 Feb 2019 01:06:26 GMT

Experience during a PoC Customer has roughly 3000 LAN switches that sit on a common VLAN per campus site. At some large locations there are upwards of about 60 switches on one subnet (e.g. 10.100.1.0/24) We were using the Visibility Wizard to discover the 30k endpoints in their network. In the beginning of the wizard we put the 10.100.1.0 network in the network device discovery wizard. After running just the network device discovery the results only returned 12 switches even thought there were a lot more on the subnet in the same building. If we run it again, only 1-3 more devices would show up. We could never get more than 15 devices discovered. Is there a limit on the number of network devices that can be returned in a search? SNMPv3 values were all correct and we believe we had no discovery failures.

Second question. For discovery purposes only, can you start another Visibility scan immediately after you wizard-complete the first one. Will ISE be able to run two or more Visibility network scans at the same time (staggered overlapping)?

Third question, we also saw NMAP scans for devices that were not in our specified subnets. For example, we set the visibility wizard up to scan the 10.120.1.0 network. When running a tail of the Nmap.log file we saw that nmap was scanning other networks such as 10.5.0.0 or 10.21.1.0. This ISE is doing no authentication/authorization. The only other thing we have configured is a DHCP/HTTP SPAN. Would nmap automatically be scanning the devices that were learned via those probes?

I have not been able to find any detailed documentation on the Visibility wizard. Pointers would be welcome.

Re: ISE Visibility Wizard Operation / Behavior

howon — Sat, 09 Feb 2019 05:10:10 GMT

Sam, have you ruled out any network issues on the network such as speed duplex settings on the interfaces? It could explain inconsistencies of the result. Also, I would enable debug for profiler log and see if there are any hints on the issue. I don't believe 60 switches would be an issue so odd that you are only discovering subset of the devices. Running simultaneous scan would not help as it will only run one at a time. For the NMAP scan, I would create a TAC SR for root cause. ISE may do triggered scans but should not happen in your case as you are not authenticating endpoints outside of the subnets specified. Lastly, as a test I would limit the initial scan to one or two endpoint subnets as a test.

Re: ISE Visibility Wizard Operation / Behavior

hslai — Sun, 10 Feb 2019 04:22:41 GMT

Adding to Hosuk's...

Actually... it might trigger NMAP scans on endpoints discovered through SNMP queries to the network devices, if the matched profiler policies have scan actions.

Re: ISE Visibility Wizard Operation / Behavior

scamarda — Tue, 12 Feb 2019 15:19:55 GMT

Hi Thanks for the responses. I can understand the additional scanning if the resulting profile has a scan action. Here is response from additional testing:

"We currently have 16,727 devices. I have added 2 other regional locations. Didn't discover any new hosts when I added those though they have about 5000 users in total at those locations. I have identified a few locations that I wanted to verify devices. I have discovered some switches that are in the IP address range that we scanned that weren't discovered when we initially scanned the ranges. I have re-ran the scans and seem to discover a new switch or two each time I run a scan. Still scanning the /26 range. I will continue to look today and add the remaining locations. We have detected around 300 wireless devices. I think there should be a lot more."

The results we are receiving are inconsistent. I don't see how it could be a network or a config issue if the network devices are getting discovered on a 2nd and subsequent scan.

Thanks.

Sam

Re: ISE Visibility Wizard Operation / Behavior

hslai — Fri, 15 Feb 2019 16:47:51 GMT

SNMP query probe needs the ARP table on the target network devices to build IP-ARP cache. This might be the reason for inconsistent results.