ISE device profiling / NMAP OS detected

iagyte — Mon, 19 Nov 2018 11:18:50 GMT

Hello,

Currently working with a customer who is running ISE 2.4 patch 3 and experiencing issues with NMAP OS detected. The devices are being profiled as Apple iPhone devices correctly, but NMAP then reports the OS detected as running "Cisco Nexus 7010 switch (NX-OS 5) (accuracy 98%)".

E4:9A:DC:5B:47:D4

MAC Address: E4:9A:DC:5B:47:D4

Username: removed

Endpoint Profile: Apple-Device

Current IP Address: 10.56.226.59

Location: LocationAll Locations

Applications Attributes Authentication Threats Vulnerabilities

General Attributes

Description

Static Assignment false

Endpoint Policy Apple-Device

Static Group Assignment false

Identity Group Assignment Profiled

Custom Attributes

Attribute Name Attribute Value

Attribute Name

Attribute Value

No data found. Add custom attributes here.

Other Attributes

AAA-Server cosisepsn1

AD-Error-Details Domain trust is one-way

AD-Groups-Names agilent.com/Users/Domain Users

AD-User-Candidate-Identities removed@removed.com

AD-User-DNS-Domain removed.com

AD-User-Join-Point removed.COM

AD-User-NetBios-Name removed

AD-User-Qualified-Name removed@removed.com

AD-User-Resolved-DNs CN=removed\,CN=Users\,DC=removed\,DC=com

AD-User-Resolved-Identities removed@removed.com

AD-User-SamAccount-Name removed

Airespace-Wlan-Id 1

AuthenticationIdentityStore removed

AuthenticationMethod MSCHAPV2

AuthenticationStatus AuthenticationPassed

AuthorizationPolicyMatchedRule PEAP Authentication

BYODRegistration Unknown

Called-Station-ID 00-27-0d-49-5d-30:spark

Calling-Station-ID e4-9a-dc-5b-47-d4

Chargeable-User-Identity c8:

DTLSSupport Unknown

DestinationIPAddress 130.30.1.79

DestinationPort 1812

DetailedInfo Authentication succeed

Device IP Address 10.2.49.200

Device Port 52813

Device Type Device Type#All Device Types

DeviceRegistrationStatus NotRegistered

ElapsedDays 66

EndPointMACAddress E4-9A-DC-5B-47-D4

EndPointPolicy Apple-Device

EndPointProfilerServer cosisepsn1.ns.removed.net

EndPointSource RADIUS Probe

FailureReason -

IPSEC IPSEC#Is IPSEC Device#No

IdentityAccessRestricted false

IdentityGroup Profiled

IdentityPolicyMatchedRule PEAP Authentication

InactiveDays 6

IsMachineAuthentication false

IsMachineIdentity false

IsThirdPartyDeviceFlow false

LastNmapScanTime 2018-Oct-22 08:54:17 UTC

Location Location#All Locations

Location-Capable 00:00:00:01

LogicalProfile Mobile Devices

MACAddress E4:9A:DC:5B:47:D4

MatchedPolicy Apple-Device

MessageCode 3001

NAS-IP-Address 10.2.49.200

NAS-Identifier SGPWLC01

NAS-Port 8

NAS-Port-Type Wireless - IEEE 802.11

Network Device Profile Cisco

NetworkDeviceGroups IPSEC#Is IPSEC Device#No, Location#All Locations, Device Type#All Device Types

NetworkDeviceName SGPWLC01

NetworkDeviceProfileId b0699505-3150-4215-a80e-6753d45bf56c

NetworkDeviceProfileName Cisco

NmapScanCount 3

OUI Apple, Inc.

PolicyVersion 25

PostureApplicable Yes

PostureAssessmentStatus NotApplicable

RadiusFlowType Wireless802_1x

RadiusPacketType Drop

SSID 00-27-0d-49-5d-30:spark

SelectedAccessService Default Network Access

SelectedAuthenticationIdentityStores Internal Users, removed

SelectedAuthorizationProfiles removed-Permit-Employee, SPARK

Service-Type Framed

StaticAssignment false

StaticGroupAssignment false

StepData 4= Airespace.Airespace-Wlan-Id, 5= DEVICE.Device Type, 6= Radius.User-Name, 70= Radius.NAS-Port-Type, 71= Radius.Service-Type, 72= Network Access.EapAuthentication, 73= Network Access.EapTunnel, 74=removed, 75=Internal Users, 78=removed, 79=removed, 80=removed, 81=removed.com, 82=removed.com, 83=MTP.local\,Domain trust is one-way, 84=dmxtest.removed.com\,Domain trust is one-way, 85=removed.removed.com\,Domain trust is one-way, 87=user&customer.com, 88=Removed, 107= Radius.User-Name, 108= Radius.Called-Station-ID, 109= EndPoints.LogicalProfile, 116=Removed, 117=Removed.com, 118=REMOVED

TLSCipher ECDHE-RSA-AES256-GCM-SHA384

TLSVersion TLSv1.2

Total Certainty Factor 100

User-AD-Last-Fetch-Time 1541753618565

User-Fetch-CountryName *Country Removed*

User-Fetch-Department *Dept Removed*

User-Fetch-Email *Email Address Removed*

User-Fetch-First-Name *First Name Removed*

User-Fetch-Last-Name *Last Name Removed*

User-Fetch-LocalityName *Locality Removed*

User-Fetch-Organizational-Unit *Customer OU Removed*

User-Fetch-StateOrProvinceName 13

User-Fetch-StreetAddress 9-1 *Street Address Removed*

User-Fetch-Telephone *Telephone Removed*

User-Fetch-User-Name *Name Removed*

User-Name *Username Removed*

UserAccountControl 512

allowEasyWiredSession false

operating-system Cisco Nexus 7010 switch (NX-OS 5) (accuracy 98%)

Obviously an Apple iPhone is not running a Nexus 7010 OS, any help or pointers would be greatly appreciated.

thanks..

Re: ISE device profiling / NMAP OS detected

Timothy Abbott — Mon, 19 Nov 2018 14:20:15 GMT

Hi,

This is a known issue and we are working on a fix. Suggest trying to use another profiling probe instead of NMAP OS scan in the mean time.

Regards,

-Tim

Re: ISE device profiling / NMAP OS detected

iagyte — Mon, 19 Nov 2018 14:51:57 GMT

Thanks Tim, appreciate your response.

Just to set expectations with the customer, do you know when we expect to have a fix?

Cheers,

Ian

Re: ISE device profiling / NMAP OS detected

Timothy Abbott — Mon, 19 Nov 2018 15:06:04 GMT

Ian,

Unfortunately we can’t specify an exact date the fix will be issued in a patch. The reason being is that patch dates could potentially slip and bugs are added and removed from patches all the time for various reasons.

Regards,
-Tim

Re: ISE device profiling / NMAP OS detected

paul — Mon, 19 Nov 2018 20:08:00 GMT

Tim,

Is this really a bug? NMAP OS detection has been notoriously sketchy for a long time. I thought it was just a function of NMAP and not so much an ISE issue.

Re: ISE device profiling / NMAP OS detected

Timothy Abbott — Mon, 19 Nov 2018 20:55:04 GMT

Yes, there is a bug against it and you’re correct it is a function of NMAP. Since NMAP is included and not scanning properly, we have to look into it.

Regards,
-Tim

Re: ISE device profiling / NMAP OS detected

paul — Mon, 19 Nov 2018 21:02:04 GMT

Ahh okay. I always just explain it as NMAP being NMAP and most customers shake their head and agree.

Re: ISE device profiling / NMAP OS detected

claudio.rosa@vale.com — Fri, 30 Aug 2019 15:44:35 GMT

Hi,

I have a similar problem but in my case I have:

EndPointSource NMAP Probe

OUI Apple, Inc.

host-name iPhone
operating-system-result Windows 10 Enterprise

But I am not receiving information about "operating-system" parameter only "operating-system-result". Any idea why my iphone is not answering?

Re: ISE device profiling / NMAP OS detected

andrewswanson — Tue, 17 Dec 2019 21:56:17 GMT

topic Re: ISE device profiling / NMAP OS detected in Network Access Control

ISE device profiling / NMAP OS detected

Re: ISE device profiling / NMAP OS detected

Re: ISE device profiling / NMAP OS detected

Re: ISE device profiling / NMAP OS detected

Re: ISE device profiling / NMAP OS detected

Re: ISE device profiling / NMAP OS detected

Re: ISE device profiling / NMAP OS detected

Re: ISE device profiling / NMAP OS detected

Re: ISE device profiling / NMAP OS detected