topic Anyone using NMAP custom ports in profiling condition? in Network Access Control

Anyone using NMAP custom ports in profiling condition?

grant.maynard — Wed, 10 May 2017 16:00:21 GMT

In ISE 2.1 Patch 3 I've created an NMAP scan to include customer ports (tcp 8000, 4767 and 8194) and the NMAP Extensions dictionary is updated, but the attribute names do not appear in the profiling conditions pull-down, so i cannot create the condition.

Also, what would the value be?

For a scan on tcp 8194, the endpoint has an attribute "8194-tcp" with value "sophos", but i cannot enter "8194-tcp" as a profiling condition attribute.

I'm aware of CSCvb31331 but we do not see the same symptoms.

Re: Anyone using NMAP custom ports in profiling condition?

Craig Hyps — Wed, 10 May 2017 18:08:01 GMT

Make sure you are selecting NMAPExtension...

/Craig

Re: Anyone using NMAP custom ports in profiling condition?

grant.maynard — Wed, 10 May 2017 21:22:34 GMT

Hi Craig. Yes, we are using NMAPExtension. I can see it's ok in your screenshot - what version is that?

I was trying 2.1 Patch 3.

I tried 2.1 Patch 2 on a lab setup and it worked.

I applied Patch 3 to this and it didn't work.

So I rolled back to Patch 2 and it worked again.

It must be a problem with Patch 3.

Re: Anyone using NMAP custom ports in profiling condition?

hslai — Thu, 11 May 2017 01:14:34 GMT

I tried it on my ISE 2.1 Patch 3 and it worked fine, with the steps described in the bug you cited. Mine is fresh install 2.1 and has Patch 3 only.

What is the history of your ISE in term of install, upgrade, and patching?

Re: Anyone using NMAP custom ports in profiling condition?

Craig Hyps — Thu, 11 May 2017 01:52:08 GMT

ISE 2.1 Patch 1 is what I used and it worked fine. Try removing the conditions referencing custom ports and then remove the nmap scan template. You should see changes to the Profile Dictionary as you make changes. When re-add the custom ports, you should see dictionary attributes appear. This should then make them visible to profiler conditions as well.

Craig

Re: Anyone using NMAP custom ports in profiling condition?

grant.maynard — Thu, 11 May 2017 22:23:36 GMT

There are five nodes - 2 Admin/Mon and 3 PSN-only.

Originally, for all nodes, we installed 2.1, then patch 1, and patch 2.

Then, due to a disk space problem on M nodes, we rebuilt both Admin/Mon as 2.1 then went straight to patch 2.

Then all nodes had patch 3 applied.

Re: Anyone using NMAP custom ports in profiling condition?

grant.maynard — Thu, 11 May 2017 22:28:36 GMT

We tried this today but there are a few oddities: we could not delete one profile condition based on a custom port, because it said it was referenced somewhere, but we could not find where.

We tried to delete the profile policy which had referenced this condition but got an error that a resource or child policy was using the associated identity group. Again, we could not find where.

We're going to reboot all nodes in a few days to see if this clears it.

if we removed Profiling Services from all PSN, would that cleanly remove the profiling config?

Re: Anyone using NMAP custom ports in profiling condition?

hslai — Thu, 11 May 2017 22:32:21 GMT

Removing profiling services would not help as PPAN has the master copy of the profiling policies and elements. If you really need them removed, then please engage Cisco TAC.

Re: Anyone using NMAP custom ports in profiling condition?

grant.maynard — Mon, 29 May 2017 08:55:29 GMT

In my testing it worked in Patch 2 but then didn't work when Patch 3 was applied, but I rolled back to 2 then re-applied 3 and it did work.

We raised a TAC case which lead to bug ID CSCve51076. Hopefully it will be fixed in ISE 2.1 patch 4.