topic Re: Cisco ISE performing NMAP scans at regular intervals. in Network Access Control

Cisco ISE performing NMAP scans at regular intervals.

network_geek1979 — Tue, 31 May 2022 12:57:20 GMT

Folks,

I understand that the Cisco ISE PSN's should do some NMAP scans on the network at regular intervals.

However, I do not see that to be the case.

e.g. we have few devices where the OS and ports detected in NMAP scan do not show up.

However, if we do a manual scan to this device from the ISE it shows up correctly.

We have all the nodes configured to NMAP in the "Profiling Configuration".

It reads "The NMAP probe will scan endpoints for open ports and OS."

Our challenge is where are we going wrong and why the results show up only after a manual scan.

Any suggestions?

Regards,

balaji.bandi — Tue, 31 May 2022 13:06:23 GMT

what ISE version, how is your autoscan profile looks like compare to Manual scan

check some reference guide :

andrewswanson — Tue, 31 May 2022 13:24:23 GMT

See this previous post on how/when ISE performs nmap scans

NMAP can be triggered in the following cases:

Manual NMAP scan
Automatically when endpoint discovered and profile set to Unknown
Automatically by matching a profile and one of the matching conditions has action to trigger NMAP. The NMAP scan type is defined under the NMAP Scan Actions (under Policy > Policy Elements > Results > Profiling > NMAP Scan Actions).

hth
Andy

network_geek1979 — Tue, 31 May 2022 13:39:21 GMT

Hi Balaji,

Thanks! The ISE version is 3.0.

When you say autoscan, I understand you are referring to NMAP Scan Actions under "Policy Elements".

If yes, there is no difference in the autoscan and the manual scan I did.

Regards.

hslai — Thu, 02 Jun 2022 02:58:19 GMT

ISE needs the mapping of the IP address to the MAC address in order to update the NMAP results to the endpoint.