topic Re: Scanning Cisco ISE in Network Access Control

Scanning Cisco ISE

Lyn17 — Wed, 28 Sep 2022 17:26:34 GMT

Is there a way to scan Cisco ISE? I'm not getting a credentialed scan even with my admin credentials.

Re: Scanning Cisco ISE

Damien Miller — Wed, 28 Sep 2022 19:28:19 GMT

Could you explain more about what you're trying to do and what you were hoping would happen?

Re: Scanning Cisco ISE

Lyn17 — Thu, 20 Oct 2022 10:52:27 GMT

Hi Damien,

I'm trying to get a credentialed scan on our ISE server using ACAS. I used my SSH credentialed and saw our ACAS scanner logged in using the credential I provided but when I checked Nessus Scan Information, it wasn't credentialed. Our cyber team and asking for a credentialed scan.

Re: Scanning Cisco ISE

ahollifield — Thu, 20 Oct 2022 12:23:10 GMT

The ISE CLI isn't a normal Linux prompt. The vulnerability scanner probably doesn't know how to parse it.

Re: Scanning Cisco ISE

Marvin Rhoads — Thu, 20 Oct 2022 13:18:00 GMT

A Nessus/ACAS credentialed scan will make certain assumptions about the target host. For a "Linux" host which ISE (somewhat) is, the assumption would be that your credentials allow you to login with root privileges.

However, ISE does not allow customers access to the underlying RHEL Linux operating system (either as root or any other user). That is only possible with a time-limited root patch that is used exclusively by Cisco TAC.

Logging in to ISE as an admin user only give admin (full) access to the ADE-OS (Application Development Environment - Operating System) that is an abstraction layer "above" the Linux OS.

Re: Scanning Cisco ISE

Lyn17 — Thu, 20 Oct 2022 13:44:46 GMT

Thanks for the response. Yes, I think that is what's happening. I can see the credential that I provided being used to SSH to ISE but I'm getting a non credentialed scan everytime.

Re: Scanning Cisco ISE

Lyn17 — Thu, 20 Oct 2022 14:24:29 GMT

Thanks for the response Marvin.

So, it's not possible to do a credentialed scan on ISE itself without the Cisco TAC involvement?

Re: Scanning Cisco ISE

ahollifield — Thu, 20 Oct 2022 14:30:48 GMT

No, and I don't think TAC will agree that this a valid use-case for a root patch. Why do you feel the need to scan your ISE nodes?

Re: Scanning Cisco ISE

Marvin Rhoads — Thu, 20 Oct 2022 14:41:41 GMT

Like @ahollifield said - no you CANNOT do a credentialed scan, even if you ask the TAC.

The root patch is only for TAC troubleshooting and uses an ssh key that they will not share with the customer. That's by design to keep the system more secure and not allow unauthorized changes (including things that a credentialed scan might do!)

Re: Scanning Cisco ISE

Lyn17 — Thu, 20 Oct 2022 14:54:27 GMT

Personally, I don't think it's necessary, but I need to answer to our cyber team why ISE is not getting a credentialed scan.

Re: Scanning Cisco ISE

Marvin Rhoads — Thu, 20 Oct 2022 15:00:32 GMT

I would tell them it's a secure appliance and the vendor does not support customer access to the underlying operating system.

(nice way of saying "go pound sand")

Re: Scanning Cisco ISE

hector.l.rivera11 — Tue, 14 Mar 2023 19:05:33 GMT

Don't think we are doing anything different but we are able to get credentialed scans, most of the times. Makes sense what it was said before about the Linux OS vs the ISE ADE-OS... When the scanner recognizes the ISE ADE-OS then we get credentialed scans... when it thinks is a linux box then we don't.

Re: Scanning Cisco ISE

Lyn17 — Thu, 13 Apr 2023 16:11:01 GMT

I was able to get a credentialed scan by adding the identity store. Unfortunately, after the upgrade to version 3.2, I'm back to not being able to get a credentialed scan even after double checking that everything on our DC side and domain user account hasn't changed. What version are you using?

Re: Scanning Cisco ISE

hector.l.rivera11 — Thu, 13 Apr 2023 16:26:27 GMT

Good morning,

We started having issues once we upgrade to 3.2 ourselves. I'm working with
our ISE SME to see if we can fix it.

Re: Scanning Cisco ISE

Lyn17 — Thu, 13 Apr 2023 17:29:37 GMT

I opened a ticket with TAC. Can you let me know if you guys fix it and what the solution would be?

Re: Scanning Cisco ISE

hector.l.rivera11 — Thu, 13 Apr 2023 17:37:27 GMT

Will do

Re: Scanning Cisco ISE

Lyn17 — Thu, 04 May 2023 10:27:26 GMT

I'm still working with TAC on the issue. Have you guys figure this out?

Re: Scanning Cisco ISE

hector.l.rivera11 — Thu, 04 May 2023 14:54:39 GMT

Not yet, we are still working on the issue. Will let you know if we are able
to fix the issue.

Hector

Re: Scanning Cisco ISE

Lyn17 — Mon, 15 May 2023 15:20:32 GMT

I'm still t/s the issue with TAC.

Re: Scanning Cisco ISE

Lyn17 — Thu, 15 Jun 2023 12:55:38 GMT

Hi Hector,

Update: The two plugins that's causing the uncredentialed scan for ISE:

The 2 plugins most relevant in this case are 97993 & 12634.

Output of Plugin 97993:

It was possible to log into the remote host via SSH using 'password' authentication.

The remote host is not currently supported by this plugin.

Output of Plugin 12634:

It was possible to log into the remote host using the supplied
password.

The output of "uname -a" is :
Failed to log in 6 time(s)
Last failed login on Tue Jun 13 08:20:21 2023 from 172.20.33.59