topic Re: NMAP Probe - Expected Behaviors? in Network Access Control

NMAP Probe - Expected Behaviors?

ryanbess — Fri, 19 Jan 2024 03:01:36 GMT

I'm running 3.2 patch 2. I have the NMAP probe enabled (profiling configuration tab) and in General Settings i have "enable profiling service" enabled on the PSN. What I'm not seeing is the PSN actually doing an NMAP scan on a device when it comes online. I'm also letting it sit for sometime and still nothing. The only time i see the NMAP scans doing anything is if i manually kick off a scan. I know this because I'm running a PCAP and when i ping the endpoint from the PSN i see the ICMP packets making it to the client. Is there something else i need to enable? When should i expect to see ISE scan an endpoint?

Re: NMAP Probe - Expected Behaviors?

Greg Gibbs — Fri, 19 Jan 2024 04:58:28 GMT

Have you configured an NMAP scan action for your relevant Profiling Policy as per the ISE Profiling Design Guide?

Re: NMAP Probe - Expected Behaviors?

MHM Cisco World — Fri, 19 Jan 2024 05:04:36 GMT

I think you need policy (profiling policy) to trigger NMAP for specific host/subnet

Policy>Policy Elements>Results>Profiling>Network Scan (NMAP) Actions
MHM

Re: NMAP Probe - Expected Behaviors?

ryanbess — Fri, 19 Jan 2024 12:37:31 GMT

yes there are three

Re: NMAP Probe - Expected Behaviors?

ryanbess — Fri, 19 Jan 2024 12:38:08 GMT

Morning, yes they are there.

Re: NMAP Probe - Expected Behaviors?

ryanbess — Fri, 19 Jan 2024 12:59:59 GMT

i think i see what you're saying. You're saying that i need to go to the attached and tell ISE if it sees something as "Microsoft-Workstation" that it then needs to do some sort of scan. In this case i've told it to do an OS-scan. this filed used to have NONE in it.

Re: NMAP Probe - Expected Behaviors?

MHM Cisco World — Fri, 19 Jan 2024 13:14:56 GMT

sorry I confuse if was set and NMAP not work or now you set it ?
MHM

Re: NMAP Probe - Expected Behaviors?

ryanbess — Fri, 19 Jan 2024 13:21:15 GMT

Nope. Looks like there is more to the story. Looks like ISE just doesn't do an NMAP scan even though there is an OS scan. Looks like you need to go into the Profiler Policy list to tell it to do the OS-SCAN when in this case it sees the endpoint as a Microsoft-Workstation. However i'm now getting the attached. Digging into it.

Re: NMAP Probe - Expected Behaviors?

MHM Cisco World — Fri, 19 Jan 2024 13:43:00 GMT

Can you more elaborate what condition you use in this profiling policy ?
MHM

Re: NMAP Probe - Expected Behaviors?

ryanbess — Fri, 19 Jan 2024 13:46:14 GMT

ok think i got it. When it now sees the dhcp-class-identifier containing MSFT, it will trigger an OS scan on the endpoint. I just did the pcap and i now see it.

Re: NMAP Probe - Expected Behaviors?

MHM Cisco World — Fri, 19 Jan 2024 13:47:31 GMT

You are welcome friend
MHM

Re: NMAP Probe - Expected Behaviors?

ryanbess — Fri, 19 Jan 2024 13:50:27 GMT

You or anyone know of a way to just have ISE do an NMAP scan on everything it finds vs having to go into each of these settings and enable it?