https://community.cisco.com/t5/network-access-control/issue-with-triggered-endpoint-nmap-scan-for-canon-printers/m-p/5296984#M596674 <P>Manual NMAP works perfectly as expected. Not sure why it is not triggering an automatic NMAP scan&nbsp;</P> <P>I suspect that ISE PSN is not getting&nbsp;IP addresses to MAC binding information via RADIUS&nbsp;(Framed IP Address)</P> <P>But I am not sure how to check on ISE if PSN is getting the IP addresses to the MAC binding information via RADIUS</P> Thu, 05 Jun 2025 17:43:54 GMT jitendrac 2025-06-05T17:43:54Z https://community.cisco.com/t5/network-access-control/issue-with-triggered-endpoint-nmap-scan-for-canon-printers/m-p/5296478#M596643 <P data-start="212" data-end="325">We are currently facing an issue with the Triggered Endpoint NMAP Scan functionality on our Cisco ISE 3.3 deployment.</P> <P data-start="327" data-end="500">We are attempting to perform NMAP scans on Canon printer devices to obtain detailed information such as model and OS. These printers are configured with static IP addresses.</P> <P data-start="502" data-end="552">To enable this, we have taken the following steps:</P> <UL data-start="554" data-end="948"> <LI data-start="554" data-end="650"> <P data-start="556" data-end="650">Enabled the NMAP probe on the PSN as per the <STRONG data-start="601" data-end="631">ISE Profiling Design Guide</STRONG> (Cisco Community).</P> </LI> <LI data-start="651" data-end="737"> <P data-start="653" data-end="737">Allowed all required NMAP ports from the PSN to the subnet range of the printer IPs.</P> </LI> <LI data-start="738" data-end="948"> <P data-start="740" data-end="948">We are using the default Cisco-provided profiler policy for Canon devices: <STRONG data-start="815" data-end="833">"Canon-Device"</STRONG>, which has defulat condition with an NMAP action based on the OUI (refer to the attached screenshot for reference).</P> </LI> </UL> <P>We are observing that</P> <UL data-start="984" data-end="1280"> <LI data-start="984" data-end="1048"> <P data-start="986" data-end="1048">The printer devices are successfully authenticating using MAB.</P> </LI> <LI data-start="1049" data-end="1142"> <P data-start="1051" data-end="1142">The profiling policy <STRONG data-start="1072" data-end="1090">"Canon-Device"</STRONG> is being matched correctly in the attribute filter.</P> </LI> </UL> <P data-start="950" data-end="982">Despite the above configuration:</P> <UL data-start="984" data-end="1280"> <LI data-start="1143" data-end="1280"> <P data-start="1145" data-end="1280">we do not observe any triggered NMAP scans.</P> </LI> <LI data-start="1143" data-end="1280"> <P data-start="1145" data-end="1280">Attributes such as <CODE data-start="1217" data-end="1232">NmapScanCount</CODE> and <CODE data-start="1237" data-end="1255">LastNmapScanTime</CODE> are not being populated.</P> </LI> </UL> <P data-start="1282" data-end="1410">I would appreciate your assistance in identifying the root cause and helping us enable successful NMAP scans for these devices.</P> Wed, 04 Jun 2025 09:58:57 GMT https://community.cisco.com/t5/network-access-control/issue-with-triggered-endpoint-nmap-scan-for-canon-printers/m-p/5296478#M596643 jitendrac 2025-06-04T09:58:57Z https://community.cisco.com/t5/network-access-control/issue-with-triggered-endpoint-nmap-scan-for-canon-printers/m-p/5296483#M596644 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jitendrac_0-1749031188967.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/245942iBB3798414E851889/image-size/medium?v=v2&amp;px=400" role="button" title="jitendrac_0-1749031188967.png" alt="jitendrac_0-1749031188967.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jitendrac_1-1749031279474.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/245943i9F5DEFEF00BC65D3/image-size/medium?v=v2&amp;px=400" role="button" title="jitendrac_1-1749031279474.png" alt="jitendrac_1-1749031279474.png" /></span></P> <P>&nbsp;</P> Wed, 04 Jun 2025 10:01:27 GMT https://community.cisco.com/t5/network-access-control/issue-with-triggered-endpoint-nmap-scan-for-canon-printers/m-p/5296483#M596644 jitendrac 2025-06-04T10:01:27Z https://community.cisco.com/t5/network-access-control/issue-with-triggered-endpoint-nmap-scan-for-canon-printers/m-p/5296897#M596668 <P>Hi</P><P>Does a manual NMAP Scan show any open ports on the Canon printers? You mentioned that you'd checked that all nmap ports are permitted FROM the psn to printer - is the return traffic also permitted on any firewalls/ACLs?</P><P>hth</P><P>Andy</P> Thu, 05 Jun 2025 13:52:03 GMT https://community.cisco.com/t5/network-access-control/issue-with-triggered-endpoint-nmap-scan-for-canon-printers/m-p/5296897#M596668 andrewswanson 2025-06-05T13:52:03Z https://community.cisco.com/t5/network-access-control/issue-with-triggered-endpoint-nmap-scan-for-canon-printers/m-p/5296984#M596674 <P>Manual NMAP works perfectly as expected. Not sure why it is not triggering an automatic NMAP scan&nbsp;</P> <P>I suspect that ISE PSN is not getting&nbsp;IP addresses to MAC binding information via RADIUS&nbsp;(Framed IP Address)</P> <P>But I am not sure how to check on ISE if PSN is getting the IP addresses to the MAC binding information via RADIUS</P> Thu, 05 Jun 2025 17:43:54 GMT https://community.cisco.com/t5/network-access-control/issue-with-triggered-endpoint-nmap-scan-for-canon-printers/m-p/5296984#M596674 jitendrac 2025-06-05T17:43:54Z https://community.cisco.com/t5/network-access-control/issue-with-triggered-endpoint-nmap-scan-for-canon-printers/m-p/5296985#M596675 Manual NMAP works perfectly as expected. Not sure why it is not triggering an automatic NMAP scan<BR /><BR />I suspect that ISE PSN is not getting IP addresses to MAC binding information via RADIUS (Framed IP Address)<BR /><BR />But I am not sure how to check on ISE if PSN is getting the IP addresses to the MAC binding information via RADIUS<BR /> Thu, 05 Jun 2025 17:48:09 GMT https://community.cisco.com/t5/network-access-control/issue-with-triggered-endpoint-nmap-scan-for-canon-printers/m-p/5296985#M596675 jitendrac 2025-06-05T17:48:09Z