I have worked with our system administrators, network administrators and our HBSS administrator to configure a test laptop with these settings, and we are still not getting credentialed scans.
Now, when setting up the Scan Policy on SecurityCenter, there is no Windows credential option under the Authentication tab. However, if I log into the Nessus scanner directly, this is not the case. I have the option there to create and include Windows credentials ad infinitum within scan policies I build there.
Is there a reason SecurityCenter scan policy creation does NOT have the Windows credential authentication option available? If this were fixed, this would be the path of least resistance instead of trying to push a GPO that disables login requirements for secured laptops, disabling HBSS and opening up ports locally.
I had the same issue when attempting to test ISE TC-NAC integration with Security Center. Note that at the time we were running ISE 2.4p9. We were advised this is a Security Center side of the house issue. Unfortunately, this is due primarily to Security Center config and the need to run on-demand scans constantly. AFAIK the only option is to look into testing/using Nessus clients on all your workstations due to the lack of ability to configure Windows creds in the scan policy. My recommendation would be to look into other options, test/research the local Nessus clients (as I think this eliminates the need for credentials from what I remember), and open a ticket/talk to someone on the Nessus side. Lastly, be aware that the local Nessus clients eat resources pretty badly. HTH & Good luck!
A workaround if someone else needs this. We are running an integration between Tenable.sc (v5.18.0) and Cisco ISE initiating scans automatically. Additionally we have CyberArk running to pull credentials for various (credentialed) scans. I did encounter the same problem as the Windows credentials are configured for the active scan and not in the "scan policy" used by ISE.
What I did was to look into the SQLite database on our Tenable.sc server. Then I found the credentials ID ("credID" column) and automatically associated all new on-demand scans with those credentials. This is done with a simple SQL trigger, so every time a new scan is added, a new row will automatically be added to ensure it will run credentialed.
CredID is the first one we added "1000001". You can identify yours with the following command
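The trigger mechanism described in the post above, as an added example that is not part of the original thread and is not the poster's command or trigger. It runs against an in-memory SQLite database with a constructed schema: the table names, the `scanID` and `type` columns and the trigger name are hypothetical and are not the Tenable.sc schema; only the `credID` column name and the value 1000001 come from the post.

```python
import sqlite3

# Constructed schema for illustration only. These are NOT Tenable.sc tables.
SCHEMA = """
CREATE TABLE Scan (id INTEGER PRIMARY KEY, name TEXT, type TEXT);
CREATE TABLE ScanCredential (scanID INTEGER, credID INTEGER,
                             UNIQUE (scanID, credID));
"""

def make_trigger(cred_id):
    # SQLite does not allow bound parameters inside a trigger body, so the
    # ID is forced through int() before being formatted into the DDL.
    return f"""
    CREATE TRIGGER attach_cred_on_demand
    AFTER INSERT ON Scan
    WHEN NEW.type = 'on-demand'
    BEGIN
        INSERT OR IGNORE INTO ScanCredential (scanID, credID)
        VALUES (NEW.id, {int(cred_id)});
    END;
    """

def build_db(cred_id):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executescript(make_trigger(cred_id))
    return conn

def add_scan(conn, name, scan_type):
    # Simulates the integration creating a scan; returns the new scan id.
    cur = conn.execute("INSERT INTO Scan (name, type) VALUES (?, ?)",
                       (name, scan_type))
    conn.commit()
    return cur.lastrowid

def creds_for(conn, scan_id):
    rows = conn.execute("SELECT credID FROM ScanCredential WHERE scanID = ?",
                        (scan_id,))
    return [r[0] for r in rows]

def list_triggers(conn):
    # Audit view: every trigger in the database and the table it fires on.
    rows = conn.execute("SELECT name, tbl_name FROM sqlite_master "
                        "WHERE type = 'trigger' ORDER BY name")
    return rows.fetchall()

if __name__ == "__main__":
    db = build_db(1000001)
    sid = add_scan(db, "constructed-on-demand-scan", "on-demand")
    print(sid, creds_for(db, sid), list_triggers(db))
```

Listing triggers from `sqlite_master` is also how an administrator can confirm that an out-of-band change like this is still in place, or spot one that was not expected.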