Cisco ISE/SecurityCenter Integration Credentialed Scans



We have followed this guide and gotten automated scanning of systems to work:


Now the only issue is getting credentialed scans on systems.


Using this guide:


I have worked with our system administrators, network administrators and our HBSS administrator to configure a test laptop with these settings, and we are still not getting credentialed scans.


Now, when setting up the Scan Policy on SecurityCenter, there is no Windows credential option under the Authentication tab. However, if I log into the Nessus scanner directly, this is not the case. I have the option there to create and include Windows credentials ad infinitum within scan policies I build there.


Is there a reason SecurityCenter scan policy creation does NOT have the Windows credential authentication option available? If this were fixed, this would be the path of least resistance instead of trying to push a GPO that disables login requirements for secured laptops, disabling HBSS and opening up ports locally.


3 Replies


I had the same issue when attempting to test ISE TC-NAC integration with Security Center. Note that at the time we were running ISE 2.4p9. We were advised this is a Security Center side of the house issue. Unfortunately, this is due primarily to Security Center config and the need to run on-demand scans constantly. AFAIK the only option is to look into testing/using Nessus clients on all your workstations due to the lack of ability to configure Windows creds in the scan policy. My recommendation would be to look into other options, test/research the local Nessus clients (as I think this eliminates the need for credentials from what I remember), and open a ticket/talk to someone on the Nessus side. Lastly, be aware that the local Nessus clients eat resources pretty badly. HTH & Good luck!


A workaround if someone else needs this. We are running an integration between (v5.18.0) and Cisco ISE initiating scans automatically. Additionally we have CyberArk running to pull credentials for various (credentialed) scans. I did encounter the same problem as the Windows credentials are configured for the active scan and not in the "scan policy" used by ISE.

What I did was to look into the SQLite database on our server. Then I found the credentials ID ("credID" column) and automatically associated all new on-demand scans with those credentials. This is done with a simple SQL trigger, so every time a new scan is added, a new row will automatically be added to ensure it will run credentialed.


CredID is the first one we added, "1000001". You can identify yours with the following command:

     sqlite> SELECT * FROM Credential;

The trigger:

     CREATE TRIGGER add_cyberark_win_creds_to_ise_scans
     AFTER INSERT ON ScanAsset
     BEGIN
          -- Attach credential 1000001 to every newly added scan
          INSERT INTO ScanCredential (scanID,credID) VALUES (new.scanID,1000001);
     END;



You can modify the trigger to match only the API user used by ISE or other stuff to tweak it.
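
Added example (not part of the original reply, and not vendor code): the trigger workaround above, exercised against a constructed in-memory SQLite database, with a guard against duplicate links and a query that lists installed triggers for review. Only the table names and the scanID/credID columns come from the post; the other columns, and the idea that one scan can produce several ScanAsset rows, are assumptions.

```python
import sqlite3

CRED_ID = 1000001  # credID value quoted in the post; look yours up in Credential

# Constructed stand-in schema: only the table names and the scanID/credID
# columns come from the post; every other column is an assumption.
SCHEMA = """
CREATE TABLE Credential (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE ScanAsset (scanID INTEGER, assetID INTEGER);
CREATE TABLE ScanCredential (scanID INTEGER, credID INTEGER);
"""

# Same trigger idea as the post, with a WHEN guard so a scan that gets
# several ScanAsset rows is still linked to the credential only once.
TRIGGER = f"""
CREATE TRIGGER add_cyberark_win_creds_to_ise_scans
AFTER INSERT ON ScanAsset
WHEN NOT EXISTS (SELECT 1 FROM ScanCredential
                 WHERE scanID = NEW.scanID AND credID = {CRED_ID})
BEGIN
    INSERT INTO ScanCredential (scanID, credID) VALUES (NEW.scanID, {CRED_ID});
END;
"""

def build_demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO Credential VALUES (?, ?)", (CRED_ID, "win-cred (constructed)"))
    db.executescript(TRIGGER)
    return db

def add_scan(db, scan_id, asset_ids):
    """Simulate an on-demand scan being registered with one row per asset."""
    db.executemany("INSERT INTO ScanAsset VALUES (?, ?)", [(scan_id, a) for a in asset_ids])

def creds_for_scan(db, scan_id):
    rows = db.execute("SELECT credID FROM ScanCredential WHERE scanID = ?", (scan_id,))
    return [r[0] for r in rows]

def list_triggers(db):
    """Audit view: every trigger in the database and the table it fires on."""
    return db.execute("SELECT name, tbl_name FROM sqlite_master WHERE type = 'trigger'").fetchall()

if __name__ == "__main__":
    db = build_demo_db()
    add_scan(db, 42, [7, 8])  # constructed scan with two assets
    print(creds_for_scan(db, 42))
    print(list_triggers(db))
```

The `sqlite_master` query in `list_triggers` is worth keeping as a review step, since any trigger on these tables silently changes which credentials a scan runs with.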

Very helpful, I will test it and get back to you, many thanks.
