Do nmap scan on every authentication

kskksaa
Level 1

Hello,

We have a few printers which are authenticated with MAB.

I would like to do NMAP profiling on every authentication to ensure that these devices are real printers. I made it work so that the endpoint gets profiled once, but after the first successful NMAP scan no more scans are made.

The only solution I found is an endpoint purge, so every printer gets profiled anew after a day. Is it possible to scan on every authentication?

Accepted Solution

Surendra
Cisco Employee
NMAP scan is triggered only for new endpoints, for the following reasons:

1. The information collected directly from the endpoint by scanning it is not expected to change over a period of time.
2. NMAP can cause serious performance and memory issues if run for every authentication that happens for an endpoint, especially in deployments with more than a hundred thousand endpoints and, on top of that, re-authentications configured etc. This could potentially bring down the nodes.
3. Having said that, an NMAP scan is triggered again for an endpoint if the profile of the endpoint significantly changes (e.g. IP Phone to a Telepresence device).


3 Replies

Okay, thank you for your answer.

Makes sense, but it would be great to define endpoints which should be scanned continuously.

How exactly is the NMAP scan triggered? Which attributes must change for a new scan to be done?

How does this work with other profiling information like DHCP? Is this information instantly updated, and could it initiate a CoA? For example, a new device connects on the printer port with the same (spoofed) MAC address and sends some DHCP requests which differ from the ones the printer sends. Can this issue a CoA?

Best regards

It would be great to define endpoints which should be scanned continuously. --> Check with TAC whether an enhancement request can be filed for this.

How exactly is the NMAP scan triggered? Which attributes must change for a new scan to be done? --> The first one I've answered in the previous reply. For the second part: any attributes learnt that cause the profile to change.

How does this work with other profiling information like DHCP? Is this information instantly updated, and could it initiate a CoA? For example, a new device connects on the printer port with the same (spoofed) MAC address and sends some DHCP requests which differ from the ones the printer sends. Can this issue a CoA?

--> As soon as new attributes are learnt (including DHCP), based on the certainty factor of those attributes, the profile of an endpoint is expected to change. Once this happens, based on the type of CoA you set for the profiler, a CoA will be issued.
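The behaviour described in the accepted solution (scan new endpoints, rescan only when the profile changes) and in the reply above (attributes scored by certainty factor, CoA issued on a profile change) can be written down as a small model. This is an added example and not ISE code or Cisco's implementation: the policy names, attribute names, certainty factors, MAC address and scan results are all constructed for the illustration, and `printer_on_wire` / `spoofer_on_wire` are stand-ins for whatever a real NMAP scan action would report. It walks through exactly the scenario asked about: a printer authenticating repeatedly, then a spoofed device reusing the printer's MAC and sending Windows-looking DHCP.

```python
"""Simplified model of profile-change-driven NMAP rescans and CoA.

Added illustration, not ISE code. Policy names, attribute names, certainty
factors, the MAC address and the scan results are all constructed here.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Profiling policies: name -> (minimum certainty factor to match,
# [(attribute, expected value, certainty factor awarded), ...]).
POLICIES = {
    "HP-Printer": (30, [
        ("OUI", "Hewlett Packard", 10),
        ("dhcp-class-identifier", "Hewlett-Packard JetDirect", 30),
        ("nmap-open-port", "9100", 10),
    ]),
    "Workstation": (30, [
        ("dhcp-class-identifier", "MSFT 5.0", 30),
        ("nmap-open-port", "445", 10),
    ]),
}

Scanner = Callable[[str], Dict[str, str]]   # stand-in for the NMAP scan action


@dataclass
class Endpoint:
    mac: str
    attributes: Dict[str, str] = field(default_factory=dict)
    profile: Optional[str] = None           # None = never profiled (new endpoint)
    auth_events: int = 0
    nmap_scans: int = 0
    coa_events: List[Tuple[str, str, str]] = field(default_factory=list)


def best_profile(attrs: Dict[str, str]) -> str:
    """Sum the certainty factors of matching conditions per policy and pick the
    highest-scoring policy that reaches its minimum; otherwise 'Unknown'."""
    best, best_cf = "Unknown", 0
    for name, (min_cf, conds) in POLICIES.items():
        cf = sum(w for attr, value, w in conds if attrs.get(attr) == value)
        if cf >= min_cf and cf > best_cf:
            best, best_cf = name, cf
    return best


def learn(ep: Endpoint, new_attrs: Dict[str, str], scanner: Scanner,
          coa_type: str = "Reauth") -> Optional[Tuple[Optional[str], str]]:
    """Handle one authentication or probe event (RADIUS, DHCP, ...).

    Attributes are merged and the profile re-evaluated on every event, but the
    scan runs only for a new endpoint or when the profile changes, and a CoA is
    issued only when the profile of an already-profiled endpoint changes.
    """
    ep.auth_events += 1
    ep.attributes.update(new_attrs)
    old = ep.profile
    if old is not None and best_profile(ep.attributes) == old:
        return None                         # re-auth with nothing new: no scan, no CoA
    ep.nmap_scans += 1                      # new endpoint, or profile changed
    ep.attributes.update(scanner(ep.mac))   # merge what the scan reports
    ep.profile = best_profile(ep.attributes)
    if old is not None and ep.profile != old and coa_type != "No CoA":
        ep.coa_events.append((coa_type, old, ep.profile))
    return old, ep.profile


def printer_on_wire(mac: str) -> Dict[str, str]:   # constructed scan result
    return {"nmap-open-port": "9100"}


def spoofer_on_wire(mac: str) -> Dict[str, str]:   # constructed scan result
    return {"nmap-open-port": "445"}


def simulate() -> Tuple[Endpoint, int]:
    """Printer lifecycle, then a spoofed device reusing the printer's MAC."""
    ep = Endpoint(mac="00:11:22:33:44:55")   # constructed MAC
    learn(ep, {"OUI": "Hewlett Packard"}, printer_on_wire)   # first MAB auth
    learn(ep, {"dhcp-class-identifier": "Hewlett-Packard JetDirect"},
          printer_on_wire)                                   # DHCP probe
    for _ in range(3):                                       # periodic re-auths
        learn(ep, {}, printer_on_wire)
    scans_before_spoof = ep.nmap_scans
    # Same MAC, but the DHCP traffic now looks like a Windows host.
    learn(ep, {"dhcp-class-identifier": "MSFT 5.0"}, spoofer_on_wire)
    return ep, scans_before_spoof


if __name__ == "__main__":
    endpoint, before = simulate()
    print(f"events={endpoint.auth_events} scans={endpoint.nmap_scans} "
          f"(before spoof: {before}) profile={endpoint.profile}")
    for coa in endpoint.coa_events:
        print("CoA", coa)
```

Running it shows six authentication/probe events but only three scans, none of them caused by the plain re-authentications, and a CoA only on the two profile changes. The spoofing case is worth reading closely: whether the new DHCP fingerprint actually flips the profile depends entirely on the certainty factors, because the attributes learnt by the earlier scan stay on the endpoint and keep counting for the old profile. With weights that favour the stale NMAP result the printer profile would hold, and neither a rescan nor a CoA would follow.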