cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1274
Views
0
Helpful
11
Replies

ISE 2.4 Integration with Qualys - VA Scan Not Running

john.kiac
Level 1
Level 1

Hi,

 

I'm trying to perform a VA scan with Qualys and ISE when a workstation executes a 802.1x authentication.

 

I can see that the authorization profile for the VA Scan was called and I've integrated Qualys via the Threat Centric NAC portion of the ISE Web GUI.

 

I've checked the Qualys dashboard and no scan was initiated.

Any insights provided are deeply appreciated.

11 Replies 11

Dan Lukes
VIP Alumni
VIP Alumni

Off-topic in feedback forum, moved.

 

See related: Cisco ISE integration with Qualys - CONSULTANT

thomas
Cisco Employee
Cisco Employee

RadiusLog.JPGRadiusLog-AuthProfile.JPG

 

Yes I've followed every step in the document. As you can see from the result of the Authorization Profile, it has downloaded the Qualys Scan Auth Profile.

John,

 

The Qualys documents are missing a very key setup piece.  In the Qualys setup after you define everything and assign it to a PSN.  There is a field marked Option Profile.  That Option profile needs to exactly match the profile name defined in the Qualys cloud that should be used for the scan.   Your Qualys admins will know what that means.  I think it default to Default.  If you debug things you will see the scan being submitted but you don't have the right Option profile and the Qualys cloud never executes.

 

I have told this to the BU in the past to update the documentation.  

Paul,

 

On the Qualys setup in ISE, I've indicated the same Option Profile name on the configuration which is the same as the one in the Qualys Option Profiles tab.

 

I've waited for few hours now and the scan still does not start.

John,

 

Are you correctly learning the IP of the device?  I didn't see the IP in the RADIUS log you posted, but you may have cut it off.  Also the log entry you posted was definitely not a Dot1x session.  It was a MAB authentication.  Did you mean to apply it to a Dot1x rule?  Not that it should matter I think.

RadiusLog2.jpg

 

Yes the IP address is recognized. And I've applied the profile to both MAB authorization and Wired 802.1x authorization.

Well you hit my limits on this topic. :) 

 

Turn on TC-NAC debugs on the PSN you are running this on and verify the request is being submitted to Qualys.  That way you know which side you need to troubleshoot.  I think there is a way to see the received request on the Qualys side as well.

 

FYI, after spending time working on this at a customer here are my notes I sent to the BU on my thoughts.

 

  1. Currently there is no way on the Qualys cloud TC-NAC definition in ISE to specify the priority of the scan request.  The requests all come in with a priority of 0 which means the scan will run after all the other scan jobs run.  The customer’s scan priority for their normal scan jobs is 5.  There should be an option to set scan priority in the connector.
  2. Why can’t ISE take in CVSS score data from scans ISE did not request?   ISE can take in AMP threat data as soon as it connects to the AMP cloud, but CVSS score data will only show up on scan submitted by ISE.  Is it a correlation to endpoint issue?
  3. ISE doesn’t appear to use/receive the composite CVSS score from Qualys or have the ability to use the composite score.  I had a rule setup to quarantine a device if the CVSS score was 7 or higher (high and critical).  ISE quarantined the device if any single QID was scored at a 7 or higher even though Qualys gave the device an overall CVSS score of 5.  Is there any way to use the composite score?
  4. Right now the option profile is tied to the Qualys adaptor definition.  There is no way to specify the option profile in the authorization profile.  This won’t work in a hospital environment because you can’t VA medical equipment as aggressively as you would a domain joined device.  Would be ideal to specify the Option Profile as part of the authorization profile.  The other thought we were going to try was to see if we could create multiple Qualys adapter definitions to the same cloud but with different Option Profiles, but that is clunky.
  5. Qualys has the ability to specify the installation of a dissolvable agent as part of the scan process.  That can be done at the Option Profile level or specified as part of the scan request.  We don’t have that option in ISE.  
  6. This one may be something I am missing.  Is there any option to tell ISE to rescan a device other than deleting the endpoint from ISE and having it authenticate again?  Say a device gets quarantined and they fix the issue.  The only way I can see to get ISE to issue a new Qualys scan reliably is to delete the endpoint from ISE.

hslai
Cisco Employee
Cisco Employee

Under Context Visibility > Endpoints > Vulnerable Endpoints, there is a button "Clear Threats & Vulnerabilities" if the previous data is preventing the re-auth to match the correct authorization policy rule.

I would also suggest to check this report under Operations > Reports > Reports > Threat Centric NAC > Vulnerability Assessment.

As I've posted, the scan are not being triggered even when the right profile is triggered during authorization. So there's nothing on the Context Visibility / Endpoints / Vulnerable Endpoints.

 

ContextVisibility.JPG

Since the comments so far not helping resolving your issue, please enable DEBUG, generate a support bundle to include all the debug logs, open a Cisco TAC case, and ask TAC to analyze the log files.

In the past, some of our no-scan occurrences were due to API access limits with our demo account and worked with Qualys support team to address it. Therefore, you might want to check with Qualys and verify your account has proper API access privileges and entitlements, too

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: