Beginner

Why or what is the need for Cisco ISE to automatically scan with NMAP in the network and save a log?

Why does Cisco ISE NMAP scan the network and save a log?

 

My security team found an alert in their system for one IP that scanned the server. PFB alert.


 

After I checked the ISE logs, I found the NMAP log below; it saves the output to the nmap.log file.

 

# Nmap 7.00 scan initiated Thu Sep 5 01:16:21 2019 as: /usr/bin/nmap -v -sU -p U:161,162 -Pn --disable-arp-ping -oN /opt/CSCOcpm/logs/nmap.log --append-output -oX - (File Server IP)
--
Nmap scan report for (File Server IP)

 

ISE NMAP scans almost all the IPs in the network. From the output we can say that NMAP scans UDP ports 161 and 162, which are the SNMP ports.

My question is: why does ISE scan via NMAP automatically, or what is the need for the NMAP scan?

 

PLS Help !!!

Accepted Solution

RJI (VIP Advisor)

Re: Why or what is the need for Cisco ISE to automatically scan with NMAP in the network and save a log?

Hi,

ISE uses NMAP in order to profile the devices that authenticate to ISE to determine make/model, OS version etc. The NMAP probe could be disabled, but you do get a lot of useful information from it. I'd suggest whitelisting the ISE IP addresses and let them run the NMAP Probes.

 

Here is the ISE profiling guide with more information.

 

HTH
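A way to triage such alerts before whitelisting, as an added example that is not from this thread or from Cisco: parse the "scan initiated" headers that ISE appends to nmap.log and check whether a scanner alert (source, destination, time) matches a profiling scan launched from a known ISE node. The log sample, the alert values and the ISE node addresses below are constructed placeholders.

```python
import re
import shlex
from datetime import datetime, timedelta

# Constructed sample of an ISE nmap.log written with --append-output: every
# profiling scan appends a "# Nmap ... scan initiated ... as: <command>" line.
# Target addresses are placeholders, not values from the thread.
SAMPLE_NMAP_LOG = """\
# Nmap 7.00 scan initiated Thu Sep  5 01:16:21 2019 as: /usr/bin/nmap -v -sU -p U:161,162 -Pn --disable-arp-ping -oN /opt/CSCOcpm/logs/nmap.log --append-output -oX - 10.0.0.25
Nmap scan report for 10.0.0.25
# Nmap 7.00 scan initiated Thu Sep  5 02:40:05 2019 as: /usr/bin/nmap -v -sU -p U:161,162 -Pn --disable-arp-ping -oN /opt/CSCOcpm/logs/nmap.log --append-output -oX - 10.0.0.77
Nmap scan report for 10.0.0.77
"""

# Placeholder addresses of the ISE nodes that run the NMAP probe (assumption).
ISE_NODES = {"10.1.1.10", "10.1.1.11"}
HEADER = re.compile(r"^# Nmap (?P<ver>\S+) scan initiated (?P<ts>.+?) as: (?P<cmd>.+)$")


def parse_scan_headers(log_text):
    """Return one record per scan header: start time, target, ports, UDP flag."""
    scans = []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        argv = shlex.split(m.group("cmd"))
        scans.append({
            # nmap pads the day with spaces ("Sep  5"); collapse before parsing
            "started": datetime.strptime(" ".join(m.group("ts").split()),
                                         "%a %b %d %H:%M:%S %Y"),
            "target": argv[-1],  # ISE passes the endpoint address last
            "ports": argv[argv.index("-p") + 1] if "-p" in argv else None,
            "udp": "-sU" in argv,
        })
    return scans


def explain_alert(src_ip, dst_ip, when_iso, scans, ise_nodes, window_min=5):
    """Return the ISE profiling scan that explains a scanner alert, else None:
    the source must be a known ISE node and nmap.log must show a scan of the
    alert's destination within the window; anything else needs investigation."""
    if src_ip not in ise_nodes:
        return None
    when, window = datetime.fromisoformat(when_iso), timedelta(minutes=window_min)
    for scan in scans:
        if scan["target"] == dst_ip and abs(scan["started"] - when) <= window:
            return scan
    return None
```

An alert whose source is not an ISE node, or whose destination has no matching scan in the window, is returned as unexplained and should be treated as a real scanner rather than whitelisted.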

2 REPLIES
VIP Advisor

Re: Why or what is the need for Cisco ISE to automatically scan with NMAP in the network

ISE performs NMAP scanning as part of its profiling function. Initially, ISE will match the device against a parent profile (for example, Cisco Access Point) using enabled probes such as RADIUS, CDP, etc. Most parent profiles have NMAP enabled to perform an NMAP scan against the device on first match to detect its specific model, such as Cisco Aironet 3802.

You can enable dot1x on client endpoints instead of servers to avoid similar cases.