Cisco ISE performing NMAP scans at regular intervals.
05-31-2022 05:57 AM
Folks,
I understand that the Cisco ISE PSN's should do some NMAP scans on the network at regular intervals.
However, I do not see that to be the case.
e.g. we have a few devices where the OS and ports detected in the NMAP scan do not show up.
However, if we do a manual scan to this device from the ISE it shows up correctly.
We have all the nodes configured to NMAP in the "Profiling Configuration".
It reads "The NMAP probe will scan endpoints for open ports and OS."
Our challenge is where we are going wrong and why the results show up only after a manual scan.
Any suggestions?
Regards,
N!
Labels: Identity Services Engine (ISE)
05-31-2022 06:06 AM
What ISE version? How does your autoscan profile look compared to the manual scan?
Check this reference guide:
https://ciscocustomer.lookbookhq.com/iseguidedjourney/ISE-profiling-design
05-31-2022 06:39 AM
Hi Balaji,
Thanks! The ISE version is 3.0.
When you say autoscan, I understand you are referring to NMAP Scan Actions under "Policy Elements".
If yes, there is no difference in the autoscan and the manual scan I did.
Regards.
05-31-2022 06:24 AM
Hi
See this previous post on how/when ISE performs NMAP scans:
https://community.cisco.com/t5/network-access-control/nmap-scan-questions/td-p/3776212
NMAP can be triggered in the following cases:
- Manual NMAP scan
- Automatically when endpoint discovered and profile set to Unknown
- Automatically by matching a profile and one of the matching conditions has action to trigger NMAP. The NMAP scan type is defined under the NMAP Scan Actions (under Policy > Policy Elements > Results > Profiling > NMAP Scan Actions).
hth
Andy
06-01-2022 07:58 PM
ISE needs the mapping of the IP address to the MAC address in order to update the NMAP results to the endpoint.
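An added example, not from the thread or from Cisco, that models the two points raised above: the three NMAP trigger cases Andy lists, and the IP-to-MAC requirement in the last reply. Endpoint, scan result and binding data are constructed for the example; a scan result whose IP has no known MAC binding is left unattached, which is the failure mode behind "results only show up after a manual scan".

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Endpoint:
    mac: str
    profile: str = "Unknown"
    nmap_os: Optional[str] = None
    open_ports: List[int] = field(default_factory=list)


def nmap_trigger_reason(ep: Endpoint, manual: bool = False,
                        policy_action: Optional[str] = None) -> Optional[str]:
    """Return which of the three trigger cases applies, or None."""
    if manual:
        return "manual"                      # operator-initiated scan
    if ep.profile == "Unknown":
        return "unknown-profile"             # newly discovered, unprofiled
    if policy_action == "NMAP":
        return "policy-action"               # matched profiling rule with NMAP scan action
    return None


def attach_scan_results(endpoints: Dict[str, Endpoint],
                        ip_to_mac: Dict[str, str],
                        scan_results: Dict[str, dict]) -> List[str]:
    """Attach NMAP results (keyed by IP) to endpoints (keyed by MAC).
    IPs with no IP->MAC binding cannot be correlated and are returned."""
    unattached = []
    for ip, result in scan_results.items():
        mac = ip_to_mac.get(ip)
        if mac is None or mac not in endpoints:
            unattached.append(ip)
            continue
        endpoints[mac].nmap_os = result["os"]
        endpoints[mac].open_ports = sorted(result["ports"])
    return unattached


# Constructed sample data: two endpoints, only one with an IP binding.
ENDPOINTS = {"00:11:22:33:44:55": Endpoint("00:11:22:33:44:55"),
             "66:77:88:99:aa:bb": Endpoint("66:77:88:99:aa:bb", profile="Printer")}
IP_TO_MAC = {"10.0.0.10": "00:11:22:33:44:55"}       # 10.0.0.20 has no binding
SCAN = {"10.0.0.10": {"os": "Linux", "ports": [443, 22]},
        "10.0.0.20": {"os": "Windows", "ports": [445]}}

if __name__ == "__main__":
    print("unattached:", attach_scan_results(ENDPOINTS, IP_TO_MAC, SCAN))
    print(ENDPOINTS["00:11:22:33:44:55"])
```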
