I am developing a profile service on ISE 3.0patch2. I am trying to develop a multi-pass approach where I can profile the endpoint properly based on OUI + class identifier to get me to a point where my system is confident enough that its one of my valid endpoints so I feel good and have that confidence to go and talk to the endpoint. Therefore, allowing my ISE to bind, reach out to it and perform a scan action.
I have device sensor running on my CAT3K NAD - but I don't want CDP/LLDP or SNMP probing from my PSN. I think I have the minimum I need to get me to the scan action. I'm operating in hightened security stance, and have no real control of who connects endpoints to the NAD... So on connect, I need ISE to really profile a box... and I don't consider just a check of an OUI good enough to permit access. We are running ThinOS type endpoints so I need to probe, consider them valid that they are what they advertise themselves to be and then allow them to get session setup parameters with DHCP scope options.
So I have set some conditions in my Profile Policy to Take Network Scan Action and some conditions based on if DHCP Option 55 matches what I expect it to be and all I am doing currently is expect the PSN to scan the endpoint to pickup the custom ports the host is listening on. If my conditions match, I would like my PSN to NMAP the Endpoint. Issue is, I never see the scan happening in the pcap with my Wireshark. I see manual scans happen based on my defined Network Scan (NMAP) Action - but I don't see it done as part of the profiling "If Condition Wyse5070-DHCPOption55 Then Take Network Scan Action" which should kickoff my W5070_NMAP action.
Can you rely on these scan actions inside your profiling pipeline or are they really only reliable when you do them manually? How do you automate and consistently perform the scan (NMAP) action to endpoints that are joined to your network?
Ideally a fracture-fresh device is taken from the box and connected to the network. ISE should go to work without human intervention.