Cisco ISE3.0Patch2 - NMAP Scan Action

chris-lawrence
Level 1

Hi Team,

I am developing a profile service on ISE 3.0 Patch 2. I am trying to develop a multi-pass approach where I can profile the endpoint properly based on OUI + class identifier to get me to a point where my system is confident enough that it's one of my valid endpoints, so I feel good and have that confidence to go and talk to the endpoint, therefore allowing my ISE to bind, reach out to it and perform a scan action.


I have device sensor running on my CAT3K NAD, but I don't want CDP/LLDP or SNMP probing from my PSN. I think I have the minimum I need to get me to the scan action. I'm operating in a heightened security stance, and have no real control of who connects endpoints to the NAD... So on connect, I need ISE to really profile a box... and I don't consider just a check of an OUI good enough to permit access. We are running ThinOS type endpoints, so I need to probe, consider them valid in that they are what they advertise themselves to be, and then allow them to get session setup parameters with DHCP scope options.


So I have set some conditions in my Profile Policy to Take Network Scan Action and some conditions based on whether DHCP Option 55 matches what I expect it to be, and all I am doing currently is expecting the PSN to scan the endpoint to pick up the custom ports the host is listening on. If my conditions match, I would like my PSN to NMAP the endpoint. The issue is, I never see the scan happening in the pcap with my Wireshark. I see manual scans happen based on my defined Network Scan (NMAP) Action, but I don't see it done as part of the profiling "If Condition Wyse5070-DHCPOption55 Then Take Network Scan Action", which should kick off my W5070_NMAP action.


Can you rely on these scan actions inside your profiling pipeline or are they really only reliable when you do them manually? How do you automate and consistently perform the scan (NMAP) action to endpoints that are joined to your network?


Ideally a factory-fresh device is taken from the box and connected to the network. ISE should go to work without human intervention.

1 Reply

Hi @chris-lawrence ,

Although it's an old post, let me try to give some directions for future reference...

Please take a look at: ISE Profiling Design Guide, search for Procedure 50 Review NMAP Actions.

At Procedure 52 Verify NMAP Probe Data Based on a Triggered Endpoint Scan Action - Step 6:

- check the LastNMAPScanTime and NMAPScanCount of your Endpoint;

- check the "If NMAP data does not appear, or not all of the expected attributes appear, then be sure to verify the following".


Hope this helps!!!
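The reply's check (look at LastNMAPScanTime and NMAPScanCount on the endpoint) is easy to do for one endpoint in the GUI, but the original question is about a fleet of devices connecting without human intervention. The script below is an added example written for this thread, not code from Cisco ISE or from either poster: it takes a list of endpoint attribute dictionaries shaped like an endpoint export, re-evaluates the DHCP Option 55 condition the way the profiler policy does (exact match on the parameter request list), and flags endpoints that met the condition but carry no scan evidence, which are exactly the cases where the triggered scan action did not fire. The attribute names LastNMAPScanTime and NMAPScanCount come from the reply; the other attribute names, the expected Option 55 value, and the sample endpoints are constructed assumptions and should be replaced with values from your own export.

```python
"""Audit exported ISE endpoint attributes to see whether a triggered NMAP
scan action actually ran.  Added example for this thread, not ISE code.
Input is a constructed list of endpoint attribute dictionaries; the names
LastNMAPScanTime and NMAPScanCount follow the reply above, everything else
is an assumption about the export format."""
from datetime import datetime, timezone

# Constructed sample data (not captured from a real deployment):
#   ...:01  condition met and a triggered scan was recorded
#   ...:02  condition met but no scan evidence at all (the problem case)
#   ...:22  a different device that was scanned manually; condition not met
SAMPLE_ENDPOINTS = [
    {"MACAddress": "00:80:64:AA:BB:01", "OUI": "Wyse Technology",
     "dhcp-parameter-request-list": "1,3,6,12,15,28,42,119",
     "LastNMAPScanTime": "2021-06-01T10:15:00Z", "NMAPScanCount": "1"},
    {"MACAddress": "00:80:64:AA:BB:02", "OUI": "Wyse Technology",
     "dhcp-parameter-request-list": "1,3,6,12,15,28,42,119"},
    {"MACAddress": "AC:DE:48:00:11:22", "OUI": "Private",
     "dhcp-parameter-request-list": "1,3,6,15",
     "LastNMAPScanTime": "2021-06-01T09:00:00Z", "NMAPScanCount": "2"},
]

# Assumed value behind the Wyse5070-DHCPOption55 condition; take the real
# one from the condition definition in your own policy.
EXPECTED_OPTION55 = "1,3,6,12,15,28,42,119"


def option55_matches(endpoint, expected=EXPECTED_OPTION55):
    """Mirror of the profiler condition: exact match on DHCP option 55
    (the parameter request list), assumed to be exported under
    'dhcp-parameter-request-list'."""
    return endpoint.get("dhcp-parameter-request-list") == expected


def scan_recorded(endpoint):
    """Return the last scan time as an aware datetime when the endpoint
    carries NMAP scan evidence (a positive count and a timestamp), else None.
    Malformed counts or timestamps are treated as 'no evidence'."""
    try:
        count = int(endpoint.get("NMAPScanCount", "0"))
    except ValueError:
        return None
    stamp = endpoint.get("LastNMAPScanTime")
    if count <= 0 or not stamp:
        return None
    try:
        parsed = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return parsed.replace(tzinfo=timezone.utc)


def audit(endpoints, expected=EXPECTED_OPTION55):
    """Classify every endpoint by MAC address as one of:
    'scanned', 'condition-met-no-scan', or 'condition-not-met'."""
    result = {}
    for ep in endpoints:
        mac = ep["MACAddress"]
        if not option55_matches(ep, expected):
            result[mac] = "condition-not-met"
        elif scan_recorded(ep) is None:
            result[mac] = "condition-met-no-scan"
        else:
            result[mac] = "scanned"
    return result


def unscanned_matches(endpoints, expected=EXPECTED_OPTION55):
    """MACs that matched the condition but have no scan evidence: these are
    the endpoints to walk through Procedure 52 Step 6 for."""
    return sorted(mac for mac, status in audit(endpoints, expected).items()
                  if status == "condition-met-no-scan")


if __name__ == "__main__":
    for mac, status in audit(SAMPLE_ENDPOINTS).items():
        print(f"{mac}: {status}")
    print("investigate:", unscanned_matches(SAMPLE_ENDPOINTS))
```

Because the third sample endpoint was scanned (manually) but never matched the condition, it is reported as "condition-not-met" rather than "scanned": seeing NMAP attributes on some endpoints, as the original poster did for manual scans, says nothing about whether the triggered action works, so the audit keys on the condition first and the scan evidence second.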