cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
640
Views
0
Helpful
3
Replies

Do nmap scan on every authentication

kskksaa
Beginner
Beginner

Hello,

 

we have a few printers which are authenticated with mab. 

I would like to do nmap profiling on every authentication to ensure that this devices are real printers....i made  it work that the endpoint get profiled once - but after the first successful nmap scan no more scans are made.

 

The only solution i found is endpoint purge..so every printer gets profiled new after a day....is it possible to scan on every authentication?

1 Accepted Solution

Accepted Solutions

Surendra
Cisco Employee
Cisco Employee
NMAP scan is triggered for only new endpoints because of the following reasons:

1. The information collected directly from the endpoint by scanning them is not expected to change over a period of time.
2. NMAP can cause a serious performance and memory issue if run for every authentication that happens for an endpoint. Especially in deployments where there are more than a hundred thousand endpoints and on top of that considering re-authentications configure etc. this could potentially bring down the nodes.
3. Having said, that an NMAP scan is triggered again for an endpoint if the profile of the endpoint significantly changes. (Ex: IP Phone to a Telepresence device)etc.

View solution in original post

3 Replies 3

Surendra
Cisco Employee
Cisco Employee
NMAP scan is triggered for only new endpoints because of the following reasons:

1. The information collected directly from the endpoint by scanning them is not expected to change over a period of time.
2. NMAP can cause a serious performance and memory issue if run for every authentication that happens for an endpoint. Especially in deployments where there are more than a hundred thousand endpoints and on top of that considering re-authentications configure etc. this could potentially bring down the nodes.
3. Having said, that an NMAP scan is triggered again for an endpoint if the profile of the endpoint significantly changes. (Ex: IP Phone to a Telepresence device)etc.

Okay thank you for your answer.

Makes sense, but it would be great to define endpoints which should be scanned continous. 

 

How is the nmap scan exactly triggered? Which attributes must change that a new scan is done?

 

How does this work with other profiling information like dhcp? Are these informations instantly updated and could inititate a coa? For example a new device connects on the printer port with the same mac address (spoofed) an sends some dhcp requests which differ from the one which the printer sends...can this issue a coa?

 

Best regards

 

it would be great to define endpoints which should be scanned continous. --> Check with TAC if an enhancement request can be filed for this.

How is the nmap scan exactly triggered? Which attributes must change that a new scan is done? --> The first one i've answered in the previous reply. For the second part, any attributes learnt that cause the profile to change.

How does this work with other profiling information like dhcp? Are these informations instantly updated and could inititate a coa? For example a new device connects on the printer port with the same mac address (spoofed) an sends some dhcp requests which differ from the one which the printer sends...can this issue a coa?

As soon as new attributes are learnt (including DHCP), based on the certainty factor of those attributes, a profile of an endpoint is ought to be changed. Once this happens, based on the type of CoA you set for profiler, a CoA will be issued.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers