12-09-2018 05:34 AM
Hello,
we have a few printers which are authenticated with MAB.
I would like to do NMAP profiling on every authentication to ensure that these devices are real printers. I made it work so that the endpoint gets profiled once, but after the first successful NMAP scan no more scans are made.
The only solution I found is an endpoint purge, so every printer gets profiled anew after a day. Is it possible to scan on every authentication?
Labels: Identity Services Engine (ISE)
Accepted Solutions
12-09-2018 06:15 AM
1. The information collected directly from the endpoint by scanning it is not expected to change over a period of time.
2. NMAP can cause serious performance and memory issues if run for every authentication that happens for an endpoint. Especially in deployments where there are more than a hundred thousand endpoints, and on top of that considering the re-authentications configured etc., this could potentially bring down the nodes.
3. Having said that, an NMAP scan is triggered again for an endpoint if the profile of the endpoint significantly changes (e.g. IP Phone to a Telepresence device).
12-09-2018 07:12 AM
Okay, thank you for your answer.
Makes sense, but it would be great to define endpoints which should be scanned continuously.
How exactly is the NMAP scan triggered? Which attributes must change so that a new scan is done?
How does this work with other profiling information like DHCP? Is this information instantly updated, and could it initiate a CoA? For example, a new device connects on the printer port with the same (spoofed) MAC address and sends some DHCP requests which differ from the ones the printer sends. Can this issue a CoA?
Best regards
12-09-2018 07:53 AM
How exactly is the NMAP scan triggered? Which attributes must change so that a new scan is done? --> The first one I've answered in the previous reply. For the second part, any attributes learnt that cause the profile to change.
How does this work with other profiling information like DHCP? Is this information instantly updated, and could it initiate a CoA? For example, a new device connects on the printer port with the same (spoofed) MAC address and sends some DHCP requests which differ from the ones the printer sends. Can this issue a CoA?
As soon as new attributes are learnt (including DHCP), based on the certainty factor of those attributes, the profile of the endpoint ought to change. Once this happens, based on the type of CoA you set for the profiler, a CoA will be issued.
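The rescan and CoA behaviour described in the replies, as an added example in Python (not Cisco ISE code and not from any poster in this thread). The profiling policies, certainty factors, DHCP fingerprints, MAC address and NMAP result are all constructed for illustration; the model is deliberately simplified: a policy matches when its matched conditions add up to at least its minimum certainty, the highest-scoring policy wins, and a scan plus CoA fire only when the assigned profile changes, which is why a re-authentication with identical attributes does nothing while a changed DHCP fingerprint behind the same MAC triggers both.

```python
"""Toy model of profiler-driven rescans and CoA, added as an illustration.

This is not Cisco ISE code.  Policy names, certainty factors, DHCP
fingerprints, the MAC address and the NMAP result are constructed for the
example; the rule that a scan runs only when the endpoint is first
classified or re-classified follows the replies in the thread.
"""
from dataclasses import dataclass, field

# Constructed profiling policies. Each condition is (attribute, value, certainty).
# An endpoint matches a policy when its matched conditions add up to at least
# the policy's minimum certainty; the highest-scoring match wins.
POLICIES = {
    "HP-Printer": {
        "min_certainty": 30,
        "conditions": [
            ("oui", "HP", 10),
            ("dhcp-class-identifier", "Hewlett-Packard JetDirect", 20),
            ("nmap-os", "HP embedded", 20),
        ],
    },
    "Workstation": {
        "min_certainty": 30,
        "conditions": [
            ("dhcp-class-identifier", "MSFT 5.0", 20),
            ("dhcp-parameter-request-list", "1,3,6,15,31,33,43,44,46,47,121,249,252", 20),
        ],
    },
}


def classify(attrs):
    """Return (profile, certainty) for the best-matching policy, or ("Unknown", 0)."""
    best = ("Unknown", 0)
    for name, policy in POLICIES.items():
        score = sum(cf for key, value, cf in policy["conditions"]
                    if attrs.get(key) == value)
        if score >= policy["min_certainty"] and score > best[1]:
            best = (name, score)
    return best


@dataclass
class Endpoint:
    mac: str
    attrs: dict = field(default_factory=dict)
    profile: str = "Unknown"


def learn(ep, new_attrs):
    """Merge newly learnt attributes (RADIUS, DHCP, NMAP ...) into the endpoint
    and return the actions a profile change warrants.  Identical attributes on
    a re-authentication change nothing, so neither a scan nor a CoA results."""
    ep.attrs.update(new_attrs)
    profile, _ = classify(ep.attrs)
    if profile == ep.profile:
        return []
    ep.profile = profile
    actions = ["nmap-scan"] if profile != "Unknown" else []
    actions.append("coa")  # profiler CoA on profile change
    return actions


def simulate():
    """Walk one endpoint through the scenario discussed in the thread and
    return [(step, actions, profile_after)] for inspection."""
    ep = Endpoint(mac="00:11:22:33:44:55")  # constructed MAC
    printer_dhcp = {"oui": "HP", "dhcp-class-identifier": "Hewlett-Packard JetDirect"}
    log = []
    # 1. First MAB authentication: OUI from RADIUS, vendor class from DHCP.
    log.append(("first-auth", learn(ep, printer_dhcp), ep.profile))
    # 2. The triggered NMAP scan reports its OS guess (constructed result).
    log.append(("nmap-result", learn(ep, {"nmap-os": "HP embedded"}), ep.profile))
    # 3. Re-authentication with identical attributes: nothing to do.
    log.append(("reauth", learn(ep, printer_dhcp), ep.profile))
    # 4. A different host behind the same MAC sends a Windows-style DHCP
    #    fingerprint; the new attributes outweigh the stale NMAP result.
    changed_dhcp = {"dhcp-class-identifier": "MSFT 5.0",
                    "dhcp-parameter-request-list": "1,3,6,15,31,33,43,44,46,47,121,249,252"}
    log.append(("dhcp-change", learn(ep, changed_dhcp), ep.profile))
    return log


if __name__ == "__main__":
    for step, actions, profile in simulate():
        print(f"{step:12} -> {profile:12} actions={actions}")
```

Running the script shows the sequence the thread describes: the first classification schedules the single NMAP scan and a CoA, the re-authentication produces nothing, and only the changed DHCP attributes (which lower the printer score below the workstation score) cause a re-profile, a fresh scan and a CoA. Where the old scan data lingers, as the stale `nmap-os` attribute does here, it is outweighed rather than re-verified, which is the gap an endpoint purge was closing in the original question.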
