I'm trying to perform a VA scan with Qualys and ISE when a workstation executes an 802.1x authentication.
I can see that the authorization profile for the VA Scan was called and I've integrated Qualys via the Threat Centric NAC portion of the ISE Web GUI.
I've checked the Qualys dashboard and no scan was initiated.
Any insights provided are deeply appreciated.
The Qualys documents are missing a very key setup piece. In the Qualys setup, after you define everything and assign it to a PSN, there is a field marked Option Profile. That Option Profile needs to exactly match the profile name defined in the Qualys cloud that should be used for the scan. Your Qualys admins will know what that means. I think it defaults to Default. If you debug things you will see the scan being submitted, but you don't have the right Option Profile and the Qualys cloud never executes it.
I have told this to the BU in the past to update the documentation.
Are you correctly learning the IP of the device? I didn't see the IP in the RADIUS log you posted, but you may have cut it off. Also, the log entry you posted was definitely not a Dot1x session; it was a MAB authentication. Did you mean to apply it to a Dot1x rule? Not that it should matter, I think.
Well you hit my limits on this topic. :)
Turn on TC-NAC debugs on the PSN you are running this on and verify the request is being submitted to Qualys. That way you know which side you need to troubleshoot. I think there is a way to see the received request on the Qualys side as well.
FYI, after spending time working on this at a customer, here are the notes I sent to the BU with my thoughts.
Under Context Visibility > Endpoints > Vulnerable Endpoints, there is a button "Clear Threats & Vulnerabilities" if the previous data is preventing the re-auth to match the correct authorization policy rule.
I would also suggest checking this report under Operations > Reports > Reports > Threat Centric NAC > Vulnerability Assessment.
Since the comments so far are not helping resolve your issue, please enable DEBUG, generate a support bundle that includes all the debug logs, open a Cisco TAC case, and ask TAC to analyze the log files.
In the past, some of our no-scan occurrences were due to API access limits with our demo account, and we worked with the Qualys support team to address it. Therefore, you might want to check with Qualys and verify that your account has the proper API access privileges and entitlements, too.