ISE 2.4 p13: Unable to detect any common ports via NMAP

Walker · ‎03-14-2022

We have some statically assigned endpoints in our environment that are currently only being profiled based off MAC OUI. I would like to scan for additional attributes via NMAP but it seems the common ports are not being detected. I've tested OS and SNMP scan and those seem to work just fine.

I have a known good endpoint I am testing with, it has SSH enabled and I have verified by logging into it myself. When I run a manual common port scan, it still does not detect port 22 being open. I also have Endpoint Attribute Filter enabled, but I am unsure if I should uncheck this for testing in a production environment.

Looking for advice/suggestions on how to get this to work.

TIA!

Arne Bier · ‎03-14-2022

can you test whether you are able to SSH from the ISE CLI to that endpoint, just to confirm that SSH (TCP/22) is allowed from that ISE node (PSN) to the endpoint?

Walker · ‎03-16-2022

There is no firewall or ACL preventing TCP/22 communication between the PSN and endpoint. I just tried to SSH from the PSN to the endpoint. It is attempting to connect but can not find a matching cipher.

Arne Bier · ‎03-21-2022

The NMAP feature in ISE is a bit hit & miss. In my own testing I have found that NMAP scans yield a result when there is an endpoint in ISE. In other words, you can't just unleash an ISE NMAP scan on any host whose endpoint is not in ISE. At least, that is my experience when I tried to run an NMAP against the AD server that ISE uses. it returns nothing. But when I run an NMAP scan against a Cisco IP phone that has performed MAB and has an active Session, then ISE returns a lot of data.