ISE device profiling based on NMAP scan failed on authorization policy

mrimmune · ‎04-13-2021

Hello team,

please help with correct way configuration device profiling based on NMAP scan:

1. if I try to use make profile policy in one policy - OUI (Triger) --> NMAP scan --> using 2 discovered ports for device - does not work.

2. if I try to use 2-3 levels for make the device profile - OUI (Triger) (1 st level) --> NMAP Scan (2nd level) --> compile final profile using discovered port - it is work, but I must to allow all steps above in Authorization policy and I don't want because it opens security breach (every one with spoofed MAC of device ) has access to network.

I review a lot of KBs , but there it mention to use option 1 , but it does not work - scan not run.

any idea?

thanks

Michael

chris-lawrence · ‎04-16-2021

Hi Michael,

In my case, I'm trying to do your option #2.

2. if I try to use 2-3 levels for make the device profile - OUI (Triger) (1 st level) --> NMAP Scan (2nd level) --> compile final profile using discovered port - it is work

MAB PASS #1 - I want to initially profile the endpoint on OUI and dhcp-parameters to give temporary access. Done with NAD device sensor.

MAB PASS #2 - I want to provide enough network access to the endpoint to allow ISE to perform its Endpoint Scan (Automatic, Triggered) custom NMAP Custom Ports Scan.

MAB PASS #3 - Only then I want to provide enough network access to the endpoint to reach its provisioning system to get its configuration based on passes 1 and 2.

Once this is done, the endpoint should be authenticated against DOT1X.

Where within ISE do you find the logging/reporting on the results of the Endpoint Scan? I can't seem to locate it.

Thanks,

Chris