ISE device profiling based on NMAP scan failed on authorization policy
04-13-2021 06:38 AM
Hello team,
Please help with the correct way to configure device profiling based on an NMAP scan:
1. If I try to build the profile policy in one policy - OUI (trigger) --> NMAP scan --> using 2 discovered ports for the device - it does not work.
2. If I try to use 2-3 levels to build the device profile - OUI (trigger) (1st level) --> NMAP scan (2nd level) --> compile the final profile using the discovered ports - it works, but I have to allow all the steps above in the authorization policy, and I don't want to, because it opens a security hole (everyone with a spoofed MAC of the device has access to the network).
I reviewed a lot of KBs, and they mention using option 1, but it does not work - the scan does not run.
Any ideas?
Thanks,
Michael
Labels: Identity Services Engine (ISE)

04-16-2021 07:44 AM
Hi Michael,
In my case, I'm trying to do your option #2.
2. If I try to use 2-3 levels to build the device profile - OUI (trigger) (1st level) --> NMAP scan (2nd level) --> compile the final profile using the discovered ports - it works
MAB PASS #1 - I want to initially profile the endpoint on OUI and DHCP parameters to give temporary access. Done with the NAD device sensor.
MAB PASS #2 - I want to provide enough network access to the endpoint to allow ISE to perform its Endpoint Scan (Automatic, Triggered) custom NMAP Custom Ports scan.
MAB PASS #3 - Only then do I want to provide enough network access to the endpoint to reach its provisioning system to get its configuration, based on passes 1 and 2.
Once this is done, the endpoint should be authenticated against DOT1X.
Where within ISE do you find the logging/reporting on the results of the Endpoint Scan? I can't seem to locate it.
Thanks,
Chris

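The multi-pass profiling ladder discussed in both posts above (OUI trigger, NMAP custom-ports scan, final profile), modelled as a small simulation. This is an added example written for this thread, not ISE code and not anything either poster configured: the OUI prefix, the required open ports, the profile names and the per-tier authorization strings are all assumed, illustrative values. What it shows is the security point Michael raises: an endpoint with a spoofed MAC in the right OUI always reaches the scan tier, so whatever the scan-tier authorization permits is available to any spoofer, and that tier should therefore permit only what the PSN needs to reach the endpoint. Only an endpoint whose scan actually returns the required ports is promoted further.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of a tiered ISE profiling ladder. Assumptions (not ISE's own):
# the OUI prefix, the ports the custom NMAP scan must find, and the per-tier
# authorization results are illustrative values chosen for this example.
OUI_PREFIX = "00:11:22"            # assumed vendor OUI that triggers the scan
REQUIRED_OPEN_PORTS = {80, 502}    # assumed ports the custom NMAP scan must see

# What each MAB pass is allowed to grant (assumed policy). The scan tier should
# be just wide enough for the PSN to reach the endpoint, and nothing more,
# because every MAC spoofer in the OUI will land here.
AUTHZ = {
    "Unknown":      "DenyAccess",
    "Vendor-OUI":   "dACL: permit DHCP, DNS and ISE PSN scanner only",
    "Vendor-Ports": "dACL: permit provisioning server only",
}


@dataclass
class Endpoint:
    mac: str
    open_ports: set                       # what a real scan would find
    scan_result: Optional[set] = None     # None until a scan has run
    profile: str = "Unknown"
    history: list = field(default_factory=list)   # (pass, profile, authz)


def oui_matches(ep: Endpoint) -> bool:
    return ep.mac.lower().startswith(OUI_PREFIX)


def nmap_scan(ep: Endpoint) -> set:
    # Stand-in for ISE's triggered NMAP custom-ports scan. In practice it can
    # only run once the endpoint's current authorization lets the PSN reach it.
    return set(ep.open_ports)


def evaluate_profile(ep: Endpoint) -> str:
    """Profiling policy: OUI alone earns the trigger tier; the final tier
    additionally requires the scan to have found every required port."""
    if not oui_matches(ep):
        return "Unknown"
    if ep.scan_result is not None and REQUIRED_OPEN_PORTS <= ep.scan_result:
        return "Vendor-Ports"
    return "Vendor-OUI"


def run_mab_passes(ep: Endpoint, passes: int = 3) -> str:
    """Simulate successive MAB authentications (re-auth after each profile
    change) and record the authorization granted at each pass."""
    for n in range(1, passes + 1):
        ep.profile = evaluate_profile(ep)
        ep.history.append((n, ep.profile, AUTHZ[ep.profile]))
        if ep.profile == "Unknown":
            break                          # denied: nothing reachable, no scan
        if ep.profile == "Vendor-OUI" and ep.scan_result is None:
            ep.scan_result = nmap_scan(ep)  # scanner can reach it at this tier
    return ep.profile


def demo() -> dict:
    # Constructed sample endpoints: a genuine device, a MAC spoofer using the
    # same OUI but exposing different services, and a device from another vendor.
    endpoints = {
        "legit":   Endpoint("00:11:22:aa:bb:cc", {80, 502}),
        "spoofer": Endpoint("00:11:22:de:ad:00", {22, 443}),
        "other":   Endpoint("aa:bb:cc:00:00:01", {80, 502}),
    }
    for ep in endpoints.values():
        run_mab_passes(ep)
    return endpoints


if __name__ == "__main__":
    for name, ep in demo().items():
        print(name)
        for n, profile, authz in ep.history:
            print(f"  pass {n}: {profile:12s} -> {authz}")
```

Running it shows the legitimate device climbing Vendor-OUI, then Vendor-Ports, while the spoofer is re-evaluated each pass but never leaves Vendor-OUI because its scan result lacks ports 80 and 502. The practical takeaway for the authorization policy is that the Vendor-OUI rule is the one every spoofer will hit, so its dACL should be scoped to the PSN scanner rather than to anything the production device needs.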