ISE device profiling / NMAP OS detected

iagyte
Cisco Employee

Hello,

 

Currently working with a customer who is running ISE 2.4 patch 3 and experiencing issues with NMAP OS detected. The devices are being profiled as Apple iPhone devices correctly, but NMAP then reports the OS detected as running "Cisco Nexus 7010 switch (NX-OS 5) (accuracy 98%)". 

 

E4:9A:DC:5B:47:D4   

MAC Address: E4:9A:DC:5B:47:D4

Username: removed

Endpoint Profile: Apple-Device

Current IP Address: 10.56.226.59

Location: LocationAll Locations

General Attributes

Description

Static Assignment false

Endpoint Policy Apple-Device

Static Group Assignment false

Identity Group Assignment Profiled

Other Attributes

AAA-Server cosisepsn1

AD-Error-Details Domain trust is one-way

AD-Groups-Names agilent.com/Users/Domain Users

AD-User-Candidate-Identities removed@removed.com

AD-User-DNS-Domain removed.com

AD-User-Join-Point removed.COM

AD-User-NetBios-Name removed

AD-User-Qualified-Name removed@removed.com

AD-User-Resolved-DNs CN=removed\,CN=Users\,DC=removed\,DC=com

AD-User-Resolved-Identities removed@removed.com

AD-User-SamAccount-Name removed

Airespace-Wlan-Id 1

AuthenticationIdentityStore removed

AuthenticationMethod MSCHAPV2

AuthenticationStatus AuthenticationPassed

AuthorizationPolicyMatchedRule PEAP Authentication

BYODRegistration Unknown

Called-Station-ID 00-27-0d-49-5d-30:spark

Calling-Station-ID e4-9a-dc-5b-47-d4

Chargeable-User-Identity c8:

DTLSSupport Unknown

DestinationIPAddress 130.30.1.79

DestinationPort 1812

DetailedInfo Authentication succeed

Device IP Address 10.2.49.200

Device Port 52813

Device Type Device Type#All Device Types

DeviceRegistrationStatus NotRegistered

ElapsedDays 66

EndPointMACAddress E4-9A-DC-5B-47-D4

EndPointPolicy Apple-Device

EndPointProfilerServer cosisepsn1.ns.removed.net

EndPointSource RADIUS Probe

FailureReason -

IPSEC IPSEC#Is IPSEC Device#No

IdentityAccessRestricted false

IdentityGroup Profiled

IdentityPolicyMatchedRule PEAP Authentication

InactiveDays 6

IsMachineAuthentication false

IsMachineIdentity false

IsThirdPartyDeviceFlow false

LastNmapScanTime 2018-Oct-22 08:54:17 UTC

Location Location#All Locations

Location-Capable 00:00:00:01

LogicalProfile Mobile Devices

MACAddress E4:9A:DC:5B:47:D4

MatchedPolicy Apple-Device

MessageCode 3001

NAS-IP-Address 10.2.49.200

NAS-Identifier SGPWLC01

NAS-Port 8

NAS-Port-Type Wireless - IEEE 802.11

Network Device Profile Cisco

NetworkDeviceGroups IPSEC#Is IPSEC Device#No, Location#All Locations, Device Type#All Device Types

NetworkDeviceName SGPWLC01

NetworkDeviceProfileId b0699505-3150-4215-a80e-6753d45bf56c

NetworkDeviceProfileName Cisco

NmapScanCount 3

OUI Apple, Inc.

PolicyVersion 25

PostureApplicable Yes

PostureAssessmentStatus NotApplicable

RadiusFlowType Wireless802_1x

RadiusPacketType Drop

SSID 00-27-0d-49-5d-30:spark

SelectedAccessService Default Network Access

SelectedAuthenticationIdentityStores Internal Users, removed

SelectedAuthorizationProfiles removed-Permit-Employee, SPARK

Service-Type Framed

StaticAssignment false

StaticGroupAssignment false

StepData 4= Airespace.Airespace-Wlan-Id, 5= DEVICE.Device Type, 6= Radius.User-Name, 70= Radius.NAS-Port-Type, 71= Radius.Service-Type, 72= Network Access.EapAuthentication, 73= Network Access.EapTunnel, 74=removed, 75=Internal Users, 78=removed, 79=removed, 80=removed, 81=removed.com, 82=removed.com, 83=MTP.local\,Domain trust is one-way, 84=dmxtest.removed.com\,Domain trust is one-way, 85=removed.removed.com\,Domain trust is one-way, 87=user&customer.com, 88=Removed, 107= Radius.User-Name, 108= Radius.Called-Station-ID, 109= EndPoints.LogicalProfile, 116=Removed, 117=Removed.com, 118=REMOVED

TLSCipher ECDHE-RSA-AES256-GCM-SHA384

TLSVersion TLSv1.2

Total Certainty Factor 100

User-AD-Last-Fetch-Time 1541753618565

User-Fetch-CountryName *Country Removed*

User-Fetch-Department *Dept Removed*

User-Fetch-Email *Email Address Removed*

User-Fetch-First-Name *First Name Removed*

User-Fetch-Last-Name *Last Name Removed*

User-Fetch-LocalityName *Locality Removed*

User-Fetch-Organizational-Unit *Customer OU Removed*

User-Fetch-StateOrProvinceName 13

User-Fetch-StreetAddress 9-1 *Street Address Removed*

User-Fetch-Telephone *Telephone Removed*

User-Fetch-User-Name *Name Removed*

User-Name *Username Removed*

UserAccountControl 512

allowEasyWiredSession false

operating-system Cisco Nexus 7010 switch (NX-OS 5) (accuracy 98%)

 

Obviously an Apple iPhone is not running a Nexus 7010 OS. Any help or pointers would be greatly appreciated.

Thanks.

Accepted Solutions

Timothy Abbott
Cisco Employee

Hi,

 

This is a known issue and we are working on a fix. Suggest trying to use another profiling probe instead of NMAP OS scan in the meantime.

 

Regards,

-Tim

Thanks Tim, appreciate your response.

 

Just to set expectations with the customer, do you know when we expect to have a fix?

 

Cheers,

 

Ian

Ian,

Unfortunately we can’t specify an exact date the fix will be issued in a patch. The reason is that patch dates could potentially slip and bugs are added and removed from patches all the time for various reasons.

Regards,
-Tim

Tim,

 

Is this really a bug?  NMAP OS detection has been notoriously sketchy for a long time. I thought it was just a function of NMAP and not so much an ISE issue.

Yes, there is a bug against it and you’re correct it is a function of NMAP. Since NMAP is included and not scanning properly, we have to look into it.

Regards,
-Tim

Ahh okay. I always just explain it as NMAP being NMAP and most customers shake their head and agree.


Hi,

I have a similar problem but in my case I have:


EndPointSource NMAP Probe

OUI Apple, Inc.

host-name iPhone
operating-system-result Windows 10 Enterprise

 

But I am not receiving information about the "operating-system" parameter, only "operating-system-result". Any idea why my iPhone is not answering?
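
A consistency check for the mismatch shown in the attribute dumps in this thread, as an added example that is not part of any post and not Cisco's code: it parses attributes in the "Name Value" layout and flags an NMAP OS guess that contradicts the OUI vendor. The `PLAUSIBLE_OS` keyword map, the function names and the sample input are constructed assumptions.

```python
import re

# Constructed sample in the "Name Value" layout of the attribute dumps above.
SAMPLE = """\
EndPointPolicy Apple-Device
OUI Apple, Inc.
NmapScanCount 3
operating-system Cisco Nexus 7010 switch (NX-OS 5) (accuracy 98%)
"""

# Assumption: keywords an NMAP OS guess should contain for a given OUI vendor.
PLAUSIBLE_OS = {
    "apple": ("apple", "iphone", "ipad", "macos", "mac os", "os x", "darwin"),
    "cisco": ("cisco", "nx-os"),
}
ACCURACY = re.compile(r"\s*\(accuracy (\d+)%\)\s*$")


def parse_attributes(dump):
    """Split each non-empty line on its first space into name and value."""
    attrs = {}
    for line in dump.splitlines():
        name, _, value = line.strip().partition(" ")
        if name and value:
            attrs[name] = value.strip()
    return attrs


def nmap_os_conflict(dump):
    """Return (os_guess, accuracy) if the NMAP guess contradicts the OUI, else None."""
    attrs = parse_attributes(dump)
    guess = attrs.get("operating-system") or attrs.get("operating-system-result")
    oui = attrs.get("OUI", "").lower()
    if not guess or not oui:
        return None  # nothing to compare
    match = ACCURACY.search(guess)
    accuracy = int(match.group(1)) if match else None
    os_name = ACCURACY.sub("", guess)
    for vendor, keywords in PLAUSIBLE_OS.items():
        if vendor in oui:
            if any(k in os_name.lower() for k in keywords):
                return None  # guess is consistent with the hardware vendor
            return (os_name, accuracy)
    return None  # vendor not in the map: no opinion


if __name__ == "__main__":
    print(nmap_os_conflict(SAMPLE))
```

A flagged endpoint is a candidate for review of the NMAP-derived attribute, not proof of spoofing; the OUI and the other probes remain the more reliable signal here.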