Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3084
Views
0
Helpful
5
Replies

ISE HP-Device profiling rules

Go to solution
ben.posner
Level 1
Level 1

‎10-28-2019 08:38 AM

trying to understand how this default ISE profiling policy works:

 

hp-device-profiler-policy.png

 

the first two rules i can find in the profiler conditions list, the last one i cannot.

 

hp-device-profiling-condtions.png

 

is this an error? this is ISE 2.3 patch 7. i have several hp-printers that are being profiled as only hp-device. and the snmp scan never gets kicked off because i think this rule is broken.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
howon
Cisco Employee
Cisco Employee

‎10-28-2019 10:44 PM - edited ‎10-29-2019 12:08 AM

If you hover your mouse near '+' the last rule you should see the actual content of the condition popup. It should be identical to the HP-DeviceRule2Check1. The policy will not only increase CF by 10, but also will kick off an NMAP scan. If the endpoint is matching the HP-Device profile but not being scanned, I suggest making sure:

1. NMAP profiler is enabled

2. Do a manual NMAP scan to confirm it can be scanned manually

3. If NMAP works manually but does not triggered with profiler policy then may need to contact TAC. However, if manual scan does not work, then there maybe filtering device between ISE and the client subnet.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
howon
Cisco Employee
Cisco Employee

‎10-28-2019 10:44 PM - edited ‎10-29-2019 12:08 AM

If you hover your mouse near '+' the last rule you should see the actual content of the condition popup. It should be identical to the HP-DeviceRule2Check1. The policy will not only increase CF by 10, but also will kick off an NMAP scan. If the endpoint is matching the HP-Device profile but not being scanned, I suggest making sure:

1. NMAP profiler is enabled

2. Do a manual NMAP scan to confirm it can be scanned manually

3. If NMAP works manually but does not triggered with profiler policy then may need to contact TAC. However, if manual scan does not work, then there maybe filtering device between ISE and the client subnet.

0 Helpful

Go to solution
ben.posner
Level 1
Level 1
In response to howon

‎10-31-2019 07:59 AM

not sure who marked this as an accepted answer because its not accepted by me!

 

well it may be too late, i already modified the rule to try to create what i believe is the missing scan condition. don't know if there's a reset to default in the profiler policy list or not.

 

i do have NMAP scan enabled.

i have run a manual NMAP scan.

my test device shows that it was profiled based on SNMP but is still an HP-Device and not something more specific, and there is a matching policy type for the type of printer.

 

printer-profile-results.png

 

0 Helpful

Go to solution
ben.posner
Level 1
Level 1
In response to ben.posner

‎10-31-2019 09:12 AM

tested on my lab running 2.4patch10 and it profiles just fine. 

lab-log-good.png

cleared the endpoint from the lab, plugged it into my lab switch and it profiled exactly like it should.

 

prod-log-bad.png

did the same for the production system. device never gets profiled past HP-Device...

 

i even exported the HP-Device profiler rule from the lab and re-imported it into the production 2.3 system and i get the same result.

 

the printer is using public/private snmp keys and both LAB and PRODUCTION ISE are configured to use those keys for SNMP probes initiated by nmap.

 

 

0 Helpful

Go to solution
howon
Cisco Employee
Cisco Employee
In response to ben.posner

‎10-31-2019 09:30 AM

The SNMPQueryProbe is not related to NMAP. SNMPQueryProbe is where ISE does SNMP read to a network device such as a access switch and grabs CDP and/or LLDP information from the interface or to get ARP table. It probably learned the MAC OUI from the SNMPQueryProbe. I am still suggesting looking into any FW or filtering device between ISE and the client subnet that may impact NMAP scan function if it is working in test environment while not in production.

0 Helpful

Go to solution
ben.posner
Level 1
Level 1
In response to howon

‎10-31-2019 09:54 AM

the lab and the local production ISE nodes are one L3 hop away from the printer and are on the same network as the switch management address. no ACLs. are preventing scanning or access to them.

 

my lab has NONE of the SNMP traps or queries enabled for profiling. it is using RADIUS, NMAP, HTTP and DNS. the snmp probing for profiling is user disabled. 

The printer connected to the lab switch and was profiled properly and below is the the results shown in the profiler report. it shows SNMPQuery Probe as the endpoint static assignment reason. so NMAP and SNMP are related to one another in some way. i believe this is explained in the following document and section: https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456#toc-hId-1651437215

 

lab endpoint summary.png

 

Regardless of whether NMAP and SNMP are related, it still working on one setup and not on the other. there are no firewalls or ACLs blocking access to the printer or the NAD from either ISE deployments. i wish ISE has better reporting on what exactly it does during the profiling process to help us administrators see where it is falling down. i guess i will open a case.

 

 

0 Helpful
Customers Also Viewed These Support Documents