Cisco Employee

ISE NMAP

Are the manual NMAP scans limited to only scanning things ISE has already seen? Can I use manual NMAP scans to discover a whole subnet out of the box? Do I need to add network devices (switches and WLC) for the manual scan to work?

 

I ask because we have done a number of scans and nothing shows up in the results. Could it be because ISE already has categorized these items? Is there another reason nothing shows up in the result?

Accepted Solutions
Cisco Employee

Re: ISE NMAP

ISE requires a MAC address for any information collected for profiling. Since an NMAP scan is based on IP, any information collected during the scan will be discarded if a MAC-IP binding doesn't exist. The most common way to pre-populate the MAC-IP binding is to add any routers or L3-switches to ISE as NADs with SNMP read so ISE can get the bindings via the ARP table prior to the NMAP scan.

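To check in advance which scanned addresses would have no MAC-IP binding, the following added example (not part of the original thread and not Cisco code) models the behaviour described in the accepted answer. It assumes you have `show ip arp` output from the L3 device; the sample output, the scanned address list and the function names `parse_arp` and `triage_scan` are constructed for illustration, and nothing here queries ISE itself.

```python
import ipaddress
import re

# Constructed sample of `show ip arp` output from an L3 switch (not from the thread).
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.10.1               -   0011.2233.4401  ARPA   Vlan10
Internet  10.1.10.21             12   0011.2233.4415  ARPA   Vlan10
Internet  10.1.10.30              0   Incomplete      ARPA
Internet  10.1.20.5               3   0011.2233.5505  ARPA   Vlan20
"""

ARP_LINE = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+"
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA\b"
)

def parse_arp(text):
    """Return {ip: 'AA:BB:CC:DD:EE:FF'}; header and 'Incomplete' rows are skipped."""
    bindings = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue  # header, Incomplete entry, or unrelated line
        try:
            ip = str(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # malformed address in the pasted output
        raw = m.group(2).replace(".", "").upper()
        bindings[ip] = ":".join(raw[i:i + 2] for i in range(0, 12, 2))
    return bindings

def triage_scan(scanned_ips, bindings):
    """Split scanned IPs into those with a MAC-IP binding and those without."""
    kept, discarded = {}, []
    for ip in scanned_ips:
        ip = str(ipaddress.ip_address(ip))
        if ip in bindings:
            kept[ip] = bindings[ip]
        else:
            discarded.append(ip)  # no MAC to attach scan data to
    return kept, discarded

if __name__ == "__main__":
    # Constructed list of hosts that answered a subnet scan.
    scanned = ["10.1.10.21", "10.1.10.30", "10.1.10.77", "10.1.20.5"]
    kept, discarded = triage_scan(scanned, parse_arp(SAMPLE_ARP))
    for ip, mac in kept.items():
        print(f"{ip:<12} {mac}  binding present")
    for ip in discarded:
        print(f"{ip:<12} no MAC-IP binding")
```

Addresses reported without a binding are the ones to investigate first when a manual scan returns nothing, for example a subnet whose gateway has not been added as a NAD with SNMP read.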

2 REPLIES 2
VIP Engager

Re: ISE NMAP

I have had no luck getting manual NMAP scans to work on 2.3 or 2.4.  Not sure if they are broken or I am doing something wrong (although it is pretty simple).  I usually just configure my own scan actions as part of profiling to get more data.
