09-24-2018 12:55 PM
Are the manual NMAP scans limited to only scanning things ISE has already seen? Can I use manual NMAP scans to discover a whole subnet out of the box? Do I need to add network devices (switches and WLC) for the manual scan to work?
I ask because we have done a number of scans and nothing shows up in the results. Could it be because ISE already has categorized these items? Is there another reason nothing shows up in the result?
09-25-2018 09:08 AM
ISE requires a MAC address for any information collected for profiling. Since the NMAP scan is based on IP, any information collected during the scan will be discarded if a MAC-IP binding doesn't exist. The most common way to pre-populate the MAC-IP binding is to add any routers or L3 switches to ISE as NADs with SNMP read so ISE can get the bindings via the ARP table prior to the NMAP scan.
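As an added example (not part of the original thread and not Cisco code), the following pre-check models the behaviour described in the answer above: it parses a gateway's `show ip arp` output and splits a planned scan subnet into hosts that have a MAC-IP binding and hosts that do not. The sample ARP output, the subnet, and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of IOS "show ip arp" output (not from the original thread).
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.20.1              -   0011.2233.4401  ARPA   Vlan20
Internet  10.10.20.2             12   0011.2233.4402  ARPA   Vlan20
Internet  10.10.20.3              0   Incomplete      ARPA
Internet  10.10.30.5              4   0011.2233.4499  ARPA   Vlan30
"""

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\S+\s+(?P<mac>\S+)\s+ARPA", re.M)
CISCO_MAC = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)


def parse_bindings(arp_text):
    """Return {IPv4Address: 'AA:BB:CC:DD:EE:FF'} for entries with a resolved MAC."""
    bindings = {}
    for m in ARP_LINE.finditer(arp_text):
        mac = m.group("mac")
        if not CISCO_MAC.match(mac):  # e.g. "Incomplete": no MAC learned yet
            continue
        digits = mac.replace(".", "").upper()
        bindings[ipaddress.ip_address(m.group("ip"))] = ":".join(
            digits[i:i + 2] for i in range(0, 12, 2))
    return bindings


def split_targets(subnet, bindings):
    """Split a scan subnet's hosts into (bound, unbound) by MAC-IP binding."""
    net = ipaddress.ip_network(subnet)
    bound = {ip: mac for ip, mac in bindings.items() if ip in net}
    unbound = [ip for ip in net.hosts() if ip not in bound]
    return bound, unbound


if __name__ == "__main__":
    bound, unbound = split_targets("10.10.20.0/29", parse_bindings(SAMPLE_ARP))
    for ip, mac in sorted(bound.items()):
        print(f"{ip}  {mac}  binding present")
    for ip in unbound:
        print(f"{ip}  no binding: scan data would be discarded")
```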
09-24-2018 05:34 PM
I have had no luck getting manual NMAP scans to work on 2.3 or 2.4. Not sure if they are broken or I am doing something wrong (although it is pretty simple). I usually just configure my own scan actions as part of profiling to get more data.