ISE NMAP

mtkasper
Cisco Employee

Are the manual NMAP scans limited to only scanning things ISE has already seen? Can I use manual NMAP scans to discover a whole subnet out of the box? Do I need to add network devices (switches and WLC) for the manual scan to work?

I ask because we have done a number of scans and nothing shows up in the results. Could it be because ISE already has categorized these items? Is there another reason nothing shows up in the result?

Accepted Solution

howon
Cisco Employee

ISE requires MAC address for any information collected for profiling. Since NMAP scan is based on IP, any information collected during scan will be discarded if MAC-IP binding doesn't exist. Most common way to pre-populate MAC-IP binding is to add any routers or L3-switches to ISE as NAD with SNMP read so ISE can get the bindings via ARP table prior to NMAP scan.

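The accepted answer describes a dependency that is easy to miss when a scan "returns nothing": the scanner keys its results by IP address, while the profiler keys endpoints by MAC address, so any scanned host without a MAC-IP binding is simply dropped. The following Python model, added here as an illustration and not Cisco's or ISE's code, shows that behaviour. It parses a constructed ARP table shaped like Cisco IOS `show ip arp` output (the data ISE would learn via SNMP from an L3 switch) and a constructed set of nmap grepable (`-oG`) lines, then attaches scan results only to hosts that have a binding. The function names, the sample addresses and the simplified attribute set are assumptions made for the example.

```python
"""Model of why NMAP profiling results need a MAC-IP binding.

Added example, not ISE's code. Parsers accept the shape of Cisco IOS
`show ip arp` output and nmap grepable (-oG) output; all sample text is
constructed for the example.
"""
import re

# Constructed: ARP table as learned via SNMP from an L3 switch.
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.10.1               -   0011.2233.4455  ARPA   Vlan10
Internet  10.1.10.25              3   aabb.cc00.0101  ARPA   Vlan10
Internet  10.1.10.40             12   aabb.cc00.0102  ARPA   Vlan10
"""

# Constructed: nmap -oG lines from a sweep of 10.1.10.0/24.
# 10.1.10.77 answered the scan but has no ARP entry above.
NMAP_GREPABLE = """\
Host: 10.1.10.25 ()\tStatus: Up
Host: 10.1.10.25 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tOS: Linux 4.X
Host: 10.1.10.40 ()\tPorts: 5060/open/udp//sip///\tOS: Embedded
Host: 10.1.10.77 ()\tPorts: 445/open/tcp//microsoft-ds///\tOS: Windows 10
"""

ARP_RE = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return {ip: mac} with the MAC normalised to aa:bb:cc:dd:ee:ff."""
    bindings = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            raw = m.group(2).replace(".", "").lower()
            bindings[m.group(1)] = ":".join(raw[i:i + 2] for i in range(0, 12, 2))
    return bindings


def parse_nmap_grepable(text):
    """Return {ip: {"ports": [...], "os": str | None}} from -oG lines."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        entry = hosts.setdefault(ip, {"ports": [], "os": None})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Ports":
                for port in value.split(", "):
                    number, state, proto = port.split("/")[:3]
                    if state == "open":
                        entry["ports"].append(f"{proto}/{number}")
            elif key == "OS":
                entry["os"] = value
    return hosts


def attach_scan_results(scan, bindings):
    """Mimic the profiler: keep results only for IPs with a MAC binding.

    Returns (kept, discarded): kept is keyed by MAC, the endpoint identity;
    discarded lists scanned IPs that had no binding and so contribute nothing.
    """
    kept, discarded = {}, []
    for ip, attrs in scan.items():
        mac = bindings.get(ip)
        if mac is None:
            discarded.append(ip)
        else:
            kept[mac] = {"ip": ip, **attrs}
    return kept, discarded


if __name__ == "__main__":
    kept, discarded = attach_scan_results(
        parse_nmap_grepable(NMAP_GREPABLE), parse_arp(ARP_TABLE)
    )
    for mac, attrs in kept.items():
        print(f"{mac} {attrs['ip']} ports={attrs['ports']} os={attrs['os']}")
    print("discarded (no MAC-IP binding):", discarded)
```

Running it shows two endpoints populated with open ports and an OS guess, and `10.1.10.77` discarded even though the scan found it; that is the "nothing shows up" symptom when no NAD with SNMP read has supplied the ARP table. The practical check before troubleshooting the scan itself is therefore whether the endpoint already exists in the profiler with that IP bound to a MAC.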

2 Replies

paul
Level 10

I have had no luck getting manual NMAP scans to work on 2.3 or 2.4. Not sure if they are broken or I am doing something wrong (although it is pretty simple). I usually just configure my own scan actions as part of profiling to get more data.
