nessus scanner service account in ISE

Hi Experts

We've received a request from the security ops team to create a new service account for the 'nessus' scanner (with AD integration) in ISE with read-only privileges to scan the ISE devices.

Typically, we'll use the 'nessus' scanner to scan the endpoints, but scanning the ISE devices is new to me.

Can someone please give me an overview of how to get this done? Thanks for your support.

5 Replies

Arne Bier (VIP), accepted solution

Hi @Srinivasan Nagarajan 

 

I would doubt that they meant they wanted to scan the ISE devices (i.e. the ISE nodes: PAN, MnT, PSNs, etc).  You can of course run a Nessus Vulnerability scan against any device on the network and they have probably already done that to ISE. They are looking for open ports and vulnerabilities.  Logging into the ISE nodes to perform a scan using read only doesn't make sense - there is no such thing.

 

Unless I am mistaken, what they are referring to is, that you create a service account (an account not to be used by a human) that allows a service (Nessus, in this case) to log into network devices (WLC, switches, etc.) that are using TACACS+ for their device authentication. And since ISE is your TACACS+ server (I am assuming here ... you can also use RADIUS ... but TACACS+ is usually used for device admin) ISE will have to process that service account. And if the service account lives in AD, then ISE will authenticate the account in AD and your Policy Authorization Rule should check which AD Security Group the service account belongs to, and then return the appropriate TACACS+ Privilege Level. e.g. Lvl1 or whatever.

 

I did a quick check on the Tenable website for examples of Cisco IOS scans.

 

So in summary, they want a new user account in AD (e.g. svc-tenable) that they can configure into their scanner, that will then go around all your Cisco devices and log in with read-only privileges. You could also achieve the same with an internal ISE Account - but keep things consistent if your TACACS+ is already checking AD for authentications.

Your job will be to return the read-only attributes to the Cisco devices when user svc-tenable (or a member of a specific AD Group) performs a TACACS+ authentication.

 

 

Hope this helps

Hi Arne,

 

Thanks for the reply. Yeah, ISE is the TACACS server here and once the AD service-account is created, we need to add the AD group in Admin policy sets to grant access.

 

We already have an RBAC on ISE with the AD groups below granted Read Only privileges. So we should create the new service-account and add it to the user groups below, right?

Security-Admin-Read-Only

Network-Admin-Read-Only

And, is there anything we need to do with the ISE and Tenable Nessus scanner integration? I believe that is for endpoint scans, not for the ISE scan. Please correct me if I'm wrong.

 

 

Arne Bier (VIP), accepted solution

Hi @Srinivasan Nagarajan 

 

There is no integration between ISE and Nessus.  

 

It's a great thing that all of your network devices are under TACACS+ management. And that is the only reason we're having this discussion. If you didn't have TACACS+ and you had a local user in all of your network devices (e.g. user 'admin_ro' ...) then you would tell Nessus to scan all devices using username admin_ro. No involvement from ISE.  The network device would have some locally defined access level for that user.

 

The point I am trying to make here is that ISE is only involved in answering the request from the network devices, when someone tries to log into those devices.  In this case, Nessus wants to log in and we need to grant that user a read-only TACACS+ Authorization Profile. Depending on what that device is (IOS, IOS-XR, WLC, etc.) you need to return the correct attributes. It varies per vendor/product etc.

 

You would need to tell us what you have configured for 

Security-Admin-Read-Only

Network-Admin-Read-Only

Are these found under Policy Elements > Results > TACACS+ Profiles?

 

regards

 

 
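A worked model of the device-admin authorization flow Arne describes (AD group membership selects a TACACS+ shell profile, and the read-only attributes differ per device family), added here as an illustration; it is not code from the thread or from Cisco ISE. The account, group and profile names follow the thread, while the rule layout, the WLC role attribute and the AD directory contents are assumptions.

```python
# Added example (not from the thread): a small model of the TACACS+ device-admin
# authorization ISE performs when Nessus logs into a network device with the AD
# service account. Rule layout and attribute values are assumptions for illustration.
from dataclasses import dataclass

# Constructed AD directory (assumption): account -> AD security groups
AD_GROUPS = {
    "svc-tenable": {"Security-Admin-Read-Only"},
    "netadmin1":   {"Network-Admin-Full"},
}

# TACACS+ shell profiles, keyed by device family, because the attributes that make
# a session read-only differ per product (IOS privilege level vs. WLC role).
PROFILES = {
    "ReadOnly-IOS": {"priv-lvl": "1"},
    "ReadOnly-WLC": {"role1": "MONITOR"},   # assumed AireOS read-only role name
    "Full-IOS":     {"priv-lvl": "15"},
}

@dataclass
class Rule:
    ad_group: str
    device_type: str
    profile: str

# First-match authorization rules (assumed layout of the device-admin policy set)
RULES = [
    Rule("Security-Admin-Read-Only", "IOS", "ReadOnly-IOS"),
    Rule("Security-Admin-Read-Only", "WLC", "ReadOnly-WLC"),
    Rule("Network-Admin-Full", "IOS", "Full-IOS"),
]

def authorize(user, device_type):
    """Return the TACACS+ attributes ISE would send for this login, or None to deny."""
    groups = AD_GROUPS.get(user)
    if groups is None:
        return None                     # AD authentication fails: unknown account
    for r in RULES:
        if r.device_type == device_type and r.ad_group in groups:
            return dict(PROFILES[r.profile])
    return None                         # default rule: deny access

def audit_read_only_rules(rules=RULES, profiles=PROFILES):
    """Flag any rule that lets a *-Read-Only group reach IOS privilege 15."""
    return [r.profile for r in rules
            if r.ad_group.endswith("Read-Only")
            and profiles[r.profile].get("priv-lvl") == "15"]
```

Running `audit_read_only_rules()` against the policy model is the check a practitioner wants before handing the account to the scanning team: the service account must never match a rule that returns full privilege.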

Thanks Arne for the reply. Yeah, for all the network and security devices, ISE is the TACACS server, and we already have policies under TACACS administration that allow access to these groups, provided the service-account is a member of the AD groups below:

Security-Admin-Read-Only

Network-Admin-Read-Only

 

And what if they wanted to scan the ISE devices (i.e. the ISE nodes: PAN, MnT, PSNs) also? Is there anything more we need to do to get this accomplished? As per the request, they need to scan the network devices through the ISE and scan the ISE as well.

No idea about that. Best to ask the Nessus folks. In this case you’re checking vulnerabilities in ISE so I don’t think Nessus needs anything specific. It will hopefully interrogate ISE with port Scans etc. They just need the IP address of the ISE nodes and no firewalls in between and off they go.