NMAP Scan Data Endpoint in Limited Access

paul
Level 10

I am going to open a TAC case on this, but figured I would ask the community. Our standard setup for ISE grants limited access to endpoints that aren't profiled into a profile we are using in a rule or aren't doing Dot1x. The limited access DACL allows access to the PSNs and blocks everything else. In 2.4 patch 6 there were changes made to NMAP to allow it to scale better.

I am seeing endpoints in limited access not showing any NMAP data. The NMAP scan count will be 3 and the Last NMAP Scan field is filled out, but there is no NMAP data. If I manually put the endpoint into a temporary bypass condition and give it full access to the network I will see full NMAP data within a few minutes.

With the changes in patch 6 is there any communication required from the Admin node or another persona other than the PSNs in order to get NMAP scan data?

2 Replies

Nidhi
Cisco Employee

There are no configuration changes needed on ISE to run the NMAP scan in patch 6.

Best to contact TAC to troubleshoot the issue.

Thanks,

Nidhi

What was changed in patch 6, I believe, was the removal of the -Pn option. This option was causing ISE to not try and ping the endpoint before scanning. If the device was not reachable, ISE would get hung up scanning the device and NMAP jobs would back up. Now you can see in the TCP dumps that ISE is doing a ping to the device first.

The problem I think I am seeing is that if the device is not pingable, the NMAP scan will show that it ran on the ISE side (NMAP scan count and Last NMAP Scan), but in reality all it did was the ping check of the scan and then realize it couldn't go any further. I am working with TAC to clarify.
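To tell a scan that stopped at host discovery (the ping check described above) from one that actually probed the endpoint, nmap's own XML output (-oX) records the host state and the discovery reason. The parser below is an added example, not code from ISE or from this thread; the two XML documents are constructed samples shaped like nmap's output for a target that did not answer discovery and for the same target once it was reachable.

```python
import xml.etree.ElementTree as ET

# Constructed sample: what nmap -oX emits when host discovery gets no reply
# (the "ping check" stage) and the scan never proceeds to port probing.
HOST_DOWN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - 10.0.0.5">
  <host><status state="down" reason="no-response" reason_ttl="0"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
  </host>
  <runstats><finished elapsed="3.05"/><hosts up="0" down="1" total="1"/></runstats>
</nmaprun>"""

# Constructed sample: the same target once it answers discovery and gets probed.
HOST_UP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - 10.0.0.5">
  <host><status state="up" reason="echo-reply" reason_ttl="64"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset" reason_ttl="64"/>
        <service name="http"/></port>
    </ports>
  </host>
  <runstats><finished elapsed="1.20"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>"""


def classify_scan(xml_text):
    """Describe whether a scan got past host discovery.

    outcome is "discovery_failed" when nmap marked the host down (the job ran,
    but no probe data can exist), otherwise "scanned" with the open ports found.
    """
    root = ET.fromstring(xml_text)
    host = root.find("host")
    status = host.find("status")
    addr = host.find("address").get("addr")
    if status.get("state") != "up":
        return {"target": addr, "outcome": "discovery_failed",
                "reason": status.get("reason"), "open_ports": []}
    open_ports = [int(p.get("portid")) for p in host.iter("port")
                  if p.find("state").get("state") == "open"]
    return {"target": addr, "outcome": "scanned",
            "reason": status.get("reason"), "open_ports": open_ports}


if __name__ == "__main__":
    for label, doc in (("limited access", HOST_DOWN_XML), ("full access", HOST_UP_XML)):
        print(label, classify_scan(doc))
```

Running the same endpoint's scan output through this under limited and full access separates a discovery failure (scan counted, nothing learned) from a scan that genuinely found nothing.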