4286 Views, 15 Helpful, 19 Replies

Scanning Cisco ISE

Lyn17 (Level 1)

Is there a way to scan Cisco ISE?  I'm not getting a credentialed scan even with my admin credentials.


19 Replies

Damien Miller (VIP Alumni), accepted solution

Could you explain more about what you're trying to do and what you were hoping would happen? 

Hi Damien,

I'm trying to get a credentialed scan on our ISE server using ACAS. I used my SSH credential and saw our ACAS scanner log in using the credential I provided, but when I checked Nessus Scan Information, it wasn't credentialed. Our cyber team is asking for a credentialed scan.

The ISE CLI isn't a normal Linux prompt.  The vulnerability scanner probably doesn't know how to parse it.

Thanks for the response. Yes, I think that is what's happening. I can see the credential that I provided being used to SSH to ISE, but I'm getting a non-credentialed scan every time.

Marvin Rhoads (Hall of Fame)

A Nessus/ACAS credentialed scan will make certain assumptions about the target host. For a "Linux" host which ISE (somewhat) is, the assumption would be that your credentials allow you to login with root privileges.

However, ISE does not allow customers access to the underlying RHEL Linux operating system (either as root or any other user). That is only possible with a time-limited root patch that is used exclusively by Cisco TAC.

Logging in to ISE as an admin user only gives admin (full) access to the ADE-OS (Application Development Environment - Operating System) that is an abstraction layer "above" the Linux OS.

Thanks for the response Marvin.

So, it's not possible to do a credentialed scan on ISE itself without the Cisco TAC involvement?

No, and I don't think TAC will agree that this is a valid use-case for a root patch. Why do you feel the need to scan your ISE nodes?

Personally, I don't think it's necessary, but I need to answer to our cyber team why ISE is not getting a credentialed scan.

I would tell them it's a secure appliance and the vendor does not support customer access to the underlying operating system.

(nice way of saying "go pound sand")

(Accepted solution)

Like @ahollifield said - no you CANNOT do a credentialed scan, even if you ask the TAC.

The root patch is only for TAC troubleshooting and uses an ssh key that they will not share with the customer. That's by design to keep the system more secure and not allow unauthorized changes (including things that a credentialed scan might do!)

Don't think we are doing anything different, but we are able to get credentialed scans most of the time. Makes sense what was said before about the Linux OS vs the ISE ADE-OS... When the scanner recognizes the ISE ADE-OS, then we get credentialed scans... when it thinks it is a Linux box, then we don't.
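To make the point in Marvin's post concrete (and the later observation that credentialed results only come back when the scanner recognizes ADE-OS rather than assuming a Linux shell), here is a small probe added for this edit. It is not code from the original thread, from Cisco or from Tenable. It logs in over plain ssh, sends the kind of commands a Linux credentialed check relies on plus the ISE CLI's `show version`, and classifies what answered. The probe command list, the `ADE-OS` marker string, and every sample output below are assumptions constructed for the example, not captured from a real ISE node or from Nessus; ISE's admin CLI may also refuse non-interactive command execution entirely, which the classifier reports as "unknown".

```python
import re
import subprocess
from dataclasses import dataclass

# Commands a Linux credentialed scan relies on (assumption: a representative
# subset; the exact Nessus/ACAS command list is not documented on this page).
LINUX_PROBES = ("uname -a", "id", "cat /etc/os-release")
# ISE ADE-OS CLI command; meaningless on a real Linux shell.
ADE_PROBE = "show version"


@dataclass(frozen=True)
class Verdict:
    kind: str        # "linux-shell", "ade-os-cli" or "unknown"
    root: bool       # only meaningful for "linux-shell"
    evidence: str    # the output line that decided it


def classify(outputs: dict) -> Verdict:
    """Decide what answered the login, from the text each probe returned."""
    uname = outputs.get("uname -a", "").strip()
    ident = outputs.get("id", "").strip()
    showver = outputs.get(ADE_PROBE, "")

    # A real Linux shell: kernel banner from uname and uid=... from id.
    if uname.startswith("Linux ") and re.search(r"\buid=\d+", ident):
        is_root = re.search(r"\buid=0\(", ident) is not None
        return Verdict("linux-shell", is_root, uname)

    # The ISE admin CLI: 'show version' answers with an ADE-OS banner
    # (assumed marker string; the sample below is constructed, not captured).
    ade_line = next((ln for ln in showver.splitlines() if "ADE-OS" in ln), None)
    if ade_line:
        return Verdict("ade-os-cli", False, ade_line.strip())

    return Verdict("unknown", False, uname or showver.strip()[:80])


def expected_scan_outcome(v: Verdict) -> str:
    """What a Linux-oriented credentialed scan can do with this target."""
    if v.kind == "linux-shell":
        return "credentialed" if v.root else "credentialed, limited (not root)"
    if v.kind == "ade-os-cli":
        return "uncredentialed: login works but there is no Linux shell behind it"
    return "uncredentialed: could not classify the remote shell"


def probe(host: str, user: str, timeout: int = 15) -> dict:
    """Run each probe over ssh (key/agent auth assumed) and collect the output.
    Not executed by the tests. If the remote side rejects or ignores remote
    command execution, the entry stays empty and classify() returns unknown."""
    results = {}
    for cmd in (*LINUX_PROBES, ADE_PROBE):
        try:
            proc = subprocess.run(
                ["ssh", "-o", "BatchMode=yes", "-o", f"ConnectTimeout={timeout}",
                 f"{user}@{host}", cmd],
                capture_output=True, text=True, timeout=timeout,
            )
            results[cmd] = proc.stdout + proc.stderr
        except subprocess.TimeoutExpired:
            results[cmd] = ""
    return results


# Constructed sample outputs (assumptions for the example, not real captures).
SAMPLE_LINUX_ROOT = {
    "uname -a": "Linux scanme 5.14.0-362.el9.x86_64 #1 SMP x86_64 GNU/Linux\n",
    "id": "uid=0(root) gid=0(root) groups=0(root)\n",
    "cat /etc/os-release": 'NAME="Red Hat Enterprise Linux"\nVERSION_ID="9.3"\n',
    "show version": "bash: show: command not found\n",
}
SAMPLE_LINUX_USER = dict(SAMPLE_LINUX_ROOT,
                         **{"id": "uid=1000(scan) gid=1000(scan) groups=1000(scan)\n"})
SAMPLE_ISE = {
    "uname -a": "% Invalid command\n",
    "id": "% Invalid command\n",
    "cat /etc/os-release": "% Invalid command\n",
    "show version": (
        "Cisco Application Deployment Engine OS Release: 3.2\n"
        "ADE-OS Build Version: 3.2.0.542\n"
        "ADE-OS System Architecture: x86_64\n"
    ),
}

if __name__ == "__main__":
    import sys
    v = classify(probe(sys.argv[1], sys.argv[2])) if len(sys.argv) == 3 else classify(SAMPLE_ISE)
    print(v, "->", expected_scan_outcome(v))
```

Run it as `python probe_ise.py <host> <user>` against a node you own to see what your scanner account actually gets after authentication; with no arguments it classifies the constructed ISE sample. The useful lesson is the gap between "the credential was accepted" (what the ISE audit log and the scanner's SSH log both show) and "the login lands in a Linux shell with root" (what a credentialed Linux check needs), which is exactly the gap the thread describes.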

I was able to get a credentialed scan by adding the identity store. Unfortunately, after the upgrade to version 3.2, I'm back to not being able to get a credentialed scan even after double checking that everything on our DC side and domain user account hasn't changed. What version are you using?

Good morning,

We started having issues once we upgraded to 3.2 ourselves. I'm working with our ISE SME to see if we can fix it.

I opened a ticket with TAC. Can you let me know if you guys fix it and what the solution would be?