09-28-2022 10:24 AM - edited 09-28-2022 10:26 AM
Is there a way to scan Cisco ISE? I'm not getting a credentialed scan even with my admin credentials.
09-28-2022 12:28 PM
Could you explain more about what you're trying to do and what you were hoping would happen?
10-20-2022 03:52 AM
Hi Damien,
I'm trying to get a credentialed scan on our ISE server using ACAS. I used my SSH credentials and saw our ACAS scanner logged in using the credential I provided, but when I checked Nessus Scan Information, it wasn't credentialed. Our cyber team is asking for a credentialed scan.
10-20-2022 05:23 AM
The ISE CLI isn't a normal Linux prompt. The vulnerability scanner probably doesn't know how to parse it.
10-20-2022 06:44 AM
Thanks for the response. Yes, I think that is what's happening. I can see the credential that I provided being used to SSH to ISE, but I'm getting a non-credentialed scan every time.
10-20-2022 06:17 AM - edited 10-20-2022 06:18 AM
A Nessus/ACAS credentialed scan will make certain assumptions about the target host. For a "Linux" host which ISE (somewhat) is, the assumption would be that your credentials allow you to login with root privileges.
However, ISE does not allow customers access to the underlying RHEL Linux operating system (either as root or any other user). That is only possible with a time-limited root patch that is used exclusively by Cisco TAC.
Logging in to ISE as an admin user only gives admin (full) access to the ADE-OS (Application Development Environment - Operating System), which is an abstraction layer "above" the Linux OS.
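The thread hinges on what plugin 19506 ("Nessus Scan Information", the item the original poster checked) reports. The script below is an added example, not code from the thread or from Tenable: it parses a `.nessus` v2 export and lists, per host, whether that plugin says "Credentialed checks : yes" or "no", which is the evidence a cyber team usually wants. The XML sample is constructed for the example (an ISE node where the SSH login succeeded but local checks did not run, beside a Linux host where they did); host names, IPs and the surrounding plugin output lines are assumptions.

```python
"""Pull the 'Credentialed checks' verdict out of a .nessus export.

Added example, not code from the thread or from Tenable. It reads the
NessusClientData_v2 XML that Nessus/ACAS exports and reports, per host,
what plugin 19506 ("Nessus Scan Information") says about credentialed
checks. The sample export below is constructed for this example.
"""
import xml.etree.ElementTree as ET

SCAN_INFO_PLUGIN_ID = "19506"  # "Nessus Scan Information", emitted for every scanned host

# Constructed sample export (not real scan data): one ISE node where SSH
# login worked but local checks did not run, and one Linux host where they did.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="example">
    <ReportHost name="ise-node-1.example.local">
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
        <plugin_output>Information about this scan :

Nessus version : 10.5.1
Scan policy used : Basic Network Scan
Scanner IP : 10.0.0.5
Credentialed checks : no
Scan duration : 614 sec
</plugin_output>
      </ReportItem>
    </ReportHost>
    <ReportHost name="rhel-box.example.local">
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
        <plugin_output>Information about this scan :

Nessus version : 10.5.1
Scan policy used : Basic Network Scan
Scanner IP : 10.0.0.5
Credentialed checks : yes, as 'root' via ssh
Scan duration : 902 sec
</plugin_output>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_scan_info(output: str) -> dict:
    """Turn the 'Key : value' lines of plugin 19506 output into a dict."""
    info = {}
    for line in output.splitlines():
        if " : " not in line:
            continue
        key, _, value = line.partition(" : ")
        info[key.strip()] = value.strip()
    return info


def credentialed_hosts(nessus_xml: str) -> dict:
    """Map each ReportHost name to True (credentialed), False (not), or None
    when plugin 19506 is absent for that host (e.g. host never responded)."""
    root = ET.fromstring(nessus_xml)
    results = {}
    for host in root.iter("ReportHost"):
        name = host.get("name")
        results[name] = None
        for item in host.findall("ReportItem"):
            if item.get("pluginID") != SCAN_INFO_PLUGIN_ID:
                continue
            info = parse_scan_info(item.findtext("plugin_output") or "")
            # Real output reads "yes" or "yes, as 'root' via ssh"; "no" otherwise.
            results[name] = info.get("Credentialed checks", "").lower().startswith("yes")
    return results


def hosts_missing_credentialed_checks(nessus_xml: str) -> list:
    """Hosts a cyber team would flag: present in the export but not credentialed."""
    return sorted(h for h, ok in credentialed_hosts(nessus_xml).items() if not ok)


if __name__ == "__main__":
    for host, ok in credentialed_hosts(SAMPLE_NESSUS).items():
        print(f"{host}: credentialed={ok}")
    print("not credentialed:", hosts_missing_credentialed_checks(SAMPLE_NESSUS))
```

Run it against a real export with `credentialed_hosts(open("scan.nessus").read())`. On an ISE node the verdict will stay "no" even though the SSH login itself succeeded, which is the distinction this thread is about: a successful login is not the same as Nessus being able to run its local (root-level Linux) checks.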
10-20-2022 07:24 AM
Thanks for the response Marvin.
So, it's not possible to do a credentialed scan on ISE itself without the Cisco TAC involvement?
10-20-2022 07:30 AM
No, and I don't think TAC will agree that this is a valid use case for a root patch. Why do you feel the need to scan your ISE nodes?
10-20-2022 07:54 AM
Personally, I don't think it's necessary, but I need to answer to our cyber team why ISE is not getting a credentialed scan.
10-20-2022 08:00 AM
I would tell them it's a secure appliance and the vendor does not support customer access to the underlying operating system.
(nice way of saying "go pound sand")
10-20-2022 07:41 AM
Like @ahollifield said - no you CANNOT do a credentialed scan, even if you ask the TAC.
The root patch is only for TAC troubleshooting and uses an ssh key that they will not share with the customer. That's by design to keep the system more secure and not allow unauthorized changes (including things that a credentialed scan might do!)
03-14-2023 12:05 PM
Don't think we are doing anything different, but we are able to get credentialed scans most of the time. What was said before about the Linux OS vs. the ISE ADE-OS makes sense... When the scanner recognizes the ISE ADE-OS, we get credentialed scans; when it thinks it is a Linux box, we don't.
04-13-2023 09:11 AM
I was able to get a credentialed scan by adding the identity store. Unfortunately, after the upgrade to version 3.2, I'm back to not being able to get a credentialed scan even after double checking that everything on our DC side and domain user account hasn't changed. What version are you using?
04-13-2023 10:29 AM
I opened a ticket with TAC. Can you let me know if you guys fix it and what the solution would be?