Finding out whether ISE is enabled and working on a Host

Arjun Kumar
Level 1

Hello,

 

Just got an unusual request from one of our customers: they want to see the clients/hosts which are successfully running ISE (with posture) using Tenable (Nessus). They know it can be checked on ISE, but they want to see it on their Nessus. Just want to know if anyone knows which service to check for, or whether a registry key or any command line (command) could be used.

 

T&R

 

 


agrissimanis
Level 1

Hi Arjun,

 

You could check if the AnyConnect ISE posture agent service is running (aciseagent). You could also check the wired/wireless autoconfig services (dot3svc/Wlansvc) to see if the 802.1X supplicant is running.

However, even if these two services are running, it wouldn't prove that the authentication has been successful (in monitor mode, for example, the authentication/posture could have failed, but the machine still has network access; the switch might not even be configured for dot1x and the supplicant has the fallback option enabled so network access is allowed regardless, etc.).

If you can run psexec-style queries from Nessus, you could remotely execute and parse the output from "netsh lan show interfaces" to get the actual authentication status of the interfaces. Similar queries could be executed using WMI and PowerShell ("get-wmiobject win32_networkadapter" and filter by connection state), depending on the capabilities of Nessus. I have never looked at registry keys in regards to dot1x; there might be something that you could use.

 

Regards,

Agris

 

Please vote if helpful

Dear Agris,

 

Thank you for your response. I will ask the customer to check on the Nessus side with the psexec query and see if we get the desired output.

------

Update:

Unfortunately, there was nothing we could get from the query which would indicate that the user is configured and authenticated via ISE.

 

T&R

From the netsh output you should get something like this - 
Name : Local Area Connection
Description : Realtek PCIe GBE Family Controller
GUID : 68eb6c81-93be-4efa-8616-a61c5
Physical Address : AA-BB-24-E2-FB-DF
State : Connected. Authentication succeeded.

If you are able to parse multi-line output, you could check the State: row. This indicates the link status and authentication status. On a PC where authentication fails I get this:

State: Connected. Authentication failed.

Or if the switchport is not enabled for 802.1X, you should get this:

State: Connected. Network does not support authentication

The success of these queries depends on multiple factors, including your OS versions, permissions, credentials, etc. I suspect you would need to spend some time to get it working reliably. This is not a very elegant way of obtaining the authentication status remotely; it is just the first method I thought of. WMI and PowerShell would probably be more efficient. And even then, this information does not include the posture status, just the authentication status.
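An added example, not part of the reply above: one way to parse captured "netsh lan show interfaces" output and classify each interface by its State row, using the three State strings quoted in that reply. It assumes English-locale output from the Windows native supplicant; the function names, verdict labels and the sample text are constructed for illustration, and the result covers authentication status only, not posture.

```python
import re

# Constructed sample, modelled on the output quoted in the thread
# (assumption: English locale, Windows native Wired AutoConfig supplicant).
SAMPLE = """\
There are 3 interfaces on the system:

    Name             : Local Area Connection
    Physical Address : AA-BB-24-E2-FB-DF
    State            : Connected. Authentication succeeded.

    Name             : Local Area Connection 2
    State            : Connected. Authentication failed.

    Name             : Local Area Connection 3
    State            : Connected. Network does not support authentication
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")
VERDICTS = [  # hypothetical labels; first matching phrase wins
    ("authentication succeeded", "dot1x-authenticated"),
    ("authentication failed", "dot1x-failed"),
    ("does not support authentication", "port-not-dot1x"),
]

def parse_interfaces(text):
    """Split netsh output into one dict per interface, keyed by field name."""
    interfaces = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # header line, blank line, or unrecognised text
        key, value = m.groups()
        if key == "Name":
            interfaces.append({})  # a Name row starts a new interface block
        if interfaces:
            interfaces[-1][key] = value
    return interfaces

def classify(state):
    """Map a State value to a verdict; anything unrecognised is 'unknown'."""
    for phrase, verdict in VERDICTS:
        if phrase in state.lower():
            return verdict
    return "unknown"

def audit(text):
    return {i["Name"]: classify(i.get("State", "")) for i in parse_interfaces(text)}
```

Treat "unknown" as a result to investigate rather than a pass: a disconnected port, a different supplicant or a non-English locale will all land there.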

Dear Agris,

 

Thank you for the follow-up post. I will take note of the outputs and try the same on their environment. Will update tomorrow about the results on the same.

 

T&R 

Hi Agris,

 

I believe this will hold good if WiredAutoconfig is enabled, i.e. using the Windows native adapter for authentication. With AnyConnect enabled we get the below output:

image.png

T&R

 

 
