09-19-2017 04:32 AM - edited 02-21-2020 10:34 AM
Hello,
Just got an unusual request from one of our customers: they want to see the clients/hosts which are successfully running ISE (with posture) using Tenable (Nessus). They know it can be checked on ISE, but they want to see it on their Nessus. Just want to know if anyone knows which service to check for, or a registry key or any command line (command) that could be used.
T&R
09-20-2017 03:04 AM - edited 09-20-2017 03:20 AM
Hi Arjun,
You could check if the AnyConnect ISE posture agent service is running (aciseagent). You could also check the wired/wireless autoconfig services (dot3svc/Wlansvc) to see if the 802.1X supplicant is running.
However, even if these two services are running, it wouldn't prove that the authentication has been successful (in monitor mode, for example, the authentication/posture could have failed, but the machine still has network access; the switch might not even be configured for dot1x and the supplicant has the fallback option enabled so network access is allowed regardless, etc.).
If you can run psexec-style queries from Nessus, you could remotely execute and parse the output from "netsh lan show interfaces" to get the actual authentication status of the interfaces. Similar queries could be executed using WMI and PowerShell ("get-wmiobject win32_networkadapter" and filter by connection state), depending on the capabilities of Nessus. I have never looked at registry keys in regards to dot1x; there might be something that you could use.
Regards,
Agris
Please vote if helpful
09-20-2017 03:32 AM - edited 09-20-2017 05:58 AM
Dear Agris,
Thank you for your response. I will ask the customer to check on the Nessus side with the psexec query and see if we get the desired output.
------
Update:
There was nothing we could get from the query which would indicate that the user is configured and authenticated via ISE, unfortunately.
T&R
09-21-2017 07:15 AM - edited 09-21-2017 07:18 AM
From the netsh output you should get something like this -
Name : Local Area Connection
Description : Realtek PCIe GBE Family Controller
GUID : 68eb6c81-93be-4efa-8616-a61c5
Physical Address : AA-BB-24-E2-FB-DF
State : Connected. Authentication succeeded.
If you are able to parse multi-line output, you could check the State: row. This indicates the link status and authentication status. On a PC where authentication fails I get this:
State: Connected. Authentication failed.
Or if the switchport is not enabled for 802.1X, you should get this:
State: Connected. Network does not support authentication
The success of these queries depends on multiple factors, including your OS versions, permissions, credentials, etc. I suspect you would need to spend some time to get it working reliably. This is not a very elegant way of obtaining the authentication status remotely; it is just the first method I thought of. WMI and PowerShell would probably be more efficient. And even then, this information does not include the posture status, just the authentication status.
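One way to parse the State row from collected "netsh lan show interfaces" output, as an added example that is not part of the original post and is not Cisco or Tenable code. The sample text is constructed around the State strings quoted above, and the function names and verdict labels are hypothetical.

```python
import re

# Constructed sample. The three State strings are the ones quoted in the post;
# the header line and the second and third interface names are made up.
SAMPLE = """\
There are 3 interfaces on the system:

    Name             : Local Area Connection
    Description      : Realtek PCIe GBE Family Controller
    Physical Address : AA-BB-24-E2-FB-DF
    State            : Connected. Authentication succeeded.

    Name             : Lab Port
    State            : Connected. Authentication failed.

    Name             : Dock Ethernet
    State            : Connected. Network does not support authentication
"""

# Hypothetical verdict labels, one per State string from the thread.
VERDICTS = [
    (re.compile(r"authentication succeeded", re.I), "dot1x-authenticated"),
    (re.compile(r"authentication failed", re.I), "dot1x-failed"),
    (re.compile(r"does not support authentication", re.I), "dot1x-not-enforced"),
]

def parse_interfaces(text):
    """Return one dict per interface; a 'Name' row starts a new record."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if not sep:
            continue                           # blank or free-text line
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = {}
            records.append(current)
        if current is not None:                # skips the header before any Name
            current[key] = value
    return records

def classify(state):
    """Map a State value to a verdict; anything unrecognised is 'unknown'."""
    for pattern, verdict in VERDICTS:
        if pattern.search(state):
            return verdict
    return "unknown"  # e.g. disconnected, or Wired AutoConfig is not the supplicant

def audit(text):
    """Interface name -> 802.1X verdict. Says nothing about posture status."""
    return {r["Name"]: classify(r.get("State", "")) for r in parse_interfaces(text)}
```

Treat "unknown" as "needs a different check" rather than as a failure: the State row only carries authentication status when the Windows native supplicant is handling 802.1X.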
09-23-2017 09:13 AM
Dear Agris,
Thank you for the follow-up post. I will take note of the outputs and try the same in their environment. Will update tomorrow about the results on the same.
T&R
09-24-2017 12:53 AM
Hi Agris,
I believe this will hold good if WiredAutoconfig is enabled, i.e. using the Windows native adapter for authentication; with AnyConnect enabled we get the below output
T&R