Cisco ISE 1.2 - Profiling - Network Scan Action not working

Sakun Sharma
Level 1

Hello,

I have configured a profile with a specific MAC address of an HP printer and set the MAC match rule to Take Network Scan Action, and the Network Scan Action is set to SNMPPortsAndOS-scan.

When I connect the printer to the network, the Identity section shows the Profiling Profile (the one I created), but it doesn't perform the network scan; it doesn't retrieve the deviceDescription, OS and other information. ISE has SNMP access to the VLAN the printer is assigned to. The printer is using a static IP in that VLAN. I can ping the printer.

Any suggestions why ISE is not performing the NMap scan on the printer?

Thanks

1 Reply

Octavian Szolga
Level 4

Hi,

It should work.

---------------------------

You have to check the parent profile configuration:

 

parent profile General_CORP_Printer

total certainty factor = 50 (just an example)

Conditions:

if OUI or entire MAC is/contains X  = 50 points

+ take network scan action

---------------------------

Make sure the global SNMP community string is public, or whatever custom community you've configured on your printer.

---------------------------

Check if your printer is indeed identified as General_CORP_Printer.

---------------------------

The first connection of the printer should match a profile that allows network access (with a dACL allowing access to ISE - return traffic for the scan part).

---------------------------

Your switch should have IP Device Tracking on so that ISE learns the printer's IP. In order to 'stimulate' the printer you should configure authentication control-direction in.

If nobody connects to the printer (wants to print), the printer itself will not generate any traffic, so the switch will not learn its IP, and ISE will not know the IP to scan.

(Do a ping to the printer so that you trigger an ARP on the L3/printer's gateway; the printer will get the ARP request - auth control-direction in - and will want to respond; IP Device Tracking will kick in and learn the printer's IP.)

 

Regards,

Octavian
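As an added example that is not part of Octavian's reply, this is the Cisco IOS switch-side configuration his last two points describe: IP Device Tracking so the switch learns the printer's address, and a MAB access port with `authentication control-direction in` so the gateway's ARP request reaches the unauthenticated printer and makes it answer. The interface name, VLAN and probe delay are assumptions; on newer IOS-XE releases the global `ip device tracking` command is replaced by SISF `device-tracking` policies, and the dACL itself is pushed from ISE, not configured here.

```cisco
! Global: learn host IPs from ARP so ISE has an address to hand to the scan
ip device tracking
! Assumed value: delay the probe after link-up so a static-IP host is not probed too early
ip device tracking probe delay 10

! Access port the printer plugs into (interface name and VLAN are assumptions)
interface GigabitEthernet1/0/10
 description HP printer - profiled by MAC, Network Scan Action
 switchport mode access
 switchport access vlan 20
 ! MAB first: the printer is authorized on its MAC, no 802.1X supplicant needed
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 ! 'in' blocks only traffic FROM the host before authorization, so the switch still
 ! forwards the gateway's ARP request TO the printer; the reply triggers device tracking
 authentication control-direction in
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! Verify after pinging the printer from its gateway:
!   show ip device tracking all
!   show authentication sessions interface GigabitEthernet1/0/10 details
```

If `show ip device tracking all` never lists the printer's IP, ISE has nothing to scan regardless of the profiler policy; fix tracking on the switch before revisiting the profile.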