![]() ![]() There are a number of approaches to creating Nessus scanning policies. To perform this scan an IOS user with privilege 1 is sufficient. You may be running "IP Base" set which doesn't support MPLS but Nessus will show MPLS vulnerability. For example if there is a vulnerability in http server but your device doesn't have it enabled you are not vulnerable. Furthermore there are different feature sets of the same IOS version. You may be running version of IOS that has known vulnerabilities but your device may not be vulnerable. Third: our policy will include checks for IOS, CatOS and Linksys devices.įourth: Probably the most important one. Second: Nessus supports only SSH authentication for Cisco devices. You can export to the list of IPs from CiscoWorks or use NMAP scan and import result to Nessus. The reason for that is that someone could set up a rogue SSH server and intercept the credential you use for scanning. You would need to tell us what you have configured forĪre these found under Policy Elements > Results > TACACS+ Profiles?There are a few caveats to scanning Cisco switches with Nessus.įirst: I recommend scanning only specific management IP addresses of devices rather than network ranges. Depending on what that device is (IOS, IOS-XR, WLC, etc.) you need to return the correct attributes. In this case, Nessus wants to log in and we need to grant that use a read-only TACACS+ Authorization Profile. The point I am trying to make here is that ISE is only involved in answering the request from the network devices, when someone tries to log into those devices. The network device would have some locally defined access level defined for that user. ) then you would tell Nessus to scan all devices using username admin_ro. If you didn't have TACACS+ and you had local user in all of your network devices (e.g. And that is the only reason we're having this discussion. It's a great thing that all of your network devices are under TACACS+ management. This plugin is pre-compiled with the Nessus. There is no integration between ISE and Nessus. Available versions include: Cisco IOS 17.x (2.0.0) Cisco IOS 16 (2.0.0) Cisco IOS 15 (4.1.1) Cisco ASA 9.x Firewall (1.0.0). Nessus Cisco Compliance Checks Carole Fennelly J 5 Min Read T enable has authored a Nessus plugin ( ID 46689) named Cisco IOS Compliance Checks that implements the APIs used to audit systems running Cisco IOS. Your job will be to return the read-only attributes to the Cisco devices when user svc-tenable (or a member of a specific AD Group) performs a TACACS+ authentication, You could also achieve the same with an internal ISE Account - but keep things consistent if yoru TACACS+ is already checking AD for authentications. svc-tenable) that they can configure into their scanner, that will then go around all your Cisco devices and log in with read-only privileges. So in summary, they want a new user account in AD (e.g. I did a quick check on the T enable website for examples of Cisco IOS Scans And if the service account lives in AD, then ISE will authenticate the account in AD and your Policy Authorization Rule should check which AD Security Group the service account belongs to, and then return the appropriate TACACS+ Privilege Level. but TACACS+ is usually used for device admin) ISE will have to process that service account. And since ISE is your TACACS+ server (I am assuming here. Unless I am mistaken, what they are referring to is, that you create a service account (an account not to be used by a human) that allows a service (Nessus, in this case) to log into network devices (WLC, switches, etc.) that are using TACACS+ for their device authentication. Logging into the ISE nodes to perform a scan using read only doesn't make sense - there is no such thing. They are looking for open ports and vulnerabilities. Mark as New Bookmark Subscribe Mute Subscribe to RSS Feed Print Report Inappropriate Content 03-22-2018 08:09 AM - edited 02-21-2020 07:33 AM. ![]() You can of course run a Nessus Vulnerability scan against any device on the network and they have probably already done that to ISE. SSL Self Signed Certificate Findings on Nessus Scans on Cisco 3750 - 24PS-E Go to solution. The Cisco Nexus 5500 platform extends the industry-leading versatility of the Cisco Nexus 5000 Series purpose-built 10 Gigabit Ethernet data center-class switches and provides innovative advances toward higher density, lower latency, and multilayer services. I would doubt that they meant they wanted to scan the ISE devices (i.e. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |