Yes, below solution is not in best practice, but a temporary workaround until you get Cisco ACS or ISE solution. Here is a second round to address the issue. It would be the problem since Tenable / Security Center will execute “show running-config” command instead of the special(hidden command)Īgain, ACS 5.x will be handy to prohibit and permit certain Cisco commands One catch from this method is “show running-config” need to be changed with “show running-config view full” in order for viewing entire running configuration. The new credential will provide all ” show + commands “, but no write memory. Privilege exec all level 7 show running-config Username NESSUS privilege 7 secret Abcd12345 Nessus: One of the most famous vulnerability scanners that supports credentialed or uncredentialed port. Username NESSUS privilege 3 password Abcd12345 Securi Cisco IP Teleph Networ Akhil Behl. If you don’t have Cisco ACS server, try the following way to achieve the goal. If you have Cisco ACS (TACACS+) server, it would be easy to control permitted commands with the dedicated user account for the Nessus scanner. So, now we know what commands that Nessus use for the vulnerability and compliance scanning. Careful, they put together of all commands of Cisco router, switch and ASA in a single spreadsheet. With Cisco NAC Appliance, you can define automatic, immediate responses to scan results. You would need to tell us what you have configured forĪre these found under Policy Elements > Results > TACACS+ Profiles?Once you open it, you will see the whole list of Cisco commands. The Cisco NAC Appliance network scanner uses Nessus plugins to check for security vulnerabilities. Depending on what that device is (IOS, IOS-XR, WLC, etc.) you need to return the correct attributes. In this case, Nessus wants to log in and we need to grant that use a read-only TACACS+ Authorization Profile. The point I am trying to make here is that ISE is only involved in answering the request from the network devices, when someone tries to log into those devices. The network device would have some locally defined access level defined for that user. ) then you would tell Nessus to scan all devices using username admin_ro. If you didn't have TACACS+ and you had local user in all of your network devices (e.g. And that is the only reason we're having this discussion. Id like to setup my Nessus Professional scanner to scan my Cisco 5548UP. It's a great thing that all of your network devices are under TACACS+ management. There is no integration between ISE and Nessus. Your job will be to return the read-only attributes to the Cisco devices when user svc-tenable (or a member of a specific AD Group) performs a TACACS+ authentication, You could also achieve the same with an internal ISE Account - but keep things consistent if yoru TACACS+ is already checking AD for authentications. svc-tenable) that they can configure into their scanner, that will then go around all your Cisco devices and log in with read-only privileges. So in summary, they want a new user account in AD (e.g. I did a quick check on the T enable website for examples of Cisco IOS Scans And if the service account lives in AD, then ISE will authenticate the account in AD and your Policy Authorization Rule should check which AD Security Group the service account belongs to, and then return the appropriate TACACS+ Privilege Level. but TACACS+ is usually used for device admin) ISE will have to process that service account. And since ISE is your TACACS+ server (I am assuming here. This document was lately verified with ISE 3.1. This should be released end of April 2022. Unless I am mistaken, what they are referring to is, that you create a service account (an account not to be used by a human) that allows a service (Nessus, in this case) to log into network devices (WLC, switches, etc.) that are using TACACS+ for their device authentication. Tenable Nessus - trial software Demo The dCloud team is working on adding Tenable.sc TC-NAC to the ISE Enterprise Security & Ecosystems demo, please see cs.co/selling-ise-demos for more information. Logging into the ISE nodes to perform a scan using read only doesn't make sense - there is no such thing. They are looking for open ports and vulnerabilities. You can of course run a Nessus Vulnerability scan against any device on the network and they have probably already done that to ISE. I would doubt that they meant they wanted to scan the ISE devices (i.e.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |