We've received a request from the security ops team to create a new service account for the Nessus scanner (with AD integration) in ISE with read-only privileges to scan the ISE devices.

I would doubt that they meant they wanted to scan the ISE devices (i.e. ...). You can of course run a Nessus vulnerability scan against any device on the network, and they have probably already done that to ISE. They are looking for open ports and vulnerabilities. Logging into the ISE nodes to perform a scan using read-only doesn't make sense - there is no such thing.

Unless I am mistaken, what they are referring to is that you create a service account (an account not to be used by a human) that allows a service (Nessus, in this case) to log into network devices (WLC, switches, etc.) that are using TACACS+ for their device authentication. And since ISE is your TACACS+ server (I am assuming here, but TACACS+ is usually used for device admin), ISE will have to process that service account. I did a quick check on the Tenable website for examples of Cisco IOS scans. And if the service account lives in AD, then ISE will authenticate the account in AD and your Policy Authorization Rule should check which AD Security Group the service account belongs to, and then return the appropriate TACACS+ Privilege Level.

So in summary, they want a new user account in AD (e.g. svc-tenable) that they can configure into their scanner, that will then go around all your Cisco devices and log in with read-only privileges. Your job will be to return the read-only attributes to the Cisco devices when user svc-tenable (or a member of a specific AD group) performs a TACACS+ authentication. You could also achieve the same with an internal ISE account - but keep things consistent if your TACACS+ is already checking AD for authentications.

There is no integration between ISE and Nessus. It's a great thing that all of your network devices are under TACACS+ management. And that is the only reason we're having this discussion. If you didn't have TACACS+ and you had local users in all of your network devices (e.g. ...) then you would tell Nessus to scan all devices using username admin_ro. The network device would have some locally defined access level defined for that user. The point I am trying to make here is that ISE is only involved in answering the request from the network devices, when someone tries to log into those devices. In this case, Nessus wants to log in and we need to grant that user a read-only TACACS+ Authorization Profile. Depending on what that device is (IOS, IOS-XR, WLC, etc.) you need to return the correct attributes.

You would need to tell us what you have configured for

Are these found under Policy Elements > Results > TACACS+ Profiles?

This document describes how Nessus 5.x can be used to audit the configuration of Unix, Windows, database, SCADA, IBM iSeries, and Cisco systems against a compliance policy as well as search the contents of various systems for sensitive content. The phrases Policy Compliance and Compliance Checks are used interchangeably within this document.

Description: Offline configuration audits allow Nessus to scan hosts without the need to scan over the network or use credentials. Organizational policies may not allow users to scan devices or know credentials for devices on the network for security reasons. Offline configuration audits use configuration files from hosts to be scanned instead.

Once you open it, you will see the whole list of Cisco commands. Be careful: they put all commands for Cisco routers, switches and ASA together in a single spreadsheet. So now we know which commands Nessus uses for vulnerability and compliance scanning.

If you have a Cisco ACS (TACACS+) server, it would be easy to control the permitted commands with a dedicated user account for the Nessus scanner. If you don't have a Cisco ACS server, try the following way to achieve the goal. Yes, the solution below is not best practice, but it is a temporary workaround until you get a Cisco ACS or ISE solution.

```
privilege exec all level 7 show running-config
username NESSUS privilege 7 secret Abcd12345
username NESSUS privilege 3 password Abcd12345
```

The new credential will provide all "show" commands, but no write memory. One catch with this method is that "show running-config" needs to be changed to "show running-config view full" in order to view the entire running configuration. That would be a problem, since Tenable / SecurityCenter will execute the "show running-config" command instead of the special (hidden) command. Again, ACS 5.x will be handy to prohibit and permit certain Cisco commands. Here is a second round to address the issue.
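An added defender-side check, not code from the post, Tenable or Cisco: the script below parses an IOS-style running config and verifies that the scanner account has the limited privilege level and show-only access described above (below level 15, `show running-config` reachable at its level, no write-type commands granted there, and a hashed `secret` rather than a `password`). The regexes, the `WRITE_COMMANDS` set and `audit_scanner_account` are my own assumptions; the sample config is constructed around the username and privilege lines quoted in the post.

```python
import re

# Constructed sample config (not from any real device): the username and
# privilege lines quoted in the post, plus an admin line the audit must skip.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username admin privilege 15 secret 5 $1$placeholder
username NESSUS privilege 7 secret Abcd12345
privilege exec all level 7 show running-config
"""

# Command roots that let an account change the device; the post's goal is
# "all show commands, but no write memory" for the scanner user (assumed list).
WRITE_COMMANDS = {"write", "configure", "copy", "reload", "delete", "erase"}

USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\s+(secret|password)\b")
PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+(all\s+)?level\s+(\d+)\s+(.+)$")


def parse_config(text):
    """Return ({user: (level, keyword)}, [(mode, all_subcommands, level, command)])."""
    users, grants = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = (int(m.group(2)), m.group(3))
            continue
        m = PRIV_RE.match(line)
        if m:
            grants.append((m.group(1), bool(m.group(2)), int(m.group(3)), m.group(4).strip()))
    return users, grants


def audit_scanner_account(text, username):
    """Check the scanner user stays below level 15, can read the running config,
    has no write-type commands at its level, and uses a hashed 'secret'."""
    users, grants = parse_config(text)
    if username not in users:
        return {"present": False}
    level, keyword = users[username]
    # Only exec-mode grants at or below the user's level are reachable. A level-15
    # user has every command regardless of 'privilege' lines, hence the level < 15 test.
    visible = [cmd for mode, _, lvl, cmd in grants if mode == "exec" and lvl <= level]
    writable = [c for c in visible if c.split()[0] in WRITE_COMMANDS]
    return {"present": True, "level": level, "write_commands": writable,
            "can_read_config": any(c.startswith("show running-config") for c in visible),
            "hashed_secret": keyword == "secret",
            "least_privilege_ok": level < 15 and not writable and keyword == "secret"}
```

Run it against a saved copy of the running configuration (or the offline config files the Tenable excerpt mentions) before handing the credential to the scanner.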