Occasional Contributor II

Endpoint not updated with the audit results

I am having a hard time getting the Audit option (in a service) in 6.7 working.

The scenario is an IoT device connecting and then being profiled. Based on the NMAP profiling results, the connection remains or is terminated.

Service is configured with Local Endpoint repository as an Authorization source.

Profiler and Audit are defined in the service. 

The problem: nmap is running, and I can see the results in the Access Tracker (Audit Success). But the Endpoint is not updated.

Does anybody know what the conditions are to update the endpoint record?

BTW, when I do an on-demand scan the endpoint record is updated fine.

 


 

Regular Contributor I

Re: Endpoint not updated with the audit results

Curious if you worked through this. I think the difference here is that the NMAP Scan results in Posture Attributes, whereas Device Profiling results in Fingerprint attributes, which are shown in the Endpoint Database.

 

For me, I had the NMAP create a role, CoA the device, then take the new role into consideration in the policy. I am also marking the Endpoint as known so it does not get scanned on subsequent attempts.

Occasional Contributor II

Re: Endpoint not updated with the audit results

What do you mean by "I am also marking the Endpoint as known so it does not get scanned on subsequent attempts"?

What scan is not running once an endpoint is marked as known? The scan triggered by the Audit tab?

Regular Contributor I

Re: Endpoint not updated with the audit results

Correct, the Audit Tab has 'Audit Trigger Conditions', which if selected has an option 'For unknown end-hosts only'.

 

Did you ever find a way to see the Audit scan details in the Endpoint repository or anywhere else? The only place I can seem to find it is in the Access Tracker Output tab.
