Configure ISE 2.1 Threat-Centric NAC (TC-NAC) with Qualys

Available Languages

Updated:November 14, 2016
Document ID:200548

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes how to configure Threat-Centric NAC with Qualys on Identity Services Engine (ISE) 2.1. Threat Centric Network Access Control (TC-NAC) feature enables you to create authorization policies based on the threat and vulnerability attributes received from the threat and vulnerability adapters.

Prerequisites

Requirements

Cisco recommends that you have basic knowledge of these topics:

  • Cisco Identity Service Engine

  • Qualys ScanGuard

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco Identity Service Engine version 2.1
  • Wireless LAN Controller (WLC) 8.0.121.0
  • Qualys Guard Scanner 8.3.36-1, Signatures 2.3.364-2
  • Windows 7 Service Pack 1

Configure

High Level Flow Diagram

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-00.png

This is the flow:

  1. Client connects to the network, limited access is given and profile with Assess Vulnerabilities checkbox enabled is assigned
  2. PSN node sends Syslog message to MNT node confirming authentication took place and VA Scan was the result of Authorization Policy
  3. MNT node submits SCAN to TC-NAC node (using Admin WebApp) using this data:
    - MAC Address
    - IP Address
    - Scan Interval
    - Periodic Scan Enabled
    - Originating PSN
  4. Qualys TC-NAC (encapsulated in Docker Container) communicates with Qualys Cloud (via REST API) to trigger scan if needed
  5. Qualys Cloud instructs Qualys Scanner to scan the endpoint
  6. Qualys Scanner sends the results of the scan to the Qualys Cloud
  7. Results of the scan are sent back to TC-NAC:
    - MAC Address
    - All CVSS Scores
    - All Vulnerabilities (QID, title, CVEIDs)
  8. TC-NAC updates PAN with all the data from the step 7.
  9. CoA is triggered if needed according to Authorization Policy configured.

Configure Qualys Cloud and Scanner

Caution: Qualys configuration in this document is done for the lab purposes, please consult with Qualys engineers for design considerations

Step 1. Deploy Qualys Scanner

Qualys scanner can be deployed from OVA file. Login to Qualys cloud and navigate to Scans > Appliances and select New > Virtual Scanner Appliance

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-01.png

Select Download Image Only and pick appropriate distribution

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-02.png

To get Activation Code you can go to Scans > Appliances and select New > Virtual Scanner Appliance and select I Have My Image

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-03.png

After entering scanner name you are given Authorization Code which you will use later.

Step 2. Configure Qualys Scanner

Deploy OVA on the virtualization platform of your choice. Once done, configure those settings:

  • Set up network (LAN)
  • WAN interface settings (if you are using two interfaces)
  • Proxy settings (if you are using proxy)
  • Personalize this scanner

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-04.png

Afterwards scanner connects to Qualys and downloads the latest software and signatures.

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-05.png

To verify the scanner is connected you can navigate to Scans > Appliances.

Green connected sign on the left indicates that scanner is ready, you can also see LAN IP, WAN IP, version of Scanner and Signatures.

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-06.png

Configure ISE

Though you have configured Qualys Scanner and Cloud, you still have to tune Cloud settings to make sure integration with ISE works fine. Note, it should be done before you configure adapter through GUI, as the knowledgebase containing CVSS scoring is downloaded after the adapter is configured for the first time.

Step 1. Tune Qualys Cloud Settings for Integration with ISE

  • Enable CVSS Scoring at Vulnerability Management > Reports > Setup > CVSS > Enable CVSS Scoring

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-07.png

  • Ensure that user credentials used in adapter configuration have manager privileges. Select your user from the left top corner and click on User Profile. You should have Manager rights in the User Role.

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-08.png

  • Ensure that IP addresses/subnets of endpoints that require Vulnerability Assessment are added to Qualys at Vulnerability Management > Assets > Host Assets > New > IP Tracked Hosts

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-09.png

Step 2. Enable TC-NAC Services

Enable TC-NAC Services under Administration > Deployment > Edit Node. Check checkbox.

Note: There can be only one TC-NAC Node per Deployment.

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-10.png

Step 3. Configure Qualys Adapter Connectivity to ISE VA Framework

Navigate to Administration > Threat Centric NAC > Third Party Vendors > Add. Click on Save.

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-11.png

When Qualys Instance transitions to Ready to configure state, click on Ready to configure option in the Status.

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-12.png

REST API host should be the one you use for Qualys Cloud, where your account is located. In this example - qualysguard.qg2.apps.qualys.com

Account should be the one with Manager privileges, click on Next.

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-13.png

ISE downloads information about Scanners which are connected to Qualys Cloud, you can configure PSN to Scanner Mapping on this page. It ensures that selected scanner is picked based on PSN which authorizes the endpoint.

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-14.png

Advanced settings are well documented in ISE 2.1 Admin Guide, link can be found in the References section of this document. Click on Next and Finish. Qualys Instance transitions to Active state and knowledge base download starts.

Note: There can be only one Qualys instance per deployment.

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-15.png

Step 4. Configure Authorization Profile to trigger VA Scan

Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles. Add new profile. Under Common Tasks select Vulnerability Assessment checkbox.
On-Demand scan interval should be selected according to your network design.

Authorization Profile contains those av-pairs:

cisco-av-pair = on-demand-scan-interval=48
cisco-av-pair = periodic-scan-enabled=0
cisco-av-pair = va-adapter-instance=796440b7-09b5-4f3b-b611-199fb81a4b99

They are sent to network devices within Access-Accept packet, although the real purpose of them is to tell MNT Node that Scan should be triggered. MNT instructs TC-NAC node to communicate with Qualys Cloud.

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-16.png

Step 5. Configure Authorization Policies

  • Configure Authorization Policy to use the new Authorization Profile configured in step 4. Navigate to Policy > Authorization > Authorization Policy, locate Basic_Authenticated_Access rule and click on Edit. Change the Permissions from PermitAccess to the newly created Standard VA_Scan. This causes a Vulnerability Scan for all users. Click on Save.
  • Create Authorization Policy for Quarantined machines. Navigate to Policy > Authorization > Authorization Policy > Exceptions and create an Exception Rule. Click on Conditions > Create New Condition (Advanced Option) > Select Attribute, scroll down and select Threat. Expand the Threat attribute and select Qualys-CVSS_Base_Score. Change the operator to Greater Than and enter a value according to your Security Policy. Quarantine authorization profile should give limited access to the vulnerable machine.

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-17.png

Verify

Identity Services Engine

The first connection triggers VA Scan. When the scan is finished, CoA Reauthentication is triggered to apply new policy if it is matched.

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-18.png

In order to verify which vulnerabilities were detected, navigate to Context Visibility > Endpoints. Check per endpoints Vulnerabilities with the Scores given to it by Qualys.

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-19.png

When selecting particular endpoint, more details about each Vulnerability appears, including Title and CVEID's.

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-20.png

In Operations > TC-NAC Live Logs, you can see Old vs New authorization policies applied and details on CVSS_Base_Score.

Note: Authorization conditions are done based on CVSS_Base_Score, which equals to the highest Vulnerability Score detected on the endpoint.

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-21.png

Qualys Cloud

When the VA Scan is triggered by TC-NAC Qualys queues the Scan, it can be viewed at Scans > Scans

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-22.png

 Afterwards it transitions to Running, meaning Qualys cloud has instructed the Qualys Scanner to perform actual scanning

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-23.png

 While the Scanner performs the Scan, you should see "Scanning..." sign in the top right corner of the Qualys Guard

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-24.png

Once the Scan is done it transitions to Finished state. You can view results at Scans > Scans, select required scan and click on View Summary or View Results.

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-25.png

In the Report itself you can see Detailed Results, where detected Vulnerabilities are shown.

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-26.png

Troubleshoot

Debugs on ISE

In order to enable debugs on ISE navigate to Administration > System > Logging > Debug Log Configuration, select TC-NAC Node and change the Log Level va-runtime and va-service component to DEBUG

200548-Configure-ISE-2-1-Threat-Centric-NAC-TC-27.png

Logs to be checked - varuntime.log. You can tail it directly from ISE CLI:

ISE21-3ek/admin# show logging application varuntime.log tail

TC-NAC Docker received instruction to perform Scan for particular endpoint.

2016-06-28 19:06:30,823 DEBUG  [Thread-70][] va.runtime.admin.mnt.EndpointFileReader -:::::- VA: Read va runtime. [{"operationType":1,"macAddress":"C0:4A:00:14:8D:4B","ondemandScanInterval":"48","isPeriodicScanEnabled":false,"periodicScanEnabledString":"0","vendorInstance":"796440b7-09b5-4f3b-b611-199fb81a4b99","psnHostName":"ISE21-3ek","heartBeatTime":0,"lastScanTime":0}]
2016-06-28 19:06:30,824 DEBUG  [Thread-70][] va.runtime.admin.vaservice.VaServiceRemotingHandler -:::::- VA: received data from Mnt: {"operationType":1,"macAddress":"C0:4A:00:14:8D:4B","ondemandScanInterval":"48","isPeriodicScanEnabled":false,"periodicScanEnabledString":"0","vendorInstance":"796440b7-09b5-4f3b-b611-199fb81a4b99","psnHostName":"ISE21-3ek","heartBeatTime":0,"lastScanTime":0}


Once the result is received it stores all Vulnerability data in the Context Directory.

2016-06-28 19:25:02,020 DEBUG  [pool-311-thread-8][] va.runtime.admin.vaservice.VaServiceMessageListener -:::::- Got message from VaService: [{"macAddress":"C0:4A:00:14:8D:4B","ipAddress":"10.62.148.63","lastScanTime":1467134394000,"vulnerabilities":["{\"vulnerabilityId\":\"QID-90783\",\"cveIds\":\"CVE-2012-0002,CVE-2012-0152,\",\"cvssBaseScore\":\"9.3\",\"cvssTemporalScore\":\"7.7\",\"vulnerabilityTitle\":\"Microsoft Windows Remote Desktop Protocol Remote Code Execution Vulnerability (MS12-020)\",\"vulnerabilityVendor\":\"Qualys\"}","{\"vulnerabilityId\":\"QID-38173\",\"cveIds\":\"\",\"cvssBaseScore\":\"9.4\",\"cvssTemporalScore\":\"6.9\",\"vulnerabilityTitle\":\"SSL Certificate - Signature Verification Failed Vulnerability\",\"vulnerabilityVendor\":\"Qualys\"}","{\"vulnerabilityId\":\"QID-90882\",\"cveIds\":\"\",\"cvssBaseScore\":\"4.7\",\"cvssTemporalScore\":\"4\",\"vulnerabilityTitle\":\"Windows Remote Desktop Protocol Weak Encryption Method Allowed\",\"vulnerabilityVendor\":\"Qualys\"}","{\"vulnerabilityId\":\"QID-90043\",\"cveIds\":\"\",\"cvssBaseScore\":\"7.3\",\"cvssTemporalScore\":\"6.3\",\"vulnerabilityTitle\":\"SMB Signing Disabled or SMB Signing Not Required\",\"vulnerabilityVendor\":\"Qualys\"}","{\"vulnerabilityId\":\"QID-38601\",\"cveIds\":\"CVE-2013-2566,CVE-2015-2808,\",\"cvssBaseScore\":\"4.3\",\"cvssTemporalScore\":\"3.7\",\"vulnerabilityTitle\":\"SSL/TLS use of weak RC4 cipher\",\"vulnerabilityVendor\":\"Qualys\"}"]}]
2016-06-28 19:25:02,127 DEBUG  [pool-311-thread-8][] va.runtime.admin.vaservice.VaServiceMessageListener -:::::- VA: Save to context db, lastscantime: 1467134394000, mac: C0:4A:00:14:8D:4B
2016-06-28 19:25:02,268 DEBUG  [pool-311-thread-8][] va.runtime.admin.vaservice.VaAdminServiceContext -:::::- VA: sending elastic search json to pri-lan
2016-06-28 19:25:02,272 DEBUG  [pool-311-thread-8][] va.runtime.admin.vaservice.VaPanRemotingHandler -:::::- VA: Saved to elastic search: {C0:4A:00:14:8D:4B=[{"vulnerabilityId":"QID-90783","cveIds":"CVE-2012-0002,CVE-2012-0152,","cvssBaseScore":"9.3","cvssTemporalScore":"7.7","vulnerabilityTitle":"Microsoft Windows Remote Desktop Protocol Remote Code Execution Vulnerability (MS12-020)","vulnerabilityVendor":"Qualys"}, {"vulnerabilityId":"QID-38173","cveIds":"","cvssBaseScore":"9.4","cvssTemporalScore":"6.9","vulnerabilityTitle":"SSL Certificate - Signature Verification Failed Vulnerability","vulnerabilityVendor":"Qualys"}, {"vulnerabilityId":"QID-90882","cveIds":"","cvssBaseScore":"4.7","cvssTemporalScore":"4","vulnerabilityTitle":"Windows Remote Desktop Protocol Weak Encryption Method Allowed","vulnerabilityVendor":"Qualys"}, {"vulnerabilityId":"QID-90043","cveIds":"","cvssBaseScore":"7.3","cvssTemporalScore":"6.3","vulnerabilityTitle":"SMB Signing Disabled or SMB Signing Not Required","vulnerabilityVendor":"Qualys"}, {"vulnerabilityId":"QID-38601","cveIds":"CVE-2013-2566,CVE-2015-2808,","cvssBaseScore":"4.3","cvssTemporalScore":"3.7","vulnerabilityTitle":"SSL/TLS use of weak RC4 cipher","vulnerabilityVendor":"Qualys"}]}

Logs to be checked - vaservice.log. You can tail it directly from ISE CLI:

ISE21-3ek/admin# show logging application vaservice.log tail

Vulnerability Assessment Request Submitted to Adapter

2016-06-28 17:07:13,200 DEBUG  [endpointPollerScheduler-3][] cpm.va.service.util.VaServiceUtil -:::::- VA SendSyslog systemMsg : [{"systemMsg":"91019","isAutoInsertSelfAcsInstance":true,"attributes":["TC-NAC.ServiceName","Vulnerability Assessment Service","TC-NAC.Status","VA request submitted to adapter","TC-NAC.Details","VA request submitted to adapter for processing","TC-NAC.MACAddress","C0:4A:00:14:8D:4B","TC-NAC.IpAddress","10.62.148.63","TC-NAC.AdapterInstanceUuid","796440b7-09b5-4f3b-b611-199fb81a4b99","TC-NAC.VendorName","Qualys","TC-NAC.AdapterInstanceName","QUALYS_VA"]}]

AdapterMessageListener checks each 5 minutes the status of the scan, until it is finished.

2016-06-28 17:09:43,459 DEBUG  [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener -:::::- Message from adapter : {"AdapterInstanceName":"QUALYS_VA","AdapterInstanceUid":"a70031d6-6e3b-484a-adb0-627f30248ad0","VendorName":"Qualys","OperationMessageText":"Number of endpoints queued for checking scan results: 1, Number of endpoints queued for scan: 0, Number of endpoints for which the scan is in progress: 0"}
2016-06-28 17:14:43,760 DEBUG  [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener -:::::- Message from adapter : {"AdapterInstanceName":"QUALYS_VA","AdapterInstanceUid":"a70031d6-6e3b-484a-adb0-627f30248ad0","VendorName":"Qualys","OperationMessageText":"Number of endpoints queued for checking scan results: 0, Number of endpoints queued for scan: 0, Number of endpoints for which the scan is in progress: 1"}
2016-06-28 17:19:43,837 DEBUG  [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener -:::::- Message from adapter : {"AdapterInstanceName":"QUALYS_VA","AdapterInstanceUid":"a70031d6-6e3b-484a-adb0-627f30248ad0","VendorName":"Qualys","OperationMessageText":"Number of endpoints queued for checking scan results: 0, Number of endpoints queued for scan: 0, Number of endpoints for which the scan is in progress: 1"}
2016-06-28 17:24:43,867 DEBUG  [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener -:::::- Message from adapter : {"AdapterInstanceName":"QUALYS_VA","AdapterInstanceUid":"a70031d6-6e3b-484a-adb0-627f30248ad0","VendorName":"Qualys","OperationMessageText":"Number of endpoints queued for checking scan results: 0, Number of endpoints queued for scan: 0, Number of endpoints for which the scan is in progress: 1"}

Adapter is gets QID's, CVE's along with the CVSS Scores

2016-06-28 17:24:57,556 DEBUG  [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener -:::::- Message from adapter : {"requestedMacAddress":"C0:4A:00:14:8D:4B","scanStatus":"ASSESSMENT_SUCCESS","lastScanTimeLong":1467134394000,"ipAddress":"10.62.148.63","vulnerabilities":[{"vulnerabilityId":"QID-38173","cveIds":"","cvssBaseScore":"9.4","cvssTemporalScore":"6.9","vulnerabilityTitle":"SSL Certificate - Signature Verification Failed Vulnerability","vulnerabilityVendor":"Qualys"},{"vulnerabilityId":"QID-90043","cveIds":"","cvssBaseScore":"7.3","cvssTemporalScore":"6.3","vulnerabilityTitle":"SMB Signing Disabled or SMB Signing Not Required","vulnerabilityVendor":"Qualys"},{"vulnerabilityId":"QID-90783","cveIds":"CVE-2012-0002,CVE-2012-0152,","cvssBaseScore":"9.3","cvssTemporalScore":"7.7","vulnerabilityTitle":"Microsoft Windows Remote Desktop Protocol Remote Code Execution Vulnerability (MS12-020)","vulnerabilityVendor":"Qualys"},{"vulnerabilityId":"QID-38601","cveIds":"CVE-2013-2566,CVE-2015-2808,","cvssBaseScore":"4.3","cvssTemporalScore":"3.7","vulnerabilityTitle":"SSL/TLS use of weak RC4 cipher","vulnerabilityVendor":"Qualys"},{"vulnerabilityId":"QID-90882","cveIds":"","cvssBaseScore":"4.7","cvssTemporalScore":"4","vulnerabilityTitle":"Windows Remote Desktop Protocol Weak Encryption Method Allowed","vulnerabilityVendor":"Qualys"}]}
2016-06-28 17:25:01,282 INFO   [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener -:::::- Endpoint Details sent to IRF is {"C0:4A:00:14:8D:4B":[{"vulnerability":{"CVSS_Base_Score":9.4,"CVSS_Temporal_Score":7.7},"time-stamp":1467134394000,"title":"Vulnerability","vendor":"Qualys"}]}
2016-06-28 17:25:01,853 DEBUG  [endpointPollerScheduler-2][] cpm.va.service.util.VaServiceUtil -:::::- VA SendSyslog systemMsg : [{"systemMsg":"91019","isAutoInsertSelfAcsInstance":true,"attributes":["TC-NAC.ServiceName","Vulnerability Assessment Service","TC-NAC.Status","VA successfully completed","TC-NAC.Details","VA completed; number of vulnerabilities found: 5","TC-NAC.MACAddress","C0:4A:00:14:8D:4B","TC-NAC.IpAddress","10.62.148.63","TC-NAC.AdapterInstanceUuid","796440b7-09b5-4f3b-b611-199fb81a4b99","TC-NAC.VendorName","Qualys","TC-NAC.AdapterInstanceName","QUALYS_VA"]}]

Typical Issues

Issue 1. ISE gets Vulnerability Report with CVSS_Base_Score of 0.0 and CVSS_Temporal_Score of 0.0, while Qualys Cloud report contains Vulnerabilities detected.

Problem:

While checking the Report from Qualys Cloud you can see detected Vulnerabilities, however on ISE you do not see them.

Debugs seen in vaservice.log:

2016-06-02 08:30:10,323 INFO   [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener -:::::- Endpoint Details sent to IRF is {"C0:4A:00:15:75:C8":[{"vulnerability":{"CVSS_Base_Score":0.0,"CVSS_Temporal_Score":0.0},"time-stamp":1464855905000,"title":"Vulnerability","vendor":"Qualys"}]}

Solution:

The reason for cvss score being zero is either that it has no vulnerabilities or the cvss scoring was not enabled in Qualys Cloud before you configure the adapter through UI. Knowledgebase containing cvss scoring feature enabled is downloaded after the adapter is configured first time. You have to ensure that CVSS Scoring was enabled before, adapter instance was created on ISE. It can be done under Vulnerability Management > Reports > Setup > CVSS > Enable CVSS Scoring

Issue 2. ISE does not get results back from the Qualys Cloud, even though correct Authorization Policy was hit.

Problem:

Corrected Authorization Policy was matched, which should trigger VA Scan. Despite that fact no scan is done.

Debugs seen in vaservice.log:

2016-06-28 16:19:15,401 DEBUG  [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener -:::::- Message from adapter : (Body:'[B@6da5e620(byte[311])'MessageProperties [headers={}, timestamp=null, messageId=null, userId=null, appId=null, clusterId=null, type=null, correlationId=null, replyTo=null, contentType=application/octet-stream, contentEncoding=null, contentLength=0, deliveryMode=PERSISTENT, expiration=null, priority=0, redelivered=false, receivedExchange=irf.topic.va-reports, receivedRoutingKey=, deliveryTag=9830, messageCount=0])
2016-06-28 16:19:15,401 DEBUG  [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener -:::::- Message from adapter : {"requestedMacAddress":"24:77:03:3D:CF:20","scanStatus":"SCAN_ERROR","scanStatusMessage":"Error triggering scan: Error while trigering on-demand scan code and error as follows 1904: none of the specified IPs are eligible for Vulnerability Management scanning.","lastScanTimeLong":0,"ipAddress":"10.201.228.102"}
2016-06-28 16:19:15,771 DEBUG  [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener -:::::- Adapter scan result failed for Macaddress:24:77:03:3D:CF:20, IP Address(DB): 10.201.228.102, setting status to failed
2016-06-28 16:19:16,336 DEBUG  [endpointPollerScheduler-2][] cpm.va.service.util.VaServiceUtil -:::::- VA SendSyslog systemMsg : [{"systemMsg":"91008","isAutoInsertSelfAcsInstance":true,"attributes":["TC-NAC.ServiceName","Vulnerability Assessment Service","TC-NAC.Status","VA Failure","TC-NAC.Details","Error triggering scan: Error while trigering on-demand scan code and error as follows 1904: none of the specified IPs are eligible for Vulnerability Management scanning.","TC-NAC.MACAddress","24:77:03:3D:CF:20","TC-NAC.IpAddress","10.201.228.102","TC-NAC.AdapterInstanceUuid","796440b7-09b5-4f3b-b611-199fb81a4b99","TC-NAC.VendorName","Qualys","TC-NAC.AdapterInstanceName","QUALYS_VA"]}]

Solution:

Qualys Cloud indicates that ip address of the endpoint is not eligible for the Scanning, please ensure you have added ip address of the endpoint to Vulnerability Management > Assets > Host Assets > New > IP Tracked Hosts

References

Revision History

Revision Publish Date Comments
1.0
29-Jun-2016
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Eugene Korneychuk
    Cisco TAC Engineer

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products