How to auto-discover NAS (RADIUS clients) in the network from CPPM?
With ClearPass 6.6.0, we can use the 'Network Discovery' feature to discover various NAS devices on the network. After their shared secrets are updated, they can then be imported as RADIUS clients into CPPM.
1. Log in to ClearPass as an Administrator.
2. Navigate to Monitoring >> Profiler and Discovery >> Network Discovery.
3. Click Start Network Discovery Scan to initiate the (SNMP) scan to auto-discover NAS devices.
4. By default, the scan depth is 3. If required, we can change it to 5. Scan depth indicates how many levels of the network we need to scan.
5. Seed devices are where the scan starts for each network, usually at depth 1. The next-level device is at depth 2, and so on.
In the lab setup, we have connected an Aruba Controller (x.x.x.175/27) and a Cisco switch (x.x.x.180/27) to an Aruba switch (x.x.x.176/27) acting as the seed device.
1. Click Start to initiate the scan.
The status will change from 'Scheduled' to 'In Progress', and when the scan is completed, the status shows as 'Completed'.
It has discovered two NAS devices and around 8 endpoints connected to those switches.
2. Navigate to Monitoring >> Profiler and Discovery >> Discovered Devices to check the new NAS devices that ClearPass found after this SNMP Scan.
3. We would be able to see the below two devices with the Status 'New'.
4. Select the devices that you want to import as RADIUS/TACACS clients and click Import to input the RADIUS/TACACS shared secret.
5. After import, navigate to Configuration >> Network >> Devices to see them imported successfully.
6. Devices, once imported, cannot be imported again. Only devices with the status New / Ignored can be imported. Even if you re-scan, the device status will not change to 'New'.
7. The seed device community string should be configured under Configuration >> Profile Settings >> SNMP configuration.
- ClearPass will use 'public' as the community string if no configuration exists in the above location.
- A conflict in the community string will result in an SNMP Get failure, and an error message as shown below will be logged in the Event Viewer.