AAA, NAC, Guest Access & BYOD

How do I configure a subnet scan to profile static devices, and how does it work?

Introduction:

A network subnet scan discovers the IP addresses of devices on a network. Devices discovered this way are then probed over SNMP to fingerprint and classify (profile) them.

 

Environment:

Subnet scan was introduced in CPPM 5.2.

 

Configuration Steps:

Go to Configuration >> Profile Settings and add the subnets to scan.

The subnet scan interval is configured under Administration >> Server Manager >> Server Configuration >> Cluster-Wide Parameters.

Note: Subnets to scan are configured per CPPM zone. This is particularly useful in geographically distributed deployments. In such deployments, it is recommended that you assign the CPPM nodes in the cluster to multiple zones (Administration >> Server Configuration >> Manage Policy Manager Zones) according to the geographical area each node serves, and enable Profile on at least one node per zone.

 

Answer:

How the subnet scan works

After you configure the subnet scan, ClearPass pings every address in the configured subnet (the available IP pool). The screen capture below confirms that the ClearPass server (10.17.164.13) is pinging the devices in subnet 10.17.169.0.


Once a device answers the ICMP echo, ClearPass sends it an SNMP get-request for the SNMP system description and device name (the OIDs used as the fingerprint). Devices that answer with an SNMP get-response are profiled from the returned details.

The packet captures below show how ClearPass profiled the Aruba controller (10.17.169.10) via the subnet scan.

SNMP get-request from ClearPass to the controller.

SNMP get-response from the controller to ClearPass.

Profiled devices can be found under Monitoring >> Live Monitoring >> Endpoint Profiler, and under Configuration >> Identity >> Endpoints.

 

 

Notes:

The configured subnets must be reachable from ClearPass.
ClearPass uses the default SNMP community string "public".
UDP port 161 (SNMP) must be allowed between ClearPass and the devices.
If any device is profiled with Device Category, OS Family or Name shown as Unknown, collect the device's fingerprint from ClearPass and open a TAC ticket to have the fingerprint added to the existing dictionary. The fingerprint can be collected from Endpoints >> click the MAC address >> Show Fingerprint.
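The get-request/get-response exchange shown in the captures above, and the prerequisites listed in these notes, as an added example that is not part of the original article and is not ClearPass code: a small pure-Python BER encoder/decoder for the SNMPv2c get-request for sysDescr.0 (1.3.6.1.2.1.1.1.0) and sysName.0 (1.3.6.1.2.1.1.5.0), the device's get-response, and a profiler-style check that accepts only a get-response whose request-id matches the request and whose error-status is zero. The ping phase is not modelled. The OIDs are the standard MIB-II ones and are an assumption about which objects the article's "System Description" and "Device Name" correspond to; the sample response values are constructed, not taken from a real controller. Decoding the request also shows why the community string matters: it travels in cleartext, which is the reason to replace the default "public" once the product allows it.

```python
# Standard MIB-II OIDs, assumed to be the "System Description" and "Device Name"
# the article refers to; PDU tags and the version value are from the SNMPv2c spec.
OID_SYS_DESCR = "1.3.6.1.2.1.1.1.0"
OID_SYS_NAME = "1.3.6.1.2.1.1.5.0"
PDU_GET_REQUEST, PDU_GET_RESPONSE, SNMP_V2C = 0xA0, 0xA2, 1

def _length(n):  # BER length: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _length(len(payload)) + payload

def _integer(value):
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))

def _oid(dotted):  # first two arcs packed into one byte, the rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_message(community, pdu_tag, request_id, varbinds):  # varbinds: (OID, value TLV)
    vb_list = b"".join(_tlv(0x30, _oid(oid) + value) for oid, value in varbinds)
    pdu = _tlv(pdu_tag, _integer(request_id) + _integer(0) + _integer(0) + _tlv(0x30, vb_list))
    return _tlv(0x30, _integer(SNMP_V2C) + _tlv(0x04, community.encode()) + pdu)

def build_get_request(community, request_id):  # scanner side: NULL placeholders
    null = _tlv(0x05, b"")
    return build_message(community, PDU_GET_REQUEST, request_id,
                         [(OID_SYS_DESCR, null), (OID_SYS_NAME, null)])

def _read_tlv(buf, pos):  # returns (tag, payload, position after the TLV)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(payload):
    arcs, cur = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)

def _decode_value(tag, payload):  # INTEGER, OCTET STRING, NULL; other types left raw
    if tag == 0x02:
        return int.from_bytes(payload, "big", signed=True)
    if tag == 0x04:
        return payload.decode("utf-8", "replace")
    return None if tag == 0x05 else payload

def parse_message(buf):  # decode either side of the exchange into a plain dict
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)  # the community string is plaintext on the wire
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    _, request_id, pos = _read_tlv(pdu, 0)
    _, error_status, pos = _read_tlv(pdu, pos)
    _, _error_index, pos = _read_tlv(pdu, pos)
    _, vb_list, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vb_list):
        _, vb, pos = _read_tlv(vb_list, pos)
        _, oid, vpos = _read_tlv(vb, 0)
        vtag, value, _ = _read_tlv(vb, vpos)
        varbinds.append((_decode_oid(oid), _decode_value(vtag, value)))
    return {"community": community.decode("utf-8", "replace"), "pdu_type": pdu_tag,
            "request_id": int.from_bytes(request_id, "big", signed=True),
            "error_status": int.from_bytes(error_status, "big", signed=True),
            "varbinds": varbinds}

def profile_from_response(request, response):  # only a matching, error-free get-response counts
    req, resp = parse_message(request), parse_message(response)
    if resp["pdu_type"] != PDU_GET_RESPONSE or resp["request_id"] != req["request_id"]:
        return None
    values = dict(resp["varbinds"])
    if resp["error_status"] != 0 or OID_SYS_DESCR not in values or OID_SYS_NAME not in values:
        return None
    return {"sysDescr": values[OID_SYS_DESCR], "sysName": values[OID_SYS_NAME]}

# Constructed sample exchange; the response strings are illustrative, not from a real controller.
SAMPLE_REQUEST = build_get_request("public", 42)
SAMPLE_RESPONSE = build_message("public", PDU_GET_RESPONSE, 42, [
    (OID_SYS_DESCR, _tlv(0x04, b"ArubaOS (MODEL: sample-controller), Version x.y.z")),
    (OID_SYS_NAME, _tlv(0x04, b"sample-controller"))])
```

`SAMPLE_REQUEST.hex()` gives the bytes you can compare against the get-request in a capture, and `profile_from_response(SAMPLE_REQUEST, SAMPLE_RESPONSE)` returns the two fields the profiler submits. A device that never answers on UDP/161, or that is configured with a different community string than the one sent, produces no get-response at all, so nothing ever reaches `profile_from_response`; that is the silent "no endpoint added" outcome the notes and the comments below describe.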

Last update: 11-09-2014 11:18 AM

Comments
sagi.bar-or@sinopoia.co.il

Anand

Thank you for the great explanation. Seems like there is no ARP-only discovery. That is, if SNMP is not enabled on endpoints (I believe it is not by default), then the subnet scan will not find clients in the subnet and add their MAC address while the rest is unknown. Is that correct?

I tried it. When I run the subnet scan no new device is added to the endpoint db (and there are quite a lot).

To verify that, I installed the SNMP service on a windows device on the specific subnet, with custom community, and added this SNMP profile to the list in CPPM. Still, no device was added to the endpoint DB. Am I missing something fundamental, or indeed the subnet scan is not so effective to find devices?

Thank you

Sagi

 

Hi Sagi,

The SNMP-based subnet scan is a generic scan; it will not be able to populate the endpoint if:

1: SNMP string is incorrect

2: Device does not respond to SNMP.

 

We have an option on 6.6.x to change the default SNMP string to a custom one; we can set it under Configuration - Profile Settings.

However, as mentioned above, this will only work for devices which respond to the SNMP poll from CPPM.

 

If the use case is to update all static device hosts terminating on a given switch, we just need to add the SNMP details of that switch under Configuration - Network - Devices.

CPPM would then try to update endpoints based on ARP table entries along with CDP/LLDP, whichever the switch supports.

Regards,

Quamruz.
