Network subnet scan is used to discover IP addresses of devices in the network. The devices discovered this way are further probed using SNMP to fingerprint and classify/profile the devices.
Subnet Scan was introduced from CPPM 5.2
Configuration Steps :
How to configure,
Go to Configuration >> Profile Settings >> Add the Subnets to scan.
Subnet scan interval can be configured under Administration >> Server Manager >> Server Configuration >> Cluster-Wide Parameters.
Note: Subnets to scan are configured per CPPM Zone. This is particularly useful in deployments that are geographically distributed. In such deployments, it is recommended that you assign the CPPM nodes in a cluster to multiple “Zones” (from Administration -> Server Configuration -> Manage Policy Manager Zones) depending on the geographical area served by that node, and enable Profile on atleast one node per zone.
How Subnet scan works,
After you configure the Subnet scan, ClearPass will try to ping the devices(available ip pool) in the subnet. The below screen capture confirms that ClearPass server(10.17.164.13) is trying to ping the devices in the subnet 10.17.169.0.
Once received ICMP response from the devices, ClearPass will send out a SNMP get-request to fetch the SNMP System Description and Device Name (OID//Fingerprint). Devices getting back with SNMP get-response will be profiled with the submitted details.
The below packets capture will explain, how ClearPass profiled the Aruba Controller(10.17.169.10) via Subnet scan.
SNMP get-request from ClearPass to Controller.
SNMP get-response from Controller to ClearPass.
Profiled devices can be found under Monitoring >> Live monitoring >> Endpoint Profiler & Configuration >> Identity >> Endpoints.
Configured subnets should be reachable by ClearPass.
ClearPass uses default SNMP community string "public"
UDP port (SNMP) 161 should be allowed between ClearPass and the devices.
If you see any devices get profiled with Device Category/OS Family/Name as Unknown, please collect the devices fingerprints from ClearPass and open up a TAC ticket to get the fingerprint added to the existing dictionary. Fingerprint can be collected from Endpoint >> click on the MAC address >> Show Fingerprint.