
How to configure subnet scan to profile static devices, and how does it work?

Introduction:

A network subnet scan discovers the IP addresses of devices in the network. The devices discovered this way are then probed with SNMP to fingerprint and classify (profile) them.

 

Environment:

Subnet scan was introduced in CPPM 5.2.

Configuration Steps:

How to configure:

Go to Configuration >> Profile Settings and add the subnets to scan.

[Screen capture: Configuration >> Profile Settings, subnets to scan]

The subnet scan interval can be configured under Administration >> Server Manager >> Server Configuration >> Cluster-Wide Parameters.

[Screen capture: Cluster-Wide Parameters, subnet scan interval]

Note: Subnets to scan are configured per CPPM zone. This is particularly useful in geographically distributed deployments. In such deployments it is recommended that you assign the CPPM nodes in a cluster to multiple Zones (from Administration >> Server Configuration >> Manage Policy Manager Zones) according to the geographical area served by each node, and enable Profile on at least one node per zone.

Answer:

How subnet scan works:

After you configure the subnet scan, ClearPass pings every address in the subnet (the available IP pool). The screen capture below confirms that the ClearPass server (10.17.164.13) is pinging the addresses in the subnet 10.17.169.0.

[Screen capture: ICMP echo requests from ClearPass 10.17.164.13 to the 10.17.169.0 subnet]

Once a device answers the ICMP echo request, ClearPass sends it an SNMP get-request for the SNMP System Description and Device Name objects (OID / Fingerprint). Devices that return an SNMP get-response are profiled from the details in that response.

The packet captures below show how ClearPass profiled the Aruba Controller (10.17.169.10) via subnet scan.

[Packet capture: subnet scan traffic between ClearPass 10.17.164.13 and the Aruba Controller 10.17.169.10]

SNMP get-request from ClearPass to Controller.

[Packet capture: SNMP get-request from ClearPass to Controller]

SNMP get-response from Controller to ClearPass.

[Packet capture: SNMP get-response from Controller to ClearPass]

Profiled devices can be found under Monitoring >> Live Monitoring >> Endpoint Profiler and under Configuration >> Identity >> Endpoints.

[Screen capture: Endpoints list showing the profiled devices]

Notes:

Configured subnets must be reachable from ClearPass.
ClearPass uses the default SNMP community string "public".
UDP port 161 (SNMP) must be allowed between ClearPass and the devices.
If any devices are profiled with Device Category, OS Family or Name shown as Unknown, collect the device fingerprint from ClearPass and open a TAC ticket to have the fingerprint added to the existing dictionary. The fingerprint can be collected from Endpoints >> click the MAC address >> Show Fingerprint.
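The following Python is an added example, not ClearPass or Aruba code. It reproduces the SNMP half of the exchange shown in the captures above (the ping sweep is not reproduced): the SNMPv2c get-request ClearPass sends for the System Description and Device Name with community "public", and the get-response the device returns, which is what the profiler turns into a fingerprint. It assumes those two fields are the standard MIB-II objects sysDescr.0 (1.3.6.1.2.1.1.1.0) and sysName.0 (1.3.6.1.2.1.1.5.0); the page names the fields, not the OIDs. offline_exchange() builds and parses a constructed request/response pair with made-up strings, and snmp_get() sends the same request to a host over UDP/161, which is a quick way to confirm the reachability, community string and port requirements in the notes from the ClearPass side of the network before collecting a fingerprint for TAC.

```python
# Added example (not ClearPass or Aruba code): minimal SNMPv2c GetRequest/GetResponse encoder
# and decoder for the two objects the profiler asks for. The OIDs are assumed to be the standard
# MIB-II sysDescr.0 and sysName.0; every sample value below is constructed.
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"          # System Description
SYS_NAME = "1.3.6.1.2.1.1.5.0"           # Device Name
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2   # PDU tags of the two captured packets

def _len(n):  # BER length: one byte below 128, else 0x8N followed by N length bytes
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + _len(len(payload)) + payload

def enc_int(v):  # ASN.1 INTEGER, minimal two's complement (+8 keeps a sign bit)
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def enc_oid(dotted):  # first two arcs packed as 40*a+b, the rest base-128 big-endian
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def build_message(pdu_type, community, request_id, varbinds):
    """SNMPv2c message; varbinds is {oid: None} for a request, {oid: str} for a response."""
    vbl = b"".join(tlv(0x30, enc_oid(o) + (tlv(0x05, b"") if v is None else tlv(0x04, v.encode())))
                   for o, v in varbinds.items())
    pdu = tlv(pdu_type, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, vbl))
    return tlv(0x30, enc_int(1) + tlv(0x04, community.encode()) + pdu)  # version 1 == v2c

def _read(buf, pos):  # decode one TLV at pos -> (tag, payload, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _dec_oid(p):
    arcs, val = [p[0] // 40, p[0] % 40], 0
    for b in p[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_message(msg):
    """-> (community, pdu_type, request_id, error_status, {oid: str | int | None})."""
    _, body, _ = _read(msg, 0)
    _, _version, pos = _read(body, 0)
    _, community, pos = _read(body, pos)
    pdu_type, pdu, _ = _read(body, pos)
    _, rid, pos = _read(pdu, 0)
    _, err, pos = _read(pdu, pos)
    _, _index, pos = _read(pdu, pos)
    _, vbl, _ = _read(pdu, pos)
    varbinds, pos = {}, 0
    while pos < len(vbl):
        _, vb, pos = _read(vbl, pos)
        _, oid, p = _read(vb, 0)
        vtag, val, _ = _read(vb, p)
        varbinds[_dec_oid(oid)] = (val.decode(errors="replace") if vtag == 0x04 else
                                   int.from_bytes(val, "big", signed=True) if vtag == 0x02 else None)
    return (community.decode(), pdu_type, int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), varbinds)

def fingerprint_from_response(response, expected_request_id):
    """The two fields the profiler keeps, or None if the reply does not match the request."""
    _, pdu_type, rid, err, vbs = parse_message(response)
    if pdu_type != GET_RESPONSE or rid != expected_request_id or err != 0:
        return None
    return {"sysDescr": vbs.get(SYS_DESCR), "sysName": vbs.get(SYS_NAME)}

def snmp_get(host, community="public", timeout=2.0, request_id=1):
    """Live check of the notes' requirements: the same get-request over UDP/161 from a host that
    sits where ClearPass does. None means nothing answered (host down, SNMP disabled, wrong
    community, or UDP/161 filtered)."""
    req = build_message(GET_REQUEST, community, request_id, {SYS_DESCR: None, SYS_NAME: None})
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (host, 161))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return fingerprint_from_response(data, request_id)

def offline_exchange():
    """Constructed request/response pair, no network, with made-up sysDescr/sysName strings."""
    req = build_message(GET_REQUEST, "public", 4242, {SYS_DESCR: None, SYS_NAME: None})
    community, pdu_type, rid, _, asked = parse_message(req)
    assert pdu_type == GET_REQUEST and list(asked) == [SYS_DESCR, SYS_NAME]
    resp = build_message(GET_RESPONSE, community, rid,
                         {SYS_DESCR: "SampleOS 1.0 L3 switch (constructed)", SYS_NAME: "lab-sw-01"})
    return len(req), fingerprint_from_response(resp, 4242)

if __name__ == "__main__":
    print(offline_exchange())
```

The 55-byte request that offline_exchange() builds is the same shape as the get-request in the capture: version, community "public", then a GetRequest PDU whose two varbinds carry Null values for the device to fill in. A get-response whose request-id does not match, or whose error-status is non-zero, is rejected by fingerprint_from_response(), which is the same reason the profiler only records devices that actually answer.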

Version History
Revision #: 1 of 1
Last update: 11-09-2014 11:18 AM