Security

Contributor I
Posts: 31
Registered: ‎02-18-2015

Is there a way for discovering TACACS devices by subnet and dynamically grouping by device types?

I am planning on replacing ACS with ClearPass for TACACS+ services... All of my network switches are located behind a common management IP subnet. I would really like to be able to just discover all my network devices by IP range, but we have a mixed vendor environment, which means I need to be able to apply different command sets for each vendor. I know that is possible via device groups, but it looks like I need to manually add each device to ClearPass in order to group them into 2 buckets (vendor A & B).

 

Does anyone know if it's possible to auto discover the vendor/device type when doing a discovery by IP range? Or is there a way to get that information from the incoming TACACS requests? I checked Access Tracker during my testing, but I don't see any info on the device type for the incoming requests.

 

Any guidance is greatly appreciated!

Guru Elite
Posts: 8,337
Registered: ‎09-08-2010

Re: Is there a way for discovering TACACS devices by subnet and dynamically grouping by device types

If you're running ClearPass 6.6, you can leverage the new Network Discovery feature.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 31
Registered: ‎02-18-2015

Re: Is there a way for discovering TACACS devices by subnet and dynamically grouping by device types

Oh ok... I am not too familiar with the new features in 6.6 since my box is still running 6.5. Thanks for pointing me in the right direction. I see now from the release notes that it's based on an SNMP scan of a seed device, which is cool, and I am assuming the captured SNMP information is then converted into computed attributes for server filtering or enforcement policies...

 

Can you expand a bit on the seed network device? Does that mean I only need to discover 1 device from each type of vendor? Or does that still mean I need to add everything in my network inventory and each unit is a seed for SNMP info?

 

Only thing is that I am not sure about having "yet another snmp tool" scanning our environment.  I will need to play with this feature more once I upgrade.  

 

 
