I'm pretty sure that I have seen that information, but asked our product team where it is supposed to reside at the moment. It should be in the product documentation.
To get you started, SNMP is port 161/udp and SSH is port 22/tcp both from the collector to your switches and client devices.
Further for WMI, that uses dynamic ports so you basically need to open all traffic from the collector to your Windows clients that you want to scan.
The nmap scans do a lot of ports, which are configurable, but in general, having all ports allowed from the collectors to the to-be-scanned devices is what I see being used.
For DHCP ip-helper, you need to open port 67/udp from your switches/routers to the collector.
Collector should only need port 443 out to the internet to communicate.
Do you see in the logs of the routers/switches any information on the SNMP coming in or failing?
Please note that for SNMPv3 it is important that the collector and your devices (routers/switches) are time-synchronized, preferably via NTP.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
------------------------------
Original Message:
Sent: Nov 03, 2020 05:59 PM
From: Steve Cromie
Subject: Clearpass Device Insight - Discovery Scan
I'm trying to run a discovery scan using a seed router. I have added the SNMP and SSH augmentation and it fails. The collector is on a different subnet than the seed router but I can ping it. The documentation is pretty light when it comes to troubleshooting. It looks like the firewall is blocking a connection as well. Is there a list of ports or web sites that need to be opened for CDI? The only one I did open is for Central.
------------------------------
Steve
------------------------------
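One way to check a firewall policy against the flows listed in the reply above, as an added example that is not part of the original thread and not Aruba tooling. The addresses (documentation ranges), the rule format and the sample high port standing in for WMI's dynamic ports are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses from documentation ranges; not taken from the thread.
COLLECTOR, SWITCH = "192.0.2.10", "198.51.100.1"
WINDOWS_CLIENT, CLOUD = "198.51.100.50", "203.0.113.5"

# Flows named in the reply: (label, source, destination, protocol, port).
REQUIRED_FLOWS = [
    ("SNMP", COLLECTOR, SWITCH, "udp", 161),
    ("SSH", COLLECTOR, SWITCH, "tcp", 22),
    ("WMI (dynamic port sample)", COLLECTOR, WINDOWS_CLIENT, "tcp", 49152),
    ("DHCP ip-helper", SWITCH, COLLECTOR, "udp", 67),
    ("Collector outbound", COLLECTOR, CLOUD, "tcp", 443),
]

@dataclass
class Rule:  # hypothetical rule format for this example
    action: str                    # "allow" or "deny"
    src: str                       # source CIDR
    dst: str                       # destination CIDR
    proto: str                     # "tcp", "udp" or "any"
    ports: Optional[range] = None  # None means any port

def decide(rules, src, dst, proto, port):
    """First-match evaluation with an implicit default deny."""
    for r in rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(r.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst)
                and r.proto in ("any", proto)
                and (r.ports is None or port in r.ports)):
            return r.action
    return "deny"

def blocked_flows(rules):
    """Labels of required flows that the policy does not allow."""
    return [label for label, s, d, p, port in REQUIRED_FLOWS
            if decide(rules, s, d, p, port) != "allow"]

# Constructed policy resembling the question: only outbound 443 is open.
ONLY_443 = [Rule("allow", "192.0.2.10/32", "0.0.0.0/0", "tcp", range(443, 444))]

# Constructed policy covering the reply's flows, scoped to the collector's address.
SCOPED = [
    Rule("allow", "192.0.2.10/32", "198.51.100.0/24", "any"),  # scans, SNMP, SSH, WMI
    Rule("allow", "198.51.100.1/32", "192.0.2.10/32", "udp", range(67, 68)),
    Rule("allow", "192.0.2.10/32", "0.0.0.0/0", "tcp", range(443, 444)),
]

if __name__ == "__main__":
    print("only 443 open:", blocked_flows(ONLY_443))
    print("scoped policy:", blocked_flows(SCOPED))
```

Because the broad allow rule is pinned to the collector's /32 as source, traffic initiated from the scanned subnet toward the collector stays denied except for the DHCP relay on 67/udp.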