Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Device Insight - Discovery Scan

  • 1.  Clearpass Device Insight - Discovery Scan

    Posted Nov 03, 2020 06:00 PM
    I'm trying to run a discovery scan using a seed router.  I have added the SNMP and SSH augmentation and it fails. The collector is on a different subnet from the seed router, but I can ping it. The documentation is pretty light when it comes to troubleshooting. It looks like the firewall is blocking a connection as well. Is there a list of ports or web sites that need to be opened for CDI? The only one I did open is for Central.



    ------------------------------
    Steve
    ------------------------------


  • 2.  RE: Clearpass Device Insight - Discovery Scan

    EMPLOYEE
    Posted Nov 04, 2020 06:51 AM
    I'm pretty sure that I have seen that information, but asked our product team where it is supposed to reside at the moment. It should be in the product documentation.

    To get you started, SNMP is port 161/udp and SSH is port 22/tcp both from the collector to your switches and client devices.

    Further for WMI, that uses dynamic ports so you basically need to open all traffic from the collector to your Windows clients that you want to scan.
    The nmap scans do a lot of ports, which are configurable, but in general, having all ports allowed from the collectors to the to-be-scanned devices is what I see being used.

    For DHCP ip-helper, you need to open port 67/udp from your switches/routers to the collector.

    Collector should only need port 443 out to the internet to communicate.

    Do you see in the logs of the routers/switches any information on the SNMP coming in or failing?
    Please note that for SNMPv3 it is important that the collector and your devices (routers/switches) are time-synchronized, preferably via NTP.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
    ------------------------------



  • 3.  RE: Clearpass Device Insight - Discovery Scan

    EMPLOYEE
    Posted Nov 06, 2020 04:10 AM
    I just found the list that I remembered to have seen:

    Network Requirements

    • Static IP address
    • Outbound Internet Access on TCP port 443
    • Optional: Proxy Server

    Network Services (Internal or External)

    • TCP/UDP 53 (DNS)
    • UDP 123 (NTP)

    Recommended access to network devices

    • SNMP (V1 through 3, but 3 is preferred)

    Recommended access to endpoints

    • TCP, UDP, ICMP - For nmap profiling and WMI profiling
    • TCP:22 - For SSH scans
    • UDP:161 - for SNMP scans


    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
    ------------------------------
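    The port lists in this reply and the previous one translate directly into a pre-flight check that can be run from the collector's subnet before a discovery scan. The script below is an added example written for this thread; it is not ClearPass Device Insight code and not from Aruba. It encodes the flows named above as a table, tests TCP ports with a plain connect, sends a hand-built SNMPv2c GetRequest for sysDescr.0 to confirm UDP 161 actually answers (a successful ping says nothing about that), and measures clock offset against an NTP server because SNMPv3 rejects managers whose time differs from the agent's by more than 150 seconds (RFC 3414). The seed router address 192.0.2.1, the community string "public" and the NTP server name are placeholders; replace them with your own.

```python
"""Pre-flight check for a CDI collector: are the required ports reachable,
does the seed device answer SNMP, and is the clock skew small enough for
SNMPv3?  Added example, not Aruba code."""
import socket
import struct
import time
from typing import Optional

# Flows named in the thread, seen from the collector: (direction, proto, port, purpose).
REQUIRED_FLOWS = [
    ("collector->internet", "tcp", 443, "cloud service / Central"),
    ("collector->dns", "tcp+udp", 53, "DNS"),
    ("collector->ntp", "udp", 123, "NTP (needed for the SNMPv3 time window)"),
    ("collector->netdev", "udp", 161, "SNMP discovery / augmentation"),
    ("collector->endpoint", "tcp", 22, "SSH scans"),
    ("collector->endpoint", "udp", 161, "SNMP scans"),
    ("netdev->collector", "udp", 67, "DHCP ip-helper relay"),
]

SNMPV3_TIME_WINDOW_S = 150  # RFC 3414: agent and manager clocks must agree within 150 s

# --- minimal BER encoder, just enough for an SNMPv2c GetRequest ---
def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v: int) -> bytes:
    # Non-negative INTEGER only; a leading 0x00 keeps the sign bit clear.
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return ber_tlv(0x02, body)

def _base128(n: int) -> bytes:
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))

def ber_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return ber_tlv(0x06, body)

def snmp_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    varbind = ber_tlv(0x30, ber_oid(oid) + b"\x05\x00")            # { oid, NULL }
    pdu = ber_tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)
                  + ber_tlv(0x30, varbind))                          # GetRequest-PDU
    return ber_tlv(0x30, ber_int(1) + ber_tlv(0x04, community.encode()) + pdu)  # version 1 == v2c

def snmp_reply_ok(data: bytes) -> bool:
    # A reply is a SEQUENCE carrying a GetResponse-PDU (context tag 0xA2).
    return len(data) > 2 and data[0] == 0x30 and b"\xa2" in data

# --- live probes (network I/O) ---
def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def snmp_probe(host: str, community: str = "public", timeout: float = 3.0) -> bool:
    req = snmp_get_request(community, "1.3.6.1.2.1.1.1.0")  # sysDescr.0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(req, (host, 161))
            data, _ = s.recvfrom(4096)
        except OSError:
            return False
    return snmp_reply_ok(data)

def ntp_offset_seconds(host: str, timeout: float = 3.0) -> Optional[float]:
    pkt = b"\x1b" + 47 * b"\x00"  # LI=0, VN=3, mode 3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(pkt, (host, 123))
            data, _ = s.recvfrom(48)
        except OSError:
            return None
    local = time.time()
    secs, frac = struct.unpack("!II", data[40:48])  # server transmit timestamp
    server = secs - 2208988800 + frac / 2**32        # NTP epoch (1900) -> Unix epoch
    return server - local

def snmpv3_clock_ok(offset_s: float) -> bool:
    return abs(offset_s) <= SNMPV3_TIME_WINDOW_S

if __name__ == "__main__":
    seed = "192.0.2.1"  # placeholder seed router, replace with yours
    for direction, proto, port, purpose in REQUIRED_FLOWS:
        print(f"{direction:22} {proto:8} {port:4}  {purpose}")
    print("ssh 22/tcp to seed:", tcp_open(seed, 22))
    print("snmp 161/udp to seed answers:", snmp_probe(seed, "public"))
    off = ntp_offset_seconds("pool.ntp.org")  # placeholder NTP server
    print("clock offset:", off, "snmpv3 ok:", off is not None and snmpv3_clock_ok(off))
```

    A failed `tcp_open` on 22 or a silent `snmp_probe` points at the firewall or the device's SNMP configuration rather than at the collector; an offset outside the 150 s window explains SNMPv3 failures that show up even when UDP 161 is reachable. The WMI and nmap flows are deliberately not probed here, since the replies above note they use dynamic and configurable port ranges.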



  • 4.  RE: Clearpass Device Insight - Discovery Scan

    Posted Nov 11, 2020 04:19 AM
    I have exactly the same problem. Anyone got a suggestion? This is quite a common issue, please suggest me if you find any solution for it AESsuccess

    ------------------------------
    Loomis Loomis
    ------------------------------



  • 5.  RE: Clearpass Device Insight - Discovery Scan

    EMPLOYEE
    Posted Nov 11, 2020 07:56 AM
    If you are sure there is no traffic blocked, and the logs from your switch don't indicate what is happening, please work with Aruba TAC. They can have a deeper look at what is going on.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
    ------------------------------



  • 6.  RE: Clearpass Device Insight - Discovery Scan

    EMPLOYEE
    Posted Nov 13, 2020 03:31 PM

    Issue reported by @scromie was resolved after correcting the SNMP configuration on the seed device which was an Aruba 5406R switch.

    @Loomis67 are you still facing the same issue? If so, please open a support ticket as indicated by Herman so we can assist you in addressing your issue.


    ------------------------------
    Rajesh Ramireddy
    ------------------------------



  • 7.  RE: Clearpass Device Insight - Discovery Scan

    Posted Nov 13, 2020 04:00 PM
    Thanks for the reply, Herman. We did discover some inconsistencies with the configuration on some of the NADs. The customer uses SNMPv3 and the configuration had to be tweaked a little for it to work with the collectors. For example, in the SNMP config, the customer had it configured with "snmpv3 only", and the collector doesn't seem to like that, so we had to remove it from the config. Also, once we were sure we had the SNMP issue worked out, we actually had to remove and re-add all the NADs for it to actually work with them.

    ------------------------------
    Steve
    ------------------------------