  • 1.  Profiling devices with Static IP in clear pass

    Posted Mar 02, 2020 01:04 AM

    Hi,

     

    I need some help. Kindly advise me here. We have ClearPass implemented for wired LAN. All the end-user machines and laptops get their IP from DHCP. Hence, ClearPass is able to identify all the device details and OS version. There are some devices, such as printers and scanners, that have static IPs (we use the MAB method of authentication). ClearPass is unable to profile them automatically. All it does is give the MAC vendor of the static-IP device.

     

    1. Please let me know if there is a possibility to limit the SNMP scan to certain Ethernet ports on a switch where those static-IP devices are connected.

     

    2. I was reading about NMAP in ClearPass. Could this really help in profiling the static-IP devices? Will it be resource intensive, and must it be enabled only during off-business hours?

     

    3. Is there any way to get the static-IP devices profiled without SNMP/NMAP, just like the way Cisco ISE does? From the MAC identifier, ISE can mention the vendor and also the type of device.

     

    Since our deployment covers hundreds of switches per site, we are looking for a feasible and easy method to get the static-IP devices profiled.



  • 2.  RE: Profiling devices with Static IP in clear pass

    Posted Mar 02, 2020 07:03 AM

    Hi, 

     

    For static IP scenarios, can you use DHCP binding, so that printers and scanners get the same IP address every time but go through the DHCP process as well?



  • 3.  RE: Profiling devices with Static IP in clear pass

    Posted Mar 02, 2020 08:18 AM

    You can define Context Servers to initiate a specific scan - such as SNMP, SSH, WMI or NMAP or a combination of these... This scan can be defined as a Profile - hence when a particular device you can initiate the appropriate scan in response - but this is reliant on ClearPass knowing the device's IP address in a timely fashion.

    Have a look at the attached and see if it helps.

    Attachment(s): Proactive WMI Scan.docx (770 KB, 1 version)