Problem statement:
There are several ways to profile devices that have a static IP. The most efficient is to use ARP data, because only real, connected devices get probed. The alternatives, a network scan or a subnet scan, are much less efficient because they sweep the whole subnet. With a class B subnet, for example, scanning 65,534 addresses is not feasible; even a class C scan takes about an hour.
Clearpass supports using SNMP to ask a NAD for its ARP table. You define the Layer 3 device that knows the required client addresses as a NAD in Clearpass.
However, some network devices do not expose the ARP table via SNMP, for example Palo Alto and Checkpoint firewalls.
My cool workaround for this challenge: Use a windows (or Linux) computer as an ARP proxy:
- Use whatever method works to retrieve the ARP table from the NAD (script, custom tool, etc.)
- Add the ARP table records as static ARP records to the ARP proxy computer
- Add the ARP Proxy computer as NAD to Clearpass.
For example, this is what I did:
- For Palo Alto I retrieve the ARP table using the REST API. This is the Palo Alto supported way to get ARP data.
- For a Checkpoint firewall that uses virtual systems, I use the snmpwalk tool. The ARP table can only be retrieved with a special command line parameter, which Clearpass does not support.
- I use a Windows client as the ARP proxy. A PowerShell script retrieves the ARP table as described above and then adds all ARP entries to the local computer. It runs as a Scheduled Task every 5 minutes.
- Then I add this Windows device as a NAD to Clearpass, with the SNMP read settings.
Note that if the SNMP service is not installed on the Windows computer, you need to add it as a Windows feature. You also need to edit the SNMP service and add the SNMP community in the Security tab, otherwise Clearpass will not be able to read the ARP table from the proxy.
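Here is an added example of the ARP proxy step, not the original poster's script: it parses snmpwalk output of the ARP table (IP-MIB ipNetToMediaPhysAddress, in net-snmp's STRING and Hex-STRING styles) and installs the entries as permanent neighbors on the Windows host, removing entries from the previous run that have since disappeared so stale hosts are not re-profiled. The interface alias, state file path and the sample walk lines are assumptions constructed for illustration.

```powershell
# Added example, not the original poster's script. Parses snmpwalk output of the
# ARP table and installs the entries as permanent neighbors on the ARP-proxy host.
# Assumed: interface alias 'Ethernet', state file path, and the constructed sample.

function ConvertFrom-ArpWalk {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Accept both net-snmp styles: "STRING: 0:1c:7f:aa:bb:cc" and "Hex-STRING: 00 1C 7F AA BB CC"
        if ($line -match 'ipNetToMediaPhysAddress\.\d+\.(\d+\.\d+\.\d+\.\d+)\s*=\s*(?:Hex-)?STRING:\s*(.+)$') {
            $ip  = $Matches[1]
            $raw = $Matches[2].Trim()
            $octets = if ($raw -match ':') { $raw -split ':' } else { $raw -split '\s+' }
            if ($octets.Count -ne 6) { continue }   # skip malformed or incomplete entries
            $mac = ($octets | ForEach-Object { $_.PadLeft(2, '0').ToUpper() }) -join '-'
            [pscustomobject]@{ IPAddress = $ip; LinkLayerAddress = $mac }
        }
    }
}

function Sync-ProxyArp {
    param([object[]]$Entries, [string]$InterfaceAlias, [string]$StateFile)
    $wanted = @{}
    $Entries | ForEach-Object { $wanted[$_.IPAddress] = $_.LinkLayerAddress }
    # Only IPs recorded in $StateFile by a previous run are ever removed, so
    # permanent entries an admin added by hand are left alone.
    if (Test-Path $StateFile) {
        foreach ($old in Get-Content $StateFile) {
            if (-not $wanted.ContainsKey($old)) {
                Remove-NetNeighbor -InterfaceAlias $InterfaceAlias -IPAddress $old -Confirm:$false -ErrorAction SilentlyContinue
            }
        }
    }
    foreach ($ip in $wanted.Keys) {
        # Replace any existing entry so a changed MAC is reflected on the next Clearpass poll
        Remove-NetNeighbor -InterfaceAlias $InterfaceAlias -IPAddress $ip -Confirm:$false -ErrorAction SilentlyContinue
        New-NetNeighbor -InterfaceAlias $InterfaceAlias -IPAddress $ip -LinkLayerAddress $wanted[$ip] -State Permanent | Out-Null
    }
    Set-Content -Path $StateFile -Value $wanted.Keys
}

# Constructed sample walk output; in production feed in the real snmpwalk output instead.
$sample = @(
    'IP-MIB::ipNetToMediaPhysAddress.3.10.0.0.5 = STRING: 0:1c:7f:aa:bb:cc',
    'IP-MIB::ipNetToMediaPhysAddress.3.10.0.0.9 = Hex-STRING: 00 50 56 11 22 33 '
)
$entries = ConvertFrom-ArpWalk -Lines $sample
Sync-ProxyArp -Entries $entries -InterfaceAlias 'Ethernet' -StateFile "$env:ProgramData\arp-proxy.state"
```

Run it from the Scheduled Task with administrator rights, since New-NetNeighbor and Remove-NetNeighbor need them.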
Enjoy
(Sagi - sbaror11@gmail.com)