Security

Occasional Contributor II

Profiling for static IP

Hello,

We have around 80 percent of endpoints connecting via DHCP, and we are using DHCP helper addresses and DHCP profiling. It works well.

However, for devices with static IP addresses, what should we use: SNMP or HTTP? We have an almost 95% Comware 7 switch environment.

Can someone guide me and suggest the most effective method for devices with static IPs?

Can't ClearPass profile on the basis of its dictionary database, based on the MAC address of the endpoint? I am talking specifically about static IP devices.
Occasional Contributor I

Re: Profiling for static IP

Hello,

We have used subnet scanning to profile static IP addresses with SNMP. CPPM uses SNMP port 161 to profile the devices. You can set specific subnets or hosts to scan; you would set it to scan the subnets that all the static IP addresses are in. You also set a read-only SNMP community string so they can be profiled. The scan only runs at set intervals; the default is every 24 hours, but this can be changed.

You could also do a discovery via an ARP-table read. This is where you set CPPM to read the ARP table of L3 devices (such as a router or MC) in your network to discover devices to profile. Again, this uses SNMP read-only.


The CPPM profiling TechNote is a little old but still a good source of information for this (link: https://community.arubanetworks.com/t5/Security/UPDATED-ClearPass-Profiling-TechNote-V1-2/td-p/243541).

I can't comment on the HTTP deployment as I have never implemented it.

Hope that helps,

J

Occasional Contributor II

Re: Profiling for static IP

Thanks a lot.

I will give subnet scan a try.

I have one doubt here. What if the endpoint does not have SNMP configured? In that case the subnet scan, which uses SNMP, fails as the endpoint won't respond to the SNMP query.

Also, can't I use the public SNMP string?

For ARP read, do we need to define the SNMP string when we add the switch? What port number is used by ARP read?
Occasional Contributor I

Re: Profiling for static IP

If the device does not respond to the SNMP probe, CPPM won't be able to update its endpoint. You can use "public" as the community string; it is the default value CPPM will use.

ARP-Read uses SNMP again. CPPM reads the ARP table of L3 devices using an SNMP read-only account. It will read the ARP table and other information on the device, such as CDP/LLDP.

There is a post by 

https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-configure-subnet-scan-to-profile-static-devices-and-how/ta-p/214829

J

Occasional Contributor II

Re: Profiling for static IP

OK, can we skip the subnet scan (it consumes network resources and bandwidth) and simply use ARP read with the public string only?

This way CPPM will query the NAS device on the SNMP port, read the ARP table and do the profiling.

We want to avoid any scan of each endpoint in the subnet.

Let me know your feedback.
Occasional Contributor I

Re: Profiling for static IP

ClearPass would do an ARP-Read on the NAS device, then it would try to profile all the entries from the ARP-Read using an SNMP probe. CPPM would probe any endpoint in the ARP table of the NAS device, so it would still probe all the DHCP devices as well as the static ones.


J
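The two replies from J above describe the mechanics in words: the subnet scan and the ARP-read both talk SNMP (UDP/161) with a read-only community string, and after an ARP-read CPPM probes every address in the table, DHCP clients included, while anything that does not answer the probe stays unprofiled. The following is an added example, not ClearPass code, that makes that concrete. It builds a real SNMPv2c GetRequest for sysDescr.0 byte for byte (BER as specified in RFC 1157 and RFC 3416), parses a GetResponse, and then runs the ARP-read-then-probe loop over a constructed ARP table and a constructed set of SNMP agents. The ARP table, the MAC addresses, the `Printer X` sysDescr string and the subnet `10.10.1.0/24` are all invented for the example; `constructed_probe` stands in for the network round trip.

```python
# Added example, not ClearPass code: SNMPv2c GetRequest/GetResponse bytes (BER per RFC 1157/3416)
# and a dry run of "read the ARP table, then probe every entry". All sample data is constructed.
import ipaddress
SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)  # sysDescr.0, a typical first probe OID

def ber_len(n):
    # Definite BER length: one byte below 128, else 0x80|count followed by the length bytes.
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def encode_int(v):  # minimal-length two's-complement INTEGER
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def encode_oid(oid):
    # First two arcs share one byte; later arcs are base-128 with the high bit set on continuation bytes.
    out = [40 * oid[0] + oid[1]]
    for arc in oid[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_message(pdu_tag, community, oid, value_tlv, request_id=1):
    # Message ::= SEQUENCE { version INTEGER (1 means v2c), community OCTET STRING, PDU }.
    # The community string is cleartext on the wire, so "public" is exactly as secret as it sounds.
    varbinds = tlv(0x30, tlv(0x30, encode_oid(oid) + value_tlv))
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0) + varbinds)
    return tlv(0x30, encode_int(1) + tlv(0x04, community.encode()) + pdu)

def build_get_request(community, oid):  # 0xA0 = GetRequest; the value slot is NULL
    return build_message(0xA0, community, oid, tlv(0x05, b""))

def build_get_response(community, oid, value):  # 0xA2 = GetResponse (constructed agent reply)
    return build_message(0xA2, community, oid, tlv(0x04, value))

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return tuple(arcs)

def parse_get_response(packet):
    """Return (community, error_status, [(oid, value)]) from a v2c GetResponse."""
    _, msg, _ = _read_tlv(packet, 0)
    _, _version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, _rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _idx, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, p = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, p)
        varbinds.append((_decode_oid(oid), val.decode() if vtag == 0x04 else val))
    return community.decode(), int.from_bytes(err, "big", signed=True), varbinds

# Constructed ipNetToMediaTable of the L3 switch (what an ARP-read returns) and who answers on UDP/161.
ARP_TABLE = {"10.10.1.10": "00:11:22:aa:bb:01",  # static IP, SNMP agent enabled
             "10.10.1.11": "00:11:22:aa:bb:02",  # static IP, no SNMP agent
             "10.20.5.50": "00:11:22:aa:bb:03"}  # DHCP client, already profiled by the DHCP collector
SNMP_AGENTS = {"10.10.1.10": b"Printer X, firmware 1.2"}

def constructed_probe(ip):  # stand-in for the UDP/161 round trip: sysDescr, or None when nothing answers
    reply = SNMP_AGENTS.get(ip)
    if reply is None:
        return None
    return parse_get_response(build_get_response("public", SYS_DESCR_0, reply))[2][0][1]

def profile_from_arp(arp_table, static_subnets, probe=constructed_probe):
    """ARP-read, then probe every entry; endpoints that never answer stay unprofiled."""
    nets = [ipaddress.ip_network(n) for n in static_subnets]
    report = {"profiled": {}, "unresponsive": [], "probes_outside_static": 0}
    for ip, mac in arp_table.items():
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            report["probes_outside_static"] += 1  # ARP-read does not filter by subnet
        descr = probe(ip)
        if descr is None:
            report["unresponsive"].append(mac)
        else:
            report["profiled"][mac] = descr
    return report
```

`profile_from_arp(ARP_TABLE, ["10.10.1.0/24"])` returns one profiled printer, two unresponsive MACs, and a count of one probe sent to a host outside the static range, which is the behaviour J describes. Two practitioner notes that follow from the bytes rather than from this thread: the community string sits in the clear inside every v2c packet (look for `public` in the hex of `build_get_request`), so treat "public" as no authentication at all and restrict which source address may query the switches; and an endpoint with no SNMP agent produces no response at all, so the `unresponsive` list is the honest answer to "what if the endpoint does not respond", not an error the profiler can work around.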

Occasional Contributor II

Re: Profiling for static IP

Thanks
Occasional Contributor II

Re: Profiling for static IP

I need some clarity.

So when we add a layer 2 switch under Network Devices in CPPM, do we need to add the SNMP string as well?

Is it only when we add an L3 switch in CPPM and select ARP read and force ARP read, and there is no need to add SNMP on the L2 switch in CPPM?

This way CPPM will only check ARP read from the L3 switch and not on the L2 switch (because this way CPPM initiates the SNMP read-only connection towards the L3).

Also, what if the endpoint does not respond to SNMP?

How do we profile those endpoints? Practically it is not possible to enable or configure SNMP on each endpoint.