Configuring Network Scans and Subnet Scans

Network Scan High-Level Tasks

Configuring network scan operations consists of these major tasks:

1. Create the external accounts of Domain/WMI, SNMP, or SSH type for the network hosts and devices. For details, see Adding External Accounts.

2. Add the scan configurations (Domain/WMI, SNMP, or SSH) needed to query all the devices in the target network. For details, see:

Configuring the Networks/Subnets for WMI Scan Type

Configuring the Networks/Subnets for SNMP Scan Type

Configuring the Networks/Subnets for SSH Scan Type

The Domain/WMI, SNMP, and SSH credentials are used during a network scan or a subnet scan to profile Windows servers and workstations (WMI credentials), Linux servers and workstations (SSH credentials), and network devices (SNMP credentials).

3. After running a network scan, import the discovered network devices into ClearPass (see Monitoring Discovered Devices).

4. Review the set of discovered devices and view their connected endpoints and neighbors (see Monitoring Discovered Devices).

Configuring a Network Scan

Seed devices are the initial IP addresses the network administrator provides to start the network scan. When you initiate a network scan and specify the seed devices, network discovery uses SNMP to:

Find any other devices connected to the seed devices.

Profile the connected devices.

ClearPass uses that information to detect more devices in the network. Discovery proceeds hop by hop until it reaches the network depth specified by the Scan Depth parameter (described below).

From the list of discovered devices you can open each device and view its neighbor devices.
Running a network scan from seed devices is a time- and resource-consuming operation. Depending on the number of devices reachable from the seed devices, a complete scan can take more than an hour. Run network scans outside normal business hours, or on a ClearPass node that is not servicing core authentications.
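The depth semantics described above, as an added example that is not code from ClearPass or from this documentation: a breadth-first walk from the seed devices over a constructed neighbor table that stands in for the SNMP neighbor data a real scan would collect. It assumes the scan stops expanding at the configured Scan Depth, that seeds count as depth 1, and that a device reachable by several paths is recorded once at its shallowest depth. The neighbor table, IP addresses and function names are invented for illustration.

```python
from collections import deque

# Constructed neighbor table standing in for what SNMP neighbor queries
# (LLDP/CDP tables) would return per device. Not real ClearPass data.
NEIGHBORS = {
    "10.0.0.1": ["10.0.0.2", "10.0.0.3"],
    "10.0.0.2": ["10.0.0.1", "10.0.1.1"],
    "10.0.0.3": ["10.0.0.1", "10.0.2.1"],
    "10.0.1.1": ["10.0.0.2", "10.0.1.2"],
    "10.0.1.2": ["10.0.1.1", "10.0.1.3"],
    "10.0.1.3": ["10.0.1.2"],
    "10.0.2.1": ["10.0.0.3"],
}


def discover(seeds, scan_depth, neighbors=NEIGHBORS):
    """Breadth-first discovery from the seed devices.

    Seeds sit at depth 1, each hop adds one level, and devices on the last
    level are recorded but their neighbors are not queried.  Returns a dict
    {device_ip: depth}; a device reachable over several paths keeps its
    shallowest depth and is queried only once.
    """
    if not 1 <= scan_depth <= 5:  # the UI only offers 1..5
        raise ValueError("scan depth must be between 1 and 5")
    found = {}
    queue = deque()
    for seed in seeds:
        if seed not in found:
            found[seed] = 1
            queue.append(seed)
    while queue:
        dev = queue.popleft()
        depth = found[dev]
        if depth >= scan_depth:
            continue  # last level: profiled, but its neighbors are not fetched
        for nb in neighbors.get(dev, []):  # unknown device -> no neighbors
            if nb not in found:
                found[nb] = depth + 1
                queue.append(nb)
    return found


def devices_per_level(found):
    """Group discovered devices by depth, sorted, for a quick size estimate."""
    levels = {}
    for ip, depth in found.items():
        levels.setdefault(depth, []).append(ip)
    return {d: sorted(ips) for d, ips in sorted(levels.items())}


if __name__ == "__main__":
    for depth in (1, 3, 5):
        result = discover(["10.0.0.1"], depth)
        print(f"scan depth {depth}: {len(result)} devices",
              devices_per_level(result))
```

Counting the devices per level before scheduling a wide scan gives a rough idea of how much extra SNMP polling each additional depth level adds, which is the cost the note above warns about.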

To configure a network scan:

1. Navigate to > .

The Network Scan page opens.

Figure 1  Network Scan Page

2. Click the link.

The Schedule Scan dialog opens.

Figure 2  Configuring a Network Scan

3. Specify the parameters as described in the following table:

Table 1: Configuring Network Scan Parameters

Parameter

Action/Description

Scan Type

Select Network Scan.

NOTE: For scan operations to work, the Master Server in Zone parameter must be configured. The master ClearPass server in a zone distributes the scan load among the other ClearPass nodes in the zone. For details, see Master Server in Zone.

Zone

Specify the ClearPass Zone (for more information, see Managing Policy Manager Zones). If ClearPass Zones have not yet been set up, accept the default zone.

NOTE: The primary master server in the zone forwards the scan request to the other ClearPass nodes in the zone, depending on the seed device. Each scan configuration added is distributed by the master to a different node in the zone. If one scan configuration has multiple seed devices, all the seed devices are forwarded to one node.

Seed Devices

Enter the IP addresses of one or more seed devices from which the network scan should proceed. Separate multiple device IP addresses with commas.

Frequency of Scan

Specify the frequency of the network scan:

On Demand

This option runs the network scan once, either immediately if no start time is specified, or at the time specified by the Start Time of Scan parameter.

Hourly

Daily

Scan Depth

Specify the Scan Depth by selecting the desired number from 1 to 5. The Scan Depth numbers indicate the levels of the network you want to scan. The default is Scan Depth 3.

The seed devices are, by default, at Scan Depth 1. Starting from the seed device, the next device level is Scan Depth 2, and so on, until the scan reaches the scan depth specified here.

Probe ARP entries

The ARP (Address Resolution Protocol) table provides the MAC address to IP address associations for endpoints that this ClearPass server discovered. The ARP entries for the specified network(s) are read whether or not this check box is enabled.

When this option is enabled, ClearPass uses the ARP entries to discover network access devices (NADs), then proceeds to perform a network scan to the configured scan depth.

4. Click .

You return to the Network Scan page. The status of the network scan operation shows initially as Running and finally as Completed. The green status indicator shows that the scan operation was successful.

5. To restart a completed scan, click the green button.

Configuring a Subnet Scan

To configure a subnet scan:

1. Navigate to > .

The Network Scan page opens.

Figure 3  Network Scan Page

2. Click the link.

The Schedule Scan dialog opens.

Figure 4  Configuring a Subnet Scan

3. Specify the parameters as described in the following table:

Table 2: Configuring Subnet Scan Parameters

Parameter

Action/Description

Scan Type

Select Subnet Scan.

You can schedule multiple subnet scans per zone.

To monitor subnet scan progress, navigate to Monitoring > Profiler and Network Scan > Network Scan Results.

NOTE: For scan operations to work, the Master Server in Zone parameter must be configured. The master ClearPass server in a zone distributes the scan load among the other ClearPass nodes in the zone. For details, see Master Server in Zone.

Zone

Specify the ClearPass Zone. If a Zone is not configured, accept the default.

IP Subnet(s)

Enter one or more IP subnets to be scanned. Separate multiple IP subnets with commas.

Frequency of Scan

Specify the frequency of the scan:

On Demand

This option runs the subnet scan once, either immediately if no start time is specified, or at the time specified by the Start Time of Scan parameter.

Hourly

Daily

Start Time of Scan

Select the time you want the subnet scan to start.

4. Click .

You return to the Network Scan page. The status of the subnet scan operation shows initially as Running and finally as Completed. The green status indicator shows that the scan operation was successful.

Figure 5  Seed Devices Successfully Scanned
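A pre-flight check for the IP Subnet(s) field, as an added example that is not code from ClearPass or from this documentation. It parses the comma-separated list the same way the field expects it, rejects prefixes with host bits set so a typo cannot silently widen the sweep, drops prefixes already covered by another entry, and counts the hosts the sweep would probe so the scan can be sized before it is scheduled. The max_hosts threshold and the function names are assumptions made for this example, not ClearPass settings.

```python
import ipaddress


def parse_subnets(field):
    """Parse the comma-separated IP Subnet(s) field into network objects.

    strict=True makes ipaddress reject prefixes with host bits set
    (e.g. 10.0.0.5/24) instead of quietly treating them as the whole /24.
    """
    nets = []
    for tok in field.split(","):
        tok = tok.strip()
        if tok:
            nets.append(ipaddress.ip_network(tok, strict=True))
    return nets


def drop_covered(nets):
    """Remove exact duplicates and any prefix fully contained in another
    listed prefix, so no host is swept twice by one scan configuration."""
    uniq = []
    for n in nets:
        if n not in uniq:
            uniq.append(n)
    return [n for n in uniq
            if not any(o != n and o.version == n.version and n.subnet_of(o)
                       for o in uniq)]


def usable_hosts(net):
    """Addresses a sweep would probe: network and broadcast addresses are
    excluded for IPv4 prefixes of /30 and larger; /31, /32 and IPv6 count
    every address."""
    if net.version == 4 and net.prefixlen <= 30:
        return net.num_addresses - 2
    return net.num_addresses


def plan_sweep(field, max_hosts=1024):
    """Summarise the sweep implied by a subnet scan configuration.
    max_hosts is an assumed local threshold for flagging large sweeps."""
    nets = parse_subnets(field)
    kept = drop_covered(nets)
    total = sum(usable_hosts(n) for n in kept)
    return {
        "networks": [str(n) for n in kept],
        "dropped": len(nets) - len(kept),
        "host_count": total,
        "too_large": total > max_hosts,
    }


if __name__ == "__main__":
    # Constructed field contents: the /25 is already inside the /24.
    print(plan_sweep("10.0.0.0/24, 10.0.0.0/25, 10.0.1.0/28"))
    print(plan_sweep("10.0.0.0/16"))
```

Covered prefixes are dropped rather than merged: merging two adjacent /24s into a /23 would turn their network and broadcast addresses into probe targets, which is not what the operator entered.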

Viewing Details About a Subnet Scan

Additional information is available for the configured subnet scans.

To view the details about a subnet scan:

1. Navigate to > > .

Configuring Nmap-Based Endpoint Port Scans

The network scan feature supports running an Nmap (Network Mapper)-based scan on a host to detect open ports and also to fingerprint the services running behind those ports. This information is used in the device profile.

To configure endpoint port scans using Nmap:

1. Enable Nmap-based endpoint port scans.

a. Navigate to > > > .

The Cluster-Wide Parameters page opens.

b. Select the tab.

Figure 6  Cluster-Wide Parameters > Profiler Dialog

c. Set the parameter to , then click .

For more information, see Profiler Parameters.

Setting this value to TRUE enables an active scan of the host for open ports, which can be resource intensive. Also, the Profiler Scan Ports value is ignored when the Nmap scan is enabled.

2. Schedule a network scan, configuring a seed device with entries enabled (see Configuring a Network Scan).

3. When the network scan is completed, select an endpoint (see Adding and Modifying Endpoints).

a. Navigate to > > .

b. From the page, click the endpoint of interest.

The Edit Endpoint page opens.

Figure 7  Edit Endpoint Page

4. To view the list of host services and the list of open ports returned by the network scan for the selected host or endpoint, select the tab.

The Edit Endpoint > Fingerprints page shows the fingerprint details, including the Nmap scan data.
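What an Nmap port scan contributes to a fingerprint, as an added example that is not code from ClearPass or from this documentation: a parser for Nmap's own XML output (nmap -sV -oX) that keeps only open ports and records, for each, the service name and the product and version Nmap fingerprinted behind it. The XML below is a constructed sample in Nmap's output format, not data captured from a ClearPass scan; the record layout and function names are assumptions made for this example and do not describe how ClearPass stores fingerprints.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML output format; not captured from ClearPass.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX - 10.0.1.2" version="7.94">
<host>
<status state="up" reason="echo-reply"/>
<address addr="10.0.1.2" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https" method="table" conf="3"/></port>
<port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/><service name="ms-wbt-server" method="table" conf="3"/></port>
</ports>
</host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one record per host: its IP, MAC, and open ports with service data.

    Closed and filtered ports are dropped.  'probed' is True when Nmap
    matched a banner or probe response (method="probed"); False means the
    service name is only a guess from the port-number table, which should
    not be trusted for profiling decisions.
    """
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        rec = {"ip": None, "mac": None, "open_ports": []}
        for addr in host.findall("address"):
            kind = addr.get("addrtype")
            if kind in ("ipv4", "ipv6"):
                rec["ip"] = addr.get("addr")
            elif kind == "mac":
                rec["mac"] = addr.get("addr")
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            rec["open_ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                "probed": svc is not None and svc.get("method") == "probed",
            })
        records.append(rec)
    return records


def fingerprint_lines(rec):
    """Render the open-port list as one line per service, e.g. '22/tcp ssh OpenSSH 8.9p1'."""
    lines = []
    for p in rec["open_ports"]:
        parts = [f"{p['port']}/{p['proto']}", p["service"] or "unknown"]
        parts += [v for v in (p["product"], p["version"]) if v]
        lines.append(" ".join(parts))
    return lines


if __name__ == "__main__":
    for rec in parse_nmap_xml(SAMPLE_NMAP_XML):
        print(rec["ip"], rec["mac"])
        for line in fingerprint_lines(rec):
            print("  ", line)
```

Only the two open ports survive; 443 (closed) and 3389 (filtered) are discarded even though Nmap lists a table-guessed service name for them, which is the distinction that matters when a port list feeds a device profile.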