Endpoint Information Collectors

Collectors are the network elements that provide data in order to profile endpoints.

DHCP Collector

Dynamic Host Configuration Protocol (DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network. ) attributes such as option 55 (parameter request list), option 60 (vendor class), and the options list from the Discover and Request packets can uniquely fingerprint most devices that use the DHCP mechanism to acquire an IP address on the network. You can configure switches, controllers and gateways Gateway is a network node that allows traffic to flow in and out of the network. to forward DHCP Discover, Request, and Inform packets to Policy Manager. These DHCP packets are decoded by ClearPass Policy Manager to arrive at the appropriate device category, OS family, and device name. In addition to fingerprints, DHCP also provides the host name and IP address.

Sending DHCP Traffic to the Policy Manager Server

To configure your Aruba controller and Cisco switch to send DHCP traffic to the Policy Manager server, enter the following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands:

interface <VLAN_name>

ip address <IP_addr> <netmask>

ip helper-address <DHCP_server_IO>

ip helper-address <clearpass_IP> end


You can configure multiple IP helper-address statements to send DHCP packets to servers other than the DHCP server.

NetFlow Collector

NetFlow provides the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion.

The ClearPass Policy Manager NetFlow collector provides the ability to identify the open ports of a device connected to a network by analyzing the received NetFlow packets.


Policy Managercollects the source IP address and the source port address forall NetFlow versions—v1, v5, v6, v7, and v9—as well as IPFIX and sFlow (v5). Also, Policy Manager collects the source MAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. address (if it exists) for NetFlow V9, IPFix, and sFlow (v5).

sFlow Collector

sFlow is a general purpose network-traffic measurement system technology. sFlow is embedded in network devices and provides continuous statistics on any protocol so that all traffic throughout a network can be accurately characterized and monitored. The main difference between NetFlow and sFlow is that NetFlow is restricted to IP traffic only, whereas sFlow has the ability sample all traffic (that is, it is network-layer independent).

The sFlow collector has the following characteristics:

In ClearPass Policy Manager, sFlow listens to UDP User Datagram Protocol. UDP is a part of the TCP/IP family of protocols used for data transfer. UDP is typically used for streaming media. UDP is a stateless protocol, which means it does not acknowledge that the packets being sent have been received. port 6343.


UDP port 6343 must be opened to the firewall Firewall is a network security system used for preventing unauthorized access to or from a private network.. The switch/sFLow source should be configured to send sFlow packets to Policy Manager UDP port 6343.

sFlow identifies the source IP/port and destination IP/port (not the source MAC address) from the flow that reaches the Policy Manager server and updates the port information for endpoints existing in the Policy Manager server.

When the source MAC address exists in the sFlow traffic, the behavior of the Policy Manager server is as follows:

If the source MAC address is present in the Policy Manager endpoints, Policy Manager updates that endpoint entry with the open ports and source IP address.

If the source MAC address is not present in the ClearPass endpoints, and if the source IP address is present in the endpoints, Policy Manager updates the MAC address and source port for that endpoint.

If both the MAC address and IP address are not present in the Policy Manager endpoints, a new entry is created.

The sFlow traffic received is sent to Profiler for further processing in batches of 10 in one-minute intervals.

Policy Manager Onboard Collector

Policy Manager Onboard collects authentic device information from all devices during the onboarding The process of preparing a device for use on an enterprise network, by creating the appropriate access credentials and setting up the network connection parameters. process. Onboard then posts this information to the Policy Manager Profile. Because the information collected is definitive, Policy Manager Profiler can directly classify these devices into their appropriate category, OS family, and name without having to rely on any other fingerprinting information.

HTTP User-Agent Strings Collector

In some cases, DHCP fingerprinting alone cannot fully classify a device. A common example is the Apple family of smart devices; for example, DHCP fingerprints cannot distinguish between an iPad and an iPhone. In these scenarios, user-agent strings sent by browsers in the HTTP Hypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands. protocol are useful to further refine classification results.

User-agent strings are collected from the following:

Policy Manager Guest

Policy Manager Onboard

Aruba controller through an IF-MAP (Interface for Metadata Access Points) interface

MAC OUI Collector

The MAC OUI Organizationally Unique Identifier. Synonymous with company ID or vendor ID, an OUI is a 24-bit, globally unique assigned number, referenced by various standards. The first half of a MAC address is OUI. (Organization Unique Identifier) is expressed in the first 24 bits of a MAC address for a network-connected device. Thus, the MAC OUI indicates the specific vendor for that device. The MAC OUI is acquired through various authentication mechanisms, such as 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. and MAC address authentication. The MAC OUI can be useful to more accurately classify endpoints. An example is Android™ devices where DHCP fingerprints can only classify a device as generic Android, but it cannot provide more details regarding the vendor. Combining this information with MAC OUI, the Policy Manager Profiler can classify a device as HTC™ Android, Samsung™ Android, or Motorola® Droid, etc. The MAC OUI is also useful to profile devices such as printers that might be configured with static IP addresses.

ActiveSync Plug-in Collector

You can install the ActiveSync Mobile data synchronization app developed by Microsoft that allows a mobile device to be synchronized with either a desktop or a server running compatible software products. plug-in provided by Aruba on Microsoft Exchange servers. When a device communicates with an Exchange server using the Active Sync protocol, the device provides attributes such as device-type and user-agent. These attributes are collected by the ActiveSync plug-in and sent to the Policy Manager Profiler. Profiler uses dictionaries to derive profiles from these attributes.

Policy Manager OnGuard Agent

The Policy Manager OnGuard agent performs advanced endpoint posture assessment. This agent collects and sends operating system details from endpoints during authentication. The Policy Manager Profiler uses the OnGuard OSType attribute to derive a profile (for more information, refer to Web-Based Authentication Service).

SNMP Collector

Endpoint information obtained by reading the Simple Network Management Protocol (SNMP Simple Network Management Protocol. SNMP is a TCP/IP standard protocol for managing devices on IP networks. Devices that typically support SNMP include routers, switches, servers, workstations, printers, modem racks, and more. It is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention. ) MIBs Management Information Base. A hierarchical database used by SNMP to manage the devices being monitored. of network devices is used to discover and profile static IP devices in the network. For related information, see Configuring Network Scans and Subnet Scans.

Table 1: SNMP MIBs Used by the SNMP Collector




A textual description of the entity used both for profiling switches, controllers, and routers configured in Policy Manager, and for profiling printers and other static IP devices discovered through SNMP or subnet Subnet is the logical division of an IP network. scans (RFC1213).


Provides the cached information obtained via receiving Cisco Discovery Protocol (CDP Cisco Discovery Protocol. CDP is a proprietary Data Link Layer protocol developed by Cisco Systems. CDP runs on Cisco devices and enables networking applications to learn about the neighboring devices directly connected to the network.) messages from CDP-capable devices. This is used to discover neighbor devices connected to the switch or controller configured in Policy Manager.


This table contains one or more rows per physical network connection known to this agent read from LLDP Link Layer Discovery Protocol. LLDP is a vendor-neutral link layer protocol in the Internet Protocol suite used by network devices for advertising their identity, capabilities, and neighbors on an IEEE 802 local area network, which is principally a wired Ethernet. (Link Layer Discovery Protocol)-capable devices. This is used to discover and profile neighbor devices connected to the switch or controller configured in Policy Manager.


Address Resolution Protocol (ARP Address Resolution Protocol. ARP is used for mapping IP network address to the hardware MAC address of a device. ) information is read from the network devices. This is used as a means to discover endpoints in the network.

Setting SNMP Community Attributes

The SNMP-based mechanism is capable of profiling devices only if they respond to SNMP, or if the device advertises its capability via LLDP (Link Layer Discovery Protocol). When performing SNMP reads for a device, Policy Manager uses SNMP Read credentials configured in the network devices, or defaults to using SNMPv2 Simple Network Management Protocol version 2. SNMPv2 is an enhanced version of SNMPv1, which includes improvements in the areas of performance, security, confidentiality, and manager-to-manager communications. with public community strings specified.

To specify SNMPv2 with community strings:

1. Navigate to Configuration > Network > Devices.

2. From the Network Devices page, select the appropriate device.

The Edit Device Details dialog opens.

3. Select the SNMP Read Settings tab.

Figure 1  Specifying SNMP v2 with Community Strings

4. Specify the SNMP Read Settings parameters as described in the following table, then click Save.

Table 2: SNMP Read Settings Parameters



Allow SNMP Read

If not already enabled, enable the Allow SNMP Read check box.

The SNMP Read Settings parameter fields are now enabled for configuration.

Policy Manager Zone

Select the Policy Manager Zone. If no Policy Manager Zone is configured, select default.

SNMP Read Setting

Select SNMPv2 with community strings.

Community String

Enter the Community String value, then reenter the string to verify it.

Read ARP Table Info

If this is a Layer-3 device, and you want to use the ARP table on this device as a way to discover endpoints in the network, enable the Read ARP Table Info check box.

NOTE: Static IP endpoints discovered in this way are further probed via SNMP to profile the device.

Configuring the Device Info Poll Interval

Network devices configured with SNMP Read enabled are polled periodically for updates based on the time interval configured for the Device Info Poll Interval.

To set the Device Info Poll Interval:

1. Navigate to Administration > Server Manager > Server Configuration.

2. Select the Policy Manager server of interest.

The Server Configuration page opens.

3. Select the Service Parameters tab.

4. From the Select Service drop-down, select Policy Manager network services.

The Policy Manager network services page opens.

Figure 2  Specifying the Device Info Poll Interval

5. In the minutes field, enter the Device Info Poll Interval, then click Save.

Subnet Scan Collector

A network or subnet scan discovers the IP addresses of devices in the network. The devices discovered in this way are further probed using SNMP to fingerprint and assign a profile to the device. Network subnets to be scanned are configured per Policy Manager Zone.This is particularly useful in deployments that are geographically distributed. In such deployments, it is recommended that you complete the following tasks:

1. Assign the ClearPass Policy Manager nodes in a cluster to multiple zones depending on the geographical area served by that node.

To set up Policy Manager Zones, navigate to Administration > Server Manager > Server Configuration > Manage Policy Manager Zones.

2. Then enable the profile for a minimum of one node per zone.

For more information, see Managing Policy Manager Zones.

3. Configure the SNMP, SSH Secure Shell. SSH is a network protocol that provides secure access to a remote device. , and WMI Windows Management Instrumentation. WMI consists of a set of extensions to the Windows Driver Model that provides an operating system interface through which instrumented components provide information and notification. credentials required to query for network devices, Linux devices, and Windows devices respectively (for details, see Configuring SNMP, SSH, and WMI Credentials).

4. Configure a network scan or subnet scan (for details, see Configuring Network Scans and Subnet Scans).