Discovery
FortiNAC-OS Requirement: "snmp" option must be included in the "set allowaccess" command. See Open ports for details.
FortiNAC can search the network based on IP ranges and determine what SNMP enabled devices exist on the network. Once a device is discovered, FortiNAC creates a model for the device in the database and places the device in the Network Devices list.
FortiNAC receives traps and communicates with devices through SNMPv1, SNMPv2, and SNMPv3.
When the Use CDP option on the Discovery window is enabled, FortiNAC queries devices about other connected devices on the network. If a device has this discovery protocol enabled it gathers and stores information about devices it manages and devices it can contact on the network. Enabling the Cisco Discovery Protocol (CDP) when adding search criteria for discovery allows FortiNAC to query devices for information about those secondary devices. For example, FortiNAC can query a device and discover routers and switches connected to the original device. FortiNAC can then query those secondary devices and so on, until the edge of the network is reached. Only devices with CDP enabled will respond to a CDP query.
Discovering devices with sysNames containing multiple periods (FortiNAC versions 7.2.4 and greater):
By default, FortiNAC parses out the hostname by getting the first element after a split by "." (FQDN parsing). Example: Device with sysName "NamePart1.NamePart2" would be added to Inventory as "NamePart1".
To preserve the full sysName during discovery, enable the GlobalOption tool prior to adding devices.
CentOS: In the CLI type
    globaloptiontool -name networkDevice.preserveFullName -set true
FortiNAC-OS: In the CLI type
    execute enter-shell
    globaloptiontool -name networkDevice.preserveFullName -set true
Once enabled, FortiNAC will skip FQDN parsing during discovery and pull in the full sysName.
When a discovery process is started for a particular container, the status of that process is displayed in the Containers view. Click Refresh on the Containers view to update the status periodically.
Note:
- Important: When adding IP ranges, the total number of IP addresses covered should not exceed 65,000 (example: range 1 + range 2 + range 3 = 65,000). Otherwise, the discovery may not complete.
- In large networks, discovery can take an extended amount of time.
- If a device has multiple interfaces, each with a different IP address that is configured with its own SNMP settings, multiple representations of the same device will be added to FortiNAC. FortiNAC does not consolidate the duplicates in this case.
- When configuring the device itself, use only letters, numbers and hyphens (-) in names for items within the device configuration, in security strings and in SNMP credentials. Other characters may prevent FortiNAC from reading the device configuration. For example, in many cases the # sign is interpreted by FortiNAC as a prompt. Cisco restricts the use of @ and #.
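
The two limits in the notes above (no more than 65,000 addresses in total, and only letters, numbers and hyphens in security strings and SNMP credentials) can be checked before a discovery is started. The following is an added example, not Fortinet code; the function names, sample ranges and sample credentials are constructed for illustration.

```python
import ipaddress
import re

MAX_ADDRESSES = 65_000                      # limit stated in the note above
SAFE_CHARS = re.compile(r"[A-Za-z0-9-]+")   # letters, numbers and hyphens only

def range_size(start, end):
    """Number of addresses in an inclusive start-end range."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first.version != last.version:
        raise ValueError(f"{start} and {end} are different IP versions")
    if int(last) < int(first):
        raise ValueError(f"range {start}-{end} ends before it starts")
    return int(last) - int(first) + 1

def total_addresses(ranges):
    """Sum the range sizes, the way the note's example adds range 1 + 2 + 3."""
    return sum(range_size(start, end) for start, end in ranges)

def unsafe_fields(credentials):
    """Return the labels (never the values) of strings with other characters."""
    return sorted(label for label, value in credentials.items()
                  if not SAFE_CHARS.fullmatch(value))

def preflight(ranges, credentials):
    """Collect every finding so the plan can be corrected in one pass."""
    findings = []
    total = total_addresses(ranges)
    if total > MAX_ADDRESSES:
        findings.append(f"{total} addresses exceeds the {MAX_ADDRESSES} limit")
    for label in unsafe_fields(credentials):
        findings.append(f"{label}: use only letters, numbers and hyphens")
    return findings

# Constructed sample plan: made-up ranges and made-up credentials.
SAMPLE_RANGES = [("10.0.0.0", "10.0.255.255"), ("192.0.2.1", "192.0.2.254")]
SAMPLE_CREDENTIALS = {
    "snmpv1 security string": "netops-ro-2024",
    "snmpv3 auth password": "Winter#2024",   # '#' may be read as a prompt
    "snmpv3 privacy password": "priv-key-77",
}

if __name__ == "__main__":
    for finding in preflight(SAMPLE_RANGES, SAMPLE_CREDENTIALS):
        print("FIX:", finding)
```

Findings name the field only, so the output can be shared without exposing the credential itself.
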
- Go to Network > Inventory > Customer > Containers.
- Select a Container that will be populated by the discovery process.
- Click Start Discovery in the Containers panel.
- The Discovery Settings window displays.
- If you would like to search for devices using the Cisco Discovery Protocol, click the Use CDP check box to enable it.
- On the IP Range tab, click Add.
- Enter the Starting and Ending IP addresses of the range to be queried for new devices. If you selected Use CDP, only the starting IP address is required.
If you have an extensive network and you plan to use CDP, it is recommended that you limit the number of levels queried beyond the initial device. In large networks, discovery can take an extended amount of time and may cause delays. For information on limiting the depth of the CDP discovery see Network device.
- Add all of the IP ranges required.
- Click Next or click the SNMP Credentials tab.
- Under SNMPv1 Security Strings, enter the read/write security strings to use when communicating with the discovered devices. Click Add to add a security string. Select a security string and click Delete to remove it from the list.
- Under SNMPv3 Credentials, click Add to enter the settings to use when communicating with the discovered devices.

Settings

| Field | Definition |
| --- | --- |
| SNMP Protocol | Available options are AuthPriv or AuthNoPriv. |
| User Name | User Name for access to the device. Recommended but not required. |
| Authentication Protocol | Available options are: MD5, SHA1 (Recommended) |
| Authentication Password | Specify password to match what the device is using. |
| Privacy Protocol | Available options are: DES, AES-128 (Recommended) |
| Privacy Password | Specify password to match what the device is using. |

If the device is configured for AuthPriv, the authentication password, Privacy Protocol and Privacy password are required. If the device is configured for AuthNoPriv, only the authentication password is required.
- Click Next or click the CLI Credentials tab.
- Click Add to enter CLI Credentials for managing discovered devices.

Settings

| Field | Definition |
| --- | --- |
| User Name | The user name used to log on to the device for configuration. This is for CLI access. For devices using API credentials, enter the serial number for the appliance. |
| Password | The password required to configure the device. This is for CLI access. For devices using API credentials, enter the REST API Key. |
| Enable Password | The enable password for the device. This is for CLI access. Depending on the configuration, you may not need both the password and the enable password. Note: Version 8.7.2 and higher: Arista switches can be configured to require typing "enable" to enter enable mode, but no password is needed. For such configurations, populate this field with the # character. |
| Protocol Type | Use Telnet, SSH1 or SSH2 to log on to the device for configuration. |

- Click OK to start the discovery process. The process runs in the background.
The status of a discovery task is displayed in the Devices header.
- Click Cancel Discovery to cancel the discovery process.