I manage a small business network with 4 sites. Each remote site is connected to the primary site via a ipsec VPN on the router. Each site has their own subnet. I'd like to be able to scan all 4 subnets from the server to monitor for new unauthorized devices. I have no problem seeing all of the other subnets from the server and I can see all of the devices on them with various ip scanner programs. However when running WiFi guard, it only discovers devices on my local subnet, even if I specify an ip range that includes the other sites. Is there a way around this? The remote sites do not have a server, I'm trying to find a centralized way to do this. Can your product do this?
It is not a product limitation, but rather how networks work in general.
As you may know, WiFi Guard identifies network devices by their MAC address, so the known MAC addresses are whitelisted whereas an unknown MAC address will trigger an alert. However MAC addresses can only be resolved within the local subnet. The ARP protocol messages used to resolve MAC addresses are not forwarded between subnets.
For this reason the IP scanner programs that you have tried would show you devices in the other subnets but not their MAC addresses. Some IP scanners may employ special techniques to get MAC addresses from some devices, but for most devices it's not possible to determine their MAC address via VPN. Since WiFi Guard can't determine their MAC addresses via VPN either, they cannot be used for identification and are not shown.
Normally this can be worked around by using some kind of agent program (or WiFi Guard) in each subnet, but since there are no dedicated servers in your subnets, I am afraid you wouldn't be able to track all devices in a centralised way.