
Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Incrementing Endpoint Attribute

  • 1.  Incrementing Endpoint Attribute

    Posted Apr 04, 2018 04:37 AM

    Hi,

    I have a custom endpoint attribute and I need to increment this value by 1 using an enforcement profile in Event-based Enforcement Service.

    I created a dictionary that parses syslog logs. When the policy meets an event, I would like to increase the attribute by one.

    Is it possible to assign the received event to the attribute?

     



  • 2.  RE: Incrementing Endpoint Attribute

    Posted Apr 04, 2018 06:36 AM

    Hi;

     

    You can use the profile "Clearpass Entity update Enforcement" to modify an attribute for an endpoint.

     

    I hope it helps.

     

    Angel De la Encarnacion.

     

    ACMP, ACCP, ACDX#544

     

    "If the answer helps you, a kudo is appreciated."



  • 3.  RE: Incrementing Endpoint Attribute

    Posted Apr 04, 2018 06:40 AM

    I understand, but how do I increase the attribute by one?



  • 4.  RE: Incrementing Endpoint Attribute

    Posted Apr 04, 2018 06:47 AM

    Hi;

     

    Sorry, you need to modify the source authentication "endpoints". I attach a link with the same question and its resolution.

     

     

    http://community.arubanetworks.com/t5/Security/Incrementing-Endpoint-Attribute/td-p/269961

     


    I hope it helps.

     

    Angel De la Encarnacion.

     

    ACMP, ACCP, ACDX#544

     

    "If the answer helps you, a kudo is appreciated."

     



  • 5.  RE: Incrementing Endpoint Attribute

    Posted Apr 04, 2018 06:58 AM

    I saw this thread. Unfortunately, in version 6.6 the following tables have been removed:

    • TIPS_AUTH_LOCAL_USER_TAG_MAPPINGS
    • TIPS_GUEST_USER_TAG_MAPPINGS
    • TIPS_NAD_CLIENT_TAG_MAPPINGS
    • TIPS_ENDPOINT_TAG_MAPPINGS
    • TIPS_TAG_VALUES

    information about version 6.6

     

    How do I read the endpoint attribute in Enforcement Profiles from the Endpoint Repository?

     



  • 6.  RE: Incrementing Endpoint Attribute

    EMPLOYEE
    Posted Apr 05, 2018 09:21 AM

    You can try the following, which works for me in 6.7.2:

    SELECT attributes->>'Counter' as Counter, (attributes->>'Counter')::int +1 as Counter1 FROM tips_endpoints WHERE mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}')

    I added this as a new filter in the Endpoints Repository Attributes.

     

    In the example, the attributes->>'Counter' refers to an endpoint attribute with the name Counter. Map attributes Counter and Counter1 as Integer, where Counter has the current value, and Counter1 the current +1.

     

    The attributes are stored in JSON format, and ->> takes a field from a JSON (PostgreSQL syntax).
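
Added example (not part of the original post and not ClearPass's own code): the filter query above run against a constructed table, showing what happens when the Counter attribute is missing or not numeric, with a guarded variant beside it. The table name demo_endpoints, its jsonb column type and the sample rows are assumptions made for illustration.

```sql
-- Constructed stand-in for the endpoint table; the real ClearPass schema
-- is not shown in this thread, so the name and column types are assumptions.
CREATE TEMP TABLE demo_endpoints (
    mac_address text PRIMARY KEY,
    attributes  jsonb
);

-- Constructed sample rows.
INSERT INTO demo_endpoints VALUES
    ('aabbccddeeff', '{"Counter": "3"}'),      -- counter already set
    ('001122334455', '{"Location": "lab"}'),   -- counter never set
    ('66778899aabb', '{"Counter": "n/a"}');    -- counter holds a non-numeric string

-- Query in the form posted above. ->> returns the field as text, or NULL when
-- the key is absent, so for the second endpoint both columns are NULL and no
-- usable "current + 1" value is produced.
SELECT attributes->>'Counter'            AS counter,
       (attributes->>'Counter')::int + 1 AS counter1
FROM demo_endpoints
WHERE mac_address = LOWER('001122334455');

-- The same query fails outright on the third endpoint, because the ::int cast
-- rejects 'n/a'. Left commented out so the script runs to the end:
-- SELECT (attributes->>'Counter')::int + 1 FROM demo_endpoints
-- WHERE mac_address = LOWER('66778899AABB');

-- Guarded variant: cast only when the text is 1 to 9 digits (fits in int),
-- otherwise start from 0. A NULL from a missing key fails the regex test and
-- falls through to the ELSE branch as well.
SELECT mac_address,
       CASE WHEN attributes->>'Counter' ~ '^[0-9]{1,9}$'
            THEN (attributes->>'Counter')::int
            ELSE 0
       END AS counter,
       CASE WHEN attributes->>'Counter' ~ '^[0-9]{1,9}$'
            THEN (attributes->>'Counter')::int + 1
            ELSE 1
       END AS counter1
FROM demo_endpoints
ORDER BY mac_address;
```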



  • 7.  RE: Incrementing Endpoint Attribute

    Posted Apr 06, 2018 02:12 AM

    Thanks for the answer.
    Can you explain how to use such a query as an enforcing policy in the event based enforcement service?

    I created a query in endpoint repository where

    • name: Counter1
    • Alias Name: Counter1
    • Data type: Integer

    Then I added a new enforcement profile of type Post_Authentication with this attribute:

    • Type: Endpoint
    • Name: Counter
    • Value:%{Authorization: [Endpoints Repository]: Counter1}

    Unfortunately, the attribute assumes the following value: %{Authorization: [Endpoints Repository]: Counter1} when executing this query.



  • 8.  RE: Incrementing Endpoint Attribute

    EMPLOYEE
    Posted Apr 06, 2018 05:44 AM

    The Endpoint Repository is not part of the Event Service, and you cannot add it.

     

    As a workaround what might work is to add in the event service an attribute like 'increasecounter=true', then if you do a CoA, in the 802.1X service (or MACAuth, etc), you can check if that attribute is set, in which case you clear the increasecounter attribute and set the increased Counter value to the Counter attribute.

     

    If you think you have a proper use case for this, please contact your local Aruba (ClearPass) SE to bring this to the attention of our product management. For me, it is the first time I see it, and as you see with some workarounds you can build it; if it is useful for the broader audience, having this as an official feature may make sense.



  • 9.  RE: Incrementing Endpoint Attribute

    Posted Apr 09, 2018 02:33 AM

    I have a problem with events. In one second CPPM gets a few lines (2-20) of syslog in the form:

    2018-04-01 13:16:58 sourceip="192.0.0.1" port="32796" lvl="low"
    2018-04-01 13:16:58 sourceip="192.0.0.2" port="443" lvl="low"

    In Monitoring » Live Monitoring » Access Tracker I have information about all events, where the policy of Enforcement Profiles "increaselvl" was done every time.

    In a situation when I get more than 2 lines, CPPM should increase my attribute by two degrees (e.g. "plusplus"); if I get 10 lines of log, it should increase 10 times (plusplus ... plus). Unfortunately, it increases only once.

     

    Maybe in the dictionary I should implement a variable that I will update?

    Thank you in advance for your answer.



  • 10.  RE: Incrementing Endpoint Attribute

    Posted Apr 16, 2018 07:50 AM

    #update