Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Log guest authentication and traffic

  • 1.  Log guest authentication and traffic

    Posted Jun 04, 2014 09:57 AM

    Hello everybody,

    I know there are some threads talking about this, but I didn't find one for my specific problem, and after hours of changing log levels I'm starting to go crazy :(

    For a customer who is using ClearPass as a solution for guest access, I would like, in order to comply with French law, to log HTTP traffic and authentications. I created the firewall policy and added the 'log' parameter on the rule. I can see traffic logs on my syslog.

    I also succeeded in getting user authentications, but for every WLAN. Is it possible to log only guest authentications?

    The biggest problem is that I also get too much info in my logs, about rogue APs, etc., and I'm lost with categories and processes...

    So my question is: what is the best config to get guest traffic and authentications to my syslog? I only need that.

    Thanks in advance.

    Regards.



  • 2.  RE: Log guest authentication and traffic

    EMPLOYEE
    Posted Jun 04, 2014 09:59 AM
    Are you using the controller's guest functionality or ClearPass Guest?


  • 3.  RE: Log guest authentication and traffic

    Posted Jun 04, 2014 10:01 AM

    Sorry, I forgot to mention that. I am using ClearPass Guest to provide the captive portal.



  • 4.  RE: Log guest authentication and traffic

    EMPLOYEE
    Posted Jun 04, 2014 10:05 AM
    Take a look at Insight inside ClearPass. You can run reports for guest authentications.


  • 5.  RE: Log guest authentication and traffic

    Posted Jun 04, 2014 10:09 AM

    To comply with French law, I must be able to provide logs of guest authentications and of the public IPs they are accessing over the internet.

    I got it working; the only problem is I get too much unnecessary info... Do you know the best config on the controller 'Levels' page for my need?



  • 6.  RE: Log guest authentication and traffic

    EMPLOYEE
    Posted Jun 04, 2014 04:31 PM

    If you are using ClearPass, you can create a data filter and apply that filter to a syslog output from CPPM.

    [attached screenshot: syslogfilter2.png]

    [attached screenshot: syslogfilter.png]



  • 7.  RE: Log guest authentication and traffic

    Posted Jun 05, 2014 02:43 AM

    Thank you for your answer.

    With this solution, I see I can export authentication logs, but can I get session logs like I have on the controller, where I see HTTP communications?



  • 8.  RE: Log guest authentication and traffic

    EMPLOYEE
    Posted Jun 05, 2014 02:49 AM
    If you are looking for the destination of users' traffic, then no. ClearPass does not do deep packet inspection. That information you will need to get from your firewall and controller. Most customers use AirWave or a syslog server to collect all the information in one single location.


  • 9.  RE: Log guest authentication and traffic

    Posted Jun 05, 2014 04:05 AM

    That is why I was trying to get it from the controller and send it to my syslog. In fact I'm actually getting it, but I am also getting some logs about rogue APs, IKE messages, WMS, etc. that I don't want.

    I am just looking for the best config of the log levels on processes/categories/subcategories to only get the info I want, or at least to reduce the amount of unnecessary info that is making my log file grow too much.

    Thank you for your help.



  • 10.  RE: Log guest authentication and traffic

    EMPLOYEE
    Posted Jun 05, 2014 04:09 AM
    OK. Understood.

    @cjoseph

    Is there a filter you can put on the controller?


  • 11.  RE: Log guest authentication and traffic

    Posted Jun 05, 2014 05:17 AM

    Well, I put the processes and subcategories that I didn't need at the 'emergencies' level of logging (the messages that were displaying were of informational, error or warning level), as you can see in my attached screenshot.

    I don't have localdb/wms/stm messages anymore, but I still get ids/ids-ap messages. That's a lot better now, though. I will keep this config, and if anyone knows how I can get rid of these ids/ids-ap logs, I'm listening :)

     

    - nice2k
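Where the controller's per-process log levels cannot get rid of the last noise sources (the ids/ids-ap messages above), the same reduction can be done on the syslog receiver. The following is an added example written for this thread, not code from the thread or from HPE Aruba: a small Python filter that keeps only firewall session records and guest authentications. The line layout, the process names (authmgr, fw-session) and the role=guest field are assumptions, and the sample lines are constructed; adjust the pattern to what your controller actually emits.

```python
import re

# Constructed approximation of an ArubaOS syslog line, "<PRI>Mon DD HH:MM:SS host proc[pid]: msg".
# The real layout and process names may differ; adjust the pattern to what the controller emits.
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<proc>[\w-]+)\[\d+\]: (?P<msg>.*)$"
)
# Noise sources named in the thread; dropped regardless of severity.
DROP_PROCS = {"ids", "ids-ap", "wms", "stm", "localdb", "isakmpd"}
# Only guest authentications are wanted; key off the role field (a constructed field name).
GUEST_MARKER = re.compile(r"\brole=guest\b", re.IGNORECASE)


def parse(line):
    """Split one syslog line into fields; return None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["pri"]) % 8  # PRI = facility * 8 + severity (RFC 5424)
    return rec


def wanted(line):
    """Keep firewall session records and guest authentications, drop everything else.
    Process names are assumed: authmgr for user authentication, fw-session for the
    per-session traffic log that the 'log' parameter on the firewall rule produces."""
    rec = parse(line)
    if rec is None or rec["proc"] in DROP_PROCS:
        return False
    if rec["proc"] == "fw-session":
        return True
    return rec["proc"] == "authmgr" and bool(GUEST_MARKER.search(rec["msg"]))


def filter_lines(lines):
    """Return only the lines a guest-access audit log needs."""
    return [line for line in lines if wanted(line)]


# Constructed sample input, not captured from a real controller.
SAMPLE = [
    "<134>Jun  5 04:05:12 ctrl1 authmgr[2104]: <522008> <NOTI> User authentication successful: user=guest01 role=guest ip=10.20.0.15",
    "<134>Jun  5 04:05:13 ctrl1 authmgr[2104]: <522008> <NOTI> User authentication successful: user=jdoe role=employee ip=10.10.0.8",
    "<142>Jun  5 04:05:14 ctrl1 fw-session[2310]: allow tcp 10.20.0.15:51234 -> 93.184.216.34:80 role=guest",
    "<132>Jun  5 04:05:15 ctrl1 ids-ap[1877]: <126006> <WARN> Rogue AP detected bssid=00:11:22:33:44:55",
    "<134>Jun  5 04:05:16 ctrl1 wms[1990]: <126001> <INFO> AP state change",
]
```

Running filter_lines(SAMPLE) keeps the guest authentication and the firewall session line and drops the employee authentication, the ids-ap message and the wms message.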