Contributor II

Log guest authentication and traffic

Hello everybody,

 

I know there are some subjects talking about this, but I didn't find one for my specific problem, and after hours of changing log levels I'm starting to go crazy :(

For a customer who is using ClearPass as a solution for guest access, I would like, to comply with French law, to log HTTP traffic and authentications. I created the firewall policy and added the 'log' parameter on the rule. I can see traffic logs on my syslog.

I also succeeded in getting user authentications, but for every WLAN. Is it possible to log only guest authentications?

The biggest problem is that I also get too much info in my logs, about rogue APs, etc., and I'm lost with categories and processes...

So my question is: what is the best config to get guest traffic and authentications to my syslog? I only need that.

Thanks in advance.

Regards.

Guru Elite

Re: Log guest authentication and traffic

Are you using the controller's guest functionality or ClearPass Guest?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: Log guest authentication and traffic

Sorry, I forgot to mention that. I am using ClearPass Guest to provide the captive portal.

Guru Elite

Re: Log guest authentication and traffic

Take a look at Insight inside ClearPass. You can run reports for guest authentications.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: Log guest authentication and traffic

To comply with French law, I must be able to provide logs of guest authentications and the public IPs they are accessing over the internet.

I got it working; the only problem is I get too much unnecessary info... Do you know the best config on the controller 'Levels' page for my need?

Aruba

Re: Log guest authentication and traffic

If you are using ClearPass, you can create a data filter and apply that filter to a syslog output from CPPM.

[Attached screenshots: syslogfilter2.png, syslogfilter.png]

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Contributor II

Re: Log guest authentication and traffic

Thank you for your answer.

With this solution, I see I can export authentication logs, but can I get session logs like I have on the controller, where I see HTTP communications?

Aruba

Re: Log guest authentication and traffic

If you are looking for the destination of users' traffic, then no. ClearPass does not do deep packet inspection. That information you will need to get from your firewall and controller. Most customers use AirWave or a syslog server to collect all the information in one single location.
Thank You,
Troy

Contributor II

Re: Log guest authentication and traffic

That is why I was trying to get it from the controller and send it to my syslog. In fact, I'm actually getting it, but I am also getting some logs about rogue APs, IKE messages, WMS, etc. that I don't want.

I am just looking for the best config of the log levels on processes/categories/subcategories to get only the info I want. Or at least reduce the amount of unnecessary info that is making my log file grow too much.

Thank you for your help.

Aruba

Re: Log guest authentication and traffic

OK. Understood.

@cjoseph

Is there a filter you can put on the controller?
Thank You,
Troy
