Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Syslog RADIUS Login/Logoff Message

  • 1.  Syslog RADIUS Login/Logoff Message

    Posted May 08, 2015 10:48 AM

    I want to send a syslog message to a logging collector (Splunk) to indicate when a user logs in and when they log off or when their session expires.

     

    I need to be able to send the user-name and the framed-ip-address of the user and flag as to whether it was a login or logoff event.

     

    Is there a way to get a syslog target filter written that will do this?  I have seen the custom SQL available in the filter, but not sure how to write it.



  • 2.  RE: Syslog RADIUS Login/Logoff Message

    EMPLOYEE
    Posted May 08, 2015 11:00 AM

    Did you check out our ClearPass app in the Splunk App Store?

     

    Not sure if this does what you are asking, just want to make sure you know about it.

     

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=15501

     

     



  • 3.  RE: Syslog RADIUS Login/Logoff Message

    Posted May 08, 2015 11:03 AM

    Zach, I just downloaded that tech note and am reviewing it now.  Thanks



  • 4.  RE: Syslog RADIUS Login/Logoff Message

    EMPLOYEE
    Posted May 08, 2015 11:04 AM

    Here's a link to the syslog export filter for the Splunk App integration:

     

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=15500

     

    All this is available in the Documentation section of the support site: Documentation->Software->ClearPass->Policy Manager->Tech Notes



  • 5.  RE: Syslog RADIUS Login/Logoff Message

    Posted May 08, 2015 11:37 AM

    I reviewed the technote, but there are no details on how to tweak the session event log message that is sent.

     

    Message I am currently sending below.  My problem is that I am trying to determine if this is a login or logoff event.  Is there a field that can denote this?

     

    I see the field:  Login-Status=ACCEPT, is there another that can be used perhaps?

     

    May  8 11:30:55 10.237.6.129 2015-05-08: 11:30:55,478 10.237.6.129 TEST_CPPM_RADIUS_Session 3 1 0 RADIUS.Acct-Calling-Station-Id=5C-26-0A-71-67-80,Common.Roles=[Machine Authenticated], [User Authenticated],RADIUS.Acct-Framed-IP-Address=10.238.32.81,RADIUS.Auth-Source=AD:cp1adplim07.domain.com,RADIUS.Acct-Timestamp=2015-05-08 11:30:48-04,Common.Request-Id=R0000006c-01-554cd69d,Common.Source=RADIUS,RADIUS.Auth-Method=EAP-PEAP,EAP-MSCHAPv2,Common.Login-Status=ACCEPT,TimestampFormat=yyyy-MM-dd HH:mm:ss,S,Common.Username=billbob,src=10.237.6.129,RADIUS.Acct-Username=host/7FP23R1.domain.com,RADIUS.Acct-NAS-IP-Address=10.238.32.99,Common.Service=CISCO_WIRED_802.1X_SERVICE
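
Added example, not part of the thread or of Aruba's documentation: a Python parser for the session message posted above that pulls out the username, framed IP address and Login-Status for a collector. It assumes a comma starts a new field only when it is followed by `key=` (values such as `Common.Roles` and `RADIUS.Auth-Method` contain commas themselves); the function names are hypothetical.

```python
import re

# Session log line copied from the post above, split only for readability.
SAMPLE = (
    "May  8 11:30:55 10.237.6.129 2015-05-08: 11:30:55,478 10.237.6.129 "
    "TEST_CPPM_RADIUS_Session 3 1 0 "
    "RADIUS.Acct-Calling-Station-Id=5C-26-0A-71-67-80,"
    "Common.Roles=[Machine Authenticated], [User Authenticated],"
    "RADIUS.Acct-Framed-IP-Address=10.238.32.81,"
    "RADIUS.Auth-Source=AD:cp1adplim07.domain.com,"
    "RADIUS.Acct-Timestamp=2015-05-08 11:30:48-04,"
    "Common.Request-Id=R0000006c-01-554cd69d,Common.Source=RADIUS,"
    "RADIUS.Auth-Method=EAP-PEAP,EAP-MSCHAPv2,Common.Login-Status=ACCEPT,"
    "TimestampFormat=yyyy-MM-dd HH:mm:ss,S,Common.Username=billbob,"
    "src=10.237.6.129,RADIUS.Acct-Username=host/7FP23R1.domain.com,"
    "RADIUS.Acct-NAS-IP-Address=10.238.32.99,"
    "Common.Service=CISCO_WIRED_802.1X_SERVICE"
)

# Assumption: a field name starts with a letter and holds letters, digits, '.', '_' or '-'.
KEY = r"[A-Za-z][\w.-]*"


def parse_session_event(line):
    """Return the key=value payload of a session log line as a dict."""
    # Skip the syslog header: the payload starts at the first token shaped like "key=".
    start = re.search(rf"(?:^|\s)(?={KEY}=)", line)
    if not start:
        return {}
    fields = {}
    # Split only on commas that introduce a new key, so commas inside values survive.
    for pair in re.split(rf",(?={KEY}=)", line[start.end():].strip()):
        name, _, value = pair.partition("=")
        fields[name] = value
    return fields


def session_summary(line):
    """Pick out the three values asked for in the thread; missing ones are None."""
    f = parse_session_event(line)
    return {
        "username": f.get("Common.Username"),
        "framed_ip": f.get("RADIUS.Acct-Framed-IP-Address"),
        "login_status": f.get("Common.Login-Status"),
    }


if __name__ == "__main__":
    print(session_summary(SAMPLE))
```

The sample line carries `Common.Login-Status=ACCEPT` but no field that marks a logoff, so the summary can only report what the filter exports.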