Security

I am seeing an odd thing with the session logs on my ClearPass deployment.

When I open up the details window for a RADIUS Request and click the show logs button, sometimes the logs are there and sometimes they are not. When the log is missing, a message saying "No Logs for this Session".

Other RADIUS requests from the same service are present.

Anyone know why this is happening?

 If something was processed, something should be there.  What was the exact result of the request? 

It does not seem to matter what the result of the request is it happens for both REJECTS and ACCEPT.  In the case of accepted authentications the role mappings and policies are being replied and the correct VSAs are being returned to the controllers.

I am trying to figure out if the requests which have no logs are all on the same node in the cluster or perhaps from the same wireless controller.

Did a little more poking around and it seems that the older the RADIUS request, the greater the likelihood the log will be missing.

If I look at requests from 12 hours ago, they are almost all gone but the most recent requests are all intact.

Is this after a certain date you are seeing this? Remember there is a setting in the cluster wide properties that allow you to retain the data longer. Just remember that can fill up the HD space if you are running in debug or you have a lot of clients connecting or reconnecting. 

My Cleanup intervals are all set to the defaults so I should see logs for 7 days.

If I go back 24 hrs. the logs from the previous day are missing for certain.

As far as I can tell the threshold is 12 hrs.  If I look at sessions from 11hrs ago the logs are still there.

What version of ClearPass do you have installed ?

Running version 6.2.4.5 appliance with 1 publisher and 1 subscriber.

We see this on 6.2.4 as well.