Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Authentication records for last 6 months

  • 1.  Authentication records for last 6 months

    Posted Jun 16, 2015 10:07 AM

    Hi,

    As a security concern, I have to retain the authentication records (username/user IP/user MAC/timestamp) from ClearPass for at least the last 6 months. But when I search for them in ClearPass, I can only see up to the last few days. I tried pointing the authentication records to a 3rd party syslog server, but I am unable to get the proper data.

    Has anybody tried this?

     



  • 2.  RE: Authentication records for last 6 months

    EMPLOYEE
    Posted Jun 16, 2015 10:10 AM

    ClearPass keeps 7 days by default. This can be increased but is not recommended in most cases.

     

    Syslog is absolutely supported.

     

    What syslog server are you using? Can you post some screenshots of your syslog export setup?



  • 3.  RE: Authentication records for last 6 months

    Posted Jun 16, 2015 10:21 AM

    Hi Tim,

    Thanks for the instant response !

    I am temporarily using 3cdaemon syslog server for testing purposes. I tried different column selections but I am unable to get the data which I need.

     



  • 4.  RE: Authentication records for last 6 months

    EMPLOYEE
    Posted Jun 16, 2015 10:41 AM

    What data are you trying to get that's not listed there?

    Or is the issue you're not getting any data in your syslog server?



  • 5.  RE: Authentication records for last 6 months

    Posted Jun 16, 2015 10:48 AM

    I need the client's username, MAC address, IP address and the timestamp.

    I do receive data, but that is not what I need.

    We need this for copyright infringement cases, to identify the user.



  • 6.  RE: Authentication records for last 6 months
    Best Answer

    EMPLOYEE
    Posted Jun 16, 2015 10:52 AM
    You'll need accounting enabled in order to get the IP with 802.1X.


    Thanks,
    Tim


  • 7.  RE: Authentication records for last 6 months

    Posted Jun 17, 2015 08:54 AM

    I enabled accounting and I am able to get the data but in most of the cases it says "RADIUS.Acct-Framed-IP-Address=null." 

    Below is a sample of two logs, one with null and one with an IP address!

     

    eg:

    Jun 17 08:36:02 X.X.X.X Jun 17 2015 08:36:00.922 EDT X.X.X.X CEF:0|Aruba Networks|ClearPass|6.5.0.71095|42133-1-0|Session Logs|0|TimestampFormat=MMM dd yyyy HH:mm:ss.SSS zzz RADIUS.Acct-Framed-IP-Address=null Common.Username=dc:86:d8:93:5c:45 Common.Request-Timestamp=2015-06-17 08:34:03-04 Common.Host-MAC-Address=dc86d8935c45 src=X.X.X.X 

    Jun 17 08:36:02 X.X.X.X Jun 17 2015 08:36:00.922 EDT X.X.X.X CEF:0|Aruba Networks|ClearPass|6.5.0.71095|42134-1-0|Session Logs|0|TimestampFormat=MMM dd yyyy HH:mm:ss.SSS zzz RADIUS.Acct-Framed-IP-Address=X.X.X.X Common.Username=dc:86:d8:93:5c:45 Common.Request-Timestamp=2015-06-17 08:34:03-04 Common.Host-MAC-Address=dc86d8935c45 src=X.X.X.X 



  • 8.  RE: Authentication records for last 6 months

    EMPLOYEE
    Posted Jun 17, 2015 08:57 AM

    Mbachhav,

     

    That is because 802.1X authentication occurs before a client gets an IP address, so a RADIUS accounting start is not always aware of what IP address a client receives.  Can you turn on RADIUS interim accounting and see if you get that information?

     

     



  • 9.  RE: Authentication records for last 6 months

    Posted Jun 17, 2015 09:07 AM

    Hi Colin,

    Thanks for the swift response! RADIUS interim accounting is already enabled!

     

    Mohit



  • 10.  RE: Authentication records for last 6 months
    Best Answer

    EMPLOYEE
    Posted Jun 17, 2015 09:13 AM

    What is your interim accounting interval?  You might have to wait 5 minutes to get that information, based on the interval.  Do you see anything in the accounting tab in ClearPass?  See if you see the IP address five minutes later in the tab and in the syslog message.

     

    Syslog messages in ClearPass are not necessarily real time, so it could take up to 2 minutes after the interim accounting message for it to show up in syslog from ClearPass.

     

     

     

     



  • 11.  RE: Authentication records for last 6 months

    Posted Jun 16, 2015 10:51 AM

    Hi ,

     

    Configuration looks correct. As a workaround, take a packet capture at the syslog end for at least 15 minutes to confirm whether the CPPM server is pushing the required data.

     

    Please feel free for any further help on this.
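
For the retention use case discussed in this thread, the following is an added example (not posted by any participant and not Aruba code) that parses CEF session lines like the ones in post 7 and merges records of the same session, so an IP address arriving in a later accounting record replaces an earlier `Acct-Framed-IP-Address=null`. It assumes records of one session share the same `Common.Host-MAC-Address` and `Common.Request-Timestamp`, as the two sample lines do; the usernames, MACs and IPs below are constructed.

```python
import re

# Constructed sample lines in the CEF layout shown in the thread (made-up values).
LINE_FMT = ("Jun 17 08:36:02 192.0.2.10 Jun 17 2015 08:36:00.922 EDT 192.0.2.10 "
            "CEF:0|Aruba Networks|ClearPass|6.5.0.71095|{sid}|Session Logs|0|"
            "TimestampFormat=MMM dd yyyy HH:mm:ss.SSS zzz "
            "RADIUS.Acct-Framed-IP-Address={ip} Common.Username={user} "
            "Common.Request-Timestamp={ts} Common.Host-MAC-Address={mac} src=192.0.2.10")
SAMPLE = [
    LINE_FMT.format(sid="1001-1-0", ip="null", user="alice",
                    ts="2015-06-17 08:34:03-04", mac="020000aabb01"),
    LINE_FMT.format(sid="1002-1-0", ip="198.51.100.23", user="alice",
                    ts="2015-06-17 08:34:03-04", mac="020000aabb01"),
    LINE_FMT.format(sid="1003-1-0", ip="null", user="bob",
                    ts="2015-06-17 08:35:10-04", mac="020000aabb02"),
    "Jun 17 08:36:05 192.0.2.10 some unrelated syslog message",
]

# key=value pairs; a value runs until the next " key=" or end of line,
# so values containing spaces (timestamps) stay intact.
EXT_RE = re.compile(r"([\w.\-]+)=(.*?)(?=\s+[\w.\-]+=|\s*$)")

def parse_cef(line):
    """Return the CEF extension fields of one syslog line as a dict, or None."""
    start = line.find("CEF:")
    parts = line[start:].split("|", 7) if start >= 0 else []
    return dict(EXT_RE.findall(parts[7])) if len(parts) == 8 else None

def retention_records(lines):
    """One record per session (MAC + request timestamp), IP filled when seen."""
    sessions = {}
    for line in lines:
        ext = parse_cef(line)
        if not ext:
            continue  # not a ClearPass CEF record
        key = (ext.get("Common.Host-MAC-Address"), ext.get("Common.Request-Timestamp"))
        rec = sessions.setdefault(key, {"username": ext.get("Common.Username"),
                                        "mac": key[0], "timestamp": key[1], "ip": None})
        ip = ext.get("RADIUS.Acct-Framed-IP-Address")
        if ip and ip != "null":
            rec["ip"] = ip
    return list(sessions.values())

def missing_ip(records):
    """Sessions that never reported an IP; check these against interim accounting."""
    return [r for r in records if r["ip"] is None]

if __name__ == "__main__":
    for r in retention_records(SAMPLE):
        print(r)
```

Sessions returned by `missing_ip` are the ones to check against the interim accounting interval before the records are archived.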