06-16-2015 07:06 AM
As a security concern, I have to retain the authentication records (username/user IP/User mac/Timestamp) from clearpass atleast for last 6 months. But when i search it on clearpass i could just see upto last few days. I tried pointing the authentication records to a 3rd party syslog server but I am unable to get the proper data.
Has anybody tried this ??
Solved! Go to Solution.
06-16-2015 07:10 AM
ClearPass keeps 7 days by default. This can be increased but is not recommended in most cases.
Syslog is abolustely supported.
What syslog server are you using? Can you post some screenshots of your syslog export setup?
06-16-2015 07:21 AM
Thanks for the instant response !
I am temporarily using 3cdaemon syslog server for testing purposes. I tried different column selections but I am unable to get the data which I need.
06-16-2015 07:40 AM
06-16-2015 07:48 AM
I need the clients username, mac address, IP address and the time stamp.
I do receive data but that is not what i need.
we need this for copyright infringement cases, to identify the user.
06-16-2015 07:50 AM
Configuration looks correct. as the work around, take the pkt capture at the Syslog end for at least 15 mins to confirm whether CPPM server pushing the required data.
Please feel free for any further help on this.
[Is my post helped you ? Give Kudos :) ]
06-16-2015 07:51 AM
06-17-2015 05:53 AM
I enabled accounting and I am able to get the data but in most of the cases it says "RADIUS.Acct-Framed-IP-Address=null."
Below is the sample for the two logs with null and with an IP address !
Jun 17 08:36:02 X.X.X.X Jun 17 2015 08:36:00.922 EDT X.X.X.X CEF:0|Aruba Networks|ClearPass|184.108.40.206095|42133-1-0|Session Logs|0|TimestampFormat=MMM dd yyyy HH:mm:ss.SSS zzz RADIUS.Acct-Framed-IP-Address=null Common.Username=dc:86:d8:93:5c:45 Common.Request-Timestamp=2015-06-17 08:34:03-04 Common.Host-MAC-Address=dc86d8935c45 src=X.X.X.X
Jun 17 08:36:02 X.X.X.X Jun 17 2015 08:36:00.922 EDT X.X.X.X CEF:0|Aruba Networks|ClearPass|220.127.116.11095|42134-1-0|Session Logs|0|TimestampFormat=MMM dd yyyy HH:mm:ss.SSS zzz RADIUS.Acct-Framed-IP-Address=X.X.X.X Common.Username=dc:86:d8:93:5c:45 Common.Request-Timestamp=2015-06-17 08:34:03-04 Common.Host-MAC-Address=dc86d8935c45 src=X.X.X.X
06-17-2015 05:57 AM
That is because 802.1x authentication occurs before a client gets an ip address, so a radius accounting start is not always aware of what ip address a client receives. Can you turn on radius interim accounting and see if you get that information?
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base