Occasional Contributor I
Posts: 9
Registered: ‎02-09-2015

Authentication records for last 6 months

Hi,

As a security concern, I have to retain the authentication records (username/user IP/user MAC/timestamp) from ClearPass for at least the last 6 months. But when I search for them on ClearPass I can only see up to the last few days. I tried pointing the authentication records to a 3rd party syslog server but I am unable to get the proper data.

Has anybody tried this?

Guru Elite
Posts: 8,641
Registered: ‎09-08-2010

Re: Authentication records for last 6 months

ClearPass keeps 7 days by default. This can be increased but is not recommended in most cases.

Syslog is absolutely supported.

What syslog server are you using? Can you post some screenshots of your syslog export setup?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 9
Registered: ‎02-09-2015

Re: Authentication records for last 6 months

Hi Tim,

Thanks for the instant response!

I am temporarily using the 3CDaemon syslog server for testing purposes. I tried different column selections but I am unable to get the data which I need.

Guru Elite
Posts: 8,641
Registered: ‎09-08-2010

Re: Authentication records for last 6 months

What data are you trying to get that's not listed there?

Or is the issue that you're not getting any data in your syslog server?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 9
Registered: ‎02-09-2015

Re: Authentication records for last 6 months

I need the client's username, MAC address, IP address and the timestamp.

I do receive data but that is not what I need.

We need this for copyright infringement cases, to identify the user.

Valued Contributor II
Posts: 804
Registered: ‎12-01-2014

Re: Authentication records for last 6 months

Hi,

Configuration looks correct. As a workaround, take a packet capture at the syslog end for at least 15 minutes to confirm whether the CPPM server is pushing the required data.

Please feel free for any further help on this.

Cheers,
Venu Puduchery,
[Is my post helped you ? Give Kudos :) ]
Guru Elite
Posts: 8,641
Registered: ‎09-08-2010

Re: Authentication records for last 6 months

You'll need accounting enabled in order to get the IP with 802.1X.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 9
Registered: ‎02-09-2015

Re: Authentication records for last 6 months

I enabled accounting and I am able to get the data, but in most cases it says "RADIUS.Acct-Framed-IP-Address=null".

Below is a sample of two logs, one with null and one with an IP address:

Jun 17 08:36:02 X.X.X.X Jun 17 2015 08:36:00.922 EDT X.X.X.X CEF:0|Aruba Networks|ClearPass|6.5.0.71095|42133-1-0|Session Logs|0|TimestampFormat=MMM dd yyyy HH:mm:ss.SSS zzz RADIUS.Acct-Framed-IP-Address=null Common.Username=dc:86:d8:93:5c:45 Common.Request-Timestamp=2015-06-17 08:34:03-04 Common.Host-MAC-Address=dc86d8935c45 src=X.X.X.X 

Jun 17 08:36:02 X.X.X.X Jun 17 2015 08:36:00.922 EDT X.X.X.X CEF:0|Aruba Networks|ClearPass|6.5.0.71095|42134-1-0|Session Logs|0|TimestampFormat=MMM dd yyyy HH:mm:ss.SSS zzz RADIUS.Acct-Framed-IP-Address=X.X.X.X Common.Username=dc:86:d8:93:5c:45 Common.Request-Timestamp=2015-06-17 08:34:03-04 Common.Host-MAC-Address=dc86d8935c45 src=X.X.X.X 

Guru Elite
Posts: 21,280
Registered: ‎03-29-2007

Re: Authentication records for last 6 months

Mbachhav,

That is because 802.1X authentication occurs before a client gets an IP address, so a RADIUS accounting start is not always aware of what IP address a client receives. Can you turn on RADIUS interim accounting and see if you get that information?



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 9
Registered: ‎02-09-2015

Re: Authentication records for last 6 months

Hi Colin,

Thanks for the swift response! RADIUS interim accounting is already enabled!

Mohit
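
Added example (not from any poster in this thread and not Aruba's code): the Python below parses session-log lines in the CEF layout quoted above and merges records for the same MAC and request timestamp, so a record with RADIUS.Acct-Framed-IP-Address=null is filled in by a later record that carries the address. The merge key, the function names and the sample lines (documentation addresses, one made-up user) are assumptions made for this example.

```python
import re

# Constructed sample lines in the CEF layout quoted in the thread.
# Addresses are documentation placeholders (RFC 5737), not real data.
def sample_line(event_id, ip, user, mac, ts="2015-06-17 08:34:03-04"):
    return ("Jun 17 08:36:02 192.0.2.10 Jun 17 2015 08:36:00.922 EDT 192.0.2.10 "
            f"CEF:0|Aruba Networks|ClearPass|6.5.0.71095|{event_id}|Session Logs|0|"
            "TimestampFormat=MMM dd yyyy HH:mm:ss.SSS zzz "
            f"RADIUS.Acct-Framed-IP-Address={ip} Common.Username={user} "
            f"Common.Request-Timestamp={ts} Common.Host-MAC-Address={mac} "
            "src=192.0.2.10 ")

SAMPLE = [
    sample_line("42133-1-0", "null", "dc:86:d8:93:5c:45", "dc86d8935c45"),
    sample_line("42134-1-0", "198.51.100.23", "dc:86:d8:93:5c:45", "dc86d8935c45"),
    sample_line("42135-1-0", "null", "jdoe", "001122aabbcc"),  # never reports an IP
]

# key=value pairs; a value runs until the next " key=" or end of line,
# so values containing spaces (the two timestamp fields) stay intact.
KV = re.compile(r"([\w.\-]+)=(.*?)(?=\s+[\w.\-]+=|\s*$)")

def parse_cef(line):
    """Return the CEF extension of one syslog line as a dict, or None."""
    _, sep, cef = line.partition("CEF:")
    parts = cef.split("|", 7)          # 7 header fields, then the extension
    if not sep or len(parts) < 8:
        return None
    return dict(KV.findall(parts[7]))

def retention_records(lines):
    """Merge records per (MAC, request timestamp), preferring a non-null IP."""
    sessions = {}
    for line in lines:
        ext = parse_cef(line)
        if not ext or "Common.Host-MAC-Address" not in ext:
            continue
        mac = re.sub(r"[^0-9a-f]", "", ext["Common.Host-MAC-Address"].lower())
        ts = ext.get("Common.Request-Timestamp")
        rec = sessions.setdefault((mac, ts), {
            "username": ext.get("Common.Username"), "mac": mac,
            "ip": None, "timestamp": ts})
        ip = ext.get("RADIUS.Acct-Framed-IP-Address")
        if ip and ip != "null":        # keep None when no record has the IP
            rec["ip"] = ip
    return list(sessions.values())

if __name__ == "__main__":
    for record in retention_records(SAMPLE):
        print(record)
```

Records whose "ip" is still None after merging show which sessions never reported a framed IP, which is the gap to check before relying on the archive.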
