Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Query related to Clearpass Alerting for Radius Auth failures

  • 1.  Query related to Clearpass Alerting for Radius Auth failures

    Posted Aug 10, 2020 11:14 AM

    Hi Guys,

    Currently we can configure alerting for Radius Auth failures using Insight based on the number of failures for x amount of time.

    Can we customize this alert to trigger based on the number of auth failures seen for different users?

    N failures are seen within x minutes of time for an individual user.

    I am not looking for an alert based on the cumulative count of all users.

    E.g.: User X had 4 auth failures in the last 5 minutes.

    Background:

    I am trying to set up alerting for users whose devices have undergone consecutive failures (mostly phones remembering old passwords) to avoid account lockouts, or to alert IT support so they can inform the users about the same.

    There are ways to tweak the LDAP filters to ensure Clearpass can refrain from sending the requests which can lead to account lockout.

    However, that requires Clearpass to always check against the PDC, as that maintains the badPwdCount parameter value globally, which is not feasible in our case.



  • 2.  RE: Query related to Clearpass Alerting for Radius Auth failures

    Posted Aug 10, 2020 06:28 PM

    Hi Nitesh,

    How are you?

    The native alert features would not meet your requirement.

    You may try Insight as an authorization source in the service, pull the failed auth requests in the past X mins for the authenticating username, and trigger an alert email through Post-auth enforcement >> Context Server Action, which sends the email using a local API (REST API) call.

    Reference for the enforcement: https://github.com/aruba/clearpass-exchange-snippets/tree/master/messaging/clearpass-smtp

    Here is the sample query for reference (4 auth failures in 5 mins):

    select CASE WHEN count(*) >= 4 THEN 'True' ELSE 'False' END from auth where username = '%{Authentication:Username}' AND auth_status = 'Failed' AND timestamp >= NOW() - interval '5 mins';
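The per-user count that the Insight query above computes, as an added example that is not part of Saravanan's post or of ClearPass itself: a stand-alone Python model of the same logic run over constructed auth records. The column names username, auth_status and timestamp are taken from the query; the rows, the fixed NOW value and the function names are this example's own assumptions. It also generalizes the query to list every user over the threshold, and contrasts that with the cumulative count across all users that the original question rules out.

```python
"""Per-user RADIUS auth-failure counting over a trailing time window.

Added example, not ClearPass code: it models the logic of the Insight
authorization-source query from the thread (count of rows with
auth_status = 'Failed' for one username in the last 5 minutes, compared
against a threshold of 4) on constructed records, then generalizes it to
report every user over the threshold rather than only the authenticating one.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of the Insight `auth` table. The column names
# (username, auth_status, timestamp) are the ones the thread's query uses;
# the rows themselves are made up for this example.
AUTH_RECORDS = [
    # alice: four failures inside the window (a phone retrying an old password)
    {"username": "alice", "auth_status": "Failed", "timestamp": datetime(2020, 8, 10, 11, 0, 10)},
    {"username": "alice", "auth_status": "Failed", "timestamp": datetime(2020, 8, 10, 11, 1, 30)},
    {"username": "alice", "auth_status": "Failed", "timestamp": datetime(2020, 8, 10, 11, 2, 45)},
    {"username": "alice", "auth_status": "Accept", "timestamp": datetime(2020, 8, 10, 11, 3, 0)},
    {"username": "alice", "auth_status": "Failed", "timestamp": datetime(2020, 8, 10, 11, 4, 0)},
    # bob: three failures older than the window, only two inside it
    {"username": "bob", "auth_status": "Failed", "timestamp": datetime(2020, 8, 10, 10, 50, 0)},
    {"username": "bob", "auth_status": "Failed", "timestamp": datetime(2020, 8, 10, 10, 52, 0)},
    {"username": "bob", "auth_status": "Failed", "timestamp": datetime(2020, 8, 10, 10, 54, 30)},
    {"username": "bob", "auth_status": "Failed", "timestamp": datetime(2020, 8, 10, 11, 1, 0)},
    {"username": "bob", "auth_status": "Failed", "timestamp": datetime(2020, 8, 10, 11, 3, 30)},
    # carol: a single failure
    {"username": "carol", "auth_status": "Failed", "timestamp": datetime(2020, 8, 10, 11, 2, 0)},
]

# Stands in for NOW() in the query so the example is deterministic (assumed value).
NOW = datetime(2020, 8, 10, 11, 5, 0)
WINDOW = timedelta(minutes=5)   # interval '5 mins'
THRESHOLD = 4                   # count(*) >= 4


def _recent_failures(records, now, window):
    """Rows matching auth_status = 'Failed' AND timestamp >= NOW() - interval."""
    cutoff = now - window
    return [r for r in records
            if r["auth_status"] == "Failed" and r["timestamp"] >= cutoff]


def failures_in_window(records, username, now=NOW, window=WINDOW):
    """count(*) for one username, i.e. the per-user count the query computes."""
    return sum(1 for r in _recent_failures(records, now, window)
               if r["username"] == username)


def over_threshold(records, username, now=NOW, window=WINDOW, threshold=THRESHOLD):
    """Mirrors the CASE expression: the string 'True' or 'False' that the
    authorization source would expose as an attribute for enforcement."""
    count = failures_in_window(records, username, now, window)
    return "True" if count >= threshold else "False"


def total_failures_in_window(records, now=NOW, window=WINDOW):
    """Cumulative count across all users, which the original poster
    explicitly did not want to alert on."""
    return len(_recent_failures(records, now, window))


def users_over_threshold(records, now=NOW, window=WINDOW, threshold=THRESHOLD):
    """Generalization of the per-user query: every username whose own failure
    count in the window reaches the threshold (the shape a scheduled report,
    rather than a per-request authorization lookup, would use)."""
    counts = defaultdict(int)
    for r in _recent_failures(records, now, window):
        counts[r["username"]] += 1
    return sorted(u for u, c in counts.items() if c >= threshold)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, failures_in_window(AUTH_RECORDS, user), over_threshold(AUTH_RECORDS, user))
    print("cumulative:", total_failures_in_window(AUTH_RECORDS))
    print("per-user over threshold:", users_over_threshold(AUTH_RECORDS))
```

With these records the cumulative count in the window is 7, so a threshold on the total would fire even though only alice has reached 4 failures on her own; the per-user lookup is what avoids that false alarm. In ClearPass the query's 'True'/'False' result becomes an authorization attribute that the post-auth enforcement condition matches on; this block only reproduces the counting, not the enforcement plumbing.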

     



  • 3.  RE: Query related to Clearpass Alerting for Radius Auth failures

    Posted Aug 11, 2020 05:39 AM

    Hi Saravanan,

    I am doing well. Thanks!

    I hope you are doing great.

    We are using Clearpass version 6.8.5.

    When I tried importing the XML file, it throws an error:

    "User admin tried to import EnforcementProfile Details
    Reason for Failure: Error in processing request. Please retry..."

    Do I need to change any of the parameters in the XML file prior to importing it?



  • 4.  RE: Query related to Clearpass Alerting for Radius Auth failures

    Posted Aug 12, 2020 01:01 PM

    Nitesh,

    Extract and import the attached Context Server Action under Administration » Dictionaries » Context Server Actions.

    Then create an HTTP enforcement profile as below.

    Enforcement.jpg

    Note: You need to apply changes to Context Server action >> Send Email >> Content.



  • 5.  RE: Query related to Clearpass Alerting for Radius Auth failures

    Posted Aug 21, 2020 05:49 AM

    Hi Saravanan,

    Thank you for the details.

    I will test this out next week and see if it helps in addressing the use case I mentioned.