Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Guest Reject - Logging and/or Alerting??

  • 1.  ClearPass Guest Reject - Logging and/or Alerting??

    Posted Sep 23, 2019 11:22 AM

    Hey all!  I just recently set up a Guest Captive Portal through our ClearPass cluster which requires sponsor approval.  That's all good, everything is working really well.  

     

    I just got my first incident ticket regarding a rejected user (rejected by sponsor).  When the user is rejected it is removed completely from the Guest db. 

     

    Bouncing back to Policy Manager, I can see in the Audit Viewer there is an ADD line and a REMOVE line for this user that was rejected.  When clicking into the REMOVE log the user's status is showing Approved.  

    This is the REMOVE log entry

    Is there any way to export a log or alert on this?  As of now I have no way to audit what users get rejected.

     

    Somewhat unrelated to alerting but related to logging - the Sponsor Name field (in photo) is showing up as the guest's email address and not the actual Employee Sponsor.  Any way to modify the Audit log's attributes in this output above?  We have the sponsor field named "sponsor_email_company" and I noticed that "sponsor_email" is actually recording the guest's email address instead of the Employee's.  I did double check, we're not assigning the "sponsor_email" attribute to any field in the self-registration page.

     

    Thanks!

     



  • 2.  RE: ClearPass Guest Reject - Logging and/or Alerting??

    EMPLOYEE
    Posted Sep 25, 2019 03:18 AM

    You can create a Syslog export filter for Audit Records. You can then leverage the filtering capabilities of your SIEM to get the specific message.



  • 3.  RE: ClearPass Guest Reject - Logging and/or Alerting??

    Posted Sep 25, 2019 12:58 PM

    Sorry, I may not have made my question clear - I can't do that because there is no evidence of a REJECT, only REMOVE.  When the Employee clicked on REJECT in the captive portal, ClearPass Audit Viewer logged the Guest's "Approval Status" as "Approved", even though they were rejected.

     

    I could set up an export filter for Audit Viewer like you said and filter in the collector; however, there is currently no REJECT identifier.  If I filter by REMOVE (in collector) I could see all the users that are Removed either by an administrator or by "clusteradmin"; the Clusteradmin account also shows up when reviewing our auto-removal of expired Guest Accounts.

     

    The main question would be - how do I identify the difference between a REJECTED Guest user and a user who was simply removed from the database due to auto-removal after expiration?