Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass no TACACS REJECTs in syslog?

  • 1.  ClearPass no TACACS REJECTs in syslog?

    Posted Feb 02, 2024 06:30 AM

    I noticed that I'm not getting any REJECTs from a TACACS service in syslog.

    In the Access Tracker the REJECTs show up, but not on the syslog server. I did a packet capture to be sure they really aren't in the traffic and didn't see them there either. So it isn't a syslog server issue.

    The ACCEPTs show up fine on the syslog server side.

     

    These are syslog filter settings.

    Export Template: Session Logs
    Include Audit Entity Details:
    Export Event Format Type: Standard
    Local Facility Level: Local Use 1 (local1)

    Data Filter:
    [TACACS Requests]

    Columns Selection:
    Common.Username
    Common.Service
    TACACS.Remote-Address
    TACACS.Privilege-Level
    Common.Request-Timestamp
    Common.NAS-IP-Address
    Common.NAS-Name
    Common.Login-Status
    Common.Enforcement-Profiles
    Common.Roles
    Common.Alerts
    Common.Error-Code

     

    Anyone seen this before or have an idea what is going on?



  • 2.  RE: ClearPass no TACACS REJECTs in syslog?

    EMPLOYEE
    Posted Feb 13, 2024 08:28 AM

    I don't see TACACS rejects either in syslog (but do see accepts). Can you open a TAC Support case for that?



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: ClearPass no TACACS REJECTs in syslog?
    Best Answer

    Posted 10 days ago

    Thanks for checking Herman, created a support case and was able to solve the specific issue with their guidance. It has to do with the Columns Selection. Some of those fields don't exist in the TACACS reject, so then the whole request won't be sent via syslog.

    When you remove some of the selected fields like Common.Roles and TACACS.Privilege-Level the REJECTS are logged via syslog. But now the ACCEPTS don't show the Roles anymore which was useful. So I end up with two syslog filters causing part of the info to be logged twice.

    Not fully sure how to make this work as I want.
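
One way to handle the two-filter workaround on the syslog collector, as an added example that is not part of any post in this thread and not ClearPass code: it merges the duplicate records the two filters produce and flags a feed that carries ACCEPTs but no REJECTs. The `Name=value,Name=value` payload layout, the `ACCEPT`/`REJECT` values, the sample lines and the choice of username, NAS IP and request timestamp as the merge key are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines. The "Name=value,Name=value" payload layout and the
# ACCEPT/REJECT values are assumptions; field names are the ones in the thread.
FULL_FILTER = [  # every column selected: only the ACCEPT arrives
    "<142>Feb 02 06:30:01 cppm tacacs-full Common.Username=alice,"
    "Common.Request-Timestamp=2024-02-02 06:30:01,"
    "Common.NAS-IP-Address=192.0.2.10,Common.Login-Status=ACCEPT,"
    "Common.Roles=NetAdmin, [User Authenticated],TACACS.Privilege-Level=15",
]
REDUCED_FILTER = [  # Roles and Privilege-Level removed: REJECTs arrive too
    "<142>Feb 02 06:30:01 cppm tacacs-min Common.Username=alice,"
    "Common.Request-Timestamp=2024-02-02 06:30:01,"
    "Common.NAS-IP-Address=192.0.2.10,Common.Login-Status=ACCEPT",
    "<142>Feb 02 06:31:12 cppm tacacs-min Common.Username=bob,"
    "Common.Request-Timestamp=2024-02-02 06:31:12,"
    "Common.NAS-IP-Address=192.0.2.10,Common.Login-Status=REJECT",
]

FIELD = r"(?:Common|TACACS)\.[A-Za-z-]+="
KEY = ("Common.Username", "Common.NAS-IP-Address", "Common.Request-Timestamp")

def parse_fields(line):
    """Return the exported columns of one line as a dict ({} if none found)."""
    start = re.search(FIELD, line)
    if not start:
        return {}
    # Split only on commas that begin a new column, so values may contain commas.
    pairs = re.split(r",(?=" + FIELD + ")", line[start.start():])
    return dict(pair.split("=", 1) for pair in pairs)

def merge_events(lines):
    """Collapse copies of one request sent by both filters into a single record."""
    events = {}
    for line in lines:
        fields = parse_fields(line)
        key = tuple(fields.get(name) for name in KEY)
        if None not in key:
            events.setdefault(key, {}).update(fields)
    return list(events.values())

def rejects_missing(events):
    """True when ACCEPTs are arriving but no REJECT is: the gap from the thread."""
    seen = Counter(event.get("Common.Login-Status") for event in events)
    return seen["ACCEPT"] > 0 and seen["REJECT"] == 0
```

Running `rejects_missing` over a day of collected lines gives a simple alert for a filter that has silently stopped exporting failed logins.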