
Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass no TACACS REJECTs in syslog?

  • 1.  ClearPass no TACACS REJECTs in syslog?

    Posted Feb 02, 2024 06:30 AM

    I noticed that I'm not getting any REJECTs from a TACACS service in syslog.

    In the access tracker the REJECTs show up, but not on the syslog server. I did a packet capture to be sure they really aren't in the traffic and didn't see them there either. So it isn't a syslog server issue.

    The ACCEPTs show up fine on the syslog server side.


    These are syslog filter settings.


    Export Template: Session Logs

    Include Audit Entity Details:       

    Export Event Format Type: Standard

    Local Facility Level: Local Use 1 (local1)


    Data Filter:         

    [TACACS Requests]


    Columns Selection:

    Anyone seen this before or have an idea what is going on?

  • 2.  RE: ClearPass no TACACS REJECTs in syslog?

    Posted Feb 13, 2024 08:28 AM

    I don't see TACACS rejects either in syslog (but do see accepts). Can you open a TAC Support case for that?

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

  • 3.  RE: ClearPass no TACACS REJECTs in syslog?
    Best Answer

    Posted 10 days ago

    Thanks for checking Herman, created a support case and was able to solve the specific issue with their guidance. It has to do with the Columns Selection. Some of those fields don't exist in the TACACS reject so then the whole request won't be sent via syslog.

    When you remove some of the selected fields like Common.Roles and TACACS.Privilege-Level the REJECTS are logged via syslog. But now the ACCEPTS don't show the Roles anymore which was useful. So I end up with two syslog filters causing part of the info to be logged twice.

    Not fully sure how to make this work as I want.
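
Added example, not part of the thread and not ClearPass or HPE code: one way to live with the two-filter workaround from post 3 is to collapse the double-logged ACCEPTs on the receiving side, keyed on a request identifier that both filters export. It assumes a comma-separated Name=value payload; `Common.Request-Id`, `Common.Username`, `Common.Status` and the filter names `tacacs-full` / `tacacs-min` are hypothetical, so substitute the columns your filters actually send.

```python
import re

# Assumed payload: comma-separated Name.Field=value pairs after the syslog header.
# Only Common.Roles and TACACS.Privilege-Level come from the thread; the
# Request-Id, Username and Status field names are hypothetical.
PAIR = re.compile(r"([A-Za-z][\w-]*\.[\w-]+)=(.*?)(?=,[A-Za-z][\w-]*\.[\w-]+=|$)")
ID_FIELD = "Common.Request-Id"
STATUS_FIELD = "Common.Status"

# Constructed sample. "tacacs-full" selects the role/privilege columns, so it
# only ever emits ACCEPTs; "tacacs-min" omits them and emits ACCEPTs and REJECTs.
SAMPLE = [
    "<142>Feb 13 08:28:01 cppm01 tacacs-full Common.Request-Id=T0001,Common.Username=alice,"
    "Common.Roles=[TACACS Super Admin, NetOps],TACACS.Privilege-Level=15,Common.Status=ACCEPT",
    "<142>Feb 13 08:28:01 cppm01 tacacs-min Common.Request-Id=T0001,Common.Username=alice,"
    "Common.Status=ACCEPT",
    "<142>Feb 13 08:29:40 cppm01 tacacs-min Common.Request-Id=T0002,Common.Username=bob,"
    "Common.Status=REJECT",
    "<142>Feb 13 08:31:12 cppm01 tacacs-min Common.Request-Id=T0003,Common.Username=carol,"
    "Common.Status=ACCEPT",
    "<142>Feb 13 08:31:12 cppm01 tacacs-full Common.Request-Id=T0003,Common.Username=carol,"
    "Common.Roles=[Read Only],TACACS.Privilege-Level=1,Common.Status=ACCEPT",
]

def parse(line):
    """Return the Name.Field=value pairs of one line; commas inside a value are kept."""
    return dict(PAIR.findall(line))

def merge(lines, id_field=ID_FIELD):
    """Collapse records from both filters into one event per request id."""
    events, unkeyed = {}, []
    for line in lines:
        fields = parse(line)
        key = fields.get(id_field)
        if key is None:
            unkeyed.append(fields)  # cannot correlate: keep it rather than drop it
            continue
        merged = events.setdefault(key, {})
        for name, value in fields.items():
            merged.setdefault(name, value)  # union of columns, first value wins
    return list(events.values()) + unkeyed

def rejects(events):
    """Events to alert on: failed TACACS authentications."""
    return [e for e in events if e.get(STATUS_FIELD) == "REJECT"]

if __name__ == "__main__":
    for event in merge(SAMPLE):
        print(event)
```

Records without the identifier are passed through unmerged, so a filter that stops exporting that column shows up as duplicates rather than as missing REJECTs.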