Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Access Tracker API/DB

  • 1.  ClearPass Access Tracker API/DB

    Posted Apr 02, 2020 01:01 AM

    Hello,

    We have a few different VPNs being authenticated through our ClearPass cluster. I have a custom dashboard set up using the API to access the session data.

    It is working perfectly and the data is reporting as expected. However I need to 

    Is there a way to query the Access Tracker information through the API or directly to the DB? Or possibly have that data sent to a syslog server so I can parse it from there?

    I need things like the user's full name (from our AD) and most importantly the hostname of the system that connects. Since the VPNs are not ours, we are not sending DHCP to ClearPass for them to be profiled.



  • 2.  RE: ClearPass Access Tracker API/DB

    EMPLOYEE
    Posted Apr 02, 2020 04:14 AM

    You can configure syslog to be sent from ClearPass with information about the authentication using session logs, and you can find the username, date and several data that come from the NAS.



  • 3.  RE: ClearPass Access Tracker API/DB

    EMPLOYEE
    Posted Apr 02, 2020 05:19 AM

    I assume you want to get information out about these VPN sessions?

    I can't see a way to do this using the ClearPass RESTful API. However, you can do it via SQL (using the appexternal account) or syslog (though this is reliant on the standard output or hand-crafting your own output using SQL - have a look at https://ase.arubanetworks.com/solutions/id/234).

    Regarding the SQL - for real-time look in the tipsLogDb - specifically the tips_session_log_details and tips_radius_accounting_log tables - these look like they can be joined across the session_id and id respectively - though I haven't tested this.

    For longer term logs look at the Insightdb over the auth and radius_acct tables. These can be joined over the session_id and the {session_id} respectively. I previously posted a message explaining how to join these here https://community.arubanetworks.com/t5/Security/Clearpass-insightdb-join-auth-amp-radius-acct-tables-with/m-p/645814/highlight/true#M48800
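
The tipsLogDb join suggested in the reply above, as an added example that is not part of the original thread and is not ClearPass's own code. An in-memory SQLite database stands in for the appexternal connection; only the two table names and the session_id/id join keys come from the post, while every other column name and all rows are constructed assumptions, so check the real schema before reusing the query.

```python
import sqlite3

# Join keys as given in the thread:
#   tips_session_log_details.session_id = tips_radius_accounting_log.id
# LEFT JOIN keeps sessions that have no accounting row yet, so an
# authenticated session is not silently dropped from the dashboard.
# All selected/filtered columns are hypothetical placeholders.
JOIN_SQL = """
SELECT d.session_id, d.username, d.full_name,
       a.calling_station_id, a.framed_ip
FROM tips_session_log_details AS d
LEFT JOIN tips_radius_accounting_log AS a ON a.id = d.session_id
WHERE d.service_name = ?
ORDER BY d.session_id
"""

def build_sample_db():
    """Constructed stand-in for tipsLogDb (schema and rows are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tips_session_log_details
            (session_id TEXT, username TEXT, full_name TEXT, service_name TEXT);
        CREATE TABLE tips_radius_accounting_log
            (id TEXT, calling_station_id TEXT, framed_ip TEXT);
    """)
    db.executemany(
        "INSERT INTO tips_session_log_details VALUES (?, ?, ?, ?)",
        [("R0001", "alice", "Alice Example", "VPN-A"),
         ("R0002", "bob", "Bob Example", "VPN-A"),    # no accounting row yet
         ("R0003", "carol", "Carol Example", "WIRED")])
    db.executemany(
        "INSERT INTO tips_radius_accounting_log VALUES (?, ?, ?)",
        [("R0001", "198.51.100.7", "10.20.0.11"),
         ("R0003", "00-11-22-33-44-55", "10.30.0.9")])
    return db

def vpn_sessions(db, service_name):
    """Return one dict per session for a service; the filter value is bound
    as a parameter rather than formatted into the SQL string."""
    db.row_factory = sqlite3.Row
    return [dict(row) for row in db.execute(JOIN_SQL, (service_name,))]

if __name__ == "__main__":
    for session in vpn_sessions(build_sample_db(), "VPN-A"):
        print(session)
```

Against the real database the same statement would run over a PostgreSQL connection as the appexternal user, with the placeholder style of that driver.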