Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Multi-server ClearPass Deployment

  • 1.  Multi-server ClearPass Deployment

    Posted Jul 25, 2013 03:09 PM

    I am building our new ClearPass server cluster(s) and have just discovered that Access Tracker is independent on each subscriber. In other words, it is not all aggregated to the publisher. Since load balancing across the subscribers is recommended by Aruba, what is the recommended method for tracking a user's authentications throughout the day? It is not easily determined on which subscriber the user's authentication will take place (since a centralized load balancer is used). Is this where the Insight product is used? I've touched on it a bit, but I'm not finding a place to show all the authentications.

     

    Anyone else with a multi-server ClearPass deployment with whom I could consult?



  • 2.  RE: Multi-server ClearPass Deployment

    EMPLOYEE
    Posted Jul 25, 2013 03:11 PM

    We have requested the option to search all cluster members in Access Tracker. Currently we have to flip between them when searching.

     

    You could use the Insight search feature as well, which tends to allow a lot more search options.

     

    The nice thing with Insight is there are preconfigured templates for failed auths by authentication type.

     




  • 3.  RE: Multi-server ClearPass Deployment

    Posted Jul 25, 2013 04:33 PM

    Using Insight, though, how can I tell on which subscriber an auth failure occurred? This would allow me to then dig into that subscriber, into the failed auth, and read the detailed logs on why they failed (which is NOT available in Insight). Any ideas?



  • 4.  RE: Multi-server ClearPass Deployment

    EMPLOYEE
    Posted Jul 25, 2013 09:46 PM

    Good point. Feature request!



  • 5.  RE: Multi-server ClearPass Deployment

    Posted Jul 26, 2013 12:50 AM
    Dang...I was really hoping this was already there. (Aruba, insert comments here.) Sadly, I'm finding that once again, we have an application that lacks good network-wide visibility.


  • 6.  RE: Multi-server ClearPass Deployment

    Posted Jul 26, 2013 12:39 PM

    Tim, can you explain to me how you functionally use Insight? I'm realizing, too, that the search results don't even include timestamps! How on earth does one troubleshoot user authentications in a multi-server environment???

     

    (Again, Aruba, feel free to chime in with some advice here.)



  • 7.  RE: Multi-server ClearPass Deployment

    EMPLOYEE
    Posted Jul 26, 2013 01:00 PM

    We're really only using Insight for trending/counts and time period reports, not really for troubleshooting.



  • 8.  RE: Multi-server ClearPass Deployment

    Posted Jul 27, 2013 12:58 AM

    Sadly, this was available in earlier code and, from what I understand, is coming back (no ETA).

     


    Charlie