Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Reference RADIUS Alerts

  • 1.  Reference RADIUS Alerts

    Posted Apr 14, 2017 10:47 AM

    Does anyone know how to reference the specific alerts in the access log to send to an external context server? For example, if I want to reference the username, I would use %{Authentication:Username}. Specifically, I am interested in referencing the RADIUS alerts to send the specific failure reason in a helpdesk ticket (see screenshot).

     

    Thanks!



  • 2.  RE: Reference RADIUS Alerts

    EMPLOYEE
    Posted Apr 14, 2017 11:15 AM

    You could use an external syslog and parse for "Common.Alerts-Present<>0"

     

    <143>2014-04-03 10:03:56,535 10.17.6.54 All Session Log Fields 0 1 0 Common.Alerts-Present=0,Common.Audit-Posture-Token=UNKNOWN,Common.Auth-Type=,Common.Enforcement-Profiles=EAI ClearPass Identity Provider (SAML IdP Service) Profile,Common.Error-Code=0,Common.Host-MAC-Address=,Common.Login-Status=ACCEPT,Common.Monitor-Mode=Disabled,Common.Request-Id=W00000037-01-533ce4a8,Common.Request-Timestamp=2014-04-03 10:03:44.785+05:30,Common.Roles=[User Authenticated],Common.Service=EAI ClearPass Identity Provider (SAML IdP Service),Common.Source=Application,Common.System-Posture-Token=UNKNOWN,Common.Username=prem4,WEBAUTH.Auth-Source=ClearPass Lab AD,WEBAUTH.Host-IP-Address=127.0.0.1,Common.Alerts=WebAuthService: User 'prem4' not present in [Local User Repository](localhost),
    <143>2014-04-03 12:01:59,542 10.17.6.54 All Session Log Fields 2 1 0 Common.Alerts-Present=0,Common.Audit-Posture-Token=UNKNOWN,Common.Auth-Type=,Common.Connection-Status=Unknown,Common.Enforcement-Profiles=Prem650 wireless access Aruba 802.1X Wireless Profile1,Common.Error-Code=0,Common.Host-MAC-Address=bc20a4d791f0,Common.Login-Status=ACCEPT,Common.Monitor-Mode=Disabled,Common.NAS-IP-Address=10.20.22.85,Common.NAS-Port=0,Common.Request-Id=R0000001f-01-533d0045,Common.Request-Timestamp=2014-04-03 12:01:33+05:30,Common.Roles=[User Authenticated],Common.Service=Aruba ASO,Common.Source=RADIUS,Common.System-Posture-Token=UNKNOWN,Common.Username=prem3,RADIUS.Auth-Method=MSCHAP,RADIUS.Auth-Source=AD:adisam.arubapoc.local,

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=13860
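
Added example, not part of the original posts and not Aruba's code: one way to do the syslog parsing suggested in the reply above, pulling the failure reason out of a session log line for a helpdesk ticket. The sample lines are constructed, the function names are hypothetical, and treating populated Common.Alerts text as an alert even when the flag is 0 is an assumption drawn from the first sample line in the thread.

```python
import re

# A field starts after the header's last space or after a comma and looks like
# "Common.Alerts-Present=". Values may contain commas (role lists, alert text),
# so the line cannot simply be split on ",".
KEY = re.compile(r"(?<=[,\s])([A-Za-z][\w-]*\.[\w-]+)=")

def parse_session_log(line):
    """Split one session-log syslog line into (header, {field: value})."""
    marks = list(KEY.finditer(line))
    if not marks:
        return line.strip(), {}
    fields = {}
    for cur, nxt in zip(marks, marks[1:] + [None]):
        end = nxt.start() if nxt else len(line)
        fields[cur.group(1)] = line[cur.end():end].strip().rstrip(",")
    return line[:marks[0].start()].strip(), fields

def failure_for_ticket(line):
    """Return the fields a helpdesk ticket needs, or None if nothing alerted."""
    _, f = parse_session_log(line)
    alerts = f.get("Common.Alerts", "")
    # Check the alert text as well as the flag: the first sample line in the
    # thread carries Common.Alerts text while Common.Alerts-Present is 0.
    if f.get("Common.Alerts-Present", "0") == "0" and not alerts:
        return None
    return {"username": f.get("Common.Username", ""),
            "request_id": f.get("Common.Request-Id", ""),
            "status": f.get("Common.Login-Status", ""),
            "reason": alerts}

# Constructed sample lines in the thread's format (not real ClearPass output).
SAMPLES = [
    "<143>2017-04-14 10:47:01,120 192.0.2.10 All Session Log Fields 0 1 0 "
    "Common.Alerts-Present=1,Common.Login-Status=REJECT,"
    "Common.Request-Id=R00000001-01-00000001,Common.Roles=[Role A, Role B],"
    "Common.Source=RADIUS,Common.Username=alice,"
    "Common.Alerts=RADIUS: constructed failure text, with a comma,",
    "<143>2017-04-14 10:48:30,002 192.0.2.10 All Session Log Fields 1 1 0 "
    "Common.Alerts-Present=0,Common.Login-Status=ACCEPT,"
    "Common.Request-Id=R00000002-01-00000002,Common.Source=RADIUS,"
    "Common.Username=bob,",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(failure_for_ticket(s))
```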



  • 3.  RE: Reference RADIUS Alerts

    Posted Apr 14, 2017 12:16 PM

    Was hoping for an easy solution haha. Thank you anyway!