Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass configuration

  • 1.  Clearpass configuration

    Posted Mar 24, 2024 01:35 PM

    Hi All,

    Working on a ClearPass wired 802.1X deployment and have some questions about configuration best practices. In the deployment, the network devices are Cisco.


    I noticed in the template from the vendor, they are logging to ClearPass over UDP port 20514. The command below is from the config. I'm familiar with this config/port when using Cisco ISE, but not sure if this is correct for ClearPass. My question is whether it is best practice to send syslog from the NAD (switch) to ClearPass, and is this the proper port? I can't find it in the config.
    logging host <clearpass IP>  transport udp port 20514




  • 2.  RE: Clearpass configuration

    Posted Mar 25, 2024 10:33 AM

    Logging from network devices (like switches) to ClearPass can be beneficial for monitoring and auditing purposes. The UDP port 20514 is commonly used for this purpose, as it allows ClearPass to receive syslog messages from the network devices. It's indeed a standard practice to configure syslog forwarding from network devices to ClearPass, especially for monitoring network access and troubleshooting issues.

    Regarding the specific command you provided: 

    logging host <clearpass IP> transport udp port 20514

    This command seems appropriate for Cisco devices to send syslog messages to ClearPass over UDP port 20514. However, it's crucial to ensure that ClearPass is configured to listen on the specified port for syslog messages.

    You may want to double-check the ClearPass configuration to verify that it is indeed configured to receive syslog messages over UDP port 20514. If not, you may need to adjust the ClearPass configuration accordingly.




  • 3.  RE: Clearpass configuration

    Posted Mar 25, 2024 11:00 AM

    @Smit Bret

    Thank you for your response.  Where is this configured in Clearpass?

    Typically, syslog defaults to UDP 514.




  • 4.  RE: Clearpass configuration

    EMPLOYEE
    Posted Mar 25, 2024 03:28 PM

    Unless you are setting up Ingress Events, there is zero reason to ever send syslog to ClearPass.

    https://www.arubanetworks.com/techdocs/ClearPass/6.11/PolicyManager/Content/CPPM_UserGuide/Ingress%20Events/Intro_threat_events.htm

    Was someone under the impression they were trying to implement NetFlow or sFlow with that setup?

    https://www.arubanetworks.com/techdocs/ClearPass/6.11/PolicyManager/Content/CPPM_UserGuide/PolicyProfile/Collectors.htm



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: Clearpass configuration

    Posted Mar 25, 2024 03:57 PM

    Hi @chulcher,

    I don't think they were under the impression they were setting up NetFlow. I think it's the case of a partner taking config for one vendor/product (Cisco ISE) and using that same config for ClearPass. I will remove the syslog configuration. Ingress events may be something to look into, but it seems that would be syslog provided by our firewall, not the network switch?
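As an added example (not part of this thread, and not HPE Aruba or Cisco code), the following script audits a Cisco IOS running-config for `logging host` destinations and reports any that point at the ClearPass server, which is the leftover the thread concludes should be removed unless Ingress Events is in use. The ClearPass address (192.0.2.10), the other destinations and the config fragment are constructed for the example; the `ingress_events_enabled` flag is an assumption the caller sets from their own ClearPass setup.

```python
"""Audit Cisco IOS 'logging host' lines in a switch configuration.

Added example; not from the forum thread, HPE Aruba or Cisco. Assumes a
plain-text running-config and a constructed ClearPass address
(192.0.2.10, from the documentation range). Any 'logging host' entry that
targets the ClearPass server is reported, because syslog from a NAD to
ClearPass is only needed when Ingress Events is configured.
"""
import re
from dataclasses import dataclass

DEFAULT_SYSLOG_PORT = 514  # what IOS uses when no 'transport ... port' is given

# Matches 'logging host <addr>' with an optional 'transport udp|tcp port <n>'.
LOGGING_HOST_RE = re.compile(
    r"^\s*logging\s+host\s+(?P<host>\S+)"
    r"(?:\s+transport\s+(?P<proto>udp|tcp)(?:\s+port\s+(?P<port>\d+))?)?",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class SyslogTarget:
    host: str
    proto: str
    port: int
    line: str  # the original config line, for reporting


def parse_logging_hosts(config_text):
    """Return every syslog destination declared with 'logging host'."""
    targets = []
    for raw in config_text.splitlines():
        m = LOGGING_HOST_RE.match(raw)
        if not m:
            continue
        proto = (m.group("proto") or "udp").lower()
        port = int(m.group("port") or DEFAULT_SYSLOG_PORT)
        targets.append(SyslogTarget(m.group("host"), proto, port, raw.strip()))
    return targets


def find_nac_syslog_targets(config_text, nac_addresses, ingress_events_enabled=False):
    """Return 'logging host' entries aimed at the NAC (ClearPass) servers.

    If Ingress Events is enabled on ClearPass these entries are expected and
    nothing is returned; otherwise each hit is a leftover to remove.
    """
    if ingress_events_enabled:
        return []
    nac = set(nac_addresses)
    return [t for t in parse_logging_hosts(config_text) if t.host in nac]


# Constructed sample config fragment (not a real device's configuration).
SAMPLE_CONFIG = """\
hostname access-sw-01
!
logging buffered 64000
logging host 192.0.2.50
logging host 192.0.2.10 transport udp port 20514
logging host 198.51.100.7 transport tcp port 6514
!
radius server clearpass
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
"""

CLEARPASS_SERVERS = ["192.0.2.10"]  # constructed ClearPass address

if __name__ == "__main__":
    for t in parse_logging_hosts(SAMPLE_CONFIG):
        print(f"{t.host:16} {t.proto}/{t.port}")
    for t in find_nac_syslog_targets(SAMPLE_CONFIG, CLEARPASS_SERVERS):
        print(f"remove: '{t.line}' (syslog to ClearPass is unneeded without Ingress Events)")
```

Run it against a saved `show running-config` to get the list of syslog destinations; the one pointing at ClearPass on UDP 20514 is flagged, while the collector on the default port and the TCP destination are left alone.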




  • 6.  RE: Clearpass configuration

    EMPLOYEE
    Posted Mar 25, 2024 04:24 PM

    That is probably correct.  Ingress events would be useful from any device or application that is determining a security stance that you'd want to take action on, firewalls being a potential source.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------