integrate aruba clearpass with eventtracker
Post on 28-Dec-2021
Integrate Aruba Clearpass with EventTracker
EventTracker v9.x or later
Publication Date: March 31, 2020
Abstract
This guide provides instructions to retrieve Aruba Clearpass events by syslog. Once EventTracker is
configured to collect and parse these logs, dashboards and reports can be configured to monitor Aruba
Clearpass.
Scope
The configurations detailed in this guide are consistent with EventTracker version 9.x or above and Aruba
Clearpass 6.7 and above.
Audience
Administrators who are assigned the task to monitor Aruba Clearpass events using EventTracker.
The information contained in this document represents the current view of Netsurion on the issues
discussed as of the date of publication. Because Netsurion must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Netsurion, and Netsurion
cannot guarantee the accuracy of any information presented after the date of publication.
This document is for informational purposes only. Netsurion MAKES NO WARRANTIES, EXPRESS OR
IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, this paper may be freely distributed without permission from
Netsurion, if its content is unaltered, nothing is added to the content and credit to Netsurion is
provided.
Netsurion may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Netsurion, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
The example companies, organizations, products, people and events depicted herein are fictitious.
No association with any real company, organization, product, person or event is intended or should
be inferred.
© 2020 Netsurion. All rights reserved. The names of actual companies and products mentioned
herein may be the trademarks of their respective owners.
Table of Contents
1. Overview
2. Prerequisites
3. Integrating Aruba Clearpass with EventTracker
3.1 Configuring a Syslog Forwarding
3.2 Adding syslog export filters
4. EventTracker Knowledge Packs
4.1 Saved Searches
4.2 Alerts
4.3 Flex Reports
4.4 Dashboards
5. Importing knowledge pack into EventTracker
5.1 Saved Searches
5.2 Alerts
5.3 Parsing Rules
5.4 Flex Reports
5.5 Knowledge Objects
5.6 Dashboards
6. Verifying knowledge pack in EventTracker
6.1 Saved Searches
6.2 Alerts
6.3 Parsing Rules
6.4 Reports
6.5 Knowledge Objects
6.6 Dashboards
1. Overview
Aruba Clearpass is a policy management platform. It allows an organization to effortlessly onboard
new devices, grant varying access levels, and keep their networks secure across any multivendor wired,
wireless and VPN infrastructure.
EventTracker, when integrated with Aruba Clearpass, collects logs from Aruba Clearpass and creates
detailed reports, alerts, dashboards and saved searches. These attributes of EventTracker help users to
view the most critical and important information on a single platform.
“Reports” provide a detailed overview of activities such as devices registered with Clearpass, RADIUS and
TACACS authentication requests (success and failed), Policy Manager system-level activities, and many
more.
“Alerts” notify users when critical events are triggered by Aruba Clearpass. With alerts, users are notified
about real-time occurrences of events such as failed RADIUS/TACACS authentications.
Dashboards depict system activities like ADD and REMOVE, RADIUS/TACACS successful logins and failed
logins with geo-location support to highlight the region/area over a map. These include
information such as suspicious source IP address, source MAC address, NAS address, event category,
device onboarded, policy added, etc.
2. Prerequisites
• VCP (virtual collection point) syslog port should be opened.
• Port 514 should be allowed in Firewall (if applicable).
3. Integrating Aruba Clearpass with EventTracker
Aruba Clearpass can be integrated with EventTracker using syslog forwarding.
3.1 Configuring a Syslog Forwarding
1. Log in to the Aruba Clearpass dashboard and navigate to Administration > External Servers > Syslog Targets.
Figure 1
2. Select Add. (The Add Syslog Target dialog opens)
Figure 2
• Host Address: Enter the EventTracker syslog port IP address. (IPv4 address)
• Description: Enter a short description of syslog server as desired.
• Protocol: Select ‘UDP’.
• Server Port: Enter ‘514’.
3. Click Save. (Syslog target is now added)
Figure 3
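A pre-flight check for the UDP/514 target configured above, as an added example that is not part of the Netsurion guide: it builds an RFC 3164-style test message carrying a unique marker and sends it over UDP. The function names, host name, tag and facility/severity defaults are assumptions; because UDP gives the sender no delivery confirmation, success is judged by finding the marker in an EventTracker log search, and the loopback function only exercises the code locally.

```python
import socket
import time
import uuid


def build_test_message(marker, facility=16, severity=6,
                       host="preflight-host", tag="syslog-preflight"):
    """Build an RFC 3164-style datagram; PRI = facility * 8 + severity."""
    t = time.localtime()
    # RFC 3164 pads single-digit days with a space, not a zero.
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{facility * 8 + severity}>{stamp} {host} {tag}: {marker}".encode("utf-8")


def parse_pri(datagram):
    """Return (facility, severity) from the leading <PRI>, or None if malformed."""
    if not datagram.startswith(b"<"):
        return None
    end = datagram.find(b">", 1, 5)          # PRI is at most three digits
    if end == -1 or not datagram[1:end].isdigit():
        return None
    pri = int(datagram[1:end])
    if pri > 191:                            # highest valid value: 23 * 8 + 7
        return None
    return divmod(pri, 8)


def send_udp(host, port, payload):
    """Send one datagram; the return value is bytes handed to the OS, not proof of receipt."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        return tx.sendto(payload, (host, port))


def loopback_check(timeout=2.0):
    """Send a test message to a temporary local listener and parse what arrives."""
    marker = f"preflight-{uuid.uuid4().hex[:12]}"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))            # ephemeral port, no privileges needed
        rx.settimeout(timeout)
        port = rx.getsockname()[1]
        send_udp("127.0.0.1", port, build_test_message(marker))
        data, _ = rx.recvfrom(4096)
    return marker.encode() in data, parse_pri(data)


if __name__ == "__main__":
    print("loopback:", loopback_check())
    # Against the real collector (address is a placeholder to fill in):
    #   marker = "preflight-" + uuid.uuid4().hex[:12]
    #   send_udp("<EventTracker syslog IP>", 514, build_test_message(marker))
    # then search EventTracker for the marker string.
```

If the marker never appears in EventTracker, check the firewall rule for port 514 and the VCP syslog port from the prerequisites before changing anything in Clearpass.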
3.2 Adding syslog export filters
Configure syslog export filters to tell Policy Manager where to send this information and, through data
filters, what kind of information should be sent.
1. Navigate to the Syslog Export Filters page: Administration > External Servers > Syslog Export Filters.
Figure 4
2. From the Syslog Export Filters page, click Add.
Figure 5
Note:
1. The steps below have to be repeated for each syslog export entry.
2. The ‘Export event Format Type’ field should always be “Standard”.
3. The ‘Clearpass Servers’ field should be empty.

| Name | Export Template | Syslog server | Filters and Columns |
|---|---|---|---|
| EventTracker Logs Audit | AUDIT | EventTracker syslog IP address | Not applicable |
| EventTracker Logs System | SYSTEM | EventTracker syslog IP address | Not applicable |
| EventTracker Logs Session_1 | SESSION | EventTracker syslog IP address | Data Filter - [RADIUS Requests]; Column Selection (Predefined group) - select "RADIUS Accounting"; Column Selection (Available columns Type - RADIUS) - Add "RADIUS.Acct-Authentic" |
| EventTracker Logs Session_2 | SESSION | EventTracker syslog IP address | Data Filter - [RADIUS Requests]; Column Selection (Predefined group) - select "Failed Authentications" |
| EventTracker Logs Session_3 | SESSION | EventTracker syslog IP address | Data Filter - [TACACS Requests]; Column Selection (Predefined group) - select "TACACS+ Accounting" |
| EventTracker Logs Session_4 | SESSION | EventTracker syslog IP address | Data Filter - [Webauth Requests]; Column Selection (Predefined group) - select "Web Authentication" |
| EventTracker Logs Session_5 | SESSION | EventTracker syslog IP address | Data Filter - [Guest Access Requests]; Column Selection (Predefined group) - select "Guest Access" |
| EventTracker Logs Session_6 | SESSION | EventTracker syslog IP address | Data Filter - [Active Session]; Column Selection (Predefined group) - select "Logged in users" |
| EventTracker Logs Insight_1 | INSIGHT | EventTracker syslog IP address | Predefined Group - TACACS Failed Authentication |
| EventTracker Logs Insight_2 | INSIGHT | EventTracker syslog IP address | Predefined Group - Endpoints |
| EventTracker Logs Insight_3 | INSIGHT | EventTracker syslog IP address | Predefined Group - WEBAUTH Failed Authentications; Column Selection (Available columns - Auth) - Add “Auth.Error-Code” |
| EventTracker Logs Insight_4 | INSIGHT | EventTracker syslog IP address | Predefined Group - Failed Application Authentications |
| EventTracker Logs Insight_5 | INSIGHT | EventTracker syslog IP address | Predefined Group - Onboard Enrollment |
3. Once you have defined the above fields in their respective tabs, click “Next” to finalize the
configurations and save. (Note – You have to repeat this step for each new entry in export filters.)
4. EventTracker Knowledge Packs
4.1 Saved Searches
Saved searches are designed to quickly parse logs and let the user see only specific events related to:
• Aruba Clearpass - TACACS SESSION EVENTS: Filters the log search to TACACS+ activities.
• Aruba Clearpass - SYSTEM EVENTS: Filters the log search to Clearpass Policy Manager
activities, such as user login, logout, export, collect logs, etc.
• Aruba Clearpass - RADIUS SESSION EVENTS: Filters the log search to RADIUS session
activities.
• Aruba Clearpass - AUDIT EVENTS: Filters the log search to Clearpass audit activities, such
as ADD, REMOVE, MODIFY or REORDER.
• Aruba Clearpass - INSIGHT EVENTS: Filters the log search to the Clearpass Insight application.
4.2 Alerts
Alerts are triggered when a received event is identified as critical and requires immediate notification.
For example:
• Aruba Clearpass: Failed login has been detected for RADIUS session
This alert is triggered when Clearpass receives an authentication failure for a RADIUS account.
• Aruba Clearpass: Login failed detected for clearpass system
This alert is triggered when Clearpass receives an authentication failure for registered systems.
• Aruba Clearpass: Failed login has been detected for Web authentication
This alert is triggered when a web authentication failure happens in the Clearpass web console.
4.3 Flex Reports
• Aruba Clearpass - RADIUS authentication failed: This report generates a detailed summary of failed
authentications that happened in any RADIUS server account. This includes source MAC address,
authentication types, timestamp, username, etc.
Figure 6
• Aruba Clearpass - System Activities (User login failed): This report generates a detailed summary of
failed activity on clearpass policy manager. This includes information such as Source IP address,
username, component, etc.
Figure 7
• Aruba Clearpass - System Activities (User login-logout): This report generates a detailed summary of
successful login and logout on clearpass policy manager. This includes, source username, IP address,
category, component, etc.
Figure 8
• Aruba Clearpass - System Activities: This report includes system-related activities other than login,
logout or login fail, for example, export, session destroyed, Collect Logs, AV/AS Updates,
activate.arubanetworks.com, email successful, etc.
Figure 9
• Aruba Clearpass - Audit Activities: The audit activity report includes events such as ADD, MODIFY, REMOVE
and REORDER. For example, when a device gets registered with Clearpass Policy Manager, an ‘ADD’ event is
generated.
Figure 10
• Aruba Clearpass - RADIUS authentication success: This report includes a detailed summary of RADIUS
server successful authentications. This includes source IP address, NAS IP address, authentication
types (Local, Remote, and RADIUS), etc.
Figure 11
4.4 Dashboards
• Aruba Clearpass - System events by Types
Figure 12
• Aruba Clearpass - Audit Events by Action Types
Figure 13
• Aruba Clearpass - Audit Events by Source IP address
Figure 14
• Aruba Clearpass - Audit Events by Source Username
Figure 15
• Aruba Clearpass - System events by source IP address
Figure 16
• Aruba Clearpass - System events by Failed Login
Figure 5
• Aruba Clearpass - RADIUS Session Events by Usernames
Figure 18
• Aruba Clearpass - RADIUS Session Events by Source IP address
Figure 19
• Aruba Clearpass - WebAuth Events by Failed Login
Figure 20
• Aruba Clearpass - WebAuth Events by Failed MAC address
Figure 21
• Aruba Clearpass - RADIUS Session Events by Failed login
Figure 22
• Aruba Clearpass - TACACS failed authentications
5. Importing knowledge pack into EventTracker
Getting Knowledge Packs
To get the knowledge packs, locate the knowledge pack folder by following the steps below:
1. Press “Windows key + R”.
2. Now, type “%et_install_path%\Knowledge Packs” and press “Enter”.
(Note – If you are not able to locate the file path mentioned above, please contact EventTracker support
for assistance.)
NOTE: Import knowledge pack items in the following sequence:
• Categories
• Alerts
• Token Template/ Parsing Rules
• Flex Reports
• Knowledge Objects
• Dashboards
1. Launch the EventTracker Control Panel.
2. Double click Export-Import Utility.
Figure 23
Figure 24
3. Click the Import tab.
5.1 Saved Searches
1. Once you have opened “Export Import Utility” via “EventTracker Control Panel”, click the Category
option, and then click Browse.
2. Navigate to the knowledge pack folder and select the file with extension “.iscat”, e.g.
“Categories_Aruba Clearpass.iscat” and then click “Import”.
Figure 25
EventTracker displays a success message:
Figure 26
5.2 Alerts
1. Once you have opened “Export Import Utility” via “EventTracker Control Panel”, click the Alert option, and
then click Browse.
2. Navigate to the knowledge pack folder and select the file with extension “.isalt”, e.g. “Alerts_ Aruba
Clearpass.isalt” and then click “Import”.
Figure 27
EventTracker displays a success message:
Figure 28
5.3 Parsing Rules
1. Once you have opened “Export Import Utility” via “EventTracker Control Panel”, click the “Token
Value” option, and then click Browse.
2. Navigate to the knowledge pack folder and select the file with extension “.istoken”, e.g. “Parsing Rules_
Aruba Clearpass.istoken” and then click “Import”:
Figure 29
5.4 Flex Reports
1. In the EventTracker Control Panel, select “Export/ Import utility” and select the “Import” tab. Then, click
the Reports option, and choose “New (*.etcrx)”:
Figure 30
2. Once you have selected “New (*.etcrx)”, a new pop-up window will appear. Click “Select File” and
navigate to knowledge pack folder and select file with extension “.etcrx”, e.g. “Reports_ Aruba
Clearpass.etcrx”.
Figure 31
3. Wait while the reports are populated in the tables below. Now, select all the relevant reports and then
click Import.
Figure 32
EventTracker displays a success message:
Figure 33
5.5 Knowledge Objects
1. Click Knowledge objects under the Admin option in the EventTracker manager web interface.
Figure 34
2. Next, click the “import object” icon:
Figure 6
3. A pop-up box will appear. Click “Browse”, navigate to the knowledge packs folder (type
“%et_install_path%\Knowledge Packs” in the navigation bar), select the file with the extension “.etko”,
e.g. “KO_ Aruba Clearpass.etko”, and then click “Upload”.
Figure 36
4. Wait while EventTracker populates all the relevant knowledge objects. Once the objects are displayed,
select the required ones and click “Import”:
Figure 37
5.6 Dashboards
1. Login to EventTracker manager web interface.
2. Navigate to Dashboard → My Dashboard.
3. In “My Dashboard”, Click Import
Figure 38
Figure 39
4. Select Browse, navigate to the knowledge pack folder (type “%et_install_path%\Knowledge Packs” in the
navigation bar) where the “.etwd” file, e.g. “Dashboards_ Aruba Clearpass.etwd”, is saved, and click “Upload”.
5. Wait while EventTracker populates all the available dashboards. Now, choose “Select All” and click
“Import”.
Figure 40
Figure 7
6. Verifying knowledge pack in EventTracker
6.1 Saved Searches
1. Log in to the EventTracker manager web interface.
2. Click the Admin dropdown, and then click Categories.
3. In the Category Tree, scroll down and expand the “Aruba Clearpass” group folder
to view the imported categories:
Figure 42
6.2 Alerts
1. In the EventTracker manager web interface, click the Admin dropdown, and then click Alerts.
2. In the search box, enter the search criteria, e.g. “Aruba Clearpass”, and then click Search.
EventTracker displays the alerts related to “Aruba Clearpass”:
Figure 43
6.3 Parsing Rules
1. In the EventTracker web interface, click the Admin dropdown, and then click Parsing Rule.
2. In the Parsing Rule tab, click on the “Aruba Clearpass” group folder to view the imported Token Values.
Figure 44
6.4 Reports
1. In the EventTracker web interface, click the Reports menu, and then select the Report Configuration.
Figure 45
2. In Reports Configuration pane, select the Defined option.
3. Click on the “Aruba Clearpass” group folder to view the imported reports.
Figure 46
6.5 Knowledge Objects
1. In the EventTracker web interface, click the Admin dropdown, and then click Knowledge Objects.
2. In the Knowledge Object tree, expand the “Aruba Clearpass” group folder to view the imported
Knowledge objects.
Figure 47
6.6 Dashboards
1. In the EventTracker web interface, Click Home and select “My Dashboard”.
Figure 48
2. Select the “Customize daslets” button and type “Clearpass” in the search bar.
Figure 49
Figure 50