Integrate Aruba Clearpass with EventTracker

EventTracker v9.x or later

Publication Date: March 31, 2020


Abstract

This guide provides instructions to retrieve Aruba Clearpass events over syslog. Once EventTracker is configured to collect and parse these logs, dashboards and reports can be configured to monitor Aruba Clearpass.

Scope

The configurations detailed in this guide are consistent with EventTracker version 9.x or above and Aruba Clearpass 6.7 and above.

Audience

Administrators who are assigned the task to monitor Aruba Clearpass events using EventTracker.

The information contained in this document represents the current view of Netsurion on the issues discussed as of the date of publication. Because Netsurion must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Netsurion, and Netsurion cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. Netsurion MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from Netsurion, if its content is unaltered, nothing is added to the content and credit to Netsurion is provided.

Netsurion may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Netsurion, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2020 Netsurion. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Table of Contents

1. Overview
2. Prerequisites
3. Integrating Aruba Clearpass with EventTracker
   3.1 Configuring Syslog Forwarding
   3.2 Adding Syslog Export Filters
4. EventTracker Knowledge Packs
   4.1 Saved Searches
   4.2 Alerts
   4.3 Flex Reports
   4.4 Dashboards
5. Importing knowledge pack into EventTracker
   5.1 Saved Searches
   5.2 Alerts
   5.3 Parsing Rules
   5.4 Flex Reports
   5.5 Knowledge Objects
   5.6 Dashboards
6. Verifying knowledge pack in EventTracker
   6.1 Saved Searches
   6.2 Alerts
   6.3 Parsing Rules
   6.4 Reports
   6.5 Knowledge Objects
   6.6 Dashboards


1. Overview

Aruba Clearpass is a policy management platform. It allows an organization to onboard new devices, grant varying access levels, and keep its network secure across any multivendor wired, wireless and VPN infrastructure.

EventTracker, when integrated with Aruba Clearpass, collects logs from Aruba Clearpass and provides detailed reports, alerts, dashboards and saved searches. Together these let users view the most critical information on a single platform.

“Reports” provide a detailed overview of activities such as devices registered with Clearpass, RADIUS and TACACS+ authentication requests (successful and failed), Policy Manager system-level activities, and more.

“Alerts” notify users as critical events are raised by Aruba Clearpass, so that occurrences such as failed RADIUS/TACACS+ authentications are reported in near real time.

Dashboards depict system activities such as ADD and REMOVE, and successful and failed RADIUS/TACACS+ logins, with geo-location support to highlight a region or area on a map. They include information such as suspicious source IP address, source MAC address, NAS address, event category, device onboarded, policy added, and so on.

2. Prerequisites

• The syslog port on the EventTracker VCP (virtual collection point) must be open and listening.

• UDP port 514 must be allowed through any firewall between Aruba Clearpass and EventTracker (if applicable).

3. Integrating Aruba Clearpass with EventTracker

Aruba Clearpass can be integrated with EventTracker using syslog forwarding.

3.1 Configuring Syslog Forwarding

1. Log in to the Aruba Clearpass dashboard and navigate to Administration > External Servers > Syslog Targets, e.g.


Figure 1

2. Select Add. (The Add Syslog Target dialog opens.)

Figure 2

• Host Address: Enter the IPv4 address of the EventTracker syslog receiver (the VCP).

• Description: Enter a short description of the syslog server as desired.

• Protocol: Select ‘UDP’.

• Server Port: Enter ‘514’.

Note that syslog over UDP is neither encrypted nor authenticated, and dropped datagrams are not retransmitted. Restrict the path between Clearpass and the collector with firewall rules, and treat a collector that suddenly receives nothing as a possible transport problem rather than as an absence of events.

3. Click Save. (The syslog target is now added.)

Figure 3


3.2 Adding Syslog Export Filters

Configure syslog export filters to tell Policy Manager where to send this information, and which information should be sent, using data filters.

1. Navigate to the Syslog Export Filters page: Administration > External Servers > Syslog Export Filters.

Figure 4

2. From the Syslog Export Filters page, click Add.

Figure 5


Note:

1. The steps below have to be repeated for each syslog export entry.

2. The ‘Export Event Format Type’ field should always be “Standard”.

3. The ‘Clearpass Servers’ field should be left empty.

Create the following export filters (Name / Export Template / Syslog server / Filters and Columns):

EventTracker Logs Audit
  Export Template: AUDIT
  Syslog server: EventTracker syslog IP address
  Filters and Columns: Not applicable

EventTracker Logs System
  Export Template: SYSTEM
  Syslog server: EventTracker syslog IP address
  Filters and Columns: Not applicable

EventTracker Logs Session_1
  Export Template: SESSION
  Syslog server: EventTracker syslog IP address
  Filters and Columns: Data Filter - [RADIUS Requests]; Column Selection (Predefined group) - select "RADIUS Accounting"; Column Selection (Available columns, Type - RADIUS) - add "RADIUS.Acct-Authentic"

EventTracker Logs Session_2
  Export Template: SESSION
  Syslog server: EventTracker syslog IP address
  Filters and Columns: Data Filter - [RADIUS Requests]; Column Selection (Predefined group) - select "Failed Authentications"

EventTracker Logs Session_3
  Export Template: SESSION
  Syslog server: EventTracker syslog IP address
  Filters and Columns: Data Filter - [TACACS Requests]; Column Selection (Predefined group) - select "TACACS+ Accounting"

EventTracker Logs Session_4
  Export Template: SESSION
  Syslog server: EventTracker syslog IP address
  Filters and Columns: Data Filter - [Webauth Requests]; Column Selection (Predefined group) - select "Web Authentication"

EventTracker Logs Session_5
  Export Template: SESSION
  Syslog server: EventTracker syslog IP address
  Filters and Columns: Data Filter - [Guest Access Requests]; Column Selection (Predefined group) - select "Guest Access"

EventTracker Logs Session_6
  Export Template: SESSION
  Syslog server: EventTracker syslog IP address
  Filters and Columns: Data Filter - [Active Session]; Column Selection (Predefined group) - select "Logged in users"

EventTracker Logs Insight_1
  Export Template: INSIGHT
  Syslog server: EventTracker syslog IP address
  Filters and Columns: Predefined Group - TACACS Failed Authentication

EventTracker Logs Insight_2
  Export Template: INSIGHT
  Syslog server: EventTracker syslog IP address
  Filters and Columns: Predefined Group - Endpoints

EventTracker Logs Insight_3
  Export Template: INSIGHT
  Syslog server: EventTracker syslog IP address
  Filters and Columns: Predefined Group - WEBAUTH Failed Authentications; Column Selection (Available columns - Auth) - add “Auth.Error-Code”

EventTracker Logs Insight_4
  Export Template: INSIGHT
  Syslog server: EventTracker syslog IP address
  Filters and Columns: Predefined Group - Failed Application Authentications

EventTracker Logs Insight_5
  Export Template: INSIGHT
  Syslog server: EventTracker syslog IP address
  Filters and Columns: Predefined Group - Onboard Enrollment


3. Once you have defined the above fields in their respective tabs, click “Next” to finalize the configuration and save. (Note: repeat this step for each new entry in the export filters.)
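Before trusting the dashboards, confirm that datagrams actually arrive at the collector and carry what you expect. The following is an added example, not part of the original guide or of Netsurion's or Aruba's own code: it frames a Clearpass-style message as an RFC 3164 syslog datagram, receives it on a throwaway loopback UDP socket, and parses the envelope back. The facility number, the hostname and the "Session Logs: Group.Column=value,..." body are constructed sample values and assumptions; the guide does not state the exact export format. Binding an unprivileged port (0) avoids needing root for 514 during the check.

```python
"""Added example (not from the guide): loopback check that a ClearPass-style
syslog datagram reaches a UDP receiver and parses back into its parts."""
import re
import socket

# RFC 3164 facility/severity codes. Which facility ClearPass stamps on exported
# events is an assumption here; the guide does not say.
FACILITY_USER = 1
SEVERITY_INFO = 6

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss hostname body
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<body>.*)$",
    re.DOTALL,
)

# Constructed sample body in the key=value style of a "Standard" export; the
# column names are illustrative and not taken from a live system.
SAMPLE_BODY = ("2020-03-31 10:15:02,117 Session Logs: "
               "Common.Username=jdoe,Common.Service=Corp Wireless,"
               "Common.NAS-IP-Address=10.1.1.5,RADIUS.Acct-Authentic=RADIUS")


def build_datagram(hostname: str, timestamp: str, body: str,
                   facility: int = FACILITY_USER,
                   severity: int = SEVERITY_INFO) -> bytes:
    """Frame body as an RFC 3164 datagram; PRI = facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility/severity out of range")
    return f"<{facility * 8 + severity}>{timestamp} {hostname} {body}".encode()


def parse_datagram(data: bytes) -> dict:
    """Decode one datagram. Raises ValueError when the PRI header is missing
    or malformed, which is what a wrong export format or a truncated packet
    looks like on the collector side."""
    m = HEADER_RE.match(data.decode("utf-8", errors="replace"))
    if not m:
        raise ValueError("not an RFC 3164 datagram")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    return {"facility": pri // 8, "severity": pri % 8,
            "hostname": m.group("host"), "timestamp": m.group("ts"),
            "body": m.group("body")}


def roundtrip(datagram: bytes, port: int = 0, timeout: float = 2.0) -> dict:
    """Bind a throwaway UDP receiver on loopback (port 0 = any free port, so
    no root is needed), send the datagram to it and parse what arrives.
    A socket timeout here means the local path is blocked."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", port))
        rx.settimeout(timeout)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(datagram, rx.getsockname())
        data, _addr = rx.recvfrom(65535)
    return parse_datagram(data)


def send(datagram: bytes, host: str, port: int = 514) -> int:
    """Fire one datagram at a real collector (e.g. the EventTracker VCP
    address from section 3.1) and return the byte count; then confirm the
    message shows up in EventTracker's log search."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        return tx.sendto(datagram, (host, port))


if __name__ == "__main__":
    dg = build_datagram("clearpass01", "Mar 31 10:15:02", SAMPLE_BODY)
    print(roundtrip(dg))
```

Run it once locally to validate the framing, then point send() at the VCP address and look for the constructed username in EventTracker; if it never appears, the problem is the firewall or the target definition, not the export filters.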

4. EventTracker Knowledge Packs

4.1 Saved Searches

Saved searches are designed to quickly parse logs and let the user see only specific events related to:

• Aruba Clearpass - TACACS SESSION EVENTS: Filters the log search to TACACS+ activities.

• Aruba Clearpass - SYSTEM EVENTS: Filters the log search to Clearpass Policy Manager activities, such as user login, logout, export, collect logs, etc.

• Aruba Clearpass - RADIUS SESSION EVENTS: Filters the log search to RADIUS session activities.

• Aruba Clearpass - AUDIT EVENTS: Filters the log search to Clearpass audit activities, such as ADD, REMOVE, MODIFY or REORDER.

• Aruba Clearpass - INSIGHT EVENTS: Filters the log search to the Clearpass Insight application.

4.2 Alerts

Alerts are triggered when a received event is identified as critical and requires immediate notification. For example:

• Aruba Clearpass: Failed login has been detected for RADIUS session

This alert is triggered when Clearpass records an authentication failure for a RADIUS account.

• Aruba Clearpass: Login failed detected for clearpass system

This alert is triggered when Clearpass records a failed login to the Clearpass system.

• Aruba Clearpass: Failed login has been detected for Web authentication

This alert is triggered when a web authentication failure happens in the Clearpass web console.
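The three alerts above are per-event rules; what the knowledge pack does not give you is a notion of rate. The following added example, which is not code from the guide or from Netsurion or Aruba, implements the same three alerts as detection logic over exported lines and adds a sliding-window counter that flags a (user, NAS) pair after repeated failures. The sample lines are constructed; apart from RADIUS.Acct-Authentic and Auth.Error-Code, which the export-filter table in section 3.2 names, every column name, the "<kind> Logs:" prefixes and the meaning of a non-zero error code are assumptions about the export format, so map them to the fields you actually see in your own log search before using this for real.

```python
"""Added example (not from the guide): the section 4.2 failed-login alerts as
detection logic over ClearPass-style export lines, plus a burst detector."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Split "k=v,k=v" only at commas that begin a new "Group.Column=" token, so a
# value that itself contains commas (role lists, descriptions) stays intact.
FIELD_SPLIT = re.compile(r",(?=[A-Za-z]+\.[A-Za-z0-9-]+=)")
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ "
    r"(?P<kind>Session|System|Insight) Logs: (?P<kv>.*)$"
)

# Constructed sample lines. Only RADIUS.Acct-Authentic and Auth.Error-Code
# appear in the guide; the other column names and the "<kind> Logs:" prefixes
# are assumptions made for this example.
SAMPLE_LINES = [
    "2020-03-31 10:15:02,117 Session Logs: Common.Username=jdoe,"
    "Common.Service=Corp Wireless,Common.Roles=[Employee],[Wireless],"
    "Common.Error-Code=0,Common.NAS-IP-Address=10.1.1.5,"
    "Common.Host-MAC-Address=aa:bb:cc:dd:ee:01,RADIUS.Acct-Authentic=RADIUS",
    "2020-03-31 10:16:10,002 Session Logs: Common.Username=jdoe,"
    "Common.Service=Corp Wireless,Common.Error-Code=216,"
    "Common.Alerts=User authentication failed,Common.NAS-IP-Address=10.1.1.5,"
    "Common.Host-MAC-Address=aa:bb:cc:dd:ee:01",
    "2020-03-31 10:16:41,530 System Logs: System.Username=admin,"
    "System.Source-IP=10.9.9.9,System.Category=Login failed,"
    "System.Description=Invalid password",
    "2020-03-31 10:17:05,044 Insight Logs: Common.Username=guest42,"
    "Common.Host-MAC-Address=aa:bb:cc:dd:ee:02,Auth.Error-Code=215,"
    "Auth.Source=WEBAUTH",
]

RADIUS_FAILED = "Failed login has been detected for RADIUS session"
SYSTEM_FAILED = "Login failed detected for clearpass system"
WEBAUTH_FAILED = "Failed login has been detected for Web authentication"


def parse_line(line: str) -> dict:
    """Turn one exported line into {"ts", "kind", "fields"}; reject anything
    outside the expected layout rather than silently mis-parsing it."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised line: {line[:40]!r}")
    fields = {}
    for token in FIELD_SPLIT.split(m.group("kv")):
        key, _, value = token.partition("=")
        fields[key.strip()] = value.strip()
    return {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "kind": m.group("kind"), "fields": fields}


def classify(event: dict):
    """Return the alert name the guide defines for this event, or None."""
    kind, f = event["kind"], event["fields"]
    if kind == "Session" and f.get("Common.Error-Code", "0") != "0":
        return RADIUS_FAILED
    if kind == "System" and f.get("System.Category") == "Login failed":
        return SYSTEM_FAILED
    if (kind == "Insight" and f.get("Auth.Source") == "WEBAUTH"
            and f.get("Auth.Error-Code", "0") != "0"):
        return WEBAUTH_FAILED
    return None


class FailureWindow:
    """Sliding-window counter: record() is True on every event at which a
    (user, source) key has `threshold` or more failures inside `window`.
    This goes beyond the guide's per-event alerts; it is the check that
    surfaces password spraying against a single NAS."""

    def __init__(self, threshold: int = 3,
                 window: timedelta = timedelta(minutes=5)):
        self.threshold, self.window = threshold, window
        self.hits = defaultdict(deque)

    def record(self, key, ts: datetime) -> bool:
        q = self.hits[key]
        q.append(ts)
        while q and ts - q[0] > self.window:  # expire failures older than window
            q.popleft()
        return len(q) >= self.threshold


def run(lines, threshold: int = 3):
    """Return (alerts, bursts): one (name, user, source) tuple per failed-login
    event, and one (user, source) tuple per event that crossed the threshold."""
    alerts, bursts = [], []
    window = FailureWindow(threshold)
    for line in lines:
        event = parse_line(line)
        name = classify(event)
        if name is None:
            continue
        f = event["fields"]
        user = f.get("Common.Username") or f.get("System.Username") or "unknown"
        source = (f.get("Common.NAS-IP-Address") or f.get("System.Source-IP")
                  or "unknown")
        alerts.append((name, user, source))
        if window.record((user, source), event["ts"]):
            bursts.append((user, source))
    return alerts, bursts


if __name__ == "__main__":
    for alert in run(SAMPLE_LINES)[0]:
        print(*alert)
```

The splitter is the part worth keeping even if your column names differ: a naive split on "," breaks as soon as a role list or free-text description appears in a value, and a parser that silently mis-assigns fields is worse than one that raises.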

4.3 Flex Reports

• Aruba Clearpass - RADIUS authentication failed: This report generates a detailed summary of failed authentications against any RADIUS account. It includes source MAC address, authentication type, timestamp, username, etc.


Figure 6

• Aruba Clearpass - System Activities (User login failed): This report generates a detailed summary of failed logins to the Clearpass Policy Manager. It includes information such as source IP address, username, component, etc.

Figure 7

• Aruba Clearpass - System Activities (User login-logout): This report generates a detailed summary of successful logins and logouts on the Clearpass Policy Manager. It includes source username, IP address, category, component, etc.


Figure 8

• Aruba Clearpass - System Activities: This report includes system-related activities other than login, logout or login failure, e.g. export, session destroyed, Collect Logs, AV/AS updates, activate.arubanetworks.com, email successful, etc.

Figure 9

• Aruba Clearpass - Audit Activities: The audit activity report includes events such as ADD, MODIFY, REMOVE and REORDER. For example, when a device is registered with the Clearpass Policy Manager, an ‘ADD’ event is generated.


Figure 10

• Aruba Clearpass - RADIUS authentication success: This report includes a detailed summary of successful RADIUS authentications. It includes source IP address, NAS IP address, authentication type (Local, Remote and RADIUS), etc.

Figure 11


4.4 Dashboards

• Aruba Clearpass - System events by Types

Figure 12

• Aruba Clearpass - Audit Events by Action Types

Figure 13


• Aruba Clearpass - Audit Events by Source IP address

Figure 14

• Aruba Clearpass - Audit Events by Source Username

Figure 15


• Aruba Clearpass - System events by source IP address

Figure 16

• Aruba Clearpass - System events by Failed Login

Figure 17


• Aruba Clearpass - RADIUS Session Events by Usernames

Figure 18

• Aruba Clearpass - RADIUS Session Events by Source IP address

Figure 19


• Aruba Clearpass - WebAuth Events by Failed Login

Figure 20

• Aruba Clearpass - WebAuth Events by Failed MAC address

Figure 21


• Aruba Clearpass - RADIUS Session Events by Failed login

Figure 22

• Aruba Clearpass - TACACS failed authentications

5. Importing knowledge pack into EventTracker

Getting Knowledge Packs

To get the knowledge packs, locate the knowledge pack folder. Follow the steps below:

1. Press “Windows + R”.

2. Type “%et_install_path%\Knowledge Packs” and press “Enter”.

(Note: if you are not able to locate the file path mentioned above, contact EventTracker support for assistance.)

NOTE: Import knowledge pack items in the following sequence:

• Categories

• Alerts

• Token Template/ Parsing Rules

• Flex Reports

• Knowledge Objects

• Dashboards

1. Launch the EventTracker Control Panel.

2. Double click Export-Import Utility.

Figure 23

Figure 24

3. Click the Import tab.

5.1 Saved Searches

1. Once you have opened the “Export Import Utility” via the “EventTracker Control Panel”, click the Category option, and then click Browse.


2. Navigate to the knowledge pack folder and select the file with extension “.iscat”, e.g. “Categories_Aruba Clearpass.iscat”, and then click “Import”.

Figure 25

EventTracker displays a success message:

Figure 26

5.2 Alerts

1. Once you have opened the “Export Import Utility” via the “EventTracker Control Panel”, click the Alert option, and then click Browse.


2. Navigate to the knowledge pack folder and select the file with extension “.isalt”, e.g. “Alerts_ Aruba Clearpass.isalt”, and then click “Import”.

Figure 27

EventTracker displays a success message:

Figure 28

5.3 Parsing Rules

1. Once you have opened the “Export Import Utility” via the “EventTracker Control Panel”, click the “Token Value” option, and then click Browse.


2. Navigate to the knowledge pack folder and select the file with extension “.istoken”, e.g. “Parsing Rules_ Aruba Clearpass.istoken”, and then click “Import”:

Figure 29

5.4 Flex Reports

1. In the EventTracker Control Panel, select “Export/ Import utility” and select the “Import” tab. Then click the Reports option and choose “New (*.etcrx)”:


Figure 30

2. Once you have selected “New (*.etcrx)”, a new pop-up window appears. Click “Select File”, navigate to the knowledge pack folder and select the file with extension “.etcrx”, e.g. “Reports_ Aruba Clearpass.etcrx”.

Figure 31

3. Wait while the reports are populated in the table below. Then select all the relevant reports and click Import.


Figure 32

EventTracker displays a success message:

Figure 33

5.5 Knowledge Objects

1. Click Knowledge objects under the Admin option in the EventTracker manager web interface.

Figure 34

2. Next, click the “import object” icon:


Figure 35

3. A pop-up box appears. Click “Browse” in it, navigate to the knowledge packs folder (type “%et_install_path%\Knowledge Packs” in the navigation bar), select the file with extension “.etko”, e.g. “KO_ Aruba Clearpass.etko”, and then click “Upload”.

Figure 36

4. Wait while EventTracker populates all the relevant knowledge objects. Once the objects are displayed, select the required ones and click “Import”:

Figure 37

5.6 Dashboards

1. Log in to the EventTracker manager web interface.

2. Navigate to Dashboard → My Dashboard.

3. In “My Dashboard”, click Import.


Figure 38

Figure 39

4. Click Browse and navigate to the knowledge pack folder (type “%et_install_path%\Knowledge Packs” in the navigation bar) where the “.etwd” file, e.g. “Dashboards_ Aruba Clearpass.etwd”, is saved, and click “Upload”.

5. Wait while EventTracker populates all the available dashboards. Then choose “Select All” and click “Import”.

Figure 40


Figure 41

6. Verifying knowledge pack in EventTracker

6.1 Saved Searches

1. Log in to the EventTracker manager web interface.

2. Click the Admin dropdown, and then click Categories.

3. In the Category Tree, scroll down and expand the “Aruba Clearpass” group folder to view the imported categories:

Figure 42


6.2 Alerts

1. In the EventTracker manager web interface, click the Admin dropdown, and then click Alerts.

2. In the search box enter the search criteria, e.g. “Aruba Clearpass”, and then click Search.

EventTracker displays the alerts related to “Aruba Clearpass”:

Figure 43

6.3 Parsing Rules

1. In the EventTracker web interface, click the Admin dropdown, and then click Parsing Rule.

2. In the Parsing Rule tab, click the “Aruba Clearpass” group folder to view the imported Token Values.

Figure 44


6.4 Reports

1. In the EventTracker web interface, click the Reports menu, and then select Report Configuration.

Figure 45

2. In the Reports Configuration pane, select the Defined option.

3. Click the “Aruba Clearpass” group folder to view the imported reports.

Figure 46

6.5 Knowledge Objects

1. In the EventTracker web interface, click the Admin dropdown, and then click Knowledge Objects.


2. In the Knowledge Object tree, expand the “Aruba Clearpass” group folder to view the imported Knowledge Objects.

Figure 47

6.6 Dashboards

1. In the EventTracker web interface, click Home and select “My Dashboard”.

Figure 48

2. Click the “Customize dashlets” button and type “Clearpass” in the search bar.


Figure 49

Figure 50