ClearPass Policy Manager


ClearPass Policy Manager Integration with ArcSight Logger

Copyright

Copyright 2014 Aruba Networks, Inc. Aruba Networks trademarks include AirWave, Aruba Networks, Aruba Wireless Networks, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System, Mobile Edge Architecture, People Move. Networks Must Follow, RFProtect, Green Island. All rights reserved. All other trademarks are the property of their respective owners.

Open Source Code

Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. The Open Source code used can be found at this site:

Revision History

Date              Author             Revision Description
April 10, 2014    Premraj Lourdraj   Initial Revision
April 23, 2014    Premraj Lourdraj   Incorporated modifications from Bob, Danny, Trent, Sohag

Table of Contents

Introduction
Background
Assumptions
Example
Syslogs based on ClearPass internal modules
Syslogs based on Session Logs, Audit Records and Event Records
ArcSight Logger Architecture and Components
ClearPass Configuration
Adding ArcSight as a Syslog Target
Defining ClearPass Data Filters
Creating Syslog Export Filters
Creating Syslog Export Filter: All Session Log Fields
Creating Syslog Export Filter: All Events
Creating Syslog Export Filter: All Audits
Creating Syslog Export filter: Failed Authentications
Syslog Column Names
ArcSight Logger Configuration
Adding an Event Input ClearPass Parser
Adding an Event Input ClearPass Source Type
Adding an Event Input ClearPass Receiver
Adding the ClearPass Server
ArcSight Logger Sample Displays
Syslog Raw Data
Failed Authentication Raw Data
Successful Authentication Raw Data
Event Log Raw Data
Audit Log Raw Data
Caveats

Table of Figures

Figure 1 - Raw Syslog feed received by ArcSight Logger from ClearPass
Figure 2 - ClearPass Access Tracker displaying Events
Figure 3 - ArcSight Logger displaying the same ClearPass Events
Figure 4 - Example of Syslogs based on internal ClearPass modules
Figure 5 - Example of Syslog: Session Logs
Figure 6 - Example of Syslog: Audit Records
Figure 7 - Example of Syslog: System Events
Figure 8 - ArcSight Logger Architecture and Component Interaction
Figure 9 - Adding Syslog Targets to ClearPass
Figure 10 - Predefined Data Filters in ClearPass
Figure 11 - Syslog Export Filters
Figure 12 - Creating Syslog Export Filter: All Session Log Fields
Figure 13 - Creating Syslog Export Filter: adding Common columns
Figure 14 - Creating Syslog Export Filter: adding RADIUS columns
Figure 15 - Confirmation of selected columns
Figure 16 - Summary of selected columns
Figure 17 - Enabling the Syslog Export Filter
Figure 18 - Configuring Syslog Export Filter for all System Events
Figure 19 - Configuring Syslog Export Filter for all Audit Events
Figure 20 - Configuring Syslog Export Filter for Failed Authentications
Figure 21 - Selecting the predefined columns for Failed Authentications
Figure 22 - Failed Authentication summary Syslog Export Filter
Figure 23 - Enabling Syslog Export Filter
Figure 24 - Typical Syslog sent by ClearPass
Figure 25 - Adding an Extract Parser into ArcSight Logger
Figure 26 - Setting Pair Delimiter and Key/Value Delimiter for Parser
Figure 27 - Table showing parsers defined in ArcSight Logger
Figure 28 - Defining ClearPass Event Time Location
Figure 29 - Table showing source types defined in ArcSight Logger
Figure 30 - Configuring ArcSight Logger Receiver for ClearPass
Figure 31 - Adding ClearPass server in ArcSight Logger
Figure 32 - Summary page showing Syslog data received from ClearPass
Figure 33 - Searching ArcSight for ClearPass information
Figure 34 - Analyze Search Page: Field Summary
Figure 35 - Analyze Search Page: Login Accept / Reject Summary
Figure 36 - Analyze Search Page: Login Status = REJECT
Figure 37 - Analyze Search Page: Login Status = REJECT -> Raw Data
Figure 38 - Analyze Search Page: Login Status = REJECT -> Raw Data -> Extract Fields
Figure 39 - Syslog received by ArcSight Logger
Figure 40 - ArcSight Logger display of Syslog message
Figure 41 - Syslog Export Filter: Column Selection and Reordering

Introduction

This document describes how to integrate ClearPass Policy Manager with ArcSight Logger in order to extract the maximum utility from both applications. Specifically, it provides information on:

- How to configure ClearPass to send Syslog output to an instance of ArcSight Logger
- How to configure ArcSight Logger to receive, parse and store this Syslog output

After completion of these steps, the Syslog data stored in ArcSight Logger can be used to search and display ClearPass events.

Background

ClearPass Policy Manager is an Access Management Solution used extensively in small, midrange and large enterprises. The ClearPass Access Tracker, Audit Viewer and Event Viewer user interfaces enable ClearPass users to view various kinds of Authentication, Authorization and Accounting events when endpoints authenticate to the network using ClearPass. ClearPass has the capability to receive Syslog events from endpoints, store them, encapsulate them and retransmit them as RFC 5424 compliant Syslog messages to any Syslog receiver.

ArcSight Logger is a popular log management/SIEM solution that can receive events (including Syslog messages) from multiple sources, which can then be searched, analyzed and displayed using its graphical user interface.

Assumptions

The audience for this document is assumed to be familiar with the administration and use of the ClearPass Policy Manager and ArcSight Logger applications.
Example

For example, let us assume the following raw Syslog feed is sent by ClearPass:

<143> :03:56, All Session Log Fields Common.Alerts-Present=0,Common.Audit-Posture-Token=UNKNOWN,Common.Auth-Type=,Common.Enforcement-Profiles=EAI ClearPass Identity Provider (SAML IdP Service) Profile,Common.Error-Code=0,Common.Host-MAC-Address=,Common.Login-Status=ACCEPT,Common.Monitor-Mode=Disabled,Common.Request-Id=W ce4a8,Common.Request-Timestamp= :03: :30,Common.Roles=[User Authenticated],Common.Service=EAI ClearPass Identity Provider (SAML IdP Service),Common.Source=Application,Common.System-Posture-Token=UNKNOWN,Common.Username=prem4,WEBAUTH.Auth-Source=ClearPass Lab AD,WEBAUTH.Host-IP-Address= ,Common.Alerts=WebAuthService: User 'prem4' not present in [Local User Repository](localhost),

<143> :01:59, All Session Log Fields Common.Alerts-Present=0,Common.Audit-Posture-Token=UNKNOWN,Common.Auth-Type=,Common.Connection-Status=Unknown,Common.Enforcement-Profiles=Prem650 wireless access Aruba 802.1X Wireless Profile1,Common.Error-Code=0,Common.Host-MAC-Address=bc20a4d791f0,Common.Login-Status=ACCEPT,Common.Monitor-Mode=Disabled,Common.NAS-IP-Address= ,Common.NAS-Port=0,Common.Request-Id=R f d0045,Common.Request-Timestamp= :01:33+05:30,Common.Roles=[User Authenticated],Common.Service=Aruba ASO,Common.Source=RADIUS,Common.System-Posture-Token=UNKNOWN,Common.Username=prem3,RADIUS.Auth-Method=MSCHAP,RADIUS.Auth-Source=AD:adisam.arubapoc.local,

Figure 1 - Raw Syslog feed received by ArcSight Logger from ClearPass

Figure 2 shows how the Syslog feed shown in Figure 1 will be seen in ClearPass Access Tracker:

Figure 2 - ClearPass Access Tracker displaying Events

After integrating ClearPass with ArcSight Logger, the Syslog feed will appear as seen in Figure 3 in the ArcSight event display page:

Figure 3 - ArcSight Logger displaying the same ClearPass Events

Types of Syslog

ClearPass can generate two different types of Syslog feeds:

1. Syslogs based upon logs generated by internal ClearPass modules. This can be configured by clicking on Administration >> Server Manager >> Log Configuration in ClearPass.
   - These are logs from ClearPass internal modules like the RADIUS Server or ClearPass Authentication Request services.
2. Syslogs based upon Access Tracker Events, System Events and Audit Records. These can be configured by clicking on Administration >> External Servers >> Syslog Export Filters in ClearPass.
   - These are the logs defined in Data Filters, which will be discussed later in this document.

Syslogs based on ClearPass internal modules

While you can set up ArcSight Logger to receive Syslog messages based on ClearPass internal modules, we are going to ignore them in this document as they are not particularly useful for the end user. Here are some examples of these types of Syslog messages:

Mar 27 12:01: :00:15,315 [main] DEBUG RadiusServer.Radius - Module: Loaded SQL
Mar 27 12:01: :00:15,315 [main] DEBUG RadiusServer.Radius - sql: driver = "rlm_sql_unixodbc"
Mar 27 12:01: :00:15,316 [main] DEBUG RadiusServer.Radius - sql: sql_driver = "PostgreSQL"
Mar 27 12:01: :00:15,316 [main] DEBUG RadiusServer.Radius - sql: login = "appuser"
Mar 27 12:01: :00:15,316 [main] DEBUG RadiusServer.Radius - sql: password = "(encstring)"
Mar 27 14:59: :58:32,502 [RequestHandler-1-0x7f3899d6d700 r=psauto h=57 r=w e ef40] WARN Common.MacAddrAttrProvider - HostMac missing, not populating different mac representations
Mar 27 14:59: :58:32,502 [RequestHandler-1-0x7f3899d6d700 r=psauto h=57 r=w e ef40] WARN Common.TagDefinitionCacheTable - Failed to build TagDefinitionMap. Unknown NadClient for Id=0
Mar 27 14:59: :58:32,510 [R:W e ef40] ERROR com.avenda.tips.webauthservice.webauthhandler - Failed to perform chained policy-evaluation and enfprofiles
Mar 27 14:59: com.avenda.tips.webauthservice.webauthopexception: Applied Reject profile

Figure 4 - Example of Syslogs based on internal ClearPass modules

Syslogs based on Session Logs, Audit Records and Event Records

For the purposes of this document, we will only discuss integration of ClearPass Syslog data based upon:

- Session logs: these can be seen in the ClearPass Access Tracker
- Audit records: these can be seen in the ClearPass Audit Viewer
- Event records: these can be seen in the ClearPass Event Viewer

Figures 5, 6 and 7 show some examples of these three log types. Note that the payload is sent as name/value pairs.

<143> :03:56, All Session Log Fields Common.Alerts-Present=0,Common.Enforcement-Profiles=EAI ClearPass Identity Provider (SAML IdP Service) Profile,Common.Error-Code=0, Common.Login-Status=ACCEPT, Common.Request-Id=W ce4a8,Common.Request-Timestamp= :03: :30,Common.Roles=[User Authenticated],Common.Service=EAI ClearPass Identity Provider (SAML IdP Service),Common.Source=Application,Common.Username=prem4,WEBAUTH.Auth-Source=ClearPass Lab AD,

Figure 5 - Example of Syslog: Session Logs

<143> :45:40, Audit Records Filtername Timestamp=Mar 27, :44:33 EDT,Source=Audit Records,Category=Syslog Export Data,Action=DISABLE,User=admin\n

Figure 6 - Example of Syslog: Audit Records

<142> :43:11, System Events Filtername Timestamp=Mar 27, :42:25 EDT,Source=Admin UI,Level=INFO,Category=Logged out,action=none,description=user: admin\nrole: Super Administrator\nSession ID: 9a99afae329433e45e6e1c50bc9b0e74\nClient IP Address:

Figure 7 - Example of Syslog: System Events

This document will explain how to configure ClearPass to send these three types of log messages (Session Logs, Audit Records and System Events) to ArcSight Logger.

ArcSight Logger Architecture and Components

Figure 8 shows the various components that interact with ArcSight Logger. ClearPass with configured Syslog Filters is shown as one of the Syslog senders.

Figure 8 - ArcSight Logger Architecture and Component Interaction

To integrate ClearPass with ArcSight Logger, you have to perform two major tasks, which are covered in the next two sections, namely:

- ClearPass Configuration
- ArcSight Logger Configuration

ClearPass Configuration

Note: The configuration steps described in this section were tested on ClearPass

Configuring ClearPass to integrate with ArcSight Logger consists of the following three steps:

1. Adding ArcSight Logger as a Syslog Target.
2. Defining ClearPass Data Filters.
3. Defining ClearPass Syslog Export Filters.

Adding ArcSight as a Syslog Target

First, an instance of ArcSight Logger needs to be added to ClearPass as a Syslog target. To do this, the ArcSight Logger IP address or hostname and port number need to be entered at the appropriate place in the ClearPass administrative interface.

1. Navigate to Administration >> External Servers >> Syslog Targets and click on Add.
2. In the popup window, enter the requested details, namely:
   - Host Address: ArcSight Logger IP address or hostname
   - Description: (Optional) Description of the ArcSight Logger device
   - Protocol: Syslog protocol type (UDP/TCP)
   - Server Port: 519
   The protocol type (UDP/TCP) and the port number (519) should match the values that you will set in the ArcSight Logger receiver (see the next section).
3. Click on Save and verify that your settings have been saved correctly.

Figure 9 - Adding Syslog Targets to ClearPass

Defining ClearPass Data Filters

Next, Data Filters need to be defined to select only the events which need to be sent as Syslog output to ArcSight Logger. ClearPass comes with several predefined Data Filters, which are shown in Figure 10. ClearPass also allows you to define your own Data Filters that you can use to filter out the events that satisfy your requirement. Refer to the ClearPass documentation on the procedure to define a data filter.

Figure 10 - Predefined Data Filters in ClearPass

Creating Syslog Export Filters

Finally, Syslog Export Filters determine which events, and which columns of those events, are sent to ArcSight Logger. Defining Syslog Export Filters consists of making two major decisions:

- Choosing the Data Filters defined earlier to determine the events to be sent in the Syslog output.
- Choosing the column names of interest for sending in the Syslog output.

There are predefined column groups that make it easier to choose a group of relevant columns (shown later). For example, if the requirement is to send only Failed Authentication logs, then a Failed Authentication Export Filter needs to be created by choosing a Failed Requests Data Filter and then choosing the Failed Authentications column group. Multiple filters can be created and then turned on and off as and when required.

In this document we will create four Syslog Export Filters (as shown in Figures 11-14) which together export all possible log events and all column names to ArcSight Logger. The user can customize these to their requirement.

Figure 11 - Syslog Export Filters

Creating Syslog Export Filter: All Session Log Fields

1. Navigate to Administration >> External Servers >> Syslog Export Filters. Click on Add.
2. In the General tab, enter the requested details, namely:
   - Name: Enter an appropriate name, like All Session Log Fields.
   - Description: (Optional) Enter a description for this filter.
   - Export Template: Choose Session Logs.
   - Syslog Servers: Add the ArcSight Logger Syslog target which was created earlier.

Figure 12 - Creating Syslog Export Filter: All Session Log Fields

3. In the Filter and Columns tab, choose all possible requests and all column names to be exported by this filter.

   Option 1: (For common use cases) Select Data Filter and Columns for export.
   - Data Filter: Choose [All Requests]
   - Columns Selection: Use the method described below to add all available columns. This will populate the Selected Columns list displayed on the right.
   - Available Columns - Type: Choose Common. Select all the column names by multi-selecting. You will have to scroll down the list of column names to select all of them. Click the >> button to move these column names to the Selected Columns box on the right.

Figure 13 - Creating Syslog Export Filter: adding Common columns

Repeat this process for all the four types: Common, RADIUS, TACACS and WEBAUTH. For RADIUS columns as an example, see Figure 14.

Figure 14 - Creating Syslog Export Filter: adding RADIUS columns

Reorder the selected columns to the desired sequence to be seen in the ArcSight Logger event display page.

Note: The first column name is lost as it gets cut off by the ArcSight Extract Parser (see the Caveats section in this document). We have chosen to put the Common.Alerts-Present field first as it is not particularly useful (see Figure 15 below). You can choose to move another column to the first position.

To rearrange the column names on the right you have to use the left/right arrow buttons and push the columns left/right until you get the right order. The final display should show all column names in the Selected Columns box. Ensure that for all column types, the available column box is empty.

Figure 15 - Confirmation of selected columns

   Option 2: (For advanced use cases) Specify custom SQL query for export.
   Note: Option 2 is not covered in this document.
   - Custom SQL: Leave this blank.

Choose the Summary tab, verify the details and click Save to create the Syslog Export Filter.

Figure 16 - Summary of selected columns

4. To activate this filter, click on the Enable button.

Figure 17 - Enabling the Syslog Export Filter

Column Names

The following is a complete list of column names sent by this Syslog Filter:

Common.Alerts-Present, Common.Alerts, Common.Audit-Posture-Token, Common.Auth-Type, Common.Connection-Status, Common.Enforcement-Profiles, Common.Error-Code, Common.Login-Status, Common.Monitor-Mode, Common.NAS-Port, Common.Request-Id, Common.Source, Common.System-Posture-Token, Common.Request-Timestamp, Common.NAS-IP-Address, Common.Host-MAC-Address, Common.Roles, Common.Username, Common.Service

RADIUS.Acct-Authentic, RADIUS.Acct-Called-Station-Id, RADIUS.Acct-Calling-Station-Id, RADIUS.Acct-Delay-Time, RADIUS.Acct-Framed-IP-Address, RADIUS.Acct-Input-Octets, RADIUS.Acct-Input-Pkts, RADIUS.Acct-NAS-IP-Address, RADIUS.Acct-NAS-Port, RADIUS.Acct-NAS-Port-Type, RADIUS.Acct-Output-Octets, RADIUS.Acct-Output-Pkts, RADIUS.Acct-Service-Name, RADIUS.Acct-Session-Id, RADIUS.Acct-Session-Time, RADIUS.Acct-Status-Type, RADIUS.Acct-Termination-Cause, RADIUS.Acct-Timestamp, RADIUS.Acct-Username, RADIUS.Auth-Method, RADIUS.Auth-Source

WEBAUTH.Auth-Source, WEBAUTH.Enforcement-Profiles, WEBAUTH.Host-IP-Address, WEBAUTH.NAS-Port-Index, WEBAUTH.NAS-Port-Name

TACACS.Acct-Flags, TACACS.Acct-Session-Id, TACACS.Auth-Source, TACACS.Authen-Action, TACACS.Authen-Method, TACACS.Authen-Service, TACACS.Authen-Type, TACACS.Enforcement-Profiles, TACACS.Privilege-Level, TACACS.Remote-Address, TACACS.Request-Type

Creating Syslog Export Filter: All Events

Use the summary page shown in Figure 18 to configure the Syslog filter for all System Events.

Note: There are no column filters for this export filter.

Figure 18 - Configuring Syslog Export Filter for all System Events

Column Names

Complete list of column names sent by this Syslog Filter: Source, Level, Category, Action, Description

Creating Syslog Export Filter: All Audits

Use the summary page shown in Figure 19 to configure the Syslog filter for all Audit Records.

Note: There are no column filters for this export filter.

Figure 19 - Configuring Syslog Export Filter for all Audit Events

Column Names

Complete list of column names sent by this Syslog Filter: Source, Category, Action, User

Creating Syslog Export filter: Failed Authentications

1. Navigate to Administration >> External Servers >> Syslog Export Filters. Click on Add.
2. In the General tab, enter the requested details, namely:
   - Name: Enter an appropriate name, like Failed Authentications
   - Description: (Optional) Enter a description for this filter.
   - Export Template: Choose Session Logs.
   - Syslog Servers: From the pull down menu, add the ArcSight Logger Syslog Target which was created earlier.

Figure 20 - Configuring Syslog Export Filter for Failed Authentications

3. In the Filter and Columns tab, choose the Data Filter and the columns that will be exported by this filter.

   Option 1: (For common use cases) Select Data Filter and Columns for export.
   - Data Filter: Choose [Failed Requests]
   - Columns Selection: Choose the Predefined Field Group Failed Authentications. This will populate the Selected Columns list box displayed on the right hand side.

Figure 21 - Selecting the predefined columns for Failed Authentications

   Option 2: (For advanced use cases) Specify custom SQL query for export.
   Note: Option 2 is not covered in this document.
   - Custom SQL: Leave this blank.

Choose the Summary tab, verify the details and click Save to create the Syslog Export Filter.

Figure 22 - Failed Authentication summary Syslog Export Filter

To activate this filter, click on the Enable button.

Figure 23 - Enabling Syslog Export Filter

Note: You may want to turn off the All Session Log Fields filter to avoid getting logs from both filters.

Syslog Column Names

Syslogs sent by ClearPass consist of a standard Syslog header followed by a payload of comma-separated name/value pairs, with = as the name/value separator, as shown below.

<143> :03:56, All Session Log Fields Common.Alerts-Present=0, Common.Request-Id=W b,...

Figure 24 - Typical Syslog sent by ClearPass

The name part of each name/value pair corresponds to the column names we chose earlier for each of the Syslog export filters. Here is the complete list of column names.

Level, Source, Category, Action, Description, User, Common.Alerts, Common.Alerts-Present, Common.Audit-Posture-Token, Common.Auth-Type, Common.Connection-Status, Common.Enforcement-Profiles, Common.Error-Code, Common.Login-Status, Common.Monitor-Mode, Common.NAS-Port, Common.Request-Id, Common.Source, Common.System-Posture-Token, Common.Request-Timestamp, Common.NAS-IP-Address, Common.Host-MAC-Address, Common.Roles, Common.Username, Common.Service, RADIUS.Acct-Authentic, RADIUS.Acct-Called-Station-Id, RADIUS.Acct-Calling-Station-Id, RADIUS.Acct-Delay-Time, RADIUS.Acct-Framed-IP-Address, RADIUS.Acct-Input-Octets, RADIUS.Acct-Input-Pkts, RADIUS.Acct-NAS-IP-Address, RADIUS.Acct-NAS-Port, RADIUS.Acct-NAS-Port-Type, RADIUS.Acct-Output-Octets, RADIUS.Acct-Output-Pkts, RADIUS.Acct-Service-Name, RADIUS.Acct-Session-Id, RADIUS.Acct-Session-Time, RADIUS.Acct-Status-Type, RADIUS.Acct-Termination-Cause, RADIUS.Acct-Timestamp, RADIUS.Acct-Username, RADIUS.Auth-Method, RADIUS.Auth-Source, WEBAUTH.Auth-Source, WEBAUTH.Enforcement-Profiles, WEBAUTH.Host-IP-Address, WEBAUTH.NAS-Port-Index, WEBAUTH.NAS-Port-Name, TACACS.Acct-Flags, TACACS.Acct-Session-Id, TACACS.Auth-Source, TACACS.Authen-Action, TACACS.Authen-Method, TACACS.Authen-Service, TACACS.Authen-Type, TACACS.Enforcement-Profiles, TACACS.Privilege-Level, TACACS.Remote-Address, TACACS.Request-Type

In the next section, we will use the above list to tell the ArcSight Logger parser which names to extract and display from the ClearPass Syslog.

ArcSight Logger Configuration

Note: The configuration steps described in this section were tested on ArcSight Logger

Configuring ArcSight Logger consists of:

- Adding an Event Input ClearPass Parser
- Adding an Event Input ClearPass Source Type
- Adding an Event Input ClearPass Receiver
- Adding the ClearPass Server

Adding an Event Input ClearPass Parser

1. Navigate to Configuration >> Event Input. Choose the Parsers tab and click Add.

Figure 25 - Adding an Extract Parser into ArcSight Logger

2. Enter the requested details and click Save.
   - Name: ClearPass Parser
   - Parser Type: Extract Parser

   Note: We choose the Extract Parser type since ClearPass logs contain name/value pairs and this fits well with this type of parser. However, some information will be lost, namely information that is not sent as name/value pairs (e.g. Syslog Export Filter names). See the Caveats section for details.

3. In the next window, enter the requested details for the various fields and click Save to save the Parser.
   - Description: (Optional) Enter a description for the parser such as ClearPass Syslog Parser for all Authentication, Events and Audit records
   - Pair Delimiter: Enter the comma character (,)
   - Key/Value Delimiter: Enter the equal-to symbol (=)
   - Fields: Level, Source, Category, Action, Description, User, Common.Alerts, Common.Alerts-Present, Common.Audit-Posture-Token, Common.Auth-Type, Common.Connection-Status, Common.Enforcement-Profiles, Common.Error-Code, Common.Login-Status, Common.Monitor-Mode, Common.NAS-Port, Common.Request-Id, Common.Source, Common.System-Posture-Token, Common.Request-Timestamp, Common.NAS-IP-Address, Common.Host-MAC-Address, Common.Roles, Common.Username, Common.Service, RADIUS.Acct-Authentic, RADIUS.Acct-Called-Station-Id, RADIUS.Acct-Calling-Station-Id, RADIUS.Acct-Delay-Time, RADIUS.Acct-Framed-IP-Address, RADIUS.Acct-Input-Octets, RADIUS.Acct-Input-Pkts, RADIUS.Acct-NAS-IP-Address, RADIUS.Acct-NAS-Port, RADIUS.Acct-NAS-Port-Type, RADIUS.Acct-Output-Octets, RADIUS.Acct-Output-Pkts, RADIUS.Acct-Service-Name, RADIUS.Acct-Session-Id, RADIUS.Acct-Session-Time, RADIUS.Acct-Status-Type, RADIUS.Acct-Termination-Cause, RADIUS.Acct-Timestamp, RADIUS.Acct-Username, RADIUS.Auth-Method, RADIUS.Auth-Source, WEBAUTH.Auth-Source, WEBAUTH.Enforcement-Profiles, WEBAUTH.Host-IP-Address, WEBAUTH.NAS-Port-Index, WEBAUTH.NAS-Port-Name, TACACS.Acct-Flags, TACACS.Acct-Session-Id, TACACS.Auth-Source, TACACS.Authen-Action, TACACS.Authen-Method, TACACS.Authen-Service, TACACS.Authen-Type, TACACS.Enforcement-Profiles, TACACS.Privilege-Level, TACACS.Remote-Address, TACACS.Request-Type

   Note: The above is the complete list of columns available in ClearPass 6.3.1, but you can choose to enter only a subset of these column names if you want only those names to appear as fields in the ArcSight Logger display.

Figure 26 - Setting Pair Delimiter and Key/Value Delimiter for Parser

After saving the parser, you will see a table with a list of parsers defined in ArcSight Logger as shown in Figure 27.

Figure 27 - Table showing parsers defined in ArcSight Logger

Adding an Event Input ClearPass Source Type

1. Navigate to Configuration >> Event Input. Choose the Source Types tab and click Add.
2. Enter the requested details and click Save.
   - Event Time Location: Enter the regular expression .*(\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d) to match four digits for the year, a dash, two digits for the month, a dash, two digits for the day, a space, and six digits for the time: two each for hours, minutes and seconds, separated by colons.
   - Event Time Format: Enter yyyy-MM-dd HH:mm:ss for the time format as described above.
   - Parser: Select the previously defined ClearPass Parser from the dropdown list.

Figure 28 - Defining ClearPass Event Time Location

After saving the source type, you will see a table with a list of source types defined in ArcSight Logger as shown in Figure 29.

Figure 29 - Table showing source types defined in ArcSight Logger

Adding an Event Input ClearPass Receiver

1. Navigate to Configuration >> Event Input. Choose the Receivers tab and click Add.
2. Enter the requested details and click Save.
   - Name: Enter a descriptive name, for example: ClearPass Receiver.
   - Type: Enter type UDP Receiver.
   - IP/Host: Leave the selection of the dropdown list to All (default).
   - Port: Enter 519.
   - Encoding: Select UTF-8 (default).
   - Source Type: Select the previously defined ClearPass Source from the dropdown list.

Note: The receiver type (UDP) and port (519) should match the values configured in ClearPass for this ArcSight Syslog target under Administration >> External Servers >> Syslog Targets.

Note: A non-default port like 519 may need to be used instead of the default 514 because every receiver in ArcSight Logger listens for only one source type. This requires defining multiple receivers (each on a different port), one receiver for each source type.

Figure 30 - Configuring ArcSight Logger Receiver for ClearPass

Adding the ClearPass Server

1. Navigate to Configuration >> Devices >> Add. Add your ClearPass server as a device. This enables the use of the ClearPass device name in search strings.
2. Enter the requested details and click Save.
   - Name: Enter a display name to identify the ClearPass server.
   - IP address: Enter the IP address of the ClearPass server.
   - Receiver: Select the ClearPass Receiver configured earlier from the dropdown list.

Figure 31 - Adding ClearPass server in ArcSight Logger

This concludes the required configuration of ArcSight Logger for integration with ClearPass for receiving all Syslog information fields from ClearPass.

ArcSight Logger Sample Displays

Here are sample snapshots from ArcSight Logger showing Syslog data received from ClearPass.

Figure 32 - Summary page showing Syslog data received from ClearPass

This page shows the results after searching for events from the ClearPass device in the last 30 days.

Figure 33 - Searching ArcSight for ClearPass information

This page summarizes the count of name fields in ArcSight Logger after receiving Syslogs.

Figure 34 - Analyze Search Page: Field Summary

This page summarizes the RADIUS ACCEPT and REJECT counts.

Figure 35 - Analyze Search Page: Login Accept / Reject Summary

This page is a part of a long horizontal display showing values for all the column names that ArcSight received for a Failed Authentication event (Common.Login-Status=REJECT).

Figure 36 - Analyze Search Page: Login Status = REJECT

This page shows the raw data corresponding to Login Status = REJECT.

Figure 37 - Analyze Search Page: Login Status = REJECT -> Raw Data

This page shows the raw data corresponding to Login Status = REJECT with fields expanded.

Figure 38 - Analyze Search Page: Login Status = REJECT -> Raw Data -> Extract Fields

Syslog Raw Data

Here are examples of the raw Syslog data received from ClearPass for different types of events. Note the column names that are returned for these events.

Failed Authentication Raw Data

<143> :46:27, TEST filter Common.Alerts=WebAuthService: User 'bbb' not present in [Local User Repository](localhost)\nUser 'bbb' not present in ClearPass Lab AD(adisam.arubapoc.local),Common.Alerts-Present=0,Common.Audit-Posture-Token=UNKNOWN,Common.Auth-Type=,Common.Enforcement-Profiles=[Deny Application Access Profile],Common.Error-Code=201,Common.Host-MAC-Address=,Common.Login-Status=REJECT,Common.Monitor-Mode=Enabled,Common.Request-Id=W e ec,Common.Request-Timestamp= :37: :30,Common.Roles=,Common.Service=EAI ClearPass Identity Provider (SAML IdP Service),Common.Source=Application,Common.System-Posture-Token=UNKNOWN,Common.Username=bbb,WEBAUTH.Auth-Source=,WEBAUTH.Host-IP-Address= ,

Successful Authentication Raw Data

<143> :00:27, All Session Log Fields Common.Alerts-Present=0,Common.Audit-Posture-Token=UNKNOWN,Common.Auth-Type=,Common.Enforcement-Profiles=EAI ClearPass Identity Provider (SAML IdP Service) Profile,Common.Error-Code=0,Common.Host-MAC-Address=,Common.Login-Status=ACCEPT,Common.Monitor-Mode=Disabled,Common.Request-Id=W b,Common.Request-Timestamp= :59: :30,Common.Roles=[Employee], [User Authenticated],Common.Service=EAI ClearPass Identity Provider (SAML IdP Service),Common.Source=Application,Common.System-Posture-Token=UNKNOWN,Common.Username=prem1,WEBAUTH.Auth-Source=[Local User Repository],WEBAUTH.Host-IP-Address= ,

Event Log Raw Data

<139> :01:04, All Events Timestamp=Mar 28, :59:39 IST,Source=Endpoint Context Server,Level=ERROR,Category=MaaS360: Communication Error,Action=Failed,Description=Failed to fetch Endpoint details from MaaS360 - verify Proxy settings, Server credentials and retry.

Audit Log Raw Data

<143> :47:14, All Audits Timestamp=Mar 28, :46:59 IST,Source=All Audits,Category=Syslog Export Data,Action=MODIFY,User=admin

Caveats

ArcSight Logger offers two types of parsers for processing Syslog messages from applications such as ClearPass:

- Regular Expression Parser, which requires defining a regular expression to parse the payload of an incoming Syslog stream;
- Extract Parser, which assumes the payload of the incoming Syslog stream consists of name/value pairs and requires defining the name fields, the field separators and the name/value delimiters.

Using the Extract Parser makes integration much easier than using a Regular Expression Parser, as there is no need to develop complex regular expressions to handle all possible ways a Syslog can be sent. The Extract Parser approach has some inherent limitations that a Regular Expression Parser can overcome, but describing a Regular Expression Parser is beyond the scope of this document.

The following caveats exist when using the Extract Parser described in this document:

1. If the value of any field in the Syslog message payload contains a comma (,), then only the part of the value before the comma is displayed as the value of the field. For example, if the name/value pair in ClearPass is:

ClearPass: Common.Roles= [Employee], [User Authenticated]

then ArcSight Logger will only capture the first value:

ArcSight Logger: Common.Roles= [Employee]

2. The very first name/value pair in the Syslog as sent by ClearPass does not get parsed, and the corresponding field is shown empty in ArcSight Logger. For example, if the Syslog message is as displayed in Figure 39:

Figure 39 - Syslog received by ArcSight Logger

then the field Common.Alerts-Present is not parsed, as seen in Figure 40:

Figure 40 - ArcSight Logger display of Syslog message

Workaround: Make the first column in the ClearPass Syslog filter a column that is not important or whose value is not that useful. To do this, when defining a Syslog Export Filter in ClearPass, navigate to Syslog Export Filter >> Filter and Columns. Click on the left arrow button (<<) as shown in Figure 41.

Figure 41 - Syslog Export Filter: Column Selection and Reordering

3. Column names are fixed in ClearPass and will appear exactly the same in ArcSight Logger. This is because we are using the predefined Data Filters, and column names cannot be changed in ClearPass for predefined Data Filters. However, if we wanted to change column names, we could use a custom SQL query when defining a Data Filter. In that case, we could change the field name Common.Username to Username, for example.

Note: Describing how to create a custom SQL query is beyond the scope of this Tech Note. Please consult ClearPass technical documentation to understand how to create and use a custom SQL query.
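The effect of caveats 1 and 2 on the data, as an added example that is not part of the Aruba tech note or of ArcSight Logger: it compares a plain comma/equals split with a split that only breaks at a comma directly followed by a field name and "=". The message header layout, timestamps, IP addresses and all function names are assumptions made for the illustration, and naive_split is a simplified model, not the Extract Parser's implementation.

```python
import re

# Field names as they appear in the samples: "Common.Login-Status", "Timestamp", ...
KEY = r"[A-Za-z][A-Za-z0-9]*(?:[.-][A-Za-z0-9]+)*"
# First field name in the message: preceded by start, whitespace or a comma.
FIRST_KEY = re.compile(rf"(?<![^\s,])({KEY})=")
# A field boundary is a comma immediately followed by "FieldName=".
BOUNDARY = re.compile(rf",(?={KEY}=)")

# Constructed samples modelled on the raw data shown in this document.
# Header, timestamps and IP addresses are made-up placeholders.
SESSION_MSG = (
    "<143>2014-03-28 15:00:27,123 192.0.2.10 All Session Log Fields "
    "Common.Alerts-Present=0,Common.Auth-Type=,Common.Login-Status=ACCEPT,"
    "Common.Roles=[Employee], [User Authenticated],"
    "Common.Service=EAI ClearPass Identity Provider (SAML IdP Service),"
    "Common.Username=prem1,WEBAUTH.Auth-Source=[Local User Repository],"
    "WEBAUTH.Host-IP-Address=192.0.2.55,"
)
EVENT_MSG = (
    "<139>2014-03-28 15:01:04,456 192.0.2.10 All Events "
    "Timestamp=Mar 28, 2014 14:59:39 IST,Source=Endpoint Context Server,"
    "Level=ERROR,Category=MaaS360: Communication Error,Action=Failed,"
    "Description=Failed to fetch Endpoint details from MaaS360 - verify Proxy "
    "settings, Server credentials and retry."
)


def naive_split(message):
    """Model of a plain comma/equals split (an assumption, not ArcSight code)."""
    fields = {}
    for token in message.split(","):
        name, sep, value = token.partition("=")
        if sep:  # tokens without '=' (value fragments) are silently dropped
            fields[name] = value
    return fields


def boundary_aware_parse(message):
    """Split only at commas that are directly followed by 'FieldName='.

    Limit of the heuristic: a value that itself contains ',word=' would
    still be split; a fixed list of known column names avoids that.
    """
    first = FIRST_KEY.search(message)
    if first is None:
        return {}
    body = message[first.start(1):].rstrip()
    if body.endswith(","):  # the session samples end with a trailing comma
        body = body[:-1]
    fields = {}
    for pair in BOUNDARY.split(body):
        name, _, value = pair.partition("=")
        fields[name] = value
    return fields


def lost_or_truncated(message):
    """Names of fields whose value the naive split loses or shortens."""
    good = boundary_aware_parse(message)
    naive = naive_split(message)
    return sorted(name for name, value in good.items() if naive.get(name) != value)


if __name__ == "__main__":
    for label, msg in (("session", SESSION_MSG), ("event", EVENT_MSG)):
        print(label, "fields affected by the naive split:", lost_or_truncated(msg))
        for name, value in boundary_aware_parse(msg).items():
            print(f"  {name} = {value!r}")
```

In this model the first pair is glued to the header text, so a lookup by its field name finds nothing, which is the same symptom as caveat 2; any search or alert that keys on Common.Roles or on the event Description should be checked against the truncated values.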


More information

Logging. About Logging. This chapter describes how to log system messages and use them for troubleshooting.

Logging. About Logging. This chapter describes how to log system messages and use them for troubleshooting. This chapter describes how to log system messages and use them for troubleshooting. About, page 1 Guidelines for, page 7 Configure, page 8 Monitoring the Logs, page 26 History for, page 29 About System

More information

Platform Settings for Classic Devices

Platform Settings for Classic Devices The following topics explain Firepower platform settings and how to configure them on Classic devices: Introduction to Firepower Platform Settings, page 1 Configuring Firepower Platform Settings, page

More information

SIEM Tool Plugin Installation and Administration

SIEM Tool Plugin Installation and Administration SIEM Tool Plugin Installation and Administration 2003-2019 BeyondTrust Corporation. All Rights Reserved. BEYONDTRUST, its logo, and JUMP are trademarks of BeyondTrust Corporation. Other trademarks are

More information

RED IM Integration with Bomgar Privileged Access

RED IM Integration with Bomgar Privileged Access RED IM Integration with Bomgar Privileged Access 2018 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the

More information

Migration Guide Service Manager

Migration Guide Service Manager Migration Guide 2017.3.1 Service Manager powered by HEAT Copyright Notice This document contains the confidential information and/or proprietary property of Ivanti, Inc. and its affiliates (referred to

More information

Deliver and manage customer VIP POCs. The lab will be directed and provide you with step-by-step walkthroughs of key features.

Deliver and manage customer VIP POCs. The lab will be directed and provide you with step-by-step walkthroughs of key features. SR L15 Hands-On Lab Description Protecting Corporate Networks with Symantec Validation and ID Protection At the end of this lab, you should be able to Technically present and answer questions from your

More information

Policy Enforcer. Policy Enforcer Connectors Guide. Modified: Copyright 2018, Juniper Networks, Inc.

Policy Enforcer. Policy Enforcer Connectors Guide. Modified: Copyright 2018, Juniper Networks, Inc. Policy Enforcer Policy Enforcer Connectors Guide Modified: 2018-05-31 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net Juniper Networks, the Juniper

More information

Integrate Bluecoat Content Analysis. EventTracker v9.x and above

Integrate Bluecoat Content Analysis. EventTracker v9.x and above EventTracker v9.x and above Publication Date: June 8, 2018 Abstract This guide provides instructions to configure a Bluecoat Content Analysis to send its syslog to EventTracker Enterprise. Scope The configurations

More information

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. PingIdentity PingFederate 8

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. PingIdentity PingFederate 8 RSA SECURID ACCESS Implementation Guide PingIdentity John Sammon & Gina Salvalzo, RSA Partner Engineering Last Modified: February 27 th, 2018 Solution Summary Ping Identity

More information