Scribd
Upload
258 views30 pages

Integration Guide Aruba Clearpass PDF

This document provides instructions on integrating the Aruba Clearpass access management platform with the EventTracker SIEM solution. It outlines how to configure syslog forwarding from Clearpass to EventTracker and add syslog export filters. It also describes the various EventTracker knowledge packs that can be imported, including saved searches, alerts, reports and dashboards to monitor Clearpass events and activities. Verification steps are included to ensure the integration and knowledge packs are working properly.

Uploaded by

mohammad alalami
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
258 views30 pages

Integration Guide Aruba Clearpass PDF

This document provides instructions on integrating the Aruba Clearpass access management platform with the EventTracker SIEM solution. It outlines how to configure syslog forwarding from Clearpass to EventTracker and add syslog export filters. It also describes the various EventTracker knowledge packs that can be imported, including saved searches, alerts, reports and dashboards to monitor Clearpass events and activities. Verification steps are included to ensure the integration and knowledge packs are working properly.

Uploaded by

mohammad alalami
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 30

Integrate Aruba Clearpass with

EventTracker
EventTracker v9.x or later

Publication Date: March 31, 2020


Integrate Aruba Clearpass with EventTracker

Abstract
This guide provides instructions to retrieve the Aruba Clearpass events by syslog. Once EventTracker is
configured to collect and parse these logs, dashboard and reports can be configured to monitor Aruba
Clearpass.

Scope
The configurations detailed in this guide are consistent with EventTracker version 9.x or above and Aruba
Clearpass 6.7 and above.

Audience
Administrators who are assigned the task to monitor Aruba Clearpass events using EventTracker.

The information contained in this document represents the current view of Netsurion on the issues
discussed as of the date of publication. Because Netsurion must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Netsurion, and Netsurio n
cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. Netsurion MAKES NO WARRANTIES, EXPRESS OR
IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright Aruba Clearpass is the responsibility of the user. Without
limiting the rights under copyright, this paper may be freely distributed without permission from
Netsurion, if its content is unaltered, nothing is added to the content and credit to Netsurion is
provided.

Netsurion may have patents, patent applications, trademarks, copyrights, or other intellectua l
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Netsurion, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious.
No association with any real company, organization, product, person or event is intended or should
be inferred.

© 2020 Netsurion. All rights reserved. The names of actual companies and products mentioned
herein may be the trademarks of their respective owners.

1
Integrate Aruba Clearpass with EventTracker

Table of Contents
1. Overview ........................................................................................................................................................ 3
2. Prerequisites................................................................................................................................................... 3
3. Integrating Aruba Clearpass with EventTracker ............................................................................................ 3
3.1 Configuring a Syslog Forwarding ............................................................................................................ 3
3.2 Adding syslog export filters .................................................................................................................... 5
4. EventTracker Knowledge Packs...................................................................................................................... 7
4.1 Saved Searches ....................................................................................................................................... 7
4.2 Alerts ....................................................................................................................................................... 7
4.3 Flex Reports ............................................................................................................................................ 7
4.4 Dashboards ........................................................................................................................................... 11
5. Importing knowledge pack into EventTracker ............................................................................................. 16
5.1 Saved Searches ..................................................................................................................................... 17
5.2 Alerts ..................................................................................................................................................... 18
5.3 Parsing Rules......................................................................................................................................... 19
5.4 Flex Reports .......................................................................................................................................... 20
5.5 Knowledge Objects ............................................................................................................................... 22
5.6 Dashboards ........................................................................................................................................... 23
6. Verifying knowledge pack in EventTracker .................................................................................................. 25
6.1 Saved Searches ..................................................................................................................................... 25
6.2 Alerts ..................................................................................................................................................... 26
6.3 Parsing Rules......................................................................................................................................... 26
6.4 Reports.................................................................................................................................................. 27
6.5 Knowledge Objects ............................................................................................................................... 27
6.6 Dashboards ........................................................................................................................................... 28

2
Integrate Aruba Clearpass with EventTracker

1. Overview
The Aruba Clearpass is a policy management platform. It allows an organization to effortlessly onboard
new devices, grant varying access levels, and keep their networks secure across any multivendor wired,
wireless and VPN infrastructure.
EventTracker, when integrated with Aruba Clearpass, collects log from Aruba Clearpass and creates a
detailed reports, alerts, dashboards and saved searches. These attributes of EventTracker helps users to
view the most critical and important information on a single platform.

“Reports” provide detailed overview of activities like, Devices registered with Clearpass, RADIUS and
TACACS authentications requests (success and failed), Policy manager system level activities, and many
more.

“Alerts” notify as critical events are triggered by Aruba Clearpass. With alerts, users are notified about
real time occurrences of events such as, failed RADIUS/TACACS authentications.

Dashboards depict system activities like ADD and REMOVE, RADIUS/TACACS successful logins and failed
logins with geo-location support to highlight region/ area over a map. These services will include
information such as suspicious source IP address, Source MAC address, NAS address, event category,
device onboarded, policy added, etc.

2. Prerequisites
• VCP (virtual collection point) syslog port should be opened.
• Port 514 should be allowed in Firewall (if applicable).

3. Integrating Aruba Clearpass with EventTracker


Aruba Clearpass can be integrated with EventTracker using syslog forwarding.

3.1 Configuring a Syslog Forwarding


1. Login to Aruba Clearpass dashboard and navigate to Administration > External Servers > Syslog Targets.
E.g.

3
Integrate Aruba Clearpass with EventTracker

Figure 1

2. Select Add. (The Add Syslog Target dialog opens)

Figure 2

• Host Address: Enter the EventTracker syslog port IP address. (IPv4 address)
• Description: Enter a short description of syslog server as desired.
• Protocol: Select ‘UDP’.
• Server Port: Enter ‘514’.
3. Click Save. (Syslog target is now added)

Figure 3

4
Integrate Aruba Clearpass with EventTracker

3.2 Adding syslog export filters


Configure syslog export filters to instruct Policy Manager where to send this information, and what kind of
information should be sent through data filters.
1. Navigate to Syslog Export Filters Page, Administration > External Servers > Syslog Export Filters.

Figure 4

2. From the Syslog Export Filters page, click Add.

Figure 5

5
Integrate Aruba Clearpass with EventTracker

** Note – 1. Below steps has to be repeated for each syslog export entry.

2. ‘Export event Format Type’ field should always be “Standard”


3. ‘Clearpass Servers’ field should be empty.

Export
Name Template Syslog server Filters and Columns
EventTracker Logs EventTracker
Audit AUDIT syslog IP address Not applicable
EventTracker Logs EventTracker
System SYSTEM syslog IP address Not applicable
Data Filter - [RADIUS Requests]
Column Selection (Predefined group) - select
"RADIUS Accounting"
EventTracker Logs EventTracker Column Selection (Available columns Type - RADIUS) -
Session_1 SESSION syslog IP address Add "RADIUS.Acct-Authentic"
Data Filter - [RADIUS Requests]
EventTracker Logs EventTracker Column Selection (Predefined group) - select "Failed
Session_2 SESSION syslog IP address Authentications"
Data Filter - [TACACS Requests]
EventTracker Logs EventTracker Column Selection (Predefined group) - select
Session_3 SESSION syslog IP address "TACACS+ Accounting"
Data Filter - [Webauth Requests]
EventTracker Logs EventTracker Column Selection (Predefined group) - select "Web
Session_4 SESSION syslog IP address Authentication"
Data Filter - [Guest Access Requests]
EventTracker Logs EventTracker Column Selection (Predefined group) - select "Guest
Session_5 SESSION syslog IP address Access"
Data Filter - [Active Session]
EventTracker Logs EventTracker Column Selection (Predefined group) - select "Logged
Session_6 SESSION syslog IP address in users"
EventTracker Logs EventTracker
Insight_1 INSIGHT syslog IP address Predefined Group - TACACS Failed Authentication
EventTracker Logs EventTracker
Insight_2 INSIGHT syslog IP address Predefined Group - Endpoints
Predefined Group - WEBAUTH Failed Authentications
EventTracker Logs EventTracker Column Selection (Available columns - Auth) - Add
Insight_3 INSIGHT syslog IP address “Auth.Error-Code”
EventTracker Logs EventTracker Predefined Group - Failed Application
Insight_4 INSIGHT syslog IP address Authentications
EventTracker Logs EventTracker
Insight_5 INSIGHT syslog IP address Predefined Group - Onboard Enrollment

6
Integrate Aruba Clearpass with EventTracker

3. Once you’ve defined the above fields in their respective tabs, click on “Next” a to finalize the
configurations and save. (Note – You’ve to repeat this step for each new entry in export filters.)

4. EventTracker Knowledge Packs


4.1 Saved Searches
Saved searches are designed to quickly parse logs and allow user to see only specific events related to:

• Aruba Clearpass - TACACS SESSION EVENTS: Allows to filter log search specific to TACACS+ activities.
• Aruba Clearpass - SYSTEM EVENTS: Allows to filter log search specific to clearpass policy manager
activities. Such as, user login, logout, export, collect logs, etc.
• Aruba Clearpass - RADIUS SESSION EVENTS: Allows to filter log search specific to RADIUS session
activities.
• Aruba Clearpass - AUDIT EVENTS: Allows to filter log search specific to clearpass audit activities, such
as, ADD or REMOVE or MODIFY or REORDER.
• Aruba Clearpass - INSIGHT EVENTS: Allows to filter log search specific to clearpass Insight application.

4.2 Alerts
Alerts are triggered when an event received is identified as critical and requires immediate notification.
Such as,

• Aruba Clearpass: Failed login has been detected for RADIUS session
This alert is triggered when clearpass receives an authentication failure for a RADIUS account.
• Aruba Clearpass: Login failed detected for clearpass system
This alert is triggered when clearpass receives an authentication failure for systems registered.
• Aruba Clearpass: Failed login has been detected for Web authentication
This alert is triggered when a web authentication failure happens in clearpass web console.

4.3 Flex Reports


• Aruba Clearpass - RADIUS authentication failed: This report generates a detailed summary of failed
authentications that happened in any RADIUS server account. This includes, source MAC address,
Authentication types, timestamp, username, etc.

7
Integrate Aruba Clearpass with EventTracker

Figure 6

• Aruba Clearpass - System Activities (User login failed): This report generates a detailed summary of
failed activity on clearpass policy manager. This includes information such as Source IP address,
username, component, etc.

Figure 7

• Aruba Clearpass - System Activities (User login-logout): This report generates a detailed summary of
successful login and logout on clearpass policy manager. This includes, source username, IP address,
category, component, etc.

8
Integrate Aruba Clearpass with EventTracker

Figure 8

• Aruba Clearpass - System Activities: This report includes system related activities other than login,
logout or login fail. For, e.g. export, session destroyed, Collect Logs, AV/AS Updates,
activate.arubanetworks.com, email successful, etc.

Figure 9

• Aruba Clearpass - Audit Activities: Audit activity report includes events such ADD, MODIFY, REMOVE
and REORDER. For e.g. when a device gets registered with clearpass policy manager, ‘ADD’ event is
generated.

9
Integrate Aruba Clearpass with EventTracker

Figure 10

• Aruba Clearpass - RADIUS authentication success: This report includes detailed summary of RADIUS
server successful authentications. These includes, Source IP address, NAS IP address, Authentication
types (Local, Remote, and RADIUS), etc.

Figure 11

10
Integrate Aruba Clearpass with EventTracker

4.4 Dashboards
• Aruba Clearpass - System events by Types

Figure 12

• Aruba Clearpass - Audit Events by Action Types

Figure 13

11
Integrate Aruba Clearpass with EventTracker

• Aruba Clearpass - Audit Events by Source IP address

Figure 14

• Aruba Clearpass - Audit Events by Source Username

Figure 15

12
Integrate Aruba Clearpass with EventTracker

• Aruba Clearpass - System events by source IP address

Figure 16

• Aruba Clearpass - System events by Failed Login

Figure 5

13
Integrate Aruba Clearpass with EventTracker

• Aruba Clearpass - RADIUS Session Events by Usernames

Figure 18

• Aruba Clearpass - RADIUS Session Events by Source IP address

Figure 19

14
Integrate Aruba Clearpass with EventTracker

• Aruba Clearpass - WebAuth Events by Failed Login

Figure 20

• Aruba Clearpass - WebAuth Events by Failed MAC address

Figure 21

15
Integrate Aruba Clearpass with EventTracker

• Aruba Clearpass - RADIUS Session Events by Failed login

Figure 22

• Aruba Clearpass - TACACS failed authentications

5. Importing knowledge pack into EventTracker


Getting Knowledge Packs
To get the knowledge packs, locate the knowledge pack folder. Follow the below steps:

1. Press “ + R”.
2. Now, type “%et_install_path%\Knowledge Packs” and press “Enter”.
(Note – If, not able to locate the file path as mentioned above, please contact EventTracker support to
get the assistance).

NOTE: Import knowledge pack items in the following sequence:


• Categories
• Alerts
• Token Template/ Parsing Rules

16
Integrate Aruba Clearpass with EventTracker

• Flex Reports
• Knowledge Objects
• Dashboards
1. Launch the EventTracker Control Panel.
2. Double click Export-Import Utility.

Figure 23

Figure 24

3. Click the Import tab.

5.1 Saved Searches


1. Once you have opened “Export Import Utility” via “EventTracker Control Panel”, click the Category
option, and then click browse .

17
Integrate Aruba Clearpass with EventTracker

2. Navigate to the knowledge pack folder and select the file with extension “.iscat”, e.g.
“Categories_Aruba Clearpass.iscat” and then click “Import”.

Figure 25

EventTracker displays a success message:

Figure 26

5.2 Alerts
1. Once you have opened “Export Import Utility” via “EventTracker Control Panel”, click Alert option, and
then click browse.

18
Integrate Aruba Clearpass with EventTracker

2. Navigate to the knowledge pack folder and select the file with extension “.isalt”, e.g. “Alerts_ Aruba
Clearpass.isalt” and then click “Import”.

Figure 27

EventTracker displays a success message:

Figure 28

5.3 Parsing Rules


1. Once you have opened “Export Import Utility” via “EventTracker Control Panel”, click the “Token
Value” option, and then click browse .

19
Integrate Aruba Clearpass with EventTracker

2. Navigate to the knowledge pack folder and select the file with extension “.istoken”, e.g. “Parsing Rules_
Aruba Clearpass.istoken” and then click “Import”:

Figure 29

5.4 Flex Reports


1. In EventTracker control panel, select “Export/ Import utility” and select the “Import tab”. Then, click
Reports option, and choose “New (*.etcrx)”:

20
Integrate Aruba Clearpass with EventTracker

Figure 30

2. Once you have selected “New (*.etcrx)”, a new pop-up window will appear. Click “Select File” and
navigate to knowledge pack folder and select file with extension “.etcrx”, e.g. “Reports_ Aruba
Clearpass.etcrx”.

Figure 31

3. Wait while reports are being populated in below tables. Now, select all the relevant reports and then
click Import .

21
Integrate Aruba Clearpass with EventTracker

Figure 32

EventTracker displays a success message:

Figure 33

5.5 Knowledge Objects


1. Click Knowledge objects under the Admin option in the EventTracker manager web interface.

Figure 34

2. Next, click the “import object” icon:

22
Integrate Aruba Clearpass with EventTracker

Figure 6

3. A pop-up box will appear, click “Browse” in that and navigate to knowledge packs folder (type
“%et_install_path%\Knowledge Packs” in navigation bar) with the extension “.etko”, e.g. “KO_ Aruba
Clearpass.etko” and then click “Upload”.

Figure 36

4. Wait while EventTracker populates all the relevant knowledge objects. Once the objects are displayed,
select the required ones and click “Import”:

Figure 37

5.6 Dashboards
1. Login to EventTracker manager web interface.
2. Navigate to Dashboard → My Dashboard.
3. In “My Dashboard”, Click Import

23
Integrate Aruba Clearpass with EventTracker

Figure 38

Figure 39

4. Select browse and navigate to knowledge pack folder (type “%et_install_path%\Knowledge Packs” in
navigation bar) where “.etwd”, e.g. “Dashboards_ Aruba Clearpass.etwd” is saved and click “Upload”.
5. Wait while EventTracker populates all the available dashboards. Now, choose “Select All” and click
“Import”.

Figure 40

24
Integrate Aruba Clearpass with EventTracker

Figure 7

6. Verifying knowledge pack in EventTracker


6.1 Saved Searches
1. Login to EventTracker manager web interface.
2. Click Admin dropdown, and then click Categories.
3. In Category Tree to view imported categories, scroll down and expand “Aruba Clearpass” group folder
to view the imported categories:

Figure 42

25
Integrate Aruba Clearpass with EventTracker

6.2 Alerts
1. In the EventTracker manager web interface, click the Admin dropdown, and then click Alerts.
2. In search box enter “<search criteria> e.g. “Aruba Clearpass” and then click Search.
EventTracker displays an alert related to “Aruba Clearpass”:

Figure 43

6.3 Parsing Rules


1. In the EventTracker web interface, click the Admin dropdown, and then click Parsing Rule.
2. In the Parsing Rule tab, click on the “Aruba Clearpass” group folder to view the imported Token Values.

Figure 44

26
Integrate Aruba Clearpass with EventTracker

6.4 Reports
1. In the EventTracker web interface, click the Reports menu, and then select the Report Configuration.

Figure 45

2. In Reports Configuration pane, select the Defined option.


3. Click on the “Aruba Clearpass” group folder to view the imported reports.

Figure 46

6.5 Knowledge Objects


1. In the EventTracker web interface, click the Admin dropdown, and then click Knowledge Objects.

27
Integrate Aruba Clearpass with EventTracker

2. In the Knowledge Object tree, expand the “Aruba Clearpass” group folder to view the imported
Knowledge objects.

Figure 47

6.6 Dashboards
1. In the EventTracker web interface, Click Home and select “My Dashboard”.

Figure 48

2. Select “Customize daslets” button. And type “Clearpass” in the search bar.

28
Integrate Aruba Clearpass with EventTracker

Figure 49

Figure 50

29

You might also like