Aruba ClearPass Policy Manager
The JSA DSM for Aruba ClearPass Policy Manager can collect event logs from your Aruba ClearPass Policy Manager servers.
The following table identifies the specifications for the Aruba ClearPass Policy Manager DSM:
Specification | Value |
---|---|
Manufacturer | Aruba Networks |
DSM name | ClearPass |
RPM file name | DSM-ArubaClearPass-JSA_version-build_number.noarch.rpm |
Supported versions | 6.5.0.71095 |
Event format | LEEF |
Recorded event types | Session, Audit, System, Insight |
Automatically discovered? | Yes |
Includes identity? | Yes |
Includes custom properties? | No |
More information | Aruba Networks website (https://www.arubanetworks.com/products/security/) |
To integrate Aruba ClearPass Policy Manager with JSA, complete the following steps:
1. If automatic updates are not enabled, download the most recent version of the following RPMs from https://support.juniper.net/support/downloads/ and install them on your JSA console:
   - Aruba ClearPass DSM RPM
   - DSMCommon RPM
2. Configure your Aruba ClearPass Policy Manager device to send syslog events to JSA.
3. If JSA does not automatically detect the log source, add an Aruba ClearPass log source on the JSA Console. The following table describes the parameters that require specific values for Aruba ClearPass Policy Manager event collection:
Table 2: Aruba ClearPass Policy Manager Log Source Parameters

Parameter | Value |
---|---|
Log Source type | Aruba ClearPass Policy Manager |
Protocol Configuration | Syslog |
Configuring Aruba ClearPass Policy Manager to Communicate with JSA
To collect syslog events from Aruba ClearPass Policy Manager, you must add an external syslog server for the JSA host and then create one or more syslog filters for your syslog server.
For Session and Insight events, full event parsing works only for the default fields that are provided by Aruba ClearPass Policy Manager. Session and Insight events that are created by a user and have different combinations of fields might appear as Unknown Session Log or Unknown Insight Log.
The following table shows the field categories and their default fields that you can use:
Export template | Predefined field groups | Default-selected columns |
---|---|---|
Insight Logs | Radius Authentications | Auth.Username, Auth.Host-MAC-Address, Auth.Protocol, Auth.NAS-IP-Address, CppmNode.CPPM-Node, Auth.Login-Status, Auth.Service, Auth.Roles, Auth.Enforcement-Profiles |
Insight Logs | Radius Failed Authentications | Auth.Username, Auth.Host-MAC-Address, Auth.NAS-IP-Address, CppmNode.CPPM-Node, Auth.Service, CppmErrorCode.Error-Code-Details, CppmAlert.Alerts |
Insight Logs | RADIUS Accounting | Radius.Username, Radius.Calling-Station-Id, Radius.Framed-IP-Address, Radius.NAS-IP-Address, Radius.Start-Time, Radius.End-Time, Radius.Duration, Radius.Input-bytes, Radius.Output-bytes |
Insight Logs | tacacs Authentication | tacacs.Username, tacacs.Remote-Address, tacacs.Request-Type, tacacs.NAS-IP-Address, tacacs.Service, tacacs.Auth-Source, tacacs.Roles, tacacs.Enforcement-Profiles, tacacs.Privilege-Level |
Insight Logs | tacacs Failed Authentication | tacacs.Username, tacacs.Remote-Address, tacacs.Request-Type, tacacs.NAS-IP-Address, tacacs.Service, CppmErrorCode.Error-Code-Details, CppmAlert.Alerts |
Insight Logs | WEBAUTH | Auth.Username, Auth.Host-MAC-Address, Auth.Host-IP-Address, Auth.Protocol, Auth.System-Posture-Token, CppmNode.CPPM-Node, Auth.Login-Status, Auth.Service, Auth.Source, Auth.Roles, Auth.Enforcement-Profiles |
Insight Logs | WEBAUTH Failed Authentications | Auth.Username, Auth.Host-MAC-Address, Auth.Host-IP-Address, Auth.Protocol, Auth.System-Posture-Token, CppmNode.CPPM-Node, Auth.Login-Status, Auth.Service, CppmErrorCode.Error-Code-Details, CppmAlert.Alerts |
Insight Logs | Application Authentication | Auth.Username, Auth.Host-IP-Address, Auth.Protocol, CppmNode.CPPM-Node, Auth.Login-Status, Auth.Service, Auth.Source, Auth.Roles, Auth.Enforcement-Profiles |
Insight Logs | Failed Application Authentication | Auth.Username, Auth.Host-IP-Address, Auth.Protocol, CppmNode.CPPM-Node, Auth.Login-Status, Auth.Service, CppmErrorCode.Error-Code-Details, CppmAlert.Alerts |
Insight Logs | Endpoints | Endpoint.MAC-Address, Endpoint.MAC-Vendor, Endpoint.IP-Address, Endpoint.Username, Endpoint.Device-Category, Endpoint.Device-Family, Endpoint.Device-Name, Endpoint.Conflict, Endpoint.Status, Endpoint.Added-At, Endpoint.Updated-At |
Insight Logs | Insight Logs | Guest.Username, Guest.MAC-Address, Guest.Visitor-Name, Guest.Visitor-Company, Guest.Role-Name, Guest.Enabled, Guest.Created-At, Guest.Starts-At, Guest.Expires-At |
Insight Logs | Insight Logs | OnboardEnrollment.Username, OnboardEnrollment.Device-Name, OnboardEnrollment.MAC-Address, OnboardEnrollment.Device-Product, OnboardEnrollment.Device-Version, OnboardEnrollment.Added-At, OnboardEnrollment.Updated-At |
Insight Logs | Onboard Certificate | OnboardCert.Username, OnboardCert.Mac-Address, OnboardCert.Subject, OnboardCert.Issuer, OnboardCert.Valid-From, OnboardCert.Valid-To, OnboardCert.Revoked-At |
Insight Logs | Onboard OCSP | OnboardOCSP.Remote-Address, OnboardOCSP.Response-Status-Name, OnboardOCSP.Timestamp |
Insight Logs | Clearpass System Events | CppmNode.CPPM-Node, CppmSystemEvent.Source, CppmSystemEvent.Level, CppmSystemEvent.Category, CppmSystemEvent.Action, CppmSystemEvent.Timestamp |
Insight Logs | Clearpass Configuration Audit | CppmConfigAudit.Name, CppmConfigAudit.Action, CppmConfigAudit.Category, CppmConfigAudit.Updated-By, CppmConfigAudit.Updated-At |
Insight Logs | Posture Summary | Endpoint.MAC-Address, Endpoint.IP-Address, Endpoint.Hostname, Endpoint.Usermame, Endpoint.System-Agent-Type, Endpoint.System-Agent-Version, Endpoint.System-Client-OS, Endpoint.System-Posture-Token, Endpoint.Posture-Healthy, Endpoint.Posture-Unhealthy |
Insight Logs | Posture Firewall Summary | Endpoint.MAC-Address, Endpoint.IP-Address, Endpoint.Hostname, Endpoint.Usermame, Endpoint.System-Agent-Type, Endpoint.System-Agent-Version, Endpoint.System-Client-OS, Endpoint.System-Posture-Token, Endpoint.Firewall-APT, Endpoint.Firewall-Input, Endpoint.Firewall-Output |
Insight Logs | Posture Antivirus Summary | Endpoint.MAC-Address, Endpoint.IP-Address, Endpoint.Hostname, Endpoint.Usermame, Endpoint.System-Agent-Type, Endpoint.System-Agent-Version, Endpoint.System-Client-OS, Endpoint.System-Posture-Token, Endpoint.Antivirus-APT, Endpoint.Antivirus-Input, Endpoint.Antivirus-Output |
Insight Logs | Posture Antispyware Summary | Endpoint.MAC-Address, Endpoint.IP-Address, Endpoint.Hostname, Endpoint.Usermame, Endpoint.System-Agent-Type, Endpoint.System-Agent-Version, Endpoint.System-Client-OS, Endpoint.System-Posture-Token, Endpoint.Antispyware-APT, Endpoint.Antispyware-Input, Endpoint.Antispyware-Output |
Insight Logs | Posture DiskEncryption Summary | Endpoint.MAC-Address, Endpoint.IP-Address, Endpoint.Hostname, Endpoint.Usermame, Endpoint.System-Agent-Type, Endpoint.System-Agent-Version, Endpoint.System-Client-OS, Endpoint.System-Posture-Token, Endpoint.DiskEncryption-APT, Endpoint.DiskEncryption-Input, Endpoint.DiskEncryption-Output |
Insight Logs | Posture Windows Hotfixes Summary | Endpoint.MAC-Address, Endpoint.IP-Address, Endpoint.Hostname, Endpoint.Usermame, Endpoint.System-Agent-Type, Endpoint.System-Agent-Version, Endpoint.System-Client-OS, Endpoint.System-Posture-Token, Endpoint.HotFixes-APT, Endpoint.HotFixes-Input, Endpoint.HotFixes-Output |
Session Logs | Logged in Users | Common.Username, Common.Service, Common.Roles, Common.Host-MAC-Address, RADIUS.Acct-Framed-IP-Address, Common.NAS-IP-Address, Common.Request-Timestamp |
Session Logs | Failed Authentications | Common.Username, Common.Service, Common.Roles, RADIUS.Auth-Source, RADIUS.Auth-Method, Common.System-Posture-Token, Common.Enforcement-Profiles, Common.Host-MAC-Address, Common.NAS-IP-Address, Common.Error-Code, Common.Alerts, Common.Request-Timestamp |
Session Logs | RADIUS Accounting | RADIUS.Acct-Username, RADIUS.Acct-NAS-IP-Address, RADIUS.Acct-NAS-Port, RADIUS.Acct-NAS-Port-Type, RADIUS.Acct-Calling-Station-Id, RADIUS.Acct-Framed-IP-Address, RADIUS.Acct-Session-Id, RADIUS.Acct-Session-Time, RADIUS.Acct-Output-Pkts, RADIUS.Acct-Input-Pkts, RADIUS.Acct-Output-Octets, RADIUS.Acct-Input.Octets, RADIUS.Acct-Service-Name, RADIUS.Acct-Timestamp |
Session Logs | tacacs+ Administration | Common.Username, Common.Service, tacacs.Remote-Address, tacacs.Privilege.Level, Common.Request-Timestamp |
Session Logs | tacacs+ Accounting | Common.Username, Common.Service, tacacs.Remote-Address, tacacs.Acct-Flags, tacacs.Privilege.Level, Common.Request-Timestamp |
Session Logs | Web Authentication | Common.Username, Common.Host-MAC-Address, WEBAUTH.Host-IP-Address, Common.Roles, Common.System-Posture-Token, Common.Enforcement-Profiles, Common.Request-Timestamp |
Session Logs | Guest Access | Common.Username, RADIUS.Auth-Method, Common.Host-MAC-Address, Common.Roles, Common.System-Posture-Token, Common.Enforcement-Profiles, Common.Request-Timestamp |
1. Log in to your Aruba ClearPass Policy Manager server.
2. Start the Administration Console.
3. Click External Servers > Syslog Targets.
4. Click Add, and then configure the details for the JSA host.
5. On the Administration Console, click External Servers > Syslog Export Filters.
6. Click Add.
7. Select LEEF for the Export Event Format Type, and then select the Syslog Server that you added.
8. Click Save.
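Before you create the syslog export filters, you can compare each filter's planned columns with the default-selected columns from the field table to see which filters risk producing Unknown Session Log or Unknown Insight Log events. The following is an added example, not code from Juniper or Aruba: the filter names and the `PLANNED` sample are constructed, only two table rows are copied in, and the comparison assumes that column order does not matter.

```python
# Default-selected columns copied from the table on this page (two rows only).
DEFAULT_COLUMNS = {
    ("Session Logs", "Logged in Users"): (
        "Common.Username Common.Service Common.Roles Common.Host-MAC-Address "
        "RADIUS.Acct-Framed-IP-Address Common.NAS-IP-Address "
        "Common.Request-Timestamp").split(),
    ("Insight Logs", "Radius Failed Authentications"): (
        "Auth.Username Auth.Host-MAC-Address Auth.NAS-IP-Address "
        "CppmNode.CPPM-Node Auth.Service CppmErrorCode.Error-Code-Details "
        "CppmAlert.Alerts").split(),
}
# Fallback event names the page mentions, keyed by export template.
FALLBACK = {"Session Logs": "Unknown Session Log",
            "Insight Logs": "Unknown Insight Log"}


def check_filter(template, group, selected):
    """Compare one planned export filter with the default column set."""
    default = DEFAULT_COLUMNS.get((template, group))
    if default is None:
        # Group absent from the table above, e.g. a user-created one.
        return {"full_parsing": False, "missing": [], "extra": list(selected),
                "may_appear_as": FALLBACK.get(template)}
    missing = [c for c in default if c not in selected]
    extra = [c for c in selected if c not in default]
    ok = not missing and not extra
    return {"full_parsing": ok, "missing": missing, "extra": extra,
            "may_appear_as": None if ok else FALLBACK[template]}


def audit(filters):
    """Names of planned filters whose events may show up as Unknown logs."""
    return sorted(name for name, (tmpl, grp, cols) in filters.items()
                  if not check_filter(tmpl, grp, cols)["full_parsing"])


# Constructed sample: hypothetical filter names and column selections.
PLANNED = {
    "jsa-session-users": ("Session Logs", "Logged in Users",
                          DEFAULT_COLUMNS[("Session Logs", "Logged in Users")]),
    "jsa-radius-fail": ("Insight Logs", "Radius Failed Authentications",
                        ["Auth.Username", "Auth.Service", "Auth.Protocol"]),
    "jsa-custom": ("Insight Logs", "My Custom Group", ["Auth.Username"]),
}

if __name__ == "__main__":
    for name in audit(PLANNED):
        print(name, check_filter(*PLANNED[name]))
```

Add the remaining rows of the field table to `DEFAULT_COLUMNS` before checking filters for other field groups, because any group missing from the dictionary is reported as non-default.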