Accenture MDR Quick Start Guide for Aruba ClearPass Policy Manager

This quick start guide will help Accenture MDR customers configure Aruba ClearPass Policy Manager to send logs to the Log Collection Platform (LCP).

This document includes the following topics:

- Supported Versions
- Port Requirements
- Configuring Aruba ClearPass Policy Manager
- LCP Configuration Parameters
- Legal Notice

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found in the Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source                         | Destination | Port      | Description
Aruba ClearPass Policy Manager | LCP         | 601 (TCP) | Default port

Configuring Aruba ClearPass Policy Manager

Adding a Syslog Target

1. Log in to the ClearPass Policy Manager console.

2. Navigate to Administration > External Servers > Syslog Targets. The Syslog Targets page opens.

3. Click the Add link. The Add Syslog Target dialog opens. Enter the LCP IP address in the 'Host Address' field and the port number in the 'Server Port' field, and select the protocol (UDP or TCP).

4. Click Save. The new Syslog Target is now added to the list.

Adding a Syslog Export Filter

1. Log in to the ClearPass Policy Manager console.

2. Navigate to Administration > External Servers > Syslog Export Filters. The Syslog Export Filters page opens.

3. On the Syslog Export Filters page, click Add. The Add Syslog Filters page opens on the General tab.

4. Enter the syslog export filter name and select the export template as listed for that row in Table 1.

5. Set Export Event Format Type to 'Standard'. Under 'Syslog Servers', select the syslog target that points at the LCP IP address.

6. If the Session or Insight export template is selected, the 'Filter and Columns' tab is enabled. Navigate to it, make sure the default value 'All Request' is selected for 'Data Filter', and select the predefined field group listed in Table 1. The selected columns are then populated automatically with the default fields; confirm that they match the 'Selected columns (Default)' entry in Table 1. Then navigate to the Summary tab and click Save.

7. If the System Events or Audit Records export template is selected, the 'Filter and Columns' tab is not available. Navigate to the Summary tab and click Save.

8. Repeat steps 1 to 7 for every row of Table 1 so that syslog export filters exist for all Session, Insight, Audit Records and System Events export templates.

Table 1: Syslog export filters to create (one filter per row).

Syslog export filter name (Case Sensitive) | Export template | Predefined field groups | Selected columns (Default, in this order)
ACPPM_radauth | Insight Logs | Radius Authentications | Auth.Username, Auth.Host-MAC-Address, Auth.Protocol, Auth.NAS-IP-Address, CppmNode.CPPM-Node, Auth.Login-Status, Auth.Service, Auth.Source, Auth.Roles, Auth.Enforcement-Profiles
ACPPM_radfailedauth | Insight Logs | Radius Failed Authentications | Auth.Username, Auth.Host-MAC-Address, Auth.NAS-IP-Address, CppmNode.CPPM-Node, Auth.Service, CppmErrorCode.Error-Code-Details, CppmAlert.Alerts
ACPPM_radacct | Insight Logs | RADIUS Accounting | Radius.Username, Radius.Calling-Station-Id, Radius.Framed-IP-Address, Radius.NAS-IP-Address, Radius.Start-Time, Radius.End-Time, Radius.Duration, Radius.Input-bytes, Radius.Output-bytes
ACPPM_tacauth | Insight Logs | tacacs Authentication | tacacs.Username, tacacs.Remote-Address, tacacs.Request-Type, tacacs.NAS-IP-Address, tacacs.Service, tacacs.Auth-Source, tacacs.Roles, tacacs.Enforcement-Profiles, tacacs.Privilege-Level
ACPPM_tacfailedauth | Insight Logs | tacacs Failed Authentication | tacacs.Username, tacacs.Remote-Address, tacacs.Request-Type, tacacs.NAS-IP-Address, tacacs.Service, CppmErrorCode.Error-Code-Details, CppmAlert.Alerts
ACPPM_webauth | Insight Logs | WEBAUTH | Auth.Username, Auth.Host-MAC-Address, Auth.Host-IP-Address, Auth.Protocol, Auth.System-Posture-Token, CppmNode.CPPM-Node, Auth.Login-Status, Auth.Service, Auth.Source, Auth.Roles, Auth.Enforcement-Profiles
ACPPM_webfailedauth | Insight Logs | WEBAUTH Failed Authentications | Auth.Username, Auth.Host-MAC-Address, Auth.Host-IP-Address, Auth.Protocol, Auth.System-Posture-Token, CppmNode.CPPM-Node, Auth.Login-Status, Auth.Service, CppmErrorCode.Error-Code-Details, CppmAlert.Alerts
ACPPM_appauth | Insight Logs | Application Authentication | Auth.Username, Auth.Host-IP-Address, Auth.Protocol, CppmNode.CPPM-Node, Auth.Login-Status, Auth.Service, Auth.Source, Auth.Roles, Auth.Enforcement-Profiles
ACPPM_failedappauth | Insight Logs | Failed Application Authentication | Auth.Username, Auth.Host-IP-Address, Auth.Protocol, CppmNode.CPPM-Node, Auth.Login-Status, Auth.Service, CppmErrorCode.Error-Code-Details, CppmAlert.Alerts
ACPPM_endpoints | Insight Logs | Endpoints | Endpoint.MAC-Address, Endpoint.MAC-Vendor, Endpoint.IP-Address, Endpoint.Username, Endpoint.Device-Category, Endpoint.Device-Family, Endpoint.Device-Name, Endpoint.Conflict, Endpoint.Status, Endpoint.Added-At, Endpoint.Updated-At
ACPPM_cpguest | Insight Logs | Clearpass Guest | Guest.Username, Guest.MAC-Address, Guest.Visitor-Name, Guest.Visitor-Company, Guest.Role-Name, Guest.Enabled, Guest.Created-At, Guest.Starts-At, Guest.Expires-At
ACPPM_onbenroll | Insight Logs | Onboard Enrollment | OnboardEnrollment.Username, OnboardEnrollment.Device-Name, OnboardEnrollment.MAC-Address, OnboardEnrollment.Device-Product, OnboardEnrollment.Device-Version, OnboardEnrollment.Added-At, OnboardEnrollment.Updated-At
ACPPM_onbcert | Insight Logs | Onboard Certificate | OnboardCert.Username, OnboardCert.Mac-Address, OnboardCert.Subject, OnboardCert.Issuer, OnboardCert.Valid-From, OnboardCert.Valid-To, OnboardCert.Revoked-At
ACPPM_onboscp | Insight Logs | Onboard OCSP | OnboardOCSP.Remote-Address, OnboardOCSP.Response-Status-Name, OnboardOCSP.Timestamp
ACPPM_cpsysevent | Insight Logs | Clearpass System Events | CppmNode.CPPM-Node, CppmSystemEvent.Source, CppmSystemEvent.Level, CppmSystemEvent.Category, CppmSystemEvent.Action, CppmSystemEvent.Timestamp
ACPPM_cpconfaudit | Insight Logs | Clearpass Configuration Audit | CppmConfigAudit.Name, CppmConfigAudit.Action, CppmConfigAudit.Category, CppmConfigAudit.Updated-By, CppmConfigAudit.Updated-At
ACPPM_possummary | Insight Logs | Posture Summary | Endpoint.MAC-Address, Endpoint.IP-Address, Endpoint.Hostname, Endpoint.Usermame, Endpoint.System-Agent-Type, Endpoint.System-Agent-Version, Endpoint.System-Client-OS, Endpoint.System-Posture-Token, Endpoint.Posture-Healthy, Endpoint.Posture-Unhealthy
ACPPM_posfwsummary | Insight Logs | Posture Firewall Summary | Endpoint.MAC-Address, Endpoint.IP-Address, Endpoint.Hostname, Endpoint.Usermame, Endpoint.System-Agent-Type, Endpoint.System-Agent-Version, Endpoint.System-Client-OS, Endpoint.System-Posture-Token, Endpoint.Firewall-APT, Endpoint.Firewall-Input, Endpoint.Firewall-Output
ACPPM_poavsummary | Insight Logs | Posture Antivirus Summary | Endpoint.MAC-Address, Endpoint.IP-Address, Endpoint.Hostname, Endpoint.Usermame, Endpoint.System-Agent-Type, Endpoint.System-Agent-Version, Endpoint.System-Client-OS, Endpoint.System-Posture-Token, Endpoint.Antivirus-APT, Endpoint.Antivirus-Input, Endpoint.Antivirus-Output
ACPPM_posassummary | Insight Logs | Posture Antispyware Summary | Endpoint.MAC-Address, Endpoint.IP-Address, Endpoint.Hostname, Endpoint.Usermame, Endpoint.System-Agent-Type, Endpoint.System-Agent-Version, Endpoint.System-Client-OS, Endpoint.System-Posture-Token, Endpoint.Antispyware-APT, Endpoint.Antispyware-Input, Endpoint.Antispyware-Output
ACPPM_posdskencrpsummary | Insight Logs | Posture DiskEncryption Summary | Endpoint.MAC-Address, Endpoint.IP-Address, Endpoint.Hostname, Endpoint.Usermame, Endpoint.System-Agent-Type, Endpoint.System-Agent-Version, Endpoint.System-Client-OS, Endpoint.System-Posture-Token, Endpoint.DiskEncryption-APT, Endpoint.DiskEncryption-Input, Endpoint.DiskEncryption-Output
ACPPM_poswinhfsummary | Insight Logs | Posture Windows Hotfixes Summary | Endpoint.MAC-Address, Endpoint.IP-Address, Endpoint.Hostname, Endpoint.Usermame, Endpoint.System-Agent-Type, Endpoint.System-Agent-Version, Endpoint.System-Client-OS, Endpoint.System-Posture-Token, Endpoint.HotFixes-APT, Endpoint.HotFixes-Input, Endpoint.HotFixes-Output
ACPPM_loggedusers | Session Logs | Logged in Users | Common.Username, Common.Service, Common.Roles, Common.Host-MAC-Address, RADIUS.Acct-Framed-IP-Address, Common.NAS-IP-Address, Common.Request-Timestamp
ACPPM_failedauth | Session Logs | Failed Authentications | Common.Username, Common.Service, Common.Roles, RADIUS.Auth-Source, RADIUS.Auth-Method, Common.System-Posture-Token, Common.Enforcement-Profiles, Common.Host-MAC-Address, Common.NAS-IP-Address, Common.Error-Code, Common.Alerts, Common.Request-Timestamp
ACPPM_radacctsession | Session Logs | RADIUS Accounting | RADIUS.Acct-Username, RADIUS.Acct-NAS-IP-Address, RADIUS.Acct-NAS-Port, RADIUS.Acct-NAS-Port-Type, RADIUS.Acct-Calling-Station-Id, RADIUS.Acct-Framed-IP-Address, RADIUS.Acct-Session-Id, RADIUS.Acct-Session-Time, RADIUS.Acct-Output-Pkts, RADIUS.Acct-Input-Pkts, RADIUS.Acct-Output-Octets, RADIUS.Acct-Input.Octets, RADIUS.Acct-Service-Name, RADIUS.Acct-Timestamp
ACPPM_tacadmin | Session Logs | tacacs+ Administration | Common.Username, Common.Service, tacacs.Remote-Address, tacacs.Privilege.Level, Common.Request-Timestamp
ACPPM_tacacct | Session Logs | tacacs+ Accounting | Common.Username, Common.Service, tacacs.Remote-Address, tacacs.Acct-Flags, tacacs.Privilege.Level, Common.Request-Timestamp
ACPPM_webauthsession | Session Logs | Web Authentication | Common.Username, Common.Host-MAC-Address, WEBAUTH.Host-IP-Address, Common.Roles, Common.System-Posture-Token, Common.Enforcement-Profiles, Common.Request-Timestamp
ACPPM_guestacc | Session Logs | Guest Access | Common.Username, RADIUS.Auth-Method, Common.Host-MAC-Address, Common.Roles, Common.System-Posture-Token, Common.Enforcement-Profiles, Common.Request-Timestamp
ACPPM_auditrecords | Audit Records | Not Applicable | Not Applicable
ACPPM_systemevents | System Events | Not Applicable | Not Applicable

Important Note:

1. Only the default fields listed in 'Selected columns (Default)' are supported for event parsing. Ensure that every field listed for a filter in Table 1 is present and in the same order. Additional fields from 'Available Columns' may be added only after all of the default fields in the selected columns; such additional fields are not parsed and are available only in the raw log.

2. Create each syslog export filter exactly as specified in Table 1, including the name of the syslog export filter, which is case sensitive.
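The two notes above amount to a contract on every exported event: the filter name must match Table 1 exactly (case sensitive) and the default columns must arrive in Table 1's order, with any extra columns trailing behind them. The following is an added example, not part of this guide nor code from Aruba or Accenture, that checks sample exported lines against that contract so a mis-built filter is caught before the LCP silently drops fields. It assumes a message layout the guide does not document: the filter name appears as one token in the syslog message, followed by Column=Value pairs separated by commas. The sample lines, the name Auth.Extra-Column and the subset of Table 1 in EXPECTED_COLUMNS are constructed here; adjust FILTER_TOKEN and split_fields() to the layout your ClearPass node actually emits.

```python
import re
from typing import Dict, List

# Default column order per syslog export filter, copied from Table 1 of the
# guide. Three rows are reproduced here; add the remaining rows the same way.
EXPECTED_COLUMNS: Dict[str, List[str]] = {
    "ACPPM_radauth": [
        "Auth.Username", "Auth.Host-MAC-Address", "Auth.Protocol",
        "Auth.NAS-IP-Address", "CppmNode.CPPM-Node", "Auth.Login-Status",
        "Auth.Service", "Auth.Source", "Auth.Roles", "Auth.Enforcement-Profiles",
    ],
    # Audit Records and System Events carry no column list ("Not Applicable").
    "ACPPM_auditrecords": [],
    "ACPPM_systemevents": [],
}

# ASSUMED message layout (the guide does not document it): the filter name
# appears as one token, followed by "Column=Value" pairs separated by commas,
# where a column name is "<Group>.<Name>" such as Auth.NAS-IP-Address.
FILTER_TOKEN = re.compile(r"\b(A?CPPM_\w+)", re.IGNORECASE)
COLUMN_KEY = r"[A-Za-z]+\.[A-Za-z0-9.\-]+"
# Split only on commas that start another "Column=" pair, so values that
# themselves contain commas (a list of roles, say) are not torn apart.
PAIR_SPLIT = re.compile(r",(?=" + COLUMN_KEY + r"=)")
PAIR = re.compile(r"^(" + COLUMN_KEY + r")=")


def split_fields(payload: str) -> List[str]:
    """Return the column names of a payload in the order they appear."""
    names = []
    for chunk in PAIR_SPLIT.split(payload):
        m = PAIR.match(chunk.strip())
        if m:
            names.append(m.group(1))
    return names


def check_export(line: str) -> dict:
    """Validate one exported line against EXPECTED_COLUMNS.

    Returns {"filter": name, "ok": bool, "problems": [...],
             "extra": [columns after the defaults: exported but not parsed]}.
    """
    result = {"filter": None, "ok": False, "problems": [], "extra": []}
    m = FILTER_TOKEN.search(line)
    if not m:
        result["problems"].append("no ACPPM_/CPPM_ filter name found")
        return result
    name = m.group(1)
    result["filter"] = name
    if name not in EXPECTED_COLUMNS:  # exact, case-sensitive lookup
        result["problems"].append(f"unknown or mis-cased filter name {name!r}")
        return result
    expected = EXPECTED_COLUMNS[name]
    got = split_fields(line[m.end():])
    head, result["extra"] = got[:len(expected)], got[len(expected):]
    if head != expected:
        missing = [c for c in expected if c not in got]
        if missing:
            result["problems"].append(f"missing default columns: {missing}")
        else:
            result["problems"].append(
                f"default columns out of order: got {head}, want {expected}")
    result["ok"] = not result["problems"]
    return result


# Constructed sample lines (not captured from a real ClearPass node).
GOOD = (
    "<142>Jun 09 14:02:41 cppm01 ACPPM_radauth Auth.Username=jdoe,"
    "Auth.Host-MAC-Address=00-11-22-33-44-55,Auth.Protocol=RADIUS,"
    "Auth.NAS-IP-Address=10.0.0.5,CppmNode.CPPM-Node=cppm01,"
    "Auth.Login-Status=ACCEPT,Auth.Service=Wireless,Auth.Source=AD,"
    "Auth.Roles=Employee, BYOD,Auth.Enforcement-Profiles=Allow-Access"
)
SAMPLE_LINES = [
    GOOD,
    # an additional column appended after the defaults (allowed, not parsed;
    # Auth.Extra-Column is a made-up name)
    GOOD + ",Auth.Extra-Column=x",
    # Auth.Protocol and Auth.NAS-IP-Address swapped
    GOOD.replace("Auth.Protocol=RADIUS,Auth.NAS-IP-Address=10.0.0.5",
                 "Auth.NAS-IP-Address=10.0.0.5,Auth.Protocol=RADIUS"),
    # filter created with the wrong case
    GOOD.replace("ACPPM_radauth", "acppm_radauth"),
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = check_export(line)
        print(r["filter"], "OK" if r["ok"] else r["problems"], r["extra"])
```

Run against a few lines captured from each filter after the export is configured: a result with "extra" entries is harmless (those fields only reach the raw log), while any "problems" entry means the LCP parser will not see the event as Table 1 expects and the filter should be rebuilt.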

LCP Configuration Parameters

Table 1-2: The Aruba ClearPass Policy Manager event collector (Syslog -3991) properties to be configured by Accenture are given in the table.

Property            | Default Value | Description
Protocol            | TCP/UDP       | The default protocol for syslog. The collector can also accept logs in TCP.
                    |               | Note: While TCP offers guaranteed delivery of log packets, it places a larger overhead on the LCP. To balance TCP for reliability over UDP for speed/simplicity, contact the Accenture Security Onboarding team.
Hostname/IP Address | *             | Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ).
                    |               | Note: If the device sends logs using multiple interfaces, contact the Accenture Security Onboarding team.
Signatures          | ACPPM_,CPPM_  | Accenture Security recommended signatures processed by the Aruba ClearPass Policy Manager event collector.
Port Number         | 601           | For TCP, the default port is 601.
                    |               | Note: The LCP can be configured to listen on a non-standard port; please advise the Accenture Security Onboarding team if this is a requirement.

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.