Accenture MDR Quick Start Guide for Aruba ClearPass Policy Manager
- Dinesh Murugaiyan
This quick start guide will help Accenture MDR customers configure Aruba ClearPass Policy Manager to send logs to the Log collection Platform (LCP).
This document includes the following topics:
Supported Versions
A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx) which can be found in Accenture MDR Portal.
Port Requirements
Table 1-1: Port requirements for LCP communication.
Source | Destination | Port | Description |
Aruba Clearpass policy manager | LCP | 601 (TCP) | Default port  |
Configuring Aruba ClearPass Policy Manager
Adding a Syslog Target:
1.Login to Clearpass policy manager console.
2.Navigate to Administration > External Servers > Syslog Targets. The Syslog Targets page opens.
3.Click the Add link. The Add Syslog Target dialog opens: Add Syslog Target Parameters by entering the LCP IP address in the ‘Host Address’ and port number in ‘Server Port’ section and select protocol UDP/TCP.
4.Click Save. The new Syslog Target is now added to the list.
Add Syslog Export Filter
1.Login to Clearpass policy manager console.
2.Navigate to Administration > External Servers > Syslog Export Filters. The Syslog Export Filters page opens.
3.From the Syslog Export Filters page, click Add. The Add Syslog Filters page opens to the General tab.
4.Please enter syslog export filter name and export template by referring the table 1.
5.Export Event Format Type should be selected as ‘Standard’. LCP IP address as syslog target should be selected in 'Syslog Servers'.
6.If Session/Insight export template is selected then ‘Filter and Columns' tab is enabled, click, and navigate to it, ensure default value ‘All Request’ is selected for 'Data Filter’ and then please select predefined field group by referring table 1 and selected columns will auto populate with default fields, please refer table 1 and ensure that it matches with it, then click and navigate to summary tab and click save.
7.If System Events and Audit Records export template is selected then ‘Filter and columns’ tab will not be available, click and navigate to summary tab and click save.
8.Repeat steps 1 to 7 by referring table 1 to add syslog export filters for all Session, Insight, Audit Records and System Event export templates.
Table 1
Syslog export filter name (Case Sensitive) | Export template | Predefined field groups | Selected columns (Default) |
ACPPM_radauth | Insight Logs | Radius Authentications | Auth.Username Auth.Host-MAC-Address Auth.Protocol Auth.NAS-IP-Address CppmNode.CPPM-Node Auth.Login-Status Auth.Service Auth.Source Auth.Roles Auth.Enforcement-Profiles |
ACPPM_radfailedauth | Insight Logs | Radius Failed Authentications | Auth.Username Auth.Host-MAC-Address Auth.NAS-IP-Address CppmNode.CPPM-Node Auth.Service CppmErrorCode.Error-Code-Details CppmAlert.Alerts |
ACPPM_radacct | Insight Logs | RADIUS Accounting | Radius.Username Radius.Calling-Station-Id Radius.Framed-IP-Address Radius.NAS-IP-Address Radius.Start-Time Radius.End-Time Radius.Duration Radius.Input-bytes Radius.Output-bytes |
ACPPM_tacauth | Insight Logs | tacacs Authentication | tacacs.Username tacacs.Remote-Address tacacs.Request-Type tacacs.NAS-IP-Address tacacs.Service tacacs.Auth-Source tacacs.Roles tacacs.Enforcement-Profiles tacacs.Privilege-Level |
ACPPM_tacfailedauth | Insight Logs | tacacs Failed Authentication | tacacs.Username tacacs.Remote-Address tacacs.Request-Type tacacs.NAS-IP-Address tacacs.Service CppmErrorCode.Error-Code-Details CppmAlert.Alerts |
ACPPM_webauth | Insight Logs | WEBAUTH | Auth.Username Auth.Host-MAC-Address Auth.Host-IP-Address Auth.Protocol Auth.System-Posture-Token CppmNode.CPPM-Node Auth.Login-Status Auth.Service Auth.Source Auth.Roles Auth.Enforcement-Profiles |
ACPPM_webfailedauth | Insight Logs | WEBAUTH Failed Authentications | Auth.Username Auth.Host-MAC-Address Auth.Host-IP-Address Auth.Protocol Auth.System-Posture-Token CppmNode.CPPM-Node Auth.Login-Status Auth.Service CppmErrorCode.Error-Code-Details CppmAlert.Alerts |
ACPPM_appauth | Insight Logs | Application Authentication | Auth.Username Auth.Host-IP-Address Auth.Protocol CppmNode.CPPM-Node Auth.Login-Status Auth.Service Auth.Source Auth.Roles Auth.Enforcement-Profiles |
ACPPM_failedappauth | Insight Logs | Failed Application Authentication | Auth.Username Auth.Host-IP-Address Auth.Protocol CppmNode.CPPM-Node Auth.Login-Status Auth.Service CppmErrorCode.Error-Code-Details CppmAlert.Alerts |
ACPPM_endpoints | Insight Logs | Endpoints | Endpoint.MAC-Address Endpoint.MAC-Vendor Endpoint.IP-Address Endpoint.Username Endpoint.Device-Category Endpoint.Device-Family Endpoint.Device-Name Endpoint.Conflict Endpoint.Status Endpoint.Added-At Endpoint.Updated-At |
ACPPM_cpguest | Insight Logs | Clearpass Guest | Guest.Username Guest.MAC-Address Guest.Visitor-Name Guest.Visitor-Company Guest.Role-Name Guest.Enabled Guest.Created-At Guest.Starts-At Guest.Expires-At |
ACPPM_onbenroll | Insight Logs | Onboard Enrollment | OnboardEnrollment.Username OnboardEnrollment.Device-Name OnboardEnrollment.MAC-Address OnboardEnrollment.Device-Product OnboardEnrollment.Device-Version OnboardEnrollment.Added-At OnboardEnrollment.Updated-At |
ACPPM_onbcert | Insight Logs | Onboard Certificate | OnboardCert.Username OnboardCert.Mac-Address OnboardCert.Subject OnboardCert.Issuer OnboardCert.Valid-From OnboardCert.Valid-To OnboardCert.Revoked-At |
ACPPM_onboscp | Insight Logs | Onboard OCSP | OnboardOCSP.Remote-Address OnboardOCSP.Response-Status-Name OnboardOCSP.Timestamp |
ACPPM_cpsysevent | Insight Logs | Clearpass System Events | CppmNode.CPPM-Node CppmSystemEvent.Source CppmSystemEvent.Level CppmSystemEvent.Category CppmSystemEvent.Action CppmSystemEvent.Timestamp |
ACPPM_cpconfaudit | Insight Logs | Clearpass Configuration Audit | CppmConfigAudit.Action CppmConfigAudit.Category CppmConfigAudit.Updated-By CppmConfigAudit.Updated-At |
ACPPM_possummary | Insight Logs | Posture Summary | Endpoint.MAC-Address Endpoint.IP-Address Endpoint.Hostname Endpoint.Usermame Endpoint.System-Agent-Type Endpoint.System-Agent-Version Endpoint.System-Client-OS Endpoint.System-Posture-Token Endpoint.Posture-Healthy Endpoint.Posture-Unhealthy |
ACPPM_posfwsummary | Insight Logs | Posture Firewall Summary | Endpoint.MAC-Address Endpoint.IP-Address Endpoint.Hostname Endpoint.Usermame Endpoint.System-Agent-Type Endpoint.System-Agent-Version Endpoint.System-Client-OS Endpoint.System-Posture-Token Endpoint.Firewall-APT Endpoint.Firewall-Input Endpoint.Firewall-Output |
ACPPM_poavsummary | Insight Logs | Posture Antivirus Summary | Endpoint.MAC-Address Endpoint.IP-Address Endpoint.Hostname Endpoint.Usermame Endpoint.System-Agent-Type Endpoint.System-Agent-Version Endpoint.System-Client-OS Endpoint.System-Posture-Token Endpoint.Antivirus-APT Endpoint.Antivirus-Input Endpoint. Antivirus-Output |
ACPPM_posassummary | Insight Logs | Posture Antispyware Summary | Endpoint.MAC-Address Endpoint.IP-Address Endpoint.Hostname Endpoint.Usermame Endpoint.System-Agent-Type Endpoint.System-Agent-Version Endpoint.System-Client-OS Endpoint.System-Posture-Token Endpoint.Antispyware-APT Endpoint.Antispyware-Input Endpoint.Antispyware-Output |
ACPPM_posdskencrpsummary | Insight Logs | Posture DiskEncryption Summary | Endpoint.MAC-Address Endpoint.IP-Address Endpoint.Hostname Endpoint.Usermame Endpoint.System-Agent-Type Endpoint.System-Agent-Version Endpoint.System-Client-OS Endpoint.System-Posture-Token Endpoint.DiskEncryption-APT Endpoint.DiskEncryption-Input Endpoint.DiskEncryption-Output |
ACPPM_poswinhfsummary | Insight Logs | Posture Windows Hotfixes Summary | Endpoint.MAC-Address Endpoint.IP-Address Endpoint.Hostname Endpoint.Usermame Endpoint.System-Agent-Type Endpoint.System-Agent-Version Endpoint.System-Client-OS Endpoint.System-Posture-Token Endpoint.HotFixes-APT Endpoint.HotFixes-Input Endpoint.HotFixes-Output |
ACPPM_loggedusers | Session Logs | Logged in Users | Common.Username Common.Service Common.Roles Common.Host-MAC-Address RADIUS.Acct-Framed-IP-Address Common.NAS-IP-Address Common.Request-Timestamp |
ACPPM_failedauth | Session Logs | Failed Authentications | Common.Username Common.Service Common.Roles RADIUS.Auth-Source RADIUS.Auth-Method Common.System-Posture-Token Common.Enforcement-Profiles Common.Host-MAC-Address Common.NAS-IP-Address Common.Error-Code Common.Alerts Common.Request-Timestamp |
ACPPM_radacctsession | Session Logs | RADIUS Accounting | RADIUS.Acct-Username RADIUS.Acct-NAS-IP-Address RADIUS.Acct-NAS-Port RADIUS.Acct-NAS-Port-Type RADIUS.Acct-Calling-Station-Id RADIUS.Acct-Framed-IP-Address RADIUS.Acct-Session-Id RADIUS.Acct-Session-Time RADIUS.Acct-Output-Pkts RADIUS.Acct-Input-Pkts RADIUS.Acct-Output-Octets RADIUS.Acct-Input.Octets RADIUS.Acct-Service-Name RADIUS.Acct-Timestamp |
ACPPM_tacadmin | Session Logs | tacacs+ Administration | Common.Username Common.Service tacacs.Remote-Address tacacs.Privilege.Level Common.Request-Timestamp |
ACPPM_tacacct | Session Logs | tacacs+ Accounting | Common.Username Common.Service tacacs.Remote-Address tacacs.Acct-Flags tacacs.Privilege.Level Common.Request-Timestamp |
ACPPM_webauthsession | Session Logs | Web Authentication | Common.Username Common.Host-MAC-Address WEBAUTH.Host-IP-Address Common.Roles Common.System-Posture-Token Common.Enforcement-Profiles Common.Request-Timestamp |
ACPPM_guestacc | Session Logs | Guest Access | Common.Username RADIUS.Auth-Method Common.Host-MAC-Address Common.Roles Common.System-Posture-Token Common.Enforcement-Profiles Common.Request-Timestamp |
ACPPM_auditrecords | Audit Records | Not Applicable | Not Applicable |
ACPPM_systemevents | System Events | Not Applicable | Not Applicable |
Important Note:
1.Only default fields listed in ‘Selected Columns’ is supported for event parsing, hence please ensure that all the fields mentioned in table 1 in ‘Selected columns (Default)’ is present and in the same order, additional fields from ‘Available Columns’ can be only added after all default fields in selected column however these additional fields are not supported for event parsing and will be available in raw log.
2. It is important to create syslog export filter template by following exactly as provided in the table 1 including the name (case sensitive) of the syslog export filter.
Â
LCP Configuration Parameters
Table 1-2: The Aruba ClearPass Policy Manager event collector (Syslog -3991) properties to be configured by Accenture are given in the table.
Property | Default Value | Description |
Protocol            | TCP/UDP | The default protocol for syslog. The collector can also accept logs in TCP. Note: While TCP offers guaranteed delivery of log packets, it places a larger overhead on the LCP. To balance TCP for reliability over UDP for speed/simplicity, contact the Accenture Security Onboarding team. |
Hostname/IP Â Address | * | Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ). Note: If the device sends logs using multiple interfaces, contact the Accenture Security Onboarding team. |
Signatures   | ACPPM_,CPPM_ | Accenture Security recommended signatures processed by the Aruba clearpass Policy manager event collector. |
Port Number   | 601 | For TCP, the default port is 601. Note: The LCP can be configured to listen on a non-standard port, please advise the Accenture Security Onboarding team if this is a requirement. |
Â
Legal Notice
Copyright © 2021 Accenture. All rights reserved.
Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.