Aruba ClearPass (syslog)

Configure ClearPass Policy Manager to forward syslog logs to Radiant Security.

Overview

Aruba ClearPass Policy Manager (CPPM) is a network access control solution that integrates with existing infrastructure to manage authentication, authorization, policy management, device profiling, and guest access.

This guide will walk you through the steps needed to configure Aruba ClearPass to forward logs to Radiant Security via a syslog forwarder.

To complete this configuration, you’ll need to complete the following steps:

Prerequisites

Add the data connector in Radiant Security

1.   Log in to Radiant Security.  
2.   From the navigation menu, click Settings > Data Connectors and click + Add Connector.
3.   Search for and select the Aruba ClearPass (syslog) option and then click Data Feeds.

4.   Under Select your data feeds, select Aruba ClearPass and click Credentials.

5.   Under Credential Name, give the credential an identifiable name (e.g. Aruba ClearPass Credentials). Then, click Credentials.

6.   Under Required Credentials, enter a value for the Connector Tag. This can be any string you want.

7.   Click Add Connector to save the changes.
8.   Copy and save the connector Token value using the clipboard option, or use the Download File option to save it as an SSL certificate or token file. You will need this token to complete the configuration.

9.   Click Done to save your changes.

Configure a local Radiant Security Syslog Collector

Refer to the Deploy a Radiant Security Syslog Collector guide to set up a local Radiant Syslog Collector.

Add a Syslog Target on Aruba ClearPass

1.   Access the Aruba ClearPass console.

2.   Navigate to Administration > External Servers > Syslog Targets.

3.   Click Add.
4.   Enter the following parameters:
    1. Host Address: <syslog_collector_internal_address>
    2. Description: Radiant Security On-Prem Syslog Forwarder
    3. Protocol: UDP
    4. Server Port: 6514
5.   Click Save.

Configure log forwarding on Aruba ClearPass

  1. Access the Aruba ClearPass console.
  2. Navigate to Administration > External Servers > Syslog Export Filters.
  3. Click Add.
  4. Enter the following parameters:
    1. Name: Radiant Security Session Logs - Logged in users
    2. Description: Radiant Security Syslog Forwarder
    3. Export Template: Session Logs
    4. Export Event Format Type: CEF
    5. ClearPass Servers: Leave it blank
  5. Click the Filter and Columns tab.
    1. Data Filter: [All Requests]
    2. Columns Selection: Select one of the Predefined Field Group values from the table below:

      Export Template | Predefined Field Group
      Session Logs    | Failed Authentications
      Session Logs    | Guest Access
      Session Logs    | Logged in users
      Session Logs    | RADIUS Accounting
      Session Logs    | TACACS+ Accounting
      Insight Logs    | Endpoints
      Insight Logs    | ClearPass Guest
      Insight Logs    | Onboard Enrollment
      Insight Logs    | RADIUS Authentications
      Insight Logs    | RADIUS Failed Authentications
      Insight Logs    | TACACS Authentication
      Insight Logs    | TACACS Failed Authentication
      Insight Logs    | WEBAUTH Failed Authentications
      Insight Logs    | WEBAUTH
      Insight Logs    | Application Authentication
      Insight Logs    | Posture Antivirus Summary
      Insight Logs    | Posture Antispyware Summary
      Insight Logs    | Posture DiskEncryption Summary
      Insight Logs    | Posture Summary

  6. Click Save.
  7. Repeat steps 3 and 4 for each Export Template and Predefined Field Group in the table.
  8. Each Syslog Export Filter can only support one export template and one predefined group.
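
To confirm that messages reaching the collector are well-formed CEF, the following added example (not Radiant Security or Aruba code) parses one CEF-formatted syslog line into its header fields and extension key/value pairs, handling escaped pipes and equals signs. The sample line is constructed, and its vendor, product, version, and field values are placeholders rather than captured ClearPass output.

```python
import re

# CEF header: seven pipe-delimited fields after "CEF:", then the key=value extension.
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "event_class_id", "name", "severity")
# An extension key follows start-of-string or whitespace and ends at an unescaped "=".
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")

# Constructed sample line (not captured ClearPass output; all values are placeholders).
SAMPLE = (r"<143>Jul 25 16:40:02 cppm-example CEF:0|Aruba Networks|ClearPass|0.0.0|2006|"
          r"Guest \| Access|1|src=10.0.0.5 usrName=alice msg=role\=guest, access granted")


def split_header(body, count):
    """Split on the first `count` unescaped pipes, decoding \\| and \\\\ escapes."""
    parts, cur, i = [], [], 0
    while i < len(body) and len(parts) < count:
        ch = body[i]
        if ch == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return parts, body[i:]


def parse_cef(line):
    """Return the CEF header fields and extension dict of one syslog line."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF marker in message")
    parts, ext = split_header(line[start + 4:], len(HEADER_FIELDS))
    if len(parts) != len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    record = dict(zip(HEADER_FIELDS, parts), syslog_prefix=line[:start].strip())
    keys = list(EXT_KEY.finditer(ext))
    fields = {}
    for match, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[match.end():nxt.start() if nxt else len(ext)]
        fields[match.group(1)] = re.sub(r"\\([=\\])", r"\1", raw).strip()
    record["extension"] = fields
    return record


if __name__ == "__main__":
    print(parse_cef(SAMPLE))
```

A `ValueError` from `parse_cef` on lines received from ClearPass indicates that the message is not CEF or was cut off in transit, which is worth checking against the Export Event Format Type setting above.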


Last updated: 2024-09-03