# Aruba ClearPass

Aruba ClearPass is a network access control (NAC) platform that authenticates and authorizes users and devices joining wired, wireless, and VPN networks, and enforces policy to contain unmanaged or compromised endpoints. Connecting Aruba ClearPass forwards authentication, authorization, accounting, and session logs to Radiant Security via syslog through the Radiant Agent. Radiant uses ClearPass logs to enrich identity and network-access artifacts during triage, giving analysts visibility into who connected, from what device, and whether the access decision succeeded or failed.

### Prerequisites

* [ ] Admin access to the Aruba ClearPass console
* [ ] A deployed [Radiant Agent](/radiant-connectors/data-connectors/install-the-radiant-security-agent.md) reachable from Aruba ClearPass
* [ ] Administrator role in Radiant Security

### Add the data connector in Radiant Security

1. Sign in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, select **Settings** > **Data Connectors** and click **+ Add Connector**.
3. Search for and select **Radiant Agent**, then click **Data Feeds**.
4. Under **Select your data feeds**, select **Aruba ClearPass (syslog)**, then click **Credentials**.
5. Under **Credential Name**, enter an identifiable name for the Radiant Agent integration (e.g., `Aruba ClearPass Credentials`), or select an existing Radiant Agent credential from the drop-down menu.
6. Click **Add Connector**.

### Add a syslog target on Aruba ClearPass

Before starting, confirm the IP address of the Radiant Agent and the port configured to receive Aruba ClearPass data. If you do not know the port, contact your Customer Success representative.

1. Sign in to the Aruba ClearPass console.
2. Navigate to **Administration** > **External Servers** > **Syslog Targets**.

<div align="left"><figure><img src="/files/WlY3INvPjGj6Fq89rCdc" alt=""><figcaption></figcaption></figure></div>

3. Click **Add**.
4. Enter the following parameters:
   * **Host Address**: the IP address or hostname of the Radiant Agent.
   * **Description**: `Radiant Security Agent`.
   * **Protocol**: `TCP`.
   * **Server Port**: the port configured on the Radiant Agent to receive Aruba ClearPass data.
5. Click **Save**.

### Configure log forwarding on Aruba ClearPass

Each **Syslog Export Filter** supports one **Export Template** and one **Predefined Field Group**, so you create one filter per row in the table below. Use a consistent naming pattern (e.g., `Radiant Security <Export Template> - <Predefined Field Group>`).

1. In the Aruba ClearPass console, navigate to **Administration** > **External Servers** > **Syslog Export Filters**.
2. Click **Add**.
3. Enter the following parameters:
   * **Name**: a descriptive name following the pattern above (e.g., `Radiant Security Session Logs - Logged in users`).
   * **Description**: `Radiant Security Syslog Forwarder`.
   * **Export Template**: the Export Template for this filter (e.g., `Session Logs`).
   * **Export Event Format Type**: `CEF`.
   * **ClearPass Servers**: leave blank.

<div align="left"><figure><img src="/files/KCu35HZ1gzaFefopEIuh" alt=""><figcaption></figcaption></figure></div>

4. Click the **Filter and Columns** tab and configure the following:
   * **Data Filter**: `[All Requests]`.
   * **Columns Selection**: select the Predefined Field Group that pairs with the Export Template you chose, from the table below.
5. Click **Save**.
6. Repeat steps 2–3 for each **Export Template** and **Predefined Field Group** pair in the table.

#### Export Templates and Predefined Field Groups

<table><thead><tr><th width="254.5">Export Template</th><th>Predefined Field Group</th></tr></thead><tbody><tr><td>Session Logs</td><td>Failed Authentications</td></tr><tr><td>Session Logs</td><td>Guest Access</td></tr><tr><td>Session Logs</td><td>Logged in users</td></tr><tr><td>Session Logs</td><td>RADIUS Accounting</td></tr><tr><td>Session Logs</td><td>TACACS+ Accounting</td></tr><tr><td>Insight Logs</td><td>Endpoints</td></tr><tr><td>Insight Logs</td><td>ClearPass Guest</td></tr><tr><td>Insight Logs</td><td>Onboard Enrollment</td></tr><tr><td>Insight Logs</td><td>RADIUS Authentications</td></tr><tr><td>Insight Logs</td><td>RADIUS Failed Authentications</td></tr><tr><td>Insight Logs</td><td>TACACS Authentication</td></tr><tr><td>Insight Logs</td><td>TACACS Failed Authentication</td></tr><tr><td>Insight Logs</td><td>WEBAUTH Failed Authentications</td></tr><tr><td>Insight Logs</td><td>WEBAUTH</td></tr><tr><td>Insight Logs</td><td>Application Authentication</td></tr><tr><td>Insight Logs</td><td>Posture Antivirus Summary</td></tr><tr><td>Insight Logs</td><td>Posture Antispyware Summary</td></tr><tr><td>Insight Logs</td><td>Posture DiskEncryption Summary</td></tr><tr><td>Insight Logs</td><td>Posture Summary</td></tr></tbody></table>

7. Because each **Syslog Export Filter** supports only one **Export Template** and one **Predefined Field Group**, the finished list contains one filter per pair in the table. The final result should look like this:

<div align="left"><figure><img src="/files/RfP3qHIm3cfKDcXyGyCb" alt=""><figcaption></figcaption></figure></div>
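
To confirm that no pair was skipped, the following added example (not part of the Radiant Security or Aruba documentation) audits a list of filter names against the table and naming pattern on this page. It assumes the names were copied by hand from the **Syslog Export Filters** list; `expected_names`, `norm`, `audit`, and `SAMPLE` are hypothetical names, and the sample input is constructed.

```python
# Export Template -> Predefined Field Groups, copied from the table on this page.
REQUIRED = {
    "Session Logs": [
        "Failed Authentications", "Guest Access", "Logged in users",
        "RADIUS Accounting", "TACACS+ Accounting",
    ],
    "Insight Logs": [
        "Endpoints", "ClearPass Guest", "Onboard Enrollment",
        "RADIUS Authentications", "RADIUS Failed Authentications",
        "TACACS Authentication", "TACACS Failed Authentication",
        "WEBAUTH Failed Authentications", "WEBAUTH",
        "Application Authentication", "Posture Antivirus Summary",
        "Posture Antispyware Summary", "Posture DiskEncryption Summary",
        "Posture Summary",
    ],
}
PREFIX = "Radiant Security "  # naming pattern suggested on this page

def expected_names():
    """One filter name per (template, field group) pair, in table order."""
    return [f"{PREFIX}{t} - {g}" for t, gs in REQUIRED.items() for g in gs]

def norm(name):
    """Ignore case and stray whitespace: names are typed by hand."""
    return " ".join(name.split()).casefold()

def audit(configured):
    """Return (missing, unexpected, duplicated) filter names."""
    seen = {}
    for name in configured:
        seen.setdefault(norm(name), []).append(name)
    wanted = {norm(n): n for n in expected_names()}
    missing = [n for k, n in wanted.items() if k not in seen]
    # Carries the prefix but matches no pair: most likely a typo.
    unexpected = [v[0] for k, v in seen.items()
                  if k.startswith(PREFIX.casefold()) and k not in wanted]
    duplicated = [v[0] for k, v in seen.items() if k in wanted and len(v) > 1]
    return missing, unexpected, duplicated

# Constructed sample input, as if copied from the Syslog Export Filters list.
SAMPLE = [n for n in expected_names() if "Posture" not in n] + [
    "radiant security  Session Logs - Guest Access",   # duplicate entry
    "Radiant Security Insight Logs - Posture Sumary",  # misspelled name
    "SIEM export - All sessions",                      # unrelated, ignored
]

if __name__ == "__main__":
    for label, names in zip(("missing", "unexpected", "duplicated"), audit(SAMPLE)):
        print(label, names)
```

A missing pair means that log category never reaches Radiant, so an empty `missing` list is the result to aim for before relying on the feed during triage.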


