Aruba ClearPass

Connect Aruba ClearPass to Radiant Security to forward authentication, authorization, and accounting logs for AI triage.

Aruba ClearPass is a network access control (NAC) platform that authenticates and authorizes users and devices joining wired, wireless, and VPN networks, and enforces policy to contain unmanaged or compromised endpoints. Connecting Aruba ClearPass forwards authentication, authorization, accounting, and session logs to Radiant Security via syslog through the Radiant Agent. Radiant uses ClearPass logs to enrich identity and network-access artifacts during triage, giving analysts visibility into who connected, from what device, and whether the access decision succeeded or failed.

Prerequisites

Add the data connector in Radiant Security

  1. Sign in to Radiant Security.

  2. From the navigation menu, select Settings > Data Connectors and click + Add Connector.

  3. Search for and select Radiant Agent, then click Data Feeds.

  4. Under Select your data feeds, select Aruba ClearPass (syslog), then click Credentials.

  5. Under Credential Name, enter an identifiable name for the Radiant Agent integration (e.g., Aruba ClearPass Credentials), or select an existing Radiant Agent credential from the drop-down menu.

  6. Click Add Connector.

Add a syslog target on Aruba ClearPass

Before starting, confirm the IP address of the Radiant Agent and the port configured to receive Aruba ClearPass data. If you do not know the port, contact your Customer Success representative.

  1. Sign in to the Aruba ClearPass console.

  2. Navigate to Administration > External Servers > Syslog Targets.

  3. Click Add.

  4. Enter the following parameters:

    • Host Address: the IP address or hostname of the Radiant Agent.

    • Description: Radiant Security Agent.

    • Protocol: TCP.

    • Server Port: the port configured on the Radiant Agent to receive Aruba ClearPass data.

  5. Click Save.

Configure log forwarding on Aruba ClearPass

Each Syslog Export Filter supports one Export Template and one Predefined Field Group, so you create one filter per row in the table below. Use a consistent naming pattern (e.g., Radiant Security <Export Template> - <Predefined Field Group>).

  1. In the Aruba ClearPass console, navigate to Administration > External Servers > Syslog Export Filters.

  2. Click Add.

  3. Enter the following parameters:

    • Name: a descriptive name following the pattern above (e.g., Radiant Security Session Logs - Logged in users).

    • Description: Radiant Security Syslog Forwarder.

    • Export Template: the Export Template for this filter (e.g., Session Logs).

    • Export Event Format Type: CEF.

    • ClearPass Servers: leave blank.

  4. Click the Filter and Columns tab and configure the following:

    • Data Filter: [All Requests].

    • Columns Selection: select the Predefined Field Group that pairs with the Export Template you chose, from the table below.

  5. Click Save.

  6. Repeat steps 2–5 for each Export Template and Predefined Field Group pair in the table.

Export Templates and Predefined Field Groups

Export Template    Predefined Field Group
---------------    ------------------------------
Session Logs       Failed Authentications
Session Logs       Guest Access
Session Logs       Logged in users
Session Logs       RADIUS Accounting
Session Logs       TACACS+ Accounting
Insight Logs       Endpoints
Insight Logs       ClearPass Guest
Insight Logs       Onboard Enrollment
Insight Logs       RADIUS Authentications
Insight Logs       RADIUS Failed Authentications
Insight Logs       TACACS Authentication
Insight Logs       TACACS Failed Authentication
Insight Logs       WEBAUTH Failed Authentications
Insight Logs       WEBAUTH
Insight Logs       Application Authentication
Insight Logs       Posture Antivirus Summary
Insight Logs       Posture Antispyware Summary
Insight Logs       Posture DiskEncryption Summary
Insight Logs       Posture Summary

Each Syslog Export Filter can support only one Export Template and one Predefined Field Group, so the final result is one filter for each row of the table above.
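A row skipped while repeating the filter steps leaves that log type unforwarded, so it is worth auditing the filter list once the last filter is saved. The Python below is an added example, not Radiant Security or Aruba code; it assumes you copy the filter names from the Syslog Export Filters page into a list and that they follow the naming pattern given above.

```python
"""Audit ClearPass Syslog Export Filter names against the pairs in the table.
Added example; assumes filters are named with the page's pattern
'Radiant Security <Export Template> - <Predefined Field Group>'."""

PREFIX = "Radiant Security "

# Export Template -> Predefined Field Groups, copied from the table above.
REQUIRED = {
    "Session Logs": [
        "Failed Authentications", "Guest Access", "Logged in users",
        "RADIUS Accounting", "TACACS+ Accounting",
    ],
    "Insight Logs": [
        "Endpoints", "ClearPass Guest", "Onboard Enrollment",
        "RADIUS Authentications", "RADIUS Failed Authentications",
        "TACACS Authentication", "TACACS Failed Authentication",
        "WEBAUTH Failed Authentications", "WEBAUTH",
        "Application Authentication", "Posture Antivirus Summary",
        "Posture Antispyware Summary", "Posture DiskEncryption Summary",
        "Posture Summary",
    ],
}

def expected_names():
    """One filter name per table row, in table order."""
    return [f"{PREFIX}{t} - {g}" for t, groups in REQUIRED.items() for g in groups]

def _norm(name):
    # Ignore case and repeated whitespace so typing slips still match a row.
    return " ".join(name.split()).casefold()

def audit(configured):
    """Return (missing, duplicated, unrecognized) for a list of filter names."""
    seen = {}
    for name in configured:
        seen.setdefault(_norm(name), []).append(name)
    expected = {_norm(n): n for n in expected_names()}
    missing = [n for k, n in expected.items() if k not in seen]
    duplicated = [expected[k] for k, v in seen.items() if k in expected and len(v) > 1]
    unrecognized = [v[0] for k, v in seen.items() if k not in expected]
    return missing, duplicated, unrecognized

if __name__ == "__main__":
    # Constructed sample: every filter present except one Session Logs row.
    sample = [n for n in expected_names() if not n.endswith("TACACS+ Accounting")]
    for label, names in zip(("missing", "duplicated", "unrecognized"), audit(sample)):
        print(label, names)
```

A name reported as missing means that row's log type is not being forwarded; a duplicate means the same events are sent twice.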

Verify ingestion

After Aruba ClearPass begins forwarding, confirm events are reaching Radiant.

  1. In Radiant, navigate to Log Management.

  2. Filter by rs_connectorType:"aruba_clearpass".

  3. Confirm recent events appear.

Allow several minutes for events to be parsed, indexed, and available for search.
