Security

Hello,

I have a question about missing logging in Access Tracker during guest portal logins.

Under "Guest → Configuration → Pages → Self-Registration", I set up a portal for guests to sign in via our Guest SSID. Users can request an account, and after approval by an admin, they can log in through the guest portal, which works fine. However, it was quite a hassle to set up, especially with the Aruba APs managed through Aruba Central.

My issue is the following: every time a guest tries to log in through this portal, I don't see any logging details in the Access Tracker (Policy Manager → Monitoring → Live Monitoring → Access Tracker). Even when I intentionally enter completely wrong credentials, no log entries appear. Shouldn't this be logged by default?

The Access Tracker itself is working fine, RADIUS requests and other authentication events are being logged as expected.

Thanks and best regards,
Rami

Hi Rami,

Check whether the Pre-Auth Check is enabled on the web login page. 

If "Local - match a local account" is selected, invalid login attempts are immediately rejected without being sent to the controller. This saves time during authentication. In this case, these login attempts are also not logged in the Access Tracker.

If "Pre-Auth Check" is set to "None - no extra checks will be made," all login attempts are sent to the controller, which then sends the login credentials to ClearPass via RADIUS. In this case, these login attempts are logged in the Access Tracker.

Successful login attempts are always logged in the Access Tracker. 

Hello,

I have a question about missing logging in Access Tracker during guest portal logins.

Under "Guest → Configuration → Pages → Self-Registration", I set up a portal for guests to sign in via our Guest SSID. Users can request an account, and after approval by an admin, they can log in through the guest portal, which works fine. However, it was quite a hassle to set up, especially with the Aruba APs managed through Aruba Central.

My issue is the following: every time a guest tries to log in through this portal, I don't see any logging details in the Access Tracker (Policy Manager → Monitoring → Live Monitoring → Access Tracker). Even when I intentionally enter completely wrong credentials, no log entries appear. Shouldn't this be logged by default?

The Access Tracker itself is working fine, RADIUS requests and other authentication events are being logged as expected.

Thanks and best regards,
Rami

Hi Waldemar,

thanks for your reply.

It worked perfectly. I can now see all failed login attempts in the access tracker. The user does not get direct feedback that the password is incorrect, but I think that is fine. I want to get logging if someone tries to brute force my guest Wi-Fi.

Next, I have to find a way to set up notifications for these events, but I think there is a limitation when it comes to sending emails for specific events. In the worst case, I would have to forward my logs to a syslog server and find a way to set up notifications for these events there. Will se, but that helped a lot.

Best,
Rami

Hi Rami,

Check whether the Pre-Auth Check is enabled on the web login page. 

If "Local - match a local account" is selected, invalid login attempts are immediately rejected without being sent to the controller. This saves time during authentication. In this case, these login attempts are also not logged in the Access Tracker.

If "Pre-Auth Check" is set to "None - no extra checks will be made," all login attempts are sent to the controller, which then sends the login credentials to ClearPass via RADIUS. In this case, these login attempts are logged in the Access Tracker.

Successful login attempts are always logged in the Access Tracker. 

Hello,

I have a question about missing logging in Access Tracker during guest portal logins.

Under "Guest → Configuration → Pages → Self-Registration", I set up a portal for guests to sign in via our Guest SSID. Users can request an account, and after approval by an admin, they can log in through the guest portal, which works fine. However, it was quite a hassle to set up, especially with the Aruba APs managed through Aruba Central.

My issue is the following: every time a guest tries to log in through this portal, I don't see any logging details in the Access Tracker (Policy Manager → Monitoring → Live Monitoring → Access Tracker). Even when I intentionally enter completely wrong credentials, no log entries appear. Shouldn't this be logged by default?

The Access Tracker itself is working fine, RADIUS requests and other authentication events are being logged as expected.

Thanks and best regards,
Rami

Hi Rami,

I'm glad to hear that your problem has been resolved.

ClearPass can send an email within an enforcement profile. To do this, you need to create a Context Server action that sends an email via the API. Then you need an enforcement profile that triggers the Context Server action. It's quite complicated. If you haven't done much with ClearPass so far, you're better off using Syslog.
You'll need a Syslog target and a Syslog export filter.

In the Syslog Export Filter, you specify which Syslog server to send to. You can also specify what information should be sent.

Hi Waldemar,

thanks for your reply.

It worked perfectly. I can now see all failed login attempts in the access tracker. The user does not get direct feedback that the password is incorrect, but I think that is fine. I want to get logging if someone tries to brute force my guest Wi-Fi.

Next, I have to find a way to set up notifications for these events, but I think there is a limitation when it comes to sending emails for specific events. In the worst case, I would have to forward my logs to a syslog server and find a way to set up notifications for these events there. Will se, but that helped a lot.

Best,
Rami

Hi Rami,

Check whether the Pre-Auth Check is enabled on the web login page. 

If "Local - match a local account" is selected, invalid login attempts are immediately rejected without being sent to the controller. This saves time during authentication. In this case, these login attempts are also not logged in the Access Tracker.

If "Pre-Auth Check" is set to "None - no extra checks will be made," all login attempts are sent to the controller, which then sends the login credentials to ClearPass via RADIUS. In this case, these login attempts are logged in the Access Tracker.

Successful login attempts are always logged in the Access Tracker. 

Hello,

I have a question about missing logging in Access Tracker during guest portal logins.

Under "Guest → Configuration → Pages → Self-Registration", I set up a portal for guests to sign in via our Guest SSID. Users can request an account, and after approval by an admin, they can log in through the guest portal, which works fine. However, it was quite a hassle to set up, especially with the Aruba APs managed through Aruba Central.

My issue is the following: every time a guest tries to log in through this portal, I don't see any logging details in the Access Tracker (Policy Manager → Monitoring → Live Monitoring → Access Tracker). Even when I intentionally enter completely wrong credentials, no log entries appear. Shouldn't this be logged by default?

The Access Tracker itself is working fine, RADIUS requests and other authentication events are being logged as expected.

Thanks and best regards,
Rami

Hello,

I have a question about missing logging in Access Tracker during guest portal logins.

Under "Guest → Configuration → Pages → Self-Registration", I set up a portal for guests to sign in via our Guest SSID. Users can request an account, and after approval by an admin, they can log in through the guest portal, which works fine. However, it was quite a hassle to set up, especially with the Aruba APs managed through Aruba Central.

My issue is the following: every time a guest tries to log in through this portal, I don't see any logging details in the Access Tracker (Policy Manager → Monitoring → Live Monitoring → Access Tracker). Even when I intentionally enter completely wrong credentials, no log entries appear. Shouldn't this be logged by default?

The Access Tracker itself is working fine, RADIUS requests and other authentication events are being logged as expected.

Thanks and best regards,
Rami

If the captive portal logins are fully within the guest part, for example with server initiated flows, there is no RADIUS request coming from your AP/switch/controller, and you indeed may not see anything; Waldemar explained already how to run those authentications over policy manager and see them.

There is additional logging, specifically for the guest features, under ClearPass Guest -> Administration » Support » Application Log. You may see here more logs.

If you do use the RADIUS authentication, in a ClearPass cluster, it may also be that the authentication happens to one of your subscribers. By default, access tracker only shows logs from the system you are logged in to, but you can select other servers as well.

Hopefully with this you can find the logging.

Hello,

I have a question about missing logging in Access Tracker during guest portal logins.

Under "Guest → Configuration → Pages → Self-Registration", I set up a portal for guests to sign in via our Guest SSID. Users can request an account, and after approval by an admin, they can log in through the guest portal, which works fine. However, it was quite a hassle to set up, especially with the Aruba APs managed through Aruba Central.

My issue is the following: every time a guest tries to log in through this portal, I don't see any logging details in the Access Tracker (Policy Manager → Monitoring → Live Monitoring → Access Tracker). Even when I intentionally enter completely wrong credentials, no log entries appear. Shouldn't this be logged by default?

The Access Tracker itself is working fine, RADIUS requests and other authentication events are being logged as expected.

Thanks and best regards,
Rami