ClearPass Insight 6.3 User Guide
Overview
ClearPass Insight is an advanced application for use with the ClearPass Policy Manager platform to deliver enhanced
analytics, in-depth reporting, and significant gains when addressing compliance and regulatory overhead. The goal of
this guide is to illustrate how easy it is for network managers to analyze authentication information captured from
Policy Manager in order to generate customized reports.
Custom report templates provide the ability to track detailed authentication records, audit trails, and systematic reports
on network-access trends, and to generate reports that are compliant with regulatory and corporate requirements.
Additional features associated with Insight are described below.
Consolidated Reporting
Insight is capable of aggregating data from multiple Policy Manager appliances, or external stores, containing archived
network access logs. It presents a powerful combination of near real-time analytics, as well as the ability to look into
the past to satisfy historical analysis and compliance needs.
In-depth Analytics
Insight uses a powerful analytics engine that mines network access logs in order to generate trending reports on various
parameters. Network managers can utilize these trends to get an overview of authentication and access activity,
elaborate client access distribution, load-averages, and analyze authentication traffic flow through various network
devices.
Ready-to-use Templates
Insight includes several ready-to-use templates that help reduce the time associated with creating custom reports. The
templates guide users through the process of capturing data for a number of use cases with minimal configuration.
Alerts
Insight can generate near real-time alerts on anomalous network activity. Network managers can configure alerts based
on a number of parameters. Alerts can be delivered via SMS or e-mail notification to multiple recipients to
prompt action.
Single Sign-on
Each application within the ClearPass suite can be accessed with a single login. Sign in once for access to Policy
Manager, Insight, Onboard, and Guest.
Getting Started
ClearPass Insight uses a Web-based management interface. The following browsers are supported:
• Mozilla Firefox 3.0 or newer
• Microsoft Internet Explorer 9.0 or newer
• Google Chrome 1.0 or newer
Logging In the First Time
1. Use one of the following methods to launch Insight.
• Point the browser to https://<clearpass-host-name>/insight.
• Access Policy Manager by pointing the browser to https://<clearpass-host-name>/tips, and then select the
Launch ClearPass Insight application link. (See the image below.)
• Log in to Policy Manager, and then select Insight in the Dashboard > Applications widget. This opens Insight
in a new tab.
2. Use the default Username/Password [admin/eTIPS123], and then click Login to launch Insight.
0511599-00v1 | March 2014
Figure 1: Policy Manager Login Screen
Insight Dashboard
The Dashboard page opens immediately when you successfully log in. The Dashboard includes widgets that provide
a summarized, graphical view of your network analytics.
Figure 2: Insight Dashboard
Device Family
This widget includes a pie chart that shows the percentage distribution of device families on your network based on
device category. Categories include Home Audio/Video Equipment, Smart Phone, and unknown.
Figure 3: Device Family
Healthy vs Unhealthy Authentications
This widget shows the number of healthy and unhealthy authentication attempts on your network over the last seven
days. Mouse over each line item in this chart to see the specific number of each for a specific day.
Figure 4: Healthy vs Unhealthy Authentications
Authentications
This widget provides the number of authentications that have taken place on your network over the last seven days.
Mouse over the graph to view the specific count of failed and successful authentications.
Figure 5: Authentications
Top 10 Bandwidth Consumers
This widget displays a chart that shows the top 10 bandwidth consumers. Mouse over the bar charts to view the
bandwidth usage in MB against the selected users.
Figure 6: Top 10 Bandwidth Consumers
Top 10 Causes for Failed Authentications
This widget shows the count of failed authentications for the top 10 causes of failure. Mouse over the
bar chart to view the specific count of failed authentications against each cause.
Figure 7: Top 10 Causes for Failed Authentications
Top 10 NAS with Failed Authentications
This widget shows the top 10 Network Access Servers (NAS) with failed authentications. Mouse over the bar chart to
view the specific count of failed authentications for the top 10 NAS IP addresses.
Figure 8: Top 10 NAS with Failed Authentications
Device Category
This widget provides a pie chart that summarizes the number of devices on your network based on the device type:
computer, smart device, etc. The data for the past seven days is displayed. Devices currently on the network are also
displayed. Mouse over each section to see the specific number of devices.
Figure 9: Device Category Widget
Average Session Time
The widget shows the average session time for the date range specified in the Timestamp Settings. Mouse
over the lines in the chart to view the specific session time in minutes against the selected period.
Figure 10: Average Session Time
Service Categorization
The ClearPass Policy Manager policy model groups policy components that serve a particular type of request into
a Service. This widget provides a chart that displays the usage of the services that are used for different request types (for
example, 802.1X, Web Authentication).
Figure 11: Service Categorization
Traffic Volume
This widget shows the average traffic volume per session, average traffic volume per user, and total data traffic per day
for the date range specified in the Timestamp Settings. Mouse over the curve line in the graph to view the specific
traffic volume in megabytes for the selected period.
Figure 12: Traffic Volume
License Usage
This widget shows the available and used licenses distributed for a selected application. Mouse over the bar chart to
view the specific count of licenses against the listed servers.
Figure 13: License Usage
Guest Registrations
This widget shows the number of guest authentications on your network over a period of seven days. Mouse over the
chart to view the specific number of guest registrations for a given day.
Figure 14: Guest Registrations
Customize
Use the Customize tool provided near the upper right portion of the Dashboard page to specify the widgets that
display on this dashboard. You can change the position of these widgets by a simple drag and drop. The widget
display settings are stored and can be viewed at next login for every user.
The information provided in these widgets includes device connection and authentication attempts over the last seven
days. Use the Customize tool to change the start time for this seven-day range.
Figure 15: Customize
Search
Use the Search page to query the Insight database. Searches can be performed for all records, for specific reports, or for
specific alerts.
The Search Reports and Search Alerts template drop-down menus are populated by currently configured reports and
alerts. If you have not yet configured reports or alerts, then the Select Template drop-down for these options will be
blank.
Reports can be filtered using rules that include a simple AND or OR condition. For example, you can use rules to view
RADIUS Authentications from the Amigopod Active Directory or Guest User Repository source. When using rules,
the Value field auto-populates with data while you type.
Nested "AND/OR" combinations are not currently supported.
Configuring a Search
To perform a search:
1. Select the type of search to perform.
2. Select the template.
3. If desired, specify rules to filter the search.
When you select Search Alerts as the type, the Rules that are currently specified here will be the rules used for
processing the search.
4. Specify the desired date and time range. Note that you can search for data not just on a certain day, but for a
specific time as well.
Figure 16: RADIUS Authentications for source Amigopod AD or [Guest User Repository]
5. Click Customize to determine the columns that you want to include in your search result for a given template.
6. To add a column to the search result, drag the corresponding field from the Available Columns section and drop it
to the Selected Columns section. Similarly, you can drag fields from the Selected Columns section and drop them
back to Available Columns. You can also drag and drop fields to sort the order of the selected or available
columns.
The options listed in the Available Columns may vary depending upon the column type you select.
Figure 17: Customize Search
7. Click Save when done.
8. Click Search to view the results of the search, which is displayed in a table below the search criteria.
Search Templates
The list of available Search templates includes:
• Application Authentication
• ClearPass Configuration Audit
• ClearPass Guest
• ClearPass System Events
• Endpoints
• Failed Application Authentication
• Failed Posture
• Machine Authentication
• Onboard Certificate
• Onboard Enrollment
• Onboard OCSP
• Posture
• RADIUS Accounting
• RADIUS Authentication
• RADIUS Failed Authentications
• TACACS Authentication
• TACACS Failed Authentication
• WEBAUTH
• WEBAUTH Failed Authentications
Viewing Additional Details
For a selected template, apart from the details that are listed in the search results, you can also view the additional
details. These additional details include user, session, and device data, which are stored in a database. By clicking on a
row entry in the search results table, you can view these details for a selected user, device, or session in a pop-up
window as shown in the following figure.
Figure 18: Additional Details - Insight Search Results
The tabs displayed in the pop-up window vary depending upon the type of the template chosen. The
following table lists the tabs for a given template.
If data for a particular tab is not available in the database, that tab will be hidden in the pop-up window.

Template                | Tabs
Authentication          | Authentication, Endpoint, User, Guest, Nad, Alert, CppmErrorCode, Server
RadiusAccounting        | Accounting, Authentication, Endpoint, User, Guest, Nad, Server
Tacacs                  | Tacacs, User, Nad, Alert, CppmErrorCode, Server
ClearPass System events | Events, Server

Table 1: Pop-up Window Tabs
Reports
The Reports page provides you with a method for creating reports that are tailored for specific network access data to
meet your precise requirements. Reports can be set up to run on the fly or can be scheduled daily, weekly, or monthly.
Insight reports show data over the last two-month period. In addition, Insight retains data for up to 2 years.
When configuring a report, you can specify rules that include a simple AND or OR condition. For example, you can use
rules to view RADIUS Authentications from the Amigopod Active Directory or Guest User Repository source.
If using rules, the Value field auto-populates with data while you type.
Nested "AND/OR" combinations are not currently supported.
After a report is configured and run, the report is available for download in PDF and CSV formats.
Adding and Running a Report
To add a report:
1. Navigate to the Reports page and select the Add Reports link.
2. On the Reports tab:
a. Enter a name and description for the report.
b. Enable the report. (Only Enabled reports can be run.)
c. Select to schedule the report at a specific time daily, weekly, or monthly. This will include all data for that
range. Alternatively, you can specify this as a static report rather than recurring, and then enter a time range for
data that you want to view.
d. Specify whether this is a private report, or whether all users will have access to download this report.
e. Enter an optional header and footer. Also, optionally enter an image that will appear on the report.
f. Specify an optional notification e-mail address and/or SMS number. If an e-mail address is configured, then a
PDF version of the report will be sent via e-mail. If an SMS number is configured, then an SMS message will be
sent to the specified phone number alerting that the report is available.
The SMS number must include the carrier information. In Policy Manager, navigate to the Administration > External
Servers > Messaging Setup page and select the Mobile Service Providers tab to view the list of supported carriers.
Figure 19: Add Reports > Reports tab
3. On the Configuration tab:
a. Select the template for this report. Refer to the table that follows for a list of available templates.
b. Specify analytical data to be included in the report. Use the Ctrl button to select multiple criteria.
c. If desired, specify rules to filter the search.
Figure 20: Add Reports > Configuration tab
4. On the Columns tab, determine the columns that you want to include in your report. Each Column Type includes
a list of available columns. Simply drag and drop a label from the Available Columns section to the Selected
Columns section to add it to the report. Similarly, you can drag columns out of the Selected Columns section and
move them back to Available Columns. You can also utilize dragging and dropping to sort the order of the selected
columns.
Figure 21: Add Reports > Columns tab
5. Click Save when you are finished. Upon successful completion, the new report will be available on the front
Reports page.
To run the report:
1. Select the check box beside the new report, and then click the Run Report button.
Figure 22: Running a Report
2. A message will display when the report is completed. Select the report that you just ran, navigate to the
Downloads tab, and select the report format that you want to view (PDF, HTML, or CSV). If a notification has
been set up, then a PDF version of the report will be sent to the specified e-mail address, and an SMS message will
be sent to the specified number.
Report Templates
The list of available Report templates includes:
• Application Authentication
• ClearPass Configuration Audit
• ClearPass Guest
• ClearPass Guest Information
• ClearPass System Events
• Endpoints
• Failed Application Authentication
• Failed Posture
• License Information
• Machine Authentication
• Onboard Certificate
• Onboard Enrollment
• Onboard OCSP
• Posture
• RADIUS Accounting
• RADIUS Authentication
• RADIUS Failed Authentications
• Session and NAS Information
• TACACS Authentication
• TACACS Failed Authentication
• Unique Guests
• Unique Sessions
• WEBAUTH
• WEBAUTH Failed Authentications
License information is generated once a day. When initially configuring a License Information report, License information
will not be available until the license netevent is generated. In most cases, this will be the next day. If you set up this
report and immediately run it, the report will be empty. If you require this information immediately, you can add a future
end_date as the starting date.
Alerts
Alerts provide network managers with near-real-time messages on anomalous network activity. Such activity could
constitute:
• Irregular authentication activity
• Irregular network device access activity
• Users attempting privileged commands on network devices
• Irregular activity on the ClearPass servers.
As with Reports, Alerts include templates for easy configuration. These templates allow managers to quickly configure
and monitor network activity. In addition to e-mail notifications, you can also send alerts to mobile devices via SMS,
providing the capability to receive mission-critical information on the go.
Adding Alerts
To add an alert:
1. Navigate to the Alerts page and select the Add Alerts link.
2. Enter a name and description for the alert.
3. Select the template for this alert. Refer to the table that follows for a list of available templates.
4. If desired, specify rules to filter the search. For example, you can specify to view RADIUS Authentication failures
from the Amigopod Active Directory or Guest User Repository source. If using rules, the Value field auto-populates
with data while you type.
Nested "AND/OR" combinations are not currently supported.
5. Specify threshold and interval values as criteria for determining whether an alert is necessary. For example, you may
want to set up an alert if authentication fails 10 times within five minutes. Note that Threshold has no maximum
value.
6. Specify a notification e-mail address and/or SMS number to be used when sending an alert.
The SMS number must include the carrier information. In Policy Manager, navigate to the Administration > External
Servers > Messaging Setup page and select the Mobile Service Providers tab to view the list of supported carriers.
Figure 23: Add Alerts
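The rule filter in step 4 and the threshold/interval check in step 5, sketched as an added Python example that is not ClearPass code: a flat rule list joined by a single AND or OR filters failed-authentication records, and a per-user sliding window raises an alert at 10 failures within five minutes. The record fields, operator names, sliding-window interpretation of the interval, and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical operator names; the guide does not list Insight's rule operators.
OPS = {"EQUALS": lambda a, b: a == b, "CONTAINS": lambda a, b: b in a}


def matches(record, rules, combine="OR"):
    """Apply a flat rule list joined by one AND or one OR (no nesting)."""
    if combine not in ("AND", "OR"):
        raise ValueError("combine must be 'AND' or 'OR'")
    if not rules:
        return True  # no rules means no filtering
    hits = [OPS[op](str(record.get(field, "")), value) for field, op, value in rules]
    return all(hits) if combine == "AND" else any(hits)


def find_alerts(records, rules, combine, threshold, interval, key="username"):
    """Return (key, first_ts, last_ts, count) for each threshold crossing."""
    if threshold < 1 or interval <= timedelta(0):
        raise ValueError("threshold must be >= 1 and interval positive")
    windows = defaultdict(deque)
    alerts = []
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        if not matches(rec, rules, combine):
            continue
        win = windows[rec[key]]
        win.append(rec["timestamp"])
        # Drop failures that fell out of the sliding interval.
        while win[0] <= rec["timestamp"] - interval:
            win.popleft()
        if len(win) >= threshold:
            alerts.append((rec[key], win[0], rec["timestamp"], len(win)))
            win.clear()  # re-arm so one burst raises one alert
    return alerts


# Constructed sample data (not real Insight output); field names are assumed.
BASE = datetime(2014, 3, 1, 9, 0, 0)


def make_failure(offset_s, user, source):
    return {"timestamp": BASE + timedelta(seconds=offset_s),
            "username": user, "auth_source": source}


SAMPLE = (
    [make_failure(20 * i, "alice", "Amigopod AD") for i in range(12)]              # fast burst
    + [make_failure(90 * i, "bob", "[Guest User Repository]") for i in range(10)]  # slow retries
    + [make_failure(5 * i, "carol", "Local DB") for i in range(15)]                # other source
)
RULES = [("auth_source", "EQUALS", "Amigopod AD"),
         ("auth_source", "EQUALS", "[Guest User Repository]")]

if __name__ == "__main__":
    for user, first, last, count in find_alerts(SAMPLE, RULES, "OR", 10, timedelta(minutes=5)):
        print(f"ALERT {user}: {count} failed authentications between {first} and {last}")
```

Slow retries such as bob's never reach the threshold inside one interval, which is why the threshold and interval need to be tuned together.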
Alert Templates
The list of available Alert templates includes:
• ClearPass Policy Manager Services
• ClearPass Policy Manager SNMP Errors
• RADIUS Failed Authentications
• TACACS Command Execution
• TACACS Failed Authentications
• TACACS Failed Device Administration
• WEBAUTH Failed Authentications
Administration
The Administration page is used for configuring the e-mail server and settings to be used when sending notifications.
You can also specify the number of days for retaining information in your database. Finally, this page allows you to
test the new notification settings and to review Insight log files.
Configuring Administration Settings
To configure notification and database settings:
1. Navigate to the Administration page.
2. Specify a hostname for the SMTP/e-mail server.
3. Specify the port on which this resides. This value defaults to 25. However, if SSL Required is specified, then this
value defaults to 465. Similarly, if Start TLS is specified, then this value defaults to 587.
4. Enter the administration user name and password.
5. Specify the timeout value in seconds.
6. If desired, specify either to require SSL or to start TLS.
7. Enter a valid e-mail address in the From Address field.
8. In the Database Retention field, specify the number of days to retain database records and reports. Specify the
maximum number of rows in the CSV output, and specify the replication interval in minutes. Use the Database
Settings values specified in the following table:
Database Settings    | Description
Database Retention   | Specify the number of days to retain the database in the range of 1 - 730 days. The default value is 30 days.
Report Retention     | Specify the number of days to retain the reports in the range of 1 - 365 days. The default value is 60 days.
CSV Report Limit     | Specify the number of rows for CSV report in the range of 1-5000000 rows. The default value is 50000 rows.
Replication Interval | Specify the time interval to replicate the database in the range of 10 - 2880 minutes. The default value is 60 minutes.

Table 2: Database Settings
9. Import customized templates for Insight reports or alerts using the Import Insight Template section. See Importing
Customized Templates for more information.
Contact Aruba Networks Customer Support if you need to create custom templates. Support will provide you custom
templates in .tgz format.
10. You can configure a master-slave model for replicating a configuration across the cluster nodes. If multiple nodes
have Insight enabled, one node can be configured as a master and other nodes can be configured as slaves. If you
do not configure any node as a master, replication will be disabled. Click Replicate to replicate a master
configuration across the cluster nodes. You can configure only a single node as a master.
Figure 24: Administration
Testing the Notification Settings
After you have finished setting up the e-mail server, use the Test Notification Settings button on the lower-left portion
of the page to make sure that there are no errors in your configuration.
Collect Logs
Click on the Collect Logs button on the lower-left portion of the page. You will be prompted to either open or save
the file. The log files are stored in tar.gz format.
Importing Customized Templates
Contact Aruba Networks Customer Support for creating custom templates with inputs for the following:
• Name of the custom template
• Executive report (Non-editable columns and filter conditions) or Non-Executive report
• Columns to be included in the report (such as username, MAC address, Time Stamp, and so on)
The Support team will provide you with a custom template in .tgz format. If you are already using custom templates
provided by Aruba support and need to modify them or to request additional custom templates, then you need to
provide Insight logs. You can collect Insight logs using the option on the Administration tab.
Use the following steps to import the custom templates:
1. Download the custom templates provided by the support team in .tgz format to the local drive.
2. Log in to Insight and navigate to the Administration tab.
3. Click Browse in the Select file to import field and select the template you copied to the local drive.
4. Click Submit. On successful import, the system displays the success message.
5. Click Save.