1. ClearPass Insight 6.3 User Guide Overview ClearPass Insight is an advanced application for use with the ClearPass Policy Manager platform to deliver enhanced analytics, in-depth reporting, and significant gains when addressing compliance and regulatory overhead. The goal of this guide is to illustrate how easy it is for network managers to analyze authentication information captured from Policy Manager in order to generate customized reports. Custom report templates provide the ability to track detailed authentication records, audit trails, and systematic reports on network-access trends, and to generate reports that are compliant with regulatory and corporate requirements. Additional features associated with Insight are described below. Consolidated Reporting Insight is capable of aggregating data from multiple Policy Manager appliances, or external stores, containing archived network access logs. It presents a powerful combination of near real-time analytics, as well as the ability to look into the past to satisfy historical analysis and compliance needs. In-depth Analytics Insight uses a powerful analytics engine that mines network access logs in order to generate trending report on various parameters. Network managers can utilize these trends to get an overview of authentication and access activity, elaborate client access distribution, load-averages, and analyze authentication traffic flow through various network devices. Ready-to-use Templates Insight includes several ready-to-use templates that help reduce the time associated with creating custom reports. The templates guide users through the process of capturing data for a number of use cases with minimal configuration. Alerts Insight can generate near real-time alerts on anomalous network activity. Network managers can configure alerts based on a number of various parameters. Alerts can be delivered via SMS or e-mail notification to multiple recipients to prompt action. Single Sign-on Each application within the ClearPass suite can be accessed with a single login. Sign in once for access to Policy Manager, Insight, Onboard, and Guest. Getting Started ClearPass Insight uses a Web-based management interface. The following browsers are supported: l Mozilla Firefox 3.0 or newer l Microsoft Internet Explorer 9.0 or newer l Google Chrome 1.0 or newer Logging In the First Time 1. Use one of the following methods to launch Insight. 0511599-00v1 | March 2014 1

2. l Point the browser to https:///insight. l Access Policy manager by pointing the browser to https:///tips, and then select the Launch ClearPass Insight application link. (See the image below.) l Log in to Policy Manager, and then select Insight in the Dashboard >Applications widget. This opens Insight in a new tab. 2. Use the default Username/Password [admin/eTIPS123], and then click Login to launch Insight. Figure 1: Policy Manager Login Screen Insight Dashboard The Dashboard page opens immediately when you successfully log in. The Dashboard includes widgets that provide a summarized, graphical view of your network analytics. Figure 2: Insight Dashboard Device Family This widget includes a pie chart that shows the distributed percentage device families on your network based on device category. Categories include Home Audio/Video Equipment, Smart Phone, and unknown, 2 ClearPass Insight 6.3 | User Guide 3. Figure 3: Device Family Healthy vs Unhealthy Authentications This widget shows the number of healthy and unhealthy authentication attempts on your network over the last seven days. Mouse over each line item in this chart to see the specific number of each for a specific day. Figure 4: Healthy vsUnhealthy Authentications Authentications This widget provides of the number of authentications that have take place on your network over the last seven days. Mouse over the graph to view the specific count of failed and successful authentications. ClearPass Insight 6.3 | User Guide 3 4. Figure 5: Authentications Top 10 Bandwidth Consumers This widget displays a chart that shows the first top 10 bandwidth consumers. Mouse over the bar charts to view the bandwidth usage in MB against the selected users. Figure 6: Top 10 Bandwidth Consumers Top 10 Causes for Failed Authentications This widget shows the count of failed authentications with the top 10 causes that caused the failure. Mouse over the bar chart to view the specific count of failed authentications against each cause. 4 ClearPass Insight 6.3 | User Guide 5. Figure 7: Top 10 Causes for Failed Authentications Top 10 NAS with Failed Authentications This widget shows the top 10 Network Access Server (NAS) with failed authentications. Mouse over the bar chart to view the specific count of failed authentications for the top 10 NAS ip addresses. Figure 8: Top 10 NAS with Failed Authentications Device Category This widget provides a pie chart that summarizes the number of devices on your network based on the device type: computer, smart device, etc. The data for the past seven days is displayed. Devices currently on the network are also displayed. Mouse over each section to see the specific number of devices. ClearPass Insight 6.3 | User Guide 5 6. Figure 9: Device Category Widget Average Session Time The widget shows the average session time for the specified date range specified in the Timestamp Settings. Mouse over the lines in the chart to view the specific session time in minutes against the selected period. Figure 10: Average Session Time 6 ClearPass Insight 6.3 | User Guide 7. Service Categorization The ClearPass Policy Manager policy model groups policy components that serve a particular type of request into Service. This widget provides a chart that displays the usage of the services that used for different request types (for example, 802.1X, Web Authentication). Figure 11: Service Categorization Traffic Volume This widget shows the average traffic volume per session, average traffic volume per user, and total data traffic per day for the date range specified in the Timestamp Settings. Mouse over the curve line in the graph to view the specific traffic volume in mega bites for the selected period. ClearPass Insight 6.3 | User Guide 7 8. Figure 12: Traffic Volume License Usage This widget shows the available and used licenses distributed for a selected application. Mouse over the bar chart to view the specific count of licenses against the listed servers. Figure 13: License Usage 8 ClearPass Insight 6.3 | User Guide 9. Guest Registrations This widget shows the number of guest authentications on your network over a period of seven days. Mouse over the chart to view the specific number of guest registrations for a given day. Figure 14: Guest Registrations Customize Use the Customize tool provided near the upper right portion of the Dashboard page to specify the widgets that display on this dashboard. You can change the position of these widgets by a simple drag and drop. The widget display settings are stored and can be viewed at next login for every user. The information provided in these widgets includes device connection and authentication attempts over the last seven days. Use the Customize tool to change the start time for this seven-day range. ClearPass Insight 6.3 | User Guide 9 10. Figure 15: Customize Search Use the Search page to query the Insight database. Searches can be performed for all records, for specific reports, or for specific alerts. The Search Reports and Search Alerts template drop-down menus are populated by currently configured reports and alerts. If you have not yet configured reports or alerts, then the Select Template drop-down for these options will be blank. Reports can be filtered using rules that include a simple AND or OR condition. For example, you can use rules to view RADIUS Authentications from the Amigopod Active Directory or Guest User Repository source. When using rules, the Value field auto-populates with data while you type. Nested "AND/OR" combinations are not currently supported. Configuring a Search To perform a search: 1. Select the type of search to perform. 2. Select the template. 3. If desired, specify rules to filter the search. 10 ClearPass Insight 6.3 | User Guide 11. When you select Search Alerts as the type, the Rules that are currently specified here will be the rules used for processing the search. 4. Specify the desired date and time range. Note that you can search for data not just on a certain day, but for a specific time as well. Figure 16: RADIUSAuthentications for source Amigopod AD or [Guest User Repository] 5. Click Customize to determine the columns that you want to include in your search result for a given template. 6. To add a column to the search result, drag the corresponding field from the Available Columns section and drop it to the Selected Columns section. Similarly, you can drag the fields from the Selected Columns section and drop it back to Available Columns. You can also drag and drop fields to sort the order of the selected or available columns. The options listed in the Available Columns may vary depending upon the column type you select. Figure 17: Customize Search 7. Click Save when done. 8. Click Search to view the results of the search, which is displayed in a table below the search criteria. Search Templates The list of available Search templates includes: ClearPass Insight 6.3 | User Guide 11 12. l Application Authentication l ClearPass Configuration Audit l ClearPass Guest l ClearPass System Events l Endpoints l Failed Application Authentication l Failed Posture l Machine Authentication l Onboard Certificate l Onboard Enrollment l Onboard OCSP l Posture l RADIUSAccounting l RADIUS Authentication l RADIUS Failed Authentications l TACACSAuthentication l TACACS Failed Authentication l WEBAUTH l WEBAUTHFailed Authentications Viewing Additional Details For a selected template, apart from the details that are listed in the search results, you can also view the additional details. These additional details include user, session, and device data, which are stored in a database. By clicking on a row entry in the search results table, you can view these details for a selected user, device, or session in a pop-up window as shown in the following figure. Figure 18: Additional Details - Insight Search Results The tabs, which are displayed in the pop-up window, varies depending upon the type of the template chosen. The following table lists the tabs for a given template. 12 ClearPass Insight 6.3 | User Guide 13. If data for a particular tab is not available in the database, that tab will be hidden in the pop-up window. Template Tabs Authentication Authentication, Endpoint , User, Guest, Nad, Alert, CppmErrorCode, Server RadiusAccounting Accounting, Authentication, Endpoint, User, Guest, Nad, Server Tacacs Tacacs, User, Nad, Alert, CppmErrorCode, Server ClearPass System events Events, Server Table 1: Pop-up Window Tabs Reports The Reports page provides you with a method for creating reports that are tailored for specific network access data to meet your precise requirements. Reports can be set up to run on the fly or can be scheduled daily, week, or monthly. Insight reports show data over the last two-month period. In addition, Insight retains data for up to 2 years. If configuring a report, you can specify rules that include a simple AND or OR condition. For example, you can use rules specify to view RADIUS Authentications from the Amigopod Active Directory or Guest User Repository source. If using rules, the Value field auto-populates with data while you type. Nested "AND/OR" combinations are not currently supported. After a report is configured and run, the report is available for download in PDF and CSV formats. Adding and Running a Report To add a report: 1. Navigate to the Reports page and select the Add Reports link. 2. On the Reports tab: a. Enter a name and description for the report. b. Enable the report. (Only Enabled reports can be run.) c. Select to schedule the report at a specific time daily, weekly, or monthly. This will include all data for that range. Alternatively, you can specify this as a static report rather than recurring, and then enter a time range for data that you want to view. d. Specify whether this is a private report, or whether all users will have access to download this report. e. Enter an optional header and footer. Also, optionally enter an image that will appear on the report. f. Specify an optional notification e-mail address and/or SMS number. If an e-mail address is configured, then a PDF version of the report will be sent via e-mail. If an SMS number is configured, then an SMS message will be sent to the specified phone number alerting that the report is available. The SMSnumber must include the carrier information. In Policy Manager, navigate to the Administration > External Servers > Messaging Setup page and select the Mobile Service Providers tab to view the list of supported carriers. ClearPass Insight 6.3 | User Guide 13 14. Figure 19: Add Reports >Reports tab 3. On the Configuration tab: a. Select the template for this report. Refer to the table that follows for a list of available templates. b. Specify analytical data to be included in the report. Use the Ctrl button to select multiple criteria. c. If desired, specify rules to filter the search. Figure 20: Add Reports >Configuration tab 4. On the Columns tab, determine the columns that you want to include in your report. Each Column Type includes a list of available columns. Simply drag and drop a label from the Available Columns section to the Selected Columns section to add it to the report. Similarly, you can drag columns out of the Selected Columns section and move it back to Available Columns. You can also utilize dragging and dropping to sort the order of the selected columns. 14 ClearPass Insight 6.3 | User Guide 15. Figure 21: Add Reports >Columns tab 5. Click Save when you are finished. Upon successful completion, the new report will be available on the front Reports page. To run the report: 1. Select the check box beside the new report, and then click the Run Report button. Figure 22: Running a Report 2. A message will display when the report is completed. Select the report that you just ran, navigate to the Downloads tab, and select the report format that you want to view (PDF, HTML, or CSV). If a notification has been set up, then a PDF version of the report will be sent to the specified e-mail address, and an SMSmessage will be sent to the specified number. Report Templates The list of available Report templates includes: l Application Authentication l ClearPass Configuration Audit l ClearPass Guest l ClearPass Guest Information l ClearPass System Events ClearPass Insight 6.3 | User Guide 15 16. l Endpoints l Failed Application Authentication l Failed Posture l License Information l Machine Authentication l Onboard Certificate l Onboard Enrollment l Onboard OCSP l Posture l RADIUSAccounting l RADIUS Authentication l RADIUS Failed Authentications l Session and NASInformation l TACACSAuthentication l TACACS Failed Authentication l Unique Guests l Unique Sessions l WEBAUTH l WEBAUTHFailed Authentications License information is generated once a day. When initially configuring a License Information report, License information will not be available until the license netevent is generated. In most cases, this will be the next day. If you set up this report and immediately run it, the report will be empty. If you require this information immediately, you can add a future end_date as the starting date. Alerts Alerts provide network managers with near-real-time messages on anomalous network activity. Such activity could constitute: l Irregular authentication activity l Irregular network device access activity l Users attempting privileged commands on network devices l Irregular activity on the ClearPass servers. As with Reports, Alerts include templates for easy configuration. These templates allow managers to quickly configure and monitor network activity. In addition to e-mail notifications, you can also send alerts to mobile devices via SMS, providing the capability to receive mission-critical information on the go. Adding Alerts To add an alert: 1. Navigate to the Alerts page and select the Add Alerts link. 2. Enter a name and description for the alert. 3. Select the template for this alert. Refer to the table that follows for a list of available templates. 16 ClearPass Insight 6.3 | User Guide 17. 4. If desired, specify rules to filter the search. For example, you can specify to view RADIUS Authentications failures from the Amigopod Active Directory or Guest User Repository source. If using rules, the Value field auto-populates with data while you type. Nested "AND/OR" combinations are not currently supported. 5. Specify threshold and interval values as criteria for determining whether an alert is necessary. For example, you may want to set up an alert if authentication fails 10 times within five minutes. Note that Threshold has no maximum value. 6. Specify a notification e-mail address and/or SMS number to be used when sending an alert. The SMSnumber must include the carrier information. In Policy Manager, navigate to the Administration > External Servers > Messaging Setup page and select the Mobile Service Providers tab to view the list of supported carriers. Figure 23: Add Alerts Alert Templates The list of available Alert templates includes: l ClearPass Policy Manager Services l ClearPass Policy Manager SNMPErrors l RADIUS Failed Authentications l TACACS Command Execution l TACACS Failed Authentications l TACACS Failed Device Administration l WEBAUTH Failed Authentications Administration The Administration page is used for configuring the e-mail server and settings to be used when sending notifications. You can also specify the number of days for retaining information in you database. Finally, this page allows you to test the new notification settings to review Insight log files. ClearPass Insight 6.3 | User Guide 17 18. Configuring Administration Settings To configure notification and database settings: 1. Navigate to the Administration page. 2. Specify a hostname for the SMTP/e-mail server. 3. Specify the port on which this resides. This value defaults to 25. However, if SSL Required is specified, then this value defaults to 465. Similarly, if Start TLS is specified, then this value defaults to 587. 4. Enter the administration user name and password. 5. Specify the timeout value in seconds. 6. If desired, specify either to require SSL or to start TLS. 7. Enter a valid e-mail address in the From Address field. 8. In the Database Retention field, specify the number of days to retain database records and reports. Specify the maximum number of rows in the CSV output, and specify the replication interval in minutes. Use the Database Settings values specified in the following table: Database Settings Description Database Retention Specify the number of days to retain the database in the range of 1 - 730 days. The default value is 30 days. Report Retention Specify the number of days to retain the reports in the range of 1 - 365 days. The default value is 60 days. CSV Report Limit Specify the number of rows for CSV report in the range of 1-5000000 rows. The default value is 50000 rows. Replication Interval Specify the time interval to replicate the database in the range of 10 - 2880 minutes. The default value is 60 minutes. Table 2: Database Settings 9. Import customized templates for Insight reports or alerts using the Import Insight Template section. See Importing Customized Templates for more information. Contact Aruba Networks Customer Support if you need to create custom templates. Support will provide you custom templates in .tgz format. 10. You can configure a master-slave model for replicating a configuration across the cluster nodes. If multiple nodes have Insight enabled, one node can be configured as a master and other nodes can be configured as slaves. If you do not configure any node as a master, replication will be disabled. Click Replicate to replicate a master configuration across the cluster nodes. You can configure only a single node as a master. 18 ClearPass Insight 6.3 | User Guide 19. Figure 24: Administration Testing the Notification Settings After you have finished setting up the e-mail server, use the Test Notification Settings button on the lower-left portion of the page to make sure that there are no errors in your configuration. Collect Logs Click on the Collect Logs button on the lower-left portion of the page. You will be prompted to either open or save the file. The log files are stored in tar.gz format. Importing Customized Templates Contact Aruba Networks Customer Support for creating custom templates with inputs for the following: l Name of the custom template l Executive report (Non-editable columns and filter conditions) or Non-Executive report l Columns to be included in the report such as username , MAC address, Time Stamp and so on) Support team will provide you with a custom template in .tgz format. If you are already using custom templates provided by Aruba support and need to modify them or to request additional custom templates, then you need to provide Insight logs. You can collect Insight logs using the option on the Administration tab. Use the following steps to import the custom templates: 1. Download the custom templates provided by the support team in .tgz format to the local drive. 2. Login to Insight and navigate to the Administration tab. 3. Click Browse in the Select file to import field and select the template you copied in the local drive. 4. Click Submit. On successful import, the system displays the success message. 5. Click Save. ClearPass Insight 6.3 | User Guide 19