Govroam

The Roaming solution for the public sector


siteadmin:clearpass_fticks

Differences

This shows you the differences between two versions of the page.

siteadmin:clearpass_fticks [2024/05/15 13:25] adminsiteadmin:clearpass_fticks [2024/05/20 12:34] (current) admin
Line 1: Line 1:
 ======ClearPass FTICKS for Federation Operators only====== ======ClearPass FTICKS for Federation Operators only======
 +
 +**NOTE: This is untested.**
 +
 +**This only applies to Federation Operators and not to individual sites**
  
 There are a number of steps required to set up FTICKS logging. There are a number of steps required to set up FTICKS logging.
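Review bot: the added "NOTE: This is untested." line at the top flags the whole procedure as unverified but gives no detail about what was not tested or on which ClearPass release; say whether it is the Custom SQL, the export filter, or end-to-end delivery to the Jisc collector that is unverified, so a Federation Operator knows what to validate before relying on the page.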
Line 5: Line 9:
 ====Syslog Targets==== ====Syslog Targets====
  
-Create a new Syslog Target (Administration->External Servers->Syslog Target) for the Jisc syslog server, utilities.govroam.uk on port 514/UDP+Create a new Syslog Target (**Administration**->**External Servers**->**Syslog Target**) for the Jisc syslog server, utilities.govroam.uk on port 514/UDP
  
 {{:siteadmin:screenshot_2024-05-15_at_14.13.46.png?direct&400|IMAGE}} {{:siteadmin:screenshot_2024-05-15_at_14.13.46.png?direct&400|IMAGE}}
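Review bot: the target on the changed line is plain syslog to utilities.govroam.uk on 514/UDP, with no mention of an encrypted alternative; the export built later on this page carries user realms and client identifiers, so the page should state whether the Jisc collector also accepts TLS-protected syslog, or say plainly that this transport is unencrypted and delivery is unacknowledged.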
Line 11: Line 15:
 ====Syslog Export Filter==== ====Syslog Export Filter====
  
-Create a new Syslog Export Filter (Administration->External Servers->Syslog Export Filter) for the FTICKs logs:+Create a new Syslog Export Filter (**Administration**->**External Servers**->**Syslog Export Filter**) for the FTICKs logs:
  
 {{:siteadmin:screenshot_2024-05-15_at_14.14.49.png?direct&400|IMAGE}} {{:siteadmin:screenshot_2024-05-15_at_14.14.49.png?direct&400|IMAGE}}
  
 where where
-  * Export Template is \\Session Logs\\ +  * Export Template is //Session Logs// 
-  * Export Event Format Type is \\Standard\\ +  * Export Event Format Type is //Standard// 
-  * Local Facility Level is \\local7\\+  * Local Facility Level is //local7//
   * Syslog Servers is the Jisc one created above   * Syslog Servers is the Jisc one created above
   * and your ClearPass servers to generate logs from   * and your ClearPass servers to generate logs from
  
-Then in the \\Filters and Columns\\ tab:+Then in the //Filters and Columns// tab:
  
 {{:siteadmin:screenshot_2024-05-15_at_14.16.20.png?direct&400|IMAGE}} {{:siteadmin:screenshot_2024-05-15_at_14.16.20.png?direct&400|IMAGE}}
  
-ignore Option 1 and cut and paste the following int othe Custom SQL box:+Ignore Option 1 and cut and paste the following into the Custom SQL box:
  
 <code> <code>
-SELECT  concat( substring(user_name,2,100)||'#VISCOUNTRY=UK#VISINST='||attr_value||'#CSI='||end_host_id||'#RESULT=OK#FEDID=0X000'+SELECT  concat( substring(user_name,2,100)||'#VISCOUNTRY=GB#VISINST='||attr_value||'#CSI='||end_host_id||'#RESULT=OK#FEDID=0X000'
 AS "F-TICKS/govroam/1.0#REALM"  AS "F-TICKS/govroam/1.0#REALM" 
 FROM public.tips_radius_session_log,public.tips_session_log_details  FROM public.tips_radius_session_log,public.tips_session_log_details 
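Review bot: the Custom SQL hardcodes `#RESULT=OK` into every emitted record, and the hunk is cut off before any WHERE clause, so it is not visible whether rows for rejected or errored sessions are excluded; show the full statement or state the outcome filter explicitly, otherwise failed authentications would be reported to Jisc as successes. The change of VISCOUNTRY from UK to GB is correct (ISO 3166-1 alpha-2), and `FEDID=0X000` reads like a placeholder that should be explained or replaced with the real federation identifier.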
Line 50: Line 54:
  
 There might need to be other lines in there to ensure that the only logs sent to Jisc are ones that match a proxy between two sites specifically for govroam, rather than all proxied logs for non-govroam services. There might need to be other lines in there to ensure that the only logs sent to Jisc are ones that match a proxy between two sites specifically for govroam, rather than all proxied logs for non-govroam services.
 +
 +=====SERIOUS LIMITATION=====
 +
 +The big caveat with the above is that FTICKS logs will ONLY be generated where there is an Operator-Name variable set in the originating Access Request from the member site. No FTICKS if there isn't. Even if Clearpass inserts an Operator-Name, still no FTICKs logs. 
 +
 +**Thus as many as possible of your member sites need to configured their servers to set Operator-Name. This rules out any site using NPS as their ORPS unfortunately.**
  
 ====Limitations on logging==== ====Limitations on logging====
  
-Despite being able to delve quite deep into the Clearpass TIPS database (see above) there are limits on what data can be loggedThe +Problem: Not all member organisations can or do set the Operater-Name attribute in their Requests. Ideally the RFO should be able to insert an O-N with a value set on behalf of your site but only some RADIUS servers are capable of doing this (FreeRADIUS, RadSecProxy, RADIATOR). The next best option is to insert a generic value for the Federation. i.e: 
 + 
 +When an RFO, scarfolk.gov.uk, gets a request from a site, say arkham.nhs.uk: 
 +  - If the Operator-Name is set to, say, 1arkham.nhs.uk then leave it as is. 
 +  - If the Operator-Name is missing the insert an Operator-Name with the value '1arkham.nhs.uk' no matter which of the several holby,nhs.uk servers the request comes from. 
 +  - If there's no way to set the Operator-Name as in (2) then just insert an Operator-Name of, say, '1scarfolk.gov.uk'.  
 + 
 +This way the home site will, at best, see an Operator-Name with the source site's value or, at worst, with it set to the Federation's value.  
 + 
 +However, this conditional setting of Operator-Name isn't something found in servers like ClearPass, ISE or NPS. NPS is completely incapable of setting the Operator-Name. ClearPass can't do any sort of conditional setting. ISE might be able to. 
 + 
 +With ClearPass you delete and add attributes to the Access Request but you can't conditionally replace or modify them. So the options are to either do nothing, which is what the configuration above does, and not try to add an Operator-Name where missing. Or, to add an Operator-Name with the default value of the RFO. Despite ClearPass allowing database access and has the ability to set and expand variables, there's no way to conditionally set the Operator-Name using the underlying FreeRADIUS variables. 
 + 
 +Overwriting the Operator-Name is an option but not a great one. Not only does it meant that sites which do set the Operator-Name will not be able to be identified outside of the Federation, but the FTICKS log won't be generated anyway 
  
  
  
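Review bot: the worked example in the numbered list is internally inconsistent: step (2) names the sending site as "holby,nhs.uk" (comma for dot) while the lead-in and step (1) use "arkham.nhs.uk", so it is unclear whether one RFO-side rule covers several servers of one site or several different sites; use a single name, written as `arkham.nhs.uk`, throughout. Typos to fix in the new text: "Operater-Name" -> "Operator-Name", "need to configured their servers" -> "need to configure their servers", "is missing the insert" -> "is missing then insert", "does it meant" -> "does it mean", and the last sentence is missing its full stop. Also, the new `=====SERIOUS LIMITATION=====` heading sits one level above the `====...====` sub-sections around it; use four `=` to match them, or move the caveat up under the page title where it will be read first.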
siteadmin/clearpass_fticks.1715779516.txt.gz · Last modified: 2024/05/15 13:25 by admin