Contextual Intelligence Publisher Outputs

Each publisher type available in the Contextual Intelligence module is capable of publishing a subset of the data provided by NAC, as dictated by the available APIs for the vendor in question.

Master List

The list of data points provided by NAC:

  • Client ID

  • Principal

    • This is the full principal, complete with username and roles
    • Some publishers may provide only the username from this, others username and role

  • IP Address

  • MAC Address

  • Machine Name

  • Host Type

  • Policy Group

  • Domain

  • Compliance State

iboss Publisher

  • Username
  • IP Address
  • MAC Address
  • Group Memberships (LDAP roles AND NAC roles)
  • Machine Name
  • Domain

Sample Data:

Copy

Juniper SRX (Requires 6.3+)

  • Username
  • IP Address
  • Group Memberships (LDAP roles AND NAC roles)
  • Device Type
  • Machine Name
  • Compliance State

Sample Data:

Copy

Palo Alto Publisher

  • Username
  • IP Address
  • Domain
  • Device Type
  • Machine Name

Sample Data:

Copy

Exinda Publisher

  • Username
  • IP Address
  • Domain
  • Group Memberships (LDAP roles AND NAC roles)

Sample Data:

Copy

Procera Publisher

  • Device Current IP Address
  • Device Local IP Address (If a policy key is installed)
  • Username
  • Group Memberships (LDAP roles AND NAC roles)
  • Device Mac Address
  • Machine Name (if available)
  • Device Type
  • Policy Group
  • Domain

Sample Data:

Copy

JSON Publisher

  • Client ID
  • Principal
  • IP Address
  • MAC Address
  • Machine Name
  • Host Type
  • Policy Group
  • Domain

Sample Data:

Copy

RADIUS Accounting

Note that this does not require any flavor or pre-existing RADIUS or RBE. This is simply CIP repacking Contextual Intelligence data as RADIUS accounting.

  • Device IP Address
  • Device Mac Address
  • Username
  • Login Time (RADIUS Start)
  • Logout Time (RADIUS Stop)
  • NOTE: We do not currently send Interim-Updates. Because of this, ensure that the receiving end has session/idle timeouts set to the maximum value.
  • Vendors that we know support RADIUS accounting as an input:

Syslog Publisher

Fields (All syslog formats publish the following fields):

  • Client ID
  • Username
  • Roles
  • Current IP Address
  • Local IP Address
  • MAC Address
  • Machine Name
  • Host Type
  • Policy Group
  • Device Attributes

Key-Value Format (Splunk compatible)

Copy

LEEF Format (Qradar compatible, tab delimited)

Copy

CEF Format (ArcSight compatible, space delimited)

Copy

Field Definitions and Descriptions

Key-ValueLEEFCEFDescription
clientIdclientIdclientIdThe id of the client record in the NAC database.
currentIpsrcsrcThe IP address of this client. This is the IP address of the device as seen from the network.
localIplocalIplocalIpThe IP address of this client as reported by the NAC policy key, if it is installed. This may differ from the ‘currentIp’ if the client is behind a NAT device.
macAddresssrcMACsmacThe MAC address of the client
machineNamemachineNamemachineNameThe machine name of the client
hostRefTypehostRefTypehostRefType

One of a list of strings describing the type of device. Values can be one of:

  • Android
  • Apple Mobile
  • BlackBerry
  • iPad
  • Linux
  • MAC
  • Media
  • Microsoft Gaming Device
  • Miscellaneous
  • Nintendo Gaming Device
  • Nokia Mobile
  • Palm
  • PC
  • Sony Gaming Device
  • Windows Mobile
policyGrouppolicyGrouppolicyGroupThe name of the policy group this client belongs to, as configured in the NAC policy manager
deviceAttributesAn array of strings that represent any device attributes associated with the client. A device attribute is represented in the string as “SOURCE:NAME:VALUE”. (EX: a client with a device attribute from ‘ActiveDirectory’ with name ‘Domain’ and value ‘OPSWAT’ would be represented as “ActiveDirectory:Domain:opswat”.
usernameusrNamesuserThe username this client is authenticated with. This is identical to the first entry in the ‘principal’ field.
rolesrolerolesEach entry is a string role name, identical to the roles reported following the username in the ‘principal’ field
complianceStatecomplianceStatecomplianceStateWill be either ‘compliant’ or ‘not compliant’
failedPolicyfailedPolicyfailedPolicyContains the name of a policy that is causing the device to be ‘not compliant’
eventTypeevenTypeeventType

The type of event that caused the packet to be sent:

  • Session Start
  • Session Stop
  • Authentication

IF-MAP Publisher

  • Username
  • IP Address
  • MAC Address
Type to search, ESC to discard
Type to search, ESC to discard
Type to search, ESC to discard
Next to read:
Contextual Intelligence Publishing - Exinda
On This Page
Contextual Intelligence Publisher OutputsMaster Listiboss PublisherJuniper SRX (Requires 6.3+)Palo Alto PublisherExinda PublisherProcera PublisherJSON PublisherRADIUS AccountingSyslog PublisherKey-Value Format (Splunk compatible)LEEF Format (Qradar compatible, tab delimited)CEF Format (ArcSight compatible, space delimited)Field Definitions and DescriptionsIF-MAP Publisher