Contextual Intelligence Publisher Outputs
Each publisher type available in the Contextual Intelligence module is capable of publishing a subset of the data provided by NAC, as dictated by the available APIs for the vendor in question.
Master List
The list of data points provided by NAC:
- Client ID
- Principal
  - This is the full principal, complete with username and roles
  - Some publishers may provide only the username from this; others provide the username and roles
- IP Address
- MAC Address
- Machine Name
- Host Type
- Policy Group
- Domain
- Compliance State
iboss Publisher
- Username
- IP Address
- MAC Address
- Group Memberships (LDAP roles AND NAC roles)
- Machine Name
- Domain
Sample Data:
Juniper SRX (Requires 6.3+)
- Username
- IP Address
- Group Memberships (LDAP roles AND NAC roles)
- Device Type
- Machine Name
- Compliance State
Sample Data:
Palo Alto Publisher
- Username
- IP Address
- Domain
- Device Type
- Machine Name
Sample Data:
Exinda Publisher
- Username
- IP Address
- Domain
- Group Memberships (LDAP roles AND NAC roles)
Sample Data:
Procera Publisher
- Device Current IP Address
- Device Local IP Address (If a policy key is installed)
- Username
- Group Memberships (LDAP roles AND NAC roles)
- Device Mac Address
- Machine Name (if available)
- Device Type
- Policy Group
- Domain
Sample Data:
JSON Publisher
- Client ID
- Principal
- IP Address
- MAC Address
- Machine Name
- Host Type
- Policy Group
- Domain
Sample Data:
RADIUS Accounting
Note that this does not require any flavor of pre-existing RADIUS or RBE. This is simply CIP repackaging Contextual Intelligence data as RADIUS accounting.
- Device IP Address
- Device Mac Address
- Username
- Login Time (RADIUS Start)
- Logout Time (RADIUS Stop)
- NOTE: We do not currently send Interim-Updates. Because of this, ensure that the receiving end has session/idle timeouts set to the maximum value.
- Vendors that we know support RADIUS accounting as an input:
  - Fortinet (Requires the FortiAuthenticator Module)
  - SonicWALL
  - Lightspeed
  - WatchGuard Firebox Firewall - http://www.watchguard.com/help/docs/fireware/11/en-US/Content/en-US/authentication/rsso_enable.html
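As an added example (not code from this page or from the CIP product), the following Python encodes the RADIUS accounting Start and Stop messages described above using RFC 2866 framing and standard attribute numbers, and decodes them on the receiving side after checking the Request Authenticator against the shared secret, so a forged or tampered packet is never used for an IP-to-user mapping. It assumes the Device IP is carried in Framed-IP-Address and the Device MAC in Calling-Station-Id, which is what RADIUS single-sign-on receivers conventionally expect; the page does not state which attributes CIP uses. The shared secret, usernames and addresses are constructed placeholders. The session-table helper illustrates the note above: since no Interim-Update is sent, a mapping has to be held from Start until Stop rather than expiring on an idle timer.

```python
import hashlib
import hmac
import socket
import struct
from typing import Dict, Optional

ACCOUNTING_REQUEST = 4
# Standard attribute type numbers (RFC 2865 / RFC 2866)
USER_NAME, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 1, 8, 31
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCT_START, ACCT_STOP = 1, 2
STATUS_NAMES = {ACCT_START: "Start", ACCT_STOP: "Stop"}


def _attr(atype: int, value: bytes) -> bytes:
    # Type(1) Length(1) Value; the length counts the two header octets
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_accounting_request(identifier: int, secret: bytes, username: str, ip: str,
                             mac: str, session_id: str, status: int) -> bytes:
    """Encode one Accounting-Request (Start at login, Stop at logout)."""
    attrs = b"".join([
        _attr(ACCT_STATUS_TYPE, struct.pack("!I", status)),
        _attr(USER_NAME, username.encode()),
        _attr(FRAMED_IP_ADDRESS, socket.inet_aton(ip)),  # assumed carrier for Device IP
        _attr(CALLING_STATION_ID, mac.encode()),         # assumed carrier for Device MAC
        _attr(ACCT_SESSION_ID, session_id.encode()),
    ])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 Request Authenticator: MD5 over Code+ID+Length, 16 zero octets, attributes, secret
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def _parse_attrs(attrs: bytes) -> Dict[int, bytes]:
    out: Dict[int, bytes] = {}
    pos = 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        out[atype] = attrs[pos + 2:pos + alen]
        pos += alen
    return out


def decode_accounting_request(packet: bytes, secret: bytes) -> Optional[Dict[str, str]]:
    """Receiver side: verify the authenticator before trusting the packet.
    Returns None for a bad length, wrong secret or tampered packet."""
    if len(packet) < 20:
        return None
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    code, _ident, length = struct.unpack("!BBH", header)
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return None
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(expected, authenticator):
        return None
    a = _parse_attrs(attrs)
    status = struct.unpack("!I", a[ACCT_STATUS_TYPE])[0]
    return {
        "username": a[USER_NAME].decode(),
        "ip": socket.inet_ntoa(a[FRAMED_IP_ADDRESS]),
        "mac": a[CALLING_STATION_ID].decode(),
        "session_id": a[ACCT_SESSION_ID].decode(),
        "status": STATUS_NAMES.get(status, str(status)),
    }


def apply_to_session_table(table: Dict[str, str], event: Dict[str, str]) -> Dict[str, str]:
    """Hold the ip -> username mapping from Start until Stop with no idle
    expiry, because no Interim-Update will ever arrive to refresh it."""
    if event["status"] == "Start":
        table[event["ip"]] = event["username"]
    elif event["status"] == "Stop":
        table.pop(event["ip"], None)
    return table


# Constructed sample login/logout for one client (placeholder values only)
SECRET = b"example-shared-secret"
LOGIN = build_accounting_request(1, SECRET, "jdoe", "10.1.2.3",
                                 "00:11:22:33:44:55", "sess-0001", ACCT_START)
LOGOUT = build_accounting_request(2, SECRET, "jdoe", "10.1.2.3",
                                  "00:11:22:33:44:55", "sess-0001", ACCT_STOP)
```

On a real receiver the packet would arrive over UDP port 1813 and an Accounting-Response should be returned; both are omitted here so the block runs offline.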
Syslog Publisher
Fields (All syslog formats publish the following fields):
- Client ID
- Username
- Roles
- Current IP Address
- Local IP Address
- MAC Address
- Machine Name
- Host Type
- Policy Group
- Device Attributes
Key-Value Format (Splunk compatible)
LEEF Format (Qradar compatible, tab delimited)
CEF Format (ArcSight compatible, space delimited)
Field Definitions and Descriptions
Key-Value | LEEF | CEF | Description |
---|---|---|---|
clientId | clientId | clientId | The id of the client record in the NAC database. |
currentIp | src | src | The IP address of this client. This is the IP address of the device as seen from the network. |
localIp | localIp | localIp | The IP address of this client as reported by the NAC policy key, if it is installed. This may differ from ‘currentIp’ if the client is behind a NAT device. |
macAddress | srcMAC | smac | The MAC address of the client. |
machineName | machineName | machineName | The machine name of the client. |
hostRefType | hostRefType | hostRefType | One of a list of strings describing the type of device. Values can be one of: |
policyGroup | policyGroup | policyGroup | The name of the policy group this client belongs to, as configured in the NAC policy manager. |
deviceAttributes | | | An array of strings that represent any device attributes associated with the client. A device attribute is represented in the string as “SOURCE:NAME:VALUE”. (EX: a client with a device attribute from ‘ActiveDirectory’ with name ‘Domain’ and value ‘OPSWAT’ would be represented as “ActiveDirectory:Domain:opswat”.) |
username | usrName | suser | The username this client is authenticated with. This is identical to the first entry in the ‘principal’ field. |
roles | role | roles | Each entry is a string role name, identical to the roles reported following the username in the ‘principal’ field. |
complianceState | complianceState | complianceState | Will be either ‘compliant’ or ‘not compliant’. |
failedPolicy | failedPolicy | failedPolicy | Contains the name of a policy that is causing the device to be ‘not compliant’. |
eventType | evenType | eventType | The type of event that caused the packet to be sent: |
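As an added example (not code from this page or from the NAC product), the following Python parser reads a line in any of the three syslog formats above (Key-Value, LEEF, CEF), maps the per-format key names from the Field Definitions table onto one canonical field set, splits each `deviceAttributes` entry into its SOURCE, NAME and VALUE parts, and lists the clients reported as ‘not compliant’ together with the policy they failed. The sample lines are constructed. The LEEF/CEF header values (vendor, product, event id), the comma separator assumed for the `roles` and `deviceAttributes` arrays, the LEEF/CEF key names for `deviceAttributes`, and the `hostRefType` and `eventType` values are assumptions, since the page does not state them; the LEEF `eventType` key is accepted under both the table's spelling ‘evenType’ and the conventional one.

```python
import re
from typing import Dict, List, Tuple

# Canonical field -> (Key-Value key, LEEF key, CEF key), from the Field Definitions table.
_SAME = ["clientId", "localIp", "machineName", "hostRefType", "policyGroup",
         "complianceState", "failedPolicy", "deviceAttributes"]  # deviceAttributes keys assumed
FIELD_MAP: Dict[str, Tuple[str, str, str]] = {name: (name, name, name) for name in _SAME}
FIELD_MAP.update({
    "currentIp": ("currentIp", "src", "src"),
    "macAddress": ("macAddress", "srcMAC", "smac"),
    "username": ("username", "usrName", "suser"),
    "roles": ("roles", "role", "roles"),
    "eventType": ("eventType", "evenType", "eventType"),  # table spells the LEEF key "evenType"
})
FORMAT_INDEX = {"kv": 0, "leef": 1, "cef": 2}
# Per-format reverse map: raw key -> canonical field
REVERSE: Dict[str, Dict[str, str]] = {
    fmt: {keys[i]: canon for canon, keys in FIELD_MAP.items()} for fmt, i in FORMAT_INDEX.items()
}
REVERSE["leef"]["eventType"] = "eventType"  # accept the conventional spelling as well
LIST_FIELDS = ("roles", "deviceAttributes")  # assumption: arrays are comma-separated

# key=value pairs separated by whitespace: a value runs until the next " key=" or end of
# line, and may be double-quoted (Key-Value format) to protect embedded spaces.
PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|.*?)(?=\s+\w+=|$)')


def _unescape(value: str) -> str:
    # CEF/LEEF escape '=', '|' and '\' inside values with a backslash
    return value.replace("\\=", "=").replace("\\|", "|").replace("\\\\", "\\")


def _parse_pairs(ext: str, delimiter: str) -> Dict[str, str]:
    pairs: Dict[str, str] = {}
    if delimiter == "\t":  # LEEF: tab-delimited, so values may contain spaces freely
        for field in ext.split("\t"):
            key, _, value = field.partition("=")
            if key:
                pairs[key.strip()] = value
    else:  # Key-Value and CEF: space-delimited
        for m in PAIR_RE.finditer(ext):
            value = m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            pairs[m.group(1)] = value
    return pairs


def split_device_attribute(attr: str) -> Tuple[str, str, str]:
    """Split 'SOURCE:NAME:VALUE' on the first two colons only, so a VALUE with colons survives."""
    parts = attr.split(":", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed device attribute: {attr!r}")
    return parts[0], parts[1], parts[2]


def parse_line(line: str) -> Dict[str, object]:
    """Parse one Key-Value, LEEF 1.0 or CEF line into canonical field names."""
    line = line.strip()
    if line.startswith("LEEF:"):
        # LEEF:Version|Vendor|Product|Version|EventID|attributes
        header = re.split(r"(?<!\\)\|", line, maxsplit=5)
        if len(header) != 6:
            raise ValueError("malformed LEEF header")
        fmt, raw = "leef", _parse_pairs(header[5], "\t")
    elif line.startswith("CEF:"):
        # CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|extension
        header = re.split(r"(?<!\\)\|", line, maxsplit=7)
        if len(header) != 8:
            raise ValueError("malformed CEF header")
        fmt, raw = "cef", _parse_pairs(header[7], " ")
    else:
        fmt, raw = "kv", _parse_pairs(line, " ")
    record: Dict[str, object] = {"format": fmt}
    for key, value in raw.items():
        canon = REVERSE[fmt].get(key)
        if canon is None:
            continue  # keys not in the table are dropped rather than trusted
        value = _unescape(value)
        record[canon] = [v for v in value.split(",") if v] if canon in LIST_FIELDS else value
    attrs = record.get("deviceAttributes", [])
    record["deviceAttributesParsed"] = [split_device_attribute(a) for a in attrs]
    return record


def noncompliant(records: List[Dict[str, object]]) -> List[Tuple[object, object, object]]:
    """(username, currentIp, failedPolicy) for every client reported 'not compliant'."""
    return [(r.get("username"), r.get("currentIp"), r.get("failedPolicy"))
            for r in records if r.get("complianceState") == "not compliant"]


# Constructed sample lines, one per format (all values illustrative)
SAMPLE_KV = ('clientId=1234 username=jdoe roles=Employees,Finance currentIp=10.1.2.3 '
             'localIp=192.168.0.5 macAddress=00:11:22:33:44:55 machineName=FIN-LT-01 '
             'hostRefType=Windows policyGroup=Corporate complianceState="not compliant" '
             'failedPolicy="Antivirus Running" '
             'deviceAttributes=ActiveDirectory:Domain:opswat,ActiveDirectory:OU:Finance eventType=update')
SAMPLE_CEF = ('CEF:0|OPSWAT|NAC|1.0|100|Client Update|3|clientId=1234 suser=jdoe '
              'roles=Employees,Finance src=10.1.2.3 smac=00:11:22:33:44:55 machineName=FIN-LT-01 '
              'complianceState=compliant deviceAttributes=ActiveDirectory:Domain:opswat eventType=update')
SAMPLE_LEEF = ('LEEF:1.0|OPSWAT|NAC|1.0|ClientUpdate|clientId=5678\tusrName=asmith\trole=Contractors\t'
               'src=10.1.2.9\tsrcMAC=66:77:88:99:aa:bb\tmachineName=CTR-LT-02\t'
               'complianceState=not compliant\tfailedPolicy=Disk Encryption\tevenType=update')


def parse_samples() -> List[Dict[str, object]]:
    return [parse_line(s) for s in (SAMPLE_KV, SAMPLE_CEF, SAMPLE_LEEF)]
```

Keys that are not in the table are deliberately dropped instead of being copied through, so a downstream consumer only ever sees the documented field set; `noncompliant()` is the kind of filter a SIEM rule would run over these events.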
IF-MAP Publisher
- Username
- IP Address
- MAC Address