Title
Create new category
Edit page index title
Edit category
Edit link
Contextual Intelligence Publisher Outputs
Each publisher type available in the Contextual Intelligence module is capable of publishing a subset of the data provided by NAC, as dictated by the available APIs for the vendor in question.
Master List
The list of data points provided by NAC:
Client ID
Principal
This is the full principal, complete with username and roles
Some publishers may provide only the username from this, others username and role
IP Address
MAC Address
Machine Name
Host Type
Policy Group
Domain
Compliance State
iboss Publisher
Username
IP Address
MAC Address
Group Memberships (LDAP roles AND NAC roles)
Machine Name
Domain
Sample Data:
Juniper SRX (Requires 6.3+)
Username
IP Address
Group Memberships (LDAP roles AND NAC roles)
Device Type
Machine Name
Compliance State
Sample Data:
Palo Alto Publisher
Username
IP Address
Domain
Device Type
Machine Name
Sample Data:
Exinda Publisher
Username
IP Address
Domain
Group Memberships (LDAP roles AND NAC roles)
Sample Data:
Procera Publisher
Device Current IP Address
Device Local IP Address (If a policy key is installed)
Username
Group Memberships (LDAP roles AND NAC roles)
Device Mac Address
Machine Name (if available)
Device Type
Policy Group
Domain
Sample Data:
JSON Publisher
Client ID
Principal
IP Address
MAC Address
Machine Name
Host Type
Policy Group
Domain
Sample Data:
RADIUS Accounting
Note that this does not require any flavor or pre-existing RADIUS or RBE. This is simply CIP repacking Contextual Intelligence data as RADIUS accounting.
Device IP Address
Device Mac Address
Username
Login Time (RADIUS Start)
Logout Time (RADIUS Stop)
NOTE: We do not currently send Interim-Updates. Because of this, ensure that the receiving end has session/idle timeouts set to the maximum value.
Vendors that we know support RADIUS accounting as an input:
Fortinet (Requires the FortiAuthenticator Module)
SonicWALL
Lightspeed
WatchGuard Firebox Firewall - http://www.watchguard.com/help/docs/fireware/11/en-US/Content/en-US/authentication/rsso_enable.html
Syslog Publisher
Fields (All syslog formats publish the following fields):
Client ID
Username
Roles
Current IP Address
Local IP Address
MAC Address
Machine Name
Host Type
Policy Group
Device Attributes
Key-Value Format (Splunk compatible)
LEEF Format (Qradar compatible, tab delimited)
CEF Format (ArcSight compatible, space delimited)
Field Definitions and Descriptions
Key-Value | LEEF | CEF | Description |
|---|---|---|---|
clientId | clientId | clientId | The id of the client record in the NAC database. |
currentIp | src | src | The IP address of this client. This is the IP address of the device as seen from the network. |
localIp | localIp | localIp | The IP address of this client as reported by the NAC policy key, if it is installed. This may differ from the ‘currentIp’ if the client is behind a NAT device. |
macAddress | srcMAC | smac | The MAC address of the client |
machineName | machineName | machineName | The machine name of the client |
hostRefType | hostRefType | hostRefType | One of a list of strings describing the type of device. Values can be one of:
|
policyGroup | policyGroup | policyGroup | The name of the policy group this client belongs to, as configured in the NAC policy manager |
deviceAttributes | An array of strings that represent any device attributes associated with the client. A device attribute is represented in the string as “SOURCE:NAME:VALUE”. (EX: a client with a device attribute from ‘ActiveDirectory’ with name ‘Domain’ and value ‘OPSWAT’ would be represented as “ActiveDirectory:Domain:opswat”. | ||
username | usrName | suser | The username this client is authenticated with. This is identical to the first entry in the ‘principal’ field. |
roles | role | roles | Each entry is a string role name, identical to the roles reported following the username in the ‘principal’ field |
complianceState | complianceState | complianceState | Will be either ‘compliant’ or ‘not compliant’ |
failedPolicy | failedPolicy | failedPolicy | Contains the name of a policy that is causing the device to be ‘not compliant’ |
eventType | evenType | eventType | The type of event that caused the packet to be sent:
|
IF-MAP Publisher
Username
IP Address
MAC Address