Monitoring
Ignore the colors. Splunk picks the colors, so red might mean accept or some other nonsense. Make sure you look at the legend.
eduroam
Row 1
- Overall distribution of requests.
- This is sourced from the authentication servers.
- Time selected from the "Recent time" picker.
Row 2
- Outcome ratios broken down by cluster.
- Sourced from the authentication servers (FreeRADIUS).
- Time selected from the "Recent time" picker.
- Timestamps of these logs are based on when the server has a response prepared to send, not when it is actually sent. Notably, rejects get a 1s delay (by design).
Row 3
- Outcome ratios broken down by cluster.
- Sourced from the controllers.
- Time selected from the "Recent time" picker.
- A reject log is generated from the dot1x-proc process.
- An accept log is generated from the authmgr process.
  - Log generated when an entry is added to the user table.
  - Log per IP address, not per authentication request.
- Typically 3-4 times as many accepts compared to row 2.
- A device that gets an accept but is unable to get an IP address is not logged from the controller's perspective.
Row 4
- Top talkers
- Sourced from the authentication servers.
- Time selected from the "Top time" picker.
ClearPass (CPPM)
- Due to MAC auth, it is normal for there to be far more rejects than accepts.
- Extraordinarily few rejects are actually sent. Instead, devices are "rejected" by not being assigned a role.
- Web auth happens after the user gets an IP address.
Left column
- Outcome ratios broken down by cluster.
- Sourced from the controllers.
Right column
- Outcome ratios broken down by cluster.
- Sourced from the authentication servers (CPPM).
- For more details on recent events, check the access tracker in CPPM.