Monitoring

Ignore the colors. Splunk assigns them automatically, so red might mean accept or some other nonsense. Always read the legend before interpreting a panel.

eduroam

eduroam splunk dashboard

Row 1

  • Overall distribution of requests.
  • This is sourced from the authentication servers.
  • Time selected from the “Recent time” picker.

Row 2

  • Outcome ratios broken down by cluster.
  • Sourced from the authentication servers (FreeRADIUS).
  • Time selected from the “Recent time” picker.
  • Timestamps in these logs are taken when the server has a response prepared, not when it is actually sent. In particular, Access-Rejects are held back by FreeRADIUS’s reject_delay (1s, by design), so a reject’s log timestamp is about 1s earlier than the packet on the wire.

Row 3

  • Outcome ratios broken down by cluster.
  • Sourced from the controllers.
  • Time selected from the “Recent time” picker.
  • A reject log is generated by the dot1x-proc process.
  • An accept log is generated by the authmgr process.
    • Generated when an entry is added to the user table.
    • One log per IP address, not per authentication request.
    • Typically 3-4 times as many accepts as row 2 shows for the same period.
  • A device that gets an accept but never obtains an IP address does not appear at all from the controller’s perspective.

Row 4

  • Top talkers
  • Sourced from the authentication servers.
  • Time selected from the “Top time” picker.
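The reconciliation that rows 2 to 4 describe, as an added worked example (Python; this is not the dashboard's own SPL and not code from the eduroam, FreeRADIUS or controller vendors): it parses constructed FreeRADIUS `Auth:` lines and constructed controller lines, computes the row-2 and row-3 outcome ratios per cluster, derives the controller-to-RADIUS accept inflation caused by per-IP logging, adds the 1s reject_delay back onto reject timestamps, and lists row-4 top talkers. The host-to-cluster map, the sample lines and the controller message wording are assumptions; only the FreeRADIUS `Auth:` line layout and the 1s reject_delay default are real FreeRADIUS behaviour.

```python
"""Outcome ratios, controller-vs-RADIUS accept inflation and top talkers
from constructed log lines (added example, not the dashboard's own SPL).
Assumptions: the host-to-cluster map, the sample lines and the controller
message wording. The FreeRADIUS "Auth:" line layout and the 1 s
reject_delay default are real FreeRADIUS behaviour."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumption: Splunk's `host` field maps onto a cluster like this.
CLUSTER_OF_HOST = {"rad-a1": "A", "rad-a2": "A", "rad-b1": "B",
                   "ctl-a1": "A", "ctl-b1": "B"}

# FreeRADIUS holds Access-Reject for reject_delay (default 1 s) but stamps the
# log when the reply is prepared; add it back to estimate the wire time.
REJECT_DELAY = timedelta(seconds=1)

# Constructed radius.log "Auth:" lines as (host, line).
RADIUS_LOG = [
    ("rad-a1", "Mon Jun 10 09:00:01 2024 : Auth: (101) Login OK: [alice@example.edu] (from client ctl-a1 port 0 cli 00-11-22-33-44-55)"),
    ("rad-a2", "Mon Jun 10 09:00:02 2024 : Auth: (103) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [bob@example.edu/<via Auth-Type = eap>] (from client ctl-a1 port 0 cli 66-77-88-99-aa-bb)"),
    ("rad-b1", "Mon Jun 10 09:00:03 2024 : Auth: (104) Login OK: [carol@example.edu] (from client ctl-b1 port 0 cli 0a-0b-0c-0d-0e-0f)"),
    ("rad-b1", "Mon Jun 10 09:00:04 2024 : Auth: (105) Login incorrect (eap_peap: The users session was not authorized): [dave@example.edu] (from client ctl-b1 port 0 cli 10-20-30-40-50-60)"),
    ("rad-a1", "Mon Jun 10 09:00:05 2024 : Auth: (102) Login OK: [alice@example.edu] (from client ctl-a1 port 0 cli 00-11-22-33-44-55)"),
    ("rad-b1", "Mon Jun 10 09:00:06 2024 : Auth: (106) Login OK: [carol@example.edu] (from client ctl-b1 port 0 cli 0a-0b-0c-0d-0e-0f)"),
]

# Constructed controller lines as (host, line). As the page describes, authmgr
# writes one accept per user-table entry (one per IP address) and dot1x-proc
# writes the rejects; the message text itself is invented for the example.
def _accept(host, user, ip):
    return (host, f"Jun 10 09:00:05 2024 {host} authmgr[3621]: <INFO> User Authentication Successful: username={user} IP={ip} method=802.1x")

def _reject(host, user):
    return (host, f"Jun 10 09:00:02 2024 {host} dot1x-proc:1[3711]: <WARN> 802.1x authentication failed: username={user} method=802.1x")

CONTROLLER_LOG = [
    _accept("ctl-a1", "alice@example.edu", "10.20.30.40"),
    _accept("ctl-a1", "alice@example.edu", "10.20.30.41"),  # second address, second entry
    _accept("ctl-a1", "alice@example.edu", "fd00:1::40"),
    _reject("ctl-a1", "bob@example.edu"),
    _accept("ctl-b1", "carol@example.edu", "10.30.0.5"),
    _accept("ctl-b1", "carol@example.edu", "fd00:2::5"),
    _accept("ctl-b1", "carol@example.edu", "10.30.0.6"),
    _accept("ctl-b1", "carol@example.edu", "fd00:2::6"),
    _reject("ctl-b1", "dave@example.edu"),
]

RADIUS_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: \(\d+\) Login (?P<outcome>OK|incorrect).*?: \[(?P<user>[^\]/]+)")
CONTROLLER_RE = re.compile(
    r"(?P<proc>authmgr|dot1x-proc)\S*: .*?username=(?P<user>\S+)(?:.*?\bIP=(?P<ip>\S+))?")

def parse_radius(host, line):
    """One RADIUS outcome per authentication request, with estimated wire time."""
    m = RADIUS_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    outcome = "accept" if m["outcome"] == "OK" else "reject"
    delay = REJECT_DELAY if outcome == "reject" else timedelta(0)
    return {"cluster": CLUSTER_OF_HOST[host], "user": m["user"],
            "outcome": outcome, "ts": ts, "send_ts": ts + delay}

def parse_controller(host, line):
    """Accept if authmgr wrote it, reject if dot1x-proc did (per the page)."""
    m = CONTROLLER_RE.search(line)
    if not m:
        return None
    outcome = "accept" if m["proc"] == "authmgr" else "reject"
    return {"cluster": CLUSTER_OF_HOST[host], "user": m["user"],
            "outcome": outcome, "ip": m["ip"]}

def load(log, parser):
    return [ev for ev in (parser(h, l) for h, l in log) if ev]

def outcome_ratios(events):
    """Per cluster: accept/reject counts and the accept share of all outcomes."""
    counts = {}
    for ev in events:
        c = counts.setdefault(ev["cluster"], {"accept": 0, "reject": 0})
        c[ev["outcome"]] += 1
    for c in counts.values():
        total = c["accept"] + c["reject"]
        c["accept_ratio"] = c["accept"] / total if total else 0.0
    return counts

def accept_inflation(controller_events, radius_events):
    """Controller accepts per RADIUS accept, per cluster (the page expects 3-4x)."""
    ctl, rad = outcome_ratios(controller_events), outcome_ratios(radius_events)
    return {c: ctl.get(c, {"accept": 0})["accept"] / rad[c]["accept"]
            for c in rad if rad[c]["accept"]}

def top_talkers(events, n=3):
    return Counter(ev["user"] for ev in events).most_common(n)

if __name__ == "__main__":
    rad = load(RADIUS_LOG, parse_radius)
    ctl = load(CONTROLLER_LOG, parse_controller)
    print("row 2 (RADIUS):    ", outcome_ratios(rad))
    print("row 3 (controller):", outcome_ratios(ctl))
    print("controller/RADIUS accepts per cluster:", accept_inflation(ctl, rad))
    print("row 4 top talkers: ", top_talkers(rad, 2))
```

With the constructed data the controller shows 1.5x and 2x the RADIUS accepts for clusters A and B purely because each user picked up several addresses; the identical user and outcome counts on the RADIUS side show why row 2, not row 3, is the one to read for per-request success rates.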

ClearPass (CPPM)

ClearPass splunk dashboard

  • Because of MAC auth, it is normal for rejects to far outnumber accepts.
  • Very few Access-Rejects are actually sent. Instead, a device is effectively “rejected” by not being assigned a role.
  • Web auth happens after the user has obtained an IP address.

Left column

  • Outcome ratios broken down by cluster.
  • Sourced from the controllers.

Right column

  • Outcome ratios broken down by cluster.
  • Sourced from the authentication servers (CPPM).
  • For more details on recent events, check the access tracker in CPPM.