topic Re: Logging MAC address of endpoints connecting over VPN in Network Access Control

Logging MAC address of endpoints connecting over VPN

Istvan Segyik — Fri, 16 Jun 2017 14:47:37 GMT

Dear Colleagues,

The customer would like to log the MAC addresses of the endpoints connecting over VPN into their SIEM.

As far as I know we can't do that. Seemingly we can't even send the MAC to ISE from ASA over the MDM-tlv attributes.

Is there any trick, e.g. getting the MAC address from Windows registry with the posture scan agent and log that out somehow, or custom DAP LUA script running on ASA?

Best regards,

Istvan

Re: Logging MAC address of endpoints connecting over VPN

Timothy Abbott — Fri, 16 Jun 2017 17:45:04 GMT

Istvan,

Not that I'm aware of and I don't think extracting the MAC using posture is going to work because of the possibility the endpoint has more than one NIC. I don't think what you are asking for is currently possible.

Regards,

-Tim

Re: Logging MAC address of endpoints connecting over VPN

vibobrov — Fri, 16 Jun 2017 22:35:12 GMT

What version of ASA, Anyconnect and ISE are you using? Anyconnect on Windows and MAC send the client MAC address to ASA. Latest version of ASA (9.3+ I think) will send that information to ASA via ACIDEX. New versions of ISE (1.4+ I think, but may be later) will log that MAC address.

MAC address is not made available to Anyconnect client on iOS by Apple. To keep mobile clients consistent, Android version of Anyconnect also does not send the MAC address to the ASA. So for those mobile devices, you won't get the MAC address from Anyconnect.

Re: Logging MAC address of endpoints connecting over VPN

Istvan Segyik — Mon, 19 Jun 2017 14:30:42 GMT

Hi Tim,

Thank you. Please follow my post that I am adding below. I re-tested in a dcloud LAB for some reasons the MAC is now there and seemingly it has been parsed from the ASA mdm-tlv attribute.

Re: Logging MAC address of endpoints connecting over VPN

Istvan Segyik — Mon, 19 Jun 2017 14:39:49 GMT

Hi Tim, Viktor,

I have opened the dCloud Rapid Threat Containment lab where I knew that we use ASAv and AnyConnect with ISE (actually 2.0).

I used the same lab but a different pod before. That time no MAC address was presented in Livelog in ISE and the 'mdm-tlv=device-mac=...' string was not in the Cisco A/V pair in the authentication event details.

This last time the MAC address was presented without any change.

The questions are:

- How can this behavior controlled?

- Once it is there, can we send it to an upstream SIEM over syslog?

Re: Logging MAC address of endpoints connecting over VPN

Timothy Abbott — Mon, 19 Jun 2017 14:53:29 GMT

The test I did in my lab didn't send the MAC address either but I was using a different version of anyconnect. I was using the latest version of AnyConnect for IOS so I'm wondering if it is version / platform specific. I'll ask one of my AC colleagues to chime in. If the MAC address shows up in the live log / session directory, ISE can forward that information over syslog.

Regards,

-Tim

Re: Logging MAC address of endpoints connecting over VPN

Istvan Segyik — Mon, 19 Jun 2017 15:44:32 GMT

Thank you in advance!

Re: Logging MAC address of endpoints connecting over VPN

vibobrov — Tue, 20 Jun 2017 01:08:17 GMT

Hi Istvan,

I mentioned about this in my previous post. Apple blocks any Apps from accessing the MAC address, so you will never get a MAC address from Anyconnect on iOS. You will find the same for Android. Although, on Android, Anyconnect can get the MAC, the BU disabled it to keep all mobile clients consistent.

Re: Logging MAC address of endpoints connecting over VPN

Istvan Segyik — Tue, 20 Jun 2017 06:56:41 GMT

Hi Viktor,

At the moment the focus is Windows. And it seems - Tim's anyconnect friend hasn't confirmed yet - sending MAC address is not consistent across AnyConnect for Windows versions.

Hopefully Time can come up with a response from his fellow engineer.

Re: Logging MAC address of endpoints connecting over VPN

vibobrov — Tue, 20 Jun 2017 12:53:48 GMT

Do you have Hostscan enabled on the PC that's not reporting the MAC address? That may be required for Anyconnect to grab the MAC address.

Re: Logging MAC address of endpoints connecting over VPN

Istvan Segyik — Tue, 20 Jun 2017 13:09:26 GMT

Hi Viktor,

This document says that HostScan is not required: http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118944-technote-anyconnect-00.html

Re: Logging MAC address of endpoints connecting over VPN

vibobrov — Tue, 20 Jun 2017 14:12:59 GMT

On the firewall, enable debug dap trace and see what attributes you're seeing there.

Re: Logging MAC address of endpoints connecting over VPN

Craig Hyps — Tue, 20 Jun 2017 14:25:14 GMT

Hostscan should not be required. Viktor is correct and not all OSes will expose the MAC address to an application.

I would debug the RADIUS at the ASA or could get packet capture after ASA to see the RADIUS attributes (or TCP dump at PSN). You will see the mdm-tlvs that are being sent. Most Windows clients expose the MAC address.

Support to send MDM TLV attributes over RADIUS via ACIDEX requires ASA 9.3.2+ and AC 4.1+.

Craig

Re: Logging MAC address of endpoints connecting over VPN

Istvan Segyik — Tue, 20 Jun 2017 14:45:40 GMT

Hi Craig,

Thank you for Jumping in.

So can we say that with ASA 9.3.2 and AC 4.1 or later this is expected to work, if not there is something to troubleshoot?

Re: Logging MAC address of endpoints connecting over VPN

vibobrov — Tue, 20 Jun 2017 15:06:08 GMT

Please run debug dap trace on the ASA to see what attributes anyconnect is reporting to the ASA. And as chyps mentioned, debug radius

Re: Logging MAC address of endpoints connecting over VPN

pcarco — Tue, 20 Jun 2017 18:50:10 GMT

Sorry I am late to this thread and Tim did reach out. FWIW I agree the debugs are necessary

Support info as Craig has already stated.

Release Notes for the Cisco ASA Series, 9.3(x) - Cisco

AnyConnect VPN Enhancements

The AnyConnect Identity Extension (ACIDex) attributes have been expanded to include desktop operating systems and MAC addresses. These attributes, previously available for mobile devices, provide identification of the client's platform to the ASA when initiating a VPN connection. The ASA can then use this information for:
- Configuring DAP polices. For more information see Dynamic Access Policies chapter in the appropriate release of the Cisco ASA 5500-X Series Next-Generation Firewalls, Configuration Guides.
- AAA activities. Specifically when the ASA is part of an ISE controlled network, these attributes identify the endpoint to the ISE.
- Release Notes for Cisco AnyConnect Secure Mobility Client, Release 4.0 - Cisco

Re: Logging MAC address of endpoints connecting over VPN

Istvan Segyik — Tue, 20 Jun 2017 19:47:05 GMT

I will Viktor. Tomorrow. The LAB pods I planned to use this afternoon were all busy.

Re: Logging MAC address of endpoints connecting over VPN

Istvan Segyik — Wed, 21 Jun 2017 20:30:09 GMT

I have run the debugs and the MAC address is being sent again. So we are good. The reason why it didn't work on one of the dCloud instances is still a mystery. Might be a bug in the ASAv version on that pod.

The last and final question if anybody may know the response: which MAC address is selected on a Windows desktop? Active NIC's MAC, lowest or highest value?

Re: Logging MAC address of endpoints connecting over VPN

Craig Hyps — Wed, 21 Jun 2017 21:07:40 GMT

It collects all known addresses. I believe they are simply presented in alphabetical order. It is NOT based on specific logic such as active connection (say the one used for VPN).

Craig