02-04-2021 03:46 AM
Hello,
Sorry, I may have incorrectly posted this to another discussion topic, but I'm reposting to this NAC page.
Has anyone seen the sample logs below sent over the syslog server? I have already opened a TAC case, but just in case anyone has experienced any of this or might have any idea. Basically, our two-node ISE deployment is sending these logs to the Splunk syslog server, and security has noticed that there were some users in the logs that have been sent with usernames and passwords in base64 encoded format, meaning this can be easily decoded - I have easily taken one of the passwords.
So, we have remote VPN connections on ASAs being authenticated against ISE with AD integration and with posture checks. Below are the sample logs that came from the Splunk server, and TAC initially couldn't find these but took the support bundle to further analyze. Have you seen this "Authorization=Basic" before? It means base64 encoded. I omitted some info here. What's weird here is that there are only about 5 users that have these kinds of logs, and they are legit users. All other users connecting to VPN have none of these.
SystemDomain=<domain.com>,DestinationIPAddress=x.x.x.x\,rsSchedLog=Pwd=&Email=UserNameHere%40domain%2Ecom\,PortalUser.EmailAddress=UserNameHere@domain.com,PostureStatus=Compliant\,MacAddress=XX-XX-XX-XX\,User-Fetch-Last-Name=LastNameHere\,EmailAddress=UserNameHere@domain.com\,User-Fetch-Telephone=+xxxxx xxx,IdentitySelectionMatchedRule=Cisco AnyConnect VPN Clients, AD-User-Resolved-DNs=CN=UserNameHere\\\,OU=Employees\\OU=Accounts\\DC=ads\\DC=domain\\DC=com\,Authorization=Basic<Omitted, base64 encoded password is located here - basically just random numbers/characters>\,SystemUserDomain=DOMAIN\,User-Fetch-Email=UserNameHere@domain.com\,PRAInterval=0\,SSID=xx.xx.xx.xx
Many Thanks,
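A scrubber for records like the one above, added here as an example and not code from the thread, from Cisco ISE or from Splunk: it flags any record whose Authorization=Basic token decodes to user:password (or whose rsSchedLog Pwd= field is non-empty) and redacts the value before the record is stored. The sample record and its Basic token (base64 of a made-up jdoe:NotARealPassword) are constructed.

```python
import base64
import binascii
import re


def encode_basic(user: str, password: str) -> str:
    """Build an RFC 7617 Basic token the way a client would: base64(user:password)."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed record in the same attribute style as the thread's log. The empty
# Pwd= mirrors the rsSchedLog field in the original post; the Basic token is a
# made-up credential, not a real one.
SAMPLE_RECORD = (
    "SystemDomain=example.com\\,rsSchedLog=Pwd=&Email=jdoe%40example%2Ecom\\,"
    "PostureStatus=Compliant\\,AD-User-Resolved-DNs=CN=jdoe\\,OU=Employees\\,"
    "Authorization=Basic" + encode_basic("jdoe", "NotARealPassword") +
    "\\,SystemUserDomain=EXAMPLE\\,PRAInterval=0"
)

# "Authorization=Basic<token>" as ISE writes it, or "Authorization=Basic <token>".
BASIC_RE = re.compile(r"(Authorization=Basic)\s*([A-Za-z0-9+/=]+)")
# Non-empty "Pwd=<value>" inside rsSchedLog; the value ends at '&', '\' or ','.
PWD_RE = re.compile(r"(Pwd=)([^&\\,]+)")


def basic_token_has_credentials(token: str) -> bool:
    """True when the token decodes to 'user:password', i.e. it carries a login."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return False
    user, sep, _password = decoded.partition(":")
    return bool(sep) and bool(user)


def find_credential_leaks(record: str) -> list:
    """Names of credential-bearing fields in one record (empty list if clean)."""
    leaks = []
    if any(basic_token_has_credentials(m.group(2)) for m in BASIC_RE.finditer(record)):
        leaks.append("Authorization=Basic")
    if PWD_RE.search(record):
        leaks.append("rsSchedLog=Pwd")
    return leaks


def redact(record: str) -> str:
    """Strip both fields so the record can be indexed without the secret."""
    record = BASIC_RE.sub(r"\1 <REDACTED>", record)
    return PWD_RE.sub(r"\1<REDACTED>", record)


if __name__ == "__main__":
    print(find_credential_leaks(SAMPLE_RECORD))  # ['Authorization=Basic']
    print(redact(SAMPLE_RECORD))
```

Run it over the exported syslog records to count which users are affected; the decode check avoids false positives on Basic tokens that are not actually user:password pairs.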
02-04-2021 04:45 AM
02-04-2021 07:54 PM
Hi,
TAC has already found those logs in ISE before they are sent to the syslog server; they were found somewhere in the iseLocalStore.log files. He is currently looking for a possible solution to this issue.
I've got some sample logs that were given to me, and they look something like this in the AD_User_Resolved_DNs:
CN=Employee1\\OU=Employees\\OU=Accounts\\Authorization=NTLM
CN=Employee12\\OU=Employees\\OU=Accounts\\Authorization=NTLM
I have no access to Active Directory unfortunately; however, the above might be worth looking into for something related to NTLM and Basic Authorization, right? As that looks like the difference between the two.
Many Thanks,
02-06-2021 06:36 PM
As the entry includes User-Fetch-* attributes, it appears to be the profiling endpoint attribute list for an endpoint.
02-07-2021 05:20 AM
@hslai Yeah, looks like an Endpoint profiling event occurred. However, why is it sending a base64 encoded password only for these users? Any idea? That's the main problem.