ISE Splunk logs base64 encoded username and password

joseponceiii
Level 1

Hello,

Sorry, I may have incorrectly posted this to another discussion topic, but I am reposting it to this NAC page.

Has anyone seen the sample logs below sent over to the syslog server? I have already opened a TAC case, but I am posting just in case anyone has experienced any of this or might have any idea. Basically, our two-node ISE deployment is sending these logs to the Splunk syslog server, and security has noticed that there were some users in the logs that have been sent with username and password in base64 encoded format, meaning this can be easily decoded - I have easily taken one of the passwords.

So, we have remote VPN connections on ASAs being authenticated against ISE with AD integration and with posture checks. Below are the sample logs that came from the Splunk server; TAC initially couldn't find these but took the support bundle to analyze further. Have you seen these before? "Authorization=Basic" - means base64 encoded? I omitted some info here. What's weird is that there are only about 5 users that have these kinds of logs, and they are legit users. All other users connecting to VPN have none of these.


SystemDomain=<domain.com>,DestinationIPAddress=x.x.x.x\,rsSchedLog=Pwd=&Email=UserNameHere%40domain%2Ecom\,PortalUser.EmailAddress=UserNameHere@domain.com,PostureStatus=Compliant\,MacAddress=XX-XX-XX-XX\,User-Fetch-Last-Name=LastNameHere\,EmailAddress=UserNameHere@domain.com\,User-Fetch-Telephone=+xxxxx xxx,IdentitySelectionMatchedRule=Cisco AnyConnect VPN Clients, AD-User-Resolved-DNs=CN=UserNameHere\\\,OU=Employees\\OU=Accounts\\DC=ads\\DC=domain\\DC=com\,Authorization=Basic<Omitted, base64 encoded password is located here - basically just random numbers/characters>\,SystemUserDomain=DOMAIN\,User-Fetch-Email=UserNameHere@domain.com\,PRAInterval=0\,SSID=xx.xx.xx.xx


Many Thanks,

4 Replies

Hi,

This sounds very interesting. I would appreciate it if you share the findings. Meanwhile, can you share the syslog from another user who doesn't have this problem?

Also, I suggest checking the difference between this user and other users in the AD configuration.

Hi,

TAC have already found those logs in ISE before they are sent to the syslog server; they were found in the iseLocalStore.log files. He is currently looking for a possible solution to this issue.

I've got some sample logs that were given to me, and they look something like this in the AD_User_Resolved_DNs:

CN=Employee1\\OU=Employees\\OU=Accounts\\Authorization=NTLM

CN=Employee12\\OU=Employees\\OU=Accounts\\Authorization=NTLM

I have no access to Active Directory, unfortunately; however, the above might be worth looking into for something related to NTLM and Basic Authorization, right? Those look like the difference between the two.

Many Thanks,

hslai
Cisco Employee

As the entry includes User-Fetch-* attributes, it appears to be the profiling endpoint attribute list for an endpoint.

@hslai Yeah, it looks like an endpoint profiling event occurred. However, why is it sending a base64 encoded password only for these users? Any idea? That's the main problem.
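An added example, not from the thread or from Cisco, of what a log pipeline can do with lines like the one in the original post and the NTLM entries in the follow-up: it splits the ISE attribute list into key/value pairs, flags every Authorization value, confirms whether a Basic token really decodes to a user:password pair (recording only the user, so affected accounts can be rotated), and redacts the token before the line reaches Splunk. The sample lines, names and the Basic token are constructed placeholders.

```python
import base64
import binascii
import re

# Authorization schemes seen as attribute values in the ISE endpoint attribute
# list in this thread; only Basic carries a reversible (base64) credential.
AUTH_RE = re.compile(
    r"Authorization=(Basic|NTLM|Negotiate|Digest|Bearer)\s*([A-Za-z0-9+/]+=*)?")

# Constructed sample lines modelled on the thread; names and the Basic token
# (base64 of "jdoe:Sup3rSecret") are placeholders, not data from the post.
SAMPLE_LINES = [
    r"PostureStatus=Compliant\,MacAddress=XX-XX-XX-XX\,User-Fetch-Last-Name=LastNameHere\,"
    r"AD-User-Resolved-DNs=CN=UserNameHere\\\,OU=Employees\\OU=Accounts\,"
    r"Authorization=Basic amRvZTpTdXAzclNlY3JldA==\,SystemUserDomain=DOMAIN\,PRAInterval=0",
    r"AD-User-Resolved-DNs=CN=Employee1\\OU=Employees\\OU=Accounts\\Authorization=NTLM",
]

def split_ise_attributes(line):
    """Split an ISE attribute list into (key, value) pairs. ISE separates attributes
    with a comma and escapes commas inside a value with a backslash; the sample mixes
    both, so both count as separators unless the backslash is itself escaped (AD DN)."""
    pairs = []
    for part in re.split(r"(?<!\\)(?:\\)?,", line):
        key, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((key, value))
    return pairs

def audit_line(line):
    """Return (redacted_line, findings). A finding gives the scheme and, for Basic,
    whether the token decodes to RFC 7617 'user:password' plus the user part; the
    password is discarded and the token replaced so the event can go to Splunk."""
    findings = []
    def _check(m):
        scheme, token = m.group(1), m.group(2)
        finding = {"scheme": scheme, "credential": False, "user": None}
        findings.append(finding)
        if scheme != "Basic" or not token:
            return m.group(0)
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
        except binascii.Error:
            return m.group(0)  # not valid base64; leave the value untouched
        if ":" in decoded:
            finding["credential"] = True
            finding["user"] = decoded.split(":", 1)[0]
        return "Authorization=Basic <REDACTED>"
    return AUTH_RE.sub(_check, line), findings
```

Running `audit_line` over each line before forwarding gives Splunk the event minus the secret, while the findings list tells you which accounts still need a password reset.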