06-16-2017 07:47 AM
Dear Colleagues,
The customer would like to log the MAC addresses of the endpoints connecting over VPN into their SIEM.
As far as I know we can't do that. Seemingly we can't even send the MAC to ISE from ASA over the MDM-tlv attributes.
Is there any trick, e.g. getting the MAC address from the Windows registry with the posture scan agent and logging that out somehow, or a custom DAP Lua script running on the ASA?
Best regards,
Istvan
06-20-2017 11:50 AM
Sorry I am late to this thread and Tim did reach out. FWIW, I agree the debugs are necessary.
Supporting info, as Craig has already stated:
Release Notes for the Cisco ASA Series, 9.3(x) - Cisco
06-20-2017 12:47 PM
I will Viktor. Tomorrow. The LAB pods I planned to use this afternoon were all busy.
06-21-2017 01:30 PM
I have run the debugs and the MAC address is being sent again. So we are good. The reason why it didn't work on one of the dCloud instances is still a mystery. Might be a bug in the ASAv version on that pod.
The last and final question, if anybody knows the answer: which MAC address is selected on a Windows desktop? The active NIC's MAC, or the lowest or highest value?
06-21-2017 02:07 PM
It collects all known addresses. I believe they are simply presented in alphabetical order. It is NOT based on specific logic such as active connection (say the one used for VPN).
Craig