Solved: Re: Logging MAC address of endpoints connecting over VPN - Page 2

Istvan Segyik · ‎06-16-2017

Dear Colleagues,

The customer would like to log the MAC addresses of the endpoints connecting over VPN into their SIEM.

As far as I know we can't do that. Seemingly we can't even send the MAC to ISE from ASA over the MDM-tlv attributes.

Is there any trick, e.g. getting the MAC address from Windows registry with the posture scan agent and log that out somehow, or custom DAP LUA script running on ASA?

Best regards,

Istvan

pcarco · ‎06-20-2017

Sorry I am late to this thread and Tim did reach out. FWIW I agree the debugs are necessary

Support info as Craig has already stated.

Release Notes for the Cisco ASA Series, 9.3(x) - Cisco

AnyConnect VPN Enhancements

The AnyConnect Identity Extension (ACIDex) attributes have been expanded to include desktop operating systems and MAC addresses. These attributes, previously available for mobile devices, provide identification of the client's platform to the ASA when initiating a VPN connection. The ASA can then use this information for:
- Configuring DAP polices. For more information see Dynamic Access Policies chapter in the appropriate release of the Cisco ASA 5500-X Series Next-Generation Firewalls, Configuration Guides.
- AAA activities. Specifically when the ASA is part of an ISE controlled network, these attributes identify the endpoint to the ISE.
- Release Notes for Cisco AnyConnect Secure Mobility Client, Release 4.0 - Cisco

Istvan Segyik · ‎06-20-2017

I will Viktor. Tomorrow. The LAB pods I planned to use this afternoon were all busy.

Istvan Segyik · ‎06-21-2017

I have run the debugs and the MAC address is being sent again. So we are good. The reason why it didn't work on one of the dCloud instances is still a mystery. Might be a bug in the ASAv version on that pod.

The last and final question if anybody may know the response: which MAC address is selected on a Windows desktop? Active NIC's MAC, lowest or highest value?

Craig Hyps · ‎06-21-2017

It collects all known addresses. I believe they are simply presented in alphabetical order. It is NOT based on specific logic such as active connection (say the one used for VPN).

Craig