Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
519
Views
5
Helpful
5
Replies

TLSVersion and TLSCipher in syslog message

Go to solution
adamscottmaster2013
Level 3
Level 3

‎07-10-2023 08:18 AM

I am running ISE 3.0 patch-7 and I use certificate based dot1x for authentication.

When the device is successfully authenticated, I see TLSversion and TLSCipher in the ISE log.  I also configure the ISE to send these messages to external syslog server; however, I capture the traffic on the ISE for syslog message and I can confirm that syslog messages from the ISE to external syslog server do NOT contain either TLSVersion or TLSCipher.  I've opened a TAC case with Cisco to investigate.  

Is this expected?  TIA

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
M. Wisely
Level 4
Level 4
In response to adamscottmaster2013

‎07-11-2023 07:56 AM

If you go into you're remote logging target config, the default is 1024 which is too low to get the full log. If you try increasing this to 8192, you should get all the fields

View solution in original post

5 Replies 5

Go to solution
M. Wisely
Level 4
Level 4

‎07-11-2023 02:41 AM

We're running 3.1p7 and I can see the TLSversion and TLSCipher fields in logs forwarded to our external syslog server.

0 Helpful

Go to solution
adamscottmaster2013
Level 3
Level 3
In response to M. Wisely

‎07-11-2023 07:45 AM

@M. Wisely:  can you share the tcpdump that shows the TLSVersion in syslog?

@Nancy Saini:  TLSVersion does not show up in syslog output, is this expected in ISE 3.0?  Is this a new feature in ISE 3.1 and higher?

0 Helpful

Go to solution
M. Wisely
Level 4
Level 4
In response to adamscottmaster2013

‎07-11-2023 07:56 AM

If you go into you're remote logging target config, the default is 1024 which is too low to get the full log. If you try increasing this to 8192, you should get all the fields

Go to solution
adamscottmaster2013
Level 3
Level 3
In response to M. Wisely

‎07-11-2023 09:12 AM

@M. Wisely:  the solution you provided works like a charm.  Thank you very much.

0 Helpful

Go to solution
Nancy Saini
Cisco Employee
Cisco Employee

‎07-11-2023 03:45 AM

The way logs are sent to an external syslog server depends on the logging categories (Administration > System > Logging) referring the external logging target. There are predefined logging categories on ISE (Failed attempts, Passed authentication, etc) which defines the format in which logs would be sent to various logging targets.

ISE doesn't log TLS packet dump in it's log files itself so don't think it would sent the TLS version in dot1x authentication to external syslog server.

0 Helpful
Customers Also Viewed These Support Documents