07-10-2023 08:18 AM
I am running ISE 3.0 patch-7 and I use certificate based dot1x for authentication.
When the device is successfully authenticated, I see TLSversion and TLSCipher in the ISE log. I also configure the ISE to send these messages to external syslog server; however, I capture the traffic on the ISE for syslog message and I can confirm that syslog messages from the ISE to external syslog server do NOT contain either TLSVersion or TLSCipher. I've opened a TAC case with Cisco to investigate.
Is this expected? TIA
07-11-2023 02:41 AM
We're running 3.1p7 and I can see the TLSversion and TLSCipher fields in logs forwarded to our external syslog server.
07-11-2023 07:45 AM
@M. Wisely: can you share the tcpdump that shows the TLSVersion in syslog?
@Nancy Saini: TLSVersion does not show up in syslog output, is this expected in ISE 3.0? Is this a new feature in ISE 3.1 and higher?
07-11-2023 07:56 AM
If you go into your remote logging target config, the default is 1024, which is too low to get the full log. If you try increasing this to 8192, you should get all the fields.
07-11-2023 09:12 AM
@M. Wisely: the solution you provided works like a charm. Thank you very much.
07-11-2023 03:45 AM
The way logs are sent to an external syslog server depends on the logging categories (Administration > System > Logging) referring to the external logging target. There are predefined logging categories on ISE (Failed attempts, Passed authentication, etc.) which define the format in which logs would be sent to various logging targets.
ISE doesn't log a TLS packet dump in its log files itself, so I don't think it would send the TLS version in dot1x authentication to an external syslog server.