cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
544
Views
5
Helpful
5
Replies

TLSVersion and TLSCipher in syslog message

I am running ISE 3.0 patch-7 and I use certificate based dot1x for authentication.

When the device is successfully authenticated, I see TLSversion and TLSCipher in the ISE log.  I also configure the ISE to send these messages to external syslog server; however, I capture the traffic on the ISE for syslog message and I can confirm that syslog messages from the ISE to external syslog server do NOT contain either TLSVersion or TLSCipher.  I've opened a TAC case with Cisco to investigate.  

Is this expected?  TIA

1 Accepted Solution

Accepted Solutions

If you go into you're remote logging target config, the default is 1024 which is too low to get the full log. If you try increasing this to 8192, you should get all the fields

View solution in original post

5 Replies 5

M. Wisely
Level 4
Level 4

We're running 3.1p7 and I can see the TLSversion and TLSCipher fields in logs forwarded to our external syslog server.

@M. Wisely:  can you share the tcpdump that shows the TLSVersion in syslog?

@Nancy Saini:  TLSVersion does not show up in syslog output, is this expected in ISE 3.0?  Is this a new feature in ISE 3.1 and higher?

If you go into you're remote logging target config, the default is 1024 which is too low to get the full log. If you try increasing this to 8192, you should get all the fields

@M. Wisely:  the solution you provided works like a charm.  Thank you very much.

Nancy Saini
Cisco Employee
Cisco Employee

The way logs are sent to an external syslog server depends on the logging categories (Administration > System > Logging) referring the external logging target. There are predefined logging categories on ISE (Failed attempts, Passed authentication, etc) which defines the format in which logs would be sent to various logging targets.

ISE doesn't log TLS packet dump in it's log files itself so don't think it would sent the TLS version in dot1x authentication to external syslog server.