cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1488
Views
9
Helpful
18
Replies

FMC FTD RA VPN Session Info

JGB_GtmK_CJoN
Level 1
Level 1

Greetings,

Using the FMC or CLI, how can I find the computer name of the device that an end-user is connecting from when they use Anyconnect client for RA VPN?

FMC & FTD 4112's = 7.2.5

Secure Client w/Anyconnect = 5.0.0540

Thanks!

18 Replies 18

via CLI 
show vpn-sessiondb anyconnect detail 
check the user name 

for GUI (FMC) I need to check 

MHM

Thanks for the CLI command!

Will this also show the local name  or hostname of the device that the user is connecting from?

hostname the user use to connect.

thanks @MHM Cisco World , but the show vpn-sessiondb detail anyconnect ... doesn't have any hostname filed in the output.  It has Client OS, Type and Ver but no name.  Could it be another command?

Although the "show vpn-sessiondb detail anyconnect filter name ..." command would give you the OS running on the endpoint, I don't believe there is a way to show the actual device name without relying on DAP messages.

Thanks Aref.  Each Connection Profile has it's own set of LDAP Attribute mappings that will be used to match a user with their CP based on MemberOf Group/Policy - will this produce DAP messages that can be used to identify the originating device name?

@Aref Alsouqi maybe a better ask is = How are these DAP messages generated, logged and accessed?

@JGB_GtmK_CJoN normally VPN authentication is based on the connecting user, the computer name would not be known by the FMC. One way to learn the computer name would be to use certificate authentication (or double authentication - AAA + certificate) and specify using the certificate from the machine store, thus you would learn the computer name.

Thanks Rob!

Currently AAA only is being used for Authentication w/2FA and also for Authorization based on group membership as mentioned above.  If AAA + cert is not used, is there any way that the FTD can interrogate the connecting device or pull that info from Anyconnect Client and have the computer name logged? 

If I open my Secure Client, I see the Client Name - can this data be exchanged with the FTD & logged?

 

@JGB_GtmK_CJoN unless you are performing certificate authentication as the primary authentication method using the machine certificate store and the computer name is the authenticated username, you aren't going to easily find the information you require.

You may find the information indirectly from DAP logs, SYSLOG messages or possibly the learnt ACIDex attributes will provide information on the connected computer that could be used to determine the computer name.

Which module in Secure Client are you referring to? The VPN module?

@Rob Ingram how would I be able to skim through DAP or SYSLOG messages (at the FMC level - currently not exporting to external) to confirm if the Client Name shows up?  

Looking at the ACIDex Attributes link you provided and it lists ASA - is this available for the FTD's (4112 running 7.2.5).  I tried looking in the FMC but could not easily find a tab that looked similar to this? 

This seems like a helpful tool.

 

 

The Secure Client module that displays computer name (Client name) is the Umbrella tab (not VPN - apologies, but I guess the question remains to see if the FTD can collect this data from the Secure Client?).  

@Rob Ingram a follow up question to the certificate method = If the AAA + cert is setup, how can the learned computer name be found?  (FMC GUI, CLI, Syslogs, etc...) 

How about Device UUID?  Is this captured if only AAA is used?

@JGB_GtmK_CJoN if using "aaa + certificate" the "show vpn-sessiondb detail anyconnect" would display only the authenticated user account, so you'd have to filter on the generated SYSLOG message of the certificate authentication and send that to the SYSLOG server.

The device UUID is available in ACIDex, but not sure how you'd easily correlate that with the computer name.

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118944-technote-anyconnect-00.html

 

@Rob Ingram The device UUID would be another way that can be used to check that users are only logging in from trusted/managed devices. 

The Client Name/local computer name data was intended to be used to flag any device that doesn't follow the organization's naming convention and/or inventory.  If a non-standard device is used, flagging them would generate a back-end action requesting that the end-user be engaged, reminded, educated... etc... 

Another concept was using the device UUID as there is a DB of these objects that map to every managed/trusted device.

Either way would work if they end up in a Syslog message that can be used to generate follow up action.

Device cert is an option that is being discussed as a latter phase.  Looking for an interim way to mitigate unmanaged devices.

 

Review Cisco Networking for a $25 gift card