Buy or Renew
Buy or Renew
NOTICE: The community will be in READ-ONLY Sept. 6 – 9 to add Umbrella release notes and announcements. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1299
Views
9
Helpful
18
Replies

FMC FTD RA VPN Session Info

JGB_GtmK_CJoN
Level 1
Level 1

‎11-13-2023 09:16 AM - edited ‎11-13-2023 09:22 AM

Greetings,

Using the FMC or CLI, how can I find the computer name of the device that an end-user is connecting from when they use Anyconnect client for RA VPN?

FMC & FTD 4112's = 7.2.5

Secure Client w/Anyconnect = 5.0.0540

Thanks!

Labels:
0 Helpful
18 Replies 18

Rob Ingram
VIP
VIP
In response to JGB_GtmK_CJoN

‎11-13-2023 11:32 AM

@JGB_GtmK_CJoN if you just want to determine whether the authenticated user is connecting from a trusted/managed device the standard way of doing this is either using a machine certificate (which can only be issued via your internal CA) or using a DAP policy to confirm the device is joined to the domain. If either fail the connection request fails.

 

JGB_GtmK_CJoN
Level 1
Level 1
In response to Rob Ingram

‎11-13-2023 11:52 AM

@Rob Ingram yes, very much agree. That is being discussed and prepared but is not available for all devices.  There is a mixed pool of W10, W11, MAC OS, Linux, Android & iOS.. so the domain join is something that needs to be worked through for some of these client machines.  It should be straightforward for W10, W11 but there are a few hurdles with the rest.

Having an identifier that gets parsed via SYSLOG would allow some form of identification vs. null.  This would be an interim until certs are worked out.  If there is any other suggestions, please let me know. 

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-14-2023 04:45 AM

This might be available using ACIDEX natively via the Dynamic Access Policy (DAP) feature if we gather endpoint host name as one of the matching criteria.

I know that when we use ISE we get all of the ACIDEX information automatically. See attached for the details I get when connecting to my lab VPN and authentication to AD via ISE.

 

Preview file
447 KB

Marius Gunnerud
VIP
VIP

‎11-14-2023 11:45 PM

If you want to collect the hostname of the machines connecting to VPN you will either have to use certificate authentication and use the machine name in the CN field or install a host scan agent on the end device that collects data about the system and sends to, for example, an ISE appliance.

--
Please remember to select a correct answer and rate helpful posts
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card