anyconnect ssl vpn

bluesea2010
Level 5

Hi,

When we are using SSL AnyConnect VPN, what type of password protection and data encryption is running?

Thanks 


17 Replies

@bluesea2010 what have you configured for your TLS/SSL settings? If you left them at the default, then you probably want to change the encryption algorithms in use. Here is a guide to secure your encryption ciphers.

What authentication method are you using? If using RADIUS, then you could be using the PAP, MSCHAPv1 or v2 protocol. MSCHAPv2 would be preferred.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/aaa_radius.pdf

https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/vpn/asa-94-vpn-config/vpn-l2tp-ipsec.html


Thanks 

I am using Cisco ISE for authentication.

@bluesea2010 what do you actually need to know? Do you need to know what authentication type ASA and ISE are using to communicate when authenticating the users? Provide your configuration and/or look in the ISE Live Logs; this would tell you if you are using PAP or MSCHAP.

Hi,

I want to know, when the client and ASA are communicating, what type of authentication and encryption it uses.

Second, from ASA to ISE, what type of authentication does it use?
When I check the ISE login details, I am getting the below:


No Data available for this record. Either the data is purged or authentication for this session record happened a week ago.
Or if this is an 'PassiveID' or 'PassiveID Visibility' session, it will not have authentication details on ISE but only the session.

Thanks


@bluesea2010 run show vpn-sessiondb ratio encryption to determine what encryption all your clients are using when connecting to the VPN.

Run show vpn-sessiondb detail anyconnect to determine the authentication (AuthMode) method and encryption/hashing algorithms each client has used when connecting to the VPN. This command will only provide information on connected users.

Hi,

Here is the output:

Result of the command: "show vpn-sessiondb detail anyconnect"

Username : Index : 1222
Assigned IP : 172.30.228.6 Public IP :
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1
Bytes Tx : 4514753 Bytes Rx : 4701289
Pkts Tx : 17080 Pkts Rx : 19344
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : GroupPolicy-n Tunnel Group :
Login Time : 13:44:55 AST Sun Jul 24 2022
Duration : 0h:31m:05s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : ac100307004c600062dd22a7
Security Grp : none

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
Tunnel ID : 1222.1
Public IP :
Encryption : none Hashing : none
TCP Src Port : 51169 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 0 Minutes
Client OS : win
Client OS Ver: 10.0.19043
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.8.02045
Bytes Tx : 12678 Bytes Rx : 3343
Pkts Tx : 10 Pkts Rx : 5
Pkts Tx Drop : 0 Pkts Rx Drop : 0

SSL-Tunnel:
Tunnel ID : 1222.4
Assigned IP : 172.30.228.6 Public IP :
Encryption : AES256 Hashing : SHA1
Encapsulation: TLSv1.0 TCP Src Port : 51271
TCP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 0 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.8.02045
Bytes Tx : 7659 Bytes Rx : 0
Pkts Tx : 14 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Filter Name : #ACSACL#-IP-PERMIT_ALL_TRAFFIC-55386fb1

DTLS-Tunnel:
Tunnel ID : 1222.5
Assigned IP : 172.30.228.6 Public IP :
Encryption : AES256 Hashing : SHA1
Encapsulation: DTLSv1.0 UDP Src Port : 55938
UDP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.8.02045
Bytes Tx : 4448355 Bytes Rx : 4653578
Pkts Tx : 16875 Pkts Rx : 19119
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Filter Name : #ACSACL#-IP-PERMIT_ALL_TRAFFIC-55386fb1


Thanks 

@bluesea2010 so that user has connected using AES256 (encryption), SHA1 (hashing) and user/password for authentication.

You probably want to use better encryption/hashing algorithms, and also you are only using DTLS1.0; you probably want to use DTLS1.2 for better performance. Refer to this guide to reconfigure these settings: https://integratingit.wordpress.com/2021/01/27/securing-asa-tls-ciphers/
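As an added illustration (not code from the thread or from Cisco), the check Rob describes by eye can be scripted: parse the per-tunnel blocks of `show vpn-sessiondb detail anyconnect` and flag TLSv1.0/DTLSv1.0 encapsulation, SHA1 hashing and non-GCM encryption. The sample text is constructed in the shape of the output quoted above, with the DTLS block altered to show what a hardened tunnel would report; the field names are taken from that output.

```python
import re

# Constructed sample shaped like the 'show vpn-sessiondb detail anyconnect' output above;
# the DTLS block is altered to show what a hardened tunnel would report.
SAMPLE_OUTPUT = """\
Username : alice Index : 1222

SSL-Tunnel:
Encryption : AES256 Hashing : SHA1
Encapsulation: TLSv1.0 TCP Src Port : 51271
TCP Dst Port : 443 Auth Mode : userPassword

DTLS-Tunnel:
Encryption : AES-GCM-256 Hashing : SHA384
Encapsulation: DTLSv1.2 UDP Src Port : 55938
UDP Dst Port : 443 Auth Mode : userPassword
"""

WEAK_ENCAP = {"TLSv1.0", "TLSv1.1", "DTLSv1.0"}
WEAK_HASH = {"none", "MD5", "SHA1"}

def parse_tunnels(text):
    """Return {tunnel_name: {field: value}} for each 'X-Tunnel:' block."""
    tunnels, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^(SSL-Tunnel|DTLS-Tunnel|AnyConnect-Parent):\s*$", line)
        if header:
            current = tunnels.setdefault(header.group(1), {})
            continue
        if current is None:
            continue  # summary lines before the first tunnel block
        # A detail line carries one or two 'Key : Value' pairs on the same line.
        for key, val in re.findall(r"([A-Za-z ]+?)\s*:\s*(\S+)", line):
            current[key.strip()] = val
    return tunnels

def audit(tunnels):
    """Flag the settings the thread recommends changing; returns (tunnel, issue) pairs."""
    findings = []
    for name, f in tunnels.items():
        if name == "AnyConnect-Parent":
            continue  # control channel reports 'none'; the data tunnels carry traffic
        if f.get("Encapsulation") in WEAK_ENCAP:
            findings.append((name, f"encapsulation {f['Encapsulation']}; use TLSv1.2/DTLSv1.2"))
        if f.get("Hashing", "none") in WEAK_HASH:
            findings.append((name, f"hashing {f.get('Hashing')}; use SHA384"))
        if "GCM" not in f.get("Encryption", ""):
            findings.append((name, f"encryption {f.get('Encryption')} is not AES-GCM"))
    return findings
```

Run `audit(parse_tunnels(open("sessions.txt").read()))` over a saved copy of the command output to list every tunnel that still needs the cipher and protocol changes before the upgrade discussed below.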


Hi @Rob Ingram 

I have only TLSv1.0; I don't have TLSv1.2 as in the article.

When you say better encryption/hashing, what are you recommending?

Thanks

@bluesea2010 what ASA hardware and software version are you running? You may need to upgrade to support TLS1.2 and DTLS1.2.

Using AES-GCM-256 (you are using AES CBC not GCM) and SHA384 would be sufficient.

ASA 5585 SSP-10 and 9.2(4)27

@bluesea2010 you will need to upgrade; 9.2 is very old and TLS/DTLS 1.2 won't be supported, nor will the latest encryption/hashing algorithms.

Version 9.12 is the latest your hardware supports. https://software.cisco.com/download/home/283123066/type/280775065/release/9.12.4%20Interim


ASA 5585 SSP-10 end of support is next month.

@bluesea2010 well, if you want to use more secure encryption/hashing algorithms you'd need to upgrade the software; you should be able to do this if you have access rights to download the software from the Cisco site.

Or buy newer hardware and run the latest code.

Hi @Rob Ingram 

If we join ISE to Active Directory, what authentication type is used when ISE is authenticating a user against Active Directory?

Thanks