05-10-2024 10:20 AM
Hello,
Is it possible to retrieve the hostname of the client workstation via syslog messages?
I activated syslog DAP, but I do not see the hostname of the workstation.
For organizational reasons, I do not want to do it via AAA.
Thanks a lot
05-13-2024 08:11 AM
05-10-2024 01:18 PM
ASA/FTD sends all DAP attributes to syslog via %ASA-7-734003:
The attribute name is endpoint.device.hostname.
05-10-2024 02:55 PM
Thank you @tvotna, normally I checked my syslog and I didn't find 734003!
I'll check again next week.
Thank you very much
05-13-2024 06:06 AM - edited 05-13-2024 07:05 AM
Hello @tvotna
I do not see endpoint.device.hostname. Here are my configuration and the logs. Any idea? (I see other DAP information.)
Should something be activated on the DAP?
sh logging | i 734003
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.grouppolicy = GP_001
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.username = mylogin13
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.username1 = mylogin13
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.username2 =
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.tunnelgroup = TG_001
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.clientversion = "5.0.05042"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.platform = "android"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.devicetype = "Xiaomi 2x0x1x9xG"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.platformversion = "14"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.deviceuniqueid = "0E92E6A9993F50A6D8BB23B9F036D65541CA6A18490A42793D13A1124EAD1629"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.deviceuniqueidglobal = "0E92E6A9993F50A6D8BB23B9F036D65541CA6A18490A42793D13A1124EAD1629"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.phoneid = "unknown"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.macaddress["0"] = "unknown"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.useragent = "AnyConnect Android 5.0.05042"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.session_token_security = "true"
#sh run logg
logging enable
logging timestamp
no logging hide username
logging buffer-size 512000
logging monitor debugging
logging buffered debugging
logging trap debugging
logging asdm notifications
logging facility 23
logging device-id hostname
logging host mgmt 192.x.x.x
logging host mgmt 192.x.x.x
logging class auth trap informational
logging class vpdn trap informational
logging class vpn trap informational
logging class vpnc trap informational
logging class webvpn trap informational
logging class dap trap debugging
# sh ver | i Version
Cisco Adaptive Security Appliance Software Version 9.16(4)57
Thank you
05-13-2024 07:51 AM
Endpoint.device.hostname attribute is for desktop platforms. Mobile devices only support ACIDEX attributes "endpoint.anyconnect.*". See below ("Mobile Posture"):
05-13-2024 08:04 AM - edited 05-13-2024 08:04 AM
Hello @tvotna
It does the same for a Windows or macOS office workstation.
Here are the logs from a desktop platform ("LENOVO 33541H0"):
# sh logging | i 734003
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.grouppolicy = GP_001
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.username = mylogin13
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.username1 = mylogin13
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.username2 =
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.tunnelgroup = TG_001
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.clientversion = "4.10.08029"
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.platform = "win"
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.devicetype = "LENOVO 33541H0"
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.platformversion = "10.0.19045 "
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.deviceuniqueid = "3FADB48437F957E90A1CF7498C1F0A845A35A2A54F63B70A9E9E3FD60B9D6F36"
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect. = "366B6624906F781138640E5768209B7E7D594029"
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.macaddress["0"] = "80-56-f2-fb-72-7d"
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.useragent = "AnyConnect Windows 4.10.08029"
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.publicmacaddress = "80-56-f2-fb-72-7d"
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.session_token_security = "true"
Thank you for your help
05-13-2024 08:11 AM
I guess you need to enable hostscan on the firewall.
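Added example (not written by any poster in this thread, and not Cisco code): a small Python parser for the 734003 lines shown above that groups DAP attributes per user and address and reports whether endpoint.device.hostname arrived, keeping the endpoint.anyconnect.* fields for correlation when it did not. The sample lines, user names, addresses and the hostname value WS-0042 are constructed, and the quoted value format for endpoint.device.hostname is an assumption.

```python
import re
from collections import defaultdict

# Matches the %ASA-<severity>-734003 layout seen in the thread's log excerpts.
DAP_RE = re.compile(
    r"%ASA-\d-734003: DAP: User (?P<user>.+?), Addr (?P<addr>\S+): "
    r"Session Attribute (?P<name>\S+)\s*=\s*(?P<value>.*)$"
)

# Constructed sample input (not taken from a real device).
SAMPLE = [
    '<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User alice, Addr 203.0.113.10: Session Attribute aaa.cisco.tunnelgroup = TG_001',
    '<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User alice, Addr 203.0.113.10: Session Attribute endpoint.anyconnect.platform = "win"',
    '<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User alice, Addr 203.0.113.10: Session Attribute endpoint.device.hostname = "WS-0042"',
    '<191>May 13 2024 11:25:02 FW-001 : %ASA-7-734003: DAP: User bob, Addr 203.0.113.20: Session Attribute aaa.cisco.username2 =',
    '<191>May 13 2024 11:25:02 FW-001 : %ASA-7-734003: DAP: User bob, Addr 203.0.113.20: Session Attribute endpoint.anyconnect.platform = "android"',
    '<191>May 13 2024 11:25:02 FW-001 : %ASA-7-734003: DAP: User bob, Addr 203.0.113.20: Session Attribute endpoint.anyconnect.macaddress["0"] = "unknown"',
]

def collect_sessions(lines):
    """Group DAP attributes by (user, addr); lines that are not 734003 are skipped."""
    sessions = defaultdict(dict)
    for line in lines:
        m = DAP_RE.search(line.rstrip())
        if m:
            # Values are sometimes quoted, sometimes empty (aaa.cisco.username2).
            value = m["value"].strip().strip('"').strip()
            sessions[(m["user"], m["addr"])][m["name"]] = value
    return dict(sessions)

def hostname_report(sessions):
    """Per session: the hostname if it was logged, plus fields usable as a fallback."""
    report = {}
    for key, attrs in sessions.items():
        report[key] = {
            "hostname": attrs.get("endpoint.device.hostname"),  # None if never logged
            "platform": attrs.get("endpoint.anyconnect.platform"),
            "devicetype": attrs.get("endpoint.anyconnect.devicetype"),
            "mac": attrs.get('endpoint.anyconnect.macaddress["0"]'),
        }
    return report

if __name__ == "__main__":
    for (user, addr), info in hostname_report(collect_sessions(SAMPLE)).items():
        status = info["hostname"] or "endpoint.device.hostname not logged"
        print(f"{user}@{addr}: {status} (platform={info['platform']})")
```

Sessions reported with a hostname of None are the ones to check against the platform and posture points raised in the replies above.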
05-13-2024 09:03 AM
Can you share the link to the doc, please?
05-13-2024 09:51 AM