cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
725
Views
0
Helpful
8
Replies

VPN Anyconnect / syslog

cisco.13
Level 1
Level 1

Hello,
Is it possible to retrieve the hostname of the client workstation via syslog messages?
I activated syslog DAP, but I do not see the hostname of the workstation.
For organizational reasons, I do not want to do it via AAA.
Thanks a lot

1 Accepted Solution

Accepted Solutions

I guess you need to enable hostscan on the firewall.

 

View solution in original post

8 Replies 8

tvotna
Spotlight
Spotlight

ASA/FTD sends all DAP attributes to syslog via %ASA-7-734003:

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslog-messages-722001-to-776020.html#con_5293521

The attribute name is endpoint.device.hostname.

 

cisco.13
Level 1
Level 1

Thank you @tvotna, normally I checked my syslog and I didn't find 734003!
I'll check again next week.
Thank you very much

cisco.13
Level 1
Level 1

Hello @tvotna 
I do not see endpoint.device.hostname, here is my conf. and the logs, any idea (I see other DAP information) ?
should something be activated on the DAP?


sh logging | i 734003
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.grouppolicy = GP_001
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.username = mylogin13
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.username1 = mylogin13
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.username2 =
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.tunnelgroup = TG_001
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.clientversion = "5.0.05042"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.platform = "android"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.devicetype = "Xiaomi 2x0x1x9xG"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.platformversion = "14"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.deviceuniqueid = "0E92E6A9993F50A6D8BB23B9F036D65541CA6A18490A42793D13A1124EAD1629"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.deviceuniqueidglobal = "0E92E6A9993F50A6D8BB23B9F036D65541CA6A18490A42793D13A1124EAD1629"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.phoneid = "unknown"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.macaddress["0"] = "unknown"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.useragent = "AnyConnect Android 5.0.05042"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.session_token_security = "true"

#sh run logg
logging enable
logging timestamp
no logging hide username
logging buffer-size 512000
logging monitor debugging
logging buffered debugging
logging trap debugging
logging asdm notifications
logging facility 23
logging device-id hostname
logging host mgmt 192.x.x.x
logging host mgmt 192.x.x.x
logging class auth trap informational
logging class vpdn trap informational
logging class vpn trap informational
logging class vpnc trap informational
logging class webvpn trap informational
logging class dap trap debugging

# sh ver | i Version
Cisco Adaptive Security Appliance Software Version 9.16(4)57

Thank you

Endpoint.device.hostname attribute is for desktop platforms. Mobile devices only support ACIDEX attributes "endpoint.anyconnect.*". See below ("Mobile Posture"):

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/Cisco-Secure-Client-5/release/notes/release-notes-secure-client-for-android-release-5-0.html

 

cisco.13
Level 1
Level 1

Hello @tvotna 
it does the same for a windows or macos office workstation
here are the logs from a desktop plateform ("LENOVO 33541H0") :

# sh logging | i 734003
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.grouppolicy = GP_001
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.username = mylogin13
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.username1 = mylogin13
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.username2 =
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.tunnelgroup = TG_001
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.clientversion = "4.10.08029"
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.platform = "win"
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.devicetype = "LENOVO 33541H0"
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.platformversion = "10.0.19045 "
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.deviceuniqueid = "3FADB48437F957E90A1CF7498C1F0A845A35A2A54F63B70A9E9E3FD60B9D6F36"
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect. = "366B6624906F781138640E5768209B7E7D594029"
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.macaddress["0"] = "80-56-f2-fb-72-7d"
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.useragent = "AnyConnect Windows 4.10.08029"
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.publicmacaddress = "80-56-f2-fb-72-7d"
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.session_token_security = "true"

Thank you for your help

 

I guess you need to enable hostscan on the firewall.

 

can you share the link to the doc please?