VPN Anyconnect / syslog

cisco.13
Level 1

Hello,
Is it possible to retrieve the hostname of the client workstation via syslog messages?
I activated syslog DAP, but I do not see the hostname of the workstation.
For organizational reasons, I do not want to do it via AAA.
Thanks a lot

1 Accepted Solution

Accepted Solutions

I guess you need to enable hostscan on the firewall.

 


tvotna
Spotlight

ASA/FTD sends all DAP attributes to syslog via %ASA-7-734003:

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslog-messages-722001-to-776020.html#con_5293521

The attribute name is endpoint.device.hostname.

 

cisco.13
Level 1

Thank you @tvotna, normally I checked my syslog and I didn't find 734003!
I'll check again next week.
Thank you very much

cisco.13
Level 1

Hello @tvotna 
I do not see endpoint.device.hostname; here is my conf. and the logs. Any idea (I see other DAP information)?
Should something be activated on the DAP?


sh logging | i 734003
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.grouppolicy = GP_001
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.username = mylogin13
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.username1 = mylogin13
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.username2 =
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.tunnelgroup = TG_001
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.clientversion = "5.0.05042"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.platform = "android"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.devicetype = "Xiaomi 2x0x1x9xG"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.platformversion = "14"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.deviceuniqueid = "0E92E6A9993F50A6D8BB23B9F036D65541CA6A18490A42793D13A1124EAD1629"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.deviceuniqueidglobal = "0E92E6A9993F50A6D8BB23B9F036D65541CA6A18490A42793D13A1124EAD1629"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.phoneid = "unknown"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.macaddress["0"] = "unknown"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.useragent = "AnyConnect Android 5.0.05042"
<188>May 13 2024 09:40:38 FW-001 : %ASA-4-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.session_token_security = "true"

#sh run logg
logging enable
logging timestamp
no logging hide username
logging buffer-size 512000
logging monitor debugging
logging buffered debugging
logging trap debugging
logging asdm notifications
logging facility 23
logging device-id hostname
logging host mgmt 192.x.x.x
logging host mgmt 192.x.x.x
logging class auth trap informational
logging class vpdn trap informational
logging class vpn trap informational
logging class vpnc trap informational
logging class webvpn trap informational
logging class dap trap debugging

# sh ver | i Version
Cisco Adaptive Security Appliance Software Version 9.16(4)57

Thank you

The endpoint.device.hostname attribute is for desktop platforms. Mobile devices only support ACIDEX attributes "endpoint.anyconnect.*". See below ("Mobile Posture"):

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/Cisco-Secure-Client-5/release/notes/release-notes-secure-client-for-android-release-5-0.html

 

cisco.13
Level 1

Hello @tvotna 
It does the same for a Windows or macOS office workstation.
Here are the logs from a desktop platform ("LENOVO 33541H0"):

# sh logging | i 734003
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.grouppolicy = GP_001
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.username = mylogin13
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.username1 = mylogin13
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.username2 =
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute aaa.cisco.tunnelgroup = TG_001
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.clientversion = "4.10.08029"
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.platform = "win"
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.devicetype = "LENOVO 33541H0"
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.platformversion = "10.0.19045 "
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.deviceuniqueid = "3FADB48437F957E90A1CF7498C1F0A845A35A2A54F63B70A9E9E3FD60B9D6F36"
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect. = "366B6624906F781138640E5768209B7E7D594029"
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.macaddress["0"] = "80-56-f2-fb-72-7d"
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.useragent = "AnyConnect Windows 4.10.08029"
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.publicmacaddress = "80-56-f2-fb-72-7d"
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User mylogin13, Addr x.x.x.x: Session Attribute endpoint.anyconnect.session_token_security = "true"

Thank you for your help

 

I guess you need to enable hostscan on the firewall.

 

Can you share the link to the doc, please?
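
Added example (not posted by anyone in this thread): a small Python parser for the %ASA-x-734003 DAP lines discussed above, which groups attributes per session and reports which sessions never logged endpoint.device.hostname, i.e. sent only AAA and ACIDEX (endpoint.anyconnect.*) attributes. The sample lines, user names, addresses and the hostname value are constructed, and grouping by (user, address) is an assumption made for this sketch.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the 734003 lines quoted in this thread.
SAMPLE = """\
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User alice, Addr 192.0.2.10: Session Attribute aaa.cisco.tunnelgroup = TG_001
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User alice, Addr 192.0.2.10: Session Attribute endpoint.anyconnect.platform = "win"
<191>May 13 2024 11:24:50 FW-001 : %ASA-7-734003: DAP: User alice, Addr 192.0.2.10: Session Attribute endpoint.anyconnect.macaddress["0"] = "00-00-5e-00-53-01"
<191>May 13 2024 11:31:02 FW-001 : %ASA-7-734003: DAP: User bob, Addr 192.0.2.20: Session Attribute aaa.cisco.username2 =
<191>May 13 2024 11:31:02 FW-001 : %ASA-7-734003: DAP: User bob, Addr 192.0.2.20: Session Attribute endpoint.anyconnect.platform = "win"
<191>May 13 2024 11:31:02 FW-001 : %ASA-7-734003: DAP: User bob, Addr 192.0.2.20: Session Attribute endpoint.device.hostname = "LAPTOP-042"
<190>May 13 2024 11:31:03 FW-001 : %ASA-6-000000: constructed non-DAP line that must be skipped
"""

# Matches any severity, because the thread shows both %ASA-4-734003 and %ASA-7-734003.
# Non-greedy groups let the address contain colons (IPv6).
LINE = re.compile(
    r'%ASA-\d-734003: DAP: User (?P<user>.+?), Addr (?P<addr>.+?): '
    r'Session Attribute (?P<name>\S+) =\s*(?P<value>.*)$')

def parse_dap(text):
    """Return {(user, addr): {attribute: value}}; non-734003 lines are skipped."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = LINE.search(line.strip())
        if m:
            # Assumption: one (user, addr) pair is one session in the log window.
            value = m["value"].strip().strip('"')  # empty values are kept as ""
            sessions[(m["user"], m["addr"])][m["name"]] = value
    return dict(sessions)

def hostname_report(sessions):
    """Map each session to its hostname, or None if the attribute was never logged."""
    return {key: attrs.get("endpoint.device.hostname")
            for key, attrs in sessions.items()}

if __name__ == "__main__":
    for (user, addr), host in hostname_report(parse_dap(SAMPLE)).items():
        print(f"{user}@{addr}: {host or 'no endpoint.device.hostname logged'}")
```
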