topic Re: Default ISE Syslog format for User-Name attribute? in Network Access Control

Default ISE Syslog format for User-Name attribute?

jameswatson33 — Mon, 11 Mar 2019 07:45:54 GMT

We're working with a partner who consumes syslog output from ISE for identity tracking purposes.

They are reporting getting unexpected output, but I cannot see that any modifications made by us could be resulting in this. Basically they are saying, and it is easily confirmed by looking at output to rsyslog, that the User-Name attribute is not coming across as they expect it. It is coming across as:

Jun 2 16:25:25 servername CISE_RADIUS_Accounting 0009005642 2 0 2017-06-02 16:25:25.722 -05:00 0471296004 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=18, Device IP Address=10.192.65.11, RequestLatency=2, NetworkDeviceName=wlc, User-Name=ourDomain\\james.watson, NAS-IP-Address=10.192.65.11, NAS-Port=4, Framed-IP-Address=10.191.87.202, Class=CACS:4d41c00a019356ee5abd3159:servername/285090051/16636127, Called-Station-ID=TECH, Calling-Station-ID=b8-53-ac-76-06-2d, NAS-Identifier=wlc-1, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=18206328, Acct-Output-Octets=97837917, Acct-Session-Id=5931bd5a/b8:53:ac:76:06:2d/36497162, Acct-Authentic=RADIUS, Acct-Session-Time=6760, Acct-Input-Packets=100572, Acct-Output-Packets=117663, undefined-52=#000#000#000#000, undefined-53=#000#000#000#000, Event-Timestamp=1496438725, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 1621,

They report that the double backslash is causing issues that they don't experience with other ISE customers.

So first question: Is this the default format for this output or not?

Second question: We are not currently using identity rewrite. Would it be effective in changing this output to syslog?

Any additional information I

jameswatson33 — Mon, 05 Jun 2017 18:38:01 GMT

Any additional information I could provide to make the question more precise?

This seems like a pretty

jameswatson33 — Tue, 06 Jun 2017 13:58:09 GMT

This seems like a pretty straightforward question. Is it possible I'm posting in the wrong forum? Any suggestions to improve my chances of finding an answer?

Re: Default ISE Syslog format for User-Name attribute?

kd4fmt — Mon, 25 Sep 2017 18:55:24 GMT

did you get the problem fixed? I have htis issue also

Re: Default ISE Syslog format for User-Name attribute?

LMCisco — Thu, 10 May 2018 00:20:14 GMT

Any luck solving this issue? Appreciate sharing your findings

Re: Default ISE Syslog format for User-Name attribute?

blahblarblah — Wed, 23 May 2018 01:18:54 GMT

for what its worth;

this is the standard format for windows domain joined machines when peap is configured to 'use windows logon details'. the double backslash is common in unix-like environments to escape the backslash.

also, as a note - identity-rewrite does not help here, because it only rewrites the identity sent to AD servers. it does not change the identity as far as ISE see's it.

so - my understanding is this: if ISE gets a request for "santa@north.pole", you can rewrite it to "easter.bunny@myAD.eggdomain" for your myAD.eggdomain servers to authenticate it. BUT, once authenticated, it will still use "santa@north.pole" for the identity (+ therefore radius syslog messages).

hth

Re: Default ISE Syslog format for User-Name attribute?

ajc — Wed, 23 May 2018 19:14:38 GMT

We are running ISE 2.2 and we needed to collect username info in our palo alto live logs. The following link provides you information about this and I think it could probably help you.

https://live.paloaltonetworks.com/t5/Integration-Articles/Integrating-Cisco-ISE-Guest-Authentication-with-PAN-OS/ta-p/98295

Re: Default ISE Syslog format for User-Name attribute?

DB101 — Wed, 18 Jul 2018 01:00:05 GMT

Cisco have now acknowledged this defect but are refusing to prioritize a fix. We need your help to add your name/company to the defect. Cisco allege we are the only organization impacted. If multiple people are impacted Cisco will provide a fix.

Please let Cisco know you are impacted and help us pressure Cisco to provide a fix.

Defect Details

CSCvk09565 ISE 2.x onwards RFC 3164 is not being followed completely

Symptom

Syslog messages are sent with double slash in the username field.

Characters which are escaped with double slash are ,;{}\

Conditions

ISE 2.x version

Workaround

None

Further Problem Description

Below characters are escaped as of now

,;{}\

No Character should be escaped as per RFC 3164 which ISE follows.

Re: Default ISE Syslog format for User-Name attribute?

blahblarblah — Thu, 26 Jul 2018 08:40:27 GMT

logged the case and attached to the bug. cheers.

Re: Default ISE Syslog format for User-Name attribute?

DB101 — Thu, 26 Jul 2018 22:29:26 GMT

No good news yet. Cisco have not made a commitment to fix this defect.

Still working on it.

Re: Default ISE Syslog format for User-Name attribute?

DB101 — Fri, 10 Aug 2018 00:14:59 GMT

Defect updated from 'enhancement' to severity 3. Cisco has advised us they are working on a fix.

Re: Default ISE Syslog format for User-Name attribute?

DB101 — Mon, 08 Oct 2018 00:14:07 GMT

FYI, we received a custom patch and are yet to test it. The fix will be added to future versions.

Re: Default ISE Syslog format for User-Name attribute?

Nidhi — Mon, 08 Oct 2018 06:03:39 GMT

I suggest please reach out to your account team to get this defect prioritized and they can update you once the fix is available.

Re: Default ISE Syslog format for User-Name attribute?

DB101 — Wed, 21 Nov 2018 22:26:26 GMT

We received a patch from Cisco that addresses this issue and results in a single backslash. Suggest you contact Cisco and request the patch. I believe it will be incorporated in a future release.

Re: Default ISE Syslog format for User-Name attribute?

quangle1993 — Sat, 24 Nov 2018 03:27:49 GMT

Hi, can you share me the patch please. I really need it to fix my case. Thanks very much,Quang!

Re: Default ISE Syslog format for User-Name attribute?

quangle1993 — Sat, 24 Nov 2018 03:27:59 GMT

Hi, can you share me the patch please. I really need it to fix my case. Thanks very much,Quang!

Re: Default ISE Syslog format for User-Name attribute?

Jason Kunst — Sat, 24 Nov 2018 03:54:29 GMT

Work through the tac

Re: Default ISE Syslog format for User-Name attribute?

tminh — Sat, 24 Nov 2018 05:21:06 GMT

Me too.

We are facing to the same problem with \\ (2 back slash).

Could anyone share the patch or how to fix it?

Thanks,

Minh

Re: Default ISE Syslog format for User-Name attribute?

Jason Kunst — Sat, 24 Nov 2018 12:26:04 GMT

Patches aren’t shared here please work through the tac