cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7000
Views
10
Helpful
20
Replies

Are you impacted? - ISE syslog double backslash

DB101
Level 1
Level 1

We need your help to convince Cisco to resolve a defect. Please get on-board!

 

We are trying to integrate UserID function between Cisco ISE 2.x and Palo Alto Networks Firewalls. A Cisco ISE defect is causing a double backslash between domain and userID in the syslog output

 

We need you to add your company to the defect listed below so Cisco knows that multiple people are (or will be) impacted.

 

Cisco have now acknowledged this defect but are refusing to prioritize a fix. Cisco allege we are the only organization impacted. If multiple people are impacted Cisco will provide a fix.

 

Please let Cisco know you are impacted and help us pressure Cisco to provide a fix.

 

Defect Details

CSCvk09565 ISE 2.x onwards RFC 3164 is not being followed completely

 

Symptom

Syslog messages are sent with double slash in the username field.

 

Characters which are escaped with double slash are ,;{}\

 

Conditions

ISE 2.x version

 

Workaround

None

 

Further Problem Description

Below characters are escaped as of now

 

,;{}\

 

No Character should be escaped as per RFC 3164 which ISE follows.

20 Replies 20

Krups
Level 1
Level 1

Yes you are right it is written in the release note but I think it is not solved.

I just did a capture of the UDP traffic after an authentication on the ISE portal and I have "\\" between the domain and the username for UserName= and GuestUserName=

 

 

Hi @Krups 

 please open a TAC case for that, if it was fixed in version 2.6 it should have been fixed in version 2.7 P2 !!!

 

Best regards.

Stove Jons
Level 1
Level 1

This appears to be an issue again on ISE version 3.3 patch 4.

Logs are still coming across as User-Name=Domain\\username

Looking through many threads on this community site from 2018-2021, this issue is reported as being fixed in ISE 2.6 and beyond but that does not appear to be the case as all of our syslog coming from ISE shows the double slash.

Hi @Stove Jons ,

 please open a TAC Case and report the Bug ID: CSCvk09565 ISE 2.x onwards RFC 3164 is not being followed completely.

 

Best regards.

I am running ISE 3.3 but have not installed patch 4. I will post my findings.

CONFIRMED, we have 2 separated deployments ISE 3.3:

The one running patch 2 does NOT send logs with backslash or domain. Only the username

The one running patch 4 is randomly sending logs with double backslash + username OR domain+double backslash + username.

We are opening a TAC Case.