07-17-2018 06:05 PM - edited 02-21-2020 11:01 AM
We need your help to convince Cisco to resolve a defect. Please get on-board!
We are trying to integrate UserID function between Cisco ISE 2.x and Palo Alto Networks Firewalls. A Cisco ISE defect is causing a double backslash between domain and userID in the syslog output.
We need you to add your company to the defect listed below so Cisco knows that multiple people are (or will be) impacted.
Cisco have now acknowledged this defect but are refusing to prioritize a fix. Cisco allege we are the only organization impacted. If multiple people are impacted Cisco will provide a fix.
Please let Cisco know you are impacted and help us pressure Cisco to provide a fix.
Defect Details
CSCvk09565 ISE 2.x onwards RFC 3164 is not being followed completely
Symptom
Syslog messages are sent with double slash in the username field.
Characters which are escaped with double slash are ,;{}\
Conditions
ISE 2.x version
Workaround
None
Further Problem Description
Below characters are escaped as of now
,;{}\
No Character should be escaped as per RFC 3164 which ISE follows.
02-22-2021 05:56 AM - edited 02-22-2021 06:20 AM
Yes you are right it is written in the release note but I think it is not solved.
I just did a capture of the UDP traffic after an authentication on the ISE portal and I have "\\" between the domain and the username for UserName= and GuestUserName=
02-22-2021 06:33 AM
Hi @Krups
please open a TAC case for that, if it was fixed in version 2.6 it should have been fixed in version 2.7 P2 !!!
Best regards.
01-10-2025 08:41 AM
This appears to be an issue again on ISE version 3.3 patch 4.
Logs are still coming across as User-Name=Domain\\username
Looking through many threads on this community site from 2018-2021, this issue is reported as being fixed in ISE 2.6 and beyond but that does not appear to be the case as all of our syslog coming from ISE shows the double slash.
01-10-2025 10:30 AM
Hi @Stove Jons ,
please open a TAC Case and report the Bug ID: CSCvk09565 ISE 2.x onwards RFC 3164 is not being followed completely.
Best regards.
01-10-2025 11:50 AM
I am running ISE 3.3 but have not installed patch 4. I will post my findings.
01-21-2025 01:04 PM
CONFIRMED, we have 2 separate ISE 3.3 deployments:
The one running patch 2 does NOT send logs with backslash or domain. Only the username.
The one running patch 4 is randomly sending logs with double backslash + username OR domain + double backslash + username.
We are opening a TAC Case.
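Receiver-side normalization for the escaping described in this thread, as an added example that is not part of any post and is not Cisco or Palo Alto Networks code. It undoes the backslash escaping of `,;{}\` and returns the domain and username for the three variants reported above; the function names and the sample log lines are constructed for illustration and only mimic the `key=value, key=value` layout.

```python
import re

# Characters the defect note lists as backslash-escaped by ISE.
ESCAPED = ",;{}\\"
# Field names quoted in the thread.
USER_KEYS = ("User-Name", "UserName", "GuestUserName")

def split_attrs(body):
    """Split 'k=v, k=v' on commas, skipping commas that are backslash-escaped."""
    parts, cur, i = [], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body) and body[i + 1] in ESCAPED:
            cur.append(body[i:i + 2])  # keep the escape pair together
            i += 2
        elif body[i] == ",":
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(body[i])
            i += 1
    parts.append("".join(cur))
    return parts

def unescape(value):
    """Undo the escaping; a lone backslash before any other character is kept."""
    return re.sub(r"\\([,;{}\\])", r"\1", value)

def extract_user(line):
    """Return (domain, username) from the first user field, or None if absent."""
    for part in split_attrs(line):
        key, sep, value = part.strip().partition("=")
        if sep and key in USER_KEYS:
            domain, _, user = unescape(value).rpartition("\\")
            return (domain or None, user)
    return None

# Constructed sample lines (not captured from a real ISE node).
SAMPLES = [
    r"Passed-Auth: Authentication succeeded, User-Name=CORP\\jdoe, NAS-Port=1",
    r"Passed-Auth: Authentication succeeded, User-Name=\\jdoe, NAS-Port=1",
    r"Passed-Auth: Authentication succeeded, User-Name=jdoe, NAS-Port=1",
    r"Guest: login, GuestUserName=CORP\\smith\, ann, PortalName=x",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(extract_user(line))
```

A value that already arrives with a single backslash (`CORP\jdoe`) passes through unchanged, so the same code works whether or not the sender escapes.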