06-02-2017 02:43 PM - edited 03-11-2019 12:45 AM
We're working with a partner who consumes syslog output from ISE for identity tracking purposes.
They are reporting getting unexpected output, but I cannot see that any modifications made by us could be resulting in this. Basically they are saying, and it is easily confirmed by looking at output to rsyslog, that the User-Name attribute is not coming across as they expect it. It is coming across as:
Jun 2 16:25:25 servername CISE_RADIUS_Accounting 0009005642 2 0 2017-06-02 16:25:25.722 -05:00 0471296004 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=18, Device IP Address=10.192.65.11, RequestLatency=2, NetworkDeviceName=wlc, User-Name=ourDomain\\james.watson, NAS-IP-Address=10.192.65.11, NAS-Port=4, Framed-IP-Address=10.191.87.202, Class=CACS:4d41c00a019356ee5abd3159:servername/285090051/16636127, Called-Station-ID=TECH, Calling-Station-ID=b8-53-ac-76-06-2d, NAS-Identifier=wlc-1, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=18206328, Acct-Output-Octets=97837917, Acct-Session-Id=5931bd5a/b8:53:ac:76:06:2d/36497162, Acct-Authentic=RADIUS, Acct-Session-Time=6760, Acct-Input-Packets=100572, Acct-Output-Packets=117663, undefined-52=#000#000#000#000, undefined-53=#000#000#000#000, Event-Timestamp=1496438725, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 1621,
They report that the double backslash is causing issues that they don't experience with other ISE customers.
So first question: Is this the default format for this output or not?
Second question: We are not currently using identity rewrite. Would it be effective in changing this output to syslog?
06-05-2017 11:38 AM
Any additional information I could provide to make the question more precise?
06-06-2017 06:58 AM
This seems like a pretty straightforward question. Is it possible I'm posting in the wrong forum? Any suggestions to improve my chances of finding an answer?
09-25-2017 11:55 AM
Did you get the problem fixed? I have this issue also.
05-09-2018 05:20 PM
Any luck solving this issue? Appreciate sharing your findings
05-23-2018 12:14 PM
We are running ISE 2.2 and we needed to collect username info in our palo alto live logs. The following link provides you information about this and I think it could probably help you.
05-22-2018 06:18 PM
for what it's worth;
this is the standard format for windows domain joined machines when peap is configured to 'use windows logon details'. the double backslash is common in unix-like environments to escape the backslash.
also, as a note - identity-rewrite does not help here, because it only rewrites the identity sent to AD servers. it does not change the identity as far as ISE sees it.
so - my understanding is this: if ISE gets a request for "santa@north.pole", you can rewrite it to "easter.bunny@myAD.eggdomain" for your myAD.eggdomain servers to authenticate it. BUT, once authenticated, it will still use "santa@north.pole" for the identity (+ therefore radius syslog messages).
hth
07-17-2018 06:00 PM
Cisco have now acknowledged this defect but are refusing to prioritize a fix. We need your help to add your name/company to the defect. Cisco allege we are the only organization impacted. If multiple people are impacted Cisco will provide a fix.
Please let Cisco know you are impacted and help us pressure Cisco to provide a fix.
Defect Details
CSCvk09565 ISE 2.x onwards RFC 3164 is not being followed completely
Symptom
Syslog messages are sent with double slash in the username field.
Characters which are escaped with double slash are ,;{}\
Conditions
ISE 2.x version
Workaround
None
Further Problem Description
Below characters are escaped as of now
,;{}\
No Character should be escaped as per RFC 3164 which ISE follows.
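Added example (not part of the thread and not Cisco's code): a consumer-side normalizer that a syslog collector could apply to unpatched ISE 2.x messages so identity tracking sees `ourDomain\james.watson`. It assumes each of the characters listed in the defect (`,;{}\`) is escaped by one preceding backslash, which matches the `\\` seen in User-Name; the function names and the second sample line are constructed for illustration.

```python
import re

# Characters the defect notes list as escaped by ISE 2.x: , ; { } \
ESCAPED = ",;{}\\"


def split_pairs(body):
    """Split on commas, treating backslash-escaped characters as data (assumed form)."""
    parts, cur, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in ESCAPED:
            cur.append(body[i:i + 2])  # keep the escape pair together for now
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def unescape(value):
    """Drop the escaping backslash in front of , ; { } and backslash."""
    return re.sub(r"\\([,;{}\\])", r"\1", value)


def parse_attributes(message):
    """Return the key=value attributes of one ISE syslog message as a dict."""
    attrs = {}
    for part in split_pairs(message):
        key, sep, value = part.partition("=")
        if sep:  # the syslog header and event text carry no '=' and are skipped
            attrs[key.strip()] = unescape(value)
    return attrs


# Shortened from the message in the original post; raw string keeps both backslashes.
SAMPLE = (r"Jun 2 16:25:25 servername CISE_RADIUS_Accounting NOTICE Radius-Accounting: "
          r"RADIUS Accounting watchdog update, ConfigVersionId=18, "
          r"User-Name=ourDomain\\james.watson, NAS-IP-Address=10.192.65.11, "
          r"Tunnel-Type=(tag=0) VLAN,")
# Constructed line: an escaped comma inside a value must not end the attribute.
CONSTRUCTED = r"User-Name=Watson\, James, NAS-Port=4"

if __name__ == "__main__":
    print(parse_attributes(SAMPLE)["User-Name"])
    print(parse_attributes(CONSTRUCTED))
```

A user name that already arrives with a single backslash, as reported for the patched output, passes through unchanged because `\j` is not one of the escaped pairs.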
07-26-2018 01:40 AM
logged the case and attached to the bug. cheers.
07-26-2018 03:29 PM
No good news yet. Cisco have not made a commitment to fix this defect.
Still working on it.
08-09-2018 05:14 PM
Defect updated from 'enhancement' to severity 3. Cisco has advised us they are working on a fix.
10-07-2018 05:14 PM
10-07-2018 11:03 PM
I suggest you reach out to your account team to get this defect prioritized, and they can update you once the fix is available.
11-21-2018 02:26 PM
We received a patch from Cisco that addresses this issue and results in a single backslash. Suggest you contact Cisco and request the patch. I believe it will be incorporated in a future release.
11-23-2018 07:27 PM
Hi, can you share the patch with me please? I really need it to fix my case. Thanks very much, Quang!