Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4890
Views
10
Helpful
18
Replies

Default ISE Syslog format for User-Name attribute?

Go to solution
jameswatson33
Level 1
Level 1

‎06-02-2017 02:43 PM - edited ‎03-11-2019 12:45 AM

We're working with a partner who consumes syslog output from ISE for identity tracking purposes.

They are reporting getting unexpected output, but I cannot see that any modifications made by us could be resulting in this. Basically they are saying, and it is easily confirmed by looking at output to rsyslog, that the User-Name attribute is not coming across as they expect it. It is coming across as:

Jun  2 16:25:25 servername CISE_RADIUS_Accounting 0009005642 2 0 2017-06-02 16:25:25.722 -05:00 0471296004 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=18, Device IP Address=10.192.65.11, RequestLatency=2, NetworkDeviceName=wlc, User-Name=ourDomain\\james.watson, NAS-IP-Address=10.192.65.11, NAS-Port=4, Framed-IP-Address=10.191.87.202, Class=CACS:4d41c00a019356ee5abd3159:servername/285090051/16636127, Called-Station-ID=TECH, Calling-Station-ID=b8-53-ac-76-06-2d, NAS-Identifier=wlc-1, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=18206328, Acct-Output-Octets=97837917, Acct-Session-Id=5931bd5a/b8:53:ac:76:06:2d/36497162, Acct-Authentic=RADIUS, Acct-Session-Time=6760, Acct-Input-Packets=100572, Acct-Output-Packets=117663, undefined-52=#000#000#000#000, undefined-53=#000#000#000#000, Event-Timestamp=1496438725, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 1621,

They report that the double backslash is causing issues that they don't experience with other ISE customers.

So first question: Is this the default format for this output or not?

Second question: We are not currently using identity rewrite. Would it be effective in changing this output to syslog?

5 people had this problem
Labels:
0 Helpful
18 Replies 18

Go to solution
quangle1993
Level 1
Level 1
In response to DB101

‎11-23-2018 07:27 PM

Hi, can you share me the patch please. I really need it to fix my case. Thanks very much,Quang!

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to quangle1993

‎11-23-2018 07:54 PM

Work through the tac
0 Helpful

Go to solution
tminh
Cisco Employee
Cisco Employee
In response to DB101

‎11-23-2018 09:21 PM

Me too.

 

We are facing to the same problem with \\ (2 back slash).

Could anyone share the patch or how to fix it?

 

Thanks,

Minh

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to tminh

‎11-24-2018 04:26 AM

Patches aren’t shared here please work through the tac
0 Helpful
Customers Also Viewed These Support Documents