
Disclose invalid username on ISE 2.4p3

Ping Zhou
Level 8

Hello experts,

ISE 2.4p3 masks the unknown usernames (unknown to all its identity stores) in its live log with "INVALID". I use the "Administration >> Settings >> Protocols >> RADIUS >> Disclose invalid username" checkbox to display the unknowns. It lasts for 30 mins, then turns off, and there seems to be no way to adjust the duration. Can this be configured to be permanent on ISE 2.4p3? Thanks!


9 Replies 9

Jason Kunst
Cisco Employee
If there is no setting for it then it’s a feature request

Please reach out thru sales team to product management with your use case

I submitted an enhancement request for this on Aug 11th, Cisco Internal reference# F37407. It's not so much an enhancement request as it is the option for restoring earlier behavior.

If it worked before then escalate thru the TAC as a regression. Also work with product managers if getting any resistance and see how they can help

howon
Cisco Employee

Enhancement to permanently disclose username or change duration (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh91118) is planned with next version of ISE. We have started accepting beta registration for 2.5 if you are interested:

https://community.cisco.com/t5/network-architecture-blogs/ise-2-5-beta-registration-is-open/ba-p/3711445

 

cnorborg
Level 1

Was this ever done? I'm on a 3.X version and am seeing this in my logs during my initial configuration. Going to Administration - System - Settings - Protocols - RADIUS, I don't see an option for this?

Of course I am trying with TACACS and don't see a "protocol" for tacacs specifically?

As per the Admin Guide, the 'Disclose Invalid Usernames' option is available in the Administration > System > Settings > Security Settings page.

Hi @cnorborg ,

!version 2.4

In Administration > System > Settings > Protocols > RADIUS > Suppression & Reports > Authentication Details > Disclose invalid usernames

!version 2.6+

In Administration > System > Settings > Security Settings > Disclose invalid usernames

About " ...  and don't see a "protocol" for tacacs specifically ... ", there is "no protocol" for TACACS+.

Hope this helps !!!

Does anyone know if permanently activating this option will affect the global performance of the deployment? I didn't find anything about this topic on the Net... Thanks in advance for your feedback.

There should be no performance impact by having the option enabled. The feature was added to improve security, not to improve performance.

 
