03-19-2018 02:39 AM - edited 02-21-2020 07:31 AM
Hi,
From our Palo Alto firewall, I try to get information from ISE SNMP logs in order to identify users connected to ISE, to give them access to resources... I need to be able to link Username and IP address...
Then I get info from this log (for example):
CISE_RADIUS_Accounting 0000018222 2 0 2018-03-19 10:29:14.575 +01:00 0000939068 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=114, Device IP Address=10.10.10.241, RequestLatency=2, NetworkDeviceName=NAD_10.10.10.241, User-Name=EUROPE\\TESTUSER, NAS-IP-Address=10.10.10.241, NAS-Port=13, Framed-IP-Address=10.20.202.7, Class=CACS:0a4058f100000cbe5aaf7bf8:SJLISE01/309110859/18792, Called-Station-ID=00-a2-89-b9-d9-60, Called-Station-ID=70-6b-b9-7d-3f-80:Boardriders-Employee, Calling-Station-ID=e4-a4-71-50-29-2c, NAS-Identifier=EU-SJL-WLC2504-CA1-1-241, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=1643432, Acct-Output-Octets=9346103, Acct-Session-Id=5aaf7bf8/e4:a4:71:50:29:2c/7968, Acct-Authentic=RADIUS, Acct-Session-Time=1774, Acct-Input-Packets=7687, Acct-Output-Packets=8562, Acct-Input-Gigawords=0, Acct-Output-Gigawords=0, Event-Timestamp=1521451754, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN,
I can link "User-Name=" with "Framed-IP-Address="
But, as we need to treat users with their domains, I need to get the info:
User-Name=EUROPE\TESTUSER, with only one backslash!!!
I tried to get the right info with regex manipulations in our Firewall, but no success.
The only way is to get the right info from ISE. Can we change the log format in ISE, removing one backslash?
Please Help!
Thanks
03-21-2018 09:41 PM - edited 03-21-2018 09:45 PM
Hi,
Have you tried this configuration in your Palo Alto for the Syslog filter? Replace "DOMAIN" with your actual domain below.
Event Regex:
CISE_RADIUS_Accounting
Username Regex:
User-Name=([a-zA-Z0-9\.\-\@\_\/]+)|User-Name=DOMAIN\\\\([a-zA-Z0-9\\\.\-\@\_\/]+)
Address Regex:
Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})
03-27-2018 05:55 AM
Hi,
Yes, of course...
The problem is I need to identify the Domain name as we have users from different domains allowed to connect...
Currently, we can offer the solution only for users from the EUROPE domain, as we configured it the way you mentioned, but US, APAC or ASIA domain users cannot be identified...
03-30-2018 01:38 AM
Hi,
I wonder if there is a way to obtain the logs with DOMAIN\UserName and IP Address from the controllers?
Anyone ?
07-17-2018 06:00 PM
Cisco have now acknowledged this defect but are refusing to prioritize a fix. We need your help to add your name/company to the defect. Cisco allege we are the only organization impacted. If multiple people are impacted Cisco will provide a fix.
Please let Cisco know you are impacted and help us pressure Cisco to provide a fix.
Defect Details
CSCvk09565 ISE 2.x onwards RFC 3164 is not being followed completely
Symptom
Syslog messages are sent with double slash in the username field.
Characters which are escaped with double slash are ,;{}\
Conditions
ISE 2.x version
Workaround
None
Further Problem Description
Below characters are escaped as of now
,;{}\
No Character should be escaped as per RFC 3164 which ISE follows.
10-23-2018 06:23 AM - edited 10-23-2018 06:24 AM
Hi,
Did you find a solution to your problem?
I have the same problem.
I have to identify when an authentication comes from users of two different domains, but there is no domain name in the packet which contains the Framed-IP-Address.
11-21-2018 01:14 AM
Many thanks for your hint.
I created 3 regexes for username detection and put them in order in the Palo Alto Syslog-Receiver settings:
1.) User-Name=mydomain\\\\([^,]+)
2.) User-Name=MYDOMAIN\\\\([^,]+)
3.) User-Name=([^,]+)
So I can match all my needs.
Kind Regards
Gernot
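As an added example (not code from the thread, from Cisco or from Palo Alto): the per-domain regexes above stop working whenever a new domain appears, so this Python parser does the same extraction with one domain-agnostic pattern, collapses the doubled backslash that CSCvk09565 describes back to a single one, and only maps an IP when the line really is an accounting record carrying a Framed-IP-Address. The sample lines are constructed, modelled on the message quoted at the top of the thread; the APAC and host/ entries are hypothetical.

```python
import re
from typing import Optional

# Constructed sample lines modelled on the thread's CISE_RADIUS_Accounting message.
# ISE 2.x writes the domain separator as a doubled backslash ("EUROPE\\TESTUSER").
SAMPLE_LINES = [
    "CISE_RADIUS_Accounting 0000018222 2 0 2018-03-19 10:29:14.575 +01:00 0000939068 "
    "3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=114, "
    "User-Name=EUROPE\\\\TESTUSER, NAS-IP-Address=10.10.10.241, Framed-IP-Address=10.20.202.7, "
    "Acct-Status-Type=Interim-Update,",
    # hypothetical second domain: no per-domain regex needed
    "CISE_RADIUS_Accounting 0000018223 2 0 2018-03-19 10:29:15.001 +01:00 0000939069 "
    "3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, "
    "User-Name=APAC\\\\jdoe, Framed-IP-Address=10.30.1.15, Acct-Status-Type=Start,",
    # hypothetical machine authentication: no domain prefix, no backslash at all
    "CISE_RADIUS_Accounting 0000018224 2 0 2018-03-19 10:29:16.200 +01:00 0000939070 "
    "3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, "
    "User-Name=host/pc01.example.test, Framed-IP-Address=10.30.1.16, Acct-Status-Type=Start,",
    # authentication record without Framed-IP-Address: must be skipped, not mis-mapped
    "CISE_Passed_Authentications 0000018225 1 0 2018-03-19 10:29:17.000 +01:00 0000939071 "
    "5200 NOTICE Passed-Authentication: Authentication succeeded, User-Name=EUROPE\\\\TESTUSER,",
]

# Optional "DOMAIN" followed by the two literal backslashes ISE emits, then the user
# part up to the next comma. Works for any domain, so no ordered per-domain list.
USER_RE = re.compile(r"User-Name=(?:([^,\\]+)\\\\)?([^,\\]+),")
IP_RE = re.compile(r"Framed-IP-Address=((?:[0-9]{1,3}\.){3}[0-9]{1,3})")


def unescape_ise(value: str) -> str:
    """Undo the ISE 2.x escaping described in CSCvk09565: a backslash before , ; { } \\."""
    return re.sub(r"\\([,;{}\\])", r"\1", value)


def extract_user_ip(line: str) -> Optional[dict]:
    """Return {'domain', 'user', 'user_name', 'ip'} for an accounting line, else None."""
    if not line.startswith("CISE_RADIUS_Accounting"):
        return None
    user_m, ip_m = USER_RE.search(line), IP_RE.search(line)
    if not user_m or not ip_m:
        return None
    raw = user_m.group(0)[len("User-Name="):-1]           # e.g. EUROPE\\TESTUSER
    return {"domain": user_m.group(1), "user": user_m.group(2),
            "user_name": unescape_ise(raw), "ip": ip_m.group(1)}  # single backslash now


def user_ip_map(lines) -> dict:
    """Map Framed-IP-Address -> DOMAIN\\user with a single backslash; latest record wins."""
    return {r["ip"]: r["user_name"] for r in map(extract_user_ip, lines) if r}
```

Run over a syslog export from ISE, the resulting map is the User-ID style mapping the firewall needs, with the domain preserved for every domain rather than only the one hard-coded in a regex.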
11-21-2018 02:24 PM
We received a patch from Cisco that addresses this issue and results in a single backslash. Suggest you contact Cisco and request the patch. I believe it will be incorporated in a future release.
03-18-2019 08:03 AM
Was this a regular ISE patch file (e.g. patch2, patch4) or something Cisco sent outside the regular patch cycle?