
ISE sends bad information for Palo Alto User-ID Agent



From our Palo Alto firewall, I am trying to get information from ISE SNMP logs in order to identify users connected to ISE, to give them access to resources... I need to be able to link Username and IP address...


Then, I get info from this log (for example):

CISE_RADIUS_Accounting 0000018222 2 0 2018-03-19 10:29:14.575 +01:00 0000939068 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=114, Device IP Address=, RequestLatency=2, NetworkDeviceName=NAD_10.10.10.241, User-Name=EUROPE\\TESTUSER, NAS-IP-Address=, NAS-Port=13, Framed-IP-Address=, Class=CACS:0a4058f100000cbe5aaf7bf8:SJLISE01/309110859/18792, Called-Station-ID=00-a2-89-b9-d9-60, Called-Station-ID=70-6b-b9-7d-3f-80:Boardriders-Employee, Calling-Station-ID=e4-a4-71-50-29-2c, NAS-Identifier=EU-SJL-WLC2504-CA1-1-241, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=1643432, Acct-Output-Octets=9346103, Acct-Session-Id=5aaf7bf8/e4:a4:71:50:29:2c/7968, Acct-Authentic=RADIUS, Acct-Session-Time=1774, Acct-Input-Packets=7687, Acct-Output-Packets=8562, Acct-Input-Gigawords=0, Acct-Output-Gigawords=0, Event-Timestamp=1521451754, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN,


I can link "User-Name=" with "Framed-IP-Address="


But, as we need to treat users with their domains, I need to get the info:

User-Name=EUROPE\TESTUSER, with only 1 backslash!!!


I tried to get the right info with regex manipulations in our Firewall, but no success.


The only way is to get the right info from ISE. Can we change the log form in ISE, removing 1 backslash?

Please Help!






Have you tried this configuration in your Palo Alto for the Syslog filter? Replace "DOMAIN" with your actual domain below.


Event Regex

Username Regex

Address Regex




Yes, of course...

The problem is I need to identify the Domain name as we have users from different domains allowed to connect...

Currently, we can offer the solution only for users from domain EUROPE, as we configured it as you mentioned, but US, APAC or ASIA domain users cannot be identified...




I wonder if there is a way to obtain the logs with DOMAIN\UserName and IP Address from the controllers???

Anyone?

Cisco have now acknowledged this defect but are refusing to prioritize a fix. We need your help to add your name/company to the defect. Cisco allege we are the only organization impacted. If multiple people are impacted Cisco will provide a fix.


Please let Cisco know you are impacted and help us pressure Cisco to provide a fix.


Defect Details

CSCvk09565 ISE 2.x onwards RFC 3164 is not being followed completely



Syslog messages are sent with double slash in the username field.


Characters which are escaped with double slash are ,;{}\



ISE 2.x version





Further Problem Description

Below characters are escaped as of now




No Character should be escaped as per RFC 3164 which ISE follows.



Did you find a solution to your problem?

I have the same problem.

I have to identify when an authentication comes from users of two different domains, but there is no domain name in the packet which contains the framed-ip-address.

Many thanks for your hint.

I created 3 regexes for username detection and put them in order in the Palo Alto Syslog-Receiver settings:

1.) User-Name=mydomain\\\\([^,]+)

2.) User-Name=MYDOMAIN\\\\([^,]+)

3.) User-Name=([^,]+)

So I can match all my needs.

Kind Regards
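
Added example, not part of the thread and not Cisco or Palo Alto code: a small Python pre-processor that undoes the escaping described in the defect text and returns the domain, user name and Framed-IP-Address from one accounting record, so the domain does not have to be hard-coded per regex. It assumes each listed character (`,;{}\`) is emitted with one backslash in front of it; the function names and the sample line (with a documentation IP address) are constructed for illustration.

```python
import ipaddress

# Characters the defect text on this page lists as escaped by ISE.
# Assumption: each one is emitted with a single backslash in front of it.
ESCAPED = ",;{}\\"

# Constructed sample modelled on the log line in the thread (documentation IP).
SAMPLE = (
    r"CISE_RADIUS_Accounting 0000018222 2 0 2018-03-19 10:29:14.575 +01:00 "
    r"0000939068 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, "
    r"User-Name=EUROPE\\TESTUSER, NAS-Port=13, Framed-IP-Address=192.0.2.25, "
    r"Acct-Status-Type=Interim-Update,"
)

def split_fields(msg):
    """Split on unescaped commas and undo the backslash escaping in one pass."""
    fields, buf, i = [], [], 0
    while i < len(msg):
        if msg[i] == "\\" and i + 1 < len(msg) and msg[i + 1] in ESCAPED:
            buf.append(msg[i + 1])  # keep the literal character, drop the escape
            i += 2
            continue
        if msg[i] == ",":
            fields.append("".join(buf).strip())
            buf = []
        else:
            buf.append(msg[i])
        i += 1
    fields.append("".join(buf).strip())
    return fields

def parse_mapping(line):
    """Return (domain, user, ip) for a usable accounting record, else None."""
    attrs = {}
    for field in split_fields(line):
        key, sep, value = field.partition("=")
        if sep and key not in attrs:  # first occurrence wins for repeated keys
            attrs[key] = value
    user, ip = attrs.get("User-Name"), attrs.get("Framed-IP-Address")
    if not user or not ip:
        return None  # record has no usable user name or address
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None  # never map a user to something that is not an IP address
    domain, _, name = user.rpartition("\\")  # domain is "" when none was sent
    return (domain, name, ip)

if __name__ == "__main__":
    print(parse_mapping(SAMPLE))
```

Records with an empty or malformed Framed-IP-Address are dropped rather than mapped, since a wrong user-to-IP binding would grant the wrong access on the firewall.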


We received a patch from Cisco that addresses this issue and results in a single backslash. Suggest you contact Cisco and request the patch. I believe it will be incorporated in a future release.

Was this a regular ISE patch file (e.g. patch2, patch4) or something Cisco sent outside the regular patch cycle?
