Default ISE Syslog format for User-Name attribute?

jameswatson33
Level 1

We're working with a partner who consumes syslog output from ISE for identity tracking purposes.

They are reporting getting unexpected output, but I cannot see that any modifications made by us could be resulting in this. Basically they are saying, and it is easily confirmed by looking at output to rsyslog, that the User-Name attribute is not coming across as they expect it. It is coming across as:

Jun  2 16:25:25 servername CISE_RADIUS_Accounting 0009005642 2 0 2017-06-02 16:25:25.722 -05:00 0471296004 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=18, Device IP Address=10.192.65.11, RequestLatency=2, NetworkDeviceName=wlc, User-Name=ourDomain\\james.watson, NAS-IP-Address=10.192.65.11, NAS-Port=4, Framed-IP-Address=10.191.87.202, Class=CACS:4d41c00a019356ee5abd3159:servername/285090051/16636127, Called-Station-ID=TECH, Calling-Station-ID=b8-53-ac-76-06-2d, NAS-Identifier=wlc-1, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=18206328, Acct-Output-Octets=97837917, Acct-Session-Id=5931bd5a/b8:53:ac:76:06:2d/36497162, Acct-Authentic=RADIUS, Acct-Session-Time=6760, Acct-Input-Packets=100572, Acct-Output-Packets=117663, undefined-52=#000#000#000#000, undefined-53=#000#000#000#000, Event-Timestamp=1496438725, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 1621,

They report that the double backslash is causing issues that they don't experience with other ISE customers.

So first question: Is this the default format for this output or not?

Second question: We are not currently using identity rewrite. Would it be effective in changing this output to syslog?

Accepted Solution

Cisco have now acknowledged this defect but are refusing to prioritize a fix. We need your help to add your name/company to the defect. Cisco allege we are the only organization impacted. If multiple people are impacted Cisco will provide a fix.

Please let Cisco know you are impacted and help us pressure Cisco to provide a fix.

Defect Details

CSCvk09565 ISE 2.x onwards RFC 3164 is not being followed completely

Symptom

Syslog messages are sent with double slash in the username field.

Characters which are escaped with double slash are ,;{}\

Conditions

ISE 2.x version

Workaround

None

Further Problem Description

Below characters are escaped as of now

,;{}\

No character should be escaped as per RFC 3164 which ISE follows.

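
An added example (not code from the thread or from Cisco): a small consumer-side parser in Python that splits the ISE attribute list and reverses the backslash escaping the defect describes (the characters ,;{}\ ), so a downstream identity-tracking tool sees a single backslash in User-Name until the patch is applied. The sample line is a shortened, constructed version of the message quoted in the question; the Called-Station-ID value with an escaped comma is constructed to show the other escaped characters.

```python
# Characters that ISE 2.x escapes with a backslash in syslog attribute
# values, as listed in defect CSCvk09565.
ISE_ESCAPED = set(',;{}\\')

# Constructed sample, derived from the accounting message in the question.
# 'TECH\,LAB' is a constructed value showing an escaped comma.
SAMPLE = (r"Jun  2 16:25:25 servername CISE_RADIUS_Accounting 0009005642 2 0 "
          r"2017-06-02 16:25:25.722 -05:00 0471296004 3002 NOTICE Radius-Accounting: "
          r"RADIUS Accounting watchdog update, ConfigVersionId=18, "
          r"NetworkDeviceName=wlc, User-Name=ourDomain\\james.watson, "
          r"Called-Station-ID=TECH\,LAB, Calling-Station-ID=b8-53-ac-76-06-2d, "
          r"Tunnel-Type=(tag=0) VLAN, Acct-Status-Type=Interim-Update,")


def split_attrs(payload):
    """Split a 'field, field, ...' tail on unescaped commas and drop the
    backslash in front of any ISE-escaped character, keeping the literal."""
    fields, cur, i = [], [], 0
    while i < len(payload):
        ch = payload[i]
        if ch == '\\' and i + 1 < len(payload) and payload[i + 1] in ISE_ESCAPED:
            cur.append(payload[i + 1])   # un-escape: keep the character itself
            i += 2
            continue
        if ch == ',':
            fields.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        fields.append(''.join(cur).strip())
    return [f for f in fields if f]     # ignore the empty trailing field


def parse_ise_syslog(line):
    """Return (header, attributes). Assumes the first ': ' in the line ends
    the header (e.g. 'Radius-Accounting: '); the first free-text field that
    has no '=' is stored under 'Description'. Values are split on the first
    '=' only, so '(tag=0) VLAN' survives intact."""
    head, sep, tail = line.partition(': ')
    if not sep:
        raise ValueError('no attribute section found')
    attrs = {}
    for field in split_attrs(tail):
        key, eq, val = field.partition('=')
        if eq:
            attrs[key] = val
        else:
            attrs.setdefault('Description', field)
    return head, attrs
```

Feeding SAMPLE to parse_ise_syslog yields a User-Name of ourDomain\james.watson with one backslash, which is the form the partner expected.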

18 Replies

jameswatson33
Level 1

Any additional information I could provide to make the question more precise?

This seems like a pretty straightforward question. Is it possible I'm posting in the wrong forum? Any suggestions to improve my chances of finding an answer?

kd4fmt
Level 1

Did you get the problem fixed? I have this issue also.

LMCisco
Level 1

Any luck solving this issue? I'd appreciate you sharing your findings.

We are running ISE 2.2 and we needed to collect username info in our Palo Alto live logs. The following link provides information about this and I think it could probably help you.

 

https://live.paloaltonetworks.com/t5/Integration-Articles/Integrating-Cisco-ISE-Guest-Authentication-with-PAN-OS/ta-p/98295


blahblarblah
Level 1

For what it's worth:

This is the standard format for Windows domain-joined machines when PEAP is configured to 'use Windows logon details'. The double backslash is common in Unix-like environments to escape the backslash.

Also, as a note: identity rewrite does not help here, because it only rewrites the identity sent to AD servers. It does not change the identity as far as ISE sees it.

So, my understanding is this: if ISE gets a request for "santa@north.pole", you can rewrite it to "easter.bunny@myAD.eggdomain" for your myAD.eggdomain servers to authenticate it. BUT, once authenticated, it will still use "santa@north.pole" for the identity (and therefore RADIUS syslog messages).

HTH

logged the case and attached to the bug. cheers.

No good news yet. Cisco have not made a commitment to fix this defect.

 

Still working on it.

Defect updated from 'enhancement' to severity 3. Cisco has advised us they are working on a fix.

FYI, we received a custom patch and are yet to test it. The fix will be added to future versions.

Nidhi
Cisco Employee

I suggest you reach out to your account team to get this defect prioritized; they can update you once the fix is available.

We received a patch from Cisco that addresses this issue and results in a single backslash. Suggest you contact Cisco and request the patch. I believe it will be incorporated in a future release.

Hi, can you share the patch with me please? I really need it to fix my case. Thanks very much, Quang!
