Quick Tip: Display Cisco ISE Usernames for Failed Authentications

In this Cisco ISE quick tip, I would like to point out how ISE administrators can display usernames for failed authentications.

The following has been tested on ISE 2.4 but is relevant for older ISE versions.

When a user or machine fails authentication, ISE masks the identity automatically. This can be seen in the RADIUS Live Logs and looks like the screenshot (1) shown below.

Although you can click into the details of each live log entry, it is sometimes useful to see the identity directly in order to troubleshoot further. The good news is that ISE lets us unmask the identity. The bad news for some is that, depending on the ISE version, you can only keep identities unmasked for a limited time. Up to ISE 2.4 patch 3, you cannot keep identities unmasked permanently; the maximum time you can keep them unmasked is 30 minutes before ISE masks them again.

As mentioned, this is not convenient and was in fact raised as a bug (CSCvh91118). I believe ISE releases after ISE 2.4 patch 3 now allow you to disclose invalid usernames so long as ISE is configured to do so. If you are running a version of ISE before 2.4 patch 3 and you want this feature permanently enabled, then you may want to consider upgrading or patching your system.

To allow unmasking of identities, navigate to Administration > System > Settings > RADIUS. Under Authentication Details, check the box next to ‘Disclose invalid usernames’ and save your changes.

You are now set and should be able to view the identities of invalid usernames in the RADIUS Live Logs. Depending on the identity, you should now see something similar to the screenshot below when looking at invalid usernames.
