In this quick-tip Cisco ISE article, I would like to point out how ISE administrators can display usernames for failed authentications.
The following has been tested on ISE 2.4 but is relevant for older ISE versions.
When a user/machine fails authentication, ISE will mask the identity automatically. This can be seen in the RADIUS Live Logs and looks like the screenshot (1) shown below.
Although you can click on the details of each live log, sometimes it’s good to know what the identity is to troubleshoot further. The good news is that with ISE we can unmask the identity. The bad news for some is that you can only keep identities unmasked for a limited time, depending on the ISE version. Up to ISE 2.4 patch 3, you cannot keep identities unmasked permanently; in fact, the maximum time you can keep identities unmasked is 30 minutes before ISE masks them again.
As mentioned, this is not convenient and was in fact raised as a bug (CSCvh91118). I believe ISE releases after ISE 2.4 patch 3 now allow you to disclose invalid usernames so long as ISE is configured to do so. If you are running a version of ISE before 2.4 patch 3 and you want this feature permanently enabled, you may want to consider upgrading or patching your system.
To allow unmasking of identities, navigate to Administration > System > Settings > RADIUS. Under Authentication Details, check the box next to ‘Disclose invalid usernames’ and save your changes.
You are now set and should be able to view the identities of invalid usernames in the RADIUS Live Logs. Depending on the identity, you should now see something similar to the screenshot below when looking at invalid usernames.