PSK Exposure in ISE Authentication Logs - Recommendations for Mitigation?

[EvanusModestus]

I'm implementing iPSK Manager for IoT devices that lack 802.1X capabilities. The solution is working well, but I've identified a security concern regarding PSK exposure in ISE authentication logs.

Issue:
While the cisco-av-pair attributes in the Result section properly mask the PSK value (psk=****), the plaintext PSK is exposed in the "Other Attributes" section of ISE RADIUS authentication logs:

Other Attributes

SelectedAuthenticationIdentityStores iPSKManager
AuthenticationStatus AuthenticationPassed
IdentityPolicyMatchedRule iPSK AuthC
AuthorizationPolicyMatchedRule iPSK Trusted Data
ISEPolicySetName LAB WIFI
IdentitySelectionMatchedRule iPSK AuthC
ExternalGroups Lab-IoT
vlan 10
pskValue psk=L@bCr3ds2038!!0  <------------- psk exposed here
RADIUS Username B0:54:76:EB:6E:C0
NAS-Identifier WLC-LAB
Device IP Address 10.50.1.40
Called-Station-ID 78-bc-1a-36-82-c0:LabIoT
CiscoAVPair service-type=Call Check,
audit-session-id=2801320A000003478EE5C0C4,
method=mab,
client-iif-id=4143973033,
vlan-id=10,
cisco-wlan-ssid=LabIoT,
wlan-profile-name=LabIoT,
AuthenticationIdentityStore=iPSKManager
UseCase Host Lookup

Result

Tunnel-Type | (tag=1) VLAN
Tunnel-Medium-Type | (tag=1) 802
Tunnel-Private-Group-ID | (tag=1) 10
cisco-av-pair | psk-mode=****
cisco-av-pair | psk=****

Concerns:

• Anyone with ISE admin access can view plaintext device credentials
• PSKs are exposed in SIEM/syslog forwarding
• Log backups and archives contain plaintext credentials
• Potential compliance issues (HIPAA, audit requirements)

Questions:

1. Is this expected behavior, or is there a configuration option to mask the pskValue attribute in logs similar to how cisco-av-pair is handled?
2. Are there recommended ISE configuration changes to minimize this exposure while maintaining troubleshooting capabilities?
3. What are the community's best practices for managing this in production environments with strict security/compliance requirements?

Environment:

• ISE 3.2 Patch 6
• Cisco 9800 WLC
• iPSK Manager with ODBC external identity source

Any guidance on addressing this logging concern would be greatly appreciated!

[karrots]

This sounds like an ISE issue not a iPSK-Manager issue. Have you addressed it up that chain?