Symptom
Intermittently, a switch servicing clients via dot1x and MAB marks the active RADIUS server DEAD even though the server is reachable and healthy:
038547: Oct 25 02:42:18.531 CDT: %RADIUS-4-RADIUS_DEAD: RADIUS server 203.0.113.10:1812,1813 is not responding.
038560: Oct 25 03:07:18.681 CDT: %RADIUS-4-RADIUS_DEAD: RADIUS server 203.0.113.10:1812,1813 is not responding.
038589: Oct 25 03:32:18.701 CDT: %RADIUS-4-RADIUS_DEAD: RADIUS server 203.0.113.10:1812,1813 is not responding.
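The three log lines above are spaced almost exactly 25 minutes apart, which is the tell for this bug rather than a genuinely unreachable server. The following script is an added example (not part of the original bug report) that parses %RADIUS-4-RADIUS_DEAD lines from a switch syslog, computes the interval between successive DEAD markings per server and flags servers that are marked DEAD repeatedly inside a short window. The sample log is constructed, modelled on the lines in the report; the second server address and the %SYS-5-CONFIG_I line are assumptions added to show that unrelated lines and other servers are handled.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog pattern for the IOS %RADIUS-4-RADIUS_DEAD message. The leading
# sequence number and the trailing timezone are optional because both
# depend on the switch's "service sequence-numbers" / "service timestamps"
# settings.
DEAD_RE = re.compile(
    r"^(?:\d+:\s+)?"                                   # optional sequence number
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})(?:\.\d+)?"           # HH:MM:SS[.msec]
    r"(?:\s+[A-Z]{3,4})?:\s+"                          # optional timezone
    r"%RADIUS-4-RADIUS_DEAD: RADIUS server "
    r"(?P<server>\d{1,3}(?:\.\d{1,3}){3}):(?P<auth>\d+),(?P<acct>\d+)"
    r" is not responding\.$"
)

# Constructed sample: the three events from the report, one unrelated
# message, and one DEAD event for a second (assumed) server address.
SAMPLE_LOG = """\
038547: Oct 25 02:42:18.531 CDT: %RADIUS-4-RADIUS_DEAD: RADIUS server 203.0.113.10:1812,1813 is not responding.
038548: Oct 25 02:45:00.001 CDT: %SYS-5-CONFIG_I: Configured from console by vty0
038560: Oct 25 03:07:18.681 CDT: %RADIUS-4-RADIUS_DEAD: RADIUS server 203.0.113.10:1812,1813 is not responding.
038589: Oct 25 03:32:18.701 CDT: %RADIUS-4-RADIUS_DEAD: RADIUS server 203.0.113.10:1812,1813 is not responding.
038590: Oct 25 03:40:00.000 CDT: %RADIUS-4-RADIUS_DEAD: RADIUS server 203.0.113.11:1645,1646 is not responding.
"""


def parse_dead_events(text, year=2023):
    """Return (timestamp, server, auth_port, acct_port) for every RADIUS_DEAD
    line. IOS timestamps carry no year, so one is assumed by the caller."""
    events = []
    for line in text.splitlines():
        m = DEAD_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["server"], int(m["auth"]), int(m["acct"])))
    return events


def _stamps_by_server(events):
    by_server = defaultdict(list)
    for ts, server, _, _ in events:
        by_server[server].append(ts)
    for stamps in by_server.values():
        stamps.sort()
    return by_server


def dead_intervals(events):
    """Seconds between consecutive DEAD markings, keyed by server address."""
    return {
        server: [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        for server, stamps in _stamps_by_server(events).items()
    }


def flapping_servers(events, min_events=3, window_seconds=3600):
    """Servers marked DEAD at least min_events times inside any window of
    window_seconds. A reachable ISE node being marked DEAD this regularly
    is the pattern described in the Symptom section."""
    flagged = []
    for server, stamps in _stamps_by_server(events).items():
        for i in range(len(stamps) - min_events + 1):
            span = (stamps[i + min_events - 1] - stamps[i]).total_seconds()
            if span <= window_seconds:
                flagged.append(server)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_dead_events(SAMPLE_LOG)
    for server, gaps in dead_intervals(evs).items():
        print(server, "intervals (s):", gaps)
    print("flapping:", flapping_servers(evs))
```

Run against a real syslog export, a server that shows up with near-identical intervals of a few minutes between DEAD markings, while `show aaa servers` on the switch reports it as reachable in between, is a candidate for the PAC-key interaction described under Further Problem Description rather than a network or ISE outage.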
Conditions
The RADIUS server in use is Identity Services Engine (ISE).
The RADIUS server definition on the switch is configured with a PAC key rather than a shared secret, for example:
radius server ise201
address ipv4 203.0.113.10 auth-port 1812 acct-port 1813
pac key
Both MAB and 802.1X need to be configured on the port to hit this issue.
Workaround
Use a shared key for dot1x and MAB authentication, authorization and accounting, and keep the PAC-keyed server definition only for the TrustSec (CTS) authorization list:
aaa group server radius ise201-noPAC
server name ise201-noPAC
aaa group server radius ise201
server name ise201
!
aaa authentication dot1x default group ise201-noPAC
aaa authorization network default group ise201-noPAC
aaa authorization network cts-mlist group ise201
aaa accounting dot1x default start-stop group ise201-noPAC
!
cts authorization list cts-mlist
!
radius server ise201
address ipv4 203.0.113.10 auth-port 1812 acct-port 1813
pac key
!
radius server ise201-noPAC
address ipv4 203.0.113.10 auth-port 1645 acct-port 1646
key
This lets TrustSec keep using the PAC-keyed server entry, which it requires, while dot1x and MAB use the shared-key entry. Both entries point at the same ISE node; the shared-key entry uses the legacy ports 1645/1646 so that the two definitions for one address do not collide, and ISE must accept RADIUS from the switch on both port pairs.
Further Problem Description
Whether this is seen depends on whether a misconfigured supplicant attached to the switch is attempting to authenticate. The order of events required to hit the issue is:
1) A client with a misconfigured supplicant connects and successfully authenticates via MAB, either after failing 802.1X or after the 802.1X timeout. It can also authenticate via MAB first.
2) The supplicant starts a new 802.1X authentication but then stops responding.
3) Within 120 seconds, MAB sends an accounting stop.
At this point, because an 802.1X authentication is still in progress, ISE processes the accounting stop differently and sends its response using the shared secret instead of the PAC. The switch, which expects a PAC-protected response, cannot validate it and treats the exchange as if the server had not replied, which is what drives the server to the DEAD state.