BugZero | Cisco BugID CSCvp21915 - RSN IE length mismatch between assoc and EAPOL-M2 ...

Cisco - Defect ID: CSCvp21915

RSN IE length mismatch between assoc and EAPOL-M2 frame

Cisco - Defect ID: CSCvp21915

RSN IE length mismatch between assoc and EAPOL-M2 frame

Last updated on July 28th, 2022

BugZero Risk Score
6.2 Medium

Overall: 6.2

Severity: 6.4

Lifecycle: 9.1

Popularity: 6.0

What is the BugZero Risk Score?

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Views: 60

Description

Symptom

Older device attempting to use WPA2 to associate to WPA2/AES only WLAN. Client debugs show mismatch between association frame RSN IE and EAPOL-M2 frame RSN IE (length) as shown in example below: *Dot1x_NW_MsgTask_0: Apr 03 17:49:07.862: 00:40:17:6b:4d:90 Compare RSN IE in association and EAPOL-M2 frame(rsnie_len :20, and grpMgmtCipherLen:0) *Dot1x_NW_MsgTask_0: Apr 03 17:49:07.862: 00:40:17:6b:4d:90 rsnieCapabilty = 0 rsnie_len =20 *Dot1x_NW_MsgTask_0: Apr 03 17:49:07.862: 00:40:17:6b:4d:90 EAPOL-key M2 with invalid RSN IE received from mobile 00:40:17:6b:4d:90 rxed IE len :20, rxed IE length in association:22 rsnie_len to compare = 20 *Dot1x_NW_MsgTask_0: Apr 03 17:49:07.862: 00:40:17:6b:4d:90 Dumping RSNIE received in Association request(len = 22): *Dot1x_NW_MsgTask_0: Apr 03 17:49:07.862: 00000000: 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 0............... *Dot1x_NW_MsgTask_0: Apr 03 17:49:07.862: 00000010: 00 0f ac 02 28 00 ....(. *Dot1x_NW_MsgTask_0: Apr 03 17:49:07.862: 00:40:17:6b:4d:90 Dumping RSNIE received in EAPOL M2 (len = 20): *Dot1x_NW_MsgTask_0: Apr 03 17:49:07.862: 00000000: 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ................ *Dot1x_NW_MsgTask_0: Apr 03 17:49:07.862: 00000010: ac 02 00 00 ....

Conditions

Older device attempting to use WPA2 to associate to WPA2/AES only WLAN on 8.5.140.0 code.

Workaround

Utilize older code such as 8.2.170.2 which works fine or configure device to be WPA only and modify WLAN to be WPA/TKIP + WPA2/AES. We have introduced a new CLI to enable/disable RSN Capability validation. By default it will be enabled. (Cisco Controller) >config advanced eap rsn-capability-validation enable Enables RSN Capability validation disable Disables RSN Capability validation

Further Problem Description

Same device and same configuration works on 8.2.170.2 but does not work on 8.5.140.0.

Change history

2022-07-28 Added: 8.5.140.0

Relevant Products

Click on a version to see all relevant bugs

Affected versions:8.5.140.0

Fixed versions: 8.10.104.127, 8.10.104.148, 8.10.105.0, 8.10.112.0, 8.10.113.0, 8.10.120.0, 8.10.121.0, 8.10.122.0, 8.10.130.0, 8.10.142.0, 8.10.151.0, 8.10.162.0, 8.10.171.0, 8.5.151.0, 8.5.151.3, 8.5.151.4, 8.5.152.102, 8.5.160.0, 8.5.161.0, 8.5.164.0, 8.5.171.0, 8.5.182.0

Relevant Products

Click on a version to see all relevant bugs

Affected versions:8.5.140.0

Top Cisco Defects

9.7Defect ID: CSCwa70008
Expired certs cause Security Intelligence updates to fail
9.7Defect ID: CSCwc94466
Cisco ASA/FTD Firepower 2100 SSL/TLS Denial of Service Vulnerability
9.7Defect ID: CSCvq12070
Not able to establish more than 2 simultaneous ASDM sessions
9.7Defect ID: CSCvp36425
Cisco ASA & FTD Software Cryptographic TLS and SSL Driver Denial of Service Vulnerability
9.7Defect ID: CSCwf80292
ISE cannot retrieve a peer certificate during EAP-TLS authentication

Ready to prevent the next vendor outage?

Get a demo

Cisco - Defect ID: CSCvp21915

RSN IE length mismatch between assoc and EAPOL-M2 frame

Cisco - Defect ID: CSCvp21915

RSN IE length mismatch between assoc and EAPOL-M2 frame

Last updated on July 28th, 2022

BugZero Risk Score6.2 Medium

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

Top Cisco Defects

Ready to prevent the next vendor outage?

Links

BugZero Risk Score
6.2 Medium