Cisco Bug: CSCtb62187 - 12.3(8) release notes "authentication client" could violate 3748 RFC

Last Modified

Feb 22, 2014

Products (1)

  • Cisco Aironet 1250 Series

Known Affected Releases

3.0(59.0)

Description (partial)

Symptom:

12.3(8) and above release notes should state that the command "authentication client" could violate the RFC 3748.

Conditions:

In all the release notes from 12.3(8) and above

http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_release_notes_list.html

under the section "Important Notes", a new paragraph called "Potential RFC 3748 Violation" should be added, stating the following:

-------------------------------------------------------------------------
If the following command is configured under the SSID settings for LEAP authentication:

authentication client username <WORD> password [0 | 7] <LINE>

and the first Access-Challenge returned by the RADIUS server after the AP's Access-Request is not for the LEAP method but for another method (EAP-MD5, for example), the AP will violate RFC 3748.
Instead of sending an EAP Nak requesting LEAP, the AP will send the user's credentials with EAP-MD5 and then drop the derived keys, since it is unable to read the EAP-MD5 result from the Access-Accept.

This is a violation of RFC 3748.

The workaround for this is to use the commands "dot1x credentials" and "dot1x eap profile" for LEAP authentication, as described in the following section:

http://cisco.com/en/US/docs/wireless/access_point/12.4_3g_JA/configuration/guide/s43auth.html#wp1071514
-------------------------------------------------------------------------

The documentation needs to be updated, as confirmed by the discussion and closing comments of CSCtb40464.