Cisco Bug: CSCtb62187 - 12.3(8) release notes "authentication client" could violate 3748 RFC

Last Modified

Feb 22, 2014

Products (1)

  • Cisco Aironet 1250 Series

Known Affected Releases


Description (partial)


Release notes for 12.3(8) and above should state that the command "authentication client" could violate RFC 3748.


In all release notes from 12.3(8) and above, under the section "Important Notes", a new paragraph called "Potential RFC 3748 Violation" should be added, stating the following:

If the following command is configured under the SSID settings for LEAP authentication

authentication client username <WORD> password [0 | 7] <LINE>

and the first access-challenge returned by the RADIUS server after the access-request from the AP is not for the LEAP method but, for example, for EAP-MD5, the AP will violate RFC 3748.
Instead of sending an EAP NAK requesting LEAP authentication, the AP will send the user's credentials with EAP-MD5 and then drop the derived keys, since it won't be able to read the EAP-MD5 from the access-accept.

This is a violation of RFC 3748.
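
The expected exchange, as an added example that is not part of the bug record or Cisco code: a peer configured for LEAP only (EAP type 17) answers an MD5-Challenge request (type 4) with a Legacy Nak (type 3), and a capture check flags a peer that answers with the offered method instead. The function names and sample packets are constructed for illustration; Expanded Nak (type 254) is not handled.

```python
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
T_IDENTITY, T_NOTIFICATION, T_NAK, T_MD5, T_LEAP = 1, 2, 3, 4, 17

def parse_eap(pkt: bytes):
    """Split an EAP Request/Response into (code, identifier, type, type_data)."""
    if len(pkt) < 5:
        raise ValueError("too short for an EAP Request/Response")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in (EAP_REQUEST, EAP_RESPONSE) or not 5 <= length <= len(pkt):
        raise ValueError("not a well-formed EAP Request/Response")
    return code, ident, pkt[4], pkt[5:length]

def build_eap(code, ident, eap_type, type_data=b""):
    """Serialize an EAP Request/Response; Length covers header, Type and data."""
    return struct.pack("!BBHB", code, ident, 5 + len(type_data), eap_type) + type_data

def nak_if_unacceptable(request: bytes, acceptable: list):
    """Peer side: return a Legacy Nak listing the acceptable methods, or None
    when the requested type may be answered directly."""
    code, ident, req_type, _ = parse_eap(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP-Request")
    if req_type < 4 or req_type in acceptable:  # Nak only answers types >= 4
        return None
    return build_eap(EAP_RESPONSE, ident, T_NAK, bytes(acceptable) or b"\x00")

def response_follows_policy(request: bytes, response: bytes, acceptable: list):
    """Capture check: False when the peer answered an unacceptable method with
    a non-Nak response (the behaviour the note describes)."""
    _, req_id, req_type, _ = parse_eap(request)
    code, resp_id, resp_type, _ = parse_eap(response)
    if code != EAP_RESPONSE or resp_id != req_id:
        raise ValueError("response does not match the request")
    if req_type >= 4 and req_type not in acceptable:
        return resp_type == T_NAK
    return True

# Constructed sample: server offers MD5-Challenge (16-byte challenge), id 0x2a.
MD5_REQUEST = build_eap(EAP_REQUEST, 0x2A, T_MD5, b"\x10" + bytes(16))
# Constructed sample: a peer that answers with MD5 anyway (16-byte value).
MD5_RESPONSE = build_eap(EAP_RESPONSE, 0x2A, T_MD5, b"\x10" + bytes(16))

if __name__ == "__main__":
    print("expected reply:", nak_if_unacceptable(MD5_REQUEST, [T_LEAP]).hex())
    print("MD5 reply compliant:",
          response_follows_policy(MD5_REQUEST, MD5_RESPONSE, [T_LEAP]))
```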

The workaround for this is to use the commands "dot1x credentials" and "dot1x eap profile" for LEAP authentication, as described in the following section:

The documentation needs to be updated, as confirmed by the discussion and the closing comments of CSCtb40464.