Cisco Bug: CSCua86441 - ISE drops RADIUS request with no username violating RFC 2865

Last Modified

Feb 27, 2018

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

1.1(0.665.1)

Description (partial)

Symptom:
When a valid RADIUS packet that is missing attribute 1 (User-Name) is sent to ISE, ISE drops the packet. Per the RFC, the packet should be processed, because User-Name is not a required attribute.
From section 4.1 of RFC 2865:
      An Access-Request SHOULD contain a User-Name attribute.  It MUST
      contain either a NAS-IP-Address attribute or a NAS-Identifier
      attribute (or both).

      An Access-Request MUST contain either a User-Password or a CHAP-
      Password or a State.  An Access-Request MUST NOT contain both a
      User-Password and a CHAP-Password.  If future extensions allow
      other kinds of authentication information to be conveyed, the
      attribute for that can be used in an Access-Request instead of
      User-Password or CHAP-Password.

Conditions:
ISE 1.1.0.665
A RADIUS request that contains all the required attributes but is missing the User-Name attribute.