Cisco Bug: CSCua86441 - ISE drops RADIUS request with no username, violating RFC 2865
Feb 27, 2018
- Cisco Identity Services Engine
Known Affected Releases
Symptom: When a valid RADIUS packet that is missing attribute 1 (Username) is sent to ISE, ISE drops the packet. Per the RFC, the packet should be processed, because Username is not a required attribute.

From section 4.1 of RFC 2865:

An Access-Request SHOULD contain a User-Name attribute. It MUST contain either a NAS-IP-Address attribute or a NAS-Identifier attribute (or both). An Access-Request MUST contain either a User-Password or a CHAP-Password or a State. An Access-Request MUST NOT contain both a User-Password and a CHAP-Password. If future extensions allow other kinds of authentication information to be conveyed, the attribute for that can be used in an Access-Request instead of User-Password or CHAP-Password.

Conditions: ISE 188.8.131.525
A RADIUS request containing all the required attributes but missing the Username attribute.