Cisco Bug: CSCuj34004 - User name change detected for the session removes all session attributes

Last Modified

Mar 16, 2019

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

  • 1.1(4.218)
  • 1.2(0.899)

Description (partial)

Symptom:
Machine authentication followed by user authentication on the same session produces the message "User name change detected for the session. Attributes for the session will be removed from the cache."
When the username on a session changes, this cleanup removes all session attributes, including those in the whitelist category (attrsToKeep). This can cause an authorization (authz) evaluation failure in which the first user authentication falls into the wrong authz profile.
As long as the configured authorization policies do not use any Session-related attribute (e.g. Session.PostureStatus), a username change will not cause those policies to break.

Conditions:
The issue is seen with machine authentication followed by user authentication, where a username change is detected for the session and the configured authorization (authz) policies use a Session-related attribute.

For example, an authz policy has the condition "Session:PostureStatus EQUALS Unknown".
For the machine authentication, the session can carry the attribute Session.PostureStatus=Unknown.
On the same session, the first user authentication attempt can then produce "User name change detected for the session. Attributes for the session will be removed from the cache".
This username change cleans up the session attributes and so causes the authz evaluation to fail: the evaluation ends up with "Attribute Session.PostureStatus value is null", which no longer meets the authz policy condition.
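As an added illustration (not Cisco ISE code), the following Python model reproduces the failure mode above: a session attribute cache that, on a username change, either drops every attribute (the behaviour this bug describes) or keeps the whitelisted ones, followed by an evaluation of the "Session:PostureStatus EQUALS Unknown" condition. The whitelist contents, account names and function names are assumptions.

```python
# Constructed model of the CSCuj34004 failure mode; not Cisco ISE code.
# Attribute and condition names follow the bug text; everything else is assumed.

ATTRS_TO_KEEP = {"Session.PostureStatus"}  # assumed whitelist (attrsToKeep)


class SessionCache:
    """Per-session attribute store keyed by the authenticated username."""

    def __init__(self, keep_whitelist_on_rename):
        self.keep_whitelist_on_rename = keep_whitelist_on_rename
        self.username = None
        self.attrs = {}

    def authenticate(self, username, attrs=None):
        """Record an authentication on this session; a change of username
        (machine account followed by a user account) triggers the cleanup."""
        if self.username is not None and self.username != username:
            self._cleanup_on_username_change()
        self.username = username
        self.attrs.update(attrs or {})

    def _cleanup_on_username_change(self):
        if self.keep_whitelist_on_rename:
            # Expected behaviour: whitelisted attributes survive the cleanup.
            self.attrs = {k: v for k, v in self.attrs.items() if k in ATTRS_TO_KEEP}
        else:
            # Behaviour described in the bug: every attribute is dropped.
            self.attrs = {}


def evaluate_equals(session, attribute, expected):
    """Evaluate an authz condition 'Session:<attribute> EQUALS <expected>'.
    Returns (matched, observed_value); a null attribute never matches."""
    value = session.attrs.get(attribute)
    return value == expected, value


def run_scenario(keep_whitelist_on_rename):
    """Machine auth sets PostureStatus=Unknown, then the first user auth
    happens on the same session. Returns (matched, observed_value)."""
    session = SessionCache(keep_whitelist_on_rename)
    session.authenticate("host/PC01.example.com",  # constructed machine account
                         {"Session.PostureStatus": "Unknown"})
    session.authenticate("jdoe")  # constructed user account, same session
    return evaluate_equals(session, "Session.PostureStatus", "Unknown")
```

With the buggy cleanup the observed value is None and the condition does not match, which is the "value is null" evaluation that sends the user into the wrong authz profile; with whitelist retention the condition still matches.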