Guest

Preview Tool

Cisco Bug: CSCuq32696 - PSN removes removes proxy-state attributes from IPN

Last Modified

Jun 09, 2016

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

1.2(0.899)

Description (partial)

Symptom:
Topology:
VPN client <-> ASA <-> IPEP <-> PSN (proxy) <-> external RADIUS.

IPEP is proxying Radius requests from the ASA to the PSN and hence inserts a proxy state attribute in request.
PSN configured in proxy mode and doing authentication against external RADIUS server hence inserts another proxy state attribute.
When reply is received from external RADIUS PSN must remove own proxy state attribute before passing it back to IPEP, instead it removes both own and IPEP proxy attributes, hence authorization on IPEP fails.

Conditions:
ISE VPN IPEP deployment with PSN configured in proxy mode.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.