Cisco Bug: CSCus44443 - ISE authentication duplication mechanism not using calling station id

Last Modified

Feb 25, 2018

Products (1)

  • Cisco Identity Services Engine (ISE) 3300 Series Appliances

Known Affected Releases

1.3(131.103)

Description (partial)

Symptom:
ISE has a mechanism to detect duplicate RADIUS requests. It should be based not only on the RADIUS ID but also on the Calling-Station-Id. This is critical in deployments with a huge number of endpoints (e.g. a WLC or FlexVPN with 200+ sessions). If reauthentication occurs, for example as a result of a link going down and up, ISE will receive hundreds of Access-Requests, but for some of those the RADIUS ID will be the same (because it is just a one-byte value). In that scenario ISE will incorrectly detect them as duplicates.

This is a bug, since ISE should use at least the Calling-Station-Id as an additional attribute for duplicate detection.

Conditions:
none
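
The collision described in the symptom, as an added example that is not Cisco's code: a simplified duplicate cache keyed on NAS address and RADIUS Identifier, compared with one that also includes the Calling-Station-Id. The cache model, the function names, the NAS address and the MAC addresses are assumptions constructed for illustration.

```python
from collections import namedtuple

# Simplified view of an Access-Request: only the fields this bug is about.
Request = namedtuple("Request", "nas_ip radius_id calling_station_id")

def reauth_burst(nas_ip, sessions):
    """Constructed sample: one Access-Request per session after a link flap.

    The RADIUS Identifier is a single octet, so it wraps after 256 requests.
    """
    return [
        Request(nas_ip, i % 256, "00-11-22-00-%02X-%02X" % (i >> 8, i & 0xFF))
        for i in range(sessions)
    ]

def key_id_only(req):
    # Assumed model of the behaviour the bug describes.
    return (req.nas_ip, req.radius_id)

def key_with_calling_station(req):
    # The additional attribute the bug report asks for.
    return (req.nas_ip, req.radius_id, req.calling_station_id)

def flagged_as_duplicate(requests, key_fn):
    """Return the requests a cache keyed by key_fn would treat as duplicates.

    Assumes every request arrives inside the detection window.
    """
    seen, flagged = set(), []
    for req in requests:
        key = key_fn(req)
        if key in seen:
            flagged.append(req)
        else:
            seen.add(key)
    return flagged

if __name__ == "__main__":
    burst = reauth_burst("192.0.2.10", 300)   # 300 distinct endpoints
    burst.append(burst[0])                    # one genuine retransmission
    for key_fn in (key_id_only, key_with_calling_station):
        hits = flagged_as_duplicate(burst, key_fn)
        endpoints = {r.calling_station_id for r in hits}
        print(key_fn.__name__, len(hits), "flagged,", len(endpoints), "endpoints")
```

With the wider key only the genuine retransmission is flagged, while the Identifier-only key also discards first-time requests from distinct endpoints whose Identifier has wrapped.
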