Cisco Bug: CSCvs54585 - auth fail for the second shared Secret

Last Modified

Jan 23, 2020

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

2.6(0.100)

Description (partial)

Symptom:
The second shared secret does not work for Cisco devices, for example ASA, Nexus switches, the 3945 router, 3850 series switches, etc.

Lab tested:
 
1: 3945 router configured with the first shared secret (same as on ISE): authentication works.
    
radius server test
 address ipv4 yy.yy.yy.yy  auth-port 1645 acct-port 1646
 key xx  (same as the first shared secret on ISE)
 
2: 3945 router configured with the second shared secret (same as on ISE): authentication fails, and the ISE live log shows "22040 Wrong password or invalid shared secret".
    
radius server test
 address ipv4 yy.yy.yy.yy  auth-port 1645 acct-port 1646
 key yy  (same as the second shared secret on ISE)
 
 

 
3: The corresponding info from the support bundle (corresponding to the live log of step 3):
  
HAPFlow::shouldInvoke,RadiusCHAPFlow.cpp:71
RadiusCHAPFlow,2019-12-13 14:01:29,998,DEBUG,0x7fac39099700,cntx=0000087226,sesn=ise26b/364116634/159,CPMSessionID=0a7c3d6bAB1CQ9OcZG/KitQTGPMaTT6ttDfYLSrCo3mdRlOT0KU,user=test123,RadiusCHAPFlow::validateContext,RadiusCHAPFlow.cpp:79
RadiusCHAPFlow,2019-12-13 14:01:29,998,DEBUG,0x7fac39099700,cntx=0000087226,sesn=ise26b/364116634/159,CPMSessionID=0a7c3d6bAB1CQ9OcZG/KitQTGPMaTT6ttDfYLSrCo3mdRlOT0KU,user=test123,ChapPassword is missing or invalid,RadiusCHAPFlow.cpp:113
RadiusPAPFlow,2019-12-13 14:01:29,998,DEBUG,0x7fac39099700,cntx=0000087226,sesn=ise26b/364116634/159,CPMSessionID=0a7c3d6bAB1CQ9OcZG/KitQTGPMaTT6ttDfYLSrCo3mdRlOT0KU,user=test123,RadiusPAPFlow::validateContext,RadiusPAPFlow.cpp:142
RadiusPAPFlow,2019-12-13 14:01:29,998,DEBUG,0x7fac39099700,cntx=0000087226,sesn=ise26b/364116634/159,CPMSessionID=0a7c3d6bAB1CQ9OcZG/KitQTGPMaTT6ttDfYLSrCo3mdRlOT0KU,user=test123,RadiusPAPFlow::isMandatoryAttributePresent,RadiusPAPFlow.cpp:98
RadiusPAPFlow,2019-12-13 14:01:29,998,DEBUG,0x7fac39099700,cntx=0000087226,sesn=ise26b/364116634/159,CPMSessionID=0a7c3d6bAB1CQ9OcZG/KitQTGPMaTT6ttDfYLSrCo3mdRlOT0KU,user=test123,All mandatory attributes are present,RadiusPAPFlow.cpp:130
EventHandler,2019-12-13 14:01:29,998,DEBUG,0x7fac39099700,Stack: 0x7facb0146d90 Calling RadiusPAPFlow: Method MethodCaller<RadiusPAPFlow, AuthenticateEvent> in thread: 140377668032256,EventStack.cpp:204
RadiusPAPFlow,2019-12-13 14:01:29,998,DEBUG,0x7fac39099700,cntx=0000087226,sesn=ise26b/364116634/159,CPMSessionID=0a7c3d6bAB1CQ9OcZG/KitQTGPMaTT6ttDfYLSrCo3mdRlOT0KU,user=test123,RadiusPAPFlow::validateContext,RadiusPAPFlow.cpp:142
RadiusPAPFlow,2019-12-13 14:01:29,998,DEBUG,0x7fac39099700,cntx=0000087226,sesn=ise26b/364116634/159,CPMSessionID=0a7c3d6bAB1CQ9OcZG/KitQTGPMaTT6ttDfYLSrCo3mdRlOT0KU,user=test123,RadiusPAPFlow::isMandatoryAttributePresent,RadiusPAPFlow.cpp:98
RadiusPAPFlow,2019-12-13 14:01:29,998,DEBUG,0x7fac39099700,cntx=0000087226,sesn=ise26b/364116634/159,CPMSessionID=0a7c3d6bAB1CQ9OcZG/KitQTGPMaTT6ttDfYLSrCo3mdRlOT0KU,user=test123,All mandatory attributes are present,RadiusPAPFlow.cpp:130
PolicyUtils,2019-12-13 14:01:29,998,DEBUG,0x7fac39099700,cntx=0000087226,sesn=ise26b/364116634/159,CPMSessionID=0a7c3d6bAB1CQ9OcZG/KitQTGPMaTT6ttDfYLSrCo3mdRlOT0KU,user=test123,PolicyUtils::getServiceObject serviceID=1000001245, nVersionID = 639, ServiceObjectTypeID=1081,PolicyUtils.cpp:68
DeviceProfileManager,2019-12-13 14:01:29,998,DEBUG,0x7fac39099700,NIL-CONTEXT,getDeviceProfileByContext: Acs::NetworkDeviceProfileID = b0699505-3150-4215-a80e-6753d45bf56c,DeviceProfileManagerUtils.cpp:184
DeviceProfileManager,2019-12-13 14:01:29,998,DEBUG,0x7fac39099700,NIL-CONTEXT,DeviceProfileManager::getDeviceProfile - Device profile b0699505-3150-4215-a80e-6753d45bf56c was found !,DeviceProfileManager.cpp:88
DeviceProfileManager,2019-12-13 14:01:29,998,DEBUG,0x7fac39099700,NIL-CONTEXT,DeviceAuthProfile::getAllowedProtocols: found DeviceProfile, returning it's allowed protocols,DeviceAuthProfile.cpp:85
Protocol,2019-12-13 14:01:29,998,DEBUG,0x7fac39099700,NIL-CONTEXT,detectMACAuthenticationOnPAP: result is True ,Protocol.cpp:442
DeviceProfileManager,2019-12-13 14:01:29,998,DEBUG,0x7fac39099700,NIL-CONTEXT,getDeviceProfileByContext: Acs::NetworkDeviceProfileID = b0699505-3150-4215-a80e-6753d45bf56c,DeviceProfileManagerUtils.cpp:184
DeviceProfileManager,2019-12-13 14:01:29,998,DEBUG,0x7fac39099700,NIL-CONTEXT,DeviceProfileManager::getDeviceProfile - Device profile b0699505-3150-4215-a80e-6753d45bf56c was found !,DeviceProfileManager.cpp:88
DeviceProfileManager,2019-12-13 14:01:29,998,DEBUG,0x7fac39099700,NIL-CONTEXT,DeviceAuthProfile::getAllowedProtocols: found DeviceProfile, returning it's allowed protocols,DeviceAuthProfile.cpp:85
Protocol,2019-12-13 14:01:29,998,DEBUG,0x7fac39099700,NIL-CONTEXT,detectCheckPwdOnMACAuthOnPAP: result is True ,Protocol.cpp:472
RadiusPAPFlow,2019-12-13 14:01:29,998,DEBUG,0x7fac39099700,cntx=0000087226,sesn=ise26b/364116634/159,CPMSessionID=0a7c3d6bAB1CQ9OcZG/KitQTGPMaTT6ttDfYLSrCo3mdRlOT0KU,user=test123,RADIUSUserPasswordValidator::decryptUserPassword,RADIUSUserPasswordValidator.cpp:44
EventHandler,2019-12-13 14:01:30,000,DEBUG,0x7fac39099700,Stack: 0x7facb0146d90 Calling PAPAuthenticator: Method MethodCaller<Authenticator<PAPAuthenticator>, AuthenticateEvent> in thread: 140377668032256,EventStack.cpp:204
PAPAuthenticator,2019-12-13 14:01:30,001,DEBUG,0x7fac39099700,cntx=0000087226,sesn=ise26b/364116634/159,CPMSessionID=0a7c3d6bAB1CQ9OcZG/KitQTGPMaTT6ttDfYLSrCo3mdRlOT0KU,user=test123,PAPAuthenticator::validateEvent Failed to decipher password,PAPAuthenticator.cpp:82
Logging,2019-12-13 14:01:30,001,DEBUG,0x7fac39099700,cntx=0000087226,sesn=ise26b/364116634/159,CPMSessionID=0a7c3d6bAB1CQ9OcZG/KitQTGPMaTT6ttDfYLSrCo3mdRlOT0KU,user=test123,Long step processing: msg_code=22040, has failure reason=yes, last step time=1576216889993, curtime=1576216890001, last step latency=8,LogNotificationCenter.cpp:614
Logging,2019-12-13 14:01:30,001,DEBUG,0x7fac39099700,cntx=0000087226,sesn=ise26b/364116634/159,CPMSessionID=0a7c3d6bAB1CQ9OcZG/KitQTGPMaTT6ttDfYLSrCo3mdRlOT0KU,user=test123,LogNotificationCenter::recordStepWithDataIfNeed: message code is 22040, step supplement is empty,LogNotificationCenter.cpp:764
 

4: Tested a 3850 switch in the TAC lab; the same issue can be reproduced.

Conditions:
If the device is configured with the same second shared secret as ISE, ISE always reports the error below:

"22040 Wrong password or invalid shared secret",
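The failure path in the step 3 log (decryptUserPassword, then "Failed to decipher password" and message code 22040) follows from how RADIUS PAP hides User-Password with the shared secret (RFC 2865, section 5.2). The sketch below is an added example, not ISE code: the secrets, password and authenticator are constructed values, and trying each configured secret in turn is an assumption about how a two-secret server could behave.

```python
import hashlib
import hmac

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: build the User-Password value (RFC 2865, section 5.2)."""
    size = max(16, -(-len(password) // 16) * 16)   # pad with NULs to a 16-byte multiple
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block             # next block chains on this ciphertext
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding. A wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def matching_secret(hidden, authenticator, secrets, stored_password):
    """Index of the first configured secret that recovers the stored password, else None."""
    for idx, secret in enumerate(secrets):
        candidate = recover_password(hidden, secret, authenticator)
        if hmac.compare_digest(candidate, stored_password):
            return idx
    return None

# Constructed sample values (stand-ins for the redacted "xx" / "yy" keys on the page).
SECRETS = [b"first-secret-xx", b"second-secret-yy"]
AUTHENTICATOR = bytes(range(16))       # constructed 16-byte Request Authenticator
PASSWORD = b"lab-password"             # constructed password for user test123

def demo():
    hidden = hide_password(PASSWORD, SECRETS[1], AUTHENTICATOR)  # NAS keyed with 2nd secret
    only_first = matching_secret(hidden, AUTHENTICATOR, SECRETS[:1], PASSWORD)
    both = matching_secret(hidden, AUTHENTICATOR, SECRETS, PASSWORD)
    return only_first, both

if __name__ == "__main__":
    print(demo())
```

When only the first secret is tried, a request keyed with the second one cannot be told apart from a wrong password, which is the ambiguity the 22040 message text reflects.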