...
When aaa dot1x accounting and TrustSec accounting are both enabled, RADIUS accounting does not work. When the ISE receives an accounting packet, it receives the following error.
The following command needs to be present on the device:

    aaa accounting dot1x default start-stop group radius
Two workarounds:

1. Disable aaa accounting:

    no aaa accounting dot1x default start-stop group radius

2. Define two AAA server groups: one with PAC for TrustSec and the other without PAC for non-TrustSec. Below is a snippet of sample configuration for Catalyst 3850 03.03.02SE, tested OK with ISE:

    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !! Define two radius servers;
    !! one uses ports 1645 and 1646 and
    !! the other uses PAC and ports 1812 and 1813
    radius server ise.demo.local
     address ipv4 10.1.100.21 auth-port 1645 acct-port 1646
     automate-tester username radius-test ignore-acct-port idle-time 5
     key ISEc0ld
    !
    radius server ise.demo.local+pac
     address ipv4 10.1.100.21 auth-port 1812 acct-port 1813
     pac key ISEc0ld
    !
    aaa group server radius ISE+PAC
     server name ise.demo.local+pac
    !
    aaa group server radius ISE
     server name ise.demo.local
    !
    aaa authentication dot1x default group ISE
    aaa authentication dot1x authc-dot1x group ISE
    aaa authorization network default group ISE
    aaa authorization network cts-mlist group ISE+PAC
    aaa accounting update newinfo periodic 15
    aaa accounting dot1x default start-stop group ISE
    aaa accounting network acct-net start-stop group ISE
    !
    !
    aaa server radius dynamic-author
     client 10.1.100.21 server-key ISEc0ld
     auth-type any
    !
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server attribute 31 mac format ietf upper-case
    radius-server attribute 31 send nas-port-detail
    !
    !
    aaa new-model
    aaa session-id common
    !
    !
    !!!! CTS configuration !!!!!!!!!
    cts authorization list cts-mlist
    cts sgt 2
    cts logging verbose
    cts role-based enforcement
    cts role-based enforcement vlan-list 10,20,99-100,200
The documentation guide for TrustSec shows that aaa accounting is enabled; however, once that is done the RADIUS accounting is broken and we see the following error when the ISE receives an accounting packet:

    11038 RADIUS Accounting-Request header contains invalid Authenticator field
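
The Authenticator field named in this error is defined in RFC 2866 as an MD5 over the packet with the shared secret appended, so a packet signed with any key other than the one the server holds fails the check. The following is an added example, not code from the original page or from Cisco: it recomputes that value so a captured Accounting-Request can be tested against a candidate key. The sample attributes and `OTHER_KEY` are constructed, and the shared secret is the one from the sample configuration above.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS Code for Accounting-Request (RFC 2866)

def acct_authenticator(code, ident, attrs, secret):
    """Request Authenticator per RFC 2866 section 3:
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def build_accounting_request(ident, attrs, secret):
    """Build a packet the way a NAS would, signing it with `secret`."""
    auth = acct_authenticator(ACCOUNTING_REQUEST, ident, attrs, secret)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + auth + attrs

def verify_accounting_request(packet, secret):
    """Return True if the packet's Authenticator was computed with `secret`."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not match the data received")
    attrs = packet[20:length]  # octets past Length are padding and are ignored
    expected = acct_authenticator(code, ident, attrs, secret)
    return hmac.compare_digest(expected, packet[4:20])

def attr(type_, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", type_, len(value) + 2) + value

# Constructed sample: Acct-Status-Type = Start (40) and Acct-Session-Id (44).
SAMPLE_ATTRS = attr(40, struct.pack("!I", 1)) + attr(44, b"00000001")
SERVER_SECRET = b"ISEc0ld"            # key from the sample configuration
OTHER_KEY = b"constructed-other-key"  # assumption: any key the server lacks

if __name__ == "__main__":
    good = build_accounting_request(7, SAMPLE_ATTRS, SERVER_SECRET)
    bad = build_accounting_request(7, SAMPLE_ATTRS, OTHER_KEY)
    print("signed with server secret:", verify_accounting_request(good, SERVER_SECRET))
    print("signed with another key:  ", verify_accounting_request(bad, SERVER_SECRET))
```

Feeding the raw UDP payload of a captured Accounting-Request to `verify_accounting_request` with the configured key shows whether the device signed the packet with that key.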