https://community.cisco.com/t5/wireless/wlc-5502-not-sending-message-authenticator-attribute-to-ise/m-p/5228473#M278109 <P>disable Op of allow protocol will apply to these AP only not all device&nbsp;</P> <P>MHM</P> Mon, 25 Nov 2024 14:11:03 GMT MHM Cisco World 2024-11-25T14:11:03Z https://community.cisco.com/t5/wireless/wlc-5502-not-sending-message-authenticator-attribute-to-ise/m-p/5228414#M278095 <P>Hello team, I hope you're well</P> <P>I have a problem that when I enable the Require Message-Authenticator Attribute in the ISE, the network that uses the guest portal stops working because the ISE drops all connection requests because it does not have the Message Authenticator, however in the other WLCs I do not have this problem, only in this 5502, has anyone experienced this and gotten a workaround?&nbsp;I have already checked the settings between the wlcs in order to find any difference and enable, but I have not identified it</P> <P>WLC Version&nbsp;<SPAN>8.3.150.3</SPAN></P> Mon, 25 Nov 2024 12:57:17 GMT https://community.cisco.com/t5/wireless/wlc-5502-not-sending-message-authenticator-attribute-to-ise/m-p/5228414#M278095 Vinicius Monteiro 2024-11-25T12:57:17Z https://community.cisco.com/t5/wireless/wlc-5502-not-sending-message-authenticator-attribute-to-ise/m-p/5228426#M278096 <P>&nbsp;</P> <P>&nbsp; - As per&nbsp;<A href="https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html</A><BR />&nbsp; &nbsp;you should<U> first</U> upgrade to <FONT color="#008000"><STRONG>8.10.196.0</STRONG></FONT> and try again , <FONT color="#FF6600"><EM>8.3.x is very old ,</EM></FONT></P> <P>&nbsp;M.</P> Mon, 25 Nov 2024 13:10:35 GMT https://community.cisco.com/t5/wireless/wlc-5502-not-sending-message-authenticator-attribute-to-ise/m-p/5228426#M278096 Mark Elsen 2024-11-25T13:10:35Z https://community.cisco.com/t5/wireless/wlc-5502-not-sending-message-authenticator-attribute-to-ise/m-p/5228432#M278098 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TEAP.JPG" style="width: 776px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/234483i6E8A1834A0E236F5/image-size/large?v=v2&amp;px=999" role="button" title="TEAP.JPG" alt="TEAP.JPG" /></span></P> <P>require Message-auth &lt;&lt;- dont select this op in ISE and I think it will work&nbsp;</P> <P>MHM</P> Mon, 25 Nov 2024 13:18:50 GMT https://community.cisco.com/t5/wireless/wlc-5502-not-sending-message-authenticator-attribute-to-ise/m-p/5228432#M278098 MHM Cisco World 2024-11-25T13:18:50Z https://community.cisco.com/t5/wireless/wlc-5502-not-sending-message-authenticator-attribute-to-ise/m-p/5228455#M278105 <P>Hi guys,&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/291804">@Mark Elsen</a>&nbsp;and&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752">@MHM Cisco World</a>&nbsp;&nbsp;thanks for the suggestions</P> <P>Just to clarify in this environment I cannot apply an update as there are APs that are not supported in version 8.10 and not checking the option is also not an option as I am trying to mitigate CVE-2024-3596 Blast Radius, which ISE is vulnerable to</P> Mon, 25 Nov 2024 13:51:21 GMT https://community.cisco.com/t5/wireless/wlc-5502-not-sending-message-authenticator-attribute-to-ise/m-p/5228455#M278105 Vinicius Monteiro 2024-11-25T13:51:21Z https://community.cisco.com/t5/wireless/wlc-5502-not-sending-message-authenticator-attribute-to-ise/m-p/5228461#M278106 <P>&nbsp;</P> <P>&nbsp; &nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1737313">@Vinicius Monteiro</a>&nbsp;wrote : &gt;<EM>Just to clarify in this environment<FONT color="#FF0000"> I cannot apply an update </FONT>as there are APs that are not supported in version 8.10&nbsp;</EM><BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; - This should be considered a<FONT color="#FF0000"> fatal showstopper</FONT> these days ; the aireos models are EOL and using the last release made available has become<STRONG> mandatory</STRONG> for this type&nbsp; of controllers.&nbsp; If not being able to use the extra features because of a bug then there is nothing more then <FONT color="#FF0000">(anything more)</FONT> then you can do , besides going back and <STRONG>not using</STRONG> that feature.<BR />If the restriction is due to certain older AP&nbsp; models , that also means that it is time to<FONT color="#008000"><U> modernize the wireless network ,&nbsp;</U></FONT></P> <P>&nbsp;M.</P> Mon, 25 Nov 2024 14:00:49 GMT https://community.cisco.com/t5/wireless/wlc-5502-not-sending-message-authenticator-attribute-to-ise/m-p/5228461#M278106 Mark Elsen 2024-11-25T14:00:49Z https://community.cisco.com/t5/wireless/wlc-5502-not-sending-message-authenticator-attribute-to-ise/m-p/5228473#M278109 <P>disable Op of allow protocol will apply to these AP only not all device&nbsp;</P> <P>MHM</P> Mon, 25 Nov 2024 14:11:03 GMT https://community.cisco.com/t5/wireless/wlc-5502-not-sending-message-authenticator-attribute-to-ise/m-p/5228473#M278109 MHM Cisco World 2024-11-25T14:11:03Z https://community.cisco.com/t5/wireless/wlc-5502-not-sending-message-authenticator-attribute-to-ise/m-p/5228866#M278150 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1737313">@Vinicius Monteiro</a>&nbsp;as per&nbsp;<A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/222287-blast-radius-cve-2024-3596-protocol-sp.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/222287-blast-radius-cve-2024-3596-protocol-sp.html</A>&nbsp;not all radius clients will send message authenticator on all requests and the option should <STRONG>only</STRONG> be enabled where you know that the radius client will <STRONG>always</STRONG> use message authenticator.</P> <P>As per&nbsp;<A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwk70846" target="_blank" rel="noopener">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwk70846</A>&nbsp;AireOS will only send&nbsp;message authenticator for&nbsp;<SPAN>EAP authentication flows which is strictly compliant with RFCs at the time of implementation.&nbsp; AireOS is end of life and this will not be changed (and certainly not ever in 8.3.x which is years past end of support!).&nbsp; As per the bug notes - if you need to protect that radius traffic (if it is exposed to interception for example across the internet) then you should transport it in IPSEC.&nbsp; If the radius is only transmitted across secure network links and devices (which you control and which should not be exposed to interception) then there is no real risk to start with.&nbsp; In that case you add it to your Risk Register and note that it is mitigated by transport over secure, controlled networks.&nbsp; If that's not good enough for your security team then ask them for the cash to upgrade all the equipment to current, supported technology.</SPAN></P> <P><SPAN>&gt;&nbsp;however in the other WLCs I do not have this problem, only in this 5502<BR />I presume you mean 5520? <BR />Are the other WLCs running the same version of code?<BR />Are the radius flows all identical? (for example maybe the others are EAP?)</SPAN></P> Tue, 26 Nov 2024 08:43:23 GMT https://community.cisco.com/t5/wireless/wlc-5502-not-sending-message-authenticator-attribute-to-ise/m-p/5228866#M278150 Rich R 2024-11-26T08:43:23Z