Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
650
Views
0
Helpful
1
Replies

ACS - reject on failure instead of dropping packets

thomas.kirsch
Level 1
Level 1

‎03-11-2015 06:23 AM - edited ‎03-10-2019 10:32 PM

Hello,

We are currently having an issue with ACS when using PKI authentication with a Alcatel SR router. The following error occurs:

Evaluating Service Selection Policy
15004  Matched rule
15012  Selected Access Service - Test Service - Radius
11021  RADIUS could not decipher password. packet missing necessary attributes
11021  RADIUS could not decipher password. packet missing necessary attributes
 

    
The problem is that the SR router sends a package which does not comply to any of the RADIUS authentication protocols (EAP, PAP , CHAP,...). 

As a consequence, the package gets dropped, no response is sent back to the router and the RADIUS status in the router is set to "down". Is there a way to configure ACS to send a reject message in case such a packet is received? I know that there is such a setting for identity policies but the process already fails before an identity policy is chosen...

Please note that the PKI authentication is just needed for local users on the router. As the priority is 1.) Radius 2.) Local (we need this priority), the request is sent to ACS although RADIUS PKI is not yet supported by the device. 

 

 

Thx in advance

 

 

Labels:
0 Helpful
1 Reply 1

mohanak
Cisco Employee
Cisco Employee

‎03-11-2015 07:07 AM

ACS doesn't reply with "Access-Reject" for request sent without user/pw
CSCuc93503
 
Description
Symptom:

RADIUS Request dropped : 11021 RADIUS could not decipher password. packet missing necessary attributes
The message is presented in logs, however nothing is sent back to a client.

Conditions:
Cisco ACS 5.x version

Workaround:

Correct the client, so it will not generate RADIUS requests without user or password fields.
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
 
 
0 Helpful
Customers Also Viewed These Support Documents