Solved: Authentication failure for switch username on CAT6K when service password-encryption is enabled

umahar · ‎03-29-2016

Hello,

We have encountered an issue on Cat6K SUP720 running 12.2(33)SXI9 with the following command.

radius-server host <ip address –PSN1> test username <radius-test> idle-time X key <key>

If service password-encryption is enabled on the switch the PAP_ASCII authentication is failing on ISE.

If there is no service password-encryption enabled on the switch the authentication is passing.

The logs on ISE are as follows.

Root Cause :- Wrong password or invalid shared secret

DetailInfo :- UserPassword is corrupted.

Is this a known issue ?

hslai · ‎03-30-2016

I've seen this and it's a IOS bug. Please work with our IOS platform team to resolve it.

hslai · ‎03-30-2016

I've seen this and it's a IOS bug. Please work with our IOS platform team to resolve it.

umahar · ‎03-31-2016

Thank You Hsing-Tsu Lai.

Can you direct me to the IOS platform team which can address this.

hslai · ‎04-01-2016

If you are a Cisco customer/partner, please open a TAC case to address your concerns. Otherwise, I believe I already responded offline.