CSCwn09816 - RADIUS Shared Secret Masking

tamasd8
Level 1

Hi,

We have version 3.3.0.430 with patches 3, 4, 6 and 7 installed, and we are still hitting this bug.

The known fixed version is 3.3.0.430 patch 5. Won't patches 6 and 7 contain the fix from patch 5?

Additionally: we are hitting this when modifying a device on the Administration -> Network devices page (for example, adding a new IP will change the RADIUS password to ********). I can easily reproduce this with a test device.

9 Replies

Arne Bier
VIP

Patches are supposed to be cumulative - but maybe in this case the defect CSCwn09816 didn't get included? Hard to say - I would get TAC to look into this.

Do you have the Administration > System Security Settings "show Password in Plaintext" ticked, or unticked?


"show Password in Plaintext" is ticked

I will install patch 5 manually and see if it fixes it. If it doesn't, I'll open a TAC case.

Thanks for the reply, I'll get back with some info soon.

tamasd8
Level 1

@Arne Bier some progress, but not the good kind:

Since we had patch 6 and 7 installed, patch 5 was not allowed. So I had to remove 6 and 7, then install patch 5.

The issue is still present.

An easy way to reproduce it is to open a device's page, modify something, and DO NOT unhide the password, so it stays hidden. This way the password gets overwritten with the "*******" value - which is a crazy bug for ISE...

A workaround is to unhide any password before saving modifications.

Can anyone test whether this still happens in version 3.4?

I can't reproduce this in ISE 3.4. Having said that, I think I have experienced the bug in ISE 3.3 on one or two occasions, and I just thought it was user error. I was not aware of the bug at that time. But it's not a chronic problem and it's only happened once or twice.

I wonder if it might also have something to do with how the browser interacts with the page.

tamasd8
Level 1

I'm also suspecting the browser, but it could still potentially cause a big user impact. On 3.3 it is chronic, but we have been running it for quite a while now and it started doing this only recently.

Anyway, I installed 3.4 on our lab deployment, then installed patch 1, and it broke the whole thing. The ISE application is not starting anymore. I suspect a complete reinstall is needed, or maybe I will try installing patch 2 on top of it.

k2no
Level 1

Hi,

I had this issue a couple of times, even on ISE running 3.3 patch 3 through 7.

I never unchecked "show password in plain text" in the security settings, and it broke authentication for a few switches.

I suspect this issue was introduced in 3.3 patch 2 with the show-password feature, which could maybe be activated by default and "unchecked" when ISE "synchronizes" your current configuration. On some deployments only one switch is impacted; on others I saw more switches impacted.

I hope 3.4 will resolve it, but I have the feeling that only fresh 3.4 installs will not be impacted, and upgrading from a buggy 3.3 version could keep this issue...

I just reinstalled our LAB device with 3.4 patch 3 and I can confirm the issue still exists. I will open a TAC case about it.

I did a debug in the browser (Edge), and it is clear that the hidden password is being sent back to the ISE app server (can't attach a screenshot, sorry). Probably this is a browser issue.

Dustin Anderson
VIP Alumni

I have a test unit on 3.4 I can break at will. What browser are you using to try?

I can't reproduce it with Chrome or Firefox.

Thanks in advance, Dustin!

I use Edge, can't use anything else due to company policy.

To test it: go to Administration -> Network devices -> select a device -> add a new IP address (do not unhide the RADIUS password) -> save.

Go back to Network devices -> select the same device -> unhide the password -> for me it is a bunch of * characters instead of the actual password.

Tested it with Administration -> System -> Settings -> Security settings -> "Show password in plaintext" disabled, but it was the same.
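The failure mode the posters describe (the masked form field being posted back and stored as the real secret, and the workaround of unhiding the field before saving) comes down to how an update handler treats a masked value. The following is an added illustration, not ISE code and not tied to any Cisco API: it shows a naive update handler that stores whatever the form posts, a guarded handler that treats an all-asterisk or absent secret field as "unchanged" unless the form explicitly marks the secret as edited, and a small audit that flags stored secrets consisting only of asterisks, which is the symptom the thread reports. The device records, the `secret_edited` flag and the field names are constructed for the example.

```python
# Added example: handling a masked secret field on update, plus an audit for
# secrets that were clobbered with the mask value. Not ISE's implementation.

MASK_CHARS = {"*"}  # constructed: the thread reports secrets becoming a run of '*'
SECRET_FIELD = "radius_shared_secret"  # constructed field name


def looks_masked(value):
    """True for an empty/absent value or one made only of '*' characters."""
    return value is None or value == "" or set(value) <= MASK_CHARS


def update_device_naive(stored, submitted):
    """'Before' behaviour: every posted field overwrites the stored record.

    If the browser posts the masked placeholder for the secret field, the real
    shared secret is replaced by asterisks and RADIUS clients stop authenticating.
    """
    record = dict(stored)
    record.update(submitted)
    return record


def update_device_guarded(stored, submitted):
    """Guarded behaviour: the secret is only replaced when the form explicitly
    says it was edited (constructed flag `secret_edited`), and never with a
    value that looks like the mask placeholder.
    """
    record = dict(stored)
    secret_edited = bool(submitted.get("secret_edited", False))
    for key, value in submitted.items():
        if key == "secret_edited":
            continue  # control flag, not a device attribute
        if key == SECRET_FIELD and (not secret_edited or looks_masked(value)):
            continue  # keep the stored secret; the field was not really changed
        record[key] = value
    return record


def audit_masked_secrets(devices):
    """Return names of devices whose stored secret is only '*' characters.

    This is the check an operator would run over an export of the device list
    after hitting the bug described in the thread, before switches start failing.
    """
    return [d["name"] for d in devices if looks_masked(d.get(SECRET_FIELD))]


# Constructed sample data to run the example offline.
STORED = {"name": "sw01", "ip": "10.0.0.1", SECRET_FIELD: "s3cr3t-value"}
# What a browser posts after editing the IP while the secret stays hidden.
POSTED_MASKED = {"ip": "10.0.0.2", SECRET_FIELD: "********"}
# What a browser posts after the user unhides and genuinely changes the secret.
POSTED_CHANGED = {"ip": "10.0.0.2", SECRET_FIELD: "new-secret", "secret_edited": True}

if __name__ == "__main__":
    print("naive:  ", update_device_naive(STORED, POSTED_MASKED))
    print("guarded:", update_device_guarded(STORED, POSTED_MASKED))
    print("changed:", update_device_guarded(STORED, POSTED_CHANGED))
    print("audit:  ", audit_masked_secrets([STORED, update_device_naive(STORED, POSTED_MASKED)]))
```

The guarded handler keeps the stored secret when the posted value is the placeholder, so the "unhide before saving" workaround is no longer needed; the audit function gives a quick way to find devices whose secret has already been overwritten.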