Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
775
Views
3
Helpful
6
Replies

WLC 5502 Not Sending Message-Authenticator Attribute to ISE

Go to solution
Vinicius Monteiro
Level 1
Level 1

‎11-25-2024 04:56 AM - edited ‎11-25-2024 04:57 AM

Hello team, I hope you're well

I have a problem that when I enable the Require Message-Authenticator Attribute in the ISE, the network that uses the guest portal stops working because the ISE drops all connection requests because it does not have the Message Authenticator, however in the other WLCs I do not have this problem, only in this 5502, has anyone experienced this and gotten a workaround? I have already checked the settings between the wlcs in order to find any difference and enable, but I have not identified it

WLC Version 8.3.150.3

Labels:
Preview file
26 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rich R
VIP
VIP

‎11-26-2024 12:40 AM - edited ‎11-26-2024 12:43 AM

@Vinicius Monteiro as per https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/222287-blast-radius-cve-2024-3596-protocol-sp.html not all radius clients will send message authenticator on all requests and the option should only be enabled where you know that the radius client will always use message authenticator.

As per https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwk70846 AireOS will only send message authenticator for EAP authentication flows which is strictly compliant with RFCs at the time of implementation.  AireOS is end of life and this will not be changed (and certainly not ever in 8.3.x which is years past end of support!).  As per the bug notes - if you need to protect that radius traffic (if it is exposed to interception for example across the internet) then you should transport it in IPSEC.  If the radius is only transmitted across secure network links and devices (which you control and which should not be exposed to interception) then there is no real risk to start with.  In that case you add it to your Risk Register and note that it is mitigated by transport over secure, controlled networks.  If that's not good enough for your security team then ask them for the cash to upgrade all the equipment to current, supported technology.

> however in the other WLCs I do not have this problem, only in this 5502
I presume you mean 5520?
Are the other WLCs running the same version of code?
Are the radius flows all identical? (for example maybe the others are EAP?)

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

View solution in original post

0 Helpful
6 Replies 6

Go to solution
marce1000
Hall of Fame
Hall of Fame

‎11-25-2024 05:10 AM

 

  - As per https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html
   you should first upgrade to 8.10.196.0 and try again , 8.3.x is very old ,

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Go to solution
MHM Cisco World
VIP
VIP

‎11-25-2024 05:18 AM

TEAP.JPG

require Message-auth <<- dont select this op in ISE and I think it will work 

MHM

0 Helpful

Go to solution
Vinicius Monteiro
Level 1
Level 1

‎11-25-2024 05:51 AM

Hi guys, @marce1000 and @MHM Cisco World  thanks for the suggestions

Just to clarify in this environment I cannot apply an update as there are APs that are not supported in version 8.10 and not checking the option is also not an option as I am trying to mitigate CVE-2024-3596 Blast Radius, which ISE is vulnerable to

Go to solution
marce1000
Hall of Fame
Hall of Fame
In response to Vinicius Monteiro

‎11-25-2024 06:00 AM

 

   @Vinicius Monteiro wrote : >Just to clarify in this environment I cannot apply an update as there are APs that are not supported in version 8.10 
            - This should be considered a fatal showstopper these days ; the aireos models are EOL and using the last release made available has become mandatory for this type  of controllers.  If not being able to use the extra features because of a bug then there is nothing more then (anything more) then you can do , besides going back and not using that feature.
If the restriction is due to certain older AP  models , that also means that it is time to modernize the wireless network , 

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Go to solution
MHM Cisco World
VIP
VIP
In response to Vinicius Monteiro

‎11-25-2024 06:11 AM

disable Op of allow protocol will apply to these AP only not all device 

MHM

0 Helpful

Go to solution
Rich R
VIP
VIP

‎11-26-2024 12:40 AM - edited ‎11-26-2024 12:43 AM

@Vinicius Monteiro as per https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/222287-blast-radius-cve-2024-3596-protocol-sp.html not all radius clients will send message authenticator on all requests and the option should only be enabled where you know that the radius client will always use message authenticator.

As per https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwk70846 AireOS will only send message authenticator for EAP authentication flows which is strictly compliant with RFCs at the time of implementation.  AireOS is end of life and this will not be changed (and certainly not ever in 8.3.x which is years past end of support!).  As per the bug notes - if you need to protect that radius traffic (if it is exposed to interception for example across the internet) then you should transport it in IPSEC.  If the radius is only transmitted across secure network links and devices (which you control and which should not be exposed to interception) then there is no real risk to start with.  In that case you add it to your Risk Register and note that it is mitigated by transport over secure, controlled networks.  If that's not good enough for your security team then ask them for the cash to upgrade all the equipment to current, supported technology.

> however in the other WLCs I do not have this problem, only in this 5502
I presume you mean 5520?
Are the other WLCs running the same version of code?
Are the radius flows all identical? (for example maybe the others are EAP?)

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card