000020868 - Cisco Router with IOS 12.2(2)XB/12.2(4)T or later unable to handle New PIN Mode and Next Tokencode Mode Authentications through RADIUS

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000020868

Applies To: Cisco Router 3745, IOS 12.2(2)XB/12.2(4)T or later

Issue: Cisco Router with IOS 12.2(2)XB/12.2(4)T or later unable to handle New PIN Mode and Next Tokencode Mode Authentications through RADIUS

Resolution: This is a known Cisco bug, and there is no workaround for this problem for Cisco Router model 3745 because this router model is restricted in terms of the code trains that can run on it. This problem exists in IOS 12.2(2)XB/12.2(4)T or later.

12.2 mainline should not have this problem, but model 3745 only runs 12.2T or 12.3, so there is no other option for the 3745. In short, this is a bug in IOS.

The issue arises because multitransaction RADIUS authentication uses the State attribute in the server's response packet to maintain continuity of the transaction, which is carried in UDP packets. The router fails to respond with the same State attribute in the third packet of the communication: that packet contains no State attribute at all.
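A check for the symptom described above, as an added example that is not part of the original article and is not RSA or Cisco code: it parses an ordered RADIUS exchange and flags any Access-Request that follows an Access-Challenge without echoing the State attribute (type 24). The packets, user name and State value are constructed, the authenticator is zeroed, and User-Password is omitted for brevity.

```python
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11  # RADIUS packet codes (RFC 2865)
USER_NAME, REPLY_MESSAGE, STATE = 1, 18, 24  # attribute types (RFC 2865)

def build(code, ident, attrs):
    """Build a RADIUS packet; authenticator zeroed because this is constructed data."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), bytes(16)) + body

def parse(pkt):
    """Return (code, identifier, {type: [values]}); raise ValueError if malformed."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = pkt[pos], pkt[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(pkt[pos + 2:pos + a_len])
        pos += a_len
    return code, ident, attrs

def check_state_echo(packets):
    """Walk one NAS/server exchange in order; flag requests that drop the State."""
    findings, pending = [], None
    for n, pkt in enumerate(packets, start=1):
        code, _ident, attrs = parse(pkt)
        if code == ACCESS_REQUEST and pending is not None:
            got = attrs.get(STATE, [None])[0]
            if got != pending:
                findings.append((n, "State missing" if got is None else "State mismatch"))
        # Only a challenge leaves a State outstanding for the next request.
        pending = attrs.get(STATE, [None])[0] if code == ACCESS_CHALLENGE else None
    return findings

# Constructed sample exchange: values are illustrative, not from a real capture.
S = b"constructed-state-01"
REQ1 = build(ACCESS_REQUEST, 1, [(USER_NAME, b"alice")])
CHAL = build(ACCESS_CHALLENGE, 1, [(REPLY_MESSAGE, b"Enter a new PIN"), (STATE, S)])
BUGGY = [REQ1, CHAL, build(ACCESS_REQUEST, 2, [(USER_NAME, b"alice")])]
GOOD = [REQ1, CHAL, build(ACCESS_REQUEST, 2, [(USER_NAME, b"alice"), (STATE, S)])]

if __name__ == "__main__":
    print("buggy:", check_state_echo(BUGGY), "good:", check_state_echo(GOOD))
```

Fed the RADIUS payloads from a capture of a failing New PIN or Next Tokencode login, in order, the function reports the packet number at which the State attribute was dropped.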

Cisco is aware of the issue as of November 1, 2003; see Cisco defect CSCed22074. Please contact Cisco for the fix. The problem does appear to be fixed in IOS 12.3.7T.

Legacy Article ID: a19296
