Vulnslist


Cisco Identity Services Engine RADIUS Suppression Denial of Service Vulnerability

cisco-sa-ise-radsupress-dos-8YF3JThh · High · Published · Updated

A vulnerability in the RADIUS setting "Reject RADIUS requests from clients with repeated failures" on Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to cause Cisco ISE to restart unexpectedly. This vulnerability is due to a logic error when processing a RADIUS access request for a MAC address that is already a rejected endpoint. An attacker could exploit this vulnerability by sending a specific sequence of multiple crafted RADIUS access request messages to Cisco ISE. A successful exploit could allow the attacker to cause a denial of service (DoS) condition when Cisco ISE restarts. Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-radsupress-dos-8YF3JThh

Workarounds

Cisco ISE devices are affected by this vulnerability only if Reject RADIUS requests from clients with repeated failures is configured.

As a workaround, administrators can disable this setting using the following steps:

Choose Administration > System > Settings > Protocols > RADIUS.
Navigate to the Suppress Repeated Failed Clients and repeated accounting section.
Uncheck only the Reject RADIUS requests from clients with repeated failures check box.

This setting is enabled by default and will be configured in most environments. If this configuration setting is disabled, the Cisco ISE device is not affected by this vulnerability. However, Cisco recommends re-enabling this configuration setting once the device has been upgraded to the fixed code.

For more information on this feature, which is new in Cisco ISE Release 3.4.0, see RADIUS Settings https://www.cisco.com/c/en/us/td/docs/security/ise/3-4/admin_guide/b_ise_admin_3_4/b_ISE_admin_segmentation.html#t_security_settings_33 in the Cisco Identity Services Engine Administrator Guide, Release 3.4.

While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.

CVEs: CVE-2025-20343
Cisco Bug IDs: CSCwq27605
CVSS Score: Base 8.6
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
Product Names From Source: Cisco Identity Services Engine Software
