
Cisco Authentication Agent

Field Notice: Kerberos Client Authentication Fails in Beginning of Leap Years


January 1, 2000


Products Affected

Product: Kerberos-enabled Cisco products

Description: Cisco products in which Kerberos Client functionality is employed for authentication are affected.

Problem Description

The Kerberos Client functionality on Cisco products, when configured to provide access control, will fail in a "deny" state when the expiration of the credentials is in January or February of leap years, thus denying any Kerberos-authenticated access.

This bug has been assigned Cisco bug ID CSCdp60101. If you are a registered CCO user and you have logged in, you can view the bug details.

DDTS: CSCdp60101 (registered customers only)

Description: The Kerberos Client functionality on Cisco products, when configured to provide access control, will fail in a "deny" state when the expiration of the credentials is in January or February of leap years, thus denying any Kerberos-authenticated access. A workaround for the problem is to choose an alternate form of authentication, such as TACACS+ or RADIUS.

Background

There is an error in how the Kerberos Client calculates timestamps in replies from the Key Distribution Center (KDC) during the first two months of a leap year. As a result, the authentication request fails. This problem will not occur in months later than February.

Note: The default timezone on a Cisco router is based on UTC (Coordinated Universal Time) which is approximately equivalent to GMT (Greenwich Mean Time). The problem may occur at a time other than midnight on the indicated date, depending on the local time zone and the time zone configured on the router.

Problem Symptoms

Attempts to authenticate using the Kerberos Client will fail with a message similar to the following:

00:15:07: Kerberos: Received TGT reply from KDC
00:15:07: Kerberos: Received invalid credential. 
00:15:07: AAA/AUTHEN (868613526): password incorrect 
00:15:07: AAA/AUTHEN (868613526): status = FAIL

You will need to enter the debug aaa authen and debug kerberos Cisco IOS commands in order to see these symptoms.
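A triage helper for the symptom and date window described above, written for this page as an added example (it is not Cisco code). It checks captured debug output for the failure sequence and tests whether a credential expiry falls in January or February of a leap year. The function names and the router UTC offset parameter are assumptions, and the sample text is constructed from the debug lines quoted in this notice.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the debug output quoted in this notice.
SAMPLE_DEBUG = """\
00:15:07: Kerberos: Received TGT reply from KDC
00:15:07: Kerberos: Received invalid credential.
00:15:07: AAA/AUTHEN (868613526): password incorrect
00:15:07: AAA/AUTHEN (868613526): status = FAIL
"""

# uptime stamp, facility, optional AAA session ID in parentheses, message text
LINE = re.compile(r"^(\d\d:\d\d:\d\d): (Kerberos|AAA/AUTHEN)(?: \((\d+)\))?: (.*?)\s*$")

def in_affected_window(expiry_utc, router_utc_offset_hours=0):
    """True if the expiry, viewed in the router's configured zone (assumed
    to be a fixed UTC offset), lies in January or February of a leap year."""
    local = expiry_utc.astimezone(timezone(timedelta(hours=router_utc_offset_hours)))
    return calendar.isleap(local.year) and local.month in (1, 2)

def find_symptom(debug_text):
    """Return AAA session IDs whose FAIL follows a TGT reply and then
    'Received invalid credential', the sequence shown in the notice."""
    saw_tgt = saw_invalid = False
    failed = []
    for raw in debug_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        _, facility, session, msg = m.groups()
        if facility == "Kerberos":
            if msg.startswith("Received TGT reply"):
                saw_tgt, saw_invalid = True, False
            elif msg.startswith("Received invalid credential"):
                saw_invalid = saw_tgt
        elif msg == "status = FAIL":
            if saw_invalid and session not in failed:
                failed.append(session)
            saw_tgt = saw_invalid = False
    return failed

def triage(debug_text, expiry_utc, router_utc_offset_hours=0):
    """Symptom present AND expiry inside the leap-year window."""
    sessions = find_symptom(debug_text)
    hit = bool(sessions) and in_affected_window(expiry_utc, router_utc_offset_hours)
    return {"sessions": sessions, "matches_field_notice": hit}
```

A failure sequence with an expiry outside the window points to an ordinary Kerberos failure (wrong password, clock skew) rather than CSCdp60101.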

Workaround/Solution

Workaround:

Choose an alternate form of authentication such as TACACS+ or RADIUS.

Interim solution:

Cisco IOS interim software solutions can now be obtained through the Cisco Systems Technical Assistance Center (TAC).

Maintenance Solution:

To obtain the next maintenance release, follow the instructions on the following page:

Software Downloading from CCO via World Wide Web

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
