The VLAN Policy Server hardware has been replaced by the Cisco 1101 VLAN Policy Server.
URT Release 2.5 contains the following new features:
Web-based logon from Windows, Macintosh, and Linux clients.
Support for Lightweight Directory Access Protocol (LDAP) directory authentication for Active Directory (AD) and Novell Directory Service (NDS).
RADIUS web authentication and accounting.
Secure link between the client and VLAN Policy Server (VPS).
Support for Windows XP clients.
Multiple users per port based on user ID (web logons only). Allows more than one user to connect to the internet through a hub served by a single switch port. All users behind the hub must be assigned to the same VLAN.
Prevents network access to unregistered MAC addresses.
MAC registration events can be viewed through the user interface.
All changes to the URT database are saved automatically. Changes to the database are immediately available for use on your network.
Support for additional Cisco Catalyst switches.
Documentation Roadmap
Note: Although every effort has been made to validate the accuracy of the information in the printed and electronic documentation, you should also review the URT documentation on Cisco.com for any updates.
The following documents are provided in PDF on your product CD:
User Guide for the Cisco Secure User Registration Tool
Installation and Setup Guide for the Cisco Secure User Registration Tool
Installation and Setup Guide for the Cisco 1101 VLAN Policy Server
Regulatory Compliance and Safety Information for the Cisco 1101 VLAN Policy Server
User Registration Tool Software Developer's Guide
Note: Adobe Acrobat Reader 4.0 or later is required.
Use these publications to learn how to install and use URT:
Installation and Setup Guide for the Cisco Secure User Registration Tool (DOC-7813389=): Provides instructions for installing URT, and quick-start steps for using URT. This publication is available on the URT CD-ROM in PDF.
User Guide for the Cisco Secure User Registration Tool (DOC-7813391=): Describes URT and provides instructions for configuring, administering, and operating it. This publication is available on the URT CD-ROM in PDF.
URT online help: Contains all of the information available in User Guide for the Cisco Secure User Registration Tool. This ensures that you have complete information, even if you do not have the manual readily available while using URT.
Use this publication to learn how to install the Cisco 1101 VLAN Policy Server:
Installation and Setup Guide for the Cisco 1101 VLAN Policy Server (DOC-7814482=): Provides instructions for installing and setting up the 1101 VLAN Policy Server. This publication is available on the URT CD-ROM in PDF.
Additional Information Online
For information about URT supported devices, refer to the following URL, or check the documentation on Cisco.com for the correct location:
This section contains late-breaking updates to the URT documentation.
User Guide Updates
This section contains late-breaking updates to User Guide for the Cisco Secure User Registration Tool.
Chapter 1 Update
The following information was omitted after the second note in the "Understanding Traditional Logons and Web Logons" section on page 1-5:
For traditional logons, you can specify the same Active Directory server as both an NT domain and an LDAP directory; users can be associated with both. The LDAP association takes precedence over the NT domain association.
On page 4-11, the italicized information was omitted after the second paragraph in the section:
URT supports redundant LDAP servers. If the primary LDAP server fails, URT can query a second or third LDAP server for the user, group, or organizational unit assignment.
It is recommended that redundant LDAP servers use the same Base Distinguished Name.
In the Add Directory window, you can select multiple LDAP servers from the list of IP addresses. During logons, the VPS queries a random LDAP server from the list. If a connection to that server fails, logon attempts continue with other servers in the list until an available server is located.
LDAP associations are arranged in a hierarchical tree. An example tree might be structured as follows:
United States : Western States : California : San Francisco : Ken
URT might assign a VLAN to any place in the tree. If the username Ken has multiple organizational unit associations, URT searches for the username Ken first when looking for a VLAN association, and uses the first association it finds.
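The lookup order described above, as an added example that is not URT code. The association table is constructed, and the order in which enclosing containers are tried after the user entry (nearest first) is an assumption; the page states only that the user entry is searched first.

```python
# Constructed associations: position in the LDAP tree -> VLAN name.
ASSOCIATIONS = {
    ("United States",): "Vlan10",
    ("United States", "Western States", "California"): "Vlan20",
    ("United States", "Western States", "California",
     "San Francisco", "Ken"): "Vlan30",
}


def parse_path(text):
    """Split 'A : B : C' (the notation used on this page) into a tuple."""
    return tuple(part.strip() for part in text.split(":"))


def resolve_vlan(user_paths, associations):
    """Return (vlan, matched_path), or (None, None) if nothing matches.

    user_paths lists every place the user appears in the tree, one entry
    per organizational unit association.
    """
    parsed = [parse_path(p) for p in user_paths]

    # Pass 1: an association on the user entry itself is searched first.
    for path in parsed:
        if path in associations:
            return associations[path], path

    # Pass 2 (assumed order): nearest enclosing container first, trying
    # the user's associations in the order they were listed.
    longest = max((len(p) for p in parsed), default=0)
    for up in range(1, longest):
        for path in parsed:
            if up >= len(path):
                continue
            ancestor = path[:len(path) - up]
            if ancestor in associations:
                return associations[ancestor], ancestor

    return None, None


if __name__ == "__main__":
    ken = [
        "United States : Eastern States : New York : Ken",
        "United States : Western States : California : San Francisco : Ken",
    ]
    vlan, matched = resolve_vlan(ken, ASSOCIATIONS)
    print(vlan, "granted by", " : ".join(matched))
```

Returning the matched path along with the VLAN shows which node in the tree granted access, which is the first thing to check when a user lands in an unexpected VLAN.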
Adding LDAP Servers
On page 4-12, the italicized information was omitted from Step 7:
Step 7 Select the interval at which the Client Module looks up the user in the LDAP tree to determine if the user's Distinguished Name (DN) has changed.
When you use a long interval, the LDAP server is queried less frequently, resulting in less network traffic. If you change the interval, the change is not recognized until the original interval has elapsed. For example, if you first set the interval to 3 hours, and you make changes every hour thereafter, the changes are not recognized until 3 hours have passed.
When you use a short interval, network load on the LDAP server and the URT VPS increases.
Overview of RADIUS Authentication Support
At the top of page 4-16, the note was omitted from the description of the RADIUS attribute syntax example:
URT:Vlan-Association=URT-1:Vlan6;
URT:Vlan-Association=URT-2:Vlan16;
URT:Allow-Multiple-Users=TRUE;
URT:Logon-User-Only=FALSE
Note: For a description of these attributes, see Step 4 in the "Setting Web Associations" section on page 6-3.
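A syntax check for the attribute string above, to run before the string is entered in a RADIUS user profile. This is an added example, not URT code: it accepts only the three attribute names shown on this page, treats the text before the colon in a Vlan-Association value as a label that must be unique (an assumption), and requires TRUE or FALSE exactly as written in the example.

```python
import re

# Attribute names and value kinds taken from the syntax example on this page.
KNOWN = {
    "Vlan-Association": "assoc",
    "Allow-Multiple-Users": "bool",
    "Logon-User-Only": "bool",
}
ATTR_RE = re.compile(r"^URT:([A-Za-z-]+)=(.*)$")

# The attribute string exactly as shown on this page.
PAGE_EXAMPLE = (
    "URT:Vlan-Association=URT-1:Vlan6;\n"
    "URT:Vlan-Association=URT-2:Vlan16;\n"
    "URT:Allow-Multiple-Users=TRUE;\n"
    "URT:Logon-User-Only=FALSE"
)

# Constructed bad input: a repeated label, a non-boolean flag, an attribute
# name that is not on this page, and a missing ';' before the last attribute.
BAD_EXAMPLE = (
    "URT:Vlan-Association=URT-1:Vlan6;\n"
    "URT:Vlan-Association=URT-1:Vlan99;\n"
    "URT:Allow-Multiple-Users=yes;\n"
    "URT:Guest-Access=TRUE;\n"
    "URT:Logon-User-Only=FALSE\n"
    "URT:Vlan-Association=URT-2:Vlan16"
)


def parse_urt_attributes(text):
    """Parse a URT attribute string and return (policy, errors)."""
    policy = {"vlan_associations": {}, "flags": {}}
    errors = []
    # Attributes are ';'-separated and may be wrapped across lines, so a
    # forgotten ';' fuses two attributes into one value and is caught below.
    joined = re.sub(r"[\r\n]+", "", text)
    for item in (part.strip() for part in joined.split(";")):
        if not item:
            continue
        match = ATTR_RE.match(item)
        if not match:
            errors.append(f"not a URT attribute: {item!r}")
            continue
        name, value = match.group(1), match.group(2).strip()
        kind = KNOWN.get(name)
        if kind is None:
            errors.append(f"unknown attribute: {name}")
        elif kind == "bool":
            if value not in ("TRUE", "FALSE"):
                errors.append(f"{name}: expected TRUE or FALSE, got {value!r}")
            elif name in policy["flags"]:
                errors.append(f"{name}: set more than once")
            else:
                policy["flags"][name] = value == "TRUE"
        else:
            label, sep, vlan = value.partition(":")
            if not sep or not label or not vlan or ":" in vlan:
                errors.append(f"{name}: expected <label>:<vlan>, got {value!r}")
            elif label in policy["vlan_associations"]:
                errors.append(f"{name}: {label} is mapped more than once")
            else:
                policy["vlan_associations"][label] = vlan
    return policy, errors


if __name__ == "__main__":
    for title, sample in (("page example", PAGE_EXAMPLE),
                          ("constructed bad input", BAD_EXAMPLE)):
        policy, errors = parse_urt_attributes(sample)
        print(title, policy)
        for error in errors:
            print("  ERROR:", error)
```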
Adding RADIUS Servers
On page 4-18, the italicized information was omitted from Step 8:
Step 8 Enter the interval for verifying client attributes. A client sync message takes 5 minutes and the default interval is 12 minutes; therefore, verification occurs every 60 minutes (12 x 5).
When you use a long interval, the RADIUS server is queried less frequently, resulting in less network traffic. If you change the interval, the change is not recognized until the original interval has elapsed. For example, if you first set the interval to 3 hours, and you make changes every hour thereafter, the changes are not recognized until 3 hours have passed.
When you use a short interval, network load on the RADIUS server and the URT VPS increases.
URT Installation Guide Update
This section contains late-breaking updates to Installation and Setup Guide for the Cisco Secure User Registration Tool.
Chapter 1 Update
In Table 1-1 on page 1-4, eDirectory should not be included as a supported domain server.
Cisco 1101 VLAN Policy Server Installation Guide Updates
This section contains late-breaking updates to Installation and Setup Guide for the Cisco 1101 VLAN Policy Server.
Chapter 3 Update
On page 3-12, disregard the second paragraph of Step 4 including Table 3-3.
Chapter 4 Updates
On pages 4-3 and 4-4, disregard the information in the "Administering User Accounts" and "Backing Up and Restoring Your VLAN Policy Server" sections.
Shutting Down and Reloading the VLAN Policy Server
On page 4-5, substitute the following for the second paragraph:
To restart the VLAN Policy Server using the web interface, select Diagnostic>Restart. Click Yes in the dialog box that appears. The VLAN Policy Server will restart.
Preparing to Install the Replacement VLAN Policy Server
On page 4-11, disregard Step 3.
Appendix C Updates
Command Summary
In Table C-1 on pages C-3 through C-6, disregard the following commands:
backup
backupconfig
restore
show anilog
show backupconfig
show collectorlog
In Table C-1, note the changes to the following commands:
Old Command              New Command
show hseaccesslog        show webaccesslog
show hseerrorlog         show weberrorlog
show hsesslaccesslog     show websslaccesslog
Privilege Level 15 Commands
Starting on page C-15 in the "Privilege Level 15 Commands" section, and all subsections therein, disregard the following commands:
Backup
Backupconfig
Restore
Show anilog
Show backupconfig
Show collectorlog
On page C-37, substitute the following for the first paragraph:
To configure the VLAN Policy Server to be a repository, and to download software updates and images from an ftp server (or the product CD-ROM), enter the following command:
On pages C-53 through C-55, note the changes to the following commands:
Old Command              New Command
show hseaccesslog        show webaccesslog
show hseerrorlog         show weberrorlog
show hsesslaccesslog     show websslaccesslog
Known and Resolved Problems
Known problems (bugs) in URT are graded according to severity level. These release notes contain descriptions of:
All severity level 1 or 2 bugs.
Significant severity level 3 bugs.
All customer-found bugs (regardless of severity level).
You can search for problems using the Cisco Software Bug Toolkit. To access the Software Bug Toolkit:
Step 1 Log into Cisco.com.
Step 2 Select Service & Support>Technical Support Help - Cisco TAC>Tool Index.
Step 3 In the Jump to: links at the top of the page, click the letter S, then select Software Bug Toolkit.
You can also access the Software Bug Toolkit by entering the following URL in your web browser:
Table 1 describes the problems known to exist in this release; Table 2 describes the problems resolved since the last release of URT.
Table 1 URT 2.5 Known Problems
Bug ID (Severity)
Summary
Explanation
None
When Windows 2000 laptops are connected to a docking station, logon is not successful.
The default setting for a Windows 2000 laptop system when connected to a docking station is for all network adapters to be enabled. The system cannot log on when more than one network adapter is enabled.
To work around this problem, set up your hardware profiles using the Hardware Device Manager option. Configure your system so that the network adapter for the docking station is the only network adapter enabled when the system is connected to the docking station.
CSCdu52546 (3)
VLAN Policy Server 1100 series cannot set or delete an NTP server.
If you log on to a VLAN Policy Server 1100 series as administrator or root and then try to delete an NTP command, the command-line interface returns an error. You cannot delete the NTP setting.
There is no workaround.
CSCdw08035 (3)
On MacOS 10.1 systems, the release and renew feature does not update the TCP/IP panel.
When logging on to a MacOS 10.1 system, the IP address is changed according to the VLAN assigned to the user. However, when you select TCP/IP>Properties, the new IP address is not shown.
There is no known workaround for this problem; however, you can obtain a client's IP address by entering ifconfig en0 in a terminal window.
CSCdw46686 (3)
When using a Cisco Catalyst 1900 or 2820 as the access layer switch, the client is not assigned to a user VLAN.
When using a Cisco Catalyst 1900 (v 9.00.05) or Cisco Catalyst 2820 (v 9.00.05) as an access layer switch, the client is not assigned to a user VLAN.
This happens when the client system is on any port from port 1 through port 9. The logon user is assigned to a logon VLAN, but is not assigned to a user VLAN.
To work around this problem, use port 10 or higher for all client systems.
CSCdx20706 (3)
When sync packet fails, there is no error message.
When logged on to either a RADIUS or LDAP server using a web client, and the client system fails to send a sync packet to the VPS server, an error message appears only in the web client log. No error message appears to indicate to the user that the sync packet has failed.
There is no workaround.
CSCdx35302 (3)
The web logon does not log off automatically when you log off Windows systems.
When you are using the web client on any supported Windows systems, the web client does not automatically log you off when you log off your Windows system. When you log back on to your system, you are still on the user VLAN. You remain on the user VLAN for approximately 5 minutes before being switched to the logon VLAN.
To work around this problem, you should log off the web client at the same time you log off your Windows system.
CSCdx45576 (4)
Search capabilities do not work on Windows XP after installing the URT Web Client.
This is a known Windows XP bug.
To work around this problem, use the following procedure, found at the Microsoft web site:
1. Log in as Administrator or as a member of the Administrators group.
2. From the Windows desktop, select Start>Run, then enter the following: %systemroot%\inf
3. Click OK to open the INF folder.
4. Right-click the Srchasst.inf file.
5. From the drop-down menu, select Install to reinstall the files that the search feature needs to proceed normally.
6. Using Windows Explorer, navigate to the C:\Windows\srchasst\mui\0409 folder.
7. Right-click each of the following files:
Balloon.xsl
Bar.xsl
Lclsrch.xml
8. For each file, in the drop-down menu, select Properties.
9. In the Properties dialog box, select the Read-only checkbox.
10. Click OK.
11. Repeat Step 7 through Step 10 for each file.
CSCdx50935 (3)
Netscape 6.2.2 on Windows systems requires you to download the Java plug-in even when it is already installed.
This occurs on Windows systems with Netscape 6.2.2.
When attempting to log on using a web client, you will be asked to download the Java plug-in. Even after you have installed the plug-in, you will be asked every time you open the browser to download and install the plug-in.
To work around this problem, use the following procedure, found at the Netscape web site:
1. Uninstall the Java plug-in.
2. Delete the NPJAVA*.dll and NPOJI600.dll files from the <Netscape6>/plugins/ directory.
3. Reboot the system.
4. Install the Java plug-in.
5. Reboot the system if asked.
6. Verify that all the files are copied into the <netscape6>/plugins directory.
7. Run the web client.
CSCdx51792 (3)
Linux Mandrake 8.1 with Netscape 6.2.2 will not allow you to download the Java plug-in.
This problem occurs on Linux Mandrake 8.1 systems with Netscape 6.2.2 only.
If the Java plug-in is not installed and you try to install it, the download dialog box does not allow you to select anything and you cannot download the plug-in.
To work around this problem, use Netscape 4.7 to download the plug-in.
CSCdx53561 (2)
The VQP is sending trunking port MAC address requests.
This happens when the client system is connected to a dynamic switch port and another switch port is set to trunking mode.
The VQP sends a request for two MAC addresses on the switch port. One MAC address is the client attached to the switch port, and the other is the MAC address for the trunking port.
The switch now behaves as if there are two MAC addresses on the switch port, causing the client to be switched back to the logon VLAN.
This behavior has been observed on Cisco 2900XL, 2950, and 3500XL switches.
There is no workaround.
CSCdx57155 (3)
The Web Client logon redirection does not work when using an IP address as the URL.
When entering an IP address in the web browser and the URT Web Client is still in the logon VLAN, the Web Client logon redirect does not work.
To work around this problem, enter the server name in the web browser.
CSCdx57498 (4)
Install on Demand message box opens.
When logging on using Internet Explorer 6.0 on a Windows XP web client, and the Java plug-in is not installed, the Install on Demand message box opens.
To work around this problem, do one of the following:
In the Internet Options window, disable the Install on Demand option.
When Internet Explorer 6.0 is launched, click Cancel in the Install on Demand message box.
CSCdx60047 (3)
The Administrative Server help search on Windows XP systems does not work with the Java plug-in.
On Windows XP systems, the online help search feature does not work if the Administrative Server is installed on a system on which the Java plug-in is installed.
To work around this problem, install the Windows update on the Windows XP system before installing the URT Administrative Server.
CSCdx60072 (3)
Switch sends out incorrect VQP message when using a hub.
When a client is connected to a hub, the switch caches the client information (what switch port the hub is connected to). The client is moved to another switch in the same VTP domain. The VQP update is sent by the first switch and the VPS responds as if the user is on both switch ports.
The user is moved to the logon VLAN, and the history log shows the client on both the new port and the hub port.
There is no workaround.
CSCdx60911 (3)
Cannot save the History log file with an extension on Windows XP systems.
When you save a file in the history log, you can save it as a text file or a comma-separated value (CSV) file. Whichever option you select, the file is saved without a file extension.
To work around this problem, right-click the file, then use the Windows Notepad application to read it.
CSCdx61384 (3)
The history events file logs multiple logon events if there is no reply from the VPS.
The history events log file reports multiple logon events for the same user if the VLAN Policy Server does not reply immediately.
There is no workaround.
CSCdx62862 (3)
The option to close browser window after logon does not work on VA Linux operating systems.
The web browser remains open after logon, even when the Close browser window on logon checkbox is selected in the Web Options settings of the Administrative Interface.
There is no workaround.
CSCdx63169 (4)
When using the command-line interface, a message appears, incorrectly stating that the process has been completed.
This message is displayed when you use the command-line interface command urtgui -cli [full path\filename] to import a text file containing the MAC addresses to VLAN mappings. If the VTP domain is not valid, an error message indicates that the VTP domain is unknown. The final message says:
Completed loading data into URT
The message should say that the import failed.
CSCdx63706 (3)
On Mandrake Linux systems using Netscape, the active and Grant Session windows close.
This problem occurs on Mandrake Linux web clients using Netscape 6.2.2. When you launch Netscape for web logon, if you do not click Grant Session or Grant All within 1 minute, the active Netscape window and the Grant session window close.
The following message appears in the browser status bar:
error:java.lang.NoClassDefFoundError.
You cannot log on because the Logon dialog box is not open.
To work around this problem, close and then reopen the browser window. When you log on, click Grant session. The Logon dialog box opens.
CSCdx63741 (4)
Non-DHCP hosts with static IP addresses can install the URT client service.
When you manually install the URT Client service through a Windows NT host, the following message appears:
NOTE:Install will fail on non-DHCP hosts.
You can disregard the message.
CSCdx70808 (3)
Client system is moved to the logon VLAN when the Energy Saver option is activated.
When the Energy Saver option is enabled on a client system and the client system powers down, the timer (clock) on the URT Administrative Interface stops. The user is then moved to the logon VLAN.
When the system is reactivated, the clock restarts and the user is moved back to the user VLAN during the next sync.
To work around this problem, disable the Energy Saver option.
CSCdx70956 (3)
Linux clients lose network connectivity.
During unique network situations, such as when all VLAN Policy Servers are being upgraded at the same time, logged on Linux client systems may lose network connectivity.
To work around this problem, you must restart the network using the following procedure (you must have root privileges):
1. Open a terminal window on the Linux system.
2. Stop the network by entering one of the following commands:
/etc/rc.d/init.d/network stop
or
/etc/rc.d/network stop
The path you use depends on the location of the network script.
3. Enter /sbin/ifconfig eth0 down to stop the eth0 interface.
4. Use the DHCP client to issue a release command. Depending on the DHCP client your system uses, enter one of the following:
/sbin/pump -k
/sbin/dhcpcd -k
/sbin/dhclient -k
5. Start the network by entering one of the following commands:
/etc/rc.d/init.d/network start
or
/etc/rc.d/network start
6. Enter /sbin/ifconfig eth0 up to start the eth0 interface.
7. Start the DHCP client. Enter the appropriate command:
/sbin/pump
/sbin/dhcpcd
/sbin/dhclient
You can now log on to the network.
CSCin09948 (3)
When installation fails, a URT option on the Programs menu and a shortcut are created.
This problem occurs when an invalid user ID is entered during the installation of the Administrative Server. An error message appears and the installation fails.
Even though the installation failed, the URT option is added to the Programs menu. Also, if you enable the Create desktop shortcut option during installation, a shortcut for URT is created on the desktop.
If you click the shortcut on the desktop or URT in the Programs menu, an error message appears and URT does not launch.
To work around this problem, reboot the system and install again.
CSCin09951 (3)
Reinstallation goes through a continual loop and is never reinstalled.
When you reinstall the Administrative Interface, the following message appears:
A previous version of URT was detected. You must uninstall the ....
You then do the following:
1. Click Yes to uninstall. After a confirmation dialog box appears, the following message is displayed:
The log file D:\urttest\UrtAdminServerUninst.isu is not valid or the data has been corrupted.Uninstallation will not continue.
2. Click Ok. The first message reappears, and you must repeat Step 1 and Step 2.
The reinstallation process continues in this manner, and the Administrative Server is never reinstalled.
To work around this problem, you must open the Registry Editor and delete the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Cisco Systems\URT Administrative Server
After you remove this entry, URT no longer detects the previous version of URT, and the reinstall continues.
CSCin10062 (3)
Traditional logon is allowed even when the Web Only Logon option is selected.
If you deselect the Web Only Logon option and then later select it, you will be able to log on using the traditional logon method. This occurs even though the Web Only Logon option is selected.
There is no workaround.
Table 2 URT 2.5 Resolved Problems
Bug ID (Severity)
Summary
Additional Information
CSCdw65436 (4)
In the Administrative Interface, the View History Time of Event column does not display the times in chronological order.
The Time Event was changed from string format to date format.
CSCdw67827 (4)
Multiple instances of the URT Administrative Interface can be opened at one time.
You can now run only a single instance of the URT Administrative Interface. A warning message is displayed when you try to run more than one instance.
CSCdw68416 (4)
The Administrative Interface accepts invalid MAC addresses.
If you enter the MAC address in a format other than 00-00-00-00-00-00, an error message now appears.
CSCdw79430 (4)
The install script dialog box that appears when you choose a specific Windows domain controller (DC) within the same domain is misleading.
The message has been updated to indicate that the URT script might be replicated to other domain controllers.
CSCdw81489 (3)
UrtVmpsServerAttributes.xml file is placed in a subfolder that can be inadvertently removed.
The UrtVmpsServerAttributes.xml file has been moved to the etc directory.
CSCin03687 (2)
The VPS goes down when using the web browser to install from the VPS Recovery CD.
The package information has been changed for the Recovery CD.
Obtaining Documentation
The following sections explain how to obtain documentation from Cisco Systems.
World Wide Web
You can access the most current Cisco documentation on the World Wide Web at the following URL:
Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).
Documentation Feedback
If you are reading Cisco product documentation on Cisco.com, you can submit technical comments electronically. Click Feedback at the top of the Cisco Documentation home page. After you complete the form, print it out and fax it to Cisco at 408 527-0730.
You can e-mail your comments to bug-doc@cisco.com.
To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:
Cisco Systems Attn: Document Resource Connection 170 West Tasman Drive San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.
Cisco.com
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you to:
Streamline business processes and improve productivity
Resolve technical issues with online support
Download and test software packages
Order Cisco learning materials and merchandise
Register for online skill assessment, training, and certification programs
You can self-register on Cisco.com to obtain customized information and service. To access Cisco.com, go to the following URL:
The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two types of support are available through the Cisco TAC: the Cisco TAC Web Site and the Cisco TAC Escalation Center.
Inquiries to Cisco TAC are categorized according to the urgency of the issue:
Priority level 4 (P4): You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.
Priority level 3 (P3): Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
Priority level 2 (P2): Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.
Priority level 1 (P1): Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.
Which Cisco TAC resource you choose is based on the priority of the problem and the conditions of service contracts, when applicable.
Cisco TAC Web Site
The Cisco TAC Web Site allows you to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to the following URL:
All customers, partners, and resellers who have a valid Cisco services contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to the following URL to register:
If you cannot resolve your technical issues by using the Cisco TAC Web Site, and you are a Cisco.com registered user, you can open a case online by using the TAC Case Open tool at the following URL:
If you have Internet access, it is recommended that you open P3 and P4 cases through the Cisco TAC Web Site.
Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses issues that are classified as priority level 1 or priority level 2; these classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer will automatically open a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to the following URL:
Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled; for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). In addition, please have available your service agreement number and your product serial number.
This document is to be used in conjunction with the documents listed in the "Documentation Roadmap" section.