|
|
Table Of Contents
Release Notes for CiscoSecure ACS 2.3(5) for UNIX
Supplemental Copyright Information
Obtaining Technical Assistance
Release Notes for CiscoSecure ACS 2.3(5) for UNIX
April 17, 2000
These release notes contain important information and describe issues and workarounds regarding CiscoSecure Access Control Server (ACS) 2.3(5) for UNIX. For complete documentation on this product, please refer to the following documents:
•
CiscoSecure ACS 2.3 for UNIX User Guide
•
Contents
These release notes discuss the following topics:
•
•
•
New Information
The following new features are included in this release of CiscoSecure ACS for UNIX:
•
•
Supplemental Copyright Information
The following information supplements the copyright information in the CiscoSecure ACS 2.3 for UNIX User Guide:
•
•
•
•
•
•
•
•
Copyright (C) 2000 by Jef Poskanzer. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Closed Issues
This section identifies issues that have been resolved in CiscoSecure ACS 2.3(5) for UNIX.
•
Running stress test against SDI users caused CiscoSecure ACS to stop. New libraries from RSA Security have been incorporated.
•
The meaning of the message "Protocol-Garbled Message" was previously listed as "Bad data in the packet header." This has been corrected to state that the message is caused by an invalid license key.
•
Scroll bars now operate properly when using the Advanced>Servers window.
•
Documentation on RADIUS accounting header fields was clarified in, and additional documentation added to, Chapter 9 of the CiscoSecure ACS 2.3 for UNIX User Guide.
•
Documentation on the syslog feature was enhanced in Chapter 14 of the CiscoSecure ACS 2.3 for UNIX User Guide.
•
Documentation on password expiration was added to Chapter 8 of the CiscoSecure ACS 2.3 for UNIX User Guide.
•
Documentation on the use of ValidClients in CSConfig.ini was added to Chapter 16 of the CiscoSecure ACS 2.3 for UNIX User Guide.
•
The Token Caching time unit of measure was corrected in Chapter 12 of the CiscoSecure ACS 2.3 for UNIX User Guide.
•
Explanation was added to Chapter 8 of the CiscoSecure ACS 2.3 for UNIX User Guide stating that only clear passwords are changed when making a telnet connection to a NAS.
•
CSU.cfg debug options are now documented more completely in the CiscoSecure ACS 2.3 for UNIX User Guide.
•
Browser now operates properly when a non-standard 9900 port is used for CiscoSecure ACS.
•
CSImport was not parsing attributes correctly. When a # is found within a line of the user profile, CSimport utility incorrectly assumes that the line is a comment and ignores that line in the profile. The code has been modified so that the utility treats any line as a comment only when the first non-blank character in that line is #.
•
The minimum hardware requirements have changed. The correct hardware requirements are now listed in the CiscoSecure ACS 2.3 for UNIX Installation Guide.
•
Users received web I/O errors when accessing the AdvancedAdmin interface with Secure Support Layer (SSL). To resolve this issue, the following VeriSign certificates were renewed: Secure Server, Class Primary 1, Class Primary 2, and Class Primary 3.
•
Users could change the group-assigned Privilege-DES password with CHPASS. CiscoSecure ACS now checks for the enable privilege. If the user has the privilege "DES" used for the enable password, then the user can change his or her enable password; however, if the user inherits the property from the group, he or she will not be allowed to change it.
•
Documentation on the behavior of CiscoSecure ACS when the NAS is not configured was added to Chapter 14 of the CiscoSecure ACS 2.3 for UNIX User Guide.
•
The address field in cs_user_accounting was renamed to Remote ID.
•
DNS Server issues that caused the AAA Server to stop responding and not answer requests have been resolved.
•
Documentation on DNS issues was added to Chapter 14 of the CiscoSecure ACS 2.3 for UNIX User Guide.
•
CiscoSecure ACS allowed users to authenticate with expired tokens. In addition to the user name, the port type of the call is now used to differentiate sessions.
Open Issues
This section identifies issues that remain open in CiscoSecure ACS 2.3(5) for UNIX.
•
CiscoSecure ACS did not allow profile changes from the GUI when there was a syntax error in the profile. A user had a typographical error in the "acl" attribute in one of the group profiles. CiscoSecure ACS accepted the profile without generating a message. When the user tried to correct the profile, CiscoSecure ACS did not allow the user to modify the user profile, but generated the message "
error in line..."The work around is for the customer to copy the profile to a new profile and modify the new profile.
•
During a Master-to-Master Replication in Oracle version 8.0.5, the update command via DBClient fails. There is no work around.
•
CiscoSecure ACS RADIUS password expiration works, but there are no warnings on expiration and no opportunity to change the password. When the NAS specifies Cisco as the Vendor and uses the Cisco Dictionary, password expiration does not work.
The work around is to configure CiscoSecure users and NASes as follows:
User profile
user = user6{profile_id = 37set server current-failed-logins = 0profile_cycle = 33radius=Ascend5 {check_items= {21=Mar 15 2000 (Edited for ease to understand)2=cisco123}reply_attributes= {6=17=1207=1208=30}}}NAS Profile
User Profile Informationuser = NAS.10.22.2.55{profile_id = 29profile_cycle = 10NASName="10.22.2.55"SharedSecret="cisco54321"RadiusVendor="Ascend"Dictionary="DICTIONARY.Ascend5"}The password change works as follows:telnet 10.22.2.55Trying 10.22.2.55...Connected to 10.22.2.55.Escape character is '^]'.User Access VerificationUsername: user6Password:Password Has ExpiredPlease enter new password.Password:Please re-enter your new password.Password:nas3>The NAS output is as follows:1w2d: AAA: parse name=tty38 idb type=-1 tty=-11w2d: AAA: name=tty38 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=38 channel=01w2d: AAA/AUTHEN: create_user (0x61297B5C) user='' ruser='' port='tty38' rem_addr='10.22.2.1/' authen_type=ASCII service=LOGIN priv=11w2d: AAA/AUTHEN/START (1572192080): port='tty38' list='' action=LOGIN service=LOGIN1w2d: AAA/AUTHEN/START (1572192080): using "default" list1w2d: AAA/AUTHEN/START (1572192080): Method=LOCAL1w2d: AAA/AUTHEN (1572192080): status = GETUSER1w2d: AAA/AUTHEN/CONT (1572192080): continue_login (user='(undef)')1w2d: AAA/AUTHEN (1572192080): status = GETUSER1w2d: AAA/AUTHEN/CONT (1572192080): Method=LOCAL1w2d: AAA/AUTHEN (1572192080): status = GETPASS1w2d: AAA/AUTHEN/CONT (1572192080): continue_login (user='user6')1w2d: AAA/AUTHEN (1572192080): status = GETPASS1w2d: AAA/AUTHEN/CONT (1572192080): Method=LOCAL1w2d: AAA/AUTHEN (1572192080): password incorrect1w2d: AAA/AUTHEN (1572192080): status = ERROR1w2d: AAA/AUTHEN/START (2502004780): port='tty38' list='' action=LOGIN service=LOGIN1w2d: AAA/AUTHEN/START (2502004780): Restart1w2d: AAA/AUTHEN/START (2502004780): Method=RADIUS1w2d: AAA/AUTHEN (2502004780): status = GETPASS1w2d: AAA/AUTHEN/CONT (2502004780): continue_login (user='user6')1w2d: AAA/AUTHEN (2502004780): status = GETPASS1w2d: AAA/AUTHEN (2502004780): Method=RADIUS1w2d: RADIUS: ustruct sharecount=11w2d: RADIUS: Initial Transmit tty38 id 150 10.22.2.1:1645, Access-Request, len761w2d: Attribute 4 6 0A1602371w2d: Attribute 5 6 000000261w2d: Attribute 61 6 000000051w2d: Attribute 1 7 757365721w2d: Attribute 30 2 1F0B31301w2d: Attribute 31 11 31302E321w2d: Attribute 2 18 611EE9DE1w2d: RADIUS: Received from id 150 10.22.2.1:1645, Password-Expired, len 421w2d: Attribute 18 22 506173731w2d: AAA/AUTHEN (2502004780): status = GETPASS1w2d: AAA/AUTHEN/CONT (2502004780): continue_login (user='user6')1w2d: AAA/AUTHEN (2502004780): status = GETPASS1w2d: AAA/AUTHEN (2502004780): Method=RADIUS1w2d: AAA/AUTHEN (2502004780): status = GETPASS1w2d: AAA/AUTHEN/CONT (2502004780): continue_login (user='user6')1w2d: AAA/AUTHEN (2502004780): status = GETPASS1w2d: AAA/AUTHEN (2502004780): Method=RADIUS1w2d: RADIUS: ustruct sharecount=21w2d: RADIUS: Initial Transmit tty38 id 151 10.22.2.1:1645, Change-Password, len901w2d: Attribute 4 6 0A1602371w2d: Attribute 5 6 000000261w2d: Attribute 61 6 000000051w2d: Attribute 1 7 757365721w2d: Attribute 30 2 1F0B31301w2d: Attribute 31 11 31302E321w2d: Attribute 2 18 27CB81A81w2d: Attribute 17 8 17BC5CC51w2d: Attribute 6 6 000000051w2d: RADIUS: Received from id 151 10.22.2.1:1645, Change-Password-Accept, len 201w2d: AAA/AUTHEN (2502004780): status = PASSIn addition to the Password Expired message, two other new messages, Change-Password and Change-Password-Accept, must be supported.
Obtaining Documentation
World Wide Web
You can access the most current Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
Documentation CD-ROM
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly. Therefore, it is probably more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.
Ordering Documentation
Registered CCO users can order the Documentation CD-ROM and other Cisco Product documentation through our online Subscription Services at http://www.cisco.com/cgi-bin/subcat/kaojump.cgi.
Nonregistered CCO users can order documentation through a local account representative by calling Cisco's corporate headquarters (California, USA) at 408 526-4000 or, in North America, call 800 553-NETS (6387).
Obtaining Technical Assistance
Cisco provides Cisco Connection Online (CCO) as a starting point for all technical assistance. Warranty or maintenance contract customers can use the Technical Assistance Center. All customers can submit technical feedback on Cisco documentation using the web, e-mail, a self-addressed stamped response card included in many printed docs, or by sending mail to Cisco.
Cisco Connection Online
Cisco continues to revolutionize how business is done on the Internet. Cisco Connection Online is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.
CCO's broad range of features and services helps customers and partners to streamline business processes and improve productivity. Through CCO, you will find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online support services, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on CCO to obtain additional personalized information and services. Registered users may order products, check on the status of an order and view benefits specific to their relationships with Cisco.
You can access CCO in the following ways:
•
•
•
–
–
You can e-mail questions about using CCO to cco-team@cisco.com.
Technical Assistance Center
The Cisco Technical Assistance Center (TAC) is available to warranty or maintenance contract customers who need technical assistance with a Cisco product that is under warranty or covered by a maintenance contract.
To display the TAC web site that includes links to technical support information and software upgrades and for requesting TAC support, use www.cisco.com/techsupport.
To contact by e-mail, use one of the following:
In North America, TAC can be reached at 800 553-2447 or 408 526-7209. For other telephone numbers and TAC e-mail addresses worldwide, consult the following web site: http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml.
Documentation Feedback
If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.
You can e-mail your comments to bug-doc@cisco.com.
To submit your comments by mail, for your convenience many documents contain a response card behind the front cover. Otherwise, you can mail your comments to the following address:
Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883We appreciate and value your comments.
Posted: Wed Feb 16 09:46:39 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.
