Release Notes for CiscoSecure ACS 2.3(5) for UNIX
April 17, 2000
These release notes contain important information and describe issues and workarounds regarding CiscoSecure Access Control Server (ACS) 2.3(5) for UNIX. For complete documentation on this product, please refer to the following documents:
•CiscoSecure ACS 2.3 for UNIX User Guide
•CiscoSecure ACS 2.3 for UNIX Installation Guide
Contents
These release notes discuss the following topics:
• "New Information" section
• "Supplemental Copyright Information" section
• "Closed Issues" section
• "Open Issues" section
• "Obtaining Documentation" section
• "Obtaining Technical Assistance" section
New Information
The following new features are included in this release of CiscoSecure ACS for UNIX:
•Support for RADIUS tunneling attributes
•Support for newer versions of browsers
Supplemental Copyright Information
The following information supplements the copyright information in the CiscoSecure ACS 2.3 for UNIX User Guide:
•CiscoSecure ACS software is derived in part from software of J-Lex. Permission by J-Lex; Copyright © 1996 by Elliot Joel Berk. Elliot Joel Berk disclaims all warranties with regard to this software, including all implied warranties of merchantability and fitness. In no event shall Elliot Joel Berk be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data, or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of this software.
•CiscoSecure ACS software is derived in part from the Generic Library Release Version 2.0 ("JGL"). Permission by ObjectSpace, Inc. Copyright © 1996.
•CiscoSecure ACS software is derived in part from the SUN Java JDK software from Sun Java Microsystems. CiscoSecure also uses JDBC-ODBC Bridges from Sun Java Microsystems. Copyright © 1992-1996. All rights reserved.
•CiscoSecure ACS software is derived in part from the SSLava Toolkit. The SSLava Toolkit is used strictly for the support of SSL. SSLava is a trademark of Phaos Technology Corporation. Copyright© 1996, 1997, Phaos Technology Corporation. All rights reserved.
•Copyright (c) 1994-1999 Netscape Communications Corporation
•Copyright (c) 1988-1999 Sybase, Inc.
•Trade Mark WebLogic, Inc.
•CiscoSecure ACS contains a modified version of the Acme Web Server (http://www.acme.com). The Acme Web Server is covered by the following copyright:
Copyright (C) 2000 by Jef Poskanzer. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Closed Issues
This section identifies issues that have been resolved in CiscoSecure ACS 2.3(5) for UNIX.
•CSCdk23062
Running a stress test against SDI (SecurID) users caused CiscoSecure ACS to stop. Updated libraries from RSA Security have been incorporated to resolve this.
•CSCdk81834
The documented meaning of the message "Protocol-Garbled Message" was previously given as "Bad data in the packet header." The documentation has been corrected to state that the message is caused by an invalid license key.
•CSCdm06713
Scroll bars now operate properly when using the Advanced>Servers window.
•CSCdm16651
Documentation on RADIUS accounting header fields was clarified in, and additional documentation added to, Chapter 9 of the CiscoSecure ACS 2.3 for UNIX User Guide.
•CSCdm20277
Documentation on the syslog feature was enhanced in Chapter 14 of the CiscoSecure ACS 2.3 for UNIX User Guide.
•CSCdm71166
Documentation on password expiration was added to Chapter 8 of the CiscoSecure ACS 2.3 for UNIX User Guide.
•CSCdm75729
Documentation on the use of ValidClients in CSConfig.ini was added to Chapter 16 of the CiscoSecure ACS 2.3 for UNIX User Guide.
•CSCdm82471
The Token Caching time unit of measure was corrected in Chapter 12 of the CiscoSecure ACS 2.3 for UNIX User Guide.
•CSCdm83172
Explanation was added to Chapter 8 of the CiscoSecure ACS 2.3 for UNIX User Guide stating that only clear passwords are changed when making a telnet connection to a NAS.
•CSCdp20358
CSU.cfg debug options are now documented more completely in the CiscoSecure ACS 2.3 for UNIX User Guide.
•CSCdp51406
The browser interface now operates properly when CiscoSecure ACS is run on the non-standard port 9900.
•CSCdp63614
CSImport was not parsing attributes correctly: whenever a # appeared anywhere in a line of the user profile, CSImport assumed the line was a comment and dropped it from the profile. The code has been modified so that the utility treats a line as a comment only when the first non-blank character in that line is #.
•CSCdp73560
The minimum hardware requirements have changed. The correct hardware requirements are now listed in the CiscoSecure ACS 2.3 for UNIX Installation Guide.
•CSCdp74136
Users received web I/O errors when accessing the AdvancedAdmin interface over Secure Sockets Layer (SSL). To resolve this issue, the following VeriSign certificates were renewed: Secure Server, Class Primary 1, Class Primary 2, and Class Primary 3.
•CSCdp77646
Users could change a group-assigned Privilege-DES (enable) password with CHPASS. CiscoSecure ACS now checks where the enable privilege is defined: if the DES enable password is set in the user's own profile, the user can change it; if the user inherits it from the group profile, the change is refused.
•CSCdp78698
Documentation on the behavior of CiscoSecure ACS when the NAS is not configured was added to Chapter 14 of the CiscoSecure ACS 2.3 for UNIX User Guide.
•CSCdp85073
The address field in cs_user_accounting was renamed to Remote ID.
•CSCdp89283
DNS Server issues that caused the AAA Server to stop responding and not answer requests have been resolved.
•CSCdp89362
Documentation on DNS issues was added to Chapter 14 of the CiscoSecure ACS 2.3 for UNIX User Guide.
•CSCdp94132
CiscoSecure ACS allowed users to authenticate with expired tokens. In addition to the user name, the port type of the call is now used to differentiate sessions.
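As an added example (not code from the release notes, from CSImport, or from CiscoSecure ACS), the following Python parser reads the "user = name { ... }" profile text that CiscoSecure ACS uses (the format shown in the CSCdr09956 workaround below) and applies the corrected comment rule from CSCdp63614: a line is a comment only when its first non-blank character is #. A third, made-up profile whose password contains a # is included in the constructed sample to show what the pre-fix rule silently dropped. The block-nesting grammar (an opening line ending in {, a closing line of }) is inferred from the profiles on this page and is an assumption about the format.

```python
"""Parser for CiscoSecure ACS profile text with the CSCdp63614 comment rule.
Example code, not the CSImport utility itself."""

# Constructed sample: the two profiles from the CSCdr09956 workaround plus a
# made-up profile ("pound") whose password contains '#'.
SAMPLE_PROFILES = """\
# constructed export header: a real comment (first non-blank character is '#')
user = user6{
profile_id = 37
set server current-failed-logins = 0
profile_cycle = 33
radius=Ascend5 {
check_items= {
21=Mar 15 2000
2=cisco123
}
reply_attributes= {
6=1
7=1
207=1
208=30
}
}
}
user = NAS.10.22.2.55{
profile_id = 29
profile_cycle = 10
NASName="10.22.2.55"
SharedSecret="cisco54321"
RadiusVendor="Ascend"
Dictionary="DICTIONARY.Ascend5"
}
user = pound{
    # an indented comment is still a comment under the corrected rule
radius=Ascend5 {
check_items= {
2=pa#ss
}
}
}
"""


def is_comment(line):
    """Corrected rule: only a line whose first non-blank character is '#'."""
    return line.lstrip().startswith("#")


def is_comment_legacy(line):
    """Pre-fix CSImport rule: a '#' anywhere marked the whole line as a comment."""
    return "#" in line


def lines_misread_as_comments(text):
    """Data lines the legacy rule would have silently dropped from an import."""
    return [l.strip() for l in text.splitlines()
            if is_comment_legacy(l) and not is_comment(l)]


def _split_assignment(s):
    """'key = value' -> (key, value); surrounding quotes on the value are removed."""
    key, _, value = s.partition("=")
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return key.strip(), value


def parse_profiles(text):
    """Return {profile_name: attributes}. A nested block becomes a dict whose
    '_value' entry holds the text after '=' on the block's opening line."""
    root, stack = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or is_comment(line):
            continue
        if line == "}":
            if not stack:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        elif line.endswith("{"):
            key, value = _split_assignment(line[:-1])
            node = {"_value": value}
            if stack:
                stack[-1][key] = node
            elif key == "user":
                root[value] = node          # top level: index profiles by name
            else:
                raise ValueError(f"line {lineno}: unexpected top-level block {key!r}")
            stack.append(node)
        elif stack:
            key, value = _split_assignment(line)
            stack[-1][key] = value
        else:
            raise ValueError(f"line {lineno}: assignment outside a profile")
    if stack:
        raise ValueError("unterminated block at end of input")
    return root


if __name__ == "__main__":
    profiles = parse_profiles(SAMPLE_PROFILES)
    # Check item 2 is the cleartext User-Password, so a profile export needs
    # the same file permissions as a password database.
    print("user6 password:", profiles["user6"]["radius"]["check_items"]["2"])
    print("NAS secret:", profiles["NAS.10.22.2.55"]["SharedSecret"])
    print("legacy rule would drop:", lines_misread_as_comments(SAMPLE_PROFILES))
```

Under the legacy rule the line 2=pa#ss is discarded and the "pound" profile imports with no password check item at all, which is a silent weakening rather than an error; the corrected rule keeps it and still honours the indented comment.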
Open Issues
This section identifies issues that remain open in CiscoSecure ACS 2.3(5) for UNIX.
•CSCdr12880
CiscoSecure ACS did not allow profile changes from the GUI when there was a syntax error in the profile. A user had a typographical error in the "acl" attribute in one of the group profiles. CiscoSecure ACS accepted the profile without generating a message. When the user tried to correct the profile, CiscoSecure ACS did not allow the user to modify the profile, but generated the message "error in line...".
The workaround is to copy the profile to a new profile and modify the new profile.
•CSCdr01226
During a Master-to-Master Replication in Oracle version 8.0.5, the update command via DBClient fails. There is no workaround.
•CSCdr09956
CiscoSecure ACS RADIUS password expiration works, but the user receives no expiration warning and no opportunity to change the password. When the NAS is configured with Cisco as the vendor and uses the Cisco dictionary, password expiration does not work at all.
The workaround is to configure the CiscoSecure user profile and the NAS profile with the Ascend vendor and dictionary, as follows:
User profile
user = user6{
profile_id = 37
set server current-failed-logins = 0
profile_cycle = 33
radius=Ascend5 {
check_items= {
21=Mar 15 2000 (date edited for readability)
2=cisco123
}
reply_attributes= {
6=1
7=1
207=1
208=30
}
}
}
NAS Profile
User Profile Information
user = NAS.10.22.2.55{
profile_id = 29
profile_cycle = 10
NASName="10.22.2.55"
SharedSecret="cisco54321"
RadiusVendor="Ascend"
Dictionary="DICTIONARY.Ascend5"
}
The password change works as follows:
telnet 10.22.2.55
Trying 10.22.2.55...
Connected to 10.22.2.55.
Escape character is '^]'.
User Access Verification
Username: user6
Password:
Password Has Expired
Please enter new password.
Password:
Please re-enter your new password.
Password:
nas3>
The corresponding NAS debug output (AAA authentication and RADIUS debugging) is as follows:
1w2d: AAA: parse name=tty38 idb type=-1 tty=-1
1w2d: AAA: name=tty38 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=38 channel=0
1w2d: AAA/AUTHEN: create_user (0x61297B5C) user='' ruser='' port='tty38' rem_addr='10.22.2.1/' authen_type=ASCII service=LOGIN priv=1
1w2d: AAA/AUTHEN/START (1572192080): port='tty38' list='' action=LOGIN service=LOGIN
1w2d: AAA/AUTHEN/START (1572192080): using "default" list
1w2d: AAA/AUTHEN/START (1572192080): Method=LOCAL
1w2d: AAA/AUTHEN (1572192080): status = GETUSER
1w2d: AAA/AUTHEN/CONT (1572192080): continue_login (user='(undef)')
1w2d: AAA/AUTHEN (1572192080): status = GETUSER
1w2d: AAA/AUTHEN/CONT (1572192080): Method=LOCAL
1w2d: AAA/AUTHEN (1572192080): status = GETPASS
1w2d: AAA/AUTHEN/CONT (1572192080): continue_login (user='user6')
1w2d: AAA/AUTHEN (1572192080): status = GETPASS
1w2d: AAA/AUTHEN/CONT (1572192080): Method=LOCAL
1w2d: AAA/AUTHEN (1572192080): password incorrect
1w2d: AAA/AUTHEN (1572192080): status = ERROR
1w2d: AAA/AUTHEN/START (2502004780): port='tty38' list='' action=LOGIN service=LOGIN
1w2d: AAA/AUTHEN/START (2502004780): Restart
1w2d: AAA/AUTHEN/START (2502004780): Method=RADIUS
1w2d: AAA/AUTHEN (2502004780): status = GETPASS
1w2d: AAA/AUTHEN/CONT (2502004780): continue_login (user='user6')
1w2d: AAA/AUTHEN (2502004780): status = GETPASS
1w2d: AAA/AUTHEN (2502004780): Method=RADIUS
1w2d: RADIUS: ustruct sharecount=1
1w2d: RADIUS: Initial Transmit tty38 id 150 10.22.2.1:1645, Access-Request, len 76
1w2d: Attribute 4 6 0A160237
1w2d: Attribute 5 6 00000026
1w2d: Attribute 61 6 00000005
1w2d: Attribute 1 7 75736572
1w2d: Attribute 30 2 1F0B3130
1w2d: Attribute 31 11 31302E32
1w2d: Attribute 2 18 611EE9DE
1w2d: RADIUS: Received from id 150 10.22.2.1:1645, Password-Expired, len 42
1w2d: Attribute 18 22 50617373
1w2d: AAA/AUTHEN (2502004780): status = GETPASS
1w2d: AAA/AUTHEN/CONT (2502004780): continue_login (user='user6')
1w2d: AAA/AUTHEN (2502004780): status = GETPASS
1w2d: AAA/AUTHEN (2502004780): Method=RADIUS
1w2d: AAA/AUTHEN (2502004780): status = GETPASS
1w2d: AAA/AUTHEN/CONT (2502004780): continue_login (user='user6')
1w2d: AAA/AUTHEN (2502004780): status = GETPASS
1w2d: AAA/AUTHEN (2502004780): Method=RADIUS
1w2d: RADIUS: ustruct sharecount=2
1w2d: RADIUS: Initial Transmit tty38 id 151 10.22.2.1:1645, Change-Password, len 90
1w2d: Attribute 4 6 0A160237
1w2d: Attribute 5 6 00000026
1w2d: Attribute 61 6 00000005
1w2d: Attribute 1 7 75736572
1w2d: Attribute 30 2 1F0B3130
1w2d: Attribute 31 11 31302E32
1w2d: Attribute 2 18 27CB81A8
1w2d: Attribute 17 8 17BC5CC5
1w2d: Attribute 6 6 00000005
1w2d: RADIUS: Received from id 151 10.22.2.1:1645, Change-Password-Accept, len 20
1w2d: AAA/AUTHEN (2502004780): status = PASS
In addition to the Password-Expired message, two further RADIUS messages that appear in this exchange, Change-Password and Change-Password-Accept, must be supported by the NAS; a NAS that does not support them cannot offer the password change.
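The Access-Request in the debug output above, as an added example that is not part of the release notes and is not CiscoSecure ACS or IOS code: the Python below rebuilds the request from the seven attribute lines the NAS printed, verifies that the reconstruction has the 76-byte length shown in the debug, and implements the RFC 2865 User-Password hiding with the shared secret from the NAS profile and the password from the user6 profile. The hex field in each debug line is read as the four bytes following the two-byte attribute header (for the empty Called-Station-Id, type 30, it shows the next attribute's header, which is what the lines themselves show). The Request Authenticator is not printed by the debug, so a constructed value is used and the password bytes are not compared; attribute names are those of RFC 2865.

```python
"""Rebuild the Access-Request from the NAS debug lines and show RFC 2865
User-Password hiding. Example code, not from the release notes or from ACS."""
import hashlib
import re
import socket
import struct

ACCESS_REQUEST = 1                 # RADIUS code from RFC 2865
IDENTIFIER = 150                   # 'id 150' in the debug
SHARED_SECRET = b"cisco54321"      # SharedSecret from the NAS profile
PASSWORD = b"cisco123"             # check item 2 in the user6 profile

# Attribute lines copied from the debug output. The hex field is the four
# bytes that follow the two-byte attribute header, so for the empty
# Called-Station-Id (type 30, length 2) it shows the next attribute's header.
DEBUG_LINES = """\
1w2d: Attribute 4 6 0A160237
1w2d: Attribute 5 6 00000026
1w2d: Attribute 61 6 00000005
1w2d: Attribute 1 7 75736572
1w2d: Attribute 30 2 1F0B3130
1w2d: Attribute 31 11 31302E32
1w2d: Attribute 2 18 611EE9DE
"""
_ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]{8})")


def decode_debug_line(line):
    """'Attribute T L XXXXXXXX' -> (type, length, first four value bytes)."""
    m = _ATTR_RE.search(line)
    if not m:
        raise ValueError(f"not an attribute line: {line!r}")
    return int(m.group(1)), int(m.group(2)), bytes.fromhex(m.group(3))


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes and XOR each block
    with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: whoever holds the secret and a captured
    request recovers the password, so the secret and the transport matter."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    """One RADIUS TLV: type, total length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", atype, len(value) + 2) + value


def build_access_request(authenticator):
    """The request the debug shows: user6 on tty38 of NAS 10.22.2.55."""
    body = b"".join([
        attr(4, socket.inet_aton("10.22.2.55")),   # NAS-IP-Address
        attr(5, struct.pack(">I", 38)),            # NAS-Port (tty38)
        attr(61, struct.pack(">I", 5)),            # NAS-Port-Type 5 = Virtual
        attr(1, b"user6"),                         # User-Name
        attr(30, b""),                             # Called-Station-Id, empty
        attr(31, b"10.22.2.1"),                    # Calling-Station-Id
        attr(2, hide_password(PASSWORD, SHARED_SECRET, authenticator)),
    ])
    header = struct.pack(">BBH", ACCESS_REQUEST, IDENTIFIER, 20 + len(body))
    return header + authenticator + body


def iter_attributes(packet):
    """Yield (type, length, offset of value) for each TLV after the header."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        yield atype, alen, pos + 2
        pos += alen


def matches_debug(packet, debug_text):
    """True if the packet's TLVs line up with the debug dump. User-Password
    bytes are skipped: they depend on the authenticator the debug omits."""
    expected = [decode_debug_line(l) for l in debug_text.splitlines()]
    actual = list(iter_attributes(packet))
    if len(expected) != len(actual):
        return False
    for (etype, elen, first4), (atype, alen, off) in zip(expected, actual):
        if (etype, elen) != (atype, alen):
            return False
        if etype != 2 and packet[off:off + 4] != first4:
            return False
    return True


if __name__ == "__main__":
    authenticator = bytes(range(16))   # constructed; a real NAS sends 16 random bytes
    pkt = build_access_request(authenticator)
    print("length field:", struct.unpack(">H", pkt[2:4])[0], "(debug shows len 76)")
    print("matches debug:", matches_debug(pkt, DEBUG_LINES))
```

The reveal_password function is the caveat a practitioner should take from this exchange: the User-Password attribute is masked, not encrypted in any strong sense. Anyone who captures the UDP datagram and knows or guesses the shared secret recovers the password, so a secret like the one in the workaround profile should be long and random, and RADIUS traffic between the NAS and CiscoSecure ACS should stay on a network the attacker cannot sniff.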
Obtaining Documentation
World Wide Web
You can access the most current Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
Documentation CD-ROM
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly. Therefore, it is probably more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.
Ordering Documentation
Registered CCO users can order the Documentation CD-ROM and other Cisco Product documentation through our online Subscription Services at http://www.cisco.com/cgi-bin/subcat/kaojump.cgi.
Nonregistered CCO users can order documentation through a local account representative by calling Cisco's corporate headquarters (California, USA) at 408 526-4000 or, in North America, call 800 553-NETS (6387).
Obtaining Technical Assistance
Cisco provides Cisco Connection Online (CCO) as a starting point for all technical assistance. Warranty or maintenance contract customers can use the Technical Assistance Center. All customers can submit technical feedback on Cisco documentation using the web, e-mail, a self-addressed stamped response card included in many printed docs, or by sending mail to Cisco.
Cisco Connection Online
Cisco continues to revolutionize how business is done on the Internet. Cisco Connection Online is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.
CCO's broad range of features and services helps customers and partners to streamline business processes and improve productivity. Through CCO, you will find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online support services, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on CCO to obtain additional personalized information and services. Registered users may order products, check on the status of an order and view benefits specific to their relationships with Cisco.
You can access CCO in the following ways:
•WWW: www.cisco.com
•Telnet: cco.cisco.com
•Modem using standard connection rates and the following terminal settings: VT100 emulation; 8 data bits; no parity; and 1 stop bit.
–From North America, call 408 526-8070
–From Europe, call 33 1 64 46 40 82
You can e-mail questions about using CCO to cco-team@cisco.com.
Technical Assistance Center
The Cisco Technical Assistance Center (TAC) is available to warranty or maintenance contract customers who need technical assistance with a Cisco product that is under warranty or covered by a maintenance contract.
To display the TAC web site that includes links to technical support information and software upgrades and for requesting TAC support, use www.cisco.com/techsupport.
To contact TAC by telephone or e-mail, use one of the following:
In North America, TAC can be reached at 800 553-2447 or 408 526-7209. For other telephone numbers and TAC e-mail addresses worldwide, consult the following web site: http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml.
Documentation Feedback
If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.
You can e-mail your comments to bug-doc@cisco.com.
To submit your comments by mail, for your convenience many documents contain a response card behind the front cover. Otherwise, you can mail your comments to the following address:
Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate and value your comments.
Posted: Wed Feb 16 09:46:39 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.