CSCdv41564

Need to send a warning message if we leave command argument blank

Symptom: When a user or a group profile is added through GUI, error "Error on line 7" occurs

Conditions: When the "command argument" in the permission tab is left as blank or when given some backspace.

Workaround: You need a default value in the command argument so that if one leaves the command argument field blank, he will not get the message "Error on line 7" after submitting the profile.

CSCdv26308

CiscoSecure Unix stops authentication when DNS lookup hangs.

Symptom: When using DNS on CiscoSecure Unix, and when DNS lookup fails AAA stops responding to AA requests.

Conditions: When using DNS with CSUNIX, a DNS lookup fails and AAA stops responding, causing the system to go down.

Workaround: Either add the failing DNS lookups manually in the hosts file in UNIX, or Disable DNS in CSUNIX by adding the following parameter to CSU.cfg and restart CiscoSecure: NUMBER config_get_names_from_dns = 0;

CSCdu75768

Unable to import radius profiles using CSimport - CSimport doesn't import radius profiles.

Workaround: Use $BASE/utils/CSmigrate.

CSCdt80249

CiscoSecure Unix install fails with ORA-00942

Conditions: Condition under which this failure occurs is not certain.

Workaround: If this is a brand new install use the following workaround; Otherwise call TAC.

First delete the file /$BASEDIR/utils/sql.scripts/ora_init.sql%

(Remember, the file with the % at the end)

Then do the following:

$BASE/utils/bin/CSdbTool drop --> drop all tables

$BASE/utils/bin/CSdbTool init

$BASE/utils/bin/CSdbTool init_radius --> run even if only tacacs+ is being used

Restart CiscoSecure.

CSCds88505

Maximum session value is incorrect with DSM; DSM states that a user's maximum sessions has been exceeded while the user is no longer connected and a stop record has been sent (and recorded in the csuslog).

Symptoms: Users will be rejected even if the number of active sessions is less than the allowed in case of DSM.

Conditions: This sort of behavior occurs only if the Solaris workstation has more than one interface. The accounting start packet should arrive from one interface and the DNS should have the machine's name configured for the other interface's IP. Which means that the session recorded will have one IP (that is in the DNS, as DSM uses DNS) and the stop packet will have the other. Hence the session count is not reduced.

Workaround: None

CSCds09639

Token Caching Fails when ISDN MLPPP user need authentication. The token caching fails when an ISDN user tries to authenticate second channel using MLPPP via SGBP.

Symptoms: When ISDN authenticates to CiscoSecure, the second ISDN channel fails intermittently. ISDN users cannot dial in, don't require full band width.

Conditions: The failure occurs because the current implementation of Cisco Secure has a security feature that does not allow two different type of interface (generated from IOS-NAS) for token caching validation scheme. In the current implementation, the interface type "virtual-access" (which is sourced from IOS-NAS after completing the SGBGP-VPN-L2F call for the second channel) and the "serial" sourced from IOS-NAS, first channel) combination are not allowed in token caching validation scheme.

Workaround: None.

CSCdp35848

Clear password is displayed in the View page. The clear password is displayed in the View page of the GUI, though ViewProfile hides it with asterisk.

Symptoms: You are able to see Clear Password in cleartext (unencrypted) in the Advanced admin password entry edit box.

Conditions: When entering the password for Password Clear, the password is seen as clear text in the edit box.

Workaround: None.

CSCdt42824

NIS+ system password does not work for Altiga VPN users Altiga VPN users are failing authentication when using a 'system' password with NIS+. Dial-up connections (via AS5300) work fine using the same profile. Local profiles with a 'clear' password work fine for both VPN and dialup.

Symptoms: Altiga users will rejected if password system is used for authentication

Conditions: The user profile has password system configured and Radius authentication is used. The system uses NIS server for user passwords

Workaround: None

CSCdr63518

From and until date increment by one day when password is changed through a telnet connection.

Symptoms: In Cisco Secure 2.3(4.2), when you change the password through telnet, From and Until date is incremented by one day.

Conditions: Sample Profile before password change through telnet:

The profile after password change through Telnet:

Workaround: Use Update Profile to update the correct "from" and "until" dates for the password.

CSCdr09956

CiscoSecure Unix radius password expiration works but there are no warnings on expiration and no opportunity to change the password.

Symptoms: Radius users with expired password are not prompted to change password

Conditions: The users should be using Cisco Radius Dictionary previous to 12.05.

Workaround: None

CSCdr83294

In CiscoSecure for Unix Version 2.3.5, Startup script displays message "DBServer Started" even if DBServer fails to start.

Symptoms: "DBServer Started" message is printed even if the DBServer fails to start.

Conditions: The start up script for CSU will print the message "DBServer Started", even if the database does not start.

Workaround: Ensure that the database connectivity exists. Then stop and restart CiscoSecure processes.

CSCdr91045

CSUnix does not like a profile that includes "cmd=set". In csuslog, the following

warning is displayed and the user fails authentication:

Jul 21 16:11:49 CiscoSecure: WARNING - errors detected in profile 'XXXX' in database

Symptoms: With the 'set' command in the profile, CiscoSecure does not allow you to login to either a switch or a router.

Conditions: This tends to occur when "cmd=show" is changed to "cmd=set" and the permit version is not changed to permit port speed.

Workaround: A space character should be configured in the profile's set command for authentication as in the following example:

CSCdr31220

After upgrading from CSU2.3.3 using TACACS+ where max-session worked fine to RADIUS, some have reported that max-session (high performance) seems to have broken. Many are reporting users unable to dial in after they have been disconnected and try to connect.

Symptoms: Radius users gets rejected due to improper max-session count.

Conditions: The problem appears when the NAS does not receive the ACK which the ACS sent for Accounting start and so retries. ACS takes this re-try as a separate request and increments the count by one.

Workaround: None

CSCdr34038

Adding VSA with ID 0 will cause Exception.

Symptoms: When we add new Radius Vendor specific Attribute with ID 0 in the dictionary there is no problem. The VSA is created. After doing this, if we try to create a new user and associate this VSA to this user, a exception occurs.

Conditions: Exception is thrown if a VSA has vendor ID as 0.

Workaround: None

CSCds76294

If Timezone not set, DBServer fails to start. In CSU ACS 2.3.5, DBServer will not start if TIMEZONE is not set in the Solaris Machine.

Symptoms: DBserver wont start.

Conditions: The timezone is not set in the system.

Workaround: Comment out the following lines below:

CSCds37958

Advanced GUI has problems with some of the attributes entered in User or Group profiles. Attributes can be entered in correctly, but when you reselect on the User or Group profile, a dialogue box will appear indicating: "Error at line xx: <partial attribute>." In addition, that profile will no longer be accessible via the GUI.

Symptoms: When you reselect on the User or Group profile, a dialogue box will appear indicating the following:

Conditions: The Advanced Graphical User Interface (GUI) for Cisco Secure Unix sometimes has problems with some of the attributes entered in User or Group profiles. Attributes can be entered in correctly, but when you reselect on the User or Group profile, a dialogue box will appear indicating:

Where line xx represents the profile line number where the error occurred. <partial attribute> is the attribute found on the line indicated, except the first few characters of the attribute are missing. In addition, that profile will no longer be accessible via the GUI.

This problem is only with the Advanced GU, and does not affect the operation of the Cisco Secure server. The profile can still be viewed and modified via the Command Line Interface and the attributes are still passed to the NAS.

Workaround: If you receive the above error message, use the Command Line Interface to add, delete, or modify that profile. No other profiles are affected

CSCds40980

Documentation does not state clearly that CSU ACS for UNIX should be the only program running on server.

Symptoms: In the CSUnix Installation Guide for all versions, it should be stated that the hardware recommendations are based on Cisco's recommendation that CiscoSecure be the only application running on this server. Combinations of different Cisco or non-Cisco applications have not been tested and are hence not supported.

CSCds62617

Aa Java error occurs intermittently. Things seem to work fine for a while then they must restart the ACS services to regain control.

Symptoms: the GUI works fine for a while and then reports Java errors/exceptions intermittently. ACS must be restarted to regain control.

Conditions: The ulimit value is very low in the AcmeServer.sh file

Workaround: increase the value of ulimit in the AcmeServer.sh to 256.

CSCds75404

Password Validation in GUI and telnet are inconsistent. Password checking should be implemented to ensure the above statements from CSU docs are valid.

Symptoms: Inconsistencies in password rules in CiscoSecure.

Workaround: None.

CSCdk69328

CiscoSecure pre-process and post-process attributes do not work.

Symptoms: Pre and post-process appears in the GUI

Workaround: None

CSCds86132

CiscoSecure Compatibility Matrix on:

http://www.cisco.com/warp/customer/480/13.html should include IE 5.0 as being supported by CSU 2.3.5.1.

Workaround: None

CSCdr03327

Would like to configure account disable for maximum login attempts per user.

Workaround: none

CSCdt04619

Oracle 8.0.5 is no longer supported by Oracle. 8.1.7 is the recommended version that customer wants to use. Need CSUnix to be supported on Oracle 8.1.X

Workaround: Oracle version supported by ciscosecure should be used.

CSCds02599

CiscoSecure Unix does not support Altiga VPN3000 attributes.

Workaround: None

CSCdp83755

Request for enhancement for CiscoSecure Unix support on Solaris 2.8 and all subsequent versions of Solaris.

Workaround: Solaris 2.5.1, 2.6, 2.7 can be used

CSCds79587

In CiscoSecure Unix, When you are trying to create or update a user profile through the GUI, dates below 10 give problem in From and Until columns

Symptoms: 'Invalid Date format' error pops in the advanced GUI

Conditions: When a date less than 10 as 'd mmm yyyy' is entered

Workaround None

CSCds08096

The clear password is displayed in the View page of the GUI, though ViewProfile hides it with asterisk.

Symptoms: Clear Password is displayed as cleartext (unencrypted) in the FastAdmin page and the View Profile in Text Format dialog in Advanced Admin.

Conditions: When viewing a user profile in Fast Admin, the Clear Password is displayed as clear text. In the Advanced Admin, when viewing the profile in text format, the Clear Password is displayed in clear text.

Workaround: None.

CSCds79583

The clear password is displayed in the View page of the GUI, though ViewProfile hides it with asterisk.

Symptoms: Clear Password is displayed as cleartext (unencrypted) in the Advanced admin password entry edit box after Submit button is clicked.

Conditions: When entering the password for Password Clear, the password is echoed as stars. But after the Submit button is clicked, it is seen as cleartext.

Workaround: None.

CSCds34799

Ciscosecure Unix will fail during Installation if environmental variable LIBPATH is not set.

Symptoms: error received during installation "pkgadd: ERROR: post-install script did not complete successfully"

Conditions: LIBPATH not set

Workaround: Add LIBPATH to the environment.

CSCdp88338

In Ciscosecure Unix, DBClient terminates when enter key is pressed without username.

Symptoms: DBClient doesn't ask for Username again if we press enter for username

Workaround: None.

CSCdp70661

Ciscosecure Unix allows a user profile to have From Time greater than Until time, where as it should not be.

Symptoms: no check for time in case of service attributes

Workaround: None.

CSCdp76168

Need option to login back when user logs off from advanced Admin

Symptoms: Ciscosecure Unix does not allow a user to login back when user logs off from advanced Admin.

Workaround: Default Login screen should be used for Login.

CSCds86121

stop accounting records for failure not stored in DB

Symptoms: Ciscosecure Unix does not allow accounting logging for authentication failure to the database. Accounting record for authentication failure due to user error are not stored in the database.

Workaround: None.

CSCdj72212

CSAdmin gives "out of memory" error trying to load 10,000 user group

Symptom: The CiscoSecure Admin GUI doesn't scale well for a large number of users when the GUI is used to manage large quantities of users (more than 10,000) or when a tiered user/group arrangement exists.

Conditions: CiscoSecure Admin GUI is used to manage a large number of users (more than 10,000).

Workaround: Try increasing the browser cache to 8M and Disk cache to 20M in Netscape.

1. Split the large group into smaller groups.

Use the Command Line Interface (CLI) instead of Graphical User Interface for large numbers of users.

CSCds25674

Acme server dies after GUI login the first time after reboot

Symptom: Acme server dies after GUI login the first time after reboot

Conditions: When the Solaris 7 server running CSU 2.3.5 is rebooted, the Acme web server process terminates abnormally when you login through the GUI for the first time.

Workaround: Manually stop and restart CiscoSecure for UNIX.

English

tac@cisco.com

Hanzi (Chinese)

chinese-tac@cisco.com

Kanji (Japanese)

japan-tac@cisco.com

Hangul (Korean)

korea-tac@cisco.com

Spanish

tac@cisco.com

Thai

thai-tac@cisco.com