|
|
These release notes provide important updated information regarding CiscoSecure Access Control Server (ACS) 2.3(5.1) for UNIX. This document includes information about system requirements, Sun Solaris patch requirements, troubleshooting information, and known anomalies, including symptoms and work-around solutions.
This document contains the following sections:
The following new features were included in CiscoSecure ACS 2.3(5) for UNIX:
The following information supplements the copyright information in the CiscoSecure ACS 2.3 for UNIX User Guide:
Copyright (C) 2000 by Jef Poskanzer. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \Q\QAS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
For complete documentation for this product, please refer to the following documents:
This document can be viewed online at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/acsu235
This document, product number DOC-CSA2.3UX-IG, can be viewed online at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/acsu235/instl235.htm
The network components that interact with CiscoSecure ACS 2.3(5) for UNIX consist of:
 |
Note Cisco strongly recommends that CiscoSecure ACS be the only application running on this server. Combinations of different Cisco or non-Cisco applications have not been tested and are not supported. |
Each of these components has certain CiscoSecure configuration requirements.
CiscoSecure ACS (and its optional backup server) requires the following hardware and software:
Ultra 1 with a processor speed of 167 MHz or better
—Minimum 200 MHz if the Oracle or Sybase RDBMS is installed on the same system.
—Ultra 10 or better if the Oracle or Sybase RDBMS is installed on the same system
To check your version of Solaris, enter the Solaris command uname -a. If the system returns 5.5.1, Solaris 2.5.1 is installed. If the system returns 5.6, Solaris 2.6 is installed. If the system returns 5.7, Solaris 2.7 is installed.
|
Note To support the RADIUS tunneling feature of CiscoSecure, the Sun Ultra 1or compatible workstation must be running Solaris 2.6 or 2.7. |
CiscoSecure ACS works with the following network access servers (NASes):
|
Note To support the RADIUS tunneling feature of CiscoSecure, the AAA server must be running Cisco IOS Release 12.0(5)T or another vendor's NAS software that supports RADIUS tunneling attributes. |
The web-browser-based CiscoSecure ACS workstation console requires the following hardware and software:
|
Note Netscape Communicator 4.72 is not supported in CSU release 2.3(5), but is supported in CSU release 2.3(5.1). For a list of supported browsers, refer to http://www.cisco.com/warp/customer/480/13.html. |
To support CiscoSecure database requirements, you can use either the supplied SQLAnywhere database engine or supported versions of your own pre-installed Oracle Enterprise or Sybase Enterprise software running on your network.
CiscoSecure has been tested with the following database engines:
Supported database engines include:
If your network requires these support features, Cisco recommends pre-installing the Oracle Enterprise or Sybase Enterprise database engine.
|
Note If you intend to set up CiscoSecure with Oracle database replication, Cisco recommends that you read the PDF document Using CiscoSecure with Oracle's Distributed Database Feature (filename csbsdoc.pdf) before you install the Oracle or CiscoSecure software. This document is located in the $BASEDIR/FastAdmin/docs directory of the CiscoSecure distribution CD-ROM. It provides an easy-to-understand, start-to-finish, screen-by-screen configuration example of setting up Oracle database replication to work with CiscoSecure. |
If you are supporting token servers, they must be installed on the network before you install CiscoSecure ACS. Supported token servers include:
You can use the Solaris showrev -p command to determine which Solaris patches are already installed on your system.
Required patches or their latest versions can be downloaded from:
http://sunsolve.sun.com . README files for each patch are also available at this site.
|
Note You might require a SunSpectrum support contract to obtain some or all of the required patches. |
When using the Solaris 2.7 operating system, no patches are required.
When using the Solaris 2.6 operating system, the installation script checks for the following patches:
and at least one of the following:
When using the Solaris 2.5.1 operating system, the installation script checks for the following patches
CiscoSecure ACS for UNIX should be installed and running as a primary server installed on an UltraSPARC workstation. CiscoSecure ACS for UNIX should be the only application running on this workstation. Combinations of other applications running in parallel with CiscoSecure ACS have not been tested and are not supported.
This provides new and modified information.
By default, access to the Advanced GUI is not enabled after installation for security reasons. You can edit the CSConfig.ini file to control administrative access to the CiscoSecure ACS administration web pages and command-line interface (CLI) to a specified list of workstations to which you have assigned IDs.
Step 2 Insert or edit the following lines to the [ValidClients] section of the CSConfig.ini file:
ID_num is an arbitrary number you can assign for ID purposes to the workstation from which you want to access the CiscoSecure ACS.
my_wrk_station is a fully-qualified domain name (FQDN) or the IP address of the workstation from which you want to access the CiscoSecure ACS.
|
Note Repeat the line ID_num = my_wrk_station to assign a unique ID number to every workstation through which you want to access the CiscoSecure ACS administration web pages or the CLI. |
ValidateClients = {true | false} toggles on and off restricted access to the CiscoSecure ACS administration web pages or the CLI.
ValidateClients = true restricts access to only those workstations assigned IDs in the [ValidClients] section.
ValidateClients = false allows any workstation to access the CiscoSecure ACS administration web pages or CLI whether or not it is specifically listed in the [ValidClients] section.
Step 3 After editing the CSConfig.ini file, restart the CiscoSecure ACS to apply the changes.
In the following example, three workstations are authorized to access the CiscoSecure administration tools:
|
Note You must list fully-qualified domain names (FQDNs) for authorized workstations. |
The setting ValidateClients = true stops any workstation not specifically listed in the [ValidClients] section from accessing the CiscoSecure ACS web pages or CLI.
In the following example, the setting ValidateClients = false allows any workstation to access the CiscoSecure ACS web pages or the CLI, whether or not it is specifically listed in the [ValidClients] section:
CiscoSecure ACS for UNIX 2.3(5.1) supports RADIUS tunneling in a multivendor L2TP Access Concentrator (LAC) environment if the non-Cisco LAC sends a fully-qualified name. The fully-qualified name must be in the following format:
user@domain_name, as in somebody@abc.org
To configure CiscoSecure ACS for UNIX to handle fully-qualified names, follow these steps:
Step 2 Edit the CSU.cfg file and set config_remote_domain_authen to 1.
Step 3 Start CiscoSecure ACS.
Step 4 Using the graphical user interface (GUI), click AAA->Domain and enter the name of the remote domain or domains in the LAC CiscoSecure ACS AAA server field.
Step 5 Click AAA->Re-Initialize to re-initialize the AAA server.
Step 6 Set up the remote domain profiles as follows:
a. Specify password=no_password.
b. Do not specify User-Password (attribute 2) as a check item.
c. In reply_attributes, specify User-Service-Type (attribute 6) to be Outbound-User (5).
This section lists caveats known to exist in CiscoSecure ACS2.3(5.1) for UNIX and caveats resolved with its release.
The following caveats are known to exist in CiscoSecure ACS2.3(5.1) for UNIX.
CSCdj72212—CSAdmin gives "out of memory" error trying to load 10,000 user group
Symptom: The CiscoSecure Admin GUI doesn't scale well for a large number of users when the GUI is used to manage large quantities of users (more than 10,000) or when a tiered user/group arrangement exists.
Conditions: CiscoSecure Admin GUI is used to manage a large number of users (more than 10,000).
Workaround: Please try increasing the browser cache to 8M and Disk cache to 20M in Netscape.
1. Split the large group into smaller groups.
2. Use the Command Line Interface (CLI) instead of Graphical User Interface for large numbers of users.
CSCdr62411—Invalid client crash indicated csunix w/SSL and duplicate validateClient ID
Symptom: In CiscoSecure for Unix Version 2.3.5, when SSL is enabled and accessed from a duplicate client ID, Cisco Secure 2.3.5 behaves abnormally.
Condition: Under the [ValidClients] section of the CSConfig.ini file with SSL enabled, the following configuration causes abnormal behavior of CSU.
Workaround: Assign a unique client ID for each of the client by doing the following:
2. Entering the IP address and host name (in which case the CSU machine should be able to resolve the end host) in the machine's /etc/hosts file.
Further Description: You should not use the same client ID (100) for two different IP addresses. This problem occurs when an invalid client browser attempts to access the CSU GUI with secure socket layer (SSL) enabled. This causes a Java exception instead of indicating an unauthorized user.
CSCdr63518—From and Until date are both incremented by one day when password is changed via telnet
Symptom: In Cisco Secure 2.3.4.2, when you change the password through Telnet, From and Until date is incremented by one day.
Condition: Sample Profile before password change through telnet:
The profile after password change through Telnet:
Workaround: Use Update Profile to update the correct "from" and "until" dates for the password.
CSCdr83294—CiscoSecure for UNIX presents Erroneous "DBServer Started" messages
Symptom: "DBServer Started" message is printed even if the DBServer fails to start.
Condition: The start up script for CSU will print the message "DBServer Started", even if the database does not start.
Workaround: Ensure that the database connectivity exists. Then stop and restart CiscoSecure processes.
CSCds08096—Passwords are stored in unencrypted format
Symptom: You are able to see the clear (unencrypted) passwords.
Condition: If you perform a "view profile" in the GUI, you can see the clear passwords as character strings.
When you reselect on the User or Group profile, a dialogue box will appear indicating the following:
Condition: The Advanced Graphical User Interface (GUI) for Cisco Secure Unix sometimes has problems with some of the attributes entered in User or Group profiles. Attributes can be entered in correctly, but when you reselect on the User or Group profile, a dialogue box will appear indicating:
Where line xx represents the profile line number where the error occurred. <partial attribute> is the attribute found on the line indicated, except the first few characters of the attribute are missing. In addition, that profile will no longer be accessible via the GUI.
This problem is only with the Advanced GU, and does not affect the operation of the Cisco Secure server. The profile can still be viewed and modified via the Command Line Interface and the attributes are still passed to the NAS.
Workaround: If you receive the above error message, use the Command Line Interface to add, delete, or modify that profile. No other profiles are affected.
CSCdr91045—Unable to use cmd=set in profile
Symptom: With the 'set' command in the profile, CiscoSecure does not allow you to login to either a switch or a router.
Conditions: This tends to occur when "cmd=show" is changed to "cmd=set" and the permit version is not changed to permit port speed.
Workaround: A space character should be configured in the profile's set command for authentication as in the following example:
CSCds09639—Token caching fails when an ISDN user attempts to authenticate a second channel using MLPPP via SGBP.
Symptoms: When ISDN authenticates to CiscoSecure, the second ISDN channel fails intermittently. ISDN users cannot dial in, don't require full band width.
Conditions: The failure occurs because the current implementation of Cisco Secure has a security feature that does not allow two different type of interface (generated from IOS-NAS) for token caching validation scheme.
In the current implementation, the interface type "virtual-access" (which is sourced from IOS-NAS after completing the SGBGP-VPN-L2F call for the second channel) and the "serial" (sourced from IOS-NAS, first channel) combination are not allowed in token caching validation scheme.
CSCds25674—Acme server dies after GUI login the first time after reboot
Symptom: Acme server dies after GUI login the first time after reboot
Conditions: When the Solaris 2.7 server running CSU 2.3.5 is rebooted, the Acme web server process terminates abnormally when you login through the GUI for the first time.
Workaround: Manually stop and restart CiscoSecure for UNIX.
This section identifies issues that have been resolved in CiscoSecure ACS 2.3(5) for UNIX. The following were previously existing known caveats for CSU.
Running stress test against SDI users caused CiscoSecure ACS to stop. New libraries from RSA Security have been incorporated.
The meaning of the message "Protocol-Garbled Message" was previously listed as "Bad data in the packet header." This has been corrected to state that the message is caused by an invalid license key.
Scroll bars now operate properly when using the Advanced > Servers window.
Information about RADIUS accounting header fields was enhanced in Chapter 9 of the CiscoSecure ACS 2.3 for UNIX User Guide. This information is available on CCO at: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/acsu235/acctg.htm#32300
Information about the syslog feature was enhanced in Chapter 14 of the CiscoSecure ACS 2.3 for UNIX User Guide. This information is available on CCO at: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/acsu235/troubles.htm#xtocid1389215
Information about password expiration was added to Chapter 8 of the CiscoSecure ACS 2.3 for UNIX User Guide.
Documentation on the use of ValidClients in CSConfig.ini was added to Chapter 16 of the CiscoSecure ACS 2.3 for UNIX User Guide. This information is available on CCO at: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/acsu235/app_b.htm#xtocid158298
The Token Caching time unit of measure was corrected in Chapter 12 of the CiscoSecure ACS 2.3 for UNIX User Guide. This information is available on CCO at: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/acsu235/9_token.htm#xtocid107696
Chapter 8 of the CiscoSecure ACS 2.3 for UNIX User Guide was enhanced and now states that only clear passwords are changed when making a telnet connection to a NAS. This information is available on CCO at: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/acsu235/aadb.htm#xtocid816714
CSU.cfg debug options are now documented more completely in the CiscoSecure ACS 2.3 for UNIX User Guide. This information is available on CCO at: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/acsu235/troubles.htm#xtocid1389215
Browser now operates properly when a non-standard 9900 port is used for CiscoSecure ACS.
CSImport was not parsing attributes correctly. When a # is found within a line of the user profile, CSimport utility incorrectly assumes that the line is a comment and ignores that line in the profile. The code has been modified so that the utility treats any line as a comment only when the first non-blank character in that line is #.
The minimum hardware requirements have changed. The correct hardware requirements are now listed in the CiscoSecure ACS 2.3 for UNIX Installation Guide.
Users received web I/O errors when accessing the AdvancedAdmin interface with Secure Support Layer (SSL). To resolve this issue, the following VeriSign certificates were renewed: Secure Server, Class Primary 1, Class Primary 2, and Class Primary 3.
Users could change the group-assigned Privilege-DES password with CHPASS. CiscoSecure ACS now checks for the enable privilege. If the user has the privilege "DES" used for the enable password, then the user can change his or her enable password; however, if the user inherits the property from the group, he or she will not be allowed to change it.
Documentation on the behavior of CiscoSecure ACS when the NAS is not configured was added to Chapter 14 of the CiscoSecure ACS 2.3 for UNIX User Guide.
The address field in cs_user_accounting was renamed to Remote ID.
DNS Server issues that caused the AAA Server to stop responding and not answer requests have been resolved.
Documentation on DNS issues was added to Chapter 14 of the CiscoSecure ACS 2.3 for UNIX User Guide.
CiscoSecure ACS allowed users to authenticate with expired tokens. In addition to the user name, the port type of the call is now used to differentiate sessions.
This section provides troubleshooting information to eliminate a known problem reported as security errors.
After login to CiscoSecure UNIX, when attempting to use the CiscoSecure Admin user interface to modify Advanced > Advanced, a security error might occur. To eliminate this error, modify the CSConfig.ini file in the $BASEDIR/config directory as described in the "Restricting Client Access to the CiscoSecure ACS Administration Tools" section.
You can access the most current Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly. Therefore, it is probably more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.
Registered CCO users can order the Documentation CD-ROM and other Cisco Product documentation through our online Subscription Services at http://www.cisco.com/cgi-bin/subcat/kaojump.cgi.
Nonregistered CCO users can order documentation through a local account representative by calling Cisco's corporate headquarters (California, USA) at 408 526-7208 or, in North America, call 800 553-NETS (6387).
Cisco provides Cisco Connection Online (CCO) as a starting point for all technical assistance. Warranty or maintenance contract customers can use the Technical Assistance Center. All customers can submit technical feedback on Cisco documentation using the web, e-mail, a self-addressed stamped response card included in many printed docs, or by sending mail to Cisco.
Cisco continues to revolutionize how business is done on the Internet. Cisco Connection Online is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.
CCO's broad range of features and services helps customers and partners to streamline business processes and improve productivity. Through CCO, you will find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online support services, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on CCO to obtain additional personalized information and services. Registered users may order products, check on the status of an order and view benefits specific to their relationships with Cisco.
You can access CCO in the following ways:
You can e-mail questions about using CCO to cco-team@cisco.com.
The Cisco Technical Assistance Center (TAC) is available to warranty or maintenance contract customers who need technical assistance with a Cisco product that is under warranty or covered by a maintenance contract.
To display the TAC web site that includes links to technical support information and software upgrades and for requesting TAC support, use www.cisco.com/techsupport.
To contact by e-mail, use one of the following:
| Language | E-mail Address |
|---|---|
In North America, TAC can be reached at 800 553-2447 or 408 526-7209. For other telephone numbers and TAC e-mail addresses worldwide, consult the following web site: http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml.
If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.
You can e-mail your comments to bug-doc@cisco.com.
To submit your comments by mail, for your convenience many documents contain a response card behind the front cover. Otherwise, you can mail your comments to the following address:
Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate and value your comments.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Access Registrar, AccessPath, Are You Ready, ATM Director, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, CiscoLink, the Cisco NetWorks logo, Cisco Powered Network logo, Cisco Systems Networking Academy, Fast Step, FireRunner, Follow Me Browsing, FormShare, GigaStack, IGX, Intelligence in the Optical Core, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, iQ Logo, iQ Readiness Scorecard, Kernel Proxy, MGX, Natural Network Viewer, Network Registrar, the Networkers logo, Packet, PIX, Point and Click Internetworking, Policy Builder, RateMUX, ReyMaster, ReyView, ScriptShare, Secure Script, Shop with Me, SlideCast, SMARTnet, SVX, TrafficDirector, TransPath, VlanDirector, Voice LAN, Wavelength Router, WebViewer, Workgroup Director, and Workgroup Stack are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, Cisco, the Cisco Certified Internetwork Expert Logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Collision Free, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastLink, FastPAD, IOS, IP/TV, IPX, LightStream, LightSwitch, MICA, NetRanger, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries.
All other brands, names, or trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0010R)
Copyright © 1999, 2000 Cisco Systems, Inc.
All rights reserved.
Posted: Sun Jan 19 08:47:23 PST 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.