cc/td/doc/product/access/acs_soft/cs_unx
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table of Contents

Release Notes for CiscoSecure ACS 2.3(5) for UNIX

Release Notes for CiscoSecure ACS 2.3(5) for UNIX

April 17, 2000

These release notes contain important information and describe issues and workarounds regarding CiscoSecure Access Control Server (ACS) 2.3(5) for UNIX. For complete documentation on this product, please refer to the following documents:

Contents

These release notes discuss the following topics:

New Information, 1

Supplemental Copyright Information, 2

Closed Issues, 3

Open Issues, 4

Obtaining Documentation, 7

Obtaining Technical Assistance, 7

New Information

The following new features are included in this release of CiscoSecure ACS for UNIX:

Supplemental Copyright Information

The following information supplements the copyright information in the CiscoSecure ACS 2.3 for UNIX User Guide:

Copyright (C) 2000 by Jef Poskanzer . All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \Q\QAS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Closed Issues

This section identifies issues that have been resolved in CiscoSecure ACS 2.3(5) for UNIX.

Running stress test against SDI users caused CiscoSecure ACS to stop. New libraries from RSA Security have been incorporated.
The meaning of the message "Protocol-Garbled Message" was previously listed as "Bad data in the packet header." This has been corrected to state that the message is caused by an invalid license key.
Scroll bars now operate properly when using the Advanced>Servers window.
Documentation on RADIUS accounting header fields was clarified in, and additional documentation added to, Chapter 9 of the CiscoSecure ACS 2.3 for UNIX User Guide.
Documentation on the syslog feature was enhanced in Chapter 14 of the CiscoSecure ACS 2.3 for UNIX User Guide.
Documentation on password expiration was added to Chapter 8 of the CiscoSecure ACS 2.3 for UNIX User Guide.
Documentation on the use of ValidClients in CSConfig.ini was added to Chapter 16 of the CiscoSecure ACS 2.3 for UNIX User Guide.
The Token Caching time unit of measure was corrected in Chapter 12 of the CiscoSecure ACS 2.3 for UNIX User Guide.
Explanation was added to Chapter 8 of the CiscoSecure ACS 2.3 for UNIX User Guide stating that only clear passwords are changed when making a telnet connection to a NAS.
CSU.cfg debug options are now documented more completely in the CiscoSecure ACS 2.3 for UNIX User Guide.
Browser now operates properly when a non-standard 9900 port is used for CiscoSecure ACS.
CSImport was not parsing attributes correctly. When a # is found within a line of the user profile, CSimport utility incorrectly assumes that the line is a comment and ignores that line in the profile. The code has been modified so that the utility treats any line as a comment only when the first non-blank character in that line is #.
The minimum hardware requirements have changed. The correct hardware requirements are now listed in the CiscoSecure ACS 2.3 for UNIX Installation Guide.
Users received web I/O errors when accessing the AdvancedAdmin interface with Secure Support Layer (SSL). To resolve this issue, the following VeriSign certificates were renewed: Secure Server, Class Primary 1, Class Primary 2, and Class Primary 3.
Users could change the group-assigned Privilege-DES password with CHPASS. CiscoSecure ACS now checks for the enable privilege. If the user has the privilege "DES" used for the enable password, then the user can change his or her enable password; however, if the user inherits the property from the group, he or she will not be allowed to change it.
Documentation on the behavior of CiscoSecure ACS when the NAS is not configured was added to Chapter 14 of the CiscoSecure ACS 2.3 for UNIX User Guide.
The address field in cs_user_accounting was renamed to Remote ID.
DNS Server issues that caused the AAA Server to stop responding and not answer requests have been resolved.
Documentation on DNS issues was added to Chapter 14 of the CiscoSecure ACS 2.3 for UNIX User Guide.
CiscoSecure ACS allowed users to authenticate with expired tokens. In addition to the user name, the port type of the call is now used to differentiate sessions.

Open Issues

This section identifies issues that remain open in CiscoSecure ACS 2.3(5) for UNIX.

CiscoSecure ACS did not allow profile changes from the GUI when there was a syntax error in the profile. A user had a typographical error in the "acl" attribute in one of the group profiles. CiscoSecure ACS accepted the profile without generating a message. When the user tried to correct the profile, CiscoSecure ACS did not allow the user to modify the user profile, but generated the message "error in line..."
The workaround is for the customer to copy the profile to a new profile and modify the new profile.
During a Master-to-Master Replication in Oracle version 8.0.5, the update command via DBClient fails. There is no workaround.
CiscoSecure ACS RADIUS password expiration works, but there are no warnings on expiration and no opportunity to change the password. When the NAS specifies Cisco as the Vendor and uses the Cisco Dictionary, password expiration does not work.
The workaround is to configure CiscoSecure users and NASes as follows:

User profile

     user = user6{
     profile_id = 37
     set server current-failed-logins = 0
     profile_cycle = 33
     radius=Ascend5 {
     check_items= {
     21=Mar 15 2000 (Edited for ease to understand)
     2=cisco123
     }
     reply_attributes= {
     6=1
     7=1
     207=1
     208=30
     }
     }
     }
     
    

NAS Profile

    User Profile Information
     user = NAS.10.22.2.55{
     profile_id = 29
     profile_cycle = 10
     NASName="10.22.2.55"
     SharedSecret="cisco54321"
     RadiusVendor="Ascend"
     Dictionary="DICTIONARY.Ascend5"
     
     }
     
     The password change works as follows:
     
     telnet 10.22.2.55
     Trying 10.22.2.55...
     Connected to 10.22.2.55.
     Escape character is '^]'.
     
     User Access Verification
     
     Username: user6
     Password:
    Password Has Expired
     Please enter new password.
     
     Password:
     Please re-enter your new password.
     
    

     Password:
     
     nas3>       
     
     The NAS output is as follows:
     
     1w2d: AAA: parse name=tty38 idb type=-1 tty=-1
     1w2d: AAA: name=tty38 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=38 channel
     =0
     1w2d: AAA/AUTHEN: create_user (0x61297B5C) user='' ruser='' port='tty38' rem_add
     r='10.22.2.1/' authen_type=ASCII service=LOGIN priv=1
     1w2d: AAA/AUTHEN/START (1572192080): port='tty38' list='' action=LOGIN service=L
     OGIN
     1w2d: AAA/AUTHEN/START (1572192080): using "default" list
     1w2d: AAA/AUTHEN/START (1572192080): Method=LOCAL
     1w2d: AAA/AUTHEN (1572192080): status = GETUSER
     1w2d: AAA/AUTHEN/CONT (1572192080): continue_login (user='(undef)')
     1w2d: AAA/AUTHEN (1572192080): status = GETUSER
     1w2d: AAA/AUTHEN/CONT (1572192080): Method=LOCAL
     1w2d: AAA/AUTHEN (1572192080): status = GETPASS
     1w2d: AAA/AUTHEN/CONT (1572192080): continue_login (user='user6')
     1w2d: AAA/AUTHEN (1572192080): status = GETPASS
     1w2d: AAA/AUTHEN/CONT (1572192080): Method=LOCAL
     1w2d: AAA/AUTHEN (1572192080): password incorrect
     1w2d: AAA/AUTHEN (1572192080): status = ERROR
     1w2d: AAA/AUTHEN/START (2502004780): port='tty38' list='' action=LOGIN service=L
     OGIN
     1w2d: AAA/AUTHEN/START (2502004780): Restart
     1w2d: AAA/AUTHEN/START (2502004780): Method=RADIUS
     1w2d: AAA/AUTHEN (2502004780): status = GETPASS
     1w2d: AAA/AUTHEN/CONT (2502004780): continue_login (user='user6')
     1w2d: AAA/AUTHEN (2502004780): status = GETPASS
     1w2d: AAA/AUTHEN (2502004780): Method=RADIUS
     1w2d: RADIUS: ustruct sharecount=1
     1w2d: RADIUS: Initial Transmit tty38 id 150 10.22.2.1:1645, Access-Request, len
     76
     1w2d:         Attribute 4 6 0A160237
     1w2d:         Attribute 5 6 00000026
     1w2d:         Attribute 61 6 00000005
     1w2d:         Attribute 1 7 75736572
     1w2d:         Attribute 30 2 1F0B3130
     1w2d:         Attribute 31 11 31302E32
     1w2d:         Attribute 2 18 611EE9DE
     1w2d: RADIUS: Received from id 150 10.22.2.1:1645, Password-Expired, len 42
     1w2d:         Attribute 18 22 50617373
     1w2d: AAA/AUTHEN (2502004780): status = GETPASS
     1w2d: AAA/AUTHEN/CONT (2502004780): continue_login (user='user6')
     1w2d: AAA/AUTHEN (2502004780): status = GETPASS
     1w2d: AAA/AUTHEN (2502004780): Method=RADIUS 
     1w2d: AAA/AUTHEN (2502004780): status = GETPASS
     1w2d: AAA/AUTHEN/CONT (2502004780): continue_login (user='user6')
     1w2d: AAA/AUTHEN (2502004780): status = GETPASS
     1w2d: AAA/AUTHEN (2502004780): Method=RADIUS
     1w2d: RADIUS: ustruct sharecount=2
     1w2d: RADIUS: Initial Transmit tty38 id 151 10.22.2.1:1645, Change-Password, len
      90
     1w2d:         Attribute 4 6 0A160237
     1w2d:         Attribute 5 6 00000026
     1w2d:         Attribute 61 6 00000005
     1w2d:         Attribute 1 7 75736572
     1w2d:         Attribute 30 2 1F0B3130
     1w2d:         Attribute 31 11 31302E32
     1w2d:         Attribute 2 18 27CB81A8
     1w2d:         Attribute 17 8 17BC5CC5
     1w2d:         Attribute 6 6 00000005
     1w2d: RADIUS: Received from id 151 10.22.2.1:1645, Change-Password-Accept, len 2
     0
     1w2d: AAA/AUTHEN (2502004780): status = PASS
In addition to the Password Expired message, two other new messages, Change-Password and Change-Password-Accept, must be supported.

Obtaining Documentation

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.

Documentation CD-ROM

Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly. Therefore, it is probably more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.

Ordering Documentation

Registered CCO users can order the Documentation CD-ROM and other Cisco Product documentation through our online Subscription Services at http://www.cisco.com/cgi-bin/subcat/kaojump.cgi.

Nonregistered CCO users can order documentation through a local account representative by calling Cisco's corporate headquarters (California, USA) at 408 526-4000 or, in North America, call 800 553-NETS (6387).

Obtaining Technical Assistance

Cisco provides Cisco Connection Online (CCO) as a starting point for all technical assistance. Warranty or maintenance contract customers can use the Technical Assistance Center. All customers can submit technical feedback on Cisco documentation using the web, e-mail, a self-addressed stamped response card included in many printed docs, or by sending mail to Cisco.

Cisco Connection Online

Cisco continues to revolutionize how business is done on the Internet. Cisco Connection Online is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.

CCO's broad range of features and services helps customers and partners to streamline business processes and improve productivity. Through CCO, you will find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online support services, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.

Customers and partners can self-register on CCO to obtain additional personalized information and services. Registered users may order products, check on the status of an order and view benefits specific to their relationships with Cisco.

You can access CCO in the following ways:

You can e-mail questions about using CCO to cco-team@cisco.com.

Technical Assistance Center

The Cisco Technical Assistance Center (TAC) is available to warranty or maintenance contract customers who need technical assistance with a Cisco product that is under warranty or covered by a maintenance contract.

To display the TAC web site that includes links to technical support information and software upgrades and for requesting TAC support, use www.cisco.com/techsupport.

To contact by e-mail, use one of the following:

Language E-mail Address

English

tac@cisco.com

Hanzi (Chinese)

chinese-tac@cisco.com

Kanji (Japanese)

japan-tac@cisco.com

Hangul (Korean)

korea-tac@cisco.com

Spanish

tac@cisco.com

Thai

thai-tac@cisco.com

In North America, TAC can be reached at 800 553-2447 or 408 526-7209. For other telephone numbers and TAC e-mail addresses worldwide, consult the following web site: http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml.

Documentation Feedback

If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.

You can e-mail your comments to bug-doc@cisco.com.

To submit your comments by mail, for your convenience many documents contain a response card behind the front cover. Otherwise, you can mail your comments to the following address:

Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate and value your comments.



hometocprevnextglossaryfeedbacksearchhelp
Posted: Fri May 5 15:05:17 PDT 2000
Copyright 1989 - 2000©Cisco Systems Inc.