Release Notes for CiscoSecure ACS 2.3(2) for UNIX
March 31, 1999
These release notes contain important information and describe issues and workarounds regarding CiscoSecure Access Control Server (ACS) 2.3(2) for UNIX. For complete documentation on this product, please refer to the following documents:
- CiscoSecure ACS 2.3 for UNIX User Guide
- CiscoSecure ACS 2.3 for UNIX Reference Guide
- CiscoSecure ACS 2.3 for UNIX Installation Guide
These release notes discuss the following topics:
- New Information
- Corrections
- Additions
- Closed Issues
- Open Issues and Workarounds
- Cisco Connection Online
- Documentation CD-ROM
The following new features are included in this release of CiscoSecure ACS for UNIX:
- Year 2000 Compliance as defined on Cisco's Year 2000 web page at http://www.cisco.com/warp/public/752/2000/index.shtml
- Support for the Challenge Handshake Authentication Protocol-Challenge (CHAP-Challenge) (60) Remote Access Dial-In User Service (RADIUS) attribute
- Support for U.S. Robotics vendor-specific attributes
This section addresses errors in the CiscoSecure ACS 2.3 for UNIX Reference Guide and information that was not available before the reference guide was printed.
- Chapter 4---Tuning CiscoSecure ACS Performance and Configuration, "AAA Server Control File (CSU.cfg)" (page 4-7)
- The CiscoSecure AAA server does not support multiple license keys. In Table 4-2, the "Description and Example" for the config_license_key variable should be:
- The license key used to enable the product.
- Example:
LIST config_license_key = {"061db8afcf66db981f3c"};
- Chapter 4---Tuning CiscoSecure ACS Performance and Configuration, "AAA Server Control File (CSU.cfg)" (page 4-7)
- The config_local_timezone variable has been removed from the CSU.cfg file.
- Chapter 4---Tuning CiscoSecure ACS Performance and Configuration, "Message Catalog Format" (page 4-24)
- The list of default message IDs, message names, and message strings at the end of this section should be replaced with the following list:
Note Only messages 0 through 18 can be customized by the system administrator.
0, "\nUser Access Verification\n"
1, "Username:"
2, "Password:"
3, ""
4, "Change password sequence"
5, "Error - passwords the same"
6, "Your password has expired"
7, "Too many tries for username"
8, "Too many tries for password"
9, "New password:"
10, "New password again:"
11, "The passwords are different"
12, "Bad password"
13, "You cannot change your password"
14, "Your account will expire in %d days"
15, "Your password will expire in %d days"
16, "A password must be between 6 and 13 characters long, containing at least one alphabetic and one numeric character."
17, "Unable to save your changes in the database"
18, "Your account is currently disabled."
19, "Dummy"
20, "Authentication - User not found"
21, "Authentication - Bad method for user"
22, "Authentication - Bad type"
23, "Authentication - No username specified"
24, "Authentication - Insufficient privilege"
25, "Authentication - Unexpected data"
26, "Authentication - Unexpected reserved data"
27, "Authentication - Incorrect password"
28, "Authentication - Aborted sequence"
29, "Authentication - File handling error"
30, "Authentication - Unknown password type"
31, "Authentication - User not in file"
32, "Authentication - Error in external function"
33, "Authentication - Bad service"
34, "Authentication - Bad action"
35, "Authentication - Bad password"
36, "Authentication - No token passcode received"
37, "Authentication - SENDPASS successful"
38, "Authentication - SENDPASS failed"
39, "Authentication - LOGIN successful"
40, "Authentication - ENABLE successful"
41, "Authentication - CHPASS successful"
42, "Authentication - SENDAUTH successful"
43, "Authentication - SENDAUTH failed"
44, "Authentication - Too many tries"
45, "Authentication - Cant change password"
46, "Authentication - Change password failed"
47, "Authentication - Account disabled"
48, "Authentication - Maximum session exceeded"
49, "Protocol - Username too long"
50, "Protocol - Token passcode too long"
51, "Protocol - NAS name too long"
52, "Protocol - NAS port name too long"
53, "Protocol - NAC address too long"
54, "Protocol - Invalid privilege field"
55, "Protocol - Session id in use"
56, "Protocol - No session found"
57, "Protocol - Incorrect type"
58, "Protocol - Incorrect session"
59, "Protocol - Incorrect sequence"
60, "Protocol - Incorrect version"
61, "Protocol - Garbled message"
62, "Protocol - Read timeout"
63, "Protocol - Connection closed"
64, "Protocol - Bad type"
65, "Maximum number of users exceeded"
66, "Protocol - mismatched encryption"
67, "Protocol - mismatched encryption keys"
68, "Authorization - No service specified"
69, "Authorization - Failed mandatory argument"
70, "Authorization - Failed command line"
71, "Authorization - Failed service"
72, "Authorization - Failed time qualification"
73, "Authorization - Bad argument"
74, "Authorization - No command specified"
75, "Authorization - Failed command"
76, "Authorization - No protocol"
77, "Authorization - Unknown user"
78, "Authorization - Unauthorized NAS or PORT"
79, "Authorization - Request authorized"
80, "Authorization - Maximum sessions exceeded"
81, "RADIUS"
82, "DMS"
83, "Enter your new PIN, containing %s %s\nor press Y to have system generate a new PIN:"
84, "Re-Enter PIN:"
85, "PIN - %s Accept (Y/N)? "
86, "New PIN required! - Enter your new PIN, containing %s %s,\ncharacters or press return to cancel the New PIN procedure.\n\nEnter PIN:"
87, "Cannot change SDI password for user %s remotely"
88, "Enter PASSCODE:"
89, "Please enter the next code from your token:"
90, "New PIN required; do you wish to continue (Y/N)? "
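The catalog above is a flat list of `id, "string"` lines, and two things can go wrong when an administrator customizes it: editing an ID outside the 0 through 18 range that the note permits, and dropping or adding a `%d`/`%s` placeholder that the server fills in at runtime. The following checker is an added example written for these notes, not a Cisco utility; the catalog file syntax is taken from the list above, and both catalog texts are constructed samples.

```python
import re

# Constructed sample: a subset of the default entries listed in the release
# notes, in the same 'id, "string"' line format. Raw string keeps \n literal,
# as it appears in the catalog file.
DEFAULT_CATALOG = r'''
0, "\nUser Access Verification\n"
1, "Username:"
2, "Password:"
14, "Your account will expire in %d days"
15, "Your password will expire in %d days"
20, "Authentication - User not found"
83, "Enter your new PIN, containing %s %s\nor press Y to have system generate a new PIN:"
'''

# Constructed sample of an administrator's overrides. Entry 15 loses its %d,
# and entry 20 is outside the customizable range.
CUSTOM_CATALOG = r'''
1, "Login:"
14, "Account expires in %d days"
15, "Password expires soon"
20, "User unknown"
'''

LINE_RE = re.compile(r'^\s*(\d+)\s*,\s*"(.*)"\s*$')
CUSTOMIZABLE = range(0, 19)   # only messages 0 through 18 may be customized


def parse_catalog(text):
    """Return {id: string} for every well-formed 'id, "string"' line."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not in 'id, \"string\"' format: {line!r}")
        entries[int(m.group(1))] = m.group(2)
    return entries


def format_specs(s):
    """The printf-style placeholders the server substitutes, in order."""
    return re.findall(r'%[dsu]', s)


def check_overrides(defaults, custom):
    """Return a list of (id, reason) for overrides that should be rejected."""
    problems = []
    for mid, text in sorted(custom.items()):
        if mid not in CUSTOMIZABLE:
            problems.append((mid, "not customizable (only 0-18 may be changed)"))
            continue
        if mid not in defaults:
            problems.append((mid, "unknown message id"))
            continue
        want, got = format_specs(defaults[mid]), format_specs(text)
        if want != got:
            problems.append((mid, f"format specifiers changed: {want} -> {got}"))
    return problems


if __name__ == "__main__":
    defaults = parse_catalog(DEFAULT_CATALOG)
    for mid, reason in check_overrides(defaults, parse_catalog(CUSTOM_CATALOG)):
        print(f"message {mid}: {reason}")
```

Keeping the placeholder check strict matters because a message string is consumed by a C-style formatter: a missing `%d` silently changes what the user is told, and an extra specifier can make the server read an argument it was never given.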
The following information supplements the copyright information in the CiscoSecure ACS 2.3 for UNIX User Guide:
- CiscoSecure ACS software is derived in part from software of J-Lex. Permission by J-Lex; Copyright © 1996 by Elliot Joel Berk. Elliot Joel Berk disclaims all warranties with regard to this software, including all implied warranties of merchantability and fitness. In no event shall Elliot Joel Berk be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data, or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of this software.
- CiscoSecure ACS software is derived in part from the Generic Library Release Version 2.0 ("JGL"). Permission by ObjectSpace, Inc. Copyright © 1996.
- CiscoSecure ACS software is derived in part from the SUN Java JDK software from Sun Java Microsystems. CiscoSecure also uses JDBC-ODBC Bridges from Sun Java Microsystems. Copyright © 1992-1996. All rights reserved.
- CiscoSecure ACS software is derived in part from the SSLava Toolkit. The SSLava Toolkit is used strictly for the support of SSL. SSLava is a trademark of Phaos Technology Corporation. Copyright© 1996, 1997, Phaos Technology Corporation. All rights reserved.
This section contains additions to the CiscoSecure ACS for UNIX product documentation. The following topics are discussed:
As a security precaution, administrators who use the Microsoft Internet Explorer (IE) browser to access CiscoSecure ACS Administrator web pages should avoid saving any HTML bookmarks in their browser that might include clear text password strings to those pages.
This precaution is not necessary for administrators who use the Netscape Navigator or Netscape Communicator browser, for which the secure post method of HTML form processing and page retrieval has been enabled.
If necessary, the post method of HTML form processing and web page retrieval can also be activated for Microsoft IE browsers by running the IESecure UNIX script from the CiscoSecure $BASEDIR/utils/bin directory following successful CiscoSecure ACS installation:
Step 1 Log in as [root] to the machine on which the CiscoSecure ACS is installed.
Step 2 Change to the $BASEDIR/utils/bin directory, and enter:
./IESecure
Caution Enabling the post method causes the CiscoSecure ACS Administrator web pages to hang within the Microsoft IE browser after a period of inactivity (around 5 minutes). In this situation, restart the Microsoft IE browser and log in to the web pages again. [CSCdk27030]
If you have the CiscoSecure Distributed Session Manager (DSM) module licensed and enabled, you must avoid moving or deleting users from groups while those users are running active sessions. When a user who is still running active sessions is deleted or moved from a group, the number of active sessions belonging to that user is not decremented from that group's or any parent group's total active session count (as displayed in their Current Value field) until another user logs in to the same network access server (NAS) through the same port. When the new user logs in, the number of active sessions will be decremented for the user who was moved or deleted. Until the group's active session count is adjusted in this way, it will be higher than it actually is. Consequently, that group could be limited to fewer concurrent sessions than its Group Max Sessions setting actually allots it.
If your Terminal Access Controller Access Control System Plus (TACACS+) NASes are running Cisco IOS Release 11.3 or later, and you want to support CiscoSecure authorization of users who are dialing in over multiple Integrated Services Digital Network (ISDN) channels, use the Java-based CiscoSecure Administrator advanced configuration program to add the protocol = multilink attribute value to the profiles of the affected groups or users.
Cisco strongly recommends using the Max Sessions Enabled field in the CiscoSecure Administrator AAA General web page to enable or disable the various types of max sessions control as described in Chapter 6, "Limiting and Tracking Sessions Per User, Group, or VPDN" in the CiscoSecure ACS 2.3 for UNIX User Guide.
Alternatively, if you do not have access to a web browser, you can enable or disable max sessions control by editing the CSU.cfg and CSConfig.ini configuration files. In the $BASEDIR/config directory of your CiscoSecure ACS for UNIX server, edit your CSU.cfg and CSConfig.ini files as specified in Table 1 to enable the DSM or other supported types of max sessions control.
Caution If you edit the CSU.cfg and CSConfig.ini files, make sure that when you enable one type of max sessions control you also disable all other types of max sessions control. Enabling the settings for one type of max sessions control in Table 1 without disabling the settings for the other types can cause extremely slow authentication performance and out-of-memory errors.
Table 1: Max Sessions Enabling or Disabling CSU.cfg and CSConfig.ini Settings

| Enabling this Type of Max Sessions | Requires These CSU.cfg Settings | And Requires These CSConfig.ini Settings |
|---|---|---|
| None (all max sessions control disabled) | config_maxsessions_enable = 0; config_distmaxsessions_enable = 0. These settings disable AAA [1] server and DSM max sessions control. | ProcessInMemoryMaxSessionInfo = disable; ArchiveMaxSessionInfoToDB = disable. These settings disable DBServer-based max sessions control. |
| Distributed Session Manager (DSM) [2] | config_maxsessions_enable = 0; config_distmaxsessions_enable = 1. These settings disable AAA server-based max sessions control and enable the DSM. | ProcessInMemoryMaxSessionInfo = disable; ArchiveMaxSessionInfoToDB = disable. These settings disable DBServer-based max sessions control. |
| DBServer-based max sessions control (default setting) | config_maxsessions_enable = 0; config_distmaxsessions_enable = 0. These settings disable AAA server-based max sessions control and the DSM. | ProcessInMemoryMaxSessionInfo = enable; ArchiveMaxSessionInfoToDB = enable. These settings enable DBServer-based max sessions control. |
| AAA server-based max sessions control | config_maxsessions_enable = 1; config_distmaxsessions_enable = 0. These settings enable AAA server-based max sessions control and disable the DSM. | ProcessInMemoryMaxSessionInfo = disable; ArchiveMaxSessionInfoToDB = disable. These settings disable DBServer-based max sessions control. |

[1] AAA = authentication, authorization and accounting.
[2] DSM-based session control can only take effect if the optional DSM module has been licensed for this installation of CiscoSecure ACS 2.3 for UNIX.
Step 3 After making the above settings, stop and restart CiscoSecure ACS to make sure that all the above settings take effect:
- Log in as [root] to the UltraSPARC workstation where you installed CiscoSecure ACS. To stop CiscoSecure ACS, enter:
- # /etc/rc0.d/K80CiscoSecure
- To restart CiscoSecure ACS, enter:
- # /etc/rc2.d/S80CiscoSecure
Note All forms of max sessions control require that the AAA accounting functions be enabled in the client NASes.
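Because the caution above says that enabling two types of max sessions control at once degrades authentication and can exhaust memory, it is worth checking the four settings together before restarting the server. The script below is an added example for these notes, not a Cisco tool: it reads the two files, maps the combination of values onto the four valid rows of Table 1, and rejects anything else. It also pulls out the config_license_key value described later in this section. The `name = value;` line syntax for CSU.cfg is assumed from the `LIST config_license_key = {"..."};` example in these notes, the CSConfig.ini section that holds the two keys is not named here (so section headers are ignored), and all file contents are constructed samples.

```python
import re

# Constructed sample CSU.cfg contents. Line syntax (optional type keyword,
# "name = value;") is assumed from the LIST config_license_key example.
CSU_CFG = r'''
LIST config_license_key = {"PLACEHOLDER-LICENSE-KEY"};
config_maxsessions_enable = 1;
config_distmaxsessions_enable = 0;
'''

# Constructed sample CSConfig.ini contents, consistent with the CSU.cfg above
# (AAA server-based max sessions control, everything else disabled).
CSCONFIG_INI = '''
ProcessInMemoryMaxSessionInfo = disable
ArchiveMaxSessionInfoToDB = disable
'''

# Constructed inconsistent sample: DBServer-based control left enabled while
# CSU.cfg enables AAA server-based control. Table 1 has no such row.
BAD_CSCONFIG_INI = '''
ProcessInMemoryMaxSessionInfo = enable
ArchiveMaxSessionInfoToDB = enable
'''

# optional upper-case type keyword, name, value, optional trailing ';'
ASSIGN_RE = re.compile(r'^\s*(?:[A-Z]+\s+)?([A-Za-z_]\w*)\s*=\s*(.*?)\s*;?\s*$')


def parse_assignments(text):
    """Return {name: value} for every 'name = value' line; blank lines,
    comments and INI section headers are skipped."""
    out = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in '#;[':
            continue
        m = ASSIGN_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2).strip('{}"')
    return out


# The four valid combinations from Table 1:
# (config_maxsessions_enable, config_distmaxsessions_enable,
#  ProcessInMemoryMaxSessionInfo, ArchiveMaxSessionInfoToDB) -> mode
MODES = {
    (0, 0, "disable", "disable"): "none",
    (0, 1, "disable", "disable"): "DSM",
    (0, 0, "enable", "enable"): "DBServer",
    (1, 0, "disable", "disable"): "AAA server",
}


def max_sessions_mode(csu_text, ini_text):
    """Name the single enabled max sessions mode, or raise ValueError when
    the two files enable more than one type (or an unknown combination)."""
    csu = parse_assignments(csu_text)
    ini = parse_assignments(ini_text)
    key = (int(csu["config_maxsessions_enable"]),
           int(csu["config_distmaxsessions_enable"]),
           ini["ProcessInMemoryMaxSessionInfo"].lower(),
           ini["ArchiveMaxSessionInfoToDB"].lower())
    try:
        return MODES[key]
    except KeyError:
        raise ValueError("CSU.cfg/CSConfig.ini enable more than one type of "
                         f"max sessions control, or are inconsistent: {key}") from None


def license_key(csu_text):
    """The bare key string from LIST config_license_key = {"..."};"""
    return parse_assignments(csu_text)["config_license_key"]


if __name__ == "__main__":
    print("mode:", max_sessions_mode(CSU_CFG, CSCONFIG_INI))
    print("license key:", license_key(CSU_CFG))
    try:
        max_sessions_mode(CSU_CFG, BAD_CSCONFIG_INI)
    except ValueError as e:
        print("rejected:", e)
```

Run it against copies of the real files from $BASEDIR/config before the stop/restart in Step 3; a ValueError means the combination is one the caution warns about and the restart should wait.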
If you want to specify a software license key after installing CiscoSecure ACS, or if you want to modify the software license key for an existing CiscoSecure ACS 2.3 UNIX installation because you have obtained a new key to enable the optional DSM module, you can use the CiscoSecure License Key field in the CiscoSecure Administrator AAA General web page.
Alternatively, you can manually edit the config_license_key variable in the CSU.cfg file:
Step 1 Open the file $BASEDIR/config/CSU.cfg.
$BASEDIR is the install directory for CiscoSecure that you specified at the time of installation.
Step 2 Find the config_license_key variable, and enter or modify the value for software license key number. For example:
LIST config_license_key = {"a9505ad08a77f927afa4"};
Step 3 After changing the software license key, stop and restart CiscoSecure ACS for your changes to the CSU.cfg file to take effect:
- Log in as [root] to the system where you installed CiscoSecure ACS. To stop CiscoSecure ACS, enter:
- # /etc/rc0.d/K80CiscoSecure
- To restart CiscoSecure ACS, enter:
- # /etc/rc2.d/S80CiscoSecure
To change the username and password on your FastTrack server, perform the following steps:
Step 1 Log in to FastTrack as the administrator using a web browser installed on the same machine:
http://name of your CiscoSecure Server:64000
A screen displays requesting your username and password.
Step 2 Enter your administrator username and password to gain access to the Web Server Administration section.
Note The default username is "admin" and the default password is "password."
Step 3 Click the Configure Administration box.
Step 4 Click the Access Control line.
Editable fields for username and password display.
Step 5 Replace the username and password as necessary.
An enable password will allow a user to carry out expanded system administrator-level EXEC operations. To specify an enable password for a given user, perform the following steps:
Step 1 In the CiscoSecure Administrator advanced configuration program, click the icon for the user profile in the tree that is displayed in the Navigator pane of the tabbed Members page.
Step 2 Click the Profile icon to expand it.
Step 3 Click the Privilege - Clear icon.
Step 4 In the Attribute window, enter the privilege level (1-15) and the enable password.
Step 5 Click Apply.
Step 6 Click Submit.
Step 7 On the NAS, enter the following command:
aaa authen enable tacacs+ enable
This section identifies issues that have been resolved in CiscoSecure ACS 2.3(2) for UNIX.
- While Distributed Max Sessions (DMS) database counters were resetting, the DMS lock was held. This prevented any authentications until reset was complete, because the DMS lock must be acquired prior to any authentications. Now the DMS lock is periodically relinquished, allowing authentications to use it. If the system is very busy authenticating while the reset is occurring, the results will be inconsistent because authentication and reset might undo each other's results depending on the order of their execution. This is considered preferable to preventing any authentications while a reset is occurring.
- Login messages for one-time password Security Dynamics, Inc. ACE Server users have been added to the message catalog so they can be modified by the customer.
- The username can now contain the pound sign character (#).
- The CiscoSecure Advanced Administrator now accepts Class A IP addresses when creating NASes.
- Two parameters were added to the $BASE/CSU/libdb.conf file:
- MaxSocketError = #
- MaxReconnectError = #
- These parameters specify the number of socket errors or reconnect errors that CiscoSecure ACS for UNIX will tolerate while continuing to return FAIL when the database cannot be contacted. When the number of socket or reconnect errors exceeds the specified limit, CiscoSecure ACS for UNIX will start to return ERROR (the requested behavior). For example:
- MaxSocketError = 4
- MaxReconnectError = 4
- After four socket errors or four reconnect errors have occurred, CiscoSecure ACS for UNIX will start returning ERROR for all the "user not found" failures. At this point, the database is considered to be down, and failure to retrieve user profiles is because CiscoSecure ACS for UNIX cannot contact the DBServer, not because the user does not exist.
- The default value for both parameters is 0, which signifies that this feature will not be used. For example:
- MaxSocketError = 5
- MaxReconnectError = 0
- This means that only socket errors will be tracked; reconnect errors will be ignored.
- A socket error occurs once per failed authentication if the DBServer cannot be contacted. In some situations, however, one error can count toward the profile update channel instead. So, with MaxSocketError configured to be four, it can take three or four failed authentications for the ACS to assume that the DBServer is down.
- Reconnect errors are added as a backup mechanism. In cases where connections are dropped without triggering CiscoSecure ACS for UNIX to start returning ERROR, the socket error count will not be incremented with each failed authentication. In this situation, CiscoSecure ACS for UNIX depends on reconnect errors. Unfortunately, due to the retry mechanism in CiscoSecure ACS for UNIX, there is no way to predict the number of reconnect errors per authentication failure. Setting MaxReconnectError to 10 can still cause CiscoSecure ACS for UNIX to start returning ERROR right away. But this is only a backup mechanism; normally the MaxSocketError setting will suffice.
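The distinction between FAIL and ERROR matters to a NAS: FAIL means "this user does not exist" while ERROR means "the server could not decide", which is what lets a NAS fall through to a backup AAA server instead of rejecting every caller while the DBServer is down. The following model of the two counters is an added example for these notes, not Cisco's code. It follows the worked example above (a limit of 4 flips to ERROR after four errors; a limit of 0 disables that counter); the libdb.conf fragment is a constructed sample, and the parser accepts only the two parameters named above.

```python
import re

# Constructed sample fragment of $BASE/CSU/libdb.conf: track socket errors,
# ignore reconnect errors.
LIBDB_CONF = '''
MaxSocketError = 4
MaxReconnectError = 0
'''

PARAM_RE = re.compile(r'^\s*(MaxSocketError|MaxReconnectError)\s*=\s*(\d+)\s*$')


def parse_libdb_conf(text):
    """Return the two thresholds as ints; a missing key keeps the default 0
    (feature not used)."""
    values = {"MaxSocketError": 0, "MaxReconnectError": 0}
    for line in text.splitlines():
        m = PARAM_RE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


class DBErrorTracker:
    """Counts socket and reconnect errors against their limits. A failed
    profile lookup is reported as FAIL until a non-zero limit is reached,
    and as ERROR (database considered down) from then on."""

    def __init__(self, max_socket_error=0, max_reconnect_error=0):
        self.max_socket_error = max_socket_error
        self.max_reconnect_error = max_reconnect_error
        self.socket_errors = 0
        self.reconnect_errors = 0

    def database_down(self):
        # A limit of 0 means that counter is ignored entirely.
        socket_hit = self.max_socket_error and self.socket_errors >= self.max_socket_error
        reconnect_hit = (self.max_reconnect_error
                         and self.reconnect_errors >= self.max_reconnect_error)
        return bool(socket_hit or reconnect_hit)

    def lookup(self, user_found, socket_error=False, reconnect_error=False):
        """Result of one profile lookup: PASS, FAIL, or ERROR."""
        self.socket_errors += int(socket_error)
        self.reconnect_errors += int(reconnect_error)
        if user_found:
            return "PASS"
        return "ERROR" if self.database_down() else "FAIL"


def simulate(conf_text, failures, kind="socket"):
    """Run `failures` consecutive lookups that each hit one error of the given
    kind ("socket" or "reconnect") with the DBServer unreachable, and return
    the list of results the AAA server would hand back."""
    cfg = parse_libdb_conf(conf_text)
    tracker = DBErrorTracker(cfg["MaxSocketError"], cfg["MaxReconnectError"])
    return [tracker.lookup(False,
                           socket_error=(kind == "socket"),
                           reconnect_error=(kind == "reconnect"))
            for _ in range(failures)]


if __name__ == "__main__":
    print("socket errors:   ", simulate(LIBDB_CONF, 5))
    print("reconnect errors:", simulate(LIBDB_CONF, 5, "reconnect"))
```

With the sample configuration the first three unreachable lookups are still answered FAIL and the fourth onwards ERROR, while reconnect errors never trip the switch because their limit is 0.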
- CiscoSecure ACS for UNIX now supports the CHAP-Challenge(60) RADIUS attribute.
- The CiscoSecure Administrator Graphical User Interface (GUI) no longer crashes with the "java.lang.OutOfMemoryError" message. This error occurred in CiscoSecure ACS 2.2(2) for UNIX.
- In CiscoSecure ACS 2.3(1) for UNIX and later, CiscoSecure running on Solaris 2.6 with Oracle 7.3.4 eventually runs out of file descriptors and crashes with the "Too Many Files Open" message. The problem has been repaired by increasing the file handles used by the DBServer.
- ViewProfile now properly displays dates after 2099.
- Time stamps are now automatically adjusted for daylight saving time in accounting records. To effect this change, the config_local_timezone and config_use_host_timezone variables have been removed from the CSU.cfg file.
- The config_local_timezone and config_use_host_timezone variables have been removed from the CSU.cfg file to effect the automatic adjustment of time stamps for daylight saving time in accounting records. Removing the variables was also necessary to ensure Year 2000 Compliance. If your CSU.cfg file contains these variables, you can ignore the following message that will appear on startup:
CiscoSecure WARNING - Obsolete feature config_local_timezone, using local time
- These variables will be ignored by CiscoSecure ACS for UNIX. By default, CiscoSecure ACS for UNIX uses the local system time.
- CiscoSecure ACS 2.3(1) for UNIX now sends U.S. Robotics vendor-specific attributes (VSAs) in hex format correctly. This problem only appeared in version 2.3(1).
- The CiscoSecure Administrator GUI now accepts a maximum of 255 characters for NAS name/IP address.
- When a user's password is changed through the CiscoSecure Administrator GUI, the new expiration date will now be properly incremented by the value of the RADIUS Attribute 208 (Password-Lifetime), if Attribute 21 (Password-Expiration) and Attribute 208 are present.
- Use \\n to specify new lines in profiles to be added using the AddProfile or CSimport utilities.
- A local domain name can now be entered in the CiscoSecure Administrator GUI in the Domain Name\User Name format.
- The CiscoSecure Administrator GUI now correctly accepts a value of 30 for Token Cache Absolute Timeout.
- The CiscoSecure Administrator GUI now accepts a username of $enab15$, which is the username sent when Enable Authentication is done using RADIUS in the Cisco IOS software.
- Future passwords now work correctly as follows. If a future password is specified for a user, the user will not be able to log on with the future password until the date specified as the "from" date. After the date specified as the "until" date, the password is invalid, and the user will no longer be able to log on with it.
- CiscoSecure Administrator advanced configuration program GUI now works correctly when clients are configured in the ValidClients section of the CSConfig.ini file.
- Users with expired passwords are now given an opportunity to change them. This problem originally occurred after installing patch002 for version 2.2.3.
- CiscoSecure ACS for UNIX now allows Data Encryption Standard (DES) encrypted password and SecurID ACE/Server authentication at the same time. To use both methods of authentication, do not specify the -D option when starting CiscoSecure ACS for UNIX.
- Vendor-specific attributes (VSAs) sent in accounting packets by Cisco Resource Pool Manager Server (RPMS) to CiscoSecure ACS for UNIX are now processed correctly. In versions of CiscoSecure ACS for UNIX earlier than 2.3(2), some VSAs sent by Cisco RPMS are treated as unknown users. This can cause processing overload problems if Cisco RPMS sends large numbers of accounting packets containing VSAs to CiscoSecure ACS for UNIX.
This section identifies issues with CiscoSecure ACS 2.3(2) for UNIX. Some of these issues will be addressed in a subsequent release.
- The CiscoSecure Administrator GUI might hang when handling large user groups. The following message is displayed:
Applet CSAdmin java.lang.OutOfMemoryError
- CiscoSecure ACS does not support CHAP passwords for EXEC sessions. Clear passwords must be used for EXEC sessions.
- When converting a CiscoSecure ACS 1.0 for UNIX file to a version 2.0 flat file using the cnv utility, the comments are not placed in their proper location.
- The AcctExport utility does not accept wildcards in the pathname argument.
- The DBPollInterval parameter in the [ProfileCaching] section of the $BASEDIR/config/CSConfig.ini file specifies the interval between updating of the cache for database entries that were made directly by a third party application, such as Oracle or Sybase replication. If this interval is less than the database replication time specified in Oracle or Sybase, there might be a period of time when the cache and the database are not the same. To avoid this situation, you can set the DBPollInterval parameter to as little as one second; however, frequent polling can affect CiscoSecure ACS performance. For more information on modifying the profile caching interval, see "Tuning Profile Caching" in the CiscoSecure ACS 2.3 for UNIX Reference Guide.
- When using the CiscoSecure Administrator GUI to create or edit a DSM authority, you can enter a Transmission Control Protocol (TCP) port for DSM and GUI. If you enter an invalid port number for either of these fields, an error message is displayed. The associated help file for the TCP port incorrectly shows the valid port range as 1-165535. The port range should be 1-65535.
- If you are planning to limit and track sessions using the optional DSM module, Cisco recommends that for optimum performance, the DSM authority you assign to manage sessions is on a machine that is at least as fast as the machines from which it will be receiving session information and requests.
- When CiscoSecure ACS receives AAA information through a CiscoSecure Global Roaming Server (GRS), the session count for a point-of-presence (POP) group might be inaccurate. Because the CiscoSecure GRS specifies itself as the NAS in all requests it sends, all NASes going through a given CiscoSecure GRS are seen as one NAS. This renders the session count for a POP group inaccurate.
- If the Secure Sockets Layer (SSL) feature is enabled on your web browser, the performance of the CiscoSecure Administrator GUI will be significantly slower because of the additional processing involved with SSL.
The following issues have been reported when administering CiscoSecure ACS through the Microsoft Internet Explorer 3.02 web browser. To remedy the following issues, upgrade to Microsoft Internet Explorer 4.01 or use Netscape Navigator 3.04 or 4.04.
- Focus---After you click OK in a dialog box in Internet Explorer 3.02, the focus will temporarily shift somewhere else, then shift back to Internet Explorer.
- Scrolling the Members tab tree---In the Members tab of the Java-based CiscoSecure Administrator advanced configuration program, when you click the gray area of the scroll bar for the tree (the area that contains neither the arrows nor the scroll button), portions of the tree momentarily flash on the screen. Additionally, the scrolling goes very slowly.
- Dictionary scrolls six items at a time---In the Dictionaries tab of the Java-based CiscoSecure Administrator advanced configuration program, clicking on the gray area of the scroll bar should take the user up or down one full screen. IE scrolls more than a single screen with each click. To view all the data, you must click the arrows on the scroll bar or drag the slider.
- The authentication methodology used by the one-time password (OTP) cards from Security Dynamics, Inc. (SDI) differs somewhat from that used by the CiscoSecure ACS for UNIX. Whereas SDI authentication uses a single process, CiscoSecure ACS for UNIX employs a multithreaded approach for improved performance. Although not seen in either a laboratory or a beta site, a large volume of simultaneous SDI-based authentications can theoretically generate unexpected failures. In this case, the authentication might fail even though the username and password are correct. If users encounter this issue, advise them to wait a few moments, and then retry the operation.
Depending on the size of your database and the number of client/server transactions taking place, you might experience some processing delays, such as waiting a long time for GUI screens to refresh. Although these GUI performance issues can be annoying, they do not result in system malfunction or loss of data.
Unlike other GUI-based applications that run locally on a given computer, CiscoSecure ACS is a network-based application and is therefore dependent on external data-transfer rates, such as that provided by local telephone services. In addition, CiscoSecure ACS is a client/server product that includes a full relational database management system, so you might experience wait time as profiles are written to and from the database.
- In cases where Oracle Master-to-Master or Sybase Peer-to-Peer database replication has been implemented, the CiscoSecure system administrators must avoid updating the same CiscoSecure user profile at two or more different CiscoSecure ACS profile database sites during the same time period between database replication processes.
- If the same user profile is updated at two different sites within the same time period between replications, the user-profile edits at both sites will neither be replicated nor reconciled. The user profile will remain with unreconciled settings at both sites.
- For more information, see "Oracle Database Replication Setup Following CiscoSecure Installation" or "Sybase Database Replication Setup Following CiscoSecure Installation" in the CiscoSecure ACS 2.3 for UNIX Installation Guide or "Setting Up Database Replication Among CiscoSecure ACSes" in the CiscoSecure ACS 2.3 for UNIX Reference Guide.
- In cases where Oracle Master-to-Master (or Master-to-Updateable-Snapshot) database replication has been implemented, precautions need to be taken to minimize the chance of a CiscoSecure user attempting a failed login at two or more different CiscoSecure ACS profile database sites during the same interval between database replication processes.
- If failed logins under the same user profile occur at two different sites within the same interval between replications, the next time replication is run, Oracle shows a Unique Constraint error because both profiles have the same name but different profile IDs.
- When the same user subsequently attempts to log in, that user will fail due to the user account being locked.
- The database administrator must delete one of the user's conflicting profiles at one of the sites and force replication before the user account can be reset.
- To minimize the possibility of failed login of the same user at two or more sites within the same interval between replications, do the following:
- Schedule replications as frequently as practical. The shorter the interval between replications, the less likely two failed logins at different CiscoSecure ACS for UNIX sites by the same user will occur.
- Arrange, as much as possible, for a single CiscoSecure ACS for UNIX to oversee the NAS sites that any one user is likely to dial in to within the period of time between replications (for example, a single CiscoSecure ACS for UNIX server overseeing all the access numbers within a given area code).
Cisco does not recommend that large enterprise or large Internet service provider customers, who anticipate rapid growth and scaling-up operations in the number of users, use the default SQLAnywhere CiscoSecure installation option as the Relational Database Management System (RDBMS) engine to support their users. Please note the following limitations of the SQLAnywhere RDBMS engine:
- SQLAnywhere does not support more than 5,000 users.
- SQLAnywhere does not support database fault tolerance or replication functions.
For customers who plan to carry out large scale database growth and update operations, Cisco recommends use of the Oracle Enterprise or Sybase Enterprise RDBMS engines.
- CiscoSecure ACS for UNIX installations using versions 7.3.3 and 7.3.2 of the Oracle client modules SQL*Net and TCP/IP protocol adapter sometimes experience profile retrieval and DBServer module failure problems under heavy usage. To forestall these problems, install the SQL*Net and TCP/IP protocol adapter client modules that come with Oracle 7.3.4 or later.
- The Oracle 7.3.4 upgrade is available free to all customers with a valid support contract.
- Failure to maintain sufficient available disk space on the SQLAnywhere, Oracle, or Sybase database server storing records for the CiscoSecure ACS can result in a general warning message and a failure to update CiscoSecure accounting records. To prevent such failures, the system administrator should do the following:
- Ensure that sufficient disk space exists to record and update all login transactions.
- A typical example of heavy accounting disk space requirements might be those of an ISP's ACS, running TACACS+ protocol, receiving about 200,000 login requests per day, and configured to send Start, Update, and Stop accounting records (approximately 200 bytes each) for each login.
- To calculate the accounting-related database disk space requirements for the above example, you would multiply 200,000 (logins per day) x 3 (accounting records per login) x 200 (bytes per record). The result indicates that 120 MB of disk space per day on the SQLAnywhere, Oracle, or Sybase database server would be required to accommodate the daily accounting data in the above example.
- Periodically run the CiscoSecure AcctExport tool to export the accounting records from the SQLAnywhere, Oracle, or Sybase RDBMS to a flat file.
- When the Oracle trace file exceeds 5 MB (as might happen under frequent and heavy loads), the Oracle server might occasionally dump core data and abort. This is a known Oracle problem (ID Number: 510778) that is remedied with Oracle version 8.0.4.
- If this condition is causing problems, Oracle recommends that you disable Oracle tracing as follows:
Step 1 Go to the $ORACLE_HOME/otrace/admin directory of your Oracle server.
Step 2 Delete the existing process.dat and regid.dat files and recreate them to the default size:
% otrccef
Step 3 Edit the Oracle user's shell startup file. For Bourne or Korn shell users, the following are settings to add or edit:
EPC_DISABLED=TRUE; export EPC_DISABLED
Step 4 Stop and restart the Oracle server.
Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
You can access CCO in the following ways:
For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.
Note If you are a network administrator and need personal technical assistance with a Cisco product that is under warranty or covered by a maintenance contract, contact Cisco's Technical Assistance Center (TAC) at 800 553-2447, 408 526-7209, or tac@cisco.com. To obtain general information about Cisco Systems, Cisco products, or upgrades, contact 800 553-6387, 408 526-7208, or cs-rep@cisco.com
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more current than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.
Posted: Fri Mar 26 11:35:57 PST 1999
Copyright 1989-1999 © Cisco Systems Inc.