Release Notes for Cisco Secure Access Control System 5.8
Supported Virtual Environments
Supported Device and User Repositories
New Features in ACS 5.8 Release
Authenticating Administrators against RADIUS Identity and RSA SecurID Servers
Exporting Policies from ACS Web Interface
Changing Internal User Passwords using REST API
Internal Administrator Password Hashing
EAP-FAST Authentications with Cisco IP Phone
New Features Introduced in ACS 5.8 Patch 4
Support for Elliptic Curve Cryptography (ECC) Certificates
New Features Introduced in ACS 5.8 Patch 7
Internal Users Cache Mechanism
Configuring Log Accounting Updates
New Features Introduced in ACS 5.8 Patch 8
Exporting Reports to Local Machine
Wild Card Character Support for MAC Address of End Station or Destination
Upgrading Cisco Secure ACS Software
Monitoring and Reports Data Export Compatibility
Installation and Upgrade Notes
Installing, Setting Up, and Configuring Cisco SNS 3400 Series Appliances
Installing, Setting Up, and Configuring CSACS-1121
Limitations in ACS Deployments
Search Bugs Using the Bug Search Tool
Resolved Issues in Cumulative Patch ACS 5.8.0.32.1
Resolved Issues in Cumulative Patch ACS 5.8.0.32.2
Resolved Issues in Cumulative Patch ACS 5.8.0.32.3
Resolved Issues in Cumulative Patch ACS 5.8.0.32.4
Resolved Issues in Cumulative Patch ACS 5.8.0.32.5
Resolved Issues in Cumulative Patch ACS 5.8.0.32.6
Resolved Issues in Cumulative Patch ACS 5.8.0.32.7
Resolved Issues in Cumulative Patch ACS 5.8.0.32.8
Resolved Issues in Cumulative Patch ACS 5.8.0.32.9
Resolved Issues in Cumulative Patch ACS 5.8.0.32.10
Supplemental License Agreement
Obtaining Documentation and Submitting a Service Request
This release notes pertain to the Cisco Secure Access Control System (ACS), Release 5.8, hereafter referred to as ACS 5.8. This release notes describes the features, limitations and restrictions (caveats), and related documentation for Cisco Secure ACS. The release notes supplement the Cisco Secure ACS documentation that is included with the product hardware and software release.
Note: ACS 5.8 and ACS 5.8.1 releases are functionally equivalent, except that the ACS 5.8.1 release supports additional hardware platforms. These two releases leverage common patches and the details for patches included in this document apply to both ACS 5.8 and 5.8.1 releases.
■New Features in ACS 5.8 Release
■New Features Introduced in ACS 5.8 Patch 4
■New Features Introduced in ACS 5.8 Patch 7
■New Features Introduced in ACS 5.8 Patch 8
■Upgrading Cisco Secure ACS Software
■Monitoring and Reports Data Export Compatibility
■Installation and Upgrade Notes
■Limitations in ACS Deployments
■Resolved Issues in Cumulative Patch ACS 5.8.0.32.1
■Resolved Issues in Cumulative Patch ACS 5.8.0.32.2
■Resolved Issues in Cumulative Patch ACS 5.8.0.32.3
■Resolved Issues in Cumulative Patch ACS 5.8.0.32.4
■Resolved Issues in Cumulative Patch ACS 5.8.0.32.5
■Resolved Issues in Cumulative Patch ACS 5.8.0.32.6
■Resolved Issues in Cumulative Patch ACS 5.8.0.32.7
■Resolved Issues in Cumulative Patch ACS 5.8.0.32.8
■Resolved Issues in Cumulative Patch ACS 5.8.0.32.9
■Resolved Issues in Cumulative Patch ACS 5.8.0.32.10
■Supplemental License Agreement
■Obtaining Documentation and Submitting a Service Request
ACS is a policy-driven access control system and an integration point for network access control and identity management.
The ACS 5.8 software runs on a dedicated Cisco SNS-3495 appliance, on a Cisco SNS-3415 appliance, on a Cisco 1121 Secure Access Control System (CSACS-1121) or on a VMware server. ACS 5.8 ships on Cisco SNS-3495 and Cisco SNS-3415 appliances. However, ACS 5.8 continues to support CSACS-1121 appliance. For more information on upgrade paths, see Upgrading Cisco Secure ACS Software.
This release of ACS provides new and enhanced functionality. Throughout this document, Cisco SNS-3495, Cisco SNS-3415 and CSACS-1121 refer to the appliance hardware, and ACS server refers to ACS software.
■Supported Virtual Environments
■Supported Device and User Repositories
Note: For more details on Cisco Secure ACS hardware platform and installation, see the Installation and Upgrade Guide for Cisco Secure Access Control System 5.8.
Note: No third-party software such as anti-virus or anti-malware, is supported in Cisco Secure ACS.
Cisco Secure ACS 5.8 ships on the following platforms:
■Dual socket Intel E5-2609 2.4Ghz CPU 8 total cores, 8 total threads |
|
■Single socket Intel E5-2609 2.4Ghz CPU 4 total cores, 4 total threads |
|
Cisco 1121 Secure Access Control System Hardware (CSACS-1121) |
■Intel Core 2 Duo 2.4-GHz processor with an 800-MHz front side bus (FSB) and 2 MB of Layer 2 cache. |
■2 CPUs (dual CPU, Xeon, Core2 Duo or 2 single CPUs) ■NIC—1 GB NIC interface required (You can install up to 4 NICs.) ■For supported VMware versions, see Supported Virtual Environments. ■For information on VMware requirements, see Installation and Upgrade Guide for Cisco Secure Access Control System 5.8. |
Cisco Secure ACS 5.8.1 supports the following two additional platforms in addition to the above mentioned hardware platforms:
For more information about the supported hardware platforms for ACS 5.8.1, see Release Notes for Cisco Secure Access Control System 5.8.1.
Note: Cisco recommends you to use more than a 4GB RAM platform for a deployment that has more than 100,000 devices. ACS runtime crashes when you use a machine with 4GB RAM or less in a deployment that has more than 100,000 devices.
ACS 5.8 supports the following VMware versions:
■VMware ESXi 6.0 Update 3 (validated with ACS 5.8 patch 9)
For information on VMware machine requirements and installation procedures, see the “ Installing ACS in a VMware Virtual Machine” chapter in the Installation and Upgrade Guide for Cisco Secure Access Control System 5.8.
You can access the ACS 5.8 administrative user interface using the following browsers:
–Mozilla Firefox version 46.x (supported only after installing ACS 5.8 patch 3 or later)
–Mozilla Firefox version 52.x (supported only after installing ACS 5.8 patch 7 or later)
–Mozilla Firefox version 53.x (supported only after installing ACS 5.8 patch 8)
–Mozilla Firefox version 55.x (supported only after installing ACS 5.8 patch 9 or later)
–Mozilla Firefox version 60.x (supported only after installing ACS 5.8 patch 10 or later)
–Mozilla Firefox version 61.x (supported only after installing ACS 5.8 patch 10 or later)
–Mozilla Firefox version 62.x (supported only after installing ACS 5.8 patch 10 or later)
–Mozilla Firefox version 38.2.0 ESR
–Mozilla Firefox version 45.0.2 ESR
–Mozilla Firefox version 45.4 ESR
–Mozilla Firefox version 45.5 ESR
–Mozilla Firefox version 45.6 ESR
–Mozilla Firefox version 45.7 ESR
–Mozilla Firefox version 45.8 ESR (supported only after installing ACS 5.8 patch 8)
–Mozilla Firefox version 45.9 ESR
–Mozilla Firefox version 52.0 ESR
–Mozilla Firefox version 52.1 ESR
–Mozilla Firefox version 52.2 ESR
–Mozilla Firefox version 52.3.0 ESR (supported only after installing ACS 5.8 patch 9)
–Mozilla Firefox version 52.4.0 ESR
–Mozilla Firefox version 52.5.0 ESR
–Mozilla Firefox version 52.6.0 ESR
–Mozilla Firefox version 60.2.2 ESR (supported only after installing ACS 5.8 patch 10 or later)
■Windows 7 32-bit and Windows 7 64-bit
–Internet Explorer version 11.x
–Mozilla Firefox version 46.x (supported only after installing ACS 5.8 patch 3 or later)
–Mozilla Firefox version 52.x (supported only after installing ACS 5.8 patch 7 or later)
–Mozilla Firefox version 53.x (supported only after installing ACS 5.8 patch 8)
–Mozilla Firefox version 55.x (supported only after installing ACS 5.8 patch 9)
–Mozilla Firefox version 60.x (supported only after installing ACS 5.8 patch 10 or later)
–Mozilla Firefox version 61.x (supported only after installing ACS 5.8 patch 10 or later)
–Mozilla Firefox version 62.x (supported only after installing ACS 5.8 patch 10 or later)
–Mozilla Firefox version 38.1.0 ESR
–Mozilla Firefox version 38.2.0 ESR
–Mozilla Firefox version 45.0.2 ESR
–Mozilla Firefox version 45.4 ESR
–Mozilla Firefox version 45.5 ESR
–Mozilla Firefox version 45.6 ESR
–Mozilla Firefox version 45.7 ESR
–Mozilla Firefox version 45.8 ESR (supported only after installing ACS 5.8 patch 8)
–Mozilla Firefox version 45.9 ESR
–Mozilla Firefox version 52.0 ESR
–Mozilla Firefox version 52.1 ESR
–Mozilla Firefox version 52.2 ESR
–Mozilla Firefox version 52.3.0 ESR (supported only after installing ACS 5.8 patch 9)
–Mozilla Firefox version 52.4.0 ESR
–Mozilla Firefox version 52.5.0 ESR
–Mozilla Firefox version 52.6.0 ESR
–Mozilla Firefox version 60.2.2 ESR (supported only after installing ACS 5.8 patch 10 or later)
–Internet Explorer version 11.x
–Mozilla Firefox version 46.x (supported only after installing ACS 5.8 patch 3 or later)
–Mozilla Firefox version 52.x (supported only after installing ACS 5.8 patch 7 or later)
–Mozilla Firefox version 53.x (supported only after installing ACS 5.8 patch 8)
–Mozilla Firefox version 55.x (supported only after installing ACS 5.8 patch 9)
–Mozilla Firefox version 60.x (supported only after installing ACS 5.8 patch 10 or later)
–Mozilla Firefox version 61.x (supported only after installing ACS 5.8 patch 10 or later)
–Mozilla Firefox version 62.x (supported only after installing ACS 5.8 patch 10 or later)
–Mozilla Firefox version 38.2.0 ESR
–Mozilla Firefox version 45.0.2 ESR
–Mozilla Firefox version 45.4 ESR
–Mozilla Firefox version 45.5 ESR
–Mozilla Firefox version 45.6 ESR
–Mozilla Firefox version 45.7 ESR
–Mozilla Firefox version 45.8 ESR (supported only after installing ACS 5.8 patch 8)
–Mozilla Firefox version 45.9 ESR
–Mozilla Firefox version 52.0 ESR
–Mozilla Firefox version 52.1 ESR
–Mozilla Firefox version 52.2 ESR
–Mozilla Firefox version 52.3.0 ESR (supported only after installing ACS 5.8 patch 9)
–Mozilla Firefox version 52.4.0 ESR
–Mozilla Firefox version 52.5.0 ESR
–Mozilla Firefox version 52.6.0 ESR
–Mozilla Firefox version 60.2.2 ESR (supported only after installing ACS 5.8 patch 10 or later)
Note: Adobe Flash Player 11.2.0.0 or above must be installed on the system running the client browser.
Note: When you import or export a .csv file from ACS 5.x, you must turn off the pop-up blocker.
For information on supported devices, 802.1X clients, and user repositories, see Supported and Interoperable Devices and Software for Cisco Secure Access Control System 5.8.
The following sections briefly describe the new features in the 5.8 release:
■Active Directory Enhancements
■Authenticating Administrators against RADIUS Identity and RSA SecurID Servers
■Exporting Policies from ACS Web Interface
■Changing Internal User Passwords using REST API
■Internal Administrator Password Hashing
■EAP-FAST Authentications with Cisco IP Phone
■FIPS 140-2 Level 1 Compliance
ACS 5.8 web interface includes the following new options in the Active Directory page:
■ Advanced Tuning —The advanced tuning feature provides node-specific changes and settings to adjust parameters deeper in the system. This tab allows configuration of preferred Domain Controllers, Global Catalogs, Domain Controller fail over parameters, and timeouts. This page also provides troubleshooting options such as disabling encryption. These settings are not intended for normal administration flow and should be used only under Cisco Support guidance.
■ Authentication Domains —This option allows you to restrict ACS to a subset of authentication domains while interacting with the Active Directory deployments. Configuring authentication domains enables you to select specific domains so that the authentications are performed against the selected domains only. Authentication domains improve security because they instruct ACS to authenticate users only from selected domains and not from all trusted domains.
■ Diagnostic Tool —The Diagnostic Tool is a service that runs on every Cisco ACS node. It allows you to automatically test and diagnose the Active Directory deployment and execute a set of tests to detect issues that may cause functionality or performance failures when ACS uses Active Directory. It helps you to detect the problems with networking, firewall configurations, clock sync, user authentication, and so on when ACS uses Active Directory.
■ Ambiguous Identity Resolution —If the user or machine name received by ACS is ambiguous, that is, it is not unique, it can cause problems for users when they try to authenticate. Identity clashes occur in cases when the user does not have a domain markup, or when there are multiple identities with the same username in more than one domain. For example, userA exists on domain1 and another userA exists on domain2. You can use the identity resolution setting to define the scope for the resolution for such users. Cisco highly recommends you to use qualified names such as UPN or NetBIOS. Qualified name reduces chances of ambiguity and increases performance by reducing delays.
■ Enable Kerberos for PAP authentications —Prior to version 5.8, ACS used Kerberos protocol for PAP authentications. But, ACS 5.8 uses MS-RPC protocol for PAP authentications by default. If you want to use Kerberos protocol for PAP authentications in ACS 5,8, then you must check the Use Kerberos for Plain Text check box in User and Identity Stores > External Identity Stores > Active Directory page.
ACS 5.8 introduces the following new alarms and reports to monitor and troubleshoot Active Directory-related activities.
The following alarms are triggered for Active Directory errors and issues:
■Configured name server not available
■Authentication domain is unavailable
■Active Directory forest is unavailable
■AD Connector had to be restarted
■AD: ACS account password update failed
■AD: Machine TGT refresh failed
You can monitor Active Directory-related activities using the following reports:
■RADIUS Authentications Report—This report shows detailed steps of the Active Directory RADIUS authentication and authorization. You can find this report here: Launch Monitoring and Report Viewer > Monitoring and Reports > Reports > ACS Reports > AAA Protocol > RADIUS Authentications.
■TACACS+ Authentications Report—This report shows detailed steps of the Active Directory TACACS+ authentication and authorization. You can find this report here: Launch Monitoring and Report Viewer > Monitoring and Reports > Reports > ACS Reports > AAA Protocol > TACACS Authentications.
■AD Connector Operations Report—The AD Connector Operations report provides a log of background operations performed by AD connector, such as ACS server password refresh, Kerberos ticket management, DNS queries, DC discovery, LDAP, and RPC connections management. If you encounter any Active Directory failures, you can review the details in this report to identify the possible causes. You can find this report here: Launch Monitoring and Report Viewer > Monitoring and Reports > Reports > ACS Reports > ACS Instance > AD Connector Operations.
For more information on Active Directory integration in ACS 5.8, see Active Integration in ACS 5.8 Guide and User Guide for Cisco Secure Access Control System 5.8.
Note: When you face permission issue for tokenGroups in ACS 5.8, run the below command in the Active Directory servers:
Note: In ACS 5.8, you must manually join ACS to Active Directory after upgrading ACS 5.x to ACS 5.8. See Installation and Upgrade Guide for Cisco Secure Access Control System for more information on upgrade methods.
Note: Prior to Release 5.8, ACS started the adclient process only after joining the Active Directory domain to ACS. But, ACS 5.8 starts the adclient process soon after installing it.
Note: Previous releases of ACS disconnects the Active Directory domain and displays the status as “joined but disconnected” in the Active Directory connection details page, when you stop the ad-client process manually from ACS CLI. But in ACS 5.8, when you stop the ad-client process manually from ACS CLI, ACS disconnects Active Directory domain and displays the status as “None” in Active Directory connection details page. If you start the ad-client process again from ACS CLI, ACS gets connected to the Active Directory domain and displays the status as “joined and connected” in AD connection details page.
Previous releases of ACS support authenticating ACS administrators only against AD or LDAP external identity stores. But, ACS 5.8 supports authenticating administrators against RADIUS Identity and RSA SecurID servers. This feature is available in both the ACS web interface and ACS configuration mode of ACS CLI. This feature provides additional security to administrator authentications by using an One Time Password (OTP) that the RADIUS Identity or RSA SecurID server generates. For information on how to authenticate administrators against RSA Identity and RADIUS SecurID servers, see the User Guide for Cisco Secure Access Control System 5.8.
ACS 5.8 allows you to export policies and policy elements from the ACS web interface as an XML file to a remote repository or to email ids that you have configured. You can perform an instant export or schedule it for a future day and time. ACS exports the policies as an XML file and encrypts it with a password that you can use for decrypting the XML file. You must have an administrator account with SuperAdmin role to export policies from the ACS web interface. ACS does not export access service policies of type external proxy. Fore more information on exporting policies, see the User Guide for Cisco Secure Access Control System 5.8.
ACS allows you to change the user password using REST APIs. You can use the GET method from REST API to retrieve the change password XML file from ACS. You can enter the old password and new password in the retrieved XML file and use the PUT method to update the password in ACS. This feature is applicable only for internal users. For more information on changing internal user password using the from REST API, see the Software Developer’s Guide Cisco Secure Access Control System.
To enhance security, ACS 5.8 introduces a new feature, “Enable Password Hash.” ACS runtime process must be up and running properly for this option to work. For information on hashing administrator password, see the User Guide for Cisco Secure Access Control System 5.8.
Cisco IP phone implements a specific use case of EAP-FAST for conducting certificate based authentications. Cisco IP phone expects the authentication server to send a certificate request during EAP-FAST authentication tunnel establishment and responds back with the certificate. ACS validates the certificate and if the certificate validation is successful, then ACS skips the inner method. Therefore, ACS must differentiate the EAP-FAST authentication with Cisco IP phone and other supplicants. To enable certificate request for EAP-FAST authentication with Cisco IP phones, ACS introduces new options under Access Policies > Access Services > Create > Allowed Protocols >Allow EAP-FAST page.
■If you use PACs, then you must check the Accept Client Certificate For Provisioning check box for ACS to differentiate Cisco IP phones from other supplicants.
■If you do not use PACs, you must check the Accept Client Certificate check box in ACS to differentiate Cisco IP phones from other supplicants.
ACS 5.8 is compliant with Federal Information Processing Standard (FIPS) 140-2 Level 1. ACS uses an embedded FIPS 140-2 Level 1 implementation using validated C3M and NSS modules, per the FIPS 140-2 Implementation Guidance section G.5 guidelines. The key size of Certificate Authority certificates and server certificates that are used in ACS should be greater than or equal to 2048 bits. The key size of client certificate should be greater than or equal to 1024 bits. In FIPS mode, ACS does not support PAP, CHAP, MSCHAPv1, MSCHAPv2, EAP-MD5, LEAP, and Anonymous PAC Provisioning in EAP-FAST protocols. For more information on how to enable FIPS in ACS, see the User Guide for Cisco Secure Access Control System 5.8.
ACS 5.8 Patch 4 introduces the following new features:
■Allowing Weak Ciphers for EAP
■Support for Elliptic Curve Cryptography (ECC) Certificates
ACS 5.8 after installing patch 4, enables TLS 1.2 for both browser access and runtime (AAA) access by default. For compatibility reasons, ACS allows you to enable and disable TLS 1.0 using the configuration available in System Administration > Configuration > Global System Options > Security Settings page.
For HTTPS, TLS 1.0 can be enabled/disabled using the “Enable TLS 1.0 for https access” option. This configuration will restart the management in Primary ACS. However, management services needs to be restarted manually in all the other secondary nodes in the ACS deployment for the changes to take effect.
By default, TLS 1.1 and 1.2 are enabled for GUI access and it is not possible to disable TLS 1.1.
For AAA access, runtime is enabled with all the TLS protocol versions 1.0, 1.1 and 1.2. ACS allows you to enable/disable TLS 1.0 using the “Enable TLS 1.0 only for legacy clients” option.
To disable SHA-1 specific ciphers for AAA access, uncheck the Enable SHA-1 only for legacy clients check box in the security settings page.
For more information on configuring security settings, see User Guide for Cisco Secure Access Control System, 5.8.
ACS 5.8 after installing patch 4, allows using weak ciphers such as RC4-SHA and RC4-MD5 for legacy clients. This option is disabled by default.
To enable the weak ciphers, ACS introduces an option “Allow weak ciphers for EAP” in the list of authentication protocols under the Allowed Protocols. For more information, see User Guide for Cisco Secure Access Control System, 5.8.
Note: If FIPS is enabled, ACS will not allow you to enable this option and vice-versa.
ACS 5.8 patch 4 supports ECC ciphers in the authentication flow to provide high security. Following are few relaxations for ECC certificates if FIPS is enabled.
■The minimum supported key size for ECC certificate is 224 (which is equal to 2048 of RSA key size).
■There is no check for PKCS#8 format for private key. Non-PKCS#8 format for EC type should be allowed even in FIPS mode.
The following sections briefly describe the new features in ACS 5.8 Patch 7 release:
■Authorizing Internal Users When the Password Type is set to RSA SecurID Token Server/RADIUS Identity Server
■Internal Users Cache Mechanism
■Configuring Log Accounting Updates
When the Treat authorization is passed for internal user with password type set to this identity source option (under Advanced tab in RSA SecurID token server/RADIUS identity server page) is enabled, authorization is passed for an unknown user if the user is found in the internal identity store and the password type is set to RSA SecurID token server/RADIUS identity server. When this option is enabled, authorization is passed always even if the user is not authenticated by this node previously and there is no corresponding entry in cache. This option is disabled by default.
Note: We strongly recommend that you enable this option only when you are using a NAS (such as, Cisco 5508 Wireless controller) that sends authentication and authorization requests to different AAA servers in a high-availability setup. Otherwise, we recommend that you always disable this option.
In a high-availability configuration, sometimes NAS sends TACACS+ authentication and authorization requests to different AAA servers. NAS sends authentication request to a AAA server and at the same time, sends the authorization/accounting request for the same user to another AAA server that is configured in the Authentication/Authorization Servers list on NAS. In this case, authentication succeeds, but the authorization fails with “User record was not found in the cache” message.
The user details are cached during authentication because User Lookups are not supported by RSA SecurID servers. ACS caches results of successful authentications and will process User Lookup requests against the cache. The authorization fails when the request is sent to a different ACS server (where authentication was not performed), because the cache (local to a server) is not replicated among ACS nodes in the deployment and hence user details would not be available in that cache. In such cases, you can enable this option to prevent this issue.
The cache mechanism is applicable only for TACACS+ authorization flow for internal users.
When this option is enabled, the username and user specific attributes read from the internal database are stored in the cache after the first successful authorization request, for the specified time period. You can also specify the time (TTL) for which the user details are to be stored in the cache. The valid range is from 1 to 5 minutes. Till the TTL expires, the authorization is passed if the user entry is found in the cache. The user entry is removed from the cache when the TTL is expired.
This option is disabled by default. You can enable this option to improve performance especially when scripts generating TACACS+ requests at high rate are used.
When the Skip Log Accounting Updates option (under System Administration > Configuration > Log Configuration > Logging Categories > Global) is enabled, accounting update packets are not sent to the log collector. This feature is applicable only for Accounting (update packets)—Radius Accounting (interim–update) and TACACS accounting (watchdog) logging category type.
This reduces the volume of logs stored and can be used for better data storage resiliency.
The following sections briefly describe the new features in ACS 5.8 Patch 8 release:
■Exporting Reports to Local Machine
■Wild Card Character Support for MAC Address of End Station or Destination
After installing ACS 5.8 patch 8, you can also export the reports to your local system as a.csv file and a pdf file in addition to exporting the reports to a repository. The reports that have multiple tables or graph can be exported only as a pdf file.
ACS allows you to export only 25000 records when you export the reports to your local system as a.csv or pdf file.
After installing ACS 5.8 patch 8, you can use the wildcard character ? for the MAC addresses of end stations or destinations that you want to permit or deny access to. For example, 1?-22-33-44-55-66, 1A-2?-3C-4D-5E-6F, or AA-BB-CC-D?-EE-FF.
Cisco Secure Access Control System (ACS) supports upgrades from different versions of ACS 5.x to ACS 5.8. The supported upgrade paths include:
■Cisco Secure ACS, Release 5.5, recommended with latest patch applied
■Cisco Secure ACS, Release 5.6, recommended with latest patch applied
■Cisco Secure ACS, Release 5.7, recommended with latest patch applied
Follow the upgrade instructions in the Installation and Upgrade Guide for Installation and Upgrade Guide for Cisco Secure Access Control System 5.8. to upgrade to Cisco Secure ACS, Release 5.8.
Exporting monitoring and troubleshooting records to a remote database does not work if the remote database is an Oracle database and it is configured in a cluster setup.
This section provides information on the installation tasks and configuration process for ACS 5.8.
■Installing, Setting Up, and Configuring Cisco SNS 3400 Series Appliances
■Installing, Setting Up, and Configuring CSACS-1121
You can install ACS software on Cisco SNS-3495 and SNS-3415 appliances. These appliances do not have a DVD drive. You must use the CIMC on the appliance or a bootable USB to install, set up, and configure ACS software on this appliance. For more details, see the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.8 .
This section describes how to install, set up and configure the Cisco SNS-3495 and Cisco SNS-3415 appliance. The Cisco SNS-3495 and Cisco SNS-3415 appliance are preinstalled with the software.
To set up and configure the Cisco SNS-3495 and Cisco SNS-3415:
1. Open the box containing the Cisco SNS-3495 and Cisco SNS-3415 appliances and verify that it includes:
■The Cisco SNS-3495 and Cisco SNS-3415 appliance
■ Regulatory Compliance and Safety Information for Cisco Secure Access Control System 5.8
2. Go through the specifications of the Cisco SNS-3495 or Cisco SNS-3415 appliance.
For more details, see the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.8 .
3. Read the general precautions and safety instructions that you must follow before installing the Cisco SNS-3415 or Cisco SNS-3495 appliance.
For more details, see the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.8 and pay special attention to all safety warnings.
4. Install the appliance in the 4-post rack, and complete the rest of the hardware installation.
For more details on installing the Cisco SNS-3495 or Cisco SNS-3415 appliance, see the Installation and Upgrade guide for the Cisco Secure Access Control System 5.8.
5. Connect the Cisco SNS-3495 or Cisco SNS-3415 appliance to the network and connect either a USB keyboard and Video Graphics Array (VGA) monitor or a serial console to the serial port.
See the Installation and Upgrade guide for Cisco Secure Access Control System 5.8 for illustrations of the front and back panel of the Cisco SNS-3495 and Cisco SNS-3415 appliance and the various cable connectors.
Note: For the initial setup, you must have either a USB keyboard and VGA monitor or a serial console running terminal-emulation software.
For more details, see the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.8 .
For information on installing ACS 5.8 on VMware, see the” Installing ACS in a VMware Virtual Machine” chapter in the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.8.
6. After completing the hardware installation, power up the appliance.
The first time you power up the appliance, you must run the setup program to configure the appliance. For more information, see the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.8.
This section describes how to install, set up, and configure the CSACS-1121 series appliance. The CSACS-1121 series appliance is preinstalled with the software.
To set up and configure the CSACS-1121:
1. Open the box containing the CSACS-1121 Series appliance and verify that it includes:
■The CSACS-1121 Series appliance
■ Regulatory Compliance and Safety Information for Cisco Secure Access Control System 5.8
2. Go through the specifications of the CSACS-1121 Series appliance.
For more details, see the Installation and Upgrade Guide for Cisco Secure Access Control System 5.8 .
3. Read the general precautions and safety instructions that you must follow before installing the CSACS-1121 Series appliance.
For more details, see the Installation and Upgrade Guide for Cisco Secure Access Control System 5.8 and pay special attention to all safety warnings.
4. Install the appliance in the 4-post rack, and complete the rest of the hardware installation.
For more details on installing the CSACS-1121 Series appliance, see the Installation and Upgrade Guide for Cisco Secure Access Control System 5.8.
5. Connect the CSACS-1121 Series appliance to the network, and connect either a USB keyboard and Video Graphics Array (VGA) monitor or a serial console to the serial port.
Figure 1 shows the back panel of the CSACS-1121 Series appliance and the various cable connectors.
Note: For the initial setup, you must have either a USB keyboard and VGA monitor or a serial console running terminal emulation software.
For more details, see the Installation and Upgrade Guide for Cisco Secure Access Control System 5.8.
For information on installing ACS 5.8 on VMware, see the “ Installing ACS in a VMware Virtual Machine” chapter in the Installation and Upgrade Guide for Cisco Secure Access Control System 5.8.
Figure 1 CSACS 1121 Series Appliance Rear View
The following table describes the callouts in Figure 1.
6. After completing the hardware installation, power up the appliance.
The first time you power up the appliance, you must run the setup program to configure the appliance. For more information, see Running the Setup Program.
The setup program launches an interactive CLI that prompts you for the required parameters. An administrator can use the console or a dumb terminal to configure the initial network settings and enter the initial administrator credentials for the ACS 5.8 server that is using the setup program. The setup process is a one-time configuration task.
At the login prompt, enter setup and press Enter.
The console displays a set of parameters. You must enter the parameters as described in Table 3.
Note: You can interrupt the setup process at any time by typing Ctrl-C before the last setup value is entered.
After you enter the parameters, the console displays:
After the ACS server is installed, the system reboots automatically. Now, you can log into ACS with the CLI username and password that was configured during the setup process.
You can use this username and password to log in to ACS only through the CLI. To log in to the web interface, you must use the predefined username ACSAdmin and password default.
When you access the web interface for the first time, you are prompted to change the predefined password for the administrator. You can also define access privileges for other administrators who will access the web interface.
To operate ACS, you must install a valid license. ACS prompts you to install a valid license when you first access the web interface.
Each ACS instance (primary or secondary) in a distributed deployment requires a unique base license.
Table 4 lists the types of licenses that are available in ACS 5.8.
ACS 5.8 does not support auto installation of the evaluation license. Therefore, if you need an evaluation version of ACS 5.8, then you must obtain the evaluation license from Cisco.com and install ACS 5.8 manually.
If you do not have a valid SAS contract with any of the ACS products, you will not be able to download the ISO image from Cisco.com. In such case, you need to contact your local partner or the Cisco representative to get the ISO image.
If you have ACS 5.5, ACS 5.6, or ACS 5.7 installed on your machine, you can upgrade to ACS 5.8 using one of the following two methods:
■Upgrading an ACS server using the Application Upgrade Bundle
■Re imaging and upgrading an ACS server
You can perform an application upgrade on a Cisco appliance or a virtual machine only if the disk size is greater than or equal to 500 GB. If your disk size is lesser than 500 GB, you must re-image to ACS 5.8, followed by a restore of the backup taken in ACS 5.5 or ACS 5.6, to move to ACS 5.8 Release.
See the Installation and Upgrade Guide for Cisco Secure Access Control System 5.8 for information on upgrading your ACS server.
Note: You must provide full permission to NFS directory when you configure the NFS location using the backup-stagging-url command in ACS 5.8 to perform a successful On Demand Backup.
Periodically, patches will be posted on Cisco.com that provide fixes to ACS 5.8 and ACS 5.8.1. These patches are cumulative. Each patch includes all the fixes that were included in previous patches for the release.
You can download ACS 5.8/5.8.1 cumulative patches from the following location:
http://software.cisco.com/download/navigator.html
To download and apply the patches:
1. Log in to Cisco.com and navigate to Products > Security > Access Control and Policy > Secure Access Control System > Secure Access Control System 5.8 > Secure Access Control System Software-5.8.0.32.
3. Install the ACS 5.8 cumulative patch. To do so:
Enter the following acs patch command in EXEC mode to install the ACS patch:
acs patch install patch-name .tar.gpg repository repository-name
ACS displays the following confirmation message:
Installing an ACS patch requires a restart of ACS services.
Would you like to continue? yes/no
Saved the ADE-OS running configuration to startup successfully
Getting bundle to local machine...
md5: aa45b77465147028301622e4c590cb84
sha256: 3b7f30d572433c2ad0c4733a1d1fb55cceb62dc1419b03b1b7ca354feb8bbcfa
% Please confirm above crypto hash with what is posted on download site.
5. The ACS 5.8 upgrade bundle displays the md5 and sha256 checksum. Compare it with the value displayed on Cisco.com at the download site. Do one of the following:
■Enter Y if the crypto hashes match. If you enter Y, ACS proceeds with the installation steps.
% Installing an ACS patch requires a restart of ACS services.
Would you like to continue? yes/no
■Enter N if the crypto hashes do not match. If you enter N, ACS stops the installation process.
The ACS version is upgraded to the applied patch. Check whether all services are running properly, using the show application status acs command from EXEC mode.
7. Enter the show application version acs command in EXEC mode and verify if the patch is installed properly or not.
ACS displays a message similar to the following one:
acs/admin# show application version acs
Note: During patch installation, if the patch size exceeds the allowed disk quota, a warning message is displayed in the ACS CLI, and an alarm is displayed in the ACS Monitoring and Reports page.
Note: When you upgrade from ACS 5.8 patch 1 to ACS 5.8 patch 2, PUT CLEAR operation requires the password field even if the password value is not updated.
Table 5 describes the limitations in ACS deployments.
This section explains how to use the Bug Search Tool to search for a specific bug or to search for all bugs in a release.
■Search Bugs Using the Bug Search Tool
Use the Bug Search Tool to view the list of outstanding and resolved bugs in a release.
1. Go to https://tools.cisco.com/bugsearch/search.
2. At the Log In screen, enter your registered Cisco.com username and password; then, click Log In. The Bug Toolkit page opens.
Note: If you do not have a Cisco.com username and password, you can register for them at http://tools.cisco.com/RPF/register/register.do.
3. To search for a specific bug, enter the bug ID in the Search For field and press Enter.
4. To search for bugs in the current release:
a. Click Select from list link. The Select Product page is displayed.
b. Choose Security > Access Control and Policy > Cisco Secure Access Control system > Cisco Secure Access Control System 5.8.
d. When the search results are displayed, use the filter tools to find the types of bugs you are looking for. You can search for bugs based on different criteria such as status, severity, and modified date.
The Bug Search Tool provides the following option to export bugs to an Excel spreadsheet:
Click Export Results to Excel link in the Search Results page under the Search Bugs tab to export all the bug details from your search to the Excel spreadsheet. Presently, up to 10000 bugs can be exported at a time to an Excel spreadsheet.
If you are unable to export the spreadsheet, log in to the Technical Support Website at http://www.cisco.com/cisco/web/support/index.html for more information or call Cisco TAC (1-800-553-2447).
Table 6 lists the issues that are resolved in ACS 5.8.
Table 7 lists the issues that are resolved in the ACS 5.8.0.32.1 cumulative patch. You can download the ACS 5.8.0.32.1 cumulative patch from the following location: Download Software. Refer to Applying Cumulative Patches section for instructions on how to apply the patch to your system.
Note: The ACS 5.8.0.32.1 patch can also be installed on ACS 5.8.1.4.
Table 8 lists the issues that are resolved in the ACS 5.8.0.32.2 cumulative patch. You can download the ACS 5.8.0.32.2 cumulative patch from the following location: Download Software location. Refer to Applying Cumulative Patches section for instructions on how to apply the patch to your system.
Note: The ACS 5.8.0.32.2 patch can also be installed on ACS 5.8.1.4.
Table 9 lists the issues that are resolved in the ACS 5.8.0.32.3 cumulative patch. You can download the ACS 5.8.0.32.3 cumulative patch from the following location: Download Software. Refer to Applying Cumulative Patches section for instructions on how to apply the patch to your system.
Note: The ACS 5.8.0.32.3 patch can also be installed on ACS 5.8.1.4.
Table 10 lists the issues that are resolved in the ACS 5.8.0.32.4 cumulative patch. You can download the ACS 5.8.0.32.4 cumulative patch from the following location: Download Software. Refer to Applying Cumulative Patches section for instructions on how to apply the patch to your system.
Note: The ACS 5.8.0.32.4 patch can also be installed on ACS 5.8.1.4.
Table 11 lists the issues that are resolved in the ACS 5.8.0.32.5 cumulative patch. You can download the ACS 5.8.0.32.5 cumulative patch from the following location: Download Software. Refer to Applying Cumulative Patches section for instructions on how to apply the patch to your system.
Note: The ACS 5.8.0.32.5 patch can also be installed on ACS 5.8.1.4.
Table 12 lists the issues that are resolved in the ACS 5.8.0.32.6 cumulative patch. You can download the ACS 5.8.0.32.6 cumulative patch from the following location: Download Software. Refer to Applying Cumulative Patches section for instructions on how to apply the patch to your system.
Note: The ACS 5.8.0.32.6 patch can also be installed on ACS 5.8.1.4.
Table 13 lists the issues that are resolved in the ACS 5.8.0.32.7 cumulative patch. You can download the ACS 5.8.0.32.7 cumulative patch from the following location: Download Software. Refer to Applying Cumulative Patches section for instructions on how to apply the patch to your system.
Note: The ACS 5.8.0.32.7 patch can also be installed on ACS 5.8.1.4.
Table 14 lists the issues that are resolved in the ACS 5.8.0.32.8 cumulative patch. You can download the ACS 5.8.0.32.8 cumulative patch from the following location: Download Software. Refer to Applying Cumulative Patches section for instructions on how to apply the patch to your system.
Note: The ACS 5.8.0.32.8 patch can also be installed on ACS 5.8.1.4.
Table 15 lists the issues that are resolved in the ACS 5.8.0.32.9 cumulative patch. You can download the ACS 5.8.0.32.9 cumulative patch from the following location: Download Software. Refer to Applying Cumulative Patches section for instructions on how to apply the patch to your system.
Note: The ACS 5.8.0.32.9 patch can also be installed on ACS 5.8.1.4.
Table 16 lists the issues that are resolved in the ACS 5.8.0.32.10 cumulative patch. You can download the ACS 5.8.0.32.10 cumulative patch from the following location: Download Software. Refer to Applying Cumulative Patches section for instructions on how to apply the patch to your system.
Table 17 lists the known issues in ACS 5.8. You can also use the Bug Toolkit on Cisco.com to find any open bugs that do not appear here.
Note: Cisco runs a security scan on the ACS application during every major release. We do not recommend you run a security scanning in the ACS production environment because such an operation carries risks that could impact the ACS application. You can execute the security scan operation in a pre-production environment.
You can use the following bug search tool query to view all ACS 5.8 open caveats:
Table 18 lists the updates to Release Notes for Cisco Secure Access Control System 5.8.
Note: It is possible for the printed and electronic documentation to be updated after original publication. Therefore, you should review the documentation on http://www.cisco.com for any updates.
Table 19 lists the product documentation that is available for ACS 5.8. To find end-user documentation for all the products on Cisco.com, go to: http://www.cisco.com/go/techdocs.
Select Products > Security > Access Control and Policy > Policy and Access Management > Cisco Secure Access Control System.
The following notices pertain to this software license.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.
Copyright © 1998-2007 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( http://www.openssl.org/)”.
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( http://www.openssl.org/)”.
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS”' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
Copyright © 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young’s, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
“This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)”.
The word ‘cryptographic’ can be left out if the routines from the library being used are not cryptography-related.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson (tjh@cryptsoft.com)”.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].
END USER LICENSE AGREEMENT SUPPLEMENT FOR CISCO SYSTEMS ACCESS CONTROL SYSTEM SOFTWARE:
This End User License Agreement Supplement (“Supplement”) contains additional terms and conditions for the Software Product licensed under the End User License Agreement ("EULA") between you and Cisco (collectively, the "Agreement"). Capitalized terms used in this Supplement but not defined will have the meanings assigned to them in the EULA. To the extent that there is a conflict between the terms and conditions of the EULA and this Supplement, the terms and conditions of this Supplement will take precedence.
In addition to the limitations set forth in the EULA on your access and use of the Software, you agree to comply at all times with the terms and conditions provided in this Supplement. DOWNLOADING, INSTALLING, OR USING THE SOFTWARE CONSTITUTES ACCEPTANCE OF THE AGREEMENT, AND YOU ARE BINDING YOURSELF AND THE BUSINESS ENTITY THAT YOU REPRESENT (COLLECTIVELY, "CUSTOMER") TO THE AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THE AGREEMENT, THEN CISCO IS UNWILLING TO LICENSE THE SOFTWARE TO YOU AND (A) YOU MAY NOT DOWNLOAD, INSTALL OR USE THE SOFTWARE, AND (B) YOU MAY RETURN THE SOFTWARE (INCLUDING ANY UNOPENED CD PACKAGE AND ANY WRITTEN MATERIALS) FOR A FULL REFUND, OR, IF THE SOFTWARE AND WRITTEN MATERIALS ARE SUPPLIED AS PART OF ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE PRODUCT FOR A FULL REFUND. YOUR RIGHT TO RETURN AND REFUND EXPIRES 30 DAYS AFTER PURCHASE FROM CISCO OR AN AUTHORIZED CISCO RESELLER, AND APPLIES ONLY IF YOU ARE THE ORIGINAL END USER PURCHASER.
For purposes of this Supplement, the Product name(s) and the Product description(s) you may order as part of Access Control System Software are:
A. Advanced Reporting and Troubleshooting License
Enables custom reporting, alerting and other monitoring and troubleshooting features.
Allows deployment to support more than 500 network devices (AAA clients that are counted by configured IP addresses). That is, the Large Deployment license enables the ACS deployment to support an unlimited number of network devices in the enterprise.
C. Advanced Access License (not available for Access Control System Software 5.0, will be released with a future Access Control System Software release)
Enables Security Group Access policy control functionality and other advanced access features.
2. ADDITIONAL LICENSE RESTRICTIONS
■Installation and Use. The Cisco Secure Access Control System (ACS) Software component of the Cisco SNS 3495, SNS 3415, and CSACS 1121 Hardware Platforms are preinstalled. CDs containing tools to restore this Software to the SNS 3495, SNS 3415, and CSACS 1121 hardware are provided to Customer for re installation purposes only. Customer may only run the supported Cisco Secure Access Control System Software Products on the Cisco SNS 3495, SNS 3415, and CSACS 1121 Hardware Platforms designed for its use. No unsupported Software product or component may be installed on the SNS 3495, SNS 3415, and CSACS 1121 Hardware Platform.
■Software Upgrades, Major and Minor Releases. Cisco may provide Cisco Secure Access Control System Software upgrades for the Cisco SNS 3495, SNS 3415, and CSACS 1121 Hardware Platforms as Major Upgrades or Minor Upgrades. If the Software Major Upgrades or Minor Upgrades can be purchased through Cisco or a recognized partner or reseller, the Customer should purchase one Major Upgrade or Minor Upgrade for each Cisco SNS 3495, SNS 3415, and CSACS 1121 Hardware Platforms. If the Customer is eligible to receive the Software release through a Cisco extended service program, the Customer should request to receive only one Software upgrade or new version release per valid service contract.
■Reproduction and Distribution. Customer may not reproduce nor distribute software.
Major Upgrade means a release of Software that provides additional software functions. Cisco designates Major Upgrades as a change in the ones digit of the Software version number [(x).x.x].
Minor Upgrade means an incremental release of Software that provides maintenance fixes and additional software functions. Cisco designates Minor Upgrades as a change in the tenths digit of the Software version number [x.(x).x].
4. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS
Please refer to the Cisco Systems, Inc., End User License Agreement.
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.