Release Notes for Cisco NAC Guest Server, Release 2.0.5


Table Of Contents

Release Notes for Cisco NAC Guest Server, Version 2.0.5

Contents

Cisco NAC Guest Server Releases

System Requirements

Hardware Supported

Browsers Supported

Determining the Software Version

Upgrading to Software Release 2.0.5 from 2.0.x

Upgrading to Software Release 2.0.x from 1.x.x

Upgrading to Software Release 2.0.x Without Replication

Upgrading to Software Release 2.0.x With Replication Enabled from 1.x.x

New and Changed Information

Enhancements in Release 2.0.5

Features Removed in Release 2.0.5

Enhancements in Release 2.0.4

AD SSO on Multiple Domains and Multiple Forest

Deleting Suspended and Expired Guest User Accounts

Purging Unwanted Accounting Requests

Closing Dangling Sessions

Enhancements in Release 2.0.3

External Guest Authentication

Enhancements in Release 2.0.2

New Hardware Platform Support

External Portal Support Extended to Switches

Enhancements in Release 2.0.1

New Software Features in Release 2.0

Access Restrictions

Account Lockout

Active Directory Single Sign On

Application Programming Interface

Common Cisco User Interface

Credit Card Billing Support

Date/Time Formatting

External Portal Support

Group Account Permission

Guest Password Change

Guest Restrictions by the Minute

Guest Self Service

Hide Passwords

Management Reports

Note to Guest

NTP Enhancements

RADIUS Administrator Authentication

Reporting Enhancements

Restrict Concurrent Logins

Show Sponsor Username

SNMP Monitoring Support

SNMP Trap Support

Syslog Reporting

Time Profiles

Time Restrictions

Username Policy Enhancements

Warning on Duplicate Account Names

Caveats

Open Caveats - Release 2.0.5

Resolved Caveats - Release 2.0.5

Resolved Caveats - Release 2.0.4

Resolved Caveats - Release 2.0.3

Resolved Caveats - Release 2.0.2

Resolved Caveats - Release 2.0.1

Resolved Caveats - Release 2.0

Known Issues for Cisco NAC Guest Server

Known Issue with SSL Certificate

Known Issue with BIOS Settings in NAC-3315

Documentation Updates

Related Documentation

Obtaining Documentation and Submitting a Service Request


Release Notes for Cisco NAC Guest Server, Version 2.0.5


Revised: November 1, 2012, OL-18373-01

Contents

These release notes provide late-breaking and release information for Cisco NAC Guest Server, Release 2.0.5. This document describes new features, changes to existing features, limitations and restrictions ("caveats"), upgrade instructions, and related information.

These release notes supplement the Cisco NAC Guest Server Installation and Configuration Guide, Release 2.0.

Cisco NAC Guest Server Releases

System Requirements

Upgrading to Software Release 2.0.5 from 2.0.x

Upgrading to Software Release 2.0.x from 1.x.x

New and Changed Information

Caveats

Known Issues for Cisco NAC Guest Server

Documentation Updates

Obtaining Documentation and Submitting a Service Request

Cisco NAC Guest Server Releases

Cisco NAC Guest Server Version | Release Date
2.0.5 ED | July 26, 2012
2.0.4 ED | April 10, 2012
2.0.3 ED | November 30, 2010
2.0.2 ED | February 23, 2010
2.0.1 ED | May 12, 2009
2.0.0 ED | February 9, 2009



Note Any ED release of software should be deployed to a test network first before being deployed to a production environment.


System Requirements

The Cisco NAC Guest Server can be integrated with the Cisco NAC Appliance Clean Access Manager through its API, or with Cisco Wireless LAN controllers through the RADIUS protocol. Cisco NAC Guest Server is compatible with the Cisco NAC Appliance and Cisco Wireless LAN Controller component versions shown in Table 1.

Table 1 Components Supported by Cisco NAC Guest Server

Cisco NAC Guest Server Version | Cisco NAC Appliance Version | Wireless LAN Controller Version
1.0.0 and later | 4.0(1) and later | 4.0.219 and later


Hardware Supported

The Cisco NAC Guest Server is a standalone hardware appliance based on the following Cisco NAC Appliance platforms:

NAC-3315

NAC-3310


Note Cisco NAC Guest Server Release 2.0.5 does not support NAC-3310.



Note The next-generation Cisco NAC Appliance platform (NAC-3315) supports fresh installation of Release 2.0.2 and later only.



Note Releases 1.x.x can be installed only on Cisco NAC Appliance platform, NAC-3310.



Note The NAC-3310 appliance is based on the HP ProLiant DL140 G3 server and is subject to any BIOS/firmware upgrades required for the DL140 G3. Refer to Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for additional details.


For details on Cisco NAC Appliance hardware platforms, refer to the Cisco NAC Appliance Hardware Installation Quick Start Guide available on Cisco.com at http://www.cisco.com/en/US/products/ps6128/prod_installation_guides_list.html

Browsers Supported

The Cisco NAC Guest Server is supported by the following web browsers:

Internet Explorer 9.0 is supported starting from NAC Guest Server Release 2.0.4

Internet Explorer 8.0, 7.0, and 6.0

Safari

Google Chrome

Firefox

Determining the Software Version

To determine the current software version, log in to the administration interface. The software version is displayed at the bottom left of the Cisco NAC Guest Server administrator console. You can also click the About button for more details of the release.

To view the software version from the command line:

1. SSH or console to the Cisco NAC Guest Server.

2. Issue the following command on an appliance running release 1.x software:

cat /guest/www/admin/includes/version.html
 
   

3. Issue the following command on an appliance running release 2.0.0 and later software:

/guest/utils/version.sh
 
   

Upgrading to Software Release 2.0.5 from 2.0.x

The steps to upgrade to 2.0.5 differ depending on whether you are upgrading from 2.0.x or 1.x. For instructions on upgrading a 1.x.x release, see Upgrading to Software Release 2.0.x from 1.x.x.


Note If the Cisco NAC Guest Server has replication active, you will need to do the following steps simultaneously on both Cisco NAC Guest Servers that form the replicating pair. You will also need to guarantee that there is connectivity between both.



Note If you are running NAC Guest Server Release 2.0.2 or earlier, you must first upgrade your system to Release 2.0.3 and then to Release 2.0.5.



Note If the /etc/httpd/conf.d/ssl.conf file has been modified to allow chain certificates to be installed, those modifications are lost during the upgrade, because the upgrade process resets this file to its default. This causes the certificates to fail. After the upgrade, you need to re-configure the ssl.conf file.


The following steps need to be performed to install the 2.0.5 update.


Step 1 Download the nac-guest-upgrade-2-0-5.bin upgrade file from the Cisco NAC Guest Server download page. Log in with your Cisco.com user credentials to the Cisco Software Download Site at http://www.cisco.com/cisco/web/download/index.html and navigate to Security > Network Admission Control > Cisco NAC Guest Server > Cisco NAC Guest Server 2.0.

Step 2 Connect to the Cisco NAC Guest Server with an SFTP client such as WinSCP. You will need to log in using root account credentials. The default password for the account is cisco.

Step 3 Copy the nac-guest-upgrade-2-0-5.bin file using the SFTP client to the /guest/upgrade directory.


Note Ensure that the file is transferred in binary mode. Some clients (like WinSCP, for example) default to ASCII mode, which can corrupt the upgrade file.


Step 4 Connect to the Cisco NAC Guest Server console using SSH, a keyboard and monitor, or a serial connection and log in using root account credentials.

Step 5 Navigate to the /guest/upgrade directory:

cd /guest/upgrade

Step 6 Run the following command at the console and confirm that the MD5 value it prints matches the MD5 value obtained by clicking the link to the upgrade file at http://www.cisco.com/public/sw-center/index.shtml:

md5sum nac-guest-upgrade-2-0-5.bin
 
   

Step 7 Execute the upgrade script.

sh /guest/upgrade/nac-guest-upgrade-2-0-5.bin
 
   

Step 8 When the upgrade has finished, the appliance automatically reboots and the login prompt appears.

 
   
 
   

Note A backup of the existing database is taken before the upgrade and is stored in /guest.bak. Cisco recommends backing up this directory from the appliance via SFTP.



Note The upgrade process is recorded in the /guest/logs/upgrade.log file. You can view the log file by entering less /guest/logs/upgrade.log in a command prompt window.
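
The checks in Steps 5 and 6, combined with the ssl.conf note above, as an added shell example (not Cisco's own tooling): it verifies the MD5 value before the upgrade script is run and saves a copy of ssl.conf so the chain-certificate changes can be re-applied after the upgrade resets the file. SAVE_DIR, EXPECTED_MD5 and NGS_PREFLIGHT are assumptions of this example; the expected digest must be taken from the Cisco download page.

```shell
#!/bin/sh
# Added example: pre-flight checks before running the 2.0.5 upgrade script.
# File paths come from the release notes; SAVE_DIR, EXPECTED_MD5 and
# NGS_PREFLIGHT are assumptions of this example.
UPGRADE_BIN="${UPGRADE_BIN:-/guest/upgrade/nac-guest-upgrade-2-0-5.bin}"
SSL_CONF="${SSL_CONF:-/etc/httpd/conf.d/ssl.conf}"
SAVE_DIR="${SAVE_DIR:-/root/pre-upgrade-2.0.5}"   # hypothetical location

# verify_md5 FILE EXPECTED
# Returns 0 if the digest matches, 1 on mismatch, 2 on bad input.
# MD5 here catches a corrupted transfer (for example an ASCII-mode SFTP
# copy); it is an integrity check, not proof of origin.
verify_md5() {
    file=$1
    # Normalise the pasted value: strip whitespace, lower-case the hex.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    case $expected in
        ''|*[!0-9a-f]*) echo "expected value is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 32 ] || { echo "expected value is not 32 hex digits" >&2; return 2; }
    actual=$(md5sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ] && return 0
    echo "MD5 mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

# save_ssl_conf CONF DEST_DIR
# Copies ssl.conf aside (mode and timestamps preserved) and prints the path
# of the saved copy.
save_ssl_conf() {
    conf=$1
    dest=$2
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    mkdir -p "$dest" || return 1
    chmod 700 "$dest" || return 1
    cp -p "$conf" "$dest/ssl.conf.pre-upgrade" || return 1
    echo "$dest/ssl.conf.pre-upgrade"
}

# ssl_conf_was_reset CURRENT SAVED
# Returns 0 if the current file differs from the saved copy (or is missing),
# which means the chain-certificate settings need to be re-applied.
ssl_conf_was_reset() {
    if cmp -s "$1" "$2"; then
        return 1
    fi
    return 0
}

# preflight EXPECTED_MD5: run both checks and print the next commands.
preflight() {
    verify_md5 "$UPGRADE_BIN" "$1" || return 1
    saved=$(save_ssl_conf "$SSL_CONF" "$SAVE_DIR") || return 1
    echo "digest OK; ssl.conf saved to $saved"
    echo "next:         sh $UPGRADE_BIN"
    echo "after reboot: diff $saved $SSL_CONF"
}

# Runs only when asked to, so the functions can also be sourced on their own.
if [ "${NGS_PREFLIGHT:-0}" = "1" ]; then
    preflight "${EXPECTED_MD5:-}"
fi
```
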


Upgrading to Software Release 2.0.x from 1.x.x

Upgrading to Software Release 2.0.x Without Replication

The Cisco NAC 3310 Guest Server comes pre-installed with initial software release 1.0.0. Software release 2.0.x can be applied to an existing release 1.1.2 or later installation. If you are running release 1.0.0, 1.1.0, or 1.1.1, then upgrade to release 1.1.3 before running the upgrade to the latest 2.0.x release.

If the appliance needs to be re-imaged, refer to the instructions in the installation chapter of the Cisco NAC Guest Server Installation and Configuration Guide, Release 2.0 before applying the release 2.0.x upgrade.


Note If the Cisco NAC Guest Server has replication active, you will need to follow the steps in Upgrading to Software Release 2.0.x With Replication Enabled from 1.x.x.



Note If the /etc/httpd/conf.d/ssl.conf file has been modified to allow chain certificates to be installed, those modifications are lost during the upgrade, because the upgrade process resets this file to its default. This causes the certificates to fail. After the upgrade, you need to re-configure the ssl.conf file.



Step 1 Create a manual backup snapshot of the Cisco NAC Guest Server from the Server > Backup > Snapshot page of the Administration interface.


Warning Because there is a possibility for data loss with upgrade, Cisco strongly recommends creating a backup snapshot to ensure your previous database is preserved prior to upgrade.

Step 2 Download the cisco-nac-guest-server-2.0.x-K9.iso ISO image file from the Cisco NAC Guest Server download page. Log in with your Cisco.com user credentials to the Cisco Software Download Site at http://www.cisco.com/public/sw-center/index.shtml and navigate to Security > Network Admission Control > Cisco NAC Guest Server > Cisco NAC Guest Server 2.0.

Step 3 Burn the ISO to a blank CDR disc.

Step 4 Insert the CD into the Cisco NAC Guest Server.

Step 5 Connect to the Cisco NAC Guest Server console using SSH, a keyboard and monitor, or a serial connection and log in using root account credentials.

Step 6 Enter the following command:

reboot

The Cisco NAC Guest Server will reboot and run the upgrade from the CD ROM.


Caution If your Cisco NAC Guest Server does not read the software on the CD ROM drive and instead attempts to boot from the hard disk, before proceeding you will need to change the appliance settings to boot from CD ROM as described in section "Configuring Boot Settings on NAC-3310 Based Appliances" in the Cisco NAC Guest Server Installation and Configuration Guide, Release 2.0.

Step 7 At the upgrade screen:

If choosing to upgrade from keyboard and monitor, enter the upgrade command and press the Enter key:

upgrade

If choosing to upgrade via a serial connection, enter the upgradeserial command and press the Enter key:

upgradeserial

Note Before the 2.0.x upgrade, a backup snapshot of the existing 1.x.x or 2.0.x database is automatically created and stored in the /guest.bak directory. In the event of an upgrade failure, Cisco recommends making a local backup of this directory.


Step 8 When the upgrade has finished, the appliance automatically reboots and the login prompt appears.

Step 9 Log in with the root user ID and change the password as instructed. The password needs to be a minimum of 6 characters, should not be based on a dictionary word and should contain at least 5 different characters.

The Cisco NAC Guest Server will be upgraded and running release 2.0.x.


Upgrading to Software Release 2.0.x With Replication Enabled from 1.x.x

The Cisco 3310 NAC Guest Server comes pre-installed with initial software release 1.0.0. Software release 2.0.x can be applied to an existing release 1.1.2 or later installation. If you are running release 1.0.0, 1.1.0, or 1.1.1, then upgrade to release 1.1.3 before running the upgrade to the latest 2.0.x release.

If the appliance needs to be re-imaged, refer to the instructions in the installation chapter of the Cisco NAC Guest Server Installation and Configuration Guide, Release 2.0 before applying the release 2.0.x upgrade.


Note If the /etc/httpd/conf.d/ssl.conf file has been modified to allow chain certificates to be installed, those modifications are lost during the upgrade, because the upgrade process resets this file to its default. This causes the certificates to fail. After the upgrade, you need to re-configure the ssl.conf file.


Use the following upgrade instructions if you have configured Cisco NAC Guest Server replication, where the database is synchronized between two boxes.


Step 1 Create a manual backup snapshot of one of the Cisco NAC Guest Servers in the replication pair from the Server > Backup > Snapshot page of the Administration interface.


Warning Because there is a possibility for data loss with upgrade, Cisco strongly recommends creating a backup snapshot to ensure your previous database is preserved prior to upgrade.

Step 2 Download the cisco-nac-guest-server-2.0.x-K9.iso ISO image file from the Cisco NAC Guest Server download page. Log in with your Cisco.com user credentials to the Cisco Software Download Site at http://www.cisco.com/public/sw-center/index.shtml and navigate to Security > Network Admission Control > Cisco NAC Guest Server > Cisco NAC Guest Server 2.0.

Step 3 Burn the ISO to a blank CDR disc.

Step 4 Insert the CD into the NAC Guest Server.

Step 5 Connect to the Cisco NAC Guest Server console using SSH, a keyboard and monitor, or a serial connection and log in using root account credentials.

Step 6 Enter the following command:

reboot
 
   

Step 7 The Cisco NAC Guest Server will reboot and run the upgrade from the CD ROM.


Caution If your Cisco NAC Guest Server does not read the software on the CD ROM drive and instead attempts to boot from the hard disk, before proceeding you will need to change the appliance settings to boot from CD ROM as described in section "Configuring Boot Settings on NAC-3310 Based Appliances" in the Cisco NAC Guest Server Installation and Configuration Guide, Release 2.0.

Step 8 At the upgrade screen:

If choosing to upgrade from keyboard and monitor, enter the upgrade command and press the Enter key:

upgrade
 
   

If choosing to upgrade via a serial connection, enter the upgradeserial command and press the Enter key:

upgradeserial
 
   

Note Before the 2.0.x upgrade, a backup snapshot of the existing 1.x or 2.0.x database is automatically created and stored in the /guest.bak directory. In the event of an upgrade failure, Cisco recommends making a local backup of this directory.


Step 9 When the upgrade has finished, the appliance automatically reboots and the login prompt appears.

Step 10 Log in with the root user ID and change the password as instructed. The password needs to be a minimum of 6 characters, should not be based on a dictionary word and should contain at least 5 different characters.

The Cisco NAC Guest Server will be upgraded and running release 2.0.x.

Step 11 Perform Steps 1 to 10 on the other Cisco NAC Guest Server unit in the pair.

Step 12 Once both Cisco NAC Guest Server appliances have been upgraded to release 2.0.x, you will need to reconfigure replication between the appliances. Replication is turned off as part of the upgrade process to avoid any inconsistencies in the upgrade.


Warning Failure to reconfigure replication immediately after upgrade will cause the two units to be unsynchronized and will cause data loss from one of the units when replication is set up at a later date.

New and Changed Information

This section describes new features and enhancements for this release of Cisco NAC Guest Server:

Enhancements in Release 2.0.5

Enhancements in Release 2.0.4

Enhancements in Release 2.0.3

Enhancements in Release 2.0.2

Enhancements in Release 2.0.1

New Software Features in Release 2.0

Enhancements in Release 2.0.5

Release 2.0.5 is a general and important bug fix release for the Cisco NAC Guest Server that addresses the caveats described in Resolved Caveats - Release 2.0.5.

Features Removed in Release 2.0.5

Support for NAC-3310 has been dropped in NAC Guest Server Release 2.0.5.

Enhancements in Release 2.0.4

Release 2.0.4 is a general and important bug fix release for the Cisco NAC Guest Server that addresses the caveats described in Resolved Caveats - Release 2.0.4.

Cisco NAC Guest Server Release 2.0.4 supports the following features:

AD SSO on Multiple Domains and Multiple Forest

Deleting Suspended and Expired Guest User Accounts

Purging Unwanted Accounting Requests

Closing Dangling Sessions

AD SSO on Multiple Domains and Multiple Forest

Starting from NAC Guest Server Release 2.0.4, you can configure AD SSO on multiple domains and multiple forests. Refer to the Cisco NAC Guest Server Installation and Configuration Guide, Release 2.0 for more details.

Deleting Suspended and Expired Guest User Accounts

Guest user accounts can only be suspended, or they expire automatically once a specified time has passed.

In NAC Guest Server Release 2.0.4, the guest accounts can be deleted by using the script "deleteSuspendedExpired.sh" present under /guest/utils. The following options are available:

Deleting all the suspended and expired guest user accounts created by a particular sponsor.

Deleting all the suspended and expired guest user accounts irrespective of the sponsor who created them.

Go to /guest/utils and enter the following:

# sh deleteSuspendedExpired.sh <sponsor name>
 
   

Replace <sponsor name> with the name of the sponsor for which you want to delete the suspended/expired guest accounts.

To delete the suspended/expired guest accounts of all the sponsors, execute the following:

# sh deleteSuspendedExpired.sh --deleteall
 
   

See Also CSCte05145.

Purging Unwanted Accounting Requests

When accounting requests are sent to NAC Guest Server and the corresponding authentications are not done by the server, it causes performance issues. This happens because of a misconfiguration in the AAA client.

In NAC Guest Server 2.0.4, these requests can be removed by using the script clean_radacct.php, which is available in the /guest/utils directory.

Run the script as follows:

/usr/bin/php /guest/utils/clean_radacct.php

In NAC Guest Server 2.0.4, this script has been placed in crontab so that it runs automatically at a regular interval of 23 hours. See Also CSCtl78360.

Closing Dangling Sessions

A large number of active guest user sessions can remain on the server for a very long time. This happens when devices do not send accounting stop requests. For example, a device generates many accounting start requests, but if the device suddenly goes down, the accounting stop requests are never sent to the Guest Server. Over time, many such sessions accumulate on the Guest Server.

The script closeSession.sh, available under /guest/utils, can close these active sessions. Invoke it as follows:

# sh closeSession.sh <username>
 
   

Replace <username> with the username of the guest for which the session needs to be closed.

# sh closeSession.sh --closeall
 
   

This will close all open sessions. See Also CSCty08793.

Enhancements in Release 2.0.3

Release 2.0.3 is a general bug fix release for the Cisco NAC Guest Server that addresses the caveats described in Resolved Caveats - Release 2.0.3.

Cisco NAC Guest Server Release 2.0.3 supports the following feature:

External Guest Authentication

External Guest Authentication

Cisco NAC Guest Server Release 2.0.3 supports External Guest Authentication. This feature enables guest users to authenticate to the Cisco NAC Guest Server using their existing RADIUS user accounts. In addition, it allows guest users to create their own Guest Access without involving the sponsors.

Enhancements in Release 2.0.2

Release 2.0.2 is a general bug fix release for the Cisco NAC Guest Server that addresses the caveats described in Resolved Caveats - Release 2.0.2.

Cisco NAC Guest Server Release 2.0.2 supports the following features:

New Hardware Platform Support

External Portal Support Extended to Switches

New Hardware Platform Support

The Cisco NAC Guest Server Release 2.0.2 supports a new hardware platform, Cisco NAC Appliance (NAC-3315), which is based on the IBM System x3250 M2 server platform.


Note Next generation Cisco NAC Appliance platform (NAC-3315) supports fresh installation of Release 2.0.2 and later.


External Portal Support Extended to Switches

In Release 2.0.2, External Portal Support has been extended to switches, which allows the Cisco NAC Guest Server to host the authentication portal for guest access. This allows pages to be fully customized for the Credit Card Billing Support and Guest Self Service features.


Note Release 2.0.2 is a bug fix release as well for the Cisco NAC Guest Server that addresses the caveats described in Resolved Caveats - Release 2.0.2.


Enhancements in Release 2.0.1

Release 2.0.1 is a general and important bug fix release for the Cisco NAC Guest Server that addresses the caveats described in Resolved Caveats - Release 2.0.1.

New Software Features in Release 2.0

Access Restrictions

Account Lockout

Active Directory Single Sign On

Application Programming Interface

Common Cisco User Interface

Credit Card Billing Support

Date/Time Formatting

External Portal Support

Group Account Permission

Guest Password Change

Guest Restrictions by the Minute

Guest Self Service

Hide Passwords

Management Reports

Note to Guest

NTP Enhancements

RADIUS Administrator Authentication

Reporting Enhancements

Restrict Concurrent Logins

Show Sponsor Username

SNMP Monitoring Support

SNMP Trap Support

Syslog Reporting

Time Profiles

Time Restrictions

Username Policy Enhancements

Warning on Duplicate Account Names

Access Restrictions

Administrators can restrict access to the administrator and sponsor interfaces from defined IP addresses.

Account Lockout

Guest accounts can automatically be disabled after a configured number of incorrect authentications.

Active Directory Single Sign On

Cisco NAC Guest Server 2.0 can be joined to an Active Directory Domain and then automatically authenticate Internet Explorer browsers using Integrated Windows Authentication. This removes the need for sponsors to enter their username and password.

Application Programming Interface

Cisco NAC Guest Server 2.0 introduces an HTTP/HTTPS Application Programming Interface (API) which can easily be used to access functions using POST or GET methods.

The API enables applications to add, delete and edit guest accounts with authentication via sponsor credentials. The API also provides the ability to get reporting information on guest accounts.

Common Cisco User Interface

The Cisco NAC Guest Server user interfaces now feature the Cisco product common look and feel, accessibility features and enhanced ease of use.

Credit Card Billing Support

Cisco NAC Guest Server 2.0 provides the ability for guests to purchase accounts via credit card support.

Date/Time Formatting

This feature allows the date and time shown in various forms and printouts to be formatted appropriately.

External Portal Support

External Portal Support allows the Cisco NAC Guest Server to host the authentication portal for guest access. This allows pages to be fully customized for the Credit Card Billing Support and Guest Self Service features.

Group Account Permission

This feature provides an additional account permission to allow sponsors to access accounts created by members of their sponsor group.

Guest Password Change

This feature provides guests with the ability to change their password when they authenticate using the External Portal (see External Portal Support).

Guest Restrictions by the Minute

Sponsors were previously restricted from creating accounts longer than a specified number of days. With release 2.0, account duration can be specified in minutes.

Guest Self Service

Guest Self Service allows guests to create their own accounts by entering their details.

Hide Passwords

This feature restricts sponsors from viewing the passwords of their guests. When this option is enabled, guests can only receive their account details via email or SMS.

Management Reports

Management reports are enhanced to provide the following guest network usage information:

Total Guest Accounts Created

Total Authenticated Guests

Total Cumulative Connect Time

Sponsor Usage Reporting

Access Summaries by Device

Note to Guest

Provides the ability to output any of the guest's details that are entered at account creation into the print, email or SMS templates. This enables the 5 optional fields to be used so that additional notes can be entered and sent to the guest.

NTP Enhancements

Cisco NAC Guest Server 2.0 allows 3 NTP Servers to be configured and also displays the NTP server associations and statistics.

RADIUS Administrator Authentication

Cisco NAC Guest Server 2.0 now allows access to the administration interface to be authenticated via an external RADIUS server. This feature also provides a backup RADIUS server configuration and the ability for administrators to fall through to local authentication if necessary.

Reporting Enhancements

The reporting interface is enhanced to provide the ability to sort the data in any format that is required.

Restrict Concurrent Logins

Guest Roles can now be restricted to a maximum number of concurrent logins. Any account created with the guest role can be limited to a specified number of concurrent user logins when authenticating via RADIUS.

Show Sponsor Username

Release 2.0 now displays the username of the sponsor who is logged in at the top of the page.

SNMP Monitoring Support

SNMP Monitoring support allows the NAC Guest Server to be monitored via an SNMP agent.

SNMP Trap Support

Cisco NAC Guest Server 2.0 can send SNMP traps or informs based upon the Guest Server appliance exceeding administrator configured levels.

Syslog Reporting

The Cisco NAC Guest Server can receive syslog reporting from network devices and will correlate the data with the IP address of logged-in guests. This allows the sponsor to audit and report on the exact activity undertaken by the guest.

Time Profiles

Time profiles allow the following options for defining when accounts are created for guests:

Start/End - Manually choose the start and end time.

From First Login - Specify a period of time the account is active starting from the first login.

Duration within - Specify a period of time the account is valid from the first login within a certain time period.

Time Restrictions

Time restrictions allow the administrator to define periods when the guest cannot access the network, such as outside working hours.

Username Policy Enhancements

Provides the ability for the username to be created as lowercase, UPPERCASE or the case that was entered by the sponsor.

Warning on Duplicate Account Names

When sponsors create accounts which duplicate an existing account name, the sponsor is warned that the condition has occurred and the new account name is appended with a random number to make it unique.

Caveats

This section describes caveats related to the Cisco NAC Guest Server:

Open Caveats - Release 2.0.5

Resolved Caveats - Release 2.0.5

Resolved Caveats - Release 2.0.4

Resolved Caveats - Release 2.0.3

Resolved Caveats - Release 2.0.2

Resolved Caveats - Release 2.0.1

Resolved Caveats - Release 2.0


Note If you are a registered cisco.com user, you can view Bug Toolkit on cisco.com at the following website:

http://www.cisco.com/pcgi-bin/Support/Bugtool/home.pl

To become a registered cisco.com user, go to the following website:

http://tools.cisco.com/RPF/register/register.do


Open Caveats - Release 2.0.5

Table 2 List of Open Caveats

DDTS Number
Software Release 2.0.5
Corrected
Caveat

CSCsz40132

No

Sponsors Activity Report circle users overlay on each other

When running a sponsor activity report, if the numbers for a sponsor are too close together, the text can overlap.

If there are certain sponsors with very large numbers of accounts and certain sponsors with very small numbers of accounts, the ones with very small numbers could have numbers that overlap on the screen.

Note The numbers can still be seen in the table below the report.

CSCty77644

No

Invalid SSL certificates should not be allowed to be uploaded in the NGS server.

When the administrator tries to install an SSL Certificate that is not relevant in the NAC Guest Server, the following error message is displayed: "The Current Private Key does not Correspond to the Current Certificate".

If the user clicks the Reboot Server option, the invalid certificate is uploaded and the GUI becomes inaccessible.

Workaround   Generate and install a self-signed SSL Certificate using CLI. This enables the user to access the GUI. Refer to Known Issues for Cisco NAC Guest Server.
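
A check that can be run before uploading, so that the mismatch behind CSCty77644 is caught on the workstation rather than after the reboot; this is an added example, not part of Cisco's release notes or tooling. It assumes OpenSSL is installed and the private key is an unencrypted PEM file; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: confirm that a certificate and a private key belong together
# before uploading them to the NAC Guest Server.
# Assumptions: openssl is on PATH; the key is an unencrypted PEM file.

# pubkey_sha256 cert|key FILE
# Prints the SHA-256 digest of the DER-encoded public key taken from a
# certificate or derived from a private key. Works for RSA and EC keys.
# Callers must first confirm that FILE parses (see check_cert_pair), because
# an unreadable input would otherwise hash an empty stream.
pubkey_sha256() {
    case $1 in
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
        key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
    esac | openssl pkey -pubin -outform DER 2>/dev/null \
         | openssl dgst -sha256 | awk '{print $NF}'
}

# check_cert_pair CERT KEY
# Returns 0 if the pair is usable, 1 if the key does not correspond to the
# certificate, 2 if either file cannot be parsed, 3 if the certificate has
# already expired.
check_cert_pair() {
    cert=$1
    key=$2

    # Parse both files first so a wrong file type is reported as such.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || {
        echo "not a readable certificate: $cert" >&2
        return 2
    }
    openssl pkey -in "$key" -noout >/dev/null 2>&1 || {
        echo "not a readable private key: $key" >&2
        return 2
    }

    # Compare the public key in the certificate with the one derived
    # from the private key.
    cert_digest=$(pubkey_sha256 cert "$cert")
    key_digest=$(pubkey_sha256 key "$key")
    if [ -z "$cert_digest" ] || [ "$cert_digest" != "$key_digest" ]; then
        echo "private key does not correspond to certificate" >&2
        return 1
    fi

    # -checkend 0 fails when the certificate's notAfter date is in the past.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "certificate has expired: $cert" >&2
        return 3
    }
    return 0
}

# Usage when run with two arguments: check_cert_pair server.crt server.key
if [ "$#" -eq 2 ]; then
    check_cert_pair "$1" "$2" && echo "certificate and key match"
fi
```
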


Resolved Caveats - Release 2.0.5

Table 3 List of Resolved Caveats

DDTS Number
Software Release 2.0.5
Corrected
Caveat

CSCtz77366

Yes

NGS 2.0 API method "search" time offset ignored on startTime or endTime

When performing an account search through the NAC Guest Server API method "search", the time offset specified on the "startTime" and/or "endTime" is ignored, treating all times as UTC.

CSCtz77390

Yes

NGS 2.0 API method "search" returns startTime and endTime in UTC

The API method "search" returns the guest user "startTime" and "endTime" in UTC format. This is not consistent with the format stored on the Database, which is the local time.


Resolved Caveats - Release 2.0.4

Table 4 List of Resolved Caveats

DDTS Number
Software Release 2.0.4
Corrected
Caveat

CSCtq64462

Yes

NGS does not work with Internet Explorer 9.

NAC Guest Server does not accept login if Internet Explorer 9 is used as browser.

CSCte05145

Yes

Enhancement Request for Deleting Guest Accounts

Sponsors should be able to delete guest accounts per sponsor or sponsor group that created the guest accounts.

CSCtj49064

Yes

An error message should be displayed when user clicks the Upload button without selecting SSL Certificate or CA Certificate.

CSCtj72988

Yes

When broadcast address is entered for access restriction, a blank page is displayed.

CSCtk58872

Yes

Update Kerberos used within NAC Guest Server

CSCtl78360

Yes

When RADIUS accounting is configured with NAS that are sending a lot of messages for non-authenticated hosts, Guest Server becomes sluggish over time and software upgrade may fail or take a very long time.

CSCtn17463

Yes

Guest accounts created with time profile "time used" remain inactive.

CSCto50121

Yes

Excessive logging of "could not find sponsor for guest" found on NAC Guest Server.

CSCto62212

Yes

Crafted HTTP URL allows sponsors to fetch guest accounts from other sponsors.

CSCto99295

Yes

API allows blank passwords with auth servers that permit anonymous bind.

CSCtq36092

Yes

While writing a program to utilize API, the following issues are encountered:

Cisco Web Service returns invalid HTTP header specifying HTML content and in reality it is XML

Some Status XML Messages are returned with tag = <messsage> (typo in web service - it has 3 Ss) instead of <message>

Able to insert only one email address in a Guest Account record.

CSCtq86155

Yes

When creating StartEnd accounts between 12:00 PM and 12:59 PM, the start time is shown as AM instead of PM.

CSCtq86581

Yes

NAC Guest Server only supports DES as the encryption algorithm for Kerberos tickets. Support of rc4-hmac to be included.

CSCtr09461

Yes

Unable to remove RADIUS mappings

Workaround   Removing a guest role will remove all radius mappings pointing to it.

CSCtr57602

Yes

Unable to display AUP in NGS for External Guest

CSCts41870

Yes

Security Issue in Apache

CSCtw66362

Yes

NGS changes hostname on submitting SSO configuration

CSCtw82088

Yes

Java Vulnerability with NGS, which uses the 2.5.2 and 2.6.0 versions of YUI.

CSCtx42578

Yes

NGS 2.0.3 patch 6 does not work for API notification of sms/email

CSCty08793

Yes

Option to close dangling guest user sessions to be included.

CSCty19273

Yes

User Interface not accessible with Fresh install on 3315

After installing and configuring NAC Guest Server 2.0.4 on NAC-3315 platform, the UI is not accessible.


Resolved Caveats - Release 2.0.3

Table 5 List of Resolved Caveats

DDTS Number
Software Release 2.0.3 Corrected
Caveat

CSCtf36849

Yes

NAS-IP-Address missing from Access Request.

The NGS server does not send NAS-IP-Address in the Access Request. This creates an interoperability issue with the Juniper RADIUS server, which expects the field to be there, so it sends an Access Reject. As a result, sponsor authentication fails. Per the RADIUS RFC, NAS-IP-Address is mandatory in the Access Request.

CSCtf35011

Yes

Guest Hotspot Switch scripts do not handle ngsOptions elements correctly.

NAC Guest Server hotspot customization does not work for switch.

CSCtg45409

Yes

XSS on Sponsor and Admin pages.

External researcher reports potential cross-site-scripting (XSS) on NAC Guest Server.

CSCtg59379

Yes

MIT Kerberos issues.

There is a possibility that the NAC Guest Server is affected by MITKRB5-SA-2010-005, CVE-2010-132. This vulnerability has medium impact. Authentication would be required to carry out this exploit and currently it is POC exploit only.

CSCti65223

Yes

Users IP Address field under Guest User Accounting Report will show MAC.

If the calling-station-id in the RADIUS accounting start packet from the WLC is the MAC address of the client, then the NGS will show the MAC address in the field titled "Users IP Address". If the WLC sends the real client's IP address in the "Framed IP Address" attribute, it will be ignored.

CSCtg31005

Yes

NGS fails to make CAM API calls when Admin password contains & character.

When attempting to integrate NGS to CCA Manager, the NGS will fail to make API calls correctly against the CAM if the admin password contains special characters (notably the & symbol).

CSCth43152

Yes

Twin configuration errors out when trying to apply it.

CSCtf02132

Yes

Cannot delete account restriction in Time Profile.

CSCtf02802

Yes

Guest server max failed attempts only restricts after f+1 failures instead of f.

CSCtf11035

Yes

Backup restore does not create previous Hotspot directory.

hss does not exist under sites even though it can be seen on the Hotspot > Sites UI.

CSCti13657

Yes

Log pages and backup page are inaccessible.

The NGS log table maintenance process appears to have failed to remove old records. The high levels of logging that were set led to the database table growing considerably, to the point of making some parts of the admin application (log pages and backup snapshot) unusable.

CSCti37563

Yes

Adding guest accounts in a natted network.

The NGS needs a RADIUS client entry for the IP address of the source address of the RADIUS packet (what the NAT changes the WLC address to), and also the NAS-IP-ADDRESS attribute in the packet (probably the original address of the WLC).

CSCti67880

Yes

User activity is not visible through the web interface.

On checking user activity through GUI for a particular user, not all entries are seen.

CSCtf51215

Yes

Hostname field accepts FQDN causing domain to appear twice.

The hostname field in the configuration screen accepts an FQDN, resulting in the domain name appearing twice in the configuration files.

CSCtg13979

Yes

Time profile duration not working as expected.

CSCtg35579

Yes

Norwegian characters are not read by NGS in CSV file.

There are two Norwegian characters that cause this problem. They are the A with an O on top of it, the "AE" in one character, and the O with a stroke inside.


Resolved Caveats - Release 2.0.2

Table 6 List of Resolved Caveats

DDTS Number
Software Release 2.0.2 Corrected
Caveat

CSCsz80188

Yes

NGS does not populate month dropdown when using non-default template.

When the sponsor template is other than the default template, while accessing the Create Guest Account page, sponsors receive an empty month dropdown. This prevents them from creating a guest account. When this issue occurs, the Manage Account and Manage Bulk Account pages are also not displayed.

Workaround   In the Administration interface, go to the Common tab. From the Select Template for dropdown, choose the Formats option. In the Format settings, set the date/time format for all the templates in use.

CSCtb70650

Yes

NGS LDAP bind fails if admin password includes a "+" (plus) character.

LDAP binding fails on NGS 2.0.1 if the admin user password includes a '+' character. The sniffer trace shows that the '+' character is replaced by a space.

Workaround   Avoid using the '+' character in passwords.

CSCsy95597

Yes

Incorrectly encoded headers cause e-mail to display improperly

When the e-mail Subject field contains non ASCII characters, the e-mail headers are incorrectly encoded and the message is displayed incorrectly by e-mail clients.

CSCsz58979

Yes

The Postgres configuration file is not updated after upgrading from 1.x.x to 2.0.x

Workaround   Overwrite the postgresql.conf and pg_hba.conf files with the versions shipped with 2.0.x and reboot the Cisco NAC Guest Server.

CSCta13651

Yes

Authentication widgets fail on hotspot pages

When using authentication widgets, they will fail to authenticate a guest.

Workaround   A patch is available from the Cisco TAC at http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html.

CSCtb53416

Yes

AUP Page not finding user credentials on page refresh.

When the AUP page is refreshed, the user credentials are not found. While using AUP, the following error occurs:

'data.response.html' is null or not an object.

Workaround   Contact Cisco TAC to obtain a patch for this problem.

CSCtb47500

Yes

Print page doesn't show password when created by role with no view right.

While printing a user account created by a sponsor in a different role, the print page shows password as asterisks.

For example, "RoleA" has permission to create accounts but not to view or print the password. "RoleB" has permissions to manage and print any guest account. "RoleB" can view the password of "RoleA" in the Guest Server GUI on the manage page, but while printing, the password is printed as asterisks.

Workaround   Provide permission to the sponsors in "RoleA" to view the password (but not to print). Then sponsors in "RoleB" will be able to print the password properly.

CSCtb52569

Yes

NGS doesn't remove user from CAM after suspension or deletion.

If the user is logged in to the NAC, Guest server does not remove the user from the CAM, even after the user is suspended or deleted from the NGS.

Workaround   Contact the TAC to obtain a patch for this problem.

CSCta25485

Yes

Accounts of type "From Creation" generate e-mail with blank values

When you create a guest user and generate an e-mail with the account details, the mail which is generated contains blank values for start time, end time, and timezone.

CSCta60026

Yes

Guest server new users start time doesn't default to current time

When a sponsor creates a new user in the Guest Server, the time zone for the new user is based on time zone of the sponsor. However, if the Guest Server is located in a different time zone, then the start time is based on the time zone on the Guest Server.

This leads to manual adjustment of the start and end time.

CSCtb15889

Yes

CSV file does not show the accounts in the correct order

When generating random accounts in the Guest Access Server, the order in which they are created and printed does not match the order they are displayed in the exported CSV file.

CSCtb53845

Yes

NGS New Sponsor group named 'default' unable delete

NGS allows a new Sponsor group named 'default' to be created, but does not allow the group to be deleted.

CSCtb60157

Yes

JavaScript Pages Not Working on IE8 and Firefox Browsers

With the AUP option turned on, IE7 displays properly and the guest user can accept and be redirected to the web, but IE8 and Firefox simply reload the sign-in page and do not redirect to the Acceptable User Policy (AUP) page.

CSCtc26885

Yes

NAC Guest server sponsor AD SSO can fail with large kerberos tickets

Sponsor authentication to NAC Guest server via AD SSO fails and displays the following error:

"Bad request: Your browser sent a request that this server could not understand Size of request header filed exceeds server limit"

This happens for users with large kerberos tickets and when they are members of several groups.

CSCtc27554

Yes

Accessing hotspot page requires using the HTML file name too

When setting up a hotspot page for Guest Server, the default file names like index.html or default.html are not recognized by NGS.

Workaround   Use the full URL including the full file name to access the site.

CSCtc43307

Yes

NAC Guest server Sponsor Access Restrictions can fail

Sponsor access restrictions as defined in the access server fail to be enforced and allow users from guest hotspot locations to log into the device as a sponsor.

CSCtc45617

Yes

Syslog settings changes not always acted upon

When modifying the syslog settings for the guest server the settings are not always modified in real time.

Workaround   After making the changes, enter the following commands from the command line:

service syslog-ng stop
service syslog-ng start

CSCtc76589

Yes

20 character passwords do not work on AD Auth Sponsor accounts

Sponsor accounts with 20 characters in the password fail authentication.

Workaround   Use passwords with fewer characters or contact the TAC to obtain a patch.

CSCtc87168

Yes

Cancel button on guest account edit screen has no effect.

While editing a Guest account, even if the Cancel button is clicked, the changes are saved.

CSCtc91472

Yes

Nov 1st 2009 appears twice in the calendar when creating guest account.

The November 2009 calendar shown when creating a guest account shows November 1st twice and the rest of the days in the month are off by one day.

CSCtc98345

Yes

Replication Not Working with Large Database.

When the servers have a large amount of data in the database, the replication between two NAC Guest servers fails.

CSCtd01462

Yes

IMPORTANT TLS/SSL SECURITY UPDATE

An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.

CSCtd45002

Yes

NAC Guest server 2.0.1 IE 8 on Windows 7/XP/Vista does not work.

Internet Explorer 8 on Windows 7/XP/Vista does not work with the NAC Guest Server.

Workaround   Contact Cisco TAC to get a patch.

CSCtd69495

Yes

Some Telephone Country codes not available when creating Guest user

When creating a guest user account, in the Mobile phone number field, some country codes are not available in drop down list (for example, +420 for Czech Republic and +421 for Slovakia).

CSCtd78595

Yes

NGS 2.0.1 do not accept special character in template name

When a template name contains special characters like "&", the template cannot be referenced or deleted.

Workaround   Contact Cisco TAC to get a patch.

CSCte21166

Yes

Setting server access restrictions on host IPs can lock admin out

If you set host IP addresses in the access allowed feature to control access to the server, the server denies the users. The entry needs to be a subnet larger than a single host.

Workaround   Set valid subnet range larger than /32.

CSCte47471

Yes

NGS Guest accounts inactive for accounts with >= 90 day time profile

Guest accounts with time profiles of long duration (90 days) cause RADIUS server timeouts for NAS (wireless controller, WLC, etc).

Workaround   Contact Cisco TAC to get a patch.

CSCte97799

Yes

AD auth Test connection fails when password has + char

The bind to AD fails when trying to log in to the AD server with a password containing a plus (+) character.

CSCte98202

Yes

Blank log settings page when entered invalid input

In the Server > System Logs > Log Settings, if any invalid syslog server address is entered, then the Log Settings page becomes blank.

CSCtf00725

Yes

Guest Manager view 08:00 the same as 18:00 when using the XML interface

While using the CLI to create an account, if the time is set to 18:00, it is saved as 8:00. This leads to the Start time being later than the End time and causes an error.

Workaround   This happens only when using the CLI. Use the GUI to create an account.


Resolved Caveats - Release 2.0.1

Table 7 List of Resolved Caveats

DDTS Number
Software Release 2.0.1 Corrected
Caveat

CSCso26993

Yes

Logo file is not replicated between two Cisco NAC Guest Servers configured as a replication pair

This issue affects Cisco NAC Guest Server Release 1.1.0.

Workaround   Manually upload the logo on the second Guest Server by editing the template (using the same method as on the first Guest Server).

CSCsv59139

Yes

Guest Server printuser.php page incorrectly parses "$" signs in passwords

After creating a user, Guest Server randomly creates a password based on the policies set on the server. If the server creates a password with a dollar sign ($) followed by a numerical string, then Guest Server cuts out that portion of the text from the password when attempting to print out the user page from the Active Accounts section.

This occurs when using the printuser.php print page under Active Accounts. It does not occur when initially printing out the user page after creation (that uses the print.php script).

Examples of passwords that are affected:

x13$14 has a problem; it becomes x13

ihR$94XIQ has a problem; it becomes ihRXIQ

mIYm$o35G does not have a problem

iA23Z$KmG does not have a problem

Workaround   You can address this issue as follows:

1. Remove the "$" from the password policy on the Guest Server.

2. Print the initial user information after creating the account instead of using the Active Accounts page.

Email the password from the Active Accounts page to the user outside of the Guest Server application (the Email script correctly parses the "$" signs).

CSCsv59906

Yes

The Preferences page under My Settings is missing, but configurable

When sponsors using Guest Server click on the web page under My Settings, they are redirected to the setdefaults.php page, even though there is no link in the main Sponsor page.

When sponsors go to the setdefaults.php page, they can override global settings such as default template and timezone. You can manually verify which templates each Sponsor is using as follows:

1. Log in to the Guest Server console via SSH.

2. Enter psql gapdb -U postgresql.

3. Enter SELECT username,userdefaults_language FROM userdefaults;.

There is no known workaround for this issue.

CSCsv94401

Yes

Login is not case sensitive

Credentials entered on the Sponsor login page are not case sensitive.

Workaround   If Sponsors log in to the admin page with the admin username using any upper/lower case combination, the credentials are accepted and the user immediately sees the default settings page.

CSCsw19750

Yes

SMS sent successfully with blank mobile phone field

When a Guest Policy is configured to require a mobile phone number, new user accounts can be created with blank mobile phone number fields and Guest Server indicates that the SMS is sent successfully.

CSCsx09573

Yes

1.x.x Duration Functionality not supported

With the introduction of time profiles in 2.0.0, the 1.x.x Duration feature is not supported. The 1.x.x Duration feature was to create accounts for a certain time period with the start time being the same as the account creation. There is no exact feature in 2.0.0; this will be added back in a later version. Upgrades from 1.x.x which use Durations are moved to use Start/End accounts.

Workaround   Use Start/End accounts.

CSCsx20876

Yes

Setting in Guest Role > NAC Role is forced even if unchecked

Even though the checkbox for provisioning guest roles on NAC Managers is disabled, the account is still provisioned on the manager.

Workaround   Specify the role type as "unauthenticated." That way, even if the account is provisioned, the user is placed in a role that does not grant access.

CSCsx34376

Yes

Cisco NAC Guest Server rendered unusable after applying an incorrect license file

"System Error, contact your administrator."

Note You can find further details on this error in the application log.

CSCsx44023

Yes

CSV Export does not export all data

When performing a CSV Export from the Manage Accounts page the resulting CSV does not include all the fields from the guest user.

Note There is no known workaround for this issue.

CSCsx46550

Yes

Error messages on Guest Server console while rebooting

Error text:

"ngs: PHP Fatal error: Exception thrown without a stack frame in Unknown on line 0"

"Fatal error: Exception thrown without a stack frame in Unknown on line 0"

CSCsx46564

Yes

Cumulative time in Access Report should account for guest logins only

The Access Report is also taking into account the time the user was logged onto the network.

CSCsx46581

Yes

Trying to generate very large number of random guest accounts locks up the Guest Server

CSCsx46817

Yes

System error in User Interface when CSV is downloaded in the Activity Log web page

The Cisco NAC Guest Server returns a "System Error, contact your administrator." error message in the User Interface. This issue appears when you:

1. Have an entry in Activity report in sponsor User Interface.

2. Click Download CSV button in Accounting Log web page (Manage Accounts > View Detailed Report > Download CSV).

Note You can find further details on this error in the application log.

CSCsx46932

Yes

The Logs web page in admin User Interface is rendered blank if all the logs are selected.

Steps to reproduce:

1. Login to Guest Server administrator User Interface.

2. Go to Server > System Logs > Audit logs.

3. Select All in an attempt to display all logs in one screen.

The result is that the HTTPS utilization on Guest Server reaches 100% and the User Interface page either returns an error or blanks out.

CSCsx47140

Yes

The Guest Server system becomes unstable after restoring a snapshot

Steps to reproduce:

1. Take a snapshot in the Admin User Interface.

2. Delete the Cisco NAC appliances which were added in Guest Server. (This is to change the database.)

3. Now restore the database taken earlier. The User Interface returns a "System Error, contact your administrator." error after the database snapshot is complete.

As a result, the system becomes unstable and requires a reboot to recover.

Note You can find further details on this error in the application log.

CSCsx47161

Yes

User Interface returns an error while trying to configure AD SSO

Steps to reproduce:

1. Log in to the Guest Server administrator User Interface.

2. Go to Authentication > AD Single Sign On and enter server settings and AD admin credentials.

3. Click Save Settings.

4. User Interface returns an error and blanks out.

5. Check the Syslog for the following error:

"Message: dns_get_record(): res_nsend() failed; Type: Warning (2); Filename: Dns.class.php; Line: 24; Script: AdSingleSignOnConfig.php"

CSCsx47434

Yes

When saving the Administrator RADIUS Authentication web page, it gives message 'Backup settings saved'.

This message seems to be misplaced from the Backup configuration web page.

CSCsx49325

Yes

Some of the Guest Server Config is lost after restoring the backed up snapshot.

CSCsx49548

Yes

The calendar component in the Sponsors Activity Report or Access Report becomes hidden behind the chart when selected.

CSCsx49619

Yes

Trying to search based on IP address in Manage Accounts page returns a database error

The Cisco NAC Guest Server returns a "System Error, contact your administrator." error and the Application log has following error message:

"Message: SQLSTATE[42P18]: Indeterminate datatype: 7 ERROR: could not determine data type of parameter $7; Query: SELECT; distinct(guestusers.id),; guestusers.firstname,; guestusers.surname,"

Note You can find further details on this system error in the application log.

CSCsx52443

Yes

Activity reports are not being filtered correctly based on dates

To reproduce this issue:

1. Go to Sponsor Activity Report > Summary Report after logging into sponsor console page.

2. Select Feb 6th as the End Date.

3. Guest Server only filters out entries till Feb 5th.

CSCsx62268

Yes

Not able to delete second admin account

Symptom    Not able to delete "admin" account from the NAC Guest Server Authentication > Administrators page.

The UI should not allow the user to create a second "admin" account with the same username.

Conditions   When creating more than one "admin" account.

Note There is no known workaround for this issue.

CSCsx64570

Yes

Cannot access AD mappings page

Trying to access the AD mappings page (Sponsor User Groups > Edit User Group > Active Directory Mapping) yields a system error.

The following message appears in the application log:

"ldap_search(): Partial search results returned; sizelimit exceed; type: warning(2); filename:adLDAP.php; Line: 503; Script: UserGroups.php"

This error is triggered when the Guest Server does an LDAP search to fetch all the AD groups and the number of results is over the Page limit set on the AD server (MaxPageSize setting). If the AD server is using the default setting, this problem occurs when the customer has more than 1000 groups.

Workaround   Increase the MaxPageSize setting on your AD server (http://support.microsoft.com/?kbid=315071).

CSCsx66219

Yes

AD group mapping not working when querying domain controller

Symptom    GUI: "System error, contact your administrator"

Application log:

admin Message: ldap_search(): Partial search results returned: Sizelimit exceeded; Type: Warning (2); Filename: adLDAP.php; Line: 503; Script: UserGroups.php

Conditions   Domain controller has more than 1000 AD groups.

Note There is no known workaround for this issue.

CSCsx67500

Yes

Application log counter always shows 0

The application log file appears as being 0 lines in length.

The application.log file is no longer used in release 2.0. All of the pertinent information is available in the Server > System Logs > Application Log screen.

The link to the application.log file will be removed in a future release to remove any confusion

CSCsx67509

Yes

The application.log data is saved in developer_log.csv. It should be saved under application.log file in the support logs.

Workaround   Find the developper_log.csv in logs.zip

CSCsy07460

Yes

Activity Logging doesn't display seconds, or sort within a second

When running an activity log report on a guest, the time of each message is displayed with hour:minute only; the :seconds part of the time is not displayed. Also, when sorting the data, the data is not specifically sorted in order within the same second.

Workaround   There is no current workaround.

CSCsy10102

Yes

The start time and end time fields on the Creation/Modification page show incorrect values

Either the Start/End fields are empty by default when you create a new guest user, or they show random values when modified.

Cisco TAC has issued a patch to resolve this issue.

CSCsy15587

Yes

Some guest users remain inactive

When creating and scheduling guest users, some remain inactive and cannot access the network.

CSCsy18473

Yes

Setting logging level for Clean Access Manager fails

When specifying the logging level for some of the Clean Access Manager log settings to debug, the CAM web console page still shows default values.

Workaround   Set all components to "debug" and save them to get the CAM debug level to display correctly.

CSCsy18502

Yes

Following a link on a page that has not finished loading results in an error

When the user clicks a link or a button on a page that has not finished loading, an error can occur and the following message may be displayed:

System Error, please contact your administrator.

Note Further details of the error are in the application log.

CSCsy18504

Yes

Users should show what time profile they are using once created

In the current version, it is not possible to tell what time profile the guest users are assigned to, once the profile has been created. This situation occurs when users are created and assigned with a time profile from the Cisco NAC Guest Server graphical user interface.

CSCsy20297

Yes

RADIUS Attributes input boxes size limit is too low

The maximum character limit needs to be increased. For example, "auth-proxy:proxyacl#1=permit ip any any" does not fit in the current version.

CSCsy20315

Yes

RADIUS attributes are not being urldecoded before insert; quotes and other characters are not displayed

The URL encoded value is displayed instead.

Workaround   Insert the value directly to the database.

CSCsy20333

Yes

Guest RADIUS authentication script does not support multiple attributes with the sa

If you set up a RADIUS client with several attributes that all have the same name, the RADIUS authentication script only returns the last entry.

For example, you can configure a RADIUS client with the following attributes:

cisco-AVPair "priv-lvl=15"

cisco-AVPair "auth-proxy:proxyacl#1=permit ip any any"

When you then authenticate with a sponsor using this RADIUS client, the authentication reply only shows the last key value pair.

CSCsy20353

Yes

Notification e-mail not being sent to sponsor when appropriate option is enabled

CSCsy20401

Yes

Provisioning process exits without updating/provisioning accounts

This situation can occur when the Guest Server fails to connect to the remote node. By the time the Guest Server stops trying to connect, another instance of the script starts, thus forcing the first script to terminate/exit.

CSCsy20423

Yes

Backup restore does not reset Twin configuration

Workaround   Reset twin settings manually after restore.

CSCsy29531

Yes

Date/Time format settings missing

Date/Time format settings are missing from the user interface in 2.0.

CSCsy29982

Yes

Select timezone to apply for time profile

Guest Server should let you select the Timezone that applies to your Timeprofile.

CSCsy44746

Yes

The Self Service js object does not display a Submit button

The Self service object embedded in the Hotspot page does not display a button to submit user data.

CSCsy45448

Yes

Authentication order cannot be modified for two servers with the same name

When using Sponsor authentication for login and configuring an AD or LDAP server, the authentication order cannot be modified if two servers have the same name.

CSCsy69893

Yes

Guest Hotspot WLC scripts do not handle error messages correctly

When using the Guest Hotspot configuration with a WLC, invalid user names and passwords fail authentication, but none of the error messages display as intended.

Some examples of error messages to display on the system are:

ngsOptions.messages[1] = "You are already logged in. No further action is required on your part."

ngsOptions.messages[2] = "You are not configured to authenticate against web portal. No further action is required on your part."

ngsOptions.messages[3] = "The username specified cannot be used at this time. Perhaps the username is already logged into the system?"

ngsOptions.messages[4] = "The User has been excluded. Please contact your administrator."

ngsOptions.messages[5] = "Invalid username and password. Please try again."

CSCsy77998

Yes

After upgrading a pair of NAC Guest servers, the TWIN service will not start. The problem can be observed in the Secondary server's GUI. In the replication logs you may see: ERROR could not LOCK table hotspot.access_plans: ERROR: permission denied for schema hotspot FATAL unable to complete twinning process

Workaround   Run the following command on the secondary Guest Server after the upgrade:

psql gapdb -U postgres
\dn+
grant all on schema hotspot to twin;
\q

CSCsy79077

Yes

When NAC Guest Server is sending a notification email, the header will not be correctly formatted:

~~snip~~
From: "" <guest@cisco.com>
~~snip~~

The empty string "" is creating issues on some mail servers.

CSCsy90148

Yes

The MIT krb5 implementation has multiple vulnerabilities that need to be addressed on the product.

CSCsz18581

Yes

NGS does not provision accounts provisioned by Hotspot self service portal. This is only supported for RADIUS authentication.

CSCsz19146

Yes

The "Check the group object (group DN)" within the Guest server GUI is restricted to 40 characters

CSCsz31445

Yes

When an invalid license is installed the NAC Guest Server redirects a user to the license page

The URL is generated based upon the IP address of the eth0 interface. If the user is accessing behind NAT, then this will fail.

Workaround   To resolve this issue, the administrator must access the box using the real IP address of the server to re-install a valid license.

CSCsz34223

Yes

Suspend all only suspend some guests when there is network outage

If Cisco NAC Guest Server cannot contact the Clean Access Manager when suspending accounts using the sponsor interface, the accounts will not be deleted from the CAM.

Workaround   Only suspend accounts when the Clean Access Manager is available on the network.

CSCsz34243

Yes

Suspend All always leave 1 guest in NGS & guests on CAM

Immediately suspending accounts created on the Guest Server may result in accounts not being deleted from the Clean Access Manager. This issue has been confirmed when suspending a relatively large number of accounts within 1 minute of creation.

Workaround   Wait at least 1 minute after creating accounts before using the "Suspend All" function.

CSCsz34493

Yes

Trying to display activity report on certain users shows a blank page

Sponsor is unable to see the Guest Account Activity Report when the guest has not logged out yet and the RADIUS accounting record has a blank start time.

Workaround   Wait until the user has logged out and you can then view the record.

CSCsz34646

Yes

Guest Server maximum failed attempts doesn't restrict number of failures

Release 2.0.0 guest users authenticating with RADIUS are not subject to the failed logins policy set under the user template.

Note There is no known workaround for this issue.

CSCsz39985

Yes

Blank Access Report if date is invalid

If searching the Access Report (RADIUS account) of a guest and you enter an invalid date (February 31st, for example), Guest Server returns a blank page.

Workaround   To avoid this issue, ensure all dates for which you are searching guest reports are correct.

CSCsz50705

Yes

"Device sends Calling Station IP" option always checked

When editing an existing RADIUS client on the Guest Server and configuring it to not require the Calling Station IP RADIUS attribute, the "Device sends Calling Station IP" option is checked whenever you go to the Devices > Radius Clients > Edit page, even if you have unchecked it and saved the settings.

Note This is a cosmetic issue. The database is updated correctly. Continue to uncheck/disable the option if you must make any changes in the Clean Access Server.

CSCsz51110

Yes

Syslog sync between twins fails due to SSL errors

When viewing Activity Logs for a guest user under Manage Accounts in the Sponsor interface, Guest Server returns the following error message:

"Could not access replicated server to retrieve logs. It is possible not all the logs are shown. Contact your administrator or retry later."

This can occur in Guest Server release 2.0 when twinning is configured and syslog data is sent to the Guest Server to track users' network access.

Workaround   Disable HTTPS by selecting HTTP only on the Administrator interface SSL Settings page.

CSCsz56267

Yes

Guest account status remains inactive after creation

When there are active From First Login/Time Used accounts that do not have a start and end time set yet, the provisioning process fails trying to compare the dates to see if they should be expired/restricted. Guest Server then does not proceed with any start/end time accounts.

Workaround   Use a pre-defined template (e.g., 1 day template) or only use Start/End time accounts when using the Clean Access Manager.


Resolved Caveats - Release 2.0

Table 8 List of Resolved Caveats

DDTS Number
Software Release 2.0
Corrected
Caveat

CSCsq76185

Yes

Variable names being printed after creating a guest user account rather than the values inputted by the sponsor.

Workaround   After creation go into Active Accounts page and print from there

CSCsq86376

Yes

Authentication attempts fail when "calling-station-id" is set to a MAC address

After upgrading to Cisco NAC Guest Server, Release 1.1.1, authentication fails if the wireless controller is set to send the MAC address for the "calling-station-id" attribute.

Workaround   Change the attribute to use the IP address instead of the MAC address. Alternatively, Cisco TAC can edit the configuration to remove the IP check, but the location feature does not work.

CSCsq86714

Yes

When using Internet Explorer to connect to NAC Guest Server over an HTTPS connection, certain files do not download correctly. This is due to a bug with the IE browser.

Workaround   Connect using HTTP instead of HTTPS with Internet Explorer 6.0. Alternatively, use a later version of Internet Explorer or a different browser such as Firefox or Safari.

CSCsq92773

Yes

An additional Active Directory server cannot be edited because the Guest Server adds a space in front of the AD server name. The edit page comes up blank because it looks for a server name without a space in the database.

Workaround   You can delete the server and insert it again without the space character at the end of the name or:

1. Log in to the box through SSH.

2. Connect to the database: psql -U postgres gapdb.

3. Execute the following SQL statements (note the server name is 'dc4 RWS Domain Controller ' here in this example):

UPDATE adservers SET domain = 'dc4 RWS Domain Controller' WHERE domain = 'dc4 RWS Domain Controller ';

UPDATE serverorder SET servername = 'dc4 RWS Domain Controller' WHERE servername = 'dc4 RWS Domain Controller ';

CSCsq94240

Yes

NAC Guest Server can fail to parse/sanity check the AD DC entry

NAC Guest Server can fail to parse/sanity check the AD DC entry with certain misconfigurations of Active Directory Server entries and will fail to display all entries in group mapping.

Workaround   Correct the entry for the domain controller IP address or hostname

CSCsq94602

Yes

Server creates bad username when importing a CSV file with Username Policy option 2

Workaround   There are two possible workarounds:

1. Open the CSV file in notepad, copy the contents and paste into the text entry form. User Accounts > Multiple Accounts > Create Multiple Accounts

2. Or, change the username policy to use email address instead of first/last names.

CSCsr19498

Yes

Twin service stops intermittently when performing a lot of failovers.

Note There is no known workaround for this issue.

CSCsr22834

Yes

LDAP users allowed to login without permissions to do so as the authentication function is not setting the user as invalid.

Workaround   Remove all the permissions for the local group. The user will be able to log in but not perform any actions. A patch is also available from Cisco TAC.

CSCsr68115

Yes

When calling the CAM API with the getuserinfo or getoobuserinfo operations, the Guest Server makes an incorrect call to CCA causing all users to get removed from the OUL.

Note There is no known workaround for this issue.

CSCsr82031

Yes

Changing a search whilst paging in a full report and viewing a page greater than the amount of results returned by a future query will show no results.

Workaround   Return to page 1 before changing the search

CSCsu00058

Yes

Radius Authentications fail when Role option set to Unused

Radius authentications for all users created on the Guest Server release 1.1.1 will fail even though password and shared secrets are correct. This occurs when the "Roles" setting under Guest Policy > Guest Details is set to unused.

Workaround   Set the Roles option to "Displayed" or "Not Displayed" (anything other than unused).

CSCsu70899

Yes

Hal Daemon using all available CPU prevents Radius daemon from running.

Workaround   Login to the command line as root, then issue the following commands:

service haldaemon stop
chkconfig haldaemon off

This will stop the CPU issue by turning off the unneeded haldaemon service.

CSCsu87661

Yes

The Guest Server database only supports 32-character account session IDs. If the NAS sends a larger session ID, it could cause the Radius service to crash.

Note There is no known workaround for this issue.

CSCsu88136

Yes

The LDAP server configuration on the NAC Guest server ignores any values in the "port" field and always applies the default value (389) irrespective of the value configured.

Workaround   Specify the port in the LDAP server URL, for example:

ldap://10.0.0.1:3387

CSCsx20606

Yes

Users can't login when password policy has a space or ampersand in it

Conditions   If the password policy includes spaces or ampersands, the passwords are not correctly created on the NAC Manager. This means guests cannot log in with this account.

Workaround   Remove any spaces (" ") or ampersands "&" from the Other characters field of the password policy.

CSCsx20876

Yes

Setting in Guest Role > NAC Role is forced even if it's unchecked

The enabled checkbox for provisioning guest roles on NAC Managers doesn't work. The account is provisioned on the manager regardless of the enabled setting.

Workaround   The workaround is to set the role to be "unauthenticated." By doing this, even if the account is provisioned it will be placed in a role that the user cannot log in to.

CSCsx21004

Yes

IDE Error messages seen on Guest server during upgrade

When upgrading, depending on the status of the CD-ROM drive, "hdc: packet command error" errors may be seen on the console. These are purely cosmetic and do not affect the functioning of the box. After the upgrade all will be fine.

Workaround   There is no workaround to the errors; however if they are seen no damage is caused and they will not be seen again.


Known Issues for Cisco NAC Guest Server

This section describes known issues when working with Cisco NAC Guest Server:

Known Issue with SSL Certificate

Known Issue with BIOS Settings in NAC-3315

Known Issue with SSL Certificate

When the administrator tries to install an SSL Certificate that is not relevant in the NAC Guest Server, the following error message is displayed: "The Current Private Key does not Correspond to the Current Certificate".

If the user clicks the Reboot Server option, the invalid certificate is uploaded and the GUI becomes inaccessible. The workaround is to generate and install a self-signed SSL Certificate using the CLI. This enables the user to access the GUI. See also CSCty77644.

Perform the following steps to generate a self-signed SSL Certificate using the CLI:


Step 1 Generate key and certificate file by entering the following command:

openssl req -new -key /etc/pki/tls/private/localhost.key -nodes -x509 -days 365 -out /etc/pki/tls/certs/localhost.crt


Step 2 Enter the appropriate information to be incorporated into your certificate request, as follows:

Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
 
   

Step 3 Provide a copy of the certificate and key to postgres by entering the following commands:

cp /etc/pki/tls/certs/localhost.crt /var/lib/pgsql/data/server.crt
chmod 600 /var/lib/pgsql/data/server.crt
chown postgres:postgres /var/lib/pgsql/data/server.crt
 
cp /etc/pki/tls/private/localhost.key /var/lib/pgsql/data/server.key
chmod 600 /var/lib/pgsql/data/server.key
chown postgres:postgres /var/lib/pgsql/data/server.key
 
   

Step 4 Reboot the server.


You can access the GUI after rebooting the server.
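The lockout described above starts with a certificate that does not belong to the server's private key. As an added example (not part of the Cisco release notes or the product), the shell functions below compare the two public keys with OpenSSL on an administrator workstation before anything is installed or rebooted; the function names are hypothetical and OpenSSL 1.0.0 or later (for the `pkey` subcommand) is assumed.

```shell
#!/bin/sh
# Added example: pre-install check that a certificate and private key form a
# pair. Function names are illustrative; assumes OpenSSL 1.0.0 or later.

# Print the PEM public key embedded in certificate $1; fails if unparsable.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Print the PEM public key derived from private key $1. The empty -passin
# value makes a passphrase-protected key fail instead of prompting.
key_pubkey() {
    openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null
}

# Return 0 if the pair matches and the certificate is unexpired,
# 1 on mismatch or expiry, 2 if either file cannot be read or parsed.
check_cert_key_pair() {
    cert=$1
    key=$2
    [ -r "$cert" ] && [ -r "$key" ] || { echo "unreadable input" >&2; return 2; }
    cert_pub=$(cert_pubkey "$cert") || { echo "cannot parse certificate: $cert" >&2; return 2; }
    key_pub=$(key_pubkey "$key") || { echo "cannot parse private key: $key" >&2; return 2; }
    [ -n "$cert_pub" ] || return 2
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH: private key does not correspond to certificate" >&2
        return 1
    fi
    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate has expired" >&2
        return 1
    fi
    echo "OK: key and certificate match"
    return 0
}

# Usage: sh check_pair.sh /path/to/server.crt /path/to/server.key
if [ "$#" -eq 2 ]; then
    check_cert_key_pair "$1" "$2"
fi
```

A non-zero result means the pair should not be uploaded; exit status 1 corresponds to the condition the GUI reports as "The Current Private Key does not Correspond to the Current Certificate".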

Known Issue with BIOS Settings in NAC-3315

In NAC-3315, while booting NAC Guest Server through Console, you need to wait for 10 to 15 minutes for the server to boot up. If you are using a keyboard and monitor, you can see the message "Press any key to continue..."

If you press any key, the appliance starts working normally. But if you do not press any key, then NAC Guest Server gets stuck at this stage.

To overcome this issue, you can disable the serial port redirection in BIOS settings. Go to BIOS Settings > Devices and I/O Ports > Remote Console direction > Remote Console Serial port and disable the option.

Documentation Updates

Table 9 Updates to Release Notes for Cisco NAC Guest Server

Date
Description

7/26/12

Updates in Cisco NAC Guest Server Release 2.0.5:

Added Enhancements in Release 2.0.5

Added Resolved Caveats - Release 2.0.5

4/9/12

Updates in Cisco NAC Guest Server Release 2.0.4:

Added Enhancements in Release 2.0.4

Added Resolved Caveats - Release 2.0.4

Added Known Issues for Cisco NAC Guest Server

Moved caveat CSCtq64462 to Resolved Caveats - Release 2.0.4

10/28/11

Added Browsers Supported section under System Requirements.

10/11/11

Added caveat CSCtq64462 to Open Caveats - Release 2.0.5

11/30/10

Added Enhancements in Release 2.0.3

Added Resolved Caveats - Release 2.0.3

5/25/10

Added New Hardware Platform Support

2/23/10

Added Enhancements in Release 2.0.2

Updated Resolved Caveats - Release 2.0.2

Added Resolved Caveats - Release 2.0.2

Moved caveats CSCsz80188, CSCtb70650, CSCtb52569, CSCtb47500, CSCta13651, and CSCsz58979 to Resolved Caveats - Release 2.0.2

Moved caveats CSCsz34646, CSCsv59139, CSCsv59906, CSCsv94401, CSCsw19750, CSCsx20876, CSCsx09573, CSCsx44023, CSCsx67500, CSCsy07460, CSCsy18473, CSCsy18504, CSCsy20297, CSCsy20333, CSCsy20353, CSCsy20401, CSCsy20423, CSCsy07460, CSCsx66219, and CSCsx62268 to Resolved Caveats - Release 2.0.1

6/12/09

Added caveat CSCsz34646 to Resolved Caveats - Release 2.0.1

6/3/09

Updated software download link to http://www.cisco.com/public/sw-center/index.shtml

Updated upgrade from release-to-release message

5/12/09

Updates in Cisco NAC Guest Server Release 2.0.1:

Updated Cisco NAC Guest Server Releases

Added Enhancements in Release 2.0.1

Added Resolved Caveats - Release 2.0.1

2/9/09

Cisco NAC Guest Server Release 2.0


Related Documentation

For the latest updates to Cisco NAC Guest Server and Cisco NAC Appliance documentation on Cisco.com see: http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html

or simply http://www.cisco.com/go/nac/appliance

Release Notes for Cisco NAC Guest Server, Release 2.0.5 (this document)

Cisco NAC Guest Server Installation and Configuration Guide, Release 2.0

Cisco NAC Appliance Service Contract/Licensing Support

Cisco NAC Guest Server Data Sheet

Cisco NAC Guest Server Q & A

Cisco NAC Appliance - Cisco Clean Access Manager Installation and Configuration Guide

Cisco Wireless LAN Controller Configuration Guide, Release 4.0

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.

This document is to be used in conjunction with the documents listed in the "Related Documentation" section.