Guest

Cisco NAC Guest Server

Release Notes for Cisco NAC Guest Server, Release 2.1

  • Viewing Options

  • PDF (200.0 KB)
  • Feedback

Table of Contents

Release Notes for Cisco NAC Guest Server, Version 2.1

Contents

Cisco NAC Guest Server Releases

System Requirements

Hardware Supported

Browsers Supported

Determining the Software Version

Re-Imaging the Appliance

Upgrading to Software Release 2.1 from 2.0.x

Upgrading to Software Release 2.1 from 1.x.x

Upgrading to Software Release 2.1 Without Replication

Upgrading to Software Release 2.1 With Replication Enabled from 1.x.x

New and Changed Information

Enhancements in Release 2.1

New Hardware Platform Support

Support for Internet Explorer 10

Patch with Fix for Bash Vulnerability

Features Removed in Release 2.1

Caveats

Open Caveats - Release 2.1

Resolved Caveats - Release 2.1

Known Issues for Cisco NAC Guest Server

Known Issue with SSL Certificate

Known Issue with BIOS Settings in NAC-3315

Known Issue with Database Size

Documentation Updates

Related Documentation

Obtaining Documentation and Submitting a Service Request

Release Notes for Cisco NAC Guest Server, Version 2.1

Revised: October 21, 2014, OL-28255-01

Contents

These release notes provide late-breaking and release information for Cisco NAC Guest Server, Release 2.1. This document describes new features, changes to existing features, limitation and restrictions (“caveats”), upgrade instructions and related information.

These release notes supplement the Cisco NAC Guest Server Installation and Configuration Guide, Release 2.1.

Cisco NAC Guest Server Releases

 

Cisco NAC Guest Server Version
Release Date

2.1 ED

November 27, 2012


Note Any ED release of software should be deployed to a test network first before being deployed to a production environment.


System Requirements

The Cisco NAC Guest Server can be integrated with the Cisco NAC Appliance Clean Access Manager through its API, or with Cisco Wireless LAN controllers through the RADIUS protocol. Cisco NAC Guest Server is compatible with the Cisco NAC Appliance and Cisco Wireless LAN Controller component versions shown in Table 1 .

 

Table 1 Components Supported by Cisco NAC Guest Server Release 2.1

Cisco NAC Guest Server Version
Cisco NAC Appliance Version
Wireless LAN Controller Version

2.0.4 and later

4.8(x) and later

4.0.219 and later

Hardware Supported

The Cisco NAC Guest Server is a standalone hardware appliance based on the following Cisco NAC Appliance platforms:

  • NAC-3415
  • NAC-3315

Note • Cisco NAC Appliance platform (NAC-3415) supports fresh installation of only Release 2.1.

  • Next generation Cisco NAC Appliance platform (NAC-3315) supports fresh installation of only Release 2.0.2 and later.
  • Cisco NAC Guest Server Release 2.1 does not support NAC-3310.


 

For details on Cisco NAC Appliance hardware platforms, refer to the Cisco NAC Appliance Hardware Installation Quick Start Guide available on Cisco.com at http://www.cisco.com/en/US/products/ps6128/prod_installation_guides_list.html

Browsers Supported

The Cisco NAC Guest Server is supported by the following web browsers:

  • Internet Explorer 10 is supported starting from NAC Guest Server Release 2.1
  • Internet Explorer 9.0 is supported starting from NAC Guest Server Release 2.0.4
  • Internet Explorer 8.0, 7.0, and 6.0
  • Safari
  • Google Chrome
  • Firefox

Determining the Software Version

The bottom left of the Cisco NAC Guest Server administrator console displays the software version. You can also click the About button to get more details of the release. To determine the current software version, login to the administration interface.

To view the software version from the command line:

1. SSH or console to the Cisco NAC Guest Server.

2. Issue the following command on an appliance running release 1.x software:

cat /guest/www/admin/includes/version.html
 

3. Issue the following command on an appliance running release 2.0.0 and later software:

/guest/utils/version.sh
 

Re-Imaging the Appliance

When the Cisco NAC Guest Server is shipped, a default version of the system image is already preloaded on the unit, so imaging is not required. If you need to re-image the appliance to factory defaults, you can download the system image ISO from Cisco Secure Software Downloads on Cisco.com and burn this ISO file to a blank CD-ROM.


Caution Imaging the appliance deletes all data on the appliance. There is no method of recovery of data from the Guest Server after imaging has started. Make sure to backup any data that you need before starting this process.

Once you have the system image on a bootable CD, you can perform the following steps to install the system image onto the appliance.


Step 1 Download the ISO image file from the Cisco NAC Guest Server download page. Login with your Cisco.com user credentials to the Cisco Software Download Site at http://www.cisco.com/cisco/web/download/index.html and navigate to Security >Network Admission Control > Cisco NAC Guest Server > Cisco NAC Guest Server 2.1 .

Step 2 Burn this ISO file to a blank CD-ROM to create a bootable disk.

Step 3 Decide whether to perform the installation using a keyboard and monitor connection or over a serial console.

a. Connect either a keyboard and monitor to the back of the unit, or

b. Attach a null modem cable to the serial port on the back of the appliance. From the computer to which the serial cable is attached, run a terminal emulation program with settings set to: 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.

Step 4 Once you have connected to the appliance, insert the bootable CD into the CD-ROM drive of the appliance.

Step 5 Power on the appliance. If the appliance is already started, switch it off and then switch it on again.

Step 6 The appliance should now boot from the CD-ROM drive and the initial install is displayed.


Caution If your Cisco NAC Guest Server does not read the software on the CD ROM drive and instead attempts to boot from the hard disk, you need to change the appliance settings to boot from CD ROM as described in section “Configuring Boot Settings on NAC-3415 / NAC-3315 Based Appliances” in the Cisco NAC Guest Server Installation and Configuration Guide, Release 2.1.

Step 7 At the Initial Installation, run the installation according to the method you are connected to the appliance:

  • If directly connected using a keyboard and monitor, type install and press <Enter> .
  • If you are using a serial connection, type installserial at the boot prompt, then press <Enter> .

Step 8 The system image is automatically installed on the hard disk.

Step 9 When the install image is successfully transferred, the system reboots automatically.

Step 10 The CD-ROM automatically ejects from the appliance. Remove the CD and store it safely so that the appliance does not accidentally reboot from it at a later time.

Step 11 The Cisco NAC Guest Server appliance boots and runs the final setup of the image automatically. The imaging process is complete when the login is displayed.


 

Upgrading to Software Release 2.1 from 2.0.x

The steps to upgrade to 2.1 are different for upgrading from 2.0.x or 1.x. For instructions on upgrading a 1.x.x release see Upgrading to Software Release 2.1 from 1.x.x.


Note If the Cisco NAC Guest Server has replication active, you will need to do the following steps simultaneously on both Cisco NAC Guest Servers that form the replicating pair. You will also need to guarantee that there is connectivity between both.



Note If you are running an older software version of NAC Guest Server Release 2.0.3 or earlier, you must first upgrade your system to Release 2.0.4 and then to Release 2.1.



Note The /etc/httpd/conf.d/ssl.conf file is modified to allow chain certificates to be installed. During the upgrade process, this file is reset to default and the modifications are lost. This causes the failure of certificates. After the upgrade process, you need to re-configure the ssl.conf file.


The following steps need to be performed to install the 2.1 update.


Step 1 Download the nac-guest-upgrade-2-1-0.bin upgrade file from the Cisco NAC Guest Server download page. Log in with your Cisco.com user credentials to the Cisco Software Download Site at http://www.cisco.com/cisco/web/download/index.html and navigate to Security >Network Admission Control > Cisco NAC Guest Server > Cisco NAC Guest Server 2.1 .

Step 2 Connect to the Cisco NAC Guest Server with an SFTP client such as WinSCP. You will need to log in using root account credentials. The default password for the account is cisco.

Step 3 Copy the nac-guest-upgrade-2-1-0.bin file using the SFTP client to the /guest/upgrade directory.


Note Ensure that the file is transferred in binary mode. Some clients (like WinSCP, for example) default to ASCII mode, which can corrupt the upgrade file.


Step 4 Connect to the Cisco NAC Guest Server console using SSH, a keyboard and monitor, or a serial connection and log in using root account credentials.

Step 5 Navigate to the /guest/upgrade directory

cd /guest/upgrade

Step 6 Run the following command at the console to ensure that the md5 value listed matches the MD5 value obtained by clicking the link to the upgrade file at http://www.cisco.com/public/sw-center/index.shtml :

md5sum nac-guest-upgrade-2-1-0.bin
 

Step 7 Execute the upgrade script.

sh /guest/upgrade/nac-guest-upgrade-2-1-0.bin
 

Step 8 When the upgrade has finished, the appliance automatically reboots and the login prompt appears.


 


Note A backup of the existing database is taken before the upgrade and is stored in /guest.bak. Cisco recommends backing up this directory from the appliance via SFTP.



Note The upgrade process is recorded in the /guest/logs/upgrade.log file. You can view the log file by entering less /guest/logs/upgrade.log in a command prompt window.


Upgrading to Software Release 2.1 from 1.x.x

Upgrading to Software Release 2.1 Without Replication

Software release 2.1 can be applied to an existing release 2.0.4 or later installation. If you are running release 1.x.x, then upgrade to release 2.0.4 before running the upgrade to the latest 2.1 release.

If the appliance needs to be re-imaged, refer to the instructions in the installation chapter of the Cisco NAC Guest Server Installation and Configuration Guide, Release 2.1 before applying the release 2.1 upgrade.


Note If the Cisco NAC Guest Server has replication active, you will need to follow the steps in Upgrading to Software Release 2.1 With Replication Enabled from 1.x.x.



Note The /etc/httpd/conf.d/ssl.conf file is modified to allow chain certificates to be installed. During the upgrade process, this file is reset to default and the modifications are lost. This causes the failure of certificates. After the upgrade process, you need to re-configure the ssl.conf file.



Step 1 Create a manual backup snapshot of the Cisco NAC Guest Server from the Server > Backup > Snapshot page of the Administration interface.


Warning Because there is a possibility for data loss with upgrade, Cisco strongly recommends creating a backup snapshot to ensure your previous database is preserved prior to upgrade.



Step 1 Download the cisco-nac-guest-server-2.1-K9.iso ISO image file from the Cisco NAC Guest Server download page. Log in with your Cisco.com user credentials to the Cisco Software Download Site at http://www.cisco.com/public/sw-center/index.shtml and navigate to Security >Network Admission Control > Cisco NAC Guest Server > Cisco NAC Guest Server 2.1 .

Step 2 Burn the ISO to a blank CDR disc.

Step 3 Insert the CD into the Cisco NAC Guest Server.

Step 4 Connect to the Cisco NAC Guest Server console using SSH, a keyboard and monitor, or a serial connection and log in using root account credentials.

Step 5 Enter the following command:

reboot
 

The Cisco NAC Guest Server will reboot and run the upgrade from the CD ROM.


Caution If your Cisco NAC Guest Server does not read the software on the CD ROM drive and instead attempts to boot from the hard disk, before proceeding you will need to change the appliance settings to boot from CD ROM as described in section “Configuring Boot Settings on NAC-3415 / NAC-3315 Based Appliances” in the Cisco NAC Guest Server Installation and Configuration Guide, Release 2.1.

Step 6 At the upgrade screen:

  • If choosing to upgrade from keyboard and monitor, enter the upgrade command and press the Enter key:
upgrade
 
  • If choosing to upgrade via a serial connection, enter the upgradeserial command and press the Enter key:
upgradeserial
 

Note Before the 2.1 upgrade, a backup snapshot of the existing 1.x.x or 2.0.x database is automatically created and stored in the /guest.bak directory. In the event of an upgrade failure, Cisco recommends making a local backup of this directory.


Step 7 When the upgrade has finished, the appliance automatically reboots and the login prompt appears.

Step 8 Login with the root user ID and change the password as instructed. The password needs to be a minimum of 6 characters, should not be based on a dictionary word and should contain at least 5 different characters.

The Cisco NAC Guest Server will be upgraded and running release 2.1.


 

Upgrading to Software Release 2.1 With Replication Enabled from 1.x.x

Software release 2.1 can be applied to an existing release 2.0.4 or later installation. If you are running release 1.x.x upgrade to release 2.0.4 before running the upgrade to the latest 2.1 release.

If the appliance needs to be re-imaged, refer to the instructions in the installation chapter of the Cisco NAC Guest Server Installation and Configuration Guide, Release 2.1 before applying the release 2.1 upgrade.


Note The /etc/httpd/conf.d/ssl.conf file is modified to allow chain certificates to be installed. During the upgrade process, this file is reset to default and the modifications are lost. This causes the failure of certificates. After the upgrade process, you need to re-configure the ssl.conf file.


Use the following upgrade instructions if you have configured Cisco NAC Guest Server replication, where the database is synchronized between two boxes.


Step 1 Create a manual backup snapshot of one of the Cisco NAC Guest Servers in the replication pair from the Server > Backup > Snapshot page of the Administration interface.


Warning Because there is a possibility for data loss with upgrade, Cisco strongly recommends creating a backup snapshot to ensure your previous database is preserved prior to upgrade.


Step 2 Download the cisco-nac-guest-server-2.1-K9.iso ISO image file from the Cisco NAC Guest Server download page. Log in with your Cisco.com user credentials to the Cisco Software Download Site at http://www.cisco.com/public/sw-center/index.shtml and navigate to Security >Network Admission Control > Cisco NAC Guest Server > Cisco NAC Guest Server 2.1 .

Step 3 Burn the ISO to a blank CDR disc.

Step 4 Insert the CD into the NAC Guest Server.

Step 5 Connect to the Cisco NAC Guest Server console using SSH, a keyboard and monitor, or a serial connection and log in using root account credentials.

Step 6 Enter the following command

reboot
 

Step 7 The Cisco NAC Guest Server will reboot and run the upgrade from the CD ROM.


Caution If your Cisco NAC Guest Server does not read the software on the CD ROM drive and instead attempts to boot from the hard disk, before proceeding you will need to change the appliance settings to boot from CD ROM as described in section “Configuring Boot Settings on NAC-3415 / NAC-3315 Based Appliances” in the Cisco NAC Guest Server Installation and Configuration Guide, Release 2.1.

Step 8 At the upgrade screen:

  • If choosing to upgrade from keyboard and monitor, enter the upgrade command and press the Enter key:
upgrade
 
  • If choosing to upgrade via a serial connection, enter the upgradeserial command and press the Enter key:
upgradeserial
 

Note Before the 2.1 upgrade, a backup snapshot of the existing 1.x or 2.0.x database is automatically created and stored in the /guest.bak directory. In the event of an upgrade failure, Cisco recommends making a local backup of this directory.


Step 9 When the upgrade has finished, the appliance automatically reboots and the login prompt appears.

Step 10 Login with the root user ID and change the password as instructed. The password needs to be a minimum of 6 characters, should not be based on a dictionary word and should contain at least 5 different characters.

The Cisco NAC Guest Server will be upgraded and running release 2.1.

Step 11 Perform Steps 1 to 10 on the other Cisco NAC Guest Server unit in the pair.

Step 12 Once both Cisco NAC Guest Server appliances have been upgraded to release 2.1, you will need to reconfigure replication between the appliances. Replication is turned off as part of the upgrade process to avoid any inconsistencies in the upgrade.


Warning Failure to reconfigure replication immediately after upgrade will cause the two units to be unsynchronized and will cause data loss from one of the units when replication is set up at a later date.



 

New and Changed Information

This section describes new features and enhancements for this release of Cisco NAC Guest Server:

Enhancements in Release 2.1

Release 2.1 is a general and important bug fix release for the Cisco NAC Guest Server that addresses the caveats described in Known Issues for Cisco NAC Guest Server.

Cisco NAC Guest Server Release 2.1 supports the following:

New Hardware Platform Support

The Cisco NAC Guest Server Release 2.1 supports a new hardware platform, Cisco NAC Appliance (NAC-3415), which is based on the UCS C220 M3 server platform.


Note Cisco NAC Appliance platform (NAC-3415) supports only fresh installation of Release 2.1.


Support for Internet Explorer 10

The Cisco NAC Guest Server Release 2.1 works with Internet Explorer 10.

Patch with Fix for Bash Vulnerability

You can download the patch to address the bash vulnerability in Cisco NAC Guest Server from the following URL:

http://software.cisco.com/download/navigator.html

  • Navigate to Security > Access Control and Policy > Network Admission Control > Cisco NAC Guest Server > Cisco NAC Guest Server 2.1 > Network Admission Control (NAC) Guest Server System Software-2.1.0
  • Download and apply CSCur05629.tar.gz .

See Also CSCur05629.

Features Removed in Release 2.1

The support for NAC-3310 has been dropped from Cisco NAC Guest Server Release 2.1.

Caveats

This section describes caveats related to the Cisco NAC Guest Server:


Note If you are a registered cisco.com user, you can view Bug Toolkit on cisco.com at the following website:

http://www.cisco.com/pcgi-bin/Support/Bugtool/home.pl

To become a registered cisco.com user, go to the following website:

http://tools.cisco.com/RPF/register/register.do


 

Open Caveats - Release 2.1

 

Table 2 List of Open Caveats

DDTS Number
Software Release 2.1
Corrected
Caveat

CSCsz40132

No

Sponsors Activity Report circle users overlay on each other

When running a sponsor activity report if the numbers for a sponsor are too close together the text can overlap.

If there are certain sponsors with very large numbers of accounts and certain sponsors with very small numbers of accounts, the ones with very small numbers could have numbers that overlap on the screen.

Note The numbers can still be seen in the table below the report.

CSCty77644

No

Invalid SSL certificates should not be allowed to be uploaded in the NGS server.

When the administrator tries to install an SSL Certificate that is not relevant in the NAC Guest Server, the following error message is displayed: “The Current Private Key does not Correspond to the Current Certificate”.

If the user clicks the Reboot Server option, the invalid certificate is uploaded and the GUI becomes inaccessible.

Workaround Generate and install a self-signed SSL Certificate using CLI. This enables the user to access the GUI. Refer to Known Issue with SSL Certificate.

CSCui52504

No

DB pruning procedure for DB >300MB

When the size of the database exceeds 300 MB, it might result in delayed activation of newly created Guest accounts and might affect overall performance. You can prune the database to avoid these issues. Refer to Known Issue with Database Size.

Resolved Caveats - Release 2.1

 

Table 3 List of Open Caveats

DDTS Number
Software Release 2.1
Corrected
Caveat

CSCur05629

Yes

Cisco NAC Guest Server evaluation for CVE-2014-6271 and CVE-2014-7169

The Cisco NAC Guest Server includes a version of bash that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-6271

CVE-2014-7169

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.5/7.5:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:U/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Known Issues for Cisco NAC Guest Server

This section describes known issues when working with Cisco NAC Guest Server:

Known Issue with SSL Certificate

When the administrator tries to install an SSL Certificate that is not relevant in the NAC Guest Server, the following error message is displayed: "The Current Private Key does not Correspond to the Current Certificate".

If the user clicks the Reboot Server option, the invalid certificate is uploaded and the GUI becomes inaccessible. The workaround is to generate and install a self-signed SSL Certificate using CLI. This enables the user to access the GUI. See Also CSCty77644.

Perform the following steps to generate self-signed SSL Certificate using the CLI:


Step 1 Generate key and certificate file by entering the following command:

openssl req -new -key /etc/pki/tls/private/localhost.key -nodes -x509 -days 365 -out /etc/pki/tls/certs/localhost.crt
 

Step 2 Enter the approrpriate information to be incorporated into your certificate request, as follows:

Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
 

Step 3 Provide a copy of the certificate and key to the postgres by entering the following commands:

cp /etc/pki/tls/certs/localhost.crt /var/lib/pgsql/data/server.crt
chmod 600 /var/lib/pgsql/data/server.crt
chown postgres:postgres /var/lib/pgsql/data/server.crt
 
cp /etc/pki/tls/private/localhost.key /var/lib/pgsql/data/server.key
chmod 600 /var/lib/pgsql/data/server.key
chown postgres:postgres /var/lib/pgsql/data/server.key
 

Step 4 Reboot the server.


 

You can access the GUI after rebooting the server.

Known Issue with BIOS Settings in NAC-3315

In NAC-3315, while booting NAC Guest Server through Console, you need to wait for 10 to 15 minutes for the server to boot up. If you are using a keyboard and monitor, you can view the message as "Press any key to continue..."

If you press any key, the appliance starts working normally. But if you do not press any key, then NAC Guest Server gets stuck at this stage.

To overcome this issue, you can disable the serial port redirection in BIOS settings. Go to BIOS Settings > Devices and I/O Ports > Remote Console direction > Remote Console Serial port and disable the option.

Known Issue with Database Size

When the size of the database exceeds 300 MB, it might result in delayed activation of newly created Guest accounts and might affect overall performance. You can prune the database to avoid these issues. To know more about database pruning, contact Cisco Technical Assistance Center (TAC). See Also CSCui52504.

Documentation Updates

 

Table 4 Updates to Release Notes for Cisco NAC Guest Server

Date
Description

10/21/14

Added Patch with Fix for Bash Vulnerability

11/27/12

Cisco NAC Guest Server Release 2.1

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html .

Subscribe to What’s New in Cisco Product Documentation , which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.

This document is to be used in conjunction with the documents listed in the “Related Documentation” section.