Release Notes for Cisco TrustSec 1.99
General Deployability 2011 Release


Published: September 8, 2011

Contents

The most current version of this document is available on Cisco.com at the following URL:

http://www.cisco.com/en/US/docs/switches/lan/trustsec/release/notes/rn_cts_crossplat.html

This document contains the following sections:

Introduction

Cisco Validated Design Documents

TrustSec 1.99 Validated Cisco Identity Based Networking Services (IBNS) Features

Supported Hardware and Software

Caveats

Related Documentation

Introduction

The Cisco TrustSec 1.99 General Deployability 2011 Release validates the operation of TrustSec features together with Cisco Identity Based Networking Services (IBNS) 4.0 features on the Catalyst Series switches.

The Cisco Validated Design (CVD) for the TrustSec 1.99 release provides deployment guidelines and best practices for proven network architectures in complex scenarios. The TrustSec 1.99 Baseline CVD is the list of qualified software images and the published design and deployment guides.

Cisco Validated Design Documents

All CVD documents can be obtained from the following URL:

http://www.cisco.com/go/designzone

The Cisco TrustSec 1.99 CVD documents can be obtained at the following URLs:

TrustSec Planning and Deployment Checklist
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/TrustSec_Checklist/trustsec-199_checklist.html

TrustSec Phased Deployment Configuration Guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Phased_Deploy/Phased_Dep_Guide.html

Scenario-Based TrustSec Deployments Application Note
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Scenario_based_AppNote/Scenario_based_AN.html

Wired 802.1X Deployment Guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Dot1X_Deployment/Dot1x_Dep_Guide.html

IP Telephony for 802.1X Design Guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/IP_Tele/IP_Telephony_DIG.html

MAC Authentication Bypass Deployment Guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/MAB/MAB_Dep_Guide.html

Local WebAuth Deployment Guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/WebAuth/WebAuth_Dep_Guide.html

TrustSec 1.99 Deployment Note: FlexAuth Order, Priority, and Failed Authentication
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/FlexAuthNote/flexauth-note.html

TrustSec 1.99 Validated Cisco Identity Based Networking Services (IBNS) Features

802.1X Authentication

MAC Authentication Bypass (MAB)

Open Access

Flexible Authentication

Single-Host Mode

Multi-Domain-Authentication (MDA) Host Mode

Multi-Host Mode

Multi-Auth Host Mode

VLAN assignment

Downloadable ACL (dACL)

Inactivity timer (MAB and 802.1X)

Local Web Authentication (LWA)

Wake-on-LAN (WoL)

CDP 2nd port disconnect

Integration with DAI, IPSG, port security

MDA with dynamic Voice VLAN assignment

Filter ID

RADIUS-supplied time out

Guest VLAN, Auth-Fail VLAN

RADIUS accounting

Critical Port / Inaccessible Authentication Bypass (IAB)

Conditional logging/debugging on per port basis

Additional information on Cisco IBNS can be found at the following URL or in your switch configuration guide:

http://www.cisco.com/en/US/products/ps6638/products_ios_protocol_group_home.html

Supported Hardware and Software

For a complete table of features, platforms, IOS images, and servers that have been validated for the TrustSec 1.99 release, please see the Platform Support Matrix in the Cisco TrustSec 1.0 Product Bulletin at the following URL:

http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-616556.html

Important Notes

The following caveats citing Catalyst 3000 Series switch documentation are relevant to 802.1X configuration with Cisco TrustSec 1.99:

CSCtl94043 Port Security blocks voice device from authenticating.

TrustSec Deployment Note: The Port Security feature is not recommended for TrustSec Endpoint Admission Control (EAC) deployments. We recommend 802.1X Multi-Domain Authentication (MDA) host mode for TrustSec customers implementing ordinary 802.1X mode or TrustSec Low Impact mode. For TrustSec Monitor Mode, we recommend configuring 802.1X Multi-Auth host mode.

CSCtn43105 and CSCtn59023 strider_hacl_asic_pacl_load_into_tcam: 411: ...Not enough space for IP

TrustSec Deployment Note: For a TrustSec deployment, we recommend creating dACLs with as few ACEs as possible.

Downloadable Access Control Lists (dACLs) are loaded into the switch's Ternary Content Addressable Memory (TCAM). The total TCAM space available varies between switch platforms and is determined by the ASICs in the switch. The number of dACLs that can be used, and the number of Access Control Entries (ACEs) each dACL can contain, therefore depends on the TCAM space available on the switch. It is not possible to predict the available TCAM space on each ASIC at the time of authorization.

If the switch runs out of TCAM space on the ASIC where the dACL is being applied, the dACL is not applied successfully. Additionally, the Catalyst 2000 series switches currently send no notification that application of the dACL failed (see caveat CSCtn59023).

CSCtn20365 idle-timeout (attribute 28) not applied to authc sessions voice domain

TrustSec Deployment Note: With the exception of the dot1x timeout tx-period timer, we recommend not changing the default timers unless the change solves a specific problem and has been thoroughly examined and tested. This caveat applies only if the idle-timeout is used, as required in the Voice Domain of a TrustSec deployment.

Caveats

Open Caveats - TrustSec 1.99 General Availability 2011 Release

Cisco Security Access Control Server (ACS)

Identifier | Technology | Software Release | Description
CSCtk34409 | ACS | ACS 5.X | Node should be removed from secondary instance list after deregistration.
CSCtl81564 | ACS | ACS 5.X | Internal error when creating rule in Alarms Thresholds for machine disabled.
CSCtl84134 | ACS | ACS 5.X | Network Device Authen Summary doesn't have any info about failed Authen
CSCtn17876 | ACS | ACS 5.X | Authentication Fails when one ID Store is unreachable
CSCto22927 | ACS | ACS 5.X | Authentication failing because Active Directory is unavailable after Active Directory is back online.


Cisco Catalyst 3500 Series Switches

Identifier | Technology | Software Release | Description
CSCtl52690 | 802.1X | 12.2(55)SE | %PM-3-INTERNALERROR: Port Manager Internal Software Error with dot1x
CSCtn03251 | Identity | 12.2(55)SE | Call drop/phone unregistered with reauth behind IPP with reauth
CSCtn04471 | Identity | 12.2(55)SE | Non-responsive host is placed in critical-auth VLAN instead of guest VLAN
CSCtn61717 | Identity | 12.2(55)SE | Security violation seen at times when data & voice try to go to critical.
CSCtn96939 | 802.1X | 12.2(55)SE1 | Security violation triggered for known MAC after age/reauth timer expiry.
CSCto55784 | AAA | 12.2(55)SE1 | RADIUS sessions timing out when rx'ing frag packets.
CSCto97524 | 802.1X | 15.0(1)SE | After switchover, Device Classifier failed to classify the device on member switch.


Cisco Catalyst 4500 Series Switches

Identifier | Technology | Software Release | Description
CSCtq64788 | 802.1X | 12.2(53)SG | Account-term-cause reported as "0" after session expires and reauth fails.


Cisco Catalyst 6500 Series Switches

Identifier | Technology | Software Release | Description
CSCtq43027 | 802.1X | 12.2(33)SXI | TB@const_dot1x_get_earl_entry upon Authfail->Guest
CSCtq94581 | 802.1X | 12.2(33)SXI | Voice domain cannot authc when port-security is enabled (MDA mode).
CSCtr43355 | 802.1X | 12.2(33)SXI | MDA: Recovering from Critical Auth, PC goes into guest VLAN.


Resolved Caveats

Cisco Catalyst 3500 Series Switches

Identifier | Technology | Software Release | Description
CSCtl77011 | 802.1X | 12.2(55)SE1 | Security Violation occurs when port-security is set on port (MDA)
CSCtn16828 | 802.1X | 12.2(55)SE1 | IPv6 Multicast Listener Storm on 3750G modules with 802.1x enabled
CSCtn80373 | 802.1X | 12.2(55)SE3 | Continuous traceback @dot1x_switch_pm_port_set_state
CSCtn84442 | 802.1X | 12.2(55)SE3 | Phone should not auth in single-host mode.
CSCto05912 | 802.1X | 12.2(55)SE | Port in err-disabled when voice and data are in the same vlan (MDA mode).


Cisco Catalyst 6500 Series Switches

Identifier | Technology | Software Release | Description
CSCsk94501 | 802.1X | 12.2(33)SXI7 | AUTHPROXY: info timestamp array size not the same as max-login-attempts


Related Documentation

Release-Specific Documents

Release-Specific Document Title | TrustSec Topics
Cisco TrustSec Switch Configuration Guide | TrustSec feature configurations for Cisco Catalyst series switches; system error messages


Platform-Specific Documents

Platform-Specific Document Title | TrustSec Topics

Catalyst 3000 Series Switches
Release Notes for Catalyst 3560 and 3750 Switches | Open and resolved caveats
Catalyst 3560 Software Configuration Guide, Release 12.2(52)SE, and Catalyst 3750 Switch Software Configuration Guide, 12.2(52)SE | 802.1x configuration procedures

Catalyst 4500 Series Switches
Release Note for the Catalyst 4500 Series Switch, Cisco IOS, 12.2EW and 12.2SG | Open and resolved caveats
Catalyst 4500 Series Switch Software Configuration Guide, 12.2(53)SG | 802.1x configuration procedures

Catalyst 6500 Series Switches
Catalyst 6500 Series Release Notes for Cisco IOS Release 12.2(33)SXH and Later Releases | Open and resolved caveats
Catalyst 6500 Release 12.2SXH and Later Software Configuration Guide | 802.1x configuration procedures

Nexus 7000 Series Switches
Cisco Nexus 7000 Series Switches Release Notes | Open and resolved caveats
Cisco Nexus 7000 Series Switches Configuration Guides | TrustSec feature configurations for Cisco Nexus 7000 series switches, Release 4.1 and more recent; 802.1X configuration procedures

Cisco Secure Access Control System
Cisco Secure Access Control System Release Notes | Open and resolved caveats
Cisco Secure Access Control System End-User Guides | TrustSec configurations for Cisco ACS 5.1 and more recent


Cisco IOS Software Documentation Set

Cisco IOS Document Title | TrustSec Topics
Cisco IOS Security Configuration Guide: Securing User Services | 802.1x configuration procedures
Cisco IOS Security Command Reference | Syntax and usage guidelines for TrustSec-specific and related commands