Release Notes for Cisco TrustSec 1.99
General Deployability 2011 Release
Published: September 8, 2011
Contents
The most current version of this document is available on Cisco.com at the following URL:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/release/notes/rn_cts_crossplat.html
This document contains the following sections:
•Introduction
•Cisco Validated Design Documents
•TrustSec 1.99 Validated Cisco Identity Based Networking Services (IBNS) Features
•Supported Hardware and Software
•Important Notes
•Caveats
•Related Documentation
Introduction
The Cisco TrustSec 1.99 General Deployability 2011 Release validates the operation of TrustSec features with Cisco Identity Based Networking Services (IBNS) 4.0 features on the Catalyst Series switches.
The Cisco Validated Design (CVD) for the TrustSec 1.99 release provides deployment guidelines and best practices for proven network architectures in complex scenarios. The TrustSec 1.99 Baseline CVD is the list of qualified software images and the published design and deployment guides.
Cisco Validated Design Documents
All CVD documents can be obtained from the following URL:
http://www.cisco.com/go/designzone
The Cisco TrustSec 1.99 CVD documents can be obtained at the following URLs:
TrustSec Planning and Deployment Checklist
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/TrustSec_Checklist/trustsec-199_checklist.html
TrustSec Phased Deployment Configuration Guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Phased_Deploy/Phased_Dep_Guide.html
Scenario-Based TrustSec Deployments Application Note
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Scenario_based_AppNote/Scenario_based_AN.html
Wired 802.1X Deployment Guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Dot1X_Deployment/Dot1x_Dep_Guide.html
IP Telephony for 802.1X Design Guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/IP_Tele/IP_Telephony_DIG.html
MAC Authentication Bypass Deployment Guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/MAB/MAB_Dep_Guide.html
Local WebAuth Deployment Guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/WebAuth/WebAuth_Dep_Guide.html
TrustSec 1.99 Deployment Note: FlexAuth Order, Priority, and Failed Authentication
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/FlexAuthNote/flexauth-note.html
TrustSec 1.99 Validated Cisco Identity Based Networking Services (IBNS) Features
•802.1X Authentication
•MAC Authentication Bypass (MAB)
•Open Access
•Flexible Authentication
•Single-Host Mode
•Multi-Domain-Authentication (MDA) Host Mode
•Multi-Host Mode
•Multi-Auth Host Mode
•VLAN assignment
•Downloadable ACL (dACL)
•Inactivity timer (MAB and 802.1X)
•Local Web Authentication (LWA)
•Wake-on-LAN (WoL)
•CDP 2nd port disconnect
•Integration with DAI, IPSG, port security
•MDA with dynamic Voice VLAN assignment
•Filter ID
•RADIUS-supplied time out
•Guest VLAN, Auth-Fail VLAN
•RADIUS accounting
•Critical Port / Inaccessible Authentication Bypass (IAB)
•Conditional logging/debugging on per port basis
Additional information on Cisco IBNS is available at the following URL or in your switch configuration guide:
http://www.cisco.com/en/US/products/ps6638/products_ios_protocol_group_home.html
Supported Hardware and Software
For a complete table of features, platforms, IOS images, and servers that have been validated for the TrustSec 1.99 release, please see the Platform Support Matrix in the Cisco TrustSec 1.0 Product Bulletin at the following URL:
http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-616556.html
Important Notes
The following caveats citing Catalyst 3000 Series switch documentation are relevant to 802.1X configuration with Cisco TrustSec 1.99:
•CSCtl94043 Port Security blocks voice device from authenticating.
TrustSec Deployment Note: The Port Security feature is not recommended for TrustSec Endpoint Admission Control (EAC) deployments. For TrustSec customers implementing ordinary 802.1X mode or TrustSec Low Impact mode, we recommend 802.1X Multi-Domain Authentication (MDA) host mode. For TrustSec Monitor Mode, we recommend 802.1X Multi-Auth host mode.
•CSCtn43105 & CSCtn59023 strider_hacl_asic_pacl_load_into_tcam: 411: ...Not enough space for IP
TrustSec Deployment Note: For a TrustSec deployment, we recommend creating dACLs with as few ACEs as possible.
Downloadable Access Control Lists (dACLs) are loaded into the switch's Ternary Content Addressable Memory (TCAM). The total TCAM space available varies between switch platforms and is determined by the switch's ASICs. The number of dACLs that can be applied, and the number of Access Control Entries (ACEs) each can contain, is therefore limited by the TCAM space available on the switch, and the free space on a given ASIC at the moment of authorization cannot be predicted.
If the ASIC on which the dACL is being applied runs out of TCAM space, the dACL is not applied. In addition, Catalyst 2000 series switches currently send no notification that the dACL failed to apply (see caveat CSCtn59023), so a successful authorization on the RADIUS server does not guarantee that the dACL is enforced on the port.
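The following script is an added example, not code from these release notes or from Cisco. It counts the ACEs a dACL body would push into TCAM and shows one safe way to honour the "as few ACEs as possible" recommendation: runs of consecutive same-action "permit/deny <proto> any host A.B.C.D" entries are merged into covering prefixes only where the hosts exactly fill an aligned block, so the set of matched packets does not change. The sample dACL is constructed for the example; ACE shapes other than the one handled are left untouched.

```python
"""Count and losslessly compact the ACEs of a downloadable ACL (dACL).

Added example, not Cisco code. Within a run of consecutive ACEs that share the
same action, match order is irrelevant, so regrouping those entries is safe.
ipaddress.collapse_addresses() only joins blocks that are completely covered,
so no address becomes matched that was not matched before.
"""
import ipaddress
import re

# ACE shape handled for merging: "permit|deny <proto> any host A.B.C.D [L4 options]"
HOST_ACE = re.compile(
    r"^\s*(permit|deny)\s+(\S+)\s+any\s+host\s+(\d{1,3}(?:\.\d{1,3}){3})(.*)$",
    re.IGNORECASE,
)
# Any permit/deny line is an ACE; "remark" lines are comments and consume no TCAM.
ANY_ACE = re.compile(r"^\s*(permit|deny)\b", re.IGNORECASE)

# Constructed sample: the four 10.20.0.x hosts exactly fill 10.20.0.0/30.
SAMPLE_DACL = """\
remark constructed example dACL
permit udp any host 10.10.10.1 eq 53
permit udp any host 10.10.10.2 eq 53
permit ip any host 10.20.0.0
permit ip any host 10.20.0.1
permit ip any host 10.20.0.2
permit ip any host 10.20.0.3
deny ip any any
"""


def count_aces(lines):
    """Number of permit/deny entries in the dACL body."""
    return sum(1 for line in lines if ANY_ACE.match(line))


def _render(action, proto, nets, rest):
    """Render collapsed networks back into Cisco ACE syntax (wildcard masks)."""
    out = []
    for net in nets:
        if net.prefixlen == 32:
            out.append(f"{action} {proto} any host {net.network_address}{rest}")
        else:
            out.append(f"{action} {proto} any {net.network_address} {net.hostmask}{rest}")
    return out


def compact_dacl(lines):
    """Merge host ACEs into covering prefixes where the hosts exactly fill a block."""
    result, run_action, groups = [], None, {}

    def flush():
        nonlocal run_action, groups
        for (action, proto, rest), hosts in groups.items():
            result.extend(_render(action, proto, ipaddress.collapse_addresses(hosts), rest))
        run_action, groups = None, {}

    for line in lines:
        if not line.strip():
            continue
        m = HOST_ACE.match(line)
        if not m:
            flush()                      # any other line ends the mergeable run
            result.append(line.strip())
            continue
        action, proto = m.group(1).lower(), m.group(2).lower()
        host, rest = m.group(3), m.group(4).rstrip()
        if action != run_action:
            flush()                      # a permit/deny boundary ends the run
            run_action = action
        groups.setdefault((action, proto, rest), []).append(ipaddress.ip_network(host + "/32"))
    flush()
    return result


def demo(dacl_text=SAMPLE_DACL):
    """Return (ACE count before, ACE count after, compacted lines)."""
    before = dacl_text.splitlines()
    after = compact_dacl(before)
    return count_aces(before), count_aces(after), after


if __name__ == "__main__":
    n_before, n_after, compacted = demo()
    print(f"{n_before} ACEs -> {n_after} ACEs")
    print("\n".join(compacted))
```

The textual ACE count is what the RADIUS server sends; how much TCAM each entry consumes is platform specific, so after authorization verify on the switch (for example with show platform tcam utilization on Catalyst 3750-class switches, and by checking the ACL actually applied to the session) rather than trusting the Access-Accept alone.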
•CSCtn20365 idle-timeout (attribute 28) not applied to authc sessions voice domain
TrustSec Deployment Note: Apart from the dot1x timeout tx-period timer, we recommend leaving the default timers unchanged unless a change solves a specific problem and has been thoroughly examined and tested. This caveat applies only if the RADIUS idle-timeout (attribute 28) is used for sessions in the voice domain of the TrustSec deployment.
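The following audit script is an added example, not code from these release notes or from Cisco. It parses the interface stanzas of a saved IOS running-config and reports the three conditions the deployment notes above warn about: port security enabled on an identity port, a host mode other than the one recommended for the port's deployment mode, and a dot1x timer other than tx-period changed from its default. The sample configuration is constructed, and the mapping from configuration to deployment mode is an assumption of the example (authentication open with no inbound port ACL is treated as Monitor Mode, authentication open with an inbound ACL as Low Impact Mode, and no authentication open as ordinary closed 802.1X).

```python
"""Audit Catalyst identity-port configuration against the TrustSec 1.99 notes.

Added example, not Cisco code. Deployment-mode classification is an assumption:
  authentication open, no "ip access-group ... in"  -> monitor
  authentication open, with an inbound port ACL     -> low-impact
  no authentication open                            -> closed (ordinary 802.1X)
"""
import re

INTERFACE_RE = re.compile(r"^interface\s+(\S+)")

# Constructed sample running-config excerpt (IOS 12.2(55)SE style syntax).
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 switchport voice vlan 100
 switchport port-security
 ip access-group PRE-AUTH in
 authentication host-mode multi-domain
 authentication open
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x timeout quiet-period 5
!
interface GigabitEthernet1/0/2
 switchport voice vlan 100
 authentication host-mode multi-domain
 authentication open
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport voice vlan 100
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""


def parse_interfaces(running_config):
    """Return {interface name: [stripped config lines]} for every interface stanza."""
    stanzas, current = {}, None
    for raw in running_config.splitlines():
        if not raw.strip():
            continue
        m = INTERFACE_RE.match(raw)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None          # "!" or any top-level command ends the stanza
    return stanzas


def deployment_mode(lines):
    """Assumed classification, see module docstring."""
    if "authentication open" not in lines:
        return "closed"
    if any(l.startswith("ip access-group ") for l in lines):
        return "low-impact"
    return "monitor"


def audit_interface(name, lines):
    """Return (interface, check, detail) findings for one identity-enabled port."""
    findings = []
    if "authentication port-control auto" not in lines:
        return findings             # not an identity port; nothing to check
    mode = deployment_mode(lines)
    host_mode = next((l.split()[-1] for l in lines
                      if l.startswith("authentication host-mode ")), "single-host")
    # The bare "switchport port-security" line is what enables the feature.
    if "switchport port-security" in lines:
        findings.append((name, "port-security",
                         "port security enabled on an identity port; not recommended for "
                         "TrustSec EAC, it can block the voice device (CSCtl94043)"))
    wanted = "multi-auth" if mode == "monitor" else "multi-domain"
    if host_mode != wanted:
        findings.append((name, "host-mode",
                         f"{mode} mode port uses host-mode {host_mode}; recommended {wanted}"))
    for l in lines:
        if l.startswith("dot1x timeout ") and not l.startswith("dot1x timeout tx-period"):
            findings.append((name, "timer", f"non-default timer changed: {l}"))
    return findings


def audit_config(running_config):
    """Run audit_interface over every interface stanza in the config."""
    findings = []
    for name, lines in parse_interfaces(running_config).items():
        findings.extend(audit_interface(name, lines))
    return findings


if __name__ == "__main__":
    for iface, check, detail in audit_config(SAMPLE_CONFIG):
        print(f"{iface}: [{check}] {detail}")
```

Feed it the text of show running-config saved to a file; ports without authentication port-control auto are skipped, so uplinks and non-identity ports produce no findings.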
Caveats
Open Caveats - TrustSec 1.99 General Deployability 2011 Release
Cisco Security Access Control Server (ACS)
Caveat ID | Component | Software Version | Description
CSCtk34409 | ACS | ACS 5.X | Node should be removed from secondary instance list after deregistration.
CSCtl81564 | ACS | ACS 5.X | Internal error when creating rule in Alarms Thresholds for machine disabled.
CSCtl84134 | ACS | ACS 5.X | Network Device Authen Summary doesn't have any info about failed Authen
CSCtn17876 | ACS | ACS 5.X | Authentication Fails when one ID Store is unreachable
CSCto22927 | ACS | ACS 5.X | Authentication failing because Active Directory is unavailable after Active Directory is back online.
Cisco Catalyst 3500 Series Switches
Caveat ID | Component | Software Version | Description
CSCtl52690 | 802.1X | 12.2(55)SE | %PM-3-INTERNALERROR: Port Manager Internal Software Error with dot1x
CSCtn03251 | Identity | 12.2(55)SE | Call drop/phone unregistered with reauth behind IPP with reauth
CSCtn04471 | Identity | 12.2(55)SE | Non-responsive host is placed in critical-auth VLAN instead of guest VLAN
CSCtn61717 | Identity | 12.2(55)SE | Security violation seen at times when data & voice try to go to critical.
CSCtn96939 | 802.1X | 12.2(55)SE1 | Security violation triggered for known MAC after age/reauth timer expiry.
CSCto55784 | AAA | 12.2(55)SE1 | RADIUS sessions timing out when rx'ing frag packets.
CSCto97524 | 802.1X | 15.0(1)SE | After switchover, Device Classifier failed to classify the device on member switch.
Cisco Catalyst 4500 Series Switches
Caveat ID | Component | Software Version | Description
CSCtq64788 | 802.1X | 12.2(53)SG | Account-term-cause reported as "0" after session expires and reauth fails.
Cisco Catalyst 6500 Series Switches
Caveat ID | Component | Software Version | Description
CSCtq43027 | 802.1X | 12.2(33)SXI | TB@const_dot1x_get_earl_entry upon Authfail- >Guest
CSCtq94581 | 802.1X | 12.2(33)SXI | Voice domain cannot authc when port-security is enabled (MDA mode).
CSCtr43355 | 802.1X | 12.2(33)SXI | MDA: Recovering from Critical Auth, PC goes into guest VLAN.
Resolved Caveats
Cisco Catalyst 3500 Series Switches
Caveat ID | Component | Software Version | Description
CSCtl77011 | 802.1X | 12.2(55)SE1 | Security Violation occurs when port-security is set on port (MDA)
CSCtn16828 | 802.1X | 12.2(55)SE1 | IPv6 Multicast Listener Storm on 3750G modules with 802.1x enabled
CSCtn80373 | 802.1X | 12.2(55)SE3 | Continuous traceback @dot1x_switch_pm_port_set_state
CSCtn84442 | 802.1X | 12.2(55)SE3 | Phone should not auth in single-host mode.
CSCto05912 | 802.1X | 12.2(55)SE | Port in err-disabled when voice and data are in the same vlan (MDA mode).
Cisco Catalyst 6500 Series Switches
Caveat ID | Component | Software Version | Description
CSCsk94501 | 802.1X | 12.2(33)SXI7 | AUTHPROXY: info timestamp array size not the same as max-login-attempts
Related Documentation
Release-Specific Documents
Platform-Specific Documents
Cisco IOS Software Documentation Set