Readme File for Cisco Secure Access Control Server (ACS)
Release: ACS 5.1.0.44 Patch: 5-1-0-44-3.tar.gpg
=======================================================================================
This patch fixes:
*Bug Id:
CSCtc41730 - ACS resets SYN packets if MSS isn't set
CSCtc20671 - ACS 5 develops filesystem issues with SAN over Fiber
CSCtd16825 - CLI "copy" command is broken when working with "disk:"
Patch 2:
CSCtd10767 - Syslog data loss during upgrade
CSCtc12382 - ACS View upgrade fails on scale configuration (improve view db performance)
CSCtd37384 - ACS view 5.0/5.1 does not display "Remote Address"
CSCtd54592 - Support for webAuth in ViewCollector
CSCtd57980 - EPM Syslogs are not parsed as expected in View collector
CSCte81150 - ACS 5.x reports key mismatch for unknown authen type
CSCte79051 - ACS 5.1 crashing on concurrent T+ session authorization requests
CSCte70900 - ACS 5.1 rejects AP to join WDS domain by "LEAP packet validation failed"
CSCtd24949 - Tacacs authorization failure when authen_type=0
CSCte16911 - ACS 5 doesn't support the PPP tacacs service type for authentication
CSCtd99822 - AD users with expired passwords fail authentication
CSCtd69364 - adclient fail to restart
CSCtd00585 - ACS 5.1 adclient rebuilds the domain info map from scratch each time
Patch 3:
CSCte88357 ACS5.1 Tacacs Accounting Report missing few attributes due to NULL char
CSCtb94187 Migration of users - ' or space or _ characters limitation
CSCtd48173 Post upgrade: can't create/edit a VSA attribute
CSCtf06311 All internal users disabled automatically after logging in a single user
CSCte72751 ACS 5.1 drops authentication with empty password
CSCsy54062 ACS doesn't verify SubjectKeyID / AuthorityKeyID in CertChain building
CSCtf85659 ACS 5 doesn't distinguish between unique certificates
CSCtf60490 Windows Mobile 5.0 Clients Fail LEAP on ACS 5.1
CSCtf65179 AD PERF Discovery of host account domain is done several time
CSCtf62721 AD PERF Translation of Group SID to Group name is very inefficient
CSCtf39158 Can't retrieve AD groups in single forest with multiple trees scenarios
CSCtd00477 Active Directory group retrieval doesn't return groups when the domain is 'sap.corp'
CSCtf30684 Password change using web service doesn't work
CSCtf75806 ACS 5.1 does not log accounting details for some AAA clients
Patch 5-1-0-44-3.tar.gpg consists of:
* files
acs-db-5.1.0.44.B.2347.jar
acsview_schema_upgrade_5_1.sql
acsview.war
dataupgrade-5.0.jar
rebuildAggregationForAcct.sql
viewcleantempdb.sh
viewcopytempdb.sh
viewswitchdb.sh
collection-5.0.jar
adclient
libeda.so.0
liblrpc.so.0.0.0
liblber-2.2.so.7.0.19
libldap-2.2.so.7.0.19
libldap_r-2.2.so.7.0.19
libeap.so
libtacacs.so
libTacacsAuthenFlows.so
libActiveDirectoryIDStore.so
libShellProfile.so
libCryptoLib.so
libActiveDirectoryIDStore.so
acs-common-5.1.0.44.B.2347.jar
acsadmin.war
acs-bl-framework-5.1.0.44.B.2347.jar
PI.war
libLogging.so
migration.zip
libRadiusAuthenflow.so
libRadiusCommon.so
Prerequisites
=============
This is a patch for release ACS 5.1.0.44. ACS 5.1.0.44 must be installed before installing this
patch. Other prerequisites are the same as for ACS 5.1.0.44 (FCS version).
What the Patch Fixes
====================
The patch fixes the following DDTS:
- CSCtc20671 - ACS 5 develops filesystem issues with SAN over Fiber
The issue only occurs on virtual hosts (hosts running as VM images).
The issue is also only prevalent when the VM is running on a VM host that has fiber attached storage.
In the case of a VM guest running on a VM host that has fiber attached storage, we may see
the filesystems become read-only. This will render the system inoperable. The lower layer details of the problem are described in this VMware forum article:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=51306
The solution to the issue is to use an updated mptscsi linux kernel driver that contains the fix.
This code fix was put in the ADE-OS VM kernel. ADE-OS bundles separate kernels for use
with VMware and hardware appliances. Here are the kernel RPM names:
kernel-ade-2.6.18.8ADE-1
kernel-adevm-2.6.18.8ADEVM-1
At ADE-OS install time, the OS installer chooses the correct kernel to use based on the Unique Device Identifier (UDI). The fix for this defect went only in the kernel-adevm RPM. Hence, users that use the real hardware appliance are completely unaffected by this fix.
- CSCtd16825 - CLI "copy" command is broken when working with "disk:"
The fix allows the target TFTP URL either to include or to omit the filename. If the URL ends with a '/', the file is placed in that directory under its source filename. If the URL does not end in a '/', the last path component is taken as the target filename.
So any of these will work:
carsdev-vm2/admin# copy disk:/running-config tftp://acsview-build1/
carsdev-vm2/admin# copy disk:/running-config tftp://acsview-build1/running-config
carsdev-vm2/admin# copy disk:/running-config tftp://acsview-build1/dir1/dir2/
carsdev-vm2/admin# copy disk:/running-config tftp://acsview-build1/dir1/dir2/dir3/
carsdev-vm2/admin# copy disk:/running-config tftp://acsview-build1/dir1/dir2/dir3/carsconfg1
carsdev-vm2/admin#
carsdev-vm2/admin# copy disk:/d1/d2/d3/running-config tftp://acsview-build1/dir1/dir2/dir3/carsconfg1
carsdev-vm2/admin# copy disk:/d1/d2/d3/running-config tftp://acsview-build1/dir1/dir2/dir3/
With the existing code, only copy commands that specify the filename at the end of the URL work.
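The target-URL rule described above, modelled in Python as an added example (this is not code from the Cisco readme or from ADE-OS; the function names are my own, and the command list is the readme's own examples with the prompt stripped):

```python
# Added example, not part of the Cisco readme: a Python model of the target-URL
# rule that the CSCtd16825 fix introduces for "copy disk:/<path> tftp://<host>/<path>".
# The function names are hypothetical; the ADE-OS CLI does not expose them.
import shlex
from typing import List, Tuple


def resolve_copy_target(source: str, target_url: str) -> str:
    """Return the full TFTP URL the file is written to under the patched rule.

    A target ending in '/' is a directory: the source filename is appended.
    Any other target is taken as the destination filename itself.
    """
    if not target_url.startswith("tftp://"):
        raise ValueError("only tftp:// targets are modelled here")
    src_name = source.rsplit("/", 1)[-1]
    if not src_name:
        raise ValueError("source must name a file, e.g. disk:/running-config")
    if target_url.endswith("/"):
        return target_url + src_name
    return target_url


def accepted_before_patch(target_url: str) -> bool:
    """Pre-fix behaviour as the readme describes it: only URLs that end in a
    filename (no trailing '/') worked."""
    return not target_url.endswith("/")


def evaluate_copy_command(command_line: str) -> Tuple[str, bool]:
    """Parse a 'copy <source> <target-url>' line and return
    (resolved destination URL, whether the pre-patch code accepted it)."""
    parts = shlex.split(command_line)
    if len(parts) != 3 or parts[0] != "copy":
        raise ValueError("expected: copy <source> <target-url>")
    _, source, target = parts
    return resolve_copy_target(source, target), accepted_before_patch(target)


# The readme's own example commands, prompt removed.
README_COMMANDS: List[str] = [
    "copy disk:/running-config tftp://acsview-build1/",
    "copy disk:/running-config tftp://acsview-build1/running-config",
    "copy disk:/running-config tftp://acsview-build1/dir1/dir2/",
    "copy disk:/running-config tftp://acsview-build1/dir1/dir2/dir3/",
    "copy disk:/running-config tftp://acsview-build1/dir1/dir2/dir3/carsconfg1",
    "copy disk:/d1/d2/d3/running-config tftp://acsview-build1/dir1/dir2/dir3/carsconfg1",
    "copy disk:/d1/d2/d3/running-config tftp://acsview-build1/dir1/dir2/dir3/",
]

if __name__ == "__main__":
    for cmd in README_COMMANDS:
        dest, old_ok = evaluate_copy_command(cmd)
        print(f"{cmd}\n  -> {dest}  (worked before patch: {old_ok})")
```

Running the block shows that four of the seven readme commands end in '/' and therefore only succeed with the patched rule; the other three resolve to the same destination under both the old and the new code.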
- CSCtd10767 - Syslog data loss during upgrade
After upgrade from 5.0.* to 5.1.0.44, while switching over the database to 5.1.0.44, syslog data collected during the upgrade process could be lost.
Please apply the fix and then switch over the database to avoid any data loss.
See the release notes for more details.
- CSCtc12382 - ACS View upgrade fails on scale configuration (improve view db upgrade performance)
The ACS view database upgrade process is time consuming and it depends on the amount of log data collected in the database.
This fix improves the ACS view database upgrade performance significantly.
- CSCtd37384 - ACS view 5.0/5.1 does not display "Remote Address"
The fix will display the "Remote Address" attribute in the TACACS reports.
- CSCtd54592 - Support for webAuth in ViewCollector
The fix will provide limited data collection support for NAD syslogs carrying webauth information.
- CSCtd57980 - EPM Syslogs are not parsed as expected in View collector
The fix will parse the EPM NAD syslogs correctly.
- CSCtd99822 - AD users with expired passwords fail authentication
The issue has been observed on ACS 5.1 using Windows AD as the external Identity Store.
This fix allows users to pass authentications after the password has been reset.
- CSCtd24949 - Tacacs authorization failure when authen_type=0
This fix enables ACS to accept TACACS+ authorization requests with authen type
equal to 0.
- CSCte81150 - ACS 5.x reports key mismatch for unknown authen method
This fix enables ACS to accept TACACS+ accounting requests with authen method
equal to 0xa.
- CSCte16911 - ACS 5 doesn't support the PPP tacacs service type for authentication
This fix enables ACS to accept TACACS+ authentication requests with the PPP service type.
- CSCte79051 - ACS 5.1 crashing on concurrent T+ session authorization requests
This fix allows ACS to handle several T+ session authorization requests
simultaneously without the reported issue.
- CSCte70900 - ACS 5.1 rejects AP to join WDS domain by "LEAP packet validation failed"
This fix allows ACS to handle LEAP requests from AP devices attempting to join a WDS domain.
- CSCtd48173 - Post upgrade: can't create/edit a VSA attribute
This fix enables updating new VSA vendors and their attributes after an upgrade from ACS 5.0.
- CSCtf65179 AD PERF Discovery of host account domain is done several times
- CSCtf62721 AD PERF Translation of Group SID to Group name is very inefficient
These two fixes optimize the performance of the corresponding operations against Active Directory.
- CSCtf30684 Password change using web service doesn't work
This fix makes UCP available in all situations.
- CSCte88357 - ACS5.1 Tacacs Accounting Report missing few attributes due to NULL char
This fix logs all the attributes properly in the TACACS Accounting report.
- CSCtb94187 - Migration of users - ' or space or _ characters limitation
ACS 5.1 did not allow space and apostrophe characters when creating users. With this fix, user strings can also contain space and apostrophe characters. Hyperlinks are disabled if a user string contains an apostrophe or a space.
Because of this bug fix, the User Authentication Summary report cannot complete successfully: an error is displayed in the UI when generating the report via Monitoring and Reports -> Reports -> Catalog -> User -> User_Authentication_Summary if the user name contains an apostrophe. Other reports run without any issues. This will be fixed in future versions.
Also, the customer needs to download the new zip after installing the patch, and only then run the migration.
- CSCtf06311 - All internal users disabled automatically after logging in a single user
After this fix, no internal users should expire until their expiration time actually arrives.
- CSCtf60490 - Windows Mobile 5.0 Clients Fail LEAP on ACS 5.1 (Patch 2)
This fix makes LEAP authentication work for Windows Mobile 5.0 clients.
- CSCte72751 - ACS 5.1 drops authentication with empty password
Currently the runtime drops the packet if the length of the password attribute (after decryption) is zero. With this fix, authentication processing continues even though the password is empty.
- CSCtf75806 - ACS 5.1 does not log accounting details for some AAA clients
In the ACS View TACACS Accounting report, a few attributes such as username and privilege level were missing when an NX-OS client sent an argument value containing a null character. This has been resolved.
- CSCsy54062 ACS doesn't verify SubjectKeyID / AuthorityKeyID in CertChain building
ACS was building the certificate chain based on "Subject" -> "Issuer" name matching.
After this fix, ACS builds the certificate chain based on the Subject Key Identifier and Authority Key Identifier.
- CSCtf85659 ACS 5 doesn't distinguish between unique certificates
In ACS 4, two CA certificates with the same subject could be installed. ACS 5 does not allow this even though the two certificates are not the same, because ACS 5 uses only the subject name to check certificate uniqueness.
After this fix, certificate uniqueness checking by serial number and SKI is added.
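The two certificate changes above (chain building by AKI -> SKI instead of Subject -> Issuer in CSCsy54062, and uniqueness by serial number and SKI instead of subject alone in CSCtf85659), shown side by side in a toy model. This is an added example, not ACS code: certificates are plain records with stand-in key identifiers and a stand-in signature check, and the sample CAs and server certificate are constructed for the illustration.

```python
# Added example, not Cisco's code: a toy model of the two certificate changes in
# this patch. CSCsy54062 replaces Subject->Issuer name matching with Authority
# Key Identifier -> Subject Key Identifier matching when building a chain, and
# CSCtf85659 replaces the subject-only uniqueness check with one by serial
# number and SKI. Certificates are plain records with stand-in key identifiers
# (constructed sample data), not real X.509 objects.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    ski: str             # Subject Key Identifier: derived from this cert's public key
    aki: Optional[str]   # Authority Key Identifier: the issuing key's SKI (None if absent)
    public_key: str      # stand-in for the public key
    signing_key: str     # stand-in for the key that produced the signature


def signature_valid(cert: Cert, issuer: Cert) -> bool:
    """Stand-in for a signature check: true only if signed with the issuer's key."""
    return cert.signing_key == issuer.public_key


def chain_by_name(leaf: Cert, store: List[Cert]) -> Optional[List[Cert]]:
    """Pre-fix behaviour: walk Subject -> Issuer by name. If two trusted CAs
    share a Subject, the first one found is used, whether or not its key
    actually signed the certificate."""
    chain = [leaf]
    cur = leaf
    while cur.subject != cur.issuer:
        candidates = [c for c in store if c.subject == cur.issuer]
        if not candidates:
            return None
        cur = candidates[0]
        chain.append(cur)
    return chain


def chain_by_key_id(leaf: Cert, store: List[Cert]) -> Optional[List[Cert]]:
    """Post-fix behaviour: follow AKI -> SKI, which identifies the issuing key
    rather than the issuing name. A self-signed root either carries no AKI or
    an AKI equal to its own SKI."""
    chain = [leaf]
    cur = leaf
    while cur.aki is not None and cur.aki != cur.ski:
        candidates = [c for c in store if c.ski == cur.aki]
        if len(candidates) != 1:
            return None
        cur = candidates[0]
        chain.append(cur)
    return chain


def chain_verifies(chain: Optional[List[Cert]]) -> bool:
    """Every certificate in the chain must be signed by the next one up."""
    if not chain:
        return False
    return all(signature_valid(chain[i], chain[i + 1]) for i in range(len(chain) - 1))


def unique_by_subject(new: Cert, store: List[Cert]) -> bool:
    """Pre-fix uniqueness check: subject name only."""
    return all(c.subject != new.subject for c in store)


def unique_by_serial_and_ski(new: Cert, store: List[Cert]) -> bool:
    """Post-fix uniqueness check: serial number plus SKI."""
    return all((c.serial, c.ski) != (new.serial, new.ski) for c in store)


# Constructed sample data: two distinct root CAs that share a Subject (for
# instance a CA that was re-keyed), and a server certificate issued by the second.
ROOT_A = Cert("CN=Example Root CA", "CN=Example Root CA", 1, "ski-A", None, "pub-A", "pub-A")
ROOT_B = Cert("CN=Example Root CA", "CN=Example Root CA", 2, "ski-B", "ski-B", "pub-B", "pub-B")
LEAF = Cert("CN=acs.example.test", "CN=Example Root CA", 1001, "ski-L", "ski-B", "pub-L", "pub-B")
STORE = [ROOT_A, ROOT_B]

if __name__ == "__main__":
    print("by name   :", [c.ski for c in chain_by_name(LEAF, STORE)], chain_verifies(chain_by_name(LEAF, STORE)))
    print("by key id :", [c.ski for c in chain_by_key_id(LEAF, STORE)], chain_verifies(chain_by_key_id(LEAF, STORE)))
    print("ROOT_B installable next to ROOT_A, subject-only check:", unique_by_subject(ROOT_B, [ROOT_A]))
    print("ROOT_B installable next to ROOT_A, serial+SKI check  :", unique_by_serial_and_ski(ROOT_B, [ROOT_A]))
```

With the name-based walk the chain ends at ROOT_A, whose key never signed the leaf, so verification fails; the key-identifier walk lands on ROOT_B and verifies. The same pair of roots is what the subject-only uniqueness check rejected and the serial-plus-SKI check accepts, which is why the two fixes belong together.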
- CSCtf39158 Can't retrieve AD groups in single forest with multiple trees scenarios
AD groups cannot be listed when the domain is X.Y.Z and the global catalog is contained in W.Y.Z.
Such a scenario is referred to as a single forest with multiple trees.
After this fix, AD groups are retrieved in single-forest, multiple-tree scenarios.
The patch version will be displayed as:
#show application version acs
Cisco ACS VERSION INFORMATION
=============================
Version : 5.1.0.44
Internal Build ID:
patches:
5.1.0.44.3
Instructions on how to install the patch
========================================
1. open the CLI console
2. define a new repository in which the 5-1-0-44-3.tar.gpg resides
3. issue: 'acs patch install 5-1-0-44-3.tar.gpg repository YOUR_REPOSITORY'
4. verify installation via CLI by issuing:
'show application version acs' and getting the following data:
Cisco ACS VERSION INFORMATION
=============================
Version : 5.1.0.44
Internal Build ID:
patches:
5.1.0.44.3
Instructions on how to remove the patch
========================================
1. open the CLI console
2. issue: 'acs patch remove 5-1-0-44-3'
3. verify patch removal via CLI by issuing:
'show application version acs' and getting the following data:
Cisco ACS VERSION INFORMATION
=============================
Version : 5.1.0.44
Internal Build ID:
=======================================================================
Copyright (C) 2010 Cisco Systems, Inc. All rights reserved.
Cisco and Cisco Systems are registered trademarks of Cisco Systems,
Inc., in the U.S. and certain other countries. All other trademarks
mentioned in this document are the property of their respective owners.
=======================================================================