Readme File for Cisco Secure Access Control Server (ACS) 
Release: ACS 5.1.0.44 Patch: 5-1-0-44-4.tar.gpg
=======================================================================================

This patch fixes:

*Bug Id: 
 CSCtc41730 - ACS resets SYN packets if MSS isn't set
        
 CSCtc20671 - ACS 5 develops filesystem issues with SAN over Fiber
 CSCtd16825 - CLI "copy" command is broken when working with "disk:"
 
 Patch 2:
 CSCtd10767 - Syslog data loss during upgrade 
 CSCtc12382 - ACS View upgrade fails on scale configuration (improve view db performance)
 CSCtd37384 - ACS view 5.0/5.1 does not display "Remote Address"
 CSCtd54592 - Support for webAuth in ViewCollector
 CSCtd57980 - EPM Syslogs are not parsed as expected in View collector
 CSCte81150 - ACS 5.x reports key mismatch for unknown authen type
 CSCte79051 - ACS 5.1 crashing on concurrent T+ session authorization requests
 CSCte70900 - ACS 5.1 rejects AP to join WDS domain by "LEAP packet validation failed"
 CSCtd24949 - Tacacs authorization failure when authen_type=0 
 CSCte16911 - ACS 5 doesn't support the PPP tacacs service type for authentication
 CSCtd99822 - AD users with expired passwords fail authentication
 CSCtd69364 - adclient fail to restart 
 CSCtd00585 - ACS 5.1 adclient rebuilds the domain info map from scratch each time
 
 Patch 3:
 CSCte88357  ACS5.1 Tacacs Accounting Report missing few attributes due to NULL char 
 CSCtb94187  Migration of users - ' or space or _ characters limitation    
 CSCtd48173  Post upgrade: can't create/edit a VSA attribute    
 CSCtf06311  All internal users disabled automatically after logging in a single user     
 CSCte72751  ACS 5.1 drops authentication with empty password     
 CSCsy54062  ACS doesn't verify SubjectKeyID / AuthorityKeyID in CertChain building     
 CSCtf85659  ACS 5 doesn't distinguish between unique certificates     
 CSCtf60490  Windows Mobile 5.0 Clients Fail LEAP on ACS 5.1     
 CSCtf65179  AD PERF Discovery of host account domain is done several time    
 CSCtf62721  AD PERF Translation of Group SID to Group name is very inefficient     
 CSCtf39158  Can't retrieve AD groups in single forest with multiple trees scenarios     
 CSCtd00477  Active directory get group don't retrieved group when domain 'sap.corp'.    
 CSCtf30684  Password change using web service doesn't work
 CSCtf75806  ACS 5.1 does not log accounting details for some AAA clients.

 Patch 4:
 CSCtf72641  ACS 5.x does not allow LEAP-first authentication    
 CSCtf08567  ACS5.1 permits command without arguments where it should deny it.  
 CSCtg15941  ACS5.1 high mem usage - more than 90% when idle or with less load
 CSCtd46884  ACS 5.x - AD save changes fails if admin password contains a space
 CSCtg38950  EAP-GTC always use hardcoded password prompt 'password:'
 CSCtg52633  adclient fixed to be able to handle duplicate CLDAP on UDP port 329
 CSCtf78048  Optimize discovery of host's account domain
 CSCtf23507  Support non MS Kerberos (MIT)
 CSCth59823  Replication is broken due to ActiveMQ exception
 CSCtg58234  EAP-FAST won't work if username case different between PAC, inner method
 CSCtg38987  Password / passcode is not configurable for RSA Identity Store
 CSCtg87278  ACS not able to establish SSL tunnel with LDAP server with CRL verification
 CSCte95063  After "clock set" view-logprocessor going to 'not monitored' state
 CSCth62273  ACS database can become large due to incomplete user password changes
 CSCth82664  ACS DB need to be compressed as a maintenance operation 
 CSCth62139  ACS authentication rate decreases with internal user attributes
 CSCtf43054  Group assignment dialog does not allow "+" symbol in group name          
 CSCtd14560  GUI session got logged out when launch monitoring 
 CSCtg78120  Monitoring & Report Viewer redirects to ACS view using the hostname only 
 CSCth66146  Some failure reasons disappear in Failure Reasons Editor
 CSCth77468  ACS 5.1 not including 'C' and 'V' values in MS-CHAP-v2 Failure Packet
 CSCth72626  MS-CHAPv2 Responses with bad Flags value will not be dropped
 CSCtg60923  Apostrophe in password causes ACS 5 upgrade to fail
 CSCti93393  Accounts created to expire beyond 24 days are disabled

Patch 5-1-0-44-4.tar.gpg consists of: 

* files  
    acs-db-5.1.0.44.B.2347.jar
    acsview_schema_upgrade_5_1.sql  
    acsview.war
    dataupgrade-5.0.jar  
    rebuildAggregationForAcct.sql  
    viewcleantempdb.sh  
    viewcopytempdb.sh  
    viewswitchdb.sh
    collection-5.0.jar
    
    adclient 
    libeda.so.0
    liblrpc.so.0.0.0 
    liblber-2.2.so.7.0.19
    libldap-2.2.so.7.0.19
    libldap_r-2.2.so.7.0.19  

    libeap.so    
    libtacacs.so 
    libTacacsAuthenFlows.so
    libActiveDirectoryIDStore.so 
    libShellProfile.so
    libCryptoLib.so
    acs-common-5.1.0.44.B.2347.jar
    acsadmin.war
    acs-bl-framework-5.1.0.44.B.2347.jar
    PI.war
    libLogging.so
    migration.zip
    libRadiusAuthenFlow.so
    libRadiusCommon.so
    libCommandSets.so
    rt_daemon
    ACS_AD_Runner.sh 
    libRadiusEapFlow.so 
    libService.so 
    monit_script.sh
    loadaafc.sql



Prerequisites
=============

This is a patch for release ACS 5.1.0.44. ACS 5.1.0.44 must be installed before installing this
patch. The other prerequisites are the same as for ACS 5.1.0.44 (FCS version).


What the Patch Fixes
====================
The patch fixes the following DDTS entries:

- CSCtc20671 - ACS 5 develops filesystem issues with SAN over Fiber

The issue occurs only on virtual hosts (hosts running as VM images), and only when the VM is
running on a VM host that has fiber attached storage. In that case the filesystems may become
read-only, which renders the system inoperable. The lower-layer details of the problem are
described in this VMware knowledge base article:
 
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=51306
 
The solution to the issue is to use an updated mptscsi Linux kernel driver that contains the fix.
This code fix was put in the ADE-OS VM kernel. ADE-OS bundles separate kernels for use
with VMware and hardware appliances. Here are the kernel RPM names:
    kernel-ade-2.6.18.8ADE-1 
    kernel-adevm-2.6.18.8ADEVM-1
 
At ADE-OS install time, the OS installer chooses the correct kernel to use based on the Unique Device Identifier (UDI). The fix for this defect went only into the kernel-adevm RPM. Hence, users of the real hardware appliance are completely unaffected by this fix.
 
- CSCtd16825 - CLI "copy" command is broken when working with "disk:"

The fix allows the target TFTP URL to either include or omit the filename. If the URL ends with a '/', the file is placed in that directory under its original name. If the URL does not end in a '/', the last path component is taken as the target filename.

So any of these will work:

carsdev-vm2/admin# copy disk:/running-config tftp://acsview-build1/
carsdev-vm2/admin# copy disk:/running-config tftp://acsview-build1/running-config
carsdev-vm2/admin# copy disk:/running-config tftp://acsview-build1/dir1/dir2/
carsdev-vm2/admin# copy disk:/running-config tftp://acsview-build1/dir1/dir2/dir3/
carsdev-vm2/admin# copy disk:/running-config tftp://acsview-build1/dir1/dir2/dir3/carsconfg1
carsdev-vm2/admin# 
carsdev-vm2/admin# copy disk:/d1/d2/d3/running-config tftp://acsview-build1/dir1/dir2/dir3/carsconfg1
carsdev-vm2/admin# copy disk:/d1/d2/d3/running-config tftp://acsview-build1/dir1/dir2/dir3/

With the existing code, only the copy command with the filenames specified at the end will work.

- CSCtd10767 - Syslog data loss during upgrade

After upgrade from 5.0.* to 5.1.0.44, syslog data collected during the upgrade process could be lost while switching over the database to 5.1.0.44.
Please apply the fix and only then switch over the database to avoid any data loss.

Please see more details in the release notes.

- CSCtc12382 - ACS View upgrade fails on scale configuration (improve view db upgrade performance)

The ACS view database upgrade process is time consuming and it depends on the amount of log data collected in the database.
This fix improves the ACS view database upgrade performance significantly.

- CSCtd37384 - ACS view 5.0/5.1 does not display "Remote Address"

The fix will display the "Remote Address" attribute in the TACACS reports.

- CSCtd54592 - Support for webAuth in ViewCollector

The fix will provide limited data collection support for NAD syslogs carrying webauth information.

- CSCtd57980 - EPM Syslogs are not parsed as expected in View collector

The fix will parse the EPM NAD syslogs correctly.

- CSCtd99822 - AD users with expired passwords fail authentication

The issue has been observed on ACS 5.1 using Windows AD as the external Identity Store.

This fix allows users to pass authentications after the password has been reset.

- CSCtd24949 - Tacacs authorization failure when authen_type=0

This fix enables ACS to accept TACACS+ authorization requests with authen type 
equal to 0.

- CSCte81150 - ACS 5.x reports key mismatch for unknown authen method

This fix enables ACS to accept TACACS+ accounting requests with authen method 
equal to 0xa.

- CSCte16911 - ACS 5 doesn't support the PPP tacacs service type for authentication

This fix enables ACS to accept TACACS+ authentication requests with the PPP service type.

- CSCte79051 - ACS 5.1 crashing on concurrent T+ session authorization requests

This fix allows ACS to handle several T+ session authorization requests 
simultaneously without the reported issue.

- CSCte70900 - ACS 5.1 rejects AP to join WDS domain by "LEAP packet validation failed"

This fix allows ACS to successfully handle LEAP requests from AP devices 
attempting to join a WDS domain.

- CSCtd48173 - Post upgrade: can't create/edit a VSA attribute

This fix enables creating and editing new VSA vendors and their attributes after upgrade from ACS 5.0.

- CSCtf65179  AD PERF Discovery of host account domain is done several time
- CSCtf62721  AD PERF Translation of Group SID to Group name is very inefficient

These two fixes optimize the performance of the corresponding operations against Active Directory.

- CSCtf30684  Password change using web service doesn't work

This fix makes UCP (the User Change Password web service) available in all situations.

- CSCte88357 - ACS5.1 Tacacs Accounting Report missing few attributes due to NULL char

This fix will log all the attributes properly in the Tacacs Accounting report

- CSCtb94187 - Migration of users - ' or space or _ characters limitation

ACS 5.1 does not allow space and apostrophe characters when creating users. With this fix, user strings can also contain space and apostrophe characters. Hyperlinks were disabled if the user string contained an apostrophe or space.

Due to this bug fix, the UserAuthenticationSummary report will not be able to run successfully. An error is displayed in the UI when generating the report via Monitoring and Reports -> Reports -> Catalog -> User -> User_Authentication_Summary if the user name contains an apostrophe. Other reports execute without any issues. This will be fixed in future versions.

Also, customers need to download the new migration zip after installing the patch, and only then run the migration.

- CSCtf06311 - All internal users disabled automatically after logging in a single user

After this fix, internal users are not disabled before their configured expiration time is actually reached.

- CSCtf60490 - Windows Mobile 5.0 Clients Fail LEAP on ACS 5.1 (Patch 2)

This fix makes LEAP authentication work for Windows Mobile 5.0 clients.

- CSCte72751 - ACS 5.1 drops authentication with empty password

Currently the runtime drops the packet if the length of the password attribute (after decryption) is zero. With this fix, authentication processing moves forward even though the password is empty.


- CSCtg15941 - ACS5.1 high mem usage - more than 90% when idle or with less load

After the fix, memory consumption is calculated based on MemTotal, MemFree, Cached and Buffers. This is equivalent to what is shown in the second line of the output of the 'free -m' command, which is the right way to calculate free and used memory on a Linux system.
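As an added example (not code from the Cisco readme or from ACS itself), the following Python computes memory usage the way the CSCtg15941 fix describes, from MemTotal, MemFree, Buffers and Cached in /proc/meminfo, next to the naive MemTotal minus MemFree figure that reports over 90% on an idle box; the /proc/meminfo text is constructed.

```python
"""Used/free memory from /proc/meminfo: naive vs. buffers/cache-aware calculation.

Added example, not part of the Cisco ACS patch readme. The meminfo text below
is constructed for illustration, not captured from an ACS appliance.
"""
import re

# Constructed sample in /proc/meminfo format (values in kB).
SAMPLE_MEMINFO = """\
MemTotal:        4046748 kB
MemFree:          312904 kB
Buffers:          402112 kB
Cached:          2911236 kB
SwapCached:            0 kB
Active:          1589000 kB
"""

_LINE = re.compile(r"^(\w+):\s+(\d+)\s*kB$")


def parse_meminfo(text):
    """Return {field: kilobytes} for every 'Name: value kB' line."""
    fields = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            fields[m.group(1)] = int(m.group(2))
    return fields


def naive_usage(info):
    """Pre-fix view: everything that is not MemFree counts as used."""
    total, free = info["MemTotal"], info["MemFree"]
    used = total - free
    return {"used_kb": used, "free_kb": free, "used_pct": round(100.0 * used / total, 1)}


def corrected_usage(info):
    """Post-fix view: Buffers and Cached are reclaimable, so they count as free.
    This is the '-/+ buffers/cache' (second) line of 'free -m'."""
    total = info["MemTotal"]
    reclaimable = info["MemFree"] + info.get("Buffers", 0) + info.get("Cached", 0)
    used = total - reclaimable
    return {"used_kb": used, "free_kb": reclaimable, "used_pct": round(100.0 * used / total, 1)}


def usage_from_text(text, corrected=True):
    """Parse meminfo text and return the chosen usage figure; fail loudly if fields are missing."""
    info = parse_meminfo(text)
    for name in ("MemTotal", "MemFree"):
        if name not in info:
            raise ValueError("meminfo missing " + name)
    return corrected_usage(info) if corrected else naive_usage(info)


if __name__ == "__main__":
    print("naive:     %(used_pct)s%% used" % usage_from_text(SAMPLE_MEMINFO, corrected=False))
    print("corrected: %(used_pct)s%% used" % usage_from_text(SAMPLE_MEMINFO, corrected=True))
```

On the constructed sample the naive figure is 92.3% used while the corrected figure is 10.4%, which is the discrepancy the bug title describes.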

- CSCtf08567 - ACS5.1 permits command without arguments where it should deny it.

This fix permits or denies command access to the device correctly, based on the commands configured in the command sets.

- CSCtg38950  EAP-GTC always use hardcoded password prompt 'password:'

With this fix, the user is able to enter a new password and authentication succeeds.

- CSCtg52633  adclient fixed to be able to handle duplicate CLDAP on UDP port 329

With this fix, adclient handles the duplicated CLDAP responses (UDP port 329) seen on the ACS interface.

- CSCtf78048  Optimize discovery of host's account domain

This fixes the performance issue related to discovery of the host's account domain (Centrify case id:
100308-016003).

- CSCtf23507  Support non MS Kerberos (MIT)

Fixed in Centrify release 4.3.0.191

- CSCth59823  Replication is broken due to ActiveMQ exception

ActiveMQ reported 'channel was inactive for too long'; the inactivity check was removed.

- CSCtg58234  EAP-FAST won't work if username case different between PAC, inner method

With this fix, the comparison of the username from the PAC against the MSCHAP-V2 inner method username is case INSENSITIVE.

- CSCtg38987  Password / passcode is not configurable for RSA Identity Store (wait for delivery)

This fix enables passcode configuration through the Management interface.

- CSCtg87278  ACS not able to establish SSL tunnel with LDAP server with CRL verification

This fix allows establishing an SSL tunnel with an LDAP server when CRL verification is enabled.

- CSCth62273  ACS database can become large due to incomplete user password changes

This fix updates the user record only if the user is enabled.

- CSCth62139  ACS authentication rate decreases with internal user attributes

The fix includes 2 parts:
1. Read only the attribute values needed by the request from the DB (without the user information: UserName, Password, EnablePassword, LastLoginTime, etc.).
2. Check the default attribute value without a try-catch mechanism.


- CSCth82664  ACS DB need to be compressed as a maintenance operation 

ACS database needs to be compressed as a maintenance operation.
Follow these steps to compress the ACS database:
1. Move all the secondary nodes to local mode.
2. On the primary node run the command:
   acs-config database-compress [truncate_log]
   This maintenance operation compresses the ACS database by rebuilding each table in the
   database and releasing unused space. The command also has the option to release the
   replication transaction table.
3. After the database compression is completed and all the services are up again, reconnect the
   secondary nodes one by one.
   After reconnecting the secondaries, a full sync between the primary and the secondary will be
   initiated automatically.

- CSCtf75806  ACS 5.1 does not log accounting details for some AAA clients.

After this fix, ACS logs accounting details, such as username, NAS IP address, etc., for AAA clients even when the command argument values sent by the client contain a null char.


- CSCtf43054 - Group assignment dialog does not allow "+" symbol in group name

After this fix, the Group assignment dialog allows the "+" symbol in AD configurations.

- CSCtf72641 ACS 5.x does not allow LEAP-first authentication

After the fix, ACS is able to use less secure EAP protocols such as EAP-MD5
if they are enabled in the GUI. Currently ACS uses the more secure protocols and
ignores the less secure ones even when the supplicant requests them.

- CSCtd46884 ACS 5.x - AD save changes fails if admin password contains a space

After the fix, ACS is able to join the domain even though the Active Directory
administrator password contains spaces.

- CSCtd14560 GUI session got logged out when launch monitoring

After the fix, if the ACS GUI session has timed out and M&T is then clicked, it
will not go to the login page; it will continue to use the same session.

- CSCtg78120 Monitoring & Report Viewer redirects to ACS view using the hostname only

After the fix, Monitoring and Reporting is launched with the domain name instead of the hostname only.

- CSCte95063    After "clock set" view-logprocessor going to 'not monitored' state

After the fix, view-logprocessor starts normally after "clock set" without any issues.

- CSCth66146 Some failure reasons disappear in Failure Reasons Editor

After the fix, entries that were previously missing are shown in the Failure Reasons Editor.

- CSCtg60923  Apostrophe in password causes ACS 5 upgrade to fail

After this fix, upgrade from 5.0 works for users with an apostrophe in their password.

- CSCti93393    Accounts created to expire beyond 24 days are disabled

After this fix, accounts created to expire beyond 24 days are no longer disabled.

The patch version is displayed by:
#show application version acs


Cisco ACS VERSION INFORMATION
=============================
Version : 5.1.0.44
Internal Build ID: 
patches:
5.1.0.44.4


Instructions on how to install the patch 
========================================
1. Open the CLI console.
2. Define a new repository in which the 5-1-0-44-4.tar.gpg resides.
3. Issue: 'acs patch install 5-1-0-44-4.tar.gpg repository YOUR_REPOSITORY'
4. Verify the installation via the CLI by issuing:
   'show application version acs' and getting the following data:
   Cisco ACS VERSION INFORMATION
   =============================
   Version : 5.1.0.44
   Internal Build ID: 
   patches:
   5.1.0.44.4
 

Instructions on how to remove the patch 
========================================
1. Open the CLI console.
2. Issue: 'acs patch remove 5-1-0-44-4'
3. Verify the patch removal via the CLI by issuing:
   'show application version acs' and getting the following data:
   Cisco ACS VERSION INFORMATION
   =============================
   Version : 5.1.0.44
   Internal Build ID: 



=======================================================================
Copyright (C) 2010 Cisco Systems, Inc. All rights reserved.
 
Cisco and Cisco Systems are registered trademarks of Cisco Systems,
Inc., in the U.S. and certain other countries. All other trademarks
mentioned in this document are the property of their respective owners.
=======================================================================