Readme File for Cisco Secure Access Control Server (ACS)
Release: ACS 5.1.0.44
Patch: 5-1-0-44-4.tar.gpg
=======================================================================================

This patch fixes:

* Bug Id:
  CSCtc41730 - ACS resets SYN packets if MSS isn't set
  CSCtc20671 - ACS 5 develops filesystem issues with SAN over Fiber
  CSCtd16825 - CLI "copy" command is broken when working with "disk:"

  Patch 2:
  CSCtd10767 - Syslog data loss during upgrade
  CSCtc12382 - ACS View upgrade fails on scale configuration (improve view db performance)
  CSCtd37384 - ACS view 5.0/5.1 does not display "Remote Address"
  CSCtd54592 - Support for webAuth in ViewCollector
  CSCtd57980 - EPM Syslogs are not parsed as expected in View collector
  CSCte81150 - ACS 5.x reports key mismatch for unknown authen type
  CSCte79051 - ACS 5.1 crashing on concurrent T+ session authorization requests
  CSCte70900 - ACS 5.1 rejects AP to join WDS domain by "LEAP packet validation failed"
  CSCtd24949 - Tacacs authorization failure when authen_type=0
  CSCte16911 - ACS 5 doesn't support the PPP tacacs service type for authentication
  CSCtd99822 - AD users with expired passwords fail authentication
  CSCtd69364 - adclient fails to restart
  CSCtd00585 - ACS 5.1 adclient rebuilds the domain info map from scratch each time

  Patch 3:
  CSCte88357 - ACS5.1 Tacacs Accounting Report missing a few attributes due to NULL char
  CSCtb94187 - Migration of users - ' or space or _ character limitation
  CSCtd48173 - Post upgrade: can't create/edit a VSA attribute
  CSCtf06311 - All internal users disabled automatically after logging in a single user
  CSCte72751 - ACS 5.1 drops authentication with empty password
  CSCsy54062 - ACS doesn't verify SubjectKeyID / AuthorityKeyID in CertChain building
  CSCtf85659 - ACS 5 doesn't distinguish between unique certificates
  CSCtf60490 - Windows Mobile 5.0 Clients Fail LEAP on ACS 5.1
  CSCtf65179 - AD PERF Discovery of host account domain is done several times
  CSCtf62721 - AD PERF Translation of Group SID to Group name is very inefficient
  CSCtf39158 - Can't retrieve AD groups in single forest with multiple trees scenarios
  CSCtd00477 - Active Directory get group doesn't retrieve the group when the domain is 'sap.corp'
  CSCtf30684 - Password change using web service doesn't work
  CSCtf75806 - ACS 5.1 does not log accounting details for some AAA clients

  Patch 4:
  CSCtf72641 - ACS 5.x does not allow LEAP-first authentication
  CSCtf08567 - ACS5.1 permits command without arguments where it should deny it
  CSCtg15941 - ACS5.1 high mem usage - more than 90% when idle or with less load
  CSCtd46884 - ACS 5.x - AD save changes fails if admin password contains a space
  CSCtg38950 - EAP-GTC always uses hardcoded password prompt 'password:'
  CSCtg52633 - adclient fixed to be able to handle duplicate CLDAP on UDP port 329
  CSCtf78048 - Optimize discovery of host's account domain
  CSCtf23507 - Support non-MS Kerberos (MIT)
  CSCth59823 - Replication is broken due to ActiveMQ exception
  CSCtg58234 - EAP-FAST won't work if username case differs between PAC and inner method
  CSCtg38987 - Password / passcode is not configurable for RSA Identity Store
  CSCtg87278 - ACS not able to establish SSL tunnel with LDAP server with CRL verification
  CSCte95063 - After "clock set" view-logprocessor goes to 'not monitored' state
  CSCth62273 - ACS database can become large due to incomplete user password changes
  CSCth82664 - ACS DB needs to be compressed as a maintenance operation
  CSCth62139 - ACS authentication rate decreases with internal user attributes
  CSCtf43054 - Group assignment dialog does not allow "+" symbol in group name
  CSCtd14560 - GUI session gets logged out when launching monitoring
  CSCtg78120 - Monitoring & Report Viewer redirects to ACS view using the hostname only
  CSCth66146 - Some failure reasons disappear in Failure Reasons Editor
  CSCth77468 - ACS 5.1 not including 'C' and 'V' values in MS-CHAP-v2 Failure Packet
  CSCth72626 - MS-CHAPv2 Responses with bad Flags value will not be dropped
  CSCtg60923 - Apostrophe in password causes ACS 5 upgrade to fail
  CSCti93393 - Accounts created to expire beyond 24 days are disabled

Patch 5-1-0-44-4.tar.gpg consists of:

* files
  acs-db-5.1.0.44.B.2347.jar
  acsview_schema_upgrade_5_1.sql
  acsview.war
  dataupgrade-5.0.jar
  rebuildAggregationForAcct.sql
  viewcleantempdb.sh
  viewcopytempdb.sh
  viewswitchdb.sh
  collection-5.0.jar
  adclient
  libeda.so.0
  liblrpc.so.0.0.0
  liblber-2.2.so.7.0.19
  libldap-2.2.so.7.0.19
  libldap_r-2.2.so.7.0.19
  libeap.so
  libtacacs.so
  libTacacsAuthenFlows.so
  libActiveDirectoryIDStore.so
  libShellProfile.so
  libCryptoLib.so
  acs-common-5.1.0.44.B.2347.jar
  acsadmin.war
  acs-bl-framework-5.1.0.44.B.2347.jar
  PI.war
  libLogging.so
  migration.zip
  libRadiusAuthenFlow.so
  libRadiusCommon.so
  libCommandSets.so
  rt_daemon
  ACS_AD_Runner.sh
  libRadiusEapFlow.so
  libService.so
  monit_script.sh
  loadaafc.sql

Prerequisites
=============
This is a patch for release ACS 5.1.0.44. ACS 5.1.0.44 must be installed before installing this patch.
Other prerequisites are the same as for ACS 5.1.0.44 (FCS version).

What the Patch Fixes
====================
The patch fixes the following DDTS:

- CSCtc20671 - ACS 5 develops filesystem issues with SAN over Fiber
  The issue occurs only on virtual hosts (hosts running as VM images), and only when the VM host has fiber-attached storage. In that case the guest's filesystems may become read-only, which renders the system inoperable. The lower-layer details of the problem are described in this VMware KB article:
  http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=51306
  The solution is to use an updated mptscsi Linux kernel driver that contains the fix. This code fix was put in the ADE-OS VM kernel. ADE-OS bundles separate kernels for use with VMware and hardware appliances.
  Here are the kernel RPM names:
    kernel-ade-2.6.18.8ADE-1
    kernel-adevm-2.6.18.8ADEVM-1
  At ADE-OS install time, the OS installer chooses the correct kernel based on the Unique Device Identifier (UDI). The fix for this defect went only into the kernel-adevm RPM, so users of the real hardware appliance are completely unaffected by this fix.

- CSCtd16825 - CLI "copy" command is broken when working with "disk:"
  The fix allows the target TFTP URL either to include or to omit the filename. If the URL ends with a '/', the file is dropped into that directory under its own name. If the URL does not end in a '/', the last path component is taken as the target filename. So any of these will work:
    carsdev-vm2/admin# copy disk:/running-config tftp://acsview-build1/
    carsdev-vm2/admin# copy disk:/running-config tftp://acsview-build1/running-config
    carsdev-vm2/admin# copy disk:/running-config tftp://acsview-build1/dir1/dir2/
    carsdev-vm2/admin# copy disk:/running-config tftp://acsview-build1/dir1/dir2/dir3/
    carsdev-vm2/admin# copy disk:/running-config tftp://acsview-build1/dir1/dir2/dir3/carsconfg1
    carsdev-vm2/admin#
    carsdev-vm2/admin# copy disk:/d1/d2/d3/running-config tftp://acsview-build1/dir1/dir2/dir3/carsconfg1
    carsdev-vm2/admin# copy disk:/d1/d2/d3/running-config tftp://acsview-build1/dir1/dir2/dir3/
  With the existing (pre-fix) code, only the copy command with the filename specified at the end of the URL works.

- CSCtd10767 - Syslog data loss during upgrade
  After an upgrade from 5.0.* to 5.1.0.44, syslog data collected during the upgrade process could be lost while switching the database over to 5.1.0.44. Apply the fix first and then switch over the database to avoid any data loss. See the release notes for more details.

- CSCtc12382 - ACS View upgrade fails on scale configuration (improve view db upgrade performance)
  The ACS View database upgrade process is time consuming and depends on the amount of log data collected in the database.
  This fix improves the ACS View database upgrade performance significantly.

- CSCtd37384 - ACS view 5.0/5.1 does not display "Remote Address"
  The fix displays the "Remote Address" attribute in the TACACS reports.

- CSCtd54592 - Support for webAuth in ViewCollector
  The fix provides limited data collection support for NAD syslogs carrying webauth information.

- CSCtd57980 - EPM Syslogs are not parsed as expected in View collector
  The fix parses the EPM NAD syslogs correctly.

- CSCtd99822 - AD users with expired passwords fail authentication
  The issue has been observed on ACS 5.1 using Windows AD as the external identity store. This fix allows users to pass authentication after their password has been reset.

- CSCtd24949 - Tacacs authorization failure when authen_type=0
  This fix enables ACS to accept TACACS+ authorization requests with an authen type equal to 0.

- CSCte81150 - ACS 5.x reports key mismatch for unknown authen method
  This fix enables ACS to accept TACACS+ accounting requests with an authen method equal to 0xa.

- CSCte16911 - ACS 5 doesn't support the PPP tacacs service type for authentication
  This fix enables ACS to accept TACACS+ authentication requests with the PPP service type.

- CSCte79051 - ACS 5.1 crashing on concurrent T+ session authorization requests
  This fix allows ACS to handle several T+ session authorization requests simultaneously without the reported issue.

- CSCte70900 - ACS 5.1 rejects AP to join WDS domain by "LEAP packet validation failed"
  This fix allows ACS to handle LEAP requests from AP devices attempting to join a WDS domain successfully.
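The trailing-slash rule from the CSCtd16825 entry above, modeled as an added Python example (not ADE-OS or ACS code): the function resolves the final TFTP target URL for each of the command lines listed there. The function name and the error handling for malformed inputs are assumptions about how such a rule could be implemented, not a description of the appliance's own code.

```python
"""Target-URL resolution for 'copy disk:<path> tftp://<host>/<...>'.

Added example (not ADE-OS/ACS code). It models only the documented rule:
a target URL ending in '/' is a directory and receives the source file's
basename; any other target path is taken literally as the target filename.
"""
import posixpath
from urllib.parse import urlsplit, urlunsplit


def resolve_copy_target(source, target_url):
    """Return the full URL the copied file will be written to.

    source      e.g. 'disk:/d1/d2/running-config'
    target_url  e.g. 'tftp://acsview-build1/dir1/' or 'tftp://acsview-build1/dir1/newname'
    """
    if ":" not in source:
        raise ValueError("source must be a '<fs>:/path' reference")
    src_path = source.split(":", 1)[1]
    basename = posixpath.basename(src_path)
    if not basename:
        raise ValueError("source must name a file, not a directory")

    parts = urlsplit(target_url)
    if parts.scheme != "tftp" or not parts.netloc:
        raise ValueError("target must be a tftp://host/... URL")

    path = parts.path
    # Post-fix rule: a trailing '/' (or no path at all) means "drop the file
    # into this directory under its own name"; otherwise the path already
    # names the target file. Pre-fix, only the explicit-filename form worked.
    if path == "" or path.endswith("/"):
        path = (path or "/") + basename
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


if __name__ == "__main__":
    # The command lines from the readme entry, as (source, target) pairs.
    for src, dst in [
        ("disk:/running-config", "tftp://acsview-build1/"),
        ("disk:/running-config", "tftp://acsview-build1/dir1/dir2/dir3/carsconfg1"),
        ("disk:/d1/d2/d3/running-config", "tftp://acsview-build1/dir1/dir2/dir3/"),
    ]:
        print("copy %s %s  ->  %s" % (src, dst, resolve_copy_target(src, dst)))
```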
- CSCtd48173 - Post upgrade: can't create/edit a VSA attribute
  This fix enables creating and editing new VSA vendors and their attributes after an upgrade from ACS 5.0.

- CSCtf65179 - AD PERF Discovery of host account domain is done several times
- CSCtf62721 - AD PERF Translation of Group SID to Group name is very inefficient
  These two fixes optimize the performance of the corresponding operations against Active Directory.

- CSCtf30684 - Password change using web service doesn't work
  This fix makes UCP available in all situations.

- CSCte88357 - ACS5.1 Tacacs Accounting Report missing a few attributes due to NULL char
  This fix logs all the attributes properly in the Tacacs Accounting report.

- CSCtb94187 - Migration of users - ' or space or _ character limitation
  ACS 5.1 did not allow space and apostrophe characters when creating users. With this fix, user strings may also contain space and apostrophe characters. Hyperlinks were disabled for user strings containing an apostrophe or space. As a side effect of this fix, the User Authentication Summary report cannot complete successfully: an error is displayed in the UI when generating the report via Monitoring and Reports -> Reports -> Catalog -> User -> User_Authentication_Summary if a username contains an apostrophe. Other reports execute without any issues. This will be fixed in a future version. Also, the customer needs to download the new migration zip after installing the patch and only then run the migration.

- CSCtf06311 - All internal users disabled automatically after logging in a single user
  After this fix, internal users do not expire until their real expiration time comes.

- CSCtf60490 - Windows Mobile 5.0 Clients Fail LEAP on ACS 5.1 (Patch 2)
  This fix makes LEAP authentication work for Windows Mobile 5.0 clients.

- CSCte72751 - ACS 5.1 drops authentication with empty password
  Currently the runtime drops the packet if the length of the password attribute (after decryption) is zero.
  With this fix, authentication processing proceeds even though the password is empty.

- CSCtg15941 - ACS5.1 high mem usage - more than 90% when idle or with less load
  After the fix, memory consumption is calculated from MemTotal, MemFree, Cached and Buffers. This is equivalent to what is shown in the second line of the output of the 'free -m' command, which is the right way to calculate free and used memory on a Linux system.

- CSCtf08567 - ACS5.1 permits command without arguments where it should deny it
  This fix makes ACS permit or deny command access to the device correctly, based on the commands configured in the command sets.

- CSCtg38950 - EAP-GTC always uses hardcoded password prompt 'password:'
  This fix allows the user to enter a new password, after which authentication succeeds.

- CSCtg52633 - adclient fixed to be able to handle duplicate CLDAP on UDP port 329
  This fix handles the duplicated CLDAP responses (UDP port 329) seen on the ACS interface.

- CSCtf78048 - Optimize discovery of host's account domain
  This fixes the performance issue related to discovery of the host's account domain. (Centrify case id: 100308-016003)

- CSCtf23507 - Support non-MS Kerberos (MIT)
  Fixed in Centrify release 4.3.0.191.

- CSCth59823 - Replication is broken due to ActiveMQ exception
  ActiveMQ reported 'channel was inactive for too long'; the inactivity check was removed.

- CSCtg58234 - EAP-FAST won't work if username case differs between PAC and inner method
  With this fix, the comparison of the username from the PAC against the MSCHAP-V2 inner-method username is case-INSENSITIVE.

- CSCtg38987 - Password / passcode is not configurable for RSA Identity Store (wait for delivery)
  This fix enables passcode configuration through Management.

- CSCtg87278 - ACS not able to establish SSL tunnel with LDAP server with CRL verification
  This fix allows establishing an SSL tunnel with an LDAP server with CRL verification.
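The memory calculation described under CSCtg15941 above, as an added Python example (not Cisco or ACS code): it parses a constructed /proc/meminfo-style sample and shows why the naive figure (MemTotal minus MemFree) reports more than 90% on an idle box, while the corrected figure, which treats Buffers and Cached as reclaimable exactly as the '-/+ buffers/cache' line of 'free -m' does, stays low. The sample values and the function names are assumptions.

```python
"""Used-memory calculation before and after the CSCtg15941-style fix.

Added example, not Cisco code. Both figures are computed from the same
/proc/meminfo fields so the difference is purely in what counts as 'used'.
"""
import re

# Constructed /proc/meminfo excerpt for an idle appliance (not real data):
# lots of page cache, little truly free memory.
SAMPLE_MEMINFO = """\
MemTotal:        4048000 kB
MemFree:          200000 kB
Buffers:          300000 kB
Cached:          3000000 kB
SwapCached:            0 kB
Active:           900000 kB
"""

FIELDS = ("MemTotal", "MemFree", "Buffers", "Cached")


def parse_meminfo(text):
    """Return {field: kB} for the fields we need; fail loudly if one is absent."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s+(\d+)\s+kB$", line.strip())
        if m and m.group(1) in FIELDS:
            values[m.group(1)] = int(m.group(2))
    missing = [f for f in FIELDS if f not in values]
    if missing:
        raise ValueError("missing /proc/meminfo fields: %s" % ", ".join(missing))
    return values


def naive_usage(mem):
    """Pre-fix view: everything that is not MemFree counts as used.

    Page cache is included, so an idle system looks almost full."""
    used = mem["MemTotal"] - mem["MemFree"]
    return used, round(100.0 * used / mem["MemTotal"], 1)


def usage_without_buffers_cache(mem):
    """Post-fix view: Buffers and Cached are reclaimable and treated as free.

    This matches the second ('-/+ buffers/cache') line of 'free -m'."""
    used = mem["MemTotal"] - mem["MemFree"] - mem["Buffers"] - mem["Cached"]
    return used, round(100.0 * used / mem["MemTotal"], 1)


def usage_report(text=SAMPLE_MEMINFO):
    """Compare both calculations on the same meminfo text."""
    mem = parse_meminfo(text)
    n_used, n_pct = naive_usage(mem)
    c_used, c_pct = usage_without_buffers_cache(mem)
    return {
        "naive_used_kb": n_used,
        "naive_pct": n_pct,
        "used_kb": c_used,
        "used_pct": c_pct,
        "free_kb": mem["MemTotal"] - c_used,
    }


if __name__ == "__main__":
    for key, value in usage_report().items():
        print("%-14s %s" % (key, value))
```

On the sample above the naive calculation reports about 95% used, which is the symptom the bug describes, while the corrected calculation reports about 13.5%; on a real appliance the same functions can be fed the contents of /proc/meminfo directly.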
- CSCth62273 - ACS database can become large due to incomplete user password changes
  This fix updates the user record only if the user is enabled.

- CSCth62139 - ACS authentication rate decreases with internal user attributes
  The fix has two parts:
  1. Read only the attribute values needed for the request from the DB (without the user information: UserName, Password, EnablePassword, LastLoginTime, etc.).
  2. Check the default attribute value without a try-catch mechanism.

- CSCth82664 - ACS DB needs to be compressed as a maintenance operation
  The ACS database needs to be compressed as a maintenance operation. Follow these steps to compress the ACS database:
  1. Move all the secondary nodes to local mode.
  2. On the primary node run the command:
       acs-config database-compress [truncate_log]
     This maintenance operation compresses the ACS database by rebuilding each table in the database and releasing unused space. The command also has an option to release the replication transaction table.
  3. After the database compression is completed and all the services are up again, reconnect the secondary nodes one by one. After a secondary is reconnected, a full sync between the primary and that secondary is initiated automatically.

- CSCtf75806 - ACS 5.1 does not log accounting details for some AAA clients
  After this fix ACS logs accounting details, such as username, NAS IP address, etc., for AAA clients even when the command argument values sent by the client contain a null char.

- CSCtf43054 - Group assignment dialog does not allow "+" symbol in group name
  After this fix, the Group assignment dialog allows the "+" symbol in AD configurations.

- CSCtf72641 - ACS 5.x does not allow LEAP-first authentication
  After the fix, ACS will be able to use less secure EAP protocols such as EAP-MD5 if they are checked in the GUI. Currently ACS uses the more secure protocols and ignores the less secure ones even though the supplicant requests them.
- CSCtd46884 - ACS 5.x - AD save changes fails if admin password contains a space
  After the fix, ACS will be able to join the domain even though the Active Directory administrator password contains spaces.

- CSCtd14560 - GUI session gets logged out when launching monitoring
  After the fix, if the ACS GUI session has timed out and the user then clicks M&T, it will not go to the login page; it continues to use the same session.

- CSCtg78120 - Monitoring & Report Viewer redirects to ACS view using the hostname only
  After the fix, Monitoring and Reporting is launched with the domain name instead of the hostname only.

- CSCte95063 - After "clock set" view-logprocessor goes to 'not monitored' state
  After the fix, view-logprocessor starts normally even after the clock is set.

- CSCth66146 - Some failure reasons disappear in Failure Reasons Editor
  After the fix, any previously missing entries are visible in the Failure Reasons Editor.

- CSCtg60923 - Apostrophe in password causes ACS 5 upgrade to fail
  After this fix, upgrading from 5.0 works for users with an apostrophe in their password.

- CSCti93393 - Accounts created to expire beyond 24 days are disabled
  After this fix, accounts created to expire beyond 24 days will not be disabled.

After the patch is installed the version will be displayed as:

#show application version acs

Cisco ACS VERSION INFORMATION
=============================
Version : 5.1.0.44
Internal Build ID:
patches: 5.1.0.44.4

Instructions on how to install the patch
========================================
1. Open the CLI console.
2. Define a new repository in which the 5-1-0-44-4.tar.gpg resides.
3. Issue: 'acs patch install 5-1-0-44-4.tar.gpg repository YOUR_REPOSITORY'
4. Verify the installation via the CLI by issuing 'show application version acs' and getting the following data:

   Cisco ACS VERSION INFORMATION
   =============================
   Version : 5.1.0.44
   Internal Build ID:
   patches: 5.1.0.44.4

Instructions on how to remove the patch
========================================
1. Open the CLI console.
2. Issue: 'acs patch remove 5-1-0-44-4'
3. Verify the patch removal via the CLI by issuing 'show application version acs' and getting the following data:

   Cisco ACS VERSION INFORMATION
   =============================
   Version : 5.1.0.44
   Internal Build ID:

=======================================================================
Copyright (C) 2010 Cisco Systems, Inc. All rights reserved.
Cisco and Cisco Systems are registered trademarks of Cisco Systems, Inc., in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their respective owners.
=======================================================================