 Feedback
|
Table Of Contents
Release Notes for Cisco Secure ACS Release 3.3.4
Matching Framed-IP-address with User IP
System Requirements for ACS 3.3.4
Installing ACS 3.3.4 for Windows
Upgrading to ACS 3.3.4 for Windows
Upgrading to ACS 3.3.4 on 1111 and 1112 Appliances
Installing ACS SE 3.3.4 on 1113
Specifying Private Key File Name on ACS SE
Replication with Different Send and Receive Configurations
Preventing Folder Locking During Upgrade
RDBMS Synchronization Failure Codes
Cisco Product Security Overview
Reporting Security Problems in Cisco Products
Product Alerts and Field Notices
Obtaining Technical Assistance
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Release Notes for Cisco Secure ACS Release 3.3.4
Revised: December 28, 2006These release notes pertain to Cisco Secure Access Control Server (ACS), release 3.3.4. These release notes contain information for the Windows and Solution Engine (SE) platforms. Where necessary, the appropriate platform is clearly identified.
Note
The release numbering system that ACS software uses includes major release, minor release, maintenance build, and interim build number in the MMM.mmm.###.BBB format. For this release, the versioning information is ACS 3.3.4.12. Elsewhere in this document where 3.3.4 is used, it refers to 3.3.4.12. ACS major release numbering starts at 3.3.1, not 3.3.0. Use this information when working with your customer service representative.
Contents
•
•
•
•
Introduction
ACS 3.3.4 is a maintenance release for ACS 3.3 that consolidates ACS 3.3 customer patches and resolves other customer and internally found defects. ACS 3.3.4 is available through the Cisco Technical Assistance Center (TAC) only for upgrading existing ACS software deployments.
Note
Table 1 describes the packages that ACS SE 3.3.4 includes.
Table 2 describes the packages that ACS for Windows 3.3.4 includes.
For information about installing and upgrading to ACS 3.3.4, see Installation Notes.
Supplemental License Agreement for Cisco Systems Network Management: Cisco Secure Access Control Server Software
IMPORTANT—READ CAREFULLY: This Supplemental License Agreement (SLA) contains additional limitations on the license to the Software provided to Customer under the Software License Agreement between Customer and Cisco. Capitalized terms used in this SLA and not otherwise defined herein shall have the meanings assigned to them in the Software License Agreement. To the extent that there is a conflict among any of these terms and conditions applicable to the Software, the terms and conditions in this SLA shall take precedence.
By installing, downloading, accessing or otherwise using the Software, Customer agrees to be bound by the terms of this SLA. If Customer does not agree to the terms of this SLA, Customer may not install, download or otherwise use the Software.
1.
•
•
2.
Please refer to the Cisco Systems, Inc., Software License Agreement.
Supplemental License Agreement for Cisco Systems Network Management Software Running on the Cisco 11XX Hardware Platform
IMPORTANT—READ CAREFULLY: This Supplemental License Agreement (SLA) contains additional limitations on the license to the Software provided to Customer under the Software License Agreement between Customer and Cisco. Capitalized terms used in this SLA and not otherwise defined herein shall have the meanings assigned to them in the Software License Agreement. To the extent that there is a conflict among any of these terms and conditions applicable to the Software, the terms and conditions in this SLA shall take precedence.
By installing, downloading, accessing or otherwise using the Software, Customer agrees to be bound by the terms of this SLA. If Customer does not agree to the terms of this SLA, Customer may not install, download or otherwise use the Software.
1.
•
•
•
2.
Please refer to the Cisco Systems, Inc., Software License Agreement.
New and Changed Information
ACS 3.3.4 includes the following new features:
•
Note
ACS SE on the 1113 Appliance
The ACS SE 1113 is a new hardware device that replaces the previous ACS SE 1112 appliance. The ACS SE 1113 appliance conforms to Reduction in Hazardous Substances (RoHS) directives of the European Economic Community (EEC)—Directive 73/23/EEC and Directive 89/336/EEC as Directive 93/68/EEC amends it.
The ACS SE 1113 comes equipped with ACS 4.0 installed. ACS 3.3 is not currently supported on the 1113 appliance. You can re-image the appliance with ACS 3.3.4 by using the Recovery CD for 1113. For more details, see Installing ACS SE 3.3.4 on 1113.
Configuring a Logging Queue
The Logging Queue Configuration feature provides a solution for bug CSCeg40355. Remote logging delays due to network-related problems caused problems with authentication requests.
When you enable the logging queue, ACS maintains an internal queue for performing logging, which enables the processing of authentication and accounting requests to proceed without waiting for the logging operation to complete.
We recommend that you use this feature only if you have enabled remote logging, and remote logging targets are slow or non-responding, which might cause problems with authentication.
Note
To enable the Logging Queue:
Step 1
Step 2
The Logging Configuration page appears.
Step 3
Step 4
Manual Group Mapping
The manual group mapping feature provides a solution for bug CSCef95887.
On the ACS appliance, ACS group mapping failed to enumerate groups in Active Directory when the Active Directory server had a large number of groups; for example, more than 500 groups. Use the Add Manual Mapping feature to add groups manually when you have too many groups to enumerate.
To map manually to an ACS group:
Step 1
Step 2
Step 3
Step 4
The Group Mappings for Domain: domainname table appears.
Step 5
a.
b.
c.
Step 6
Note
Matching Framed-IP-address with User IP
This feature provides a solution for bug CSCse33323.
When the AAA client uses Cisco SSL WebVPN, the VPN concentrator sends two accounting packet pairs for each user session, which causes ACS to drop the session along with the IP address that was assigned to the user. On the next successful request processing, ACS gives out the dropped IP address, even though it is still assigned.
Use the Match Framed-IP-Address with user IP address for accounting packets from this AAA Client feature in the AAA Client page when the AAA client uses Cisco SSL WebVPN. This action ensures that ACS assigns different IP addresses to two different users when they log in through a Cisco SSL WebVPN client. By default, this check box is unchecked.
To access the AAA Client page:
Step 1
The Network Configuration page opens.
Step 2
•
•
The Add AAA Client page appears.
Step 3
•
•
The AAA Client Setup For Name page appears.
Step 4
Installation Notes
This section contains installation information for ACS 3.3.4:
•
•
•
•
•
Upgrade Paths
ACS Software
We support upgrading to ACS 3.3.4 from the following versions:
•
•
•
•
•
•
•
•
Note
ACS Solution Engine
We support upgrading ACS SE 1111 and 1112 appliances to ACS 3.3.4, and re-imaging ACS SE 1113 with ACS 3.3.4. (ACS 3.3 is not currently supported on the 1113 appliance.)
System Requirements for ACS 3.3.4
The system requirements for ACS 3.3.4 are the same as for ACS 3.3.3. For information on supported operating systems and web browsers for ACS 3.3.3 for Windows, see Release Notes for Cisco Secure ACS for Windows 3.3.3 at http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/release/notes/RNwin333.html.
In addition, ACS 3.3.4 is supported on Pentium dual-core processors.
Note
Installing ACS 3.3.4 for Windows
The installation instructions for ACS 3.3.4 are the same as for ACS 3.3.3. For information about installing ACS, see Installation Guide for Cisco Secure ACS for Windows 3.3 at http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/installation/guide/windows/install.html.
Upgrading to ACS 3.3.4 for Windows
The instructions for upgrading to ACS 3.3.4 are the same as for upgrading to ACS 3.3.3. For information about upgrading ACS, see Installation Guide for Cisco Secure ACS for Windows 3.3 at http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/installation/guide/windows/install.html.
Upgrading to ACS 3.3.4 on 1111 and 1112 Appliances
The instructions for upgrading to ACS 3.3.4 on the 1111 and 1112 appliances are the same as for upgrading to ACS 3.3.3 on those appliances. For information about upgrading ACS SE, see Release Notes for Cisco Secure ACS Solution Engine 3.3.3 at http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/3.3/release/notes/RNsol333.html.
Installing ACS SE 3.3.4 on 1113
The 1113 appliance has ACS 4.0 pre-installed. You must first install and set up the 1113 appliance and then re-image the 1113 appliance with ACS 3.3.4.
•
•
Installing the 1113 Appliance
For instructions on installing the 1113 appliance, see Installation Guide for Cisco Secure ACS Solution Engine 4.1 at http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.1/installation/guide/solution_engine/igse41.html.
Re-imaging the 1113 Appliance
Caution
To re-image the 1113 appliance:
Step 1
Step 2
Step 3
Result: ACS SE displays the following message on the console:
ACS Appliance Recovery Options[1] Reset administrator account[2] Restore hard disk image from CD[3] Exit and rebootEnter menu item number: [ ]Step 4
Result: ACS SE displays the following message on the console:
This operation will completely erase the hard drive. Press `Y' to confirm, any other key to cancel: __Step 5
Result: ACS SE processes the new image (this may take more than 2 minutes) while displaying odd characters and then displays the following message on the console:
The system has been reimaged successfully. Please remove this recovery CD from the drive, then hit RETURN to restart the system:Step 6
Step 7
Result: The appliance reboots, performs some configurations, and reboots again. The configurations that occur after the first reboot take a significant amount of time, during which the screen displays no feedback; this is normal system behavior.
After re-imaging the solution engine hard drive, you must perform initial configuration of ACS SE. For detailed instructions, see the section "Configuring the Cisco Secure ACS Solution Engine" in Installation Guide for Cisco Secure ACS for Windows 3.3 at http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/installation/guide/windows/install.html.
Documentation Updates
This section provides updates for errors and omissions in the ACS user documentation:
•
•
•
•
Note
Errors
This section provides updates for errors in the ACS user documentation.
Specifying Private Key File Name on ACS SE
The user guide for the ACS appliance states that you should provide the full directory path for the private key file, for example, c:\privateKeyFile.pem.
This information is incorrect and causes the certificate generation to fail with an error (bug CSCed95260).
On ACS SE, you must specify only the file name; otherwise the certificate generation fails with an error.
Replication with Different Send and Receive Configurations
The user guide states that the primary ACS compares the list of database components that it is configured to send with the list of database components that the secondary ACS is configured to receive. If the secondary ACS is not configured to receive any of the components that the primary ACS is configured to send, the database replication fails.
This information is incorrect (bug CSCsg93907).
The primary ACS first synchronizes with the secondary ACS, and sends only the components that the secondary ACS is configured to receive. The primary ACS does not send components that the secondary ACS is not configured to receive, even if you configure the primary ACS to send those components. Thus, database replication does not fail when different send and receive configurations exist on the primary and secondary ACS.
Omissions
This section provides updates for omissions in the ACS user documentation.
Preventing Folder Locking During Upgrade
The following troubleshooting information was omitted in the ACS user guide (bug CSCeg16365).
Condition
When upgrading ACS, setup.exe hangs and displays an error message:
The CiscoSecure ACS folder appears to be locked by another application... . Please close any applications that are using any files or directories and re-run Uninstall.
Action
Remove excess log files. ACS stores log files in \CiscoSecure ACS v.3.3\Logs. If you cannot upgrade because a log file folder is too large, you must first delete all but the last three log files from the folder. When ACS starts up, choose System Configuration > Service Control. In the Services Log File Configuration, check Manage Directory, and choose Keep only the last <n> files. Set <n> to 3.
If PNLogAgent is running, stop that service to release any locks that it might have on the folder.
RDBMS Synchronization Failure Codes
The following information was omitted in the ACS user guide (bug CSCsd41474).
Fatal as well as nonfatal RDBMS synchronization errors can occur during a single transaction. When a nonfatal error message is written to the RDBMS synchronization audit log, and processing continues as if it is a successful transaction, the record is deleted from the action table. When a fatal error message is written to the RDBMS synchronization audit log, synchronization stops.
Although the expected behavior for ACS is to send the error code 2 to the database, ACS RDBMS synchronization does not send the error code 2, nor does it delete the database records if a failure occurs.
You can add new devices and NDGs when performing RDBMS synchronization from the database to ACS. The new devices are appended to the end.
If the device already exists in ACS, ACS reports an error in the log Failed to create new NAS/AAA record- Host database failure. Host already exists. Although the expected behavior for ACS is to delete the database records if a failure occurs, ACS remove the entries from the database and does not send an error code to the database.
Table 3 lists RDBMS Synchronization fatal errors.
Caveats
These release notes include:
Open Caveats
Table 4 describes the known bugs in ACS 3.3.4.
Note
Resolved Caveats
Table 5 describes the bugs that have been fixed in ACS 3.3.4.
Note
Table 5 Resolved Bugs in ACS 3.3.4
CSCdu43103
ACS Perflib cosmetic error message 8-byte boundary alignment.
The problem has been fixed and the warning message no longer appears.
CSCea74289
Cascade replication due to user pass change-doesn't work.
Cascade replication with password changes now replicates successfully.
CSCeb43948
Could not generate valid Password with password length => 9.
The problem has been fixed. No errors are issued.
CSCec54223
ENH: Need ability to add more than 30 LDAP servers to ACS.
You can now add more than 30 LDAP servers to ACS.
CSCed83628
Replication displays error when nothing to be replicated.
The problem has been fixed. No errors are issued.
CSCee14756
ACS with Open LDAP server - Secure LDAP does not work.
ACS supports Secure LDAP, but only for server-side authentication. Some LDAP servers may request that ACS (as the LDAP client) send a certificate to identify itself. ACS will fail to open connections over SSL to servers with such a configuration. To use communication over SSL between ACS and LDAP server, configure the LDAP server to use SSL without client certificate authentication.
CSCee65661
Need the NoCacheUser feature for unknown user policy.
The problem has been fixed.
CSCee83680
Transport service failed to go up after using Automation CLI-Shutdown.
The problem has been fixed.
CSCee88908
CSLog crash if a logged attribute is deleted due to replication.
The CSLog works as expected after replication.
CSCee94357
Illegal characters are not checked when config set admin or recovery.
Input characters are now validated.
CSCef05950
Access to ACS Admin without Authentication.
The problem has been fixed.
CSCef27403
Email sender stays as default, even when ACS appliance gets renamed.
The problem has been fixed.
CSCef95887
ACS Appliance should support more than 500 Windows groups.
The problem has been fixed. For details, see Manual Group Mapping.
CSCeg04666
CSRadius service stops with junk attributes.
The problem has been fixed.
CSCeg04788
CSRadius services stops with long length tunnel attributes.
The problem has been fixed.
CSCeg24513
Cannot import large route table via RDBMS.
The exception caused by the profile exceeding its allocated buffer has been fixed. When the profile is too large, an error message appears in the RDBMS Sync report: Failed to add TACACS+ attribute - Profile is larger than maximum allowed size.
CSCeg40355
Authentication failures when remote logging fails.
The problem has been fixed. For details, see Configuring a Logging Queue.
CSCeg51873
ACS chooses wrong NDG for NAR with TACACS/RADIUS NAS on same IP.
ACS no longer chooses the wrong NDG for NAR matching if both a TACACS+ and RADIUS NAS are defined with the same IP, and placed in separate NDGs and the authentication is performed via RADIUS.
CSCeh17104
ACS Appliance: Certain Hostname/Admin name cause loss of access
ACS will not allow you to use the same name for hostname and administrator name.
CSCeh24688
CSAuth mem leak after EAP-TLS authentications to LDAP.
The problem has been fixed.
CSCeh37849
TACACS performance limited to 14 sessions/s, winsock-1 causes TCP RSTs.
The problem has been fixed.
CSCeh37907
Duplicate IP assignment due to accounting packets reordering.
Duplicate IP address are no longer assigned.
CSCeh42116
EAP-TLS Machine Authentication fails when AD PDC emulator down.
The problem has been fixed.
CSCeh54670
ACS couldn't find user in AD if sent w/out domain name.
The Windows EAP Setting, EAP-TLS Strip Domain Name check box, has been removed from the user interface, and the Active Directory (AD) search functionality enables you to authenticate a username.
CSCeh55725
Failed to get NIC config FFFFFFFF.
The problem has been fixed. No errors are issued.
CSCeh69359
CSLog/ODBC exception after timeout of log update.
The problem has been fixed.
CSCeh91809
VoIP messages cause CSRadius service unexpected termination.
CSRadius no longer terminates unexpectedly.
CSCeh96024
LDAP Failback Retry Delay parameter ignored in failover scenario.
The problem has been fixed.
CSCei07191
Logged Remotely Attribute is not present in Solaris Remote-Agent.
Logged Remotely attributes are now present in the Solaris remote agent logs.
CSCsa86272
ACS discards EAP-FAST reauthentication requests from 350 wireless cards.
The problem has been fixed.
CSCsb06387
ACS: Authentication fails, while CSRadius is up.
The problem has been fixed.
CSCsb25098
ACS SE upgraded to 3.3.3 generates a Backup and Restore failure.
The problem has been fixed.
CSCsb25151
When AAA client has multiple/range of IP addresses, NAF for DACLs fails.
NAF for downloadable ACLs no longer fails for AAA clients.
CSCsb26537
PAC Invalid isn't responded by TLS_Alert, hence no auto provisioning.
The problem has been fixed.
CSCsb26676
Console unavailable after upgrade.
The problem has been fixed.
CSCsb36764
ACLs from ACS can not be downloaded to the PIX.
The problem has been fixed.
CSCsb47726
WLSE - AP/WDS fails to fully authenticate.
The problem has been fixed.
CSCsb47755
Upgrading appliance leaves the SNMP port open.
The problem has been fixed.
CSCsb71359
Hostname limited to 15 characters.
The hostname limit is 15 characters; you can no longer enter more than 15 characters.
CSCsb74859
Click on Next in Radius Accounting, TACACS +Accounting & Admin error 500.
The problem has been fixed. No errors are issued.
CSCsb81671
CSTacacs and CSRadius services fail to start with Windows 2003.
The problem has been fixed.
CSCsb83399
ACS SE should save the FTP settings during software upgrade.
ACS SE saves the FTP settings during a software upgrade.
CSCsb94681
ACU 6.5 Shows Garbage Characters with Manual Login in EAP-FAST.
The problem has been fixed.
CSCsb99213
CSAuth fails intermittently on ACS Windows 3.3.3 build 11.
The problem has been fixed.
CSCsc12154
Logging tables aren't reset after restore.
The problem has been fixed.
CSCsc12614
RSA ext. DB stop working after failure with wrong password.
The problem has been fixed.
CSCsc33346
ACS Appliance remote logging missing system-posture-token attribute.
The problem has been fixed.
CSCsc49596
Enhancement Request: Print EAP requests in Radius Logging.
The EAP value is now displayed in hexadecimal format in the logs.
CSCsc50048
ACS 3.3.3 may fail to reconnect to ODBC for logging.
The problem has been fixed.
CSCsc54772
NTLM Version 2, Win2k Domain, ACS 3.3.3.11, Patch CSCea91947 doesn't work.
The problem has been fixed.
CSCsc62488
ACS: AAA client with overlapping IP address can be configured.
The problem has been fixed. An error message appears when there are overlapping IP addresses.
CSCsc66978
ACS RA will crash for user belonging to many AD groups.
The problem has been fixed.
CSCsc69608
Deleting RSA database unchecks PEAP,EAP-TLS options in Windows database.
The problem has been fixed.
CSCsc74808
CSRadius.exe memory leak.
The problem has been fixed.
CSCsc80481
Proxy distribution table prevents SNMP from working.
The problem has been fixed.
CSCsc84951
RDBMS synchronization fails after some time.
The problem has been fixed.
CSCsc87874
Shared profile can causes IE to display Action Cancelled, Shared Profile.
The problem has been fixed.
CSCsd11868
CSRadius doesn't forward IPADDR VSAs for accounting.
The problem has been fixed.
CSCsd12551
IP pools disappear occasionally from Group Setup/Edit Settings.
The problem has been fixed.
CSCsd14562
Incorrect string size check for IETF Attribute 22 (Framed-route).
The problem has been fixed.
CSCsd18735
ODBC logging to Oracle DB fails if embedded quote marks in data.
The problem has been fixed.
CSCsd21392
CSMon fails to restart CSAuth after varsdb check failure.
The problem has been fixed.
CSCsd40764
ACS SE on 3.3.3 build 11 cannot allocate CSAuth threads.
The problem has been fixed.
CSCsd41569
CSAuth crashed during MS-PEAP authen using wired environment.
The problem has been fixed.
CSCsd52574
MachineSPNToSAM: __DsCrackNames failed message in auth.log.
The problem has been fixed, and the failed messages no longer appear.
CSCsd63894
ACS does not respond with the same IP address for RADIUS.
ACS now responds with the correct IP address.
CSCsd83232
Unicode on Full name in AD breaks EAP-TLS.
The problem has been fixed.
CSCsd84485
ACS Appliance memory leak.
The problem has been fixed.
CSCsd94968
ACS SE:AAA server IP for UCP changes to SE IP after reboot.
The problem has been fixed.
CSCsd96132
Same value (16) on registry key for two different error message on ACS.
Value 16 appears now only for External DB Password Invalid error message.
CSCsd96293
Crash when using special string in HTTP get (CSAdmin).
The problem has been fixed.
CSCse06667
Problem in the RADIUS Token Servers failover logic.
When the primary server is not available all requests are now forwarded to a secondary server.
CSCse18250
CSRadius crashes on a specific Access-Request message.
The problem has been fixed.
CSCse18278
CSRadius crashes on specific Accounting-Request packet.
The problem has been fixed.
CSCse26719
Cisco Secure Port Redirect may be predictable.
The problem has been fixed.
CSCse33323
ACS assigns duplicate IPs from address pool.
The problem has been fixed. For details, see Matching Framed-IP-address with User IP.
CSCse57094
MachineSPNToSAM: __DsCrackNames failed errors in auth.log.
The problem has been fixed, and the failed messages no longer appear.
CSCse74158
ACS SE 4.01 does not accept machine authentication.
The problem has been fixed.
CSCse75718
ACS reports External DB account Restriction error for Internal Error.
The problem has been fixed.
CSCse80031
CSAuth fails in PPTP environment with roaming 3rd-party supplicant.
The problem has been fixed.
CSCse81436
Incorrect user reported when EAP-TLS SSL handshake failure.
This problem occurred if another user was concurrently negotiating EAP-TLS. The username field of the Failed Attempts report now displays only Framed-IP address when the EAP-TLS or PEAP authentication fails during SSL handshake.
CSCse87913
Memory leak in CSRadius when VSA attrs are present in proxied requests.
The problem has been fixed.
CSCse94583
ACS EAP processing can inadvertently create new sessions.
ACS now maintains the original session.
CSCse94593
CTA client and ACS can get stuck in PEAP start/NAK loop.
The problem has been fixed.
CSCse94684
Starting and ending spaces are allowed in password field.
A message now appears stating that starting and ending spaces will be ignored.
CSCsf06306
ACS not replicating all clients in NDG.
The information was replicated, but did not appear in the ACS web interface. An error message now appears when this happens.
CSCsf07405
Admin log entries are truncated and bleed to a second line.
The problem has been fixed.
CSCsf23731
Invalid message while connecting to a non-existing server from upgrade g.
The message has been changed to Error due to Invalid Host Name, or Upgrade image is not for this hardware platform.
CSCsf96289
ACS Logs are not available for initial authentication requests.
The problem has been fixed.
CSCsg02249
Restore fails in appliance when SNMP is already running in same port.
The problem has been fixed.
CSCsg18312
LDAP group mapping can not be created for the 2nd connection.
The problem has been fixed.
CSCsg37835
MS-CHAP authentication failed when username in UPN format.
The problem has been fixed.
CSCsg56177
EAP-TLS may fail for AD user if username has NetBIOS domain prefix.
The problem has been fixed.
CSCsg63983
Message for large accounting packets in RDS should be modified in 3.3.4.
The following message now appears: Error in logging packet: the incoming RADIUS packet is too large 4221 bytes.
CSCsg81524
CSAuth Crashed at time of EAP-FASTv1a stress against Active Directory.
The problem has been fixed.
Product Documentation
Table 6 describes the product documentation that you should use with ACS 3.3.4.
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. This section explains the product documentation resources that Cisco offers.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/techsupport
You can access the Cisco website at this URL:
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Product Documentation DVD
The Product Documentation DVD is a library of technical product documentation on a portable medium. The DVD enables you to access installation, configuration, and command guides for Cisco hardware and software products. With the DVD, you have access to the HTML documentation and some of the PDF files found on the Cisco website at this URL:
http://www.cisco.com/univercd/home/home.htm
The Product Documentation DVD is created and released regularly. DVDs are available singly or by subscription. Registered Cisco.com users can order a Product Documentation DVD (product number DOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco Marketplace at the Product Documentation Store at this URL:
http://www.cisco.com/go/marketplace/docstore
Ordering Documentation
You must be a registered Cisco.com user to access Cisco Marketplace. Registered users may order Cisco documentation at the Product Documentation Store at this URL:
http://www.cisco.com/go/marketplace/docstore
If you do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Documentation Feedback
You can provide feedback about Cisco technical documentation on the Cisco Support site area by entering your comments in the feedback form available in every online document.
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you will find information about how to do the following:
•
•
•
A current list of security advisories, security notices, and security responses for Cisco products is available at this URL:
To see security advisories, security notices, and security responses as they are updated in real time, you can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you have identified a vulnerability in a Cisco product, contact PSIRT:
•
An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.
•
In an emergency, you can also reach PSIRT by telephone:
•
•
Tip
Never use a revoked encryption key or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
The link on this page has the current PGP key ID in use.
If you do not have or use PGP, contact PSIRT to find other means of encrypting the data before sending any sensitive material.
Product Alerts and Field Notices
Modifications to or updates about Cisco products are announced in Cisco Product Alerts and Cisco Field Notices. You can receive these announcements by using the Product Alert Tool on Cisco.com. This tool enables you to create a profile and choose those products for which you want to receive information.
To access the Product Alert Tool, you must be a registered Cisco.com user. Registered users can access the tool at this URL:
http://tools.cisco.com/Support/PAT/do/ViewMyProfiles.do?local=en
To register as a Cisco.com user, go to this URL:
http://tools.cisco.com/RPF/register/register.do
Obtaining Technical Assistance
Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Support website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.
Cisco Support Website
The Cisco Support website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day at this URL:
http://www.cisco.com/en/US/support/index.html
Access to all tools on the Cisco Support website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note
Tip
If you suspect that the browser is not refreshing a web page, force the browser to update the web page by holding down the Ctrl key while pressing F5.
To find technical information, narrow your search to look in technical documentation, not the entire Cisco.com website. After using the Search box on the Cisco.com home page, click the Advanced Search link next to the Search box on the resulting page and then click the Technical Support & Documentation radio button.
To provide feedback about the Cisco.com website or a particular technical document, click Contacts & Feedback at the top of any Cisco.com web page.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411
Australia: 1 800 805 227
EMEA: +32 2 704 55 55
USA: 1 800 553 2447For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—An existing network is "down" or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operations are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of the network is impaired while most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
•
http://www.cisco.com/offer/subscribe
•
•
http://www.cisco.com/go/marketplace/
•
•
•
http://www.cisco.com/en/US/products/index.html
•
http://www.cisco.com/discuss/networking
•
http://www.cisco.com/univercd/cc/td/doc/abtunicd/136957.htm
•
http://www.cisco.com/en/US/learning/index.html
This document is to be used in conjunction with the documents listed in the "Product Documentation" section.
CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2006 Cisco Systems, Inc. All rights reserved.
