+--------------------------------------------------------------------------+
| |
| Source : CD Release Date : June 09 |
| |
| Section : Apps Disk Count : 1x15mb |
| |
| Content : UTIL Tactile Rating : 5/5 |
| |
+ -------------------------------------------------------------------------+
Update for our earlier release.
Readme File for Cisco Secure Access Control Server (ACS) for Windows
Release: ACS 4.2.0.124 for Windows Patch: Acs-4.2.0.124.11-SW.zip
=======================================================================================
This patch provides support for Windows 2008 along with the following bug fixes.
*Bug Id:
CSCsk94878 - Windows password change does not work when PDC Emulator is down
CSCsm66268 - Group Mapping fails with Ext DB when service-type=10,if there is no NAP. on line help doc.
CSCsm20261 - TCS.log doesn't show TACACS arguments for requests coming from multi-nas
CSCsf25057 - ACS support for TACACS single-connection
CSCsm69491 - Disable users accounts still check external databases
CSCsf02761 - ACS sends the accounting-response to a wrong NAS IP address
CSCsq29364 - Password change does not work using XP supplicant against AD
CSCsq24346 - Wrong ACS version numbers in GUI of 4.2.0.124 patch 1
CSCsq31732 - External DB is checked for Cached Expired user (Account Disabled)
CSCsq52930 - With NDG, services not starting after upgra to 4.1.4.13.9 or 4.2.0.124.1
CSCsq58224 - Need to select the database for tacacs+ authentication at NDG level
CSCsm64286 - Request from NAS fails when default NAS is defined under NDG
CSCsm64931 - NAR doesn't filter users when Apply password change rule is selecte
CSCsq86723 - Need to select the database for tacacs+ authentication at NAS level
CSCsq77689 - Help section not available for the new option to select ext DB in NDG
CSCsm45861 - Windows DB Group Mapping failing when username is in UPN format
CSCsm43674 - Fields edited for an upgraded user, gives wrong info in AdminstrnAudit
CSCse93831 - Number of IP addresses per AAA client is limited in 4.0
CSCso42219 - ACS GUI - IP Length Checking should be increased to 16K
CSCsq65591 - Windows authentications fail when ACS install in windows2008 member serv
CSCsj60407 - ACS Backup filename is changed to uppercase letters
CSCso25557 - need toggle option for ACS and cross domain authen
CSCso39795 - Disable and Enable Network Card in S/W ACS results in Loop Back
CSCsl07742 - Support for Windows Server 2008 RC0
CSCso75686 - Support for Multiple LDAP servers for MAB
CSCsq45036 - ACS 4.2 RAC/NAP Autz - User assigned to Default Group VLAN
CSCsq79127 - CSUpdate doesn't behave correctly when doing an upgrade
CSCsq81191 - Problem in initializing the logging component of the RsaDserv.dll
CSCsq28953 - CSAuth crashes during outbound replication on Windows 2008
CSCsq09264 - "Remote Agent Config" component for Replication not applicable to s/w
CSCsr43305 - Groupmapping fails in MAB when an LDAP is selected below Internal DB
CSCsr42945 - Help not available on Support for Multiple LDAP in MAB
CSCsq10103 - Crafted EAP ID Response causes Cisco Secure CSRadius to crash
CSCsq96755 - ACS needs manual restart to recover machine authentication
CSCsq93877 - LDAP bind fails first time with clients using RSA token
CSCsq87007 - Machine Authentication fail host is not in PrimaryDNSSuffix
CSCso84928 - ACS 4.1.4 - Multiple LDAP bindings with wrong user credentials
CSCsq24607 - Replication creates new CSV report files on the secondary server
CSCsi27554 - ACS 4.1 : EAP-FAST secondary will not switch to Slave.
CSCsq00710 - ACS: RDBMs VSA Import creates invalid vendor length
CSCsm99926 - ACS 4.1 EAP-FAST provisioning repeatedly prompts for username
CSCsr95985 - CSRadius does not terminate when it cannot bind to its socket
CSCsr98419 - SSL based EAP authentication fails after replication
CSCsu39804 - ACS generates "Internal Error" whn supplicant responses with fail
CSCsu24347 - Reporting Needed for Multiple LDAP servers for MAB
CSCsu29010 - Incorrect Prompt for 'Next Token Code' from RSA
CSCsu42166 - Incorrect group name in failed attempts report for MAB
CSCsu35277 - ACS needs consistent method of ordering MAB LDAP query order
CSCsu76869 - Upgrade fails to list Internal DB under "Selected MAC DB" for MAB
CSCsu79556 - Replication: NAP enabled, Log config disabled, Log Config replica occurs
CSCsv45003 - Sybase patch 9.0.2
CSCsv10062 - CSTacacs service restarts frequently
CSCsv04715 - Excessive logging with "no challenge provided by client
CSCsk09761 - Called station id value not logged in passed/failed attempts reports
CSCsm99518 - ACS does not log authentication timeouts with Failed Attempts
CSCso55280 - ACS session handling for EAP packet retransmission need improvement
CSCsv49287 - PEAP-GTC and EAP-TLS may fail after replication
CSCsv65072 - Importing VSA results in incorrect value added
CSCsl79098 - ACS doesn't verify SubjectKeyID / AuthorityKeyID in CertChain building
CSCsw74922 - Need support of including message of session timeout for EAP-FAST GTC
CSCsw78746 - Incomplete removal of ACS files after using Uninstall / Clean utility
CSCsq13749 - Started & Completed Inbound Replica logs shows different ACS name
CSCsw61276 - Copyright information needs to be corrected.
CSCsv70331 - Restore from db backup fails to register XML files from Common Services
CSCsq43088 - ACS: Token Caching for Session not allowing multiple logins.
CSCsj99992 - RDS logs shows Merge control attr missing from PDE policy output!
CSCsx31676 - EAP performance degrades as load increases
CSCsu79579 - Doc: GUI says with NAP logging configuration should be replicated
CSCsh37811 - RDS log msg is not clear
CSCsw99081 - RSA SecurID Token and LDAP Group Mapping not able to browse full AD tree
CSCsu79354 - CSAuth hangs under high EAP load in ACS 4.2.0.124
CSCsy10257 - Extra failed attempt shows less information
CSCsx79898 - Command Authorization Crashing Tacacs
CSCsy53254 - After RDBMS sync large DB causes: CPU 100% CSAdmin Unresponsive
CSCsy14207 - 2 Failed Attempts are created for 1 authentication failure
CSCsy64782 - ACS caught an exception if EAP fragment has invalid length
CSCsx37420 - CSTacacs service is crashing on ACS 4.2 on Windows 2000 Server
CSCsz89429 - Upgrade fails frm 4.2 Pat 7 to 11 when Tacacs service is in stopping mode
Patch Acs-4.2.0.124.11-SW.zip consists of:
* files -
CSAdmin.exe
CSAuth.exe
CSTacacs.exe
CSRadius.exe
CSLog.exe
CSupdate.exe
CSDbSync.exe
CSutil.exe
CSMon.exe
Tactest.exe
Radtest.exe
NAS.dll
NTlib.dll
NTAuthenDLL.dll
SchemeLayer.dll
acsEapMschap.dll
DServDll.dll
RsaDserv.dll
AironetACS.dll
backupRestoreSupport.dll
AironetEAP.dll
GenericEAP.dll
DnldACLs.dll
acsEapGtc.dll
RadiusSPC.dll
PDE.dll
Install.dll
LsaAuthLib.dll
SH_renameNDG.htm
SH_newNDG.htm
SH_HOST_EDIT.htm
SH_HOST_ADD.htm
SH_PAGE.htm
SH_NT_PAGE.htm
SH_NAP_AUTH.htm
AuthenPolicy.htms
main_b.htm
upgrade.dat
Vendors.dll
UdvDll.dll
acsTeap.dll
acsPeap.dll
acsEaptls.dll
eap-fastConfig.htm
SH_EAPFAST.htm
AuthenPolicyButtonBar.htm
SecurID.dll
dbctrs9.dll
dblgen9.dll
dbodbc9.dll
dbserv9.dll
dbsrv9.exe
dbsrv9.lic
ccmp.dll
CryptoLib.dll
CryptoLib.dll.sha1
odbcLogger.dll
csvLog.dll
SyslogClient.dll
UnInstall.dll
readme.txt
trial_expired.htm
SH_GLOBAL_LOG.htm
SH_LOG_CONF.htm
SCAdv10.html
eapCM.dll
ace.dll
Prerequisites
=============
1. This is a patch for release ACS 4.2.0.124. ACS 4.2.0.124 must be installed before installing this
patch. Other prerequisites are the same as for ACS 4.2.0.124.
2. For Windows 2008 support:
In the Windows 2008 machine where you install ACS, you must keep the following ports open in Windows 2008 firewall
settings. These ports are used by ACS.

Service                                                        Port
-------------------------------------------------------------  ----------
RADIUS Authentication and Authorization (original draft RFC)   1645
RADIUS Accounting (original draft RFC)                         1646
RADIUS Authentication and Authorization (revised draft RFC)    1812
RADIUS Accounting (revised draft RFC)                          1813
TACACS+ AAA                                                    49
Replication and RDBMS Synchronization                          2000
Cisco Secure ACS Remote Logging                                2001
Cisco Secure ACS Distributed Logging (appliance only)          2003
HTTP Administrative Access (at login)                          2002
DHCP                                                           68
Administrative Access (after login) Port Range                 Configurable (default 1024-65535)

Cisco Secure ACS assigns a unique port number from the Administrative Access range to each administration session.
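One way to open the listed ports without exposing them to every host, as an added example that is not part of the Cisco readme: a batch script using netsh advfirewall, the firewall command line on Windows Server 2008. The address ranges are constructed placeholders, and the UDP/TCP choice per port is an assumption based on the usual transport of each protocol, since the readme gives port numbers only.

```bat
@echo off
rem Added example, not from the Cisco readme.
rem ASSUMPTIONS (replace before use):
rem   AAA_CLIENTS - network devices that send RADIUS/TACACS+ requests
rem   ACS_PEERS   - other ACS servers (replication, remote logging)
rem   ADMIN_HOSTS - workstations allowed to reach the admin GUI
rem All three values are constructed placeholders (documentation ranges).
setlocal
set "AAA_CLIENTS=192.0.2.0/24"
set "ACS_PEERS=198.51.100.10,198.51.100.11"
set "ADMIN_HOSTS=203.0.113.5"

rem Arguments are quoted because cmd.exe treats a bare comma as a separator.
rem Transport per port is assumed: RADIUS and DHCP over UDP, the rest over TCP.
call :allow "ACS RADIUS auth and acct" "UDP" "1645,1646,1812,1813" "%AAA_CLIENTS%" || goto :fail
call :allow "ACS TACACS+ AAA"          "TCP" "49"                  "%AAA_CLIENTS%" || goto :fail
call :allow "ACS replication and sync" "TCP" "2000"                "%ACS_PEERS%"   || goto :fail
call :allow "ACS remote logging"       "TCP" "2001"                "%ACS_PEERS%"   || goto :fail
call :allow "ACS admin login (HTTP)"   "TCP" "2002"                "%ADMIN_HOSTS%" || goto :fail
rem DHCP replies come from the DHCP server or a relay; left unscoped here.
call :allow "ACS DHCP"                 "UDP" "68"                  "any"           || goto :fail

rem Not created here:
rem   2003 - distributed logging is listed as appliance only.
rem   Post-login admin range - default 1024-65535 is configurable in ACS;
rem   narrow it in ACS first, then allow that range from ADMIN_HOSTS only.

rem Show the rules that were just created.
netsh advfirewall firewall show rule name=all | findstr /c:"ACS "
exit /b 0

:allow
rem %~1 rule name, %~2 protocol, %~3 local port list, %~4 allowed sources
netsh advfirewall firewall add rule name="%~1" dir=in action=allow ^
    protocol=%~2 localport=%~3 remoteip=%~4
exit /b %errorlevel%

:fail
echo Failed to create a firewall rule; review the output above.
exit /b 1
```

Run it from an elevated command prompt; re-running adds duplicate rules, so delete the earlier "ACS ..." rules first if the script is applied again.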
What the Patch Fixes
====================
This patch contains fixes for the following DDTS: CSCsk94878, CSCsm66268, CSCsm20261, CSCsf25057, CSCsm69491, CSCsf02761, CSCsq31732, CSCsq29364, CSCsq24346, CSCsq52930, CSCsq58224, CSCsm64286, CSCsm64931, CSCsq86723, CSCsq77689,
CSCsm45861, CSCsm43674, CSCse93831, CSCso42219, CSCsq65591, CSCsj60407, CSCso25557, CSCso39795, CSCsl07742, CSCso75686, CSCsq45036, CSCsq79127, CSCsq81191, CSCsq28953, CSCsq09264, CSCsr43305, CSCsr42945, CSCsq10103, CSCsq96755, CSCsq93877, CSCsq87007, CSCso84928, CSCsq24607, CSCsi27554, CSCsq00710, CSCsm99926, CSCsr95985, CSCsr98419, CSCsu39804, CSCsu24347, CSCsu29010, CSCsu42166, CSCsu35277, CSCsu76869, CSCsu79556, CSCsv45003, CSCsv10062, CSCsv04715, CSCsk09761, CSCsm99518, CSCso55280, CSCsv49287, CSCsv65072, CSCsl79098, CSCsw74922, CSCsw78746, CSCsq13749, CSCsw61276, CSCsv70331, CSCsq43088, CSCsj99992, CSCsx31676, CSCsu79579, CSCsh37811, CSCsw99081, CSCsu79354, CSCsy10257, CSCsx79898, CSCsy53254, CSCsy14207, CSCsy64782, CSCsx37420 & CSCsz89429.
This patch displays the new patch number [4.2.0.124.11] in the ACS GUI welcome page and in the log files of the patched ACS processes.
Apart from these places, the version will be displayed as 4.2.0.124.
Important Notice:
=============
1. The fix for DDTS CSCsm99926 includes a new check box named "Allow stripped user identity on PAC provisioning" under the EAP-FAST configuration section. This check box is added to provide backward compatibility, i.e. domain information will be stripped and only the user identity will be stored as part of PAC-IID. The check box should be enabled ONLY when you encounter repeated PAC provisioning after UPGRADE from ACS 3.3.x to ACS 4.x. It SHOULD NOT be checked in any other circumstances, as this is a workaround for the problematic behavior of the Intel supplicant.
2. The fix for DDTS "CSCsv65072 - Importing VSA results in incorrect value added" applies only to User Defined Vendors newly added after applying the patch. If the DB is already corrupted, it has to be manually cleaned by running the accountActions.csv file with action code 351 + VSA ID and re-adding it.
Instructions on how to install the patch
========================================
1. Disable the option 'Test login process every x minutes' under 'System Configuration -> ACS Service Management -> System Monitoring' in the ACS GUI page.
2. Stop all ACS services.
3. If you have a problem stopping any of the ACS services, reboot the machine and follow the instructions again to install the patch.
4. Copy the cumulative patch to any location on the computer where ACS is installed.
5. Extract the Zip file and run the exe by double-clicking it.
6. The installer will try to stop all the ACS services.
7. After successfully stopping all the services, it will create a backup directory.
For example: if ACS is installed in C:\Program Files\CiscoSecure ACS v4.2, then a root backup folder will be created in C:\AcsFilesBackup. If patch 11 for 4.2.0.124 is installed, then a folder named ACS-4.2.0.124.11-SW is created in C:\AcsFilesBackup\ACS-4.2.0.124.11-SW
8. It now moves the files from the to the backup location. It then replaces them with the new files from the patch.
9. It will invoke CSUpdate.exe for any DB related changes in the patch.
10. It will then try to start all the services.
11. The command window will show minimal information on what's happening. For detailed logs please locate AcsPatchInstall.log in the root folder of . On applying the next patch this log gets overwritten.
12. Please note that although the ACS files are backed up before the patch is applied, no rollback is supported by this feature, because DB changes cannot be rolled back.
Note:
====
1. CSUpdate command has to be executed before starting the services
2. Backup and restore between ACS servers of the same version also requires that both have the same patch number. For example, if you have ACS 4.2.0.124 with patch 11 on your machine and want to restore a backup taken from an ACS 4.2 machine, make sure that patch 11 was applied on the source machine before the backup was taken.
3. The fixes for bugs CSCsm99518 and CSCsv04715 were reworked in 4.2.0.124 patch 9 as follows:
The options to configure "Excessive Logging" and "Retry", which are present under the CSV, ODBC and Syslog configuration pages in 4.2.0.124 patch 8, have been moved to a new page, "Global Logging Configuration". If you had configured these options in patch 8, they have to be re-configured in patch 11 under "Global Logging Configuration".
The configuration changes that you make in "Global Logging Configuration" apply to all three types of reports, viz. CSV, ODBC and Syslog.
The configuration changes that you make in "Global Logging Configuration" apply to the Remote logger as well.
=======================================================================
Copyright (C) 2009 Cisco Systems, Inc. All rights reserved.
Cisco and Cisco Systems are registered trademarks of Cisco Systems,
Inc., in the U.S. and certain other countries. All other trademarks
mentioned in this document are the property of their respective owners.
=======================================================================