Table Of Contents
Release Notes for Cisco NAC Profiler, Release 3.1.1
Contents
Cisco NAC Profiler Releases
System Requirements
Licensing
Hardware Supported
Software Compatibility
Cisco NAC Appliance/ Cisco NAC Profiler Compatibility Matrix
Cisco NAC Profiler Collector Support and NAC Server Deployment Modes
Cisco NAC Profiler Integration with Cisco NAC Appliance Deployments
Standalone Cisco NAC Profiler (not Integrated with Cisco NAC Appliance)
Supported Web Browsers for Release 3.1.1
Determining the Software Release Version
Cisco NAC Profiler Server
Cisco NAC Profiler Collector (on Cisco NAC Server)
Product Change Information
Enhancements in Cisco NAC Profiler Release 3.1.1
NAC Profiler Server Advanced Options
Profiler Server based on NAC 3315
Work Queue Size Option
High Availability Pairs and Failover
License File Sync
LDAP Enhancements
Factory Endpoint Profiles
NetMap Polling of Network Devices and Active Directory Servers
Caveats
Open Caveats - Release 3.1.1-18
Open Caveats in Documentation - Release 3.1.1-18
Resolved Caveats - Release 3.1.1-18
New Installation of Cisco NAC Profiler Release 3.1.1-18
Cisco NAC Profiler Server and Cisco NAC Profiler Lite Server
Upgrade Instructions for Release 3.1.1-18
Upgrading 2.1.8 Cisco NAC Profiler Server and Cisco NAC Profiler Lite Server Standalone Systems to 3.1.0-24
Upgrading Cisco NAC Profiler Systems from 3.1.0 to 3.1.1
Upgrading Standalone Cisco NAC Profiler Systems (Release 3.1.0 to 3.1.1-18)
Upgrading NAC Profiler Server HA Pairs (3.1.0 to 3.1.1-18)
Installing New/Upgrading Cisco NAC Profiler Collector Service on Cisco NAC Server
Documentation Updates
Related Documentation
Obtaining Documentation and Submitting a Service Request
Release Notes for Cisco NAC Profiler, Release 3.1.1
November 16, 2011, OL-23117-01
Contents
These release notes provide late-breaking and release information for Cisco NAC Profiler, Release 3.1.1. This document describes enhancements, limitations, and restrictions ("caveats"), upgrade instructions, and related information. These release notes supplement the Cisco NAC Profiler and Cisco NAC Appliance documentation that is included with the distribution. Read these release notes carefully and refer to the upgrade instructions prior to installing the software.
•
Cisco NAC Profiler Releases
•System Requirements
•Software Compatibility
•Product Change Information
•Caveats
•Upgrade Instructions for Release 3.1.1-18
•Documentation Updates
Cisco NAC Profiler Releases
Cisco NAC Profiler Version
|
Release Date
|
3.1.1-18
|
August 17, 2010
|
Note Cisco recommends that you deploy early deployment releases in a test network before you attempt top deploy this in a production network.
System Requirements
This section contains the following:
•Licensing
•Hardware Supported
Licensing
For general information on licensing for Cisco NAC Profiler Server and Cisco NAC Profiler Collector see Cisco NAC Appliance Service Contract/Licensing Support.
Hardware Supported
The supported Cisco NAC Profiler system consists of a Cisco NAC Profiler Server or Cisco NAC Profiler Lite Server, implemented as a standalone appliance or a high availability (HA) pair, and one or more NAC Profiler Collectors that run on Cisco NAC Server appliances. The NAC Profiler Collectors can also be deployed as HA pairs when run on Cisco NAC Server HA pairs. The Cisco NAC Profiler appliances leverage the Cisco NAC Appliance 3300-series hardware platforms.
Note Cisco NAC Appliance Release 4.7.(0) and Release 4.8 are the only tested FIPS 140-2 compliant releases. Cisco NAC Profiler and Cisco NAC Guest Server are not supported in FIPS-compliant deployments in Cisco NAC Appliance Releases 4.7.(0) or 4.8.
Cisco NAC Profiler Lite
The Cisco NAC Profiler Lite is a hardware platform that comes pre-installed with a default version of the Cisco NAC Profiler Lite software. Cisco NAC Profiler Lite requires a separate ISO file.
Note The Cisco NAC Profiler Server is only supported on the NAC-3355 hardware platform. If ordering a NAC Profiler Lite, you will actually receive a NAC-3355 based appliance with a NAC Profiler Lite License.
Cisco NAC Profiler Server
The Cisco NAC Profiler Server is based on the NAC-3350/3355 hardware platforms and is pre-installed with a default version of the Cisco NAC Profiler Server software (3.1.1-18).
Cisco NAC Profiler Collector (on Cisco NAC Servers)
A default version of the Cisco NAC Profiler Collector component is included as a service on Cisco NAC Server appliances beginning with the Cisco NAC Appliance 4.1.2.1 and later releases. The Cisco NAC Server operates on NAC-3310/NAC-3315 and/or NAC-3350/3355 Server appliance platforms only.
The Cisco NAC Profiler Collector is a distributed component that typically resides on the Cisco NAC Appliance Server - Clean Access Server (CAS) and communicates with the Cisco NAC Profiler Server. A default version of the Cisco NAC Profiler Collector is shipped with each CAS, and there is one Profiler Collector per CAS.
Note For proper operation, both the Cisco NAC Profiler Collector component on the Cisco NAC Server and Cisco NAC Profiler Server (Profiler Server or Profiler Lite) must run the same version of the Cisco NAC Profiler software. Refer to Cisco NAC Appliance/ Cisco NAC Profiler Compatibility Matrix for details.
Note You need to upgrade the default version of the Profiler Collector shipped with the NAC Server software for compatibility with the latest Cisco NAC Profiler. For details refer to Cisco NAC Appliance/ Cisco NAC Profiler Compatibility Matrix.
Cisco NAC Profiler Collector (Standalone Version)
Note The Cisco NAC Profiler Collector standalone version is an option that is only valid for non-HA Collectors.
You can also deploy a standalone version of the Cisco NAC Profiler Collector component on appliances that are running only the Cisco NAC Profiler Collector service on Cisco NAC Servers that are running without the Cisco NAC Server services enabled.
For example, standalone Cisco NAC Profiler Collector components can be started and operated using the server connection type or the client connection type. For specific details, see the following sections in "Installing and Performing an Initial Configuration" in the Cisco NAC Profiler Installation and Configuration Guide, Release 3.1.1 at: http://www.cisco.com/en/US/products/ps8464/products_installation_and_configuration_guides_list.html
•"Starting Up a Standalone NAC Profiler Collector using the Client Connection Type"
•"Starting Up a Standalone NAC Profiler Collector using the Server Connection Type"
While performing a service collector config command on a Cisco NAC Server appliance, you need to make sure to select the following options:
•Connection type (server/client) [client]:
•Connect to IP [127.0.0.1]: 10.30.30.5
•Port number [31416]:
•Encryption type (AES, Blowfish, none) [AES]: AES
•Shared secret []: cisco123 (this is an example only)
See Product Change Information for details on the latest release 3.1.1 builds.
For ordering information, refer to the Cisco NAC Profiler Ordering Guide.
Software Compatibility
This section describes the following:
•Cisco NAC Appliance/ Cisco NAC Profiler Compatibility Matrix
•Cisco NAC Profiler Collector Support and NAC Server Deployment Modes
•Supported Web Browsers for Release 3.1.1
•Determining the Software Release Version
Note Cisco NAC Profiler Release 3.1.1 has been tested with Cisco Secure Access Control System (ACS) Release 5.1.
Cisco NAC Appliance/ Cisco NAC Profiler Compatibility Matrix
Table 1 shows Cisco NAC Appliance and Cisco NAC Profiler compatibility and software versions supported for each component of the Cisco NAC Profiler solution. For proper operation, both the Profiler Collector(s) and Profiler Server (Profiler Server or Profiler Lite) must run the same version of the Cisco NAC Profiler software.
Note Cisco NAC Profiler release 3.1.1 replaces and supersedes all previous releases of Cisco NAC Profiler.
Note Cisco NAC Appliance releases are shipped with a default version of the NAC Collector version. When upgrading the NAC Server to a newer Cisco NAC Appliance release, the current version of the Collector is replaced with the default version of the Collector shipped with the Cisco NAC Appliance release. For example, if you are running NAC 4.7.2 and Profiler 3.1.1-18 and you upgrade to NAC 4.8.0, you need to manually re-install the NAC Collector release 3.1.1 and configure it following the NAC Server upgrade.
Note Cisco NAC Appliance Release 4.7.(0) and Release 4.8 are the only tested FIPS 140-2 compliant releases. Cisco NAC Profiler and Cisco NAC Guest Server are not supported in FIPS-compliant deployments in Cisco NAC Appliance Releases 4.7.(0) or 4.8.
Table 1 Cisco NAC Appliance / Cisco NAC Profiler Compatibility Matrix1
Cisco NAC Server Appliance Components 2
|
Cisco NAC Profiler Appliance
|
Cisco NAC Appliance Version
|
Cisco NAC Profiler Collector Version Shipped with Cisco NAC Server
|
Upgrade Cisco NAC Profiler Collector Version to: 3
|
Upgrade Cisco NAC Profiler Server to:
|
4.8.0
|
3.1.0-24
|
3.1.1-18
|
3.1.1-184
|
4.7.2
|
2.1.8-39
|
4.6.1
|
2.1.8-38
|
Cisco NAC Profiler Collector Support and NAC Server Deployment Modes
The Cisco NAC Profiler system can be deployed in the following two primary modes:
1. Integrated with Cisco NAC Appliance. In this mode, the NAC Profiler Collectors run as:
–An additional software service on Cisco NAC Servers.
–The Cisco NAC Servers on which this service runs are part of an operational Cisco NAC Appliance solution.
–The Cisco NAC Appliance solution is one in which Cisco NAC Manager and NAC Servers provide posture and remediation.
2. Not integrated with Cisco NAC Appliance. In this mode, the Profiler Collectors run:
–On the Cisco NAC Servers, but the difference is that the Cisco NAC Manager is not present and the Cisco NAC Appliance system is not used for posture or remediation.
–In this mode, the Cisco NAC Profiler system provides endpoint discovery, profiling, and identity monitoring.
–The endpoint directory is enabled for LDAP access that allows other systems (for example, Cisco Secure ACS) to use the Cisco NAC Profiler as an external database for MAC Authentication/MAC Authentication Bypass (MAB).
The Collector service running on the NAC Server is composed of the NetMap, NetTrap, NetWatch, NetInquiry, and NetRelay component modules that collect endpoint data, and the Forwarder module that provides communication between the NAC Collector service running on a NAC Server and the Profiler Server. Depending upon deployment type, there are other considerations regarding Profiler Collector deployment that are outlined in the following sections.
Cisco NAC Profiler Integration with Cisco NAC Appliance Deployments
In this Cisco NAC Profiler deployment type, the NAC Server operating mode determines considerations for the Profiler Collector running on the NAC Server. Table 2 details the product features supported for each of the endpoint data collection modules based on NAC Server operating mode.
A Yes in the column for each of the operational modes in the following table indicates that the collection function is available and lists caveats with notes. Selective indicates that the collection function is available, but is subject to certain limitations as outlined in the notes.
Table 2 NAC Profiler Collector Modules and Cisco NAC Appliance Server Operating Mode
NAC Profiler Collector Module / Function
|
Clean Access Server Operating Mode
|
Real-IP Gateway
|
Virtual Gateway
|
Real-IP Gateway OOB
|
Virtual Gateway OOB
|
NetMap
SNMP polling of switches and routers
|
Yes
|
Yes1
|
Yes
|
Yes 1
|
NetTrap
Receive SNMP traps from switches
|
Yes
|
Yes 1
|
Yes
|
Yes 1
|
NetWatch 2
•Observe traffic on eth2 (if not used for HA heartbeat)
•Observe traffic on eth3
Note Interfaces eth0 and eth1 on CAS/Collector are not supported for Profiler Netwatch.
|
Yes 3
Yes
|
Yes 3
Yes
|
Yes 3
Yes
|
Yes 3
Yes
|
NetInquiry
Active Profiling of endpoints
|
Yes
|
Yes1
|
Yes
|
Yes 4
|
NetRelay
Reception of NetFlow Export Data Records
|
Yes
|
Yes 1
|
Yes
|
Yes 1
|
Standalone Cisco NAC Profiler (not Integrated with Cisco NAC Appliance)
Even when the Cisco NAC appliance-specific Cisco NAC Server services are not enabled, the NAC Profiler Collector can operate in a standalone deployment mode and use the operating system and the underlying configuration of the NAC Server to continue performing endpoint data collection operations.
The Cisco NAC Profiler in either standalone or HA modes can function independently of how the Cisco NAC appliance in configured. The Cisco NAC Profiler can be integrated into either of these modes. The Cisco NAC Profiler standalone or HA modes are determined based upon how the Cisco NAC Profiler devices are configured.
To perform a minimum configuration of the NAC Server, see the following sections:
•Perform the Initial CAS Configuration; for a complete description, see the Cisco NAC Appliance Hardware Installation Guide, Release 4.8 at: http://www.cisco.com/en/US/docs/security/nac/appliance/installation_guide/hardware/48/48hwinstal.html
•Startup of NAC Profiler Collectors; for a complete description, see the Cisco NAC Profiler Installation and Configuration Guide, Release 3.1.1 at: http://www.cisco.com/en/US/products/ps8464/products_installation_and_configuration_guides_list.html
Supported Web Browsers for Release 3.1.1
Release 3.1.1 of the Cisco NAC Profiler User Interface (UI) has been tested thoroughly with Windows® Internet Explorer® Versions 7 and 8, and Firefox® 3.0.x and later.
Note While efforts have been made to extend support back to Windows Internet Explorer Version 6.0.2900.2180.xpsp_sp2_qfe.080814-1242, it is recommended that you use Windows Internet Explorer Version 7, and Firefox Version 3.0.x for optimal UI performance.
Determining the Software Release Version
You can determine the release version for the following Cisco NAC Profiler components:
•Cisco NAC Profiler Server
•Cisco NAC Profiler Collector (on Cisco NAC Server)
Cisco NAC Profiler Server
Via the UI
•Navigate to the Home Tab (System Dashboard). The Cisco NAC Profiler Modules table of the System Status area of the dashboard indicates the Profiler Server version in parentheses following the Server link.
Via SSH
•SSH to the Profiler Server and type service profiler status. For example:
[root@profiler ~]# service profiler status
Version: Profiler-3.1.1-18
o Forwarder Not Installed
o NetInquiry Not Installed
Cisco NAC Profiler Collector (on Cisco NAC Server)
•SSH to the NAC Server machine running the Collector service and type service collector status.
[root@bcas1 beacon]# service collector status
Version: Collector-3.1.1-18
Product Change Information
This section describes enhancements made to this release of the Cisco NAC Profiler:
•Enhancements in Cisco NAC Profiler Release 3.1.1
Enhancements in Cisco NAC Profiler Release 3.1.1
Cisco NAC Profiler release 3.1.1 is a maintenance release that contains a number of bug fixes and minor enhancements to existing functionality. The Cisco NAC Profiler Release 3.1.1 is available as an ISO image for the Cisco NAC Profiler Server and Cisco NAC Profiler Lite or as an upgrade from release 3.1.0 to release 3.1.1.
The enhancements made in Release 3.1.1 of the Cisco NAC Profiler are detailed in the following sections:
•NAC Profiler Server Advanced Options
•Profiler Server based on NAC 3315
•Work Queue Size Option
•High Availability Pairs and Failover
•License File Sync
•LDAP Enhancements
•Factory Endpoint Profiles
•NetMap Polling of Network Devices and Active Directory Servers
Refer to the following sections for additional details regarding this release of the Cisco NAC Profiler:
•Caveats
•Open Caveats - Release 3.1.1-18
•Resolved Caveats - Release 3.1.1-18
•Upgrade Instructions for Release 3.1.1-18.
NAC Profiler Server Advanced Options
The NAC Profiler Server module now has relocated the configuration parameters to a new location on the Configure Server form labeled as Advanced Options:
•Work Queue Size
•Delay Collection
•Active Response Delay
For more details, see "Configuring the Cisco NAC Profiler Server" in the Cisco NAC Profiler Installation and Configuration Guide, Release 3.1.1, at: http://www.cisco.com/en/US/products/ps8464/products_installation_and_configuration_guides_list.html)
Profiler Server based on NAC 3315
NAC 3315 and 3355 Hardware platforms also supports NAC Profiler version 3.1.1-18 in FIPS 140-2 mode.
Work Queue Size Option
The NAC Profiler Server now provides a work queue size parameter in the Collector module that allows you to designate the size of messages that can be sent from the Collectors to the Cisco NAC Server module, in kilobytes.
For more details, see "Configuring Collector Modules" in the Cisco NAC Profiler Installation and Configuration Guide, Release 3.1.1, at:
http://www.cisco.com/en/US/products/ps8464/products_installation_and_configuration_guides_list.html)
High Availability Pairs and Failover
The NAC Profiler now supports the capability to force a NAC Profiler Server HA pair to failover. This means that you can now manually initiate the transfer of primary node duties to the secondary to ensure that the failover capability of the pair is fully operational.
For example, this capability is desirable should you want the HA system to be tested, or at anytime you want to determine whether to shift the Primary duties to the other appliance in the HA pair.
For more details, see "Using the Cisco NAC Profiler Server Command Line" in the Cisco NAC Profiler Installation and Configuration Guide, Release 3.1.1, at:
http://www.cisco.com/en/US/products/ps8464/products_installation_and_configuration_guides_list.html)
License File Sync
Starting from version 3.1.1-18 for a Cisco NAC Profiler running HA, a "FO Bundle" license with the eth0 MAC ID of the Primary as well as the secondary can be uploaded on the active node and the license will be replicated to the passive or secondary node. Replication of the license file is asynchronous, and will not occur if license files are deleted or are uploaded through SCP to either of the appliances in the failover pair.
LDAP Enhancements
Performance and scalability enhancements made to the NAC Profiler integration layer now improve routine LDAP directory operations. Group implementation changes have improved the performance of directory operations for LDAP-enabled endpoint profiles containing a large number of endpoints.
To supplement this change, optimizing available caching options was also implemented. These LDAP enhancement changes are not visible in the user interface nor do they affect the configuration of the LDAP integration layer. In effect, these enhancements are transparent to users of the endpoint data using LDAP (for example, RADIUS server users).
Factory Endpoint Profiles
Enhancements to the Endpoint Profiles included with the 3.1.1 release now make administration easier. The factory profiles that are loaded at the time of installation are now organized into Profile Groups that allow for Profiles of endpoints of the same type to be viewed collectively.
Note This enhancement is only supported in new installations of the Cisco NAC Profiler, Release 3.1.1. The act of upgrading an existing system to Release 3.1.1 will not be able to benefit from having additional factory profiles or default profile groups being added.
Release 3.1.1 also included a minor change to the Profile Group implementation. In previous releases, endpoint profiles that were not assigned to a specific group were placed in the "uncategorized" group by default. In this release, this has now been changed to "ungrouped." If you want to remove an Uncategorized default group, you can delete it using the UI. Upon deletion, all profiles that were in the Uncategorized group are now moved to Ungrouped upon deletion of the old default Profile Group.
NetMap Polling of Network Devices and Active Directory Servers
This release supports a user-selectable polling interval in the Server configuration that allows you to control the frequency of polling for Active Directory servers system-wide (the default is 120 minutes). By setting this value to 0 minutes, this causes the system to cease polling for Active Directory Servers.
Caveats
This section describes the following caveats.
•Open Caveats - Release 3.1.1-18
•Open Caveats in Documentation - Release 3.1.1-18
•Resolved Caveats - Release 3.1.1-18
Note If you are a registered cisco.com user, you can view Bug Toolkit on cisco.com at the following website:
https://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
To become a registered cisco.com user, go to the following website:
https://tools.cisco.com/RPF/register/register.do
Open Caveats - Release 3.1.1-18
For Cisco NAC Appliance caveats that impact Cisco NAC Profiler, refer to the "Caveats" section of the applicable version of the Release Notes for Cisco NAC Appliance (Clean Access) at: http://www.cisco.com/en/US/products/ps6128/prod_release_notes_list.html
Table 3 List of Open Caveats (Sheet 1 of 13)
DDTS Number
|
Software Release- Cisco NAC Profiler Version 3.1.1-18
|
Corrected
|
Caveat
|
CSCtr22225
|
No
|
cleanaccess.conf displays CAM credentials in plain text.
Cisco NAC Appliance - Clean Access Manager (CAM) credentials are stored in plain-text in the NAC Profiler.
Conditions NAC Profiler Deployed with NAC Appliance integration.
Workaround
1. Create a special account/password with privileges restricted to the API for the NAC Profiler to use when interacting with the Cisco NAC Manager. This blocks them from using the GUI and requires experience/knowledge of the NAC API interface with normal system operations.
2. It is possible to remove the file after the NAC Profiler integration is established on 3.1.1 systems with Cisco NAC Manager (CAM).
Note Apply Changes -> Update Modules re-generates the file, so remove the file upon each full restart of the system as a workaround.
|
CSCta83480
|
No
|
Default Collector status 4.7.0 should not be "Could not find install file."
When using system collector status on an uninstalled NAC Server 4.7.0 (CAS) collector, the system prompts "could not find install file." This is before configuring and starting collector.
[root@cas3-3350-rachnar beacon]# rpm -q Collector
Collector-2.1.8-38
[root@cas3-3350-rachnar beacon]# service collector status
Could not find installation file
This message needs to be changed to make it more understandable. Such as a warning that collector needs to be configured/started. A more user friendly output would be: Collector is not installed, please install using system collector config
Conditions Checking collector status.
Workaround None.
|
CSCsy84379
|
No
|
SNMP informs needed for Cat 6500 Profiler compatibility.
NAC Profiler does not process SNMP informs in release 2.1.8
Conditions Access switch SNMP configuration.
Workaround Access switch SNMP configuration should use traps not informs to send mac-notiification mib.
|
CSCsy37162
|
No
|
Debug trace needs detail levels.
Debugging on collector or server gives little or no useful information for troubleshooting purposes. This is not a scalable approach for support in the field.
The application needs to provide more detail in the form of standard log levels. 0--7 are standard, for example syslog:
<0-7> Logging severity level
7-debug; debugging. Debugging messages (severity=7)
6-inform; informational. Informational messages (severity=6)
5-notif; notifications. Normal but significant conditions (severity=5)
4-warn; warnings. Warning conditions (severity=4)
3-err; errors. Error conditions (severity=3)
2-crit; critical. Critical conditions (severity=2)
1-alert; alerts. Immediate action needed (severity=1)
0-emerg; emergencies. System is unusable (severity=0)
Conditions Observed in version 002.001(008.037)
Workaround The collector does not offer field debug capabilities.
|
CSCsx42320
|
No
|
Profiler and Collector unable to communicate through NAT device.
NAC Profiler and Collector can not communicate with each other between a NAT device.
Conditions When a Profiler and Collector are connected between a NAT device, communication is not established.
Workaround NAT breaks the communication and should be moved to a Non-Nat setup between Collector and Profiler.
|
CSCsv91750
|
No
|
NacProfiler - xml configuration file protected by a signature.
The configuration file is not secure and susceptible to get changed manually. The goal is to have a protection mechanism on the file, as only the software can change it. It ensures the integrity of the file. Having a Digest+Signature at the end of each XML file increases product security by avoiding manual and unauthorized change in the config file.
Conditions Observed in version 002.001(008.037)
Workaround None.
|
CSCsy40430
|
No
|
Breadcrumbs do not match the actual category name sometimes.
Conditions Observed in version 003.000(000.000). Click > Configuration > Accounts: Configuration > NAC Profiler Users is displayed for breadcrumbs.
Workaround None. Cosmetic.
|
CSCsy37696
|
No
|
Mac osx Firefox and Safari clear endpoint message unclean formatting.
When clearing endpoint the system prompts, "Are you sure you want to clear this Endpoint? All current information about this endpoint in the endpoint database will be removed. History information will be retained should the endpoint be rediscovered. Click OK to permanently remove this endpoint."
Conditions Using OS X Firefox 3.0.7 & Safari.
Workaround Use Windows IE6 or Firefox 3.0.7 if you want to see it right, operationally it does not matter.
|
CSCsz73384
|
No
|
Service collector status lists profiler status.
Lists collector status as profiler status.
Conditions Observed in version 003.000(000.000). On CAS collector - service collector status.
Workaround None, cosmetic issue.
|
CSCta97229
|
No
|
Collector Modules show "Stopping" instead of "Stopped" in Profiler UI.
When the collector is stopped manually, the Profiler UI "Table of Collectors" shows status of "All modules Stopped".
However, the collector services (such as NetMap, NetTrap, NetWatch) always remain in Stopping state.
They never change to reflect "Stopped" state even upon waiting or clicking Refresh.
Conditions Profiler/Collector 2.1.8.39. Stopping collector manually.
Workaround The services are actually stopped (can do a service collector status on the CAS).
|
CSCsw30875
|
No
|
NAC Profiler license is not included in the CCA evaluation bundle.
The Clean Access evaluation license does not include the NAC Profiler and Collector licenses.
Conditions Request for NAC evaluation license in order to evaluate NAC Profiler and Collector.
Workaround The current workaround is to provide the customer with manually generated licenses, after asking the customer for the appliance MAC address (the other NAC evaluation licenses are not bound to a specific MAC).
|
CSCtn27257
|
No
|
Profiler GUI shows CSV Import success for devices even if import fails.
Profiler GUI reports successful import of network devices even if import fails due to format or other issues.
Conditions Observed in version 003.001(001.000). Data import from CSV file in improper format.
Workaround dberrlog log to show an insert error stating syntax is wrong.
|
CSCti25311
|
No
|
When doing "Clear Endpoint" page should navigate back to Table of Profile"
NAC Profiler GUI should navigate back to "Table of Profile Name" or the Clear Endpoint should be disabled, but navigation still remains same and Clear Endpoint is enabled.
Conditions GUI does not refresh back or move away in version 3.1.x.
Workaround None. Need to navigate manually.
|
CSCti16784
|
No
|
NAC Profiler not able to profile netflow traffic.
The NAC Profiler ignores Netflow summary packets when the IP address is not known for the end-point.
Conditions Netflow summary packets are forwarded to the NAC collector to be used as a network layer profiling method for the endpoint. The Netflow summary packets contain network and transport layer information of the endpoint, which includes the source/destination IP address and port number. However, since the IP to MAC mapping is not know to the Profiler, the Netflow summary packets are being dropped and not profiled. This occurs when Netflow is the only network layer profiling method.
Workaround None.
|
CSCsl59431
|
No
|
Devices in L3 IB NAC deployments cannot be added/removed from filterlist.
Devices in L2 can be added to the filter list, removed from the filter list--based on their profile information; as the profiler can call addmac or removemac API calls towards CAM. But, if these devices are at L3 and IB is the mode of CASs, then Profiler has to use addip/removeip type of APIs to add IP addresses to the IP filter list. This is not currently done for L3 IB devices.
IP address is missing from the CAM when populated via addMac from the profiler: CAM GUI - device management - filters - list.
This is because the profiler call to the CAM is not using the parameter for the device IP address. If the IP address is available, you should try to populate the listing as an added feature to the customer. Tested with 4.5 and 4.1.3.1 CAMs using 2.1.8-37 profiler.
Conditions L3 inband removal of devices via IP address.
Workaround None. This is not a supported feature.
|
CSCtn17418
|
No
|
Profiler can not see 2950 VLANs via SNMP
When using device provisioning on the NAC Profiler, the Profiler can not obtain the VLAN information from a Cisco 2950 switch. The switch is configured for basic SNMPv1 communities.
Configuration -->Network Devices --> Add Infrastructure Device. Once the 2950 is contacted, if you then go to Display Endpoints by Network Infrastructure Device Ports and then manage the 2950, the VLAN information is not available.
Conditions NAC Profiler 3.1.1 or earlier. Cisco 2950 switch which runs 12.1(22)EA14 or earlier
Workaround Remove the network device from the group and set the individual switch settings accordingly.
|
CSCtg62414
|
No
|
RNE from CDETs_On Primary Profiler appliance under /backup folder .dump files increase drastically in size when HA subsystem on Profiler is non functional.
Conditions In Cisco NAC Profiler version 2.1.8-x or even with latest 3.1 Profiler code, it is a known behavior for Profiler to output .dump files in /backup folder which is ideally to be used as backup and also for DB sync between Primary and Secondary Profilers. In particular situation of HA subsystem of Profiler, when synchronizing DB from primary to secondary it is observed that .dump files in /backup directory of "Primary Profiler" increase in size with days of HA subsystem being non functional. Ideal size of .dump files is ~60-100MB, but anything higher ~800MB is a direct indication that DB is not being synchronized on HA pairs.
Workaround To check if HA subsystem is working fine:
1. One of the best ways to detect issues on the heartbeat network that will be the precursor to DB sync failure is monitoring the /usr/beacon/logging/HAPing.out. This is an error log that logs failures of HAPing. Nothing in HAPing out is an indication that all is well on the heartbeat network.
2. more /var/log/messages | grep heartbeat
Heartbeat messages can be monitored for error conditions using that technique. Any issue with HA should be resolved by removing and then re-adding HA configuration as mentioned in document very elaborately. Issue with HA has to be resolved at the earliest as .dump file size might consume all of hard disk space on Primary Profiler causing it to be non responsive to SSH, Profiling.
|
CSCtg62424
|
No
|
RNE from CDETs_psql: FATAL: sorry, too many clients already.
Conditions Error observed in 2.1.8-x version of NAC Profiler appliances in Server.out logs. This essentially suggests that there are too many open connections to Beacon DB and they have to be closed. One possible issue could be that HA subsystem on Profiler pair is non functional and/or some of the scripts have opened connections to DB and have not closed.
Workaround None.
|
CSCsr58170
|
No
|
The CAS service collector status should not list the server module status as "not installed".
Conditions The CAS Collector does not include a server module, only the NAC Profiler includes this module.
Workaround None. This should not be listed on the CAS Collector status output.
Note This does not affect the function of the NAC Collector.
|
CSCsr91618
|
No
|
The Profiler service status lists the services not supported on the NAC Profiler server. The NAC Profiler status shows all the modules for the NAC Collector that will never be running or be installed.
Conditions Forwarder, NetMap, NetTrap, NetWatch, NetInquiry, or NetRelay will never be installed or supported on the NAC Profiler server so they should not be listed in its status:
[root@profiler1 ~]# service profiler status
Version: Profiler-2.1.8-37
o Forwarder Not Installed
o NetInquiry Not Installed
Workaround None.
Note This does not affect the function of the NAC Profiler Server.
|
CSCti28260
|
No
|
The NAC Profiler restarts its services every minute.
Conditions This issue can be seen if the directory containing the licenses for the NAC Profiler includes an extra entry or the directory is one that the NAC Profiler is not able to parse (for example, /usr/home/beacon/.lmlic). It is also possible that this issue may occur in the /usr/beacon/working/flexlm directory.
Workaround Remove all non-license entries from the license subdirectory of the NAC Profiler.
|
CSCsu46348
|
No
|
The NAC Profiler UI NAC roles should use an API call to populate the listing. NAC roles should be populated using a query instead of manually typing them in the NAC Profiler server config—this reduces the chance of error with user input and increases the ease of use for customers.
Conditions This occurs during the entry of NAC roles.
Workaround Carefully performing a manual entry of roles.
|
CSCsy37604
|
No
|
The NAC Profiler does not verify that the Collector and Profiler versions running are the same.
Conditions The Collector version should be running the same version as the NAC Profiler.
Workaround Verify that the version of Collector software matches the version running on the NAC Profiler. You can use the NAC Profiler UI to view the versions of the Collector service running on each Collector and the version running on the NAC Profiler.
|
CSCth26878
|
No
|
An issue with invalid characters in the NAC Profiler profile name can cause the Cisco NAC Profiler database to not start up properly.
Conditions This has been caused by invalid non-alphanumeric characters used in profile names.
Workaround Rename the profiles using supported alphanumeric characters.
|
CSCth94818
|
No
|
The NAC Profiler displays wrong endpoint VLAN identifier when the VLAN is changed by access switch (Authenticator) via dynamic VLAN assignment. Using Profiler UI > Endpoint Console > View/Manage Endpoints > Display Endpoints by Profile does not display correct VLAN information when the endpoint is enabled with 802.1X/MAB authentication.
Conditions VLAN assignment is used for dynamically assigning an access switch port to a policy-controlled VLAN for each authenticated supplicant. When the supplicant is authenticated, the switch-port VLAN is changed from the port-assigned VLAN to the dynamically-assigned VLAN defined on the RADIUS server. When the access port is updated with the dynamically-assigned VLAN, the NAC Profiler does not update the endpoint VLAN identifier. The VLAN displays the default port-assigned VLAN or a zero.
Workaround None.
|
CSCth96702
|
No
|
Active Response port disable, bounce, and re-authentication will not be working properly in NAC Profiler if the location information (switch IP address and port information) is not present. The location information is a mandatory requirement for NAC Profiler because this is needed to handle race conditions in profile creation to trigger the appropriate events.
Conditions Normally, during the Cisco NAC Profiler event delivery methods (Configuration > NAC Profiler Events > Edit Event), as soon as NAC Profiler learns endpoint details, it should fire off the following events:
•Active Response
•Disable Port
•Bounce Port
•Re-authenticate (Cisco switches)
The error is with the re-authentication process. The NAC Profiler needs to be configured such that re-authentication is triggered only when the endpoint is moved from one to another NAC Profiler.
Workaround There is no current workaround.
|
CSCth97458
|
No
|
When a profile matches more than one NAC event, this cause NAC synchronization to behave erratically. While this is happening, devices that are profiled and should be added to the CAM filter list may not be added to the CAM as a result.
Conditions For example, if you have a profile name of "Cisco IP Phone" and two NAC events with filter strings of "/IP Phone/i" and "/Cisco IP Phone/i", the profile will match both of these events. In the Server.out log, you will see a NAC sync start, but there will be be no NAC sync end. Something similar to the following error will occur:
NAC_SYNC: CCA Event Rule Configuration Conflict: profile `Cisco IP Phone' is matched by more than one CCA Event Rule. At a minimum, the following CCA Event Rules are involved:
•IP Phone
•Cisco IP Phone
Workaround You need to modify the filter so that only one profile can match any one NAC event. For instance, using this example, change the first regex string to "/^IP Phone/i" so that it will match only those profiles that start with "IP Phone". Cisco NAC event names are wild card entries, which should match specific wild card event names.
|
CSCth84633
|
No
|
The Admin UI in NAC Profiler allows a NAC Collector name to exceed the 24-character limit.
Conditions The NAC Profiler UI should validate the NAC Collector name and limit or truncate any name that exceeds 24 characters in length.
Workaround There is no current workaround.
|
CSCtg22772
|
No
|
The endpoint is correctly modeled and the Active Response event is triggered. However, NAC Profiler 3.1.0 release was unable to bounce, disable, or re-authenticate the switch port. Under the even summary, the switch IP and port information is shown as 0.0.0.0/0.
Conditions Related conditions can include the following:
•Under some conditions (network/switch behavior), the NAC Profiler 3.1.0 release receives the NetWatch information on DHCP a few milliseconds (MS) before the TrapReport information for SNMP.
•As a result of this timing issue, this causes new endpoints to be profiled and events to be triggered before getting the switch IP and port information via TrapReport. So, this means it is without the data it needs to perform an Active Response event (bounce, disable, or re-authenticate) on the witch ports.
•The switch learns the MAC on the port, adds it to its FDB which will in turn generates a MAC Notification trap (this is done via the "slow path", which requires switch CPU interaction).
•As the DHCP discover is forwarded by the switch ("fast path") it is seen by NetWatch. The DHCP discover reported to the server by NetWatch results in the Profiler discovering the endpoint and profiling it simultaneously (because the DHCP VCI rule is the one used in the endpoint profile). This also cause the New Endpoint event to trigger.
•As the endpoint is discovered by NAC Profiler, it is also being modeled into the endpoint profile, which triggers the event immediately upon the modeler action initiated upon receipt of the DHCP information from NetWatch.
•This results in the DHCP discover triggering the endpoint profile and the event even before the NAC Profiler is able to get the switch IP and port info via SNMP.
Workaround None.
|
CSCti29950
|
No
|
The secondary high availability (HA) configuration is failing with the following error:
ERROR: invalid input syntax for type timestamp: "Tue Aug 10 09:05:06.603466 2010 IDT".
Conditions The Cisco NAC Profiler HA setup configured with NTP of Asia, Israel (IDT) rounds.
Workaround Perform the following:
1. Remove the HA (/root/.resetProfiler removeHA).
2. Change the time zone to be for example, US or CSET on each member (service profiler setupntp).
3. Attempt to join the HA (service profiler setupha).
|
CSCti13583
|
No
|
When looking at the licensing page of the Cisco NAC Profiler in an HA setup, a green check is displayed for the local Profiler but a red x is displayed for the remote Profiler and Collector, even when valid licenses are uploaded. These are display characteristics only and do not affect Cisco NAC Profiler operations.
Conditions Cisco NAC Profiler in an HA setup mode.
Workaround This is only a display characteristic. No action required.
|
CSCti13604
|
No
|
If a NAC Profiler is connected to a HA set of NAC Collectors and they experience a failover, there is a minimal delay period before reconnection is made between the NAC Collector and the NAC Profiler.
This is caused because the CAS is in a secondary mode and its eth0 is shutdown so no traffic is passed through until it resumes its active state. When this resumes, the NAC collector again shows its status as running.
Conditions Can occur when NAC Collectors are running in an HA mode.
Workaround This is a minimal recovery period (one minute or less).
|
CSCti03181
|
No
|
NAC Profiler does not seem to emulate the condition that previously known devices have not been heard from.
Conditions This issue can occur because the NAC Profiler has a 'certainty' mechanism that reduces confidence that a device matches against any previously matched profile over a period of time. This is intended to handle devices that have not responded for some length of time.
By adjusting the date on a NAC Profiler server, you can emulate the condition that previously known devices have not responded for a period of time (for example, a week, a month, etc.). This could be a previously profiled endpoint (such as an HP Printer) that has been disconnected for a number of days.
Workaround There is no current workaround.
|
CSCts98131
|
No
|
NAC Profiler HA does not work with all timezones as their NTP sources.
After configuring HA on NAC Profiler, if WIT or some of the other timezone formats are used, HA on profiler is known to have issues during replication to secondary node.
Workaround Use only GMT or UTC as NTP timezone on the NAC Profiler for the NTP and HA to work properly. Use the command service profiler setupntp to make changes to the NTP setttings on an HA Profiler installation.
|
CSCtu16631
|
No
|
NAC Profiler MAC Address Rule Allows Unlimited Characters.
NAC Profiler DB has a limit of 24 characters. While adding a rule, the number of characters added in the MAC Address are not automatically limited. Anyway, the string is truncated to 24 characters when saved.
|
Table 4 List of Open Caveats - Documentation
DDTS Number
|
Software Release- Cisco NAC Profiler Version 3.1.1-18
|
Corrected
|
Caveat
|
| |
CSCtl66972
|
No
|
Profiler 3.1.1 guide does not document OUI update feature.
Profiler 3.1.1.18 introduced a feature to update the vendor OUIs from the internet with a script. This needs to be documented.
Workaround [beacon@BeaconHA1 ~]$ cd /usr/beacon/scripts/maint
[beacon@BeaconHA1 /usr/beacon/scripts/maint]$ ls
altBuild.php bundle convertLog.pl restoreDB-HA.pl rmNetDev.pl
beacondb.gz check.sh ouiUpdate.pl restoreDB.pl setHTPass.php
[beacon@BeaconHA1 /usr/beacon/scripts/maint]$ ./ouiUpdate.pl
Downloading the OUI file... Please Wait...
Validating OUI file... Please Wait...
Found a total of 14165 entries.
Please type 'list' to see the new entries or 'replace' to replace your current OUI table with the new one:
replace
Updating the Profiler's Database... Please Wait...
The update is complete.
[beacon@BeaconHA1 /usr/beacon/scripts/maint]$
New feature in 3.1.1, does not have any dependency on 3.1.1--you could copy the script from a 3.1.1 system to a 3.1.0 system.
|
CSCtk99552
|
No
|
NAC profiler certificate type and conversion.
OpenSSL on NAC Profiler appliance can convert different encoding types to PEM. Though this is not Profiler specific feature, including this information in the configuration guide helps customers (and Cisco as well) to easily convert certificates to PEM in order to get the profiler up and running.
In chapter "Configuring Cisco NAC Profiler for the Target Environment" under section "Importing a Digitally Signed SSL Certificate onto the Cisco NAC Profiler System" add:
Note The certificates must be encoded in PEM. If the profiler and/or CA chain certificates are in different formats, they must be converted.
This can be done from the Profiler server CLI, by logging in as root:
openssl <current encoding> -print_certs -in <current certificate name> -out <output name>
To verify that the profiler certificate is valid and signed by a CA somewhere in the chain certificate bundle:
openssl verify -CAfile <chain certificate> <profiler certificate>"
Workaround Convert the certificates to PEM. This can be done from the Profiler server CLI, by logging in as root: openssl <current encoding> -print_certs -in <current certificate name> -out <output name>
|
CSCte93969
|
No
|
NAC profiler does not update the complete MAC address list on the CAM.
Full synchronization between the NAC profiler and CAM does not happen properly. Individual MAC address entries make it through to the CAM filer list.
The following sync error is seen:
NAC_SYNC: unexpected error -- timeout on stderr at /usr/lib/perl5/site_perl/5.8.8/IPC/Session.pm line 93.
Conditions Keyless ssh works but the ssh config file has referenced a banner file that has no trailing EOL
Workaround RNE suggests that when configuring Banner is on CAM, when you want interoperability with the profiler, you need to make sure the EOL is at every line and the end of the doc.
The trailing EOL can be introduced by opening the banner file with VI editor and saving it. Other Linux editors might allow a file to be saved without an EOL
Workaround
It can be easily corrected on the customer's system with the following steps (on both NAC Manager nodes):
1. Log in as root
2. Open in 'vi' editor -- vi banner.pre
3. Save file by typing ":wq"
4. (renable banner) Edit /etc/ssh/sshd_config and un-comment last line ("Banner ...")-- write changes
5. Restart ssh service -- service sshd restart
|
CSCta06865
|
No
|
Profiler Documentation does not cover configuring Failover NAC Managers.
The Cisco NAC Profiler Installation and Configuration Guide, Release 2.1.8 section "Integration with Cisco NAC Appliance" does not cover how to add failover NAC managers to the NAC Profiler.
RNE from CDETs suggests the need to add the DNS/IP of the CAM VIP and secondary (comma separated) in the Profiler server config Address field.
Conditions NAC Profiler 2.1.8
Workaround Add the Manager Service IP/DNS Name followed by the Secondary Manager IP/DNS Name and separate them by a comma.
|
CSCtj15872
|
No
|
RNE from CDETs_Password recovery procedure for 2.1.8-x and 3.1.x versions of Profiler.
Procedure to set a new password for root for 2.1.x NAC Appliance.
1. Press any key during the GRUB Loading message
2. Select appropriate kernel (mostly there is only one) and press e:
3. Select the kernel boot line (typically the second line) and press e:
4. Add capital S at the end of the line
5. Press Enter and verify your edit
6. Press b to boot into Single User mode
7. Use passwd to set a new root password at the prompt
8. Once the password is set, use shutdown -r now to reboot
9. Type "passwd beacon" from root and press Enter
10. Enter the Beacon user password and press Enter
Note Ignore messages that password is short or a dictionary word
11. Retype password when prompted press Enter
Procedure to set a new password for root on a 3.x and above NAC Appliance.
1. Boot the appliance and press 4 at the boot option menu
2. Enter the path to the shell you wish to use for single user mode session or press Enter for default (bourne shell)
3. Use mount -u / followed by mount -a to mount the root file system (this must be done for the password to take)
4. Use passwd to set the root password, at the command line prompt
5. Use the sync command (issued as sync;sync) to make sure the new password is written to disk
6. Use reboot OR shutdown -r now to reboot the system
|
|
CSCtd37697
|
No
|
NAC Collector 3.1 on a Cisco NAC 4.6.1 gets downgraded when the Cisco NAC is upgraded to 4.7.1.
When a user upgrades the Cisco NAC Profiler including the Profiler Collector to 3.1 in Cisco NAC 4.6.1, followed by upgrading the NAC 4.6.1 to 4.7.1, it overwrites the Collector 3.1 with Collector 2.1.8.39.
Workaround After upgrading NAC 4.6.1 to 4.7.1, you must manually upgrade the Profiler Collector 2.1.8.39 to 3.1, because Cisco NAC Profiler Collector 2.1.8.39 comes bundled in NAC 4.7.1.
|
CSCtg65296
|
No
|
NAC Profiler 3.1.0 and later releases do not retrieve VLAN information for Cisco 4500 switches that are configured for NAC out-of-band (OOB).
Conditions The following conditions need to be met:
•Profiler needs to query the OID .1.3.6.1.4.1.9.5 so it can retrieve the VLAN information from the Cisco 4500 switches.
•The MIB CISCO-SMI containing this OID .1.3.6.1.4.1.9.5 is supported only on certain images of the Cisco 4500 switches. See the following:
http://tools.cisco.com/ITDIT/MIBS/AdvancedSearch?ReleaseSel=0&PlatformSel=94&fsSel=0&mibIdArr=4623&totalPages=14226&totalNoOfImages=-1&pgSelect=1
•IOS 12.2(23) is the latest code version that supports the CISCO-SMI MIB, and in turn, the OID .1.3.6.1.4.1.9.5.
•However, Cisco 4500 switches are supported in NAC out-of-band (OOB) starting from 12.2(31)SGA02. See the following for details:
http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/switch_spt.html#wp40017
Workaround None.
|
CSCti30635
|
Yes
|
NAC Profiler licensing guide recommends using upper case MAC addresses when generating a license.
Conditions The Cisco NAC Appliance Service Contract/Licensing Support documentation incorrectly states that "When entering the MAC address to generate the license, you must enter all upper case hexadecimal characters."
Because the licenses are case-sensitive, licenses for the Cisco NAC Profiler and Collector must be generated with lower case MAC(s). When entering the MAC address to generate the license, you must enter all lower-case hexadecimal characters.
Workaround None.
|
CSCsw97514
|
No
|
Unable to delete a NAC Collector from the Cisco NAC Profiler. An error displays that indicates that the NAC Collector does not exist in the database.
Conditions If you enter a Collector name when initially configuring the service that exceeds 24 characters in length, the name is truncated when added to the database. This results in a mismatch between what is displayed in the UI and what is stored in the database, which prevents the NAC Collection from being deleted.
Workaround Manually delete the Collector from the Profiler database.
1. SSH to the Profiler Server as user 'beacon'.
2. Enter the following command at the prompt:
echo "delete from beacon_component where name LIKE '<collector name as it appears in the UI>';" | psql
|
CSCtg57780
|
No
|
Events are triggered even without any switch IP and port information.
Conditions Profiler can correctly bounce, disable, or re-authenticate a port through an Active Response only when receiving switch IP and port information before an event is triggered. This is done only when SNMP data is received before DHCP data by the Profiler. However, if DHCP information is received before the SNMP data, it could cause the following scenarios to occur:
•When the switch learns the MAC on the port, adds it to its FDB, this in turn, generates a MAC Notification trap (done using the "slow path" that requires CPU interaction). As DHCP discover is forwarded by the switch ("fast path") and seen by NetWatch. DHCP discover is reported to the server by NetWatch which results in the Profiler discovering and profiling the endpoint simultaneously (due to the use of DHCP VCI rule for endpoint profiles). This also triggers a New Endpoint event.
•When the endpoint is discovered by the Profiler it is also being modeled into an endpoint profile that triggers an event immediately upon the modeler action initiated on receipt of DHCP information from NetWatch. The DHCP discover triggers an endpoint profile and an event even before the Profiler is able to get the switch IP and port information via SNMP.
•As a result, an Active Response event could be fired without any switch IP and port information. Thus, not allowing the Profiler to bounce, disable, or re-authenticate the switch port.
The order of receipt of the data by the Server is important here. If the NetWatch/DHCP data used for discovery, profiling, and event triggering precedes the NetTrap location information, the system does not have a valid location (switch and port) at the instant the endpoint is profiled. Hence, it cannot fire the event. However, by the time the NAC Profiler UI is checked, the location information has already been received and stored in the database, so that it falsely appears that the location information was known.
This means that the switch IP and port information in the event summary may not appear because at the time the event was triggered, that information had not yet been received via SNMP. This may cause a condition for example, when a non-PoE device (PC, printer, etc.) plugged into a switch interface is (re)booted. The switch will first forward first the DHCP traffic, and next the SNMP traps. Because only after an IP is tied to the MAC address does the switch send out SNMP notification. Consequently, the NAC Profiler cannot support Active Response events with devices that are (re)booting.
Workaround None.
|
Open Caveats in Documentation - Release 3.1.1-18
Resolved Caveats - Release 3.1.1-18
Table 5 List of Resolved Caveats (Sheet 1 of 9)
DDTS Number
|
Software Release- Cisco NAC Profiler Version 3.1.1-18
|
Corrected
|
Caveat
|
CSCsw70560
|
Yes
|
NAC Profiler configuration guide page 9-4 LDAP AAA list incorrect
Workaround Replace Cisco ACS or Juniper with Cisco Secure ACS or comparable AAA server.
|
CSCtl94426
|
Yes
|
Document needs to clarify what MAC addresses should be in the Profiler/Collector licenses.
Conditions If it is Profiler HA, the Collector license needs to contain 2 MAC addresses (no matter if it is Collector HA or Stand alone): One of the eth0 of the Primary Profiler; the other is eth0 of the Secondary Profiler.
Workaround License File Sync -Starting from version 3.1.1-18 for a Cisco NAC Profiler running HA, a "FO Bundle" license with the eth0 MAC ID of the Primary as well as the secondary can be uploaded on the active node and the license is replicated to the passive or secondary node. Replication of the license file is asynchronous, and does not occur if license files are deleted or are uploaded through SCP to either of the appliances in the failover pair."
|
CSCtl51096
|
Yes
|
Profiler document needs to document that eth0/eth1 are not Supported for NetWatch.
Conditions This may be related to issues running NetWatch on eth0/eth1 interface. Still an open issue-run NetWatch on eth2/3 interface.
Workaround Document that eth0 and eth1 are not supported for Profiler NetWatch. Since this is applicable to all current Profiler versions, update the equivalent documents for all releases.
|
CSCtc34810
|
Yes
|
Endpoint location data is not displayed when trunk port info is received.
Conditions If Profiler receives data that indicates the endpoint (a single mac address) is seen on two ports, such as a physical port and a trunk port, no information is displayed for the endpoint.
Workaround There is a patch released for this and same will be the workaround.
|
CSCtd69946
|
Yes
|
In the CAM Device Filter list (integrated to Cisco NAC Profiler), upon clicking on the Profiler link in the Description field, the user cannot login to the profiler to view the summary information for the endpoint.
Conditions No display of the endpoint summary in CAM Device Filter List if browsing through Internet Explorer.
Workaround Right click on the profiler link and chose Open link in new window or Open link in new tab to view the Profiler summary information.You can also use Mozilla Firefox browser for this purpose.
|
CSCte41353
|
Yes
|
SNMP Session Reauthentication is not working.
Conditions When the re-authentication event is triggered, the NAC Profiler has insufficient information about the authentication session on the switch to carry out the operation via an SNMP set. This issue is specific to Cisco NAC Profiler Release 3.1.
Workaround Download Patch-CSCte41353-K9.zip from http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=268438162, and apply this patch on NAC Profiler/Collector 3.1.0 version.
|
CSCte93435
|
Yes
|
The Profiler MAC Address OU database is outdated for HP MAC address.
Conditions New HP Printer MAC addresses are not being recognized by Profiler because the OU database does not have the entries.
Workaround None.
|
CSCsy03646
|
Yes
|
There was an issue with the Cisco NAC Profiler HA license requirements. Based on CCO documentation it is not clear which License files are required for Profiler HA/Collector HA setup. See the following:
http://www.cisco.com/en/US/docs/security/nac/appliance/
support_guide/license.html#wp39197
•For Cisco NAC Profiler or Cisco NAC Profiler Failover (HA) licenses, submit the eth0 MAC address of the Primary Profiler Server.
•For Cisco NAC Profiler Failover (HA) license only, submit the eth0 MAC address of the secondary Profiler Server.
http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/license.html#wp39086
•A Profiler Server license—installed on the Profiler Server
•A Profiler Collector license for each CAS Collector— installed on the Profiler Server.
•Failover Profiler Server (based on NAC-3350) - for HA pair.
Conditions Profiler HA / Collector HA setup.
Workaround One Profiler HA LIC file with MAC address primary Profiler eth0 and secondary Profiler eth0.
|
CSCtb17189
|
Yes
|
Profiler incorrectly sets switch ports connecting endpoints other than IP Phones using CDP as trunk ports in the Cisco NAC Profiler UI. Cannot view endpoints on trunk ports in UI.
Conditions In 2.1.8 version, automatic trunk detection was excluded only on ports that registered CDP Platform Type containing the string `phone.' Endpoints using CDP Platform Type not containing phone would be marked as trunk ports in the UI.
Workaround None.
Note 3.1.0 version requires administrator configuration of CDP Trunk Exclusion parameter of Profiler Server module to exclude CDP Platform Types in addition to the default of `phone.'.
|
CSCsl20917
|
Yes
|
The installed licenses are not displayed.
Conditions When displaying the Admin UI - Upload Licenses, the installed licenses are not displayed.
Workaround Check the file via the CLI at the following location: /usr/beacon/working/flexlm
|
CSCsl21160
|
Yes
|
Profiler Admin session should Logout after timed interval. The Cisco NAC Profiler GUI Admin logged in never is logged out.
Workaround None.
|
CSCte60976
|
Yes
|
Trap Handling for v2c traps are INOP for version 4.7.1 of the CAS/Collector Only. Older versions of SNMP Research in the CentOS build used for Cisco NAC Appliance Release 4.7.1 result in NetTrap being unable to determine the IP address of the trapping agent.
Conditions This issue is specific to Cisco NAC Profiler Release 3.1 when integrated with Cisco NAC Appliance Release 4.7.1.
Workaround Download Patch-CSCte60976-K9.gz from http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=268438162, and apply this patch on the Cisco NAC Profiler/Collector 3.1 version.
|
CSCsm72012
|
Yes
|
Need SSL import/export certificate GUI tab for the Profiler.
Profiler needs to have an import/export utility for SSL certificates on the Profiler GUI.
Workaround None.
|
CSCsq34147
|
Yes
|
The primary NAC Profiler shows database errors on Endpoint Console. The standby NAC Profiler displays Unknown DB Error on the Endpoint Console page.
Conditions Cisco NAC Profiler running 2.1.8-37 in a failover pair. This will only show up on the standby Profiler.
Workaround Nothing specific, this is a display issue.
Further Problem Description
The Active Profiler has the secondary database locked. When the secondary endpoint console page is brought up it tries to write to the database, but is denied. This error will not affect the operation of the Profilers.
|
CSCsq42942
|
Yes
|
Cisco NAC Profiler: secondary NAC Profiler shows License Error.
The secondary Profiler in a failover pair will display a license error for the Collector licenses installed on the server since they were generated with the primary Profiler's MAC address.
Conditions Cisco NAC Profilers running in a failover pair. This is only seen on the secondary Profiler. This was observed in 2.1.8-37.
Workaround None, this is a display issue and will not affect the operation of the Profilers.
Further Problem Description
Example error:
INFO: [2008-05-02 15:48:44 (fcapGetHWAddr:91)] Retrieving
HWAddr for eth0 ERROR: (FlexLM): Unknown MAC ->XXXXXXXXXXXX
ERROR: (FlexLM): No match found in ->
[<Count>2</Count><PrimaryMAC>YYYYYYYYYYYY</PrimaryMAC>]
|
CSCsu29905
|
Yes
|
Cisco NAC Profiler SNMP trap receive does not check community string.
Cisco NAC Profiler NetMap Collector solution is unable to verify network device (switch) snmp trap community string. Operationally the solution is processing endpoints and correctly profiling.
Conditions Any SNMP (v1, v2c) trap sent community string.
Workaround None.
|
CSCsu46247
|
Yes
|
Cisco NAC Profiler GUI allows duplication of Collector entry. A Collector with the same name and IP address can be created as a duplicate in the Cisco NAC Profiler GUI.
Conditions When a Collector of the same info already exists.
Workaround None.
|
CSCsu46273
|
Yes
|
Cisco NAC Profiler GUI needs the ability to set time and NTP information. Currently, there is no way to set the time using the GUI.
Workaround The time must be set through the Linux CLI and there is a procedure for how to setup NTP (requires HA setup to be uninstalled when doing this). This document is out of the scope of the defect. The current system time is now shown on the Home tab and when viewing the system log from the Utilities tab.
|
CSCsu46311
|
Yes
|
Cisco NAC Profiler GUI does not display IP or name of active Profiler.
When you click on the Config - Cisco NAC Profiler modules - List Config - Server server it displays Server Name: Server. The CLI name shows machines profiler1 and profiler2, but this is not shown nor the actual IP config on the boxes using the GUI.
Workaround None.
|
CSCsv66296
|
Yes
|
Changes of Collector NetWatch config corrupt network block formatting.
The formatting of the network block is corrupted and saving the config gives an error (example 172.16.17.0/24172.16.18.0/24 is not a IP v4 Address).
Conditions Removing/adding/editing the NetWatch interface under the Collector configuration and then saving the Collector.
Workaround Fix the blocks before saving the configuration or return to the configuration and correct it.
|
CSCsu46247
|
Yes
|
A NAC Collector with the same name and IP can be created as a duplicate in the Cisco NAC Profiler UI without warning the user.
Conditions Adding Collectors to the Cisco NAC Profiler configuration, no validation that the Collector Name already exists.
Workaround None.
|
CSCtg99187
|
Yes
|
During the process of querying, Profiler 3.1.1 now adds cn=user to the Active Directory (AD) user.
Conditions A patch was released to address this issue for customers with NAC Profiler 3.1.0-24. Release 3.1.1 of the Cisco NAC Profiler has resolved this issue.
Workaround None.
|
CSCth25337
|
Yes
|
In Profiler 3.1.0 and earlier releases, high availability (HA) setups can encounter database corruption if the active database is rapidly "flipped" back and forth between servers.
Conditions Reboot or shutdown of the NAC Profiler is not consistent in NAC Profiler 3.1.0 and earlier releases as these release encountered issues withe database sync and the NAC Profiler service not starting up properly. A patch was released patch for NAC Profiler 3.1.0, and this was and resolved in NAC Profiler 3.1.1.
Workaround The same "graceful" HA commands added to the NAC Profiler service CLI in 3.1.1 are also available in the 3.1.0 patch.
|
CSCth43163
|
Yes
|
When using the DNS Zone Transfer feature in NAC Profiler 3.1.0 release code, retrieving an IPv6 DNS entry could cause the NAC Collector to be unable to send the DNS entries to the NAC Profiler.
Conditions When any IPv6 entries were found in a reverse DNS lookup, this would cause the NAC Profiler to stall.
Workaround This issue was resolved in release 3.1.1. However, in the 3.1.0 release, IPv6 entries need to be removed manually.
|
CSCth43091
|
Yes
|
NAC Profiler release 3.1.0 encounters an issue with large DNS tables in which the collector correctly polls the DNS table, but is unable to send the table to the profiler. There is a hard-coded limit at 1 megabyte (MB).
Conditions For better performance in release 3.1.0, on CAS the limit for DNS tables was set to 1 MB only. The limit is on work queue size for communication between the NAC Collector and the NAC Profiler via TCP port 31416.
Conditions Starting with release 3.1.1, the number of endpoints that NAC Profiler can now support has been increased, and there is a configurable work queue size on the NAC Profiler UI under collector configuration (Configuration--> click on collector name--> Forwarder- "Work Queue Size").
|
CSCtc84603
|
Yes
|
The Profiler does not purge old entries from the database, even after the timers have expired and regardless of timer settings used.
Conditions This has been observed and reported on NAC Profiler, release 2.1.8-38.
Workaround None.
|
CSCsx97856
|
Yes
|
The software version in the Profiler and Collector CLI and GUI views should reflect the same version (for example, both should show as r_6). The problem reflects the Profiler GUI version in 3.0 displaying one version (3.0.0r.6), while the CLI version for the NAC Profiler and Collector displays another version (3.0.0r_6).
Conditions There was a mismatch in the versions displayed in the GUI and the version showing up using CLI commands. ny workarounds.
Workaround None. This issue has been resolved in release 3.1.1.
|
CSCtd02716
|
Yes
|
An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.
Conditions An advisory is posted at the following location: http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtmlConsult the advisory.
|
CSCtg50546
|
Yes
|
CDP-based profiling for IP phones may not work as expected, due to some known issues.
Conditions The issues were with NAC Profiler release 3.1.0-24.
Workaround It is recommended that you change to DHCP-based profiling for the IP phones until NAC Profiler release 3.1.1 is available.
|
CSCsy37604
|
Yes
|
The NAC Profiler does not verify whether the NAC Collector version is different from the version it is running.
Conditions This can occur when the NAC Profiler and NAC Collector are running different versions of the supported software.
Workaround Ensure that all NAC Collectors are running the same version of the software running on the NAC Profiler.
|
CSCth45393
|
Yes
|
Some devices may fail to be profiled despite the correct information about these devices having been received by the NAC Profiler.
Conditions In NAC Profiler release 3.1.0, profiling was based only on the MAC notification trap.
Workaround It is recommended that you uncheck the Trust Cisco MAC Notification Trap option on the server module of the NAC Profiler UI, and perform an Apply Changes.
|
CSCsx62489
|
Yes
|
An issue exists with the 2.1.8.x and 3.0.0 versions of the Cisco NAC Profiler and Collector. When setting up a collector using the service collector configuration, set the default encryption type to 'none', which should default to AES for security and match the server config defaults. Check the NAC Profiler UI that the server defaults to AES (Configuration > NAC Profiler Modules > List Modules > Server > Add Network Connection).
Conditions When configuring the NAC Collector, use service collector config.
Workaround Enter the type in which you want to match.
|
CSCth39950
|
Yes
|
A condition existed where the first installed NAC 3355 appliance in an earlier release was installed and it detected the ports as: port 1 as eth0 and port 2 as eth1. A subsequent installation using the NAC Profiler ISO image detected these port interfaces in the reverse order. This caused network issues when the NAC Profiler did not correctly recognize the order of the interfaces.
Conditions This condition has been resolved.
Workaround None.
|
CSCsw97514
|
Yes
|
An error occurred because of an inability to delete a NAC Collector from the NAC Profiler. This error indicates that the NAC Collector does not exist in the database.
Conditions The NAC Controller version is 2.1.8-37 and the NAC Collector name exceeded the 24-character length limit.
Workaround A manual workaround exists for deleting the NAC Collector from the NAC Profiler database. To do this, perform the following:
•SSH to the NAC Profiler server as user `beacon'.
•Enter the following command at the prompt: `<collector name as it appears in the UI>%;' | psql
Note The database field for the NAC Collector name is limited to 24 characters in length. The NAC Profiler UI currently does not check the length of the user input for this value. If a name exceeds the 24-character limit, it is truncated to that length when entered into the database.
|
CSCth58694
|
Yes
|
An issue occurred when attempting to grab Active Directory (AD) data for a large number of AD users that exceeded the 1MB limit, which caused data to be discarded on the NAC Collector without alerting user.
Conditions Active Directory data collected exceeded the 1 MB limit.
Workaround None.
|
New Installation of Cisco NAC Profiler Release 3.1.1-18
The following section describes the process for performing a new installation of the Cisco NAC Profiler software (3.1.1-18) required for the Cisco NAC Profiler and Profiler Lite appliances. The files required for installing Cisco NAC Profiler Release 3.1.1-18 are available from Cisco Secure Software at:
•http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=268438162
The software installation files for performing a new installation of Cisco NAC Profiler and Profiler Lite appliances are:
•Profiler-3.1.1-18-iso-md5sum.txt-This is a 128-bit MD5 hash checksum file (defined in RFC 1321) that verifies the file's digital fingerprint and integrity as having not changed as a result of file transfer or disk error.
•nac-collector-3.1.1-18-K9.rpm-This is the NAC Collector RPM that is loaded onto the NAC Server (CAS) to upgrade the NAC Collector component.
•nac-profiler-3.1.1-18-K9-iso-This is the ISO installation file for the Cisco NAC Profiler appliance.
•nac-profilerlite-3.1.1-18-K9.iso-This is the ISO installation file for the Cisco NAC Profiler Lite appliance.
You must log in using your Cisco.com registration user name and password to download these files.
Cisco NAC Profiler Server and Cisco NAC Profiler Lite Server
If performing a new CD installation/upgrade of the Cisco NAC Profiler software on the Cisco NAC Profiler Server or Cisco NAC Profiler Lite Server or HA pair that has yet to be configured/deployed, use the steps described below.
For upgrade of an operational Cisco NAC Profiler system running version 2.1.8, refer to the instructions in Upgrade Instructions for Release 3.1.1-18 in order to retain all system configuration and data.
Note The Profiler Lite appliance platform is supported starting from release 2.1.8-37 and requires a separate ISO file. Only the nac-profilerlite-3.1.1-18-K9.iso file can be installed on the Profiler Lite platform. See Hardware Supported and Software Compatibility for details.
Step 1 Follow the instructions on your welcome letter to obtain a license file for your installation. See Cisco NAC Appliance Service Contract/Licensing Support for details. (If you are evaluating Cisco NAC Profiler, visit http://www.cisco.com/go/license/public to obtain an evaluation license.)
•Log into the Security Software download site for Cisco NAC Appliance and download the latest Cisco NAC Profiler version 3.1.1 ISO image from: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=268438162
•For the standard NAC Profiler Server, download the latest nac-profiler-3.1.1-18-K9.iso.
•For the NAC Profiler Lite, download the latest nac-profilerlite-3.1.1-18-K9.iso.
Step 2 Burn the ISO as a bootable disk to a CD-R.
Step 3 Insert the CD into the CD-ROM drive of the appliance that the NAC Profiler Server/Profiler Lite Server is to be installed on, and reboot the appliance to start the ISO process.
Step 4 Follow the on-screen instructions to complete a "standard" (for example, no custom keyword) ISO of the NAC Profiler Server or Profiler Lite Server appliance, or appliances in the case of high availability (HA) configuration of Profiler Server appliances. Once the ISO installation completes, the appliance ejects the ISO CD and boots to the root prompt. It is now in the same state as a new NAC Profiler Server or Profiler Lite Server would be shipped from the factory with version 3.1.1-18 installed.
Step 5 Upgrade the Profiler Collector component on each Clean Access Server to the appropriate version as described in Installing New/Upgrading Cisco NAC Profiler Collector Service on Cisco NAC Server.
Step 6 See "Installing and Performing an Initial Configuration" in the Cisco NAC Profiler Installation and Configuration Guide, Release 3.1.1 for complete installation and configuration instructions for installing new Cisco NAC Profiler systems.
Upgrade Instructions for Release 3.1.1-18
This section provides instructions to upgrade operational Cisco NAC Profiler systems that are running the earlier supported release (3.1.0-24) to this release, 3.1.1-18.
•nac-profiler_upgrade-3.1.1-18-K9-iso-This is the ISO upgrade file required for upgrading to this release of the Cisco NAC Profiler software.
Note Only a new installation of NAC Profiler release 3.1.1-18 software or an upgrade from release 3.1.0 to 3.1.1-18 is supported. If you are running an earlier release (for example, 2.1.8-xx), you must first upgrade your system to release 3.1.0 before upgrading to release 3.1.1-18.
Note To support Cisco NAC Profiler release 3.1.1-18, the NAC Server(s) must already be configured and running the latest supported Cisco NAC Appliance release as described in Software Compatibility. The Profiler Collector component must also be upgraded on the NAC Server to the corresponding version as described in Software Compatibility and Installing New/Upgrading Cisco NAC Profiler Collector Service on Cisco NAC Server.
Note The Profiler Lite appliance platform is supported starting from release 2.1.8-37 and requires a separate ISO file. Only the nac-profilerlite-3.1.1-18-K9.iso file can be installed on the Profiler Lite platform. See Hardware Supported and Software Compatibility for details.
The upgrade instructions for the Profiler Server include both standalone and HA-pair configurations, and the following sections provide these instructions:
•Upgrading 2.1.8 Cisco NAC Profiler Server and Cisco NAC Profiler Lite Server Standalone Systems to 3.1.0-24
•Upgrading Cisco NAC Profiler Systems from 3.1.0 to 3.1.1
•Installing New/Upgrading Cisco NAC Profiler Collector Service on Cisco NAC Server
Caution Cisco strongly recommends performing a database backup and moving the backup file off-appliance before you begin the upgrade process.
Note You must complete the upgrade for all Profiler Servers and Profiler Collectors in the system to bring all components up to the most current version.
Upgrading 2.1.8 Cisco NAC Profiler Server and Cisco NAC Profiler Lite Server Standalone Systems to 3.1.0-24
Two conditions require that early releases (2.1.8) of the Cisco NAC Profiler and Profiler Lite Server systems be upgraded to release 3.1.0-24 before these systems can be upgraded to Release 3.1.1-18:
1. The operating system of the Cisco NAC Profiler Server system changed in version 3.1.0, requiring systems running 2.1.8 to undergo a complete reinstallation of the NAC Profiler Server software to successfully upgrade to release 3.1.0.
2. There are only two supported methods for installing Cisco NAC Profiler and Profiler Lite release 3.1.1-18 system software on Cisco NAC Server appliances:
–A new installation of the release 3.1.1-18 software.
–An upgrade of earlier releases to release 3.1.0-24, and then an upgrade to release 3.1.1-18. This requires migrating the 2.1.8 database forward to release 3.1.0 compatibility.
For information about database migration and upgrading the Cisco NAC Profiler and Profiler Lite Servers release 2.1.8 to release 3.1.0-24, see "Upgrading 2.1.8 Cisco NAC Profiler Server and Cisco NAC Profiler Lite Server Standalone Systems to 3.1.0" in the Release Notes for Cisco NAC Profiler, Release 3.1.0 at:http://www.cisco.com/en/US/docs/security/nac/profiler/release_notes/310/310rn.html.
Upgrading Cisco NAC Profiler Systems from 3.1.0 to 3.1.1
 |
Warning The 3.1.1 upgrade package requires the Cisco NAC Profiler system to be upgraded and running release 3.1.0 before proceeding with this upgrade to release 3.1.1. The release 3.1.1 upgrade will check the current version of the Cisco NAC Profiler running on the system and will terminate without completing the upgrade if the running version is other than release 3.1.0.
|
Tip If the system to be upgraded is not running release 3.1.0, refer to Upgrading 2.1.8 Cisco NAC Profiler Server and Cisco NAC Profiler Lite Server Standalone Systems to 3.1.0-24.
Upgrading existing Cisco NAC Profiler systems running release 3.1.0 can be performed so that most existing configuration and system data is seamlessly migrated forward as the system is upgraded to release 3.1.1 using the provided upgrade package and without requiring any ISO re-imaging of the appliances.
Note The only configuration of the release 3.1.0 Cisco NAC Profiler system that is not migrated forward automatically by the upgrade is that required for RADIUS authentication of Cisco NAC Profiler UI users. If the release 3.1.0 system is currently authenticating UI users via RADIUS, the parameters in the Cisco NAC Profiler configuration (RADIUS server DNS/IP address and shared secret) will have to be re-entered by the Administrator and saved to the configuration post completion of the upgrade to release 3.1.1.
For distributed Cisco NAC Profiler systems (for example, one or more NAC Collector appliance(s), upgrade the Cisco NAC Profiler Server appliance hosting the server module for the Cisco NAC Profiler system first before upgrading the NAC Collector appliance(s). The upgrade procedure for Cisco NAC Profiler appliances is dependent upon the operating mode: standalone or HA-pair. The procedures for upgrading systems in both operating modes are provided in the following sections.
Upgrading Standalone Cisco NAC Profiler Systems (Release 3.1.0 to 3.1.1-18)
Upgrading the Cisco NAC Profiler software on standalone release 3.1.0 systems to release 3.1.1-18 is a process that uses an upgrade script that determines the operating mode of the system and upgrades all installed components automatically as needed.
This upgrade requires a reboot of the appliance following the upgrade of installed components that occurs near the midpoint of the upgrade process. Following the reboot, the upgrade script is called again to complete the process. Perform the following steps to upgrade standalone Cisco NAC Profiler systems.
 |
Warning The reboot occurs before the upgrade is completed. Following the reboot, the upgrade must be continued as described in the following procedure.
|
Note Upgrading all-in-one or server only HA-pairs requires an HA-specific procedure, if you are upgrading an HA system proceed to Upgrading NAC Profiler Server HA Pairs (3.1.0 to 3.1.1-18).
Step 1 Back up the current database via the Utilities-> System Summary-> Backup Database button.
Step 2 Download the latest nac-profiler_upgrade-3.1.1-18-K9.zip upgrade package from the Cisco Secure Software website.
Tip After downloading this file from the Cisco Secure Software website, you can rename the file as desired. This procedure uses the release file name (nac-profiler_upgrade-3.1.1-18-K9.zip).
Step 1 SCP the nac-profiler_upgrade-3.1.1-18-K9.zip to the /home/beacon directory of the appliance to be upgraded.
Step 2 SSH to the system being upgraded, and elevate to root user using the command:
Step 3 Change directory (cd) to /home/beacon.
Step 4 Verify that the MD5 checksum of the upgrade package matches the checksum specified for the file on the Cisco Secure Software website. Use the following command to generate the checksum of the file on the target system, for example:
md5 nac-profiler_upgrade-3.1.1-18-K9.zip
This command calculates and displays the checksum of the file to the terminal on the appliance so it can be checked against the one displayed on the Cisco Secure Software website.
Step 5 Unzip the upgrade package, for example:
unzip nac-profiler_upgrade-3.1.1-18-K9.zip
This uncompresses the files required for upgrade, and creates a new subdirectory for /home/beacon (for example, named nac-profiler_upgrade-3.1.1-18).
Step 6 Change directory to the nac-profiler_upgrade-3.1.1-18 directory created when the upgrade package was unzipped, for example:
cd nac-profiler_upgrade-3.1.1-18
The directory should include a script named install.sh. Execute the upgrade script by entering the following command:
During the upgrade process, several messages may be sent to the terminal indicating progress of the upgrade as installed components are upgraded. When the update script completes the upgrading of the appliance OS, the appliance must be rebooted to restart the system utilizing the upgraded components. The following messages are displayed:
An intermediate reboot is required
Upon reboot, login in as the root user and re-run this upgrade script
Hit ENTER to reboot the appliance
Step 7 Press Enter to reboot the appliance. Wait for the reboot to complete then re-login to the appliance, and elevate to root access.
Step 8 Resume the upgrade scripts by calling the script in /home/beacon/nac-profiler_upgrade-3.1.1-18 again:
Step 9 The script will continue the upgrade process. At the completion of the upgrade script, verify the Cisco NAC Profiler software version of the appliance by observing the output of the command:
The output will include the full version of the Cisco NAC Profiler system including the build number (for example, Profiler-3.1.1_18), and should indicate the running status for the installed module(s) on the system.
Repeat steps 2 - 8 above on the other standalone Cisco NAC appliances in the system being upgraded to the selected 3.1.1 release.
Note When upgrading Cisco NAC Profiler Server systems integrated with Cisco NAC Appliance, the key-less SSH connection with the Cisco NAC Manager must be re-established after the upgrade to release 3.1.1.
Use the following command to re-establish the key-less SSH:
service profiler setupccakey
Failure to perform this step will result in the failure of NAC synchronization.
Upgrading NAC Profiler Server HA Pairs (3.1.0 to 3.1.1-18)
The procedure for upgrading the software on a HA-pair is performed on the secondary node in the pair first, and then on the primary. In the process of the upgrade, the system that was the secondary node prior to the upgrade will take over the functions of the primary node, similar to what would occur in the event of the failure of the primary.
|
Warning Upgrading the Cisco NAC Profiler software on a HA pair must be completed on both members of the pair sequentially in a single operation. Do not leave the pair with the first appliance upgraded and delay the upgrade of the other member of the pair as the Cisco NAC Profiler system will not be functional in this state.
|
Tip If it is desirable to return the HA pair back to its state previous to the upgrade, failover of the pair will be necessary to force the appliance that was primary node prior to the upgrade back to that state.
You can find the proper procedure for forcing an HA-pair to failover in the Cisco NAC Profiler Installation and Configuration Guide, Release 3.1.1, at: http://www.cisco.com/en/US/products/ps8464/products_installation_and_configuration_guides_list.html
Complete the following procedures to upgrade the Cisco NAC Profiler software on a HA pair.
Step 1 Back up the current database via the Utilities-> System Summary-> Backup Database button on the primary appliance.
Step 2 Download the latest nac-profiler_upgrade-3.1.1-18-K9.zip upgrade package from the Cisco Secure Software site.
Tip After downloading this file from the Cisco Secure Software website, you can rename the file as desired. This procedure uses the release file name (nac-profiler_upgrade-3.1.1-18-K9.zip).
Tip SCP the upgrade package file to the /home/beacon directory of both members of the HA-pair.
Tip Use the eth0 interface IP addresses of both appliances in the pair, not the VIP when copying the upgrade package to the appliances, and when performing the upgrade.
Step 3 Determine which appliance is currently the secondary appliance in the pair using the procedure outlined in the Cisco NAC Profiler Installation and Configuration Guide, Release 3.1.1.
Step 4 SSH to the IP address of the eth0 interface on the secondary node in the pair, and change to the root user access using the su - command.
Step 5 Change directory to /home/beacon (cd /home/beacon), and verify the MD5 checksum of the upgrade package against the checksum specified for the file on the Cisco Secure Software website. Use the following command to generate the checksum of the file on the target system, for example:
md5 nac-profiler_upgrade-3.1.1-18-K9.zip
This command calculates and displays the checksum of the file to the terminal on the appliance so it can be checked against the one supplied with the file.
Step 6 Unzip the upgrade package (nac-profiler_upgrade-3.1.1-18-K9.zip), which uncompresses the files required for upgrade, and creates a new subdirectory (for example, named nac-profiler_upgrade-3.1.1-18) in the beacon/home directory.
Step 7 Change directory to the nac-profiler_upgrade-3.1.1-18 directory created when the upgrade package was unzipped.
The new directory will include a script named install.sh. Execute the upgrade script by entering the following command:
During the upgrade process, several messages may be sent to the terminal indicating the progress of the upgrade as installed components are upgraded. When the update script completes the upgrade of the appliance OS, the appliance must be rebooted to restart the system utilizing upgraded components. The following messages are displayed:
An intermediate reboot is required
Upon reboot, login in as the root user and re-run this upgrade script
Hit ENTER to reboot the appliance
Step 8 Press Enter to reboot the appliance. Wait for the reboot to complete, then re-login to the appliance, and change to the root user.
Step 9 Resume the upgrade scripts by calling the script in /home/beacon/nac-profiler_upgrade-3.1.1-18 again:
Step 10 The script continues the upgrade process to completion. At the completion of the upgrade script, verify the Cisco NAC Profiler software version of the secondary node by observing the output of the following command:
The output includes the full version of the Cisco NAC Profiler system including the build number (for example., Profiler-3.1.1_18), and should indicate the running status for the installed module(s) on the system. This completes the upgrade of the software on the original secondary appliance.
Step 11 Proceed with performing the upgrade process on the appliance that was primary node at the beginning of the upgrade procedure by repeating steps #5-10 (substituting primary for secondary).
The original primary node will become the secondary node during this process, initiated by running the upgrade script on that appliance. The secondary node at the beginning of the upgrade that was upgraded to release 3.1.1 in the previous step now becomes the primary node for the pair maintaining availability of the system.
Step 12 Verify the successful upgrade of the system by entering the service profiler status command. The output will include the current version of the Cisco NAC Profiler system, and should indicate the status of the installed module(s) on the system which is now the secondary node.
Once the second appliance has been successfully upgraded, both members of the HA-pair are now at the 3.1.1-18 release state.
Note When upgrading Cisco NAC Profiler Server systems integrated with Cisco NAC appliance, the key-less SSH connection with the Cisco NAC Manager must be re-established after the upgrade to 3.1.1. Use the command service profiler setupccakey to re-establish key-less SSH. Failure to perform this step will result in the failure of NAC synchronization.
Installing New/Upgrading Cisco NAC Profiler Collector Service on Cisco NAC Server
New installations or upgrades of the NAC Profiler Collector service on a Cisco NAC Server to version 3.1.1 is accomplished via a single RPM file (nac-collector-3.1.1-18-K9.rpm). This RPM file for the NAC Collector gets loaded onto the Cisco NAC Server (CAS) for upgrading the Collector component.
The Profiler Collector RPM is a complete package that can be used to upgrade an existing NAC Collector service on a Cisco NAC Server to version 3.1.1. This RPM can also be used for a new installation on a Cisco NAC Server that does not have the NAC Collector service running on it. Use the following steps to upgrade or install the NAC Collector service on a Cisco NAC Server.
Note When upgrading the Collector service only on a NAC Server via this process, the existing configuration of the Profiler Collector remains intact. For new installations, the Collector service must be provided an initial configuration via the NAC Server CLI, using the service collector config command. See "Installing and Performing an Initial Configuration" in the Cisco NAC Profiler Installation and Configuration Guide, Release 3.1.1 for complete instructions on starting up NAC Profiler Collectors.
Note Cisco NAC Appliance releases are shipped with a default version of the NAC Collector version. When upgrading the NAC Server to a newer appliance release, the current version of the NAC Collector is replaced with the default version of the NAC Collector shipped with the Cisco NAC Appliance release. For example, if you are running NAC 4.7.2 and Profiler 3.1.1-18 and you upgrade to NAC 4.8.0, you need to manually re-install the NAC Collector release 3.1.1 and configure it following the NAC Server upgrade.
Step 1 Download the latest Profiler Collector RPM file (that is nac-collector-3.1.1-18-K9.rpm) from the Cisco NAC Profiler Version 3.1.1 location on Cisco Secure Software website.
Note Prior to downloading, take note of the MD5 value in the Details table of the Software Download screens.
Step 2 SCP the file to the /home/beacon directory of the NAC Server(s) to be upgraded.
Note If the NAC Server/Collector is implemented as an HA pair, copy the upgrade file to both NAC Server appliances in the pair using the eth0 IP address for each NAC Server. Do not use the Service IP address of the HA-NAC Server pair.
Step 3 Initiate an SSH session to the NAC Server being upgraded and login as the root user using the root password.
Step 4 Run the following command to verify the MD5 checksum of the upgrade file against the one provided on the Cisco Software Download site:
md5sum nac-collector-3.1.1-18-K9.rpm
Step 5 Run the RPM file by issuing the following command to install or upgrade the NAC Collector service on the appliance. For NAC Server HA pairs, execute this command on both NAC Servers in the pair:
rpm -Uhv nac-collector-3.1.1-18-K9.rpm
Step 6 The RPM completes and the command prompt returns when it has completed successfully.
Step 7 For newly installed NAC Profiler Collectors, see "Installing and Performing an Initial Configuration" in the Cisco NAC Profiler Installation and Configuration Guide, Release 3.1.1 for complete instructions on starting up NAC Profiler Collectors at:
http://www.cisco.com/en/US/products/ps8464/products_installation_and_configuration_guides_list.html
When upgrading operational NAC Profiler Collectors, complete the remaining steps in this section to restart the NAC Collector services on the new software version using the existing configuration.
Step 8 Issue the following command to restart the Collector service on the NAC Server.
Step 9 Issue the `service collector status' command to verify the version and check the status of the NAC Profiler Collector components which should indicate a status of "Running", with the exception of the Server which indicates "Not Installed".
[root@bcas1 beacon]# service collector status
Version: Collector-3.1.1-18
For NAC Profiler Collectors running in HA mode on HA NAC Server pairs, Step 8 and Step 9 should be performed on both NAC Server appliances in the pair.
Step 10 Using the Cisco NAC Profiler UI, verify the upgraded Profiler Collectors show a status of "All Modules Running" in the System Status table of the Configuration tab.
Documentation Updates
Table 6 Updates to Release Notes for Cisco NAC Profiler, Release 3.1.1
Date
|
Description
|
November 16, 2011
|
•Added caveat CSCtu16631 to Open Caveats - Release 3.1.1-18. For details, see CSCtu16631
|
October 14, 2011
|
•Added caveat CSCts98131 to Open Caveats - Release 3.1.1-18. For details, see CSCts98131
|
March 24, 2011
|
•Added a note under Cisco NAC Profiler Lite section.
•Added new caveats (see Open Caveats - Release 3.1.1-18).
–CSCsl59431 (for details, see CSCsl59431).
–CSCtn17418 (for details, see CSCtn17418).
–CSCti16784 (for details, see CSCti16784).
–CSCti25311 (for details, see CSCti25311).
–CSCtn27257 (for details, see CSCtn27257).
–CSCsw30875 (for details, see CSCsw30875).
–CSCta97229 (for details, see CSCta97229).
–CSCsz73384 (for details, see CSCsz73384).
–CSCsy37696 (for details, see CSCsy37696).
–CSCsy40430 (for details, see CSCsy40430).
–CSCsv91750 (for details, see CSCsv91750).
–CSCsx42320 (for details, see CSCsx42320).
–CSCsy37162 (for details, see CSCsy37162).
–CSCsy84379 (for details, see CSCsy84379).
–CSCta83480 (for details, see CSCta83480).
•Added new caveats (see Open Caveats in Documentation - Release 3.1.1-18).
–CSCtl66972 (for details, see CSCtl66972).
–CSCtk99552 (for details, see CSCtk99552).
–CSCte93969 (for details, see CSCte93969).
–CSCta06865 (for details, see CSCta06865).
•Added new caveats (see Resolved Caveats - Release 3.1.1-18).
–CSCsw70560 (for details, see CSCsw70560).
–CSCtl94426 (for details, see CSCtl94426).
–CSCtl51096 (for details, see CSCtl51096).
|
February 11, 2011
|
•Added new caveat (see Open Caveats - Release 3.1.1-18).
–CSCtn17418 (for details, see CSCtn17418).
•Updated Product Change Information (see Product Change Information)
•Added new caveat (see Open Caveats - Release 3.1.1-18)
–CSCtn17418 (for details, see CSCtn17418)
|
|
November 26, 2010
|
•Added new caveats (see Open Caveats - Release 3.1.1-18).
–CSCtg62414 (for details, see CSCtg62414).
–CSCtg62424 (for details, see CSCtg62424).
|
September 23, 2010
|
Cisco NAC Profiler Release 3.1.1-18
•Renamed section "New Features and Enhancements" to "Enhancements" (see Enhancements in Cisco NAC Profiler Release 3.1.1).
•Changed caveat status to resolved for the following caveats (see Resolved Caveats - Release 3.1.1-18):
–CSCsy37604 (for details, see CSCsy37604).
–CSCsw97514 (for details, see CSCsw97514).
•Added new caveat (see Open Caveats - Release 3.1.1-18).
–CSCti28260 (for details, see CSCti28260).
|
August 17, 2010
|
Cisco NAC Profiler Release 3.1.1-18
|
Related Documentation
For the latest updates to Cisco NAC Profiler and Cisco NAC Appliance documentation on Cisco.com see: http://www.cisco.com/en/US/products/ps8464/tsd_products_support_series_home.html, or simply http://www.cisco.com/go/nac/appliance:
•Cisco NAC Profiler Installation and Configuration Guide, Release 3.1.1
(http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/311/Profiler311I-C.html)
•Release Notes for Cisco NAC Profiler, Release 3.1.1
(http://www.cisco.com/en/US/docs/security/nac/profiler/release_notes/311/311rn.html)
•License and Documentation Guide for Cisco NAC Profiler, Release 3.1.1
(http://www.cisco.com/en/US/docs/security/nac/profiler/doc_roadmap/78-19566-01.html)
•Release Notes for Cisco NAC Appliance
(http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/48rn.html)
•Cisco NAC Appliance Hardware Installation Guide
(http://www.cisco.com/en/US/docs/security/nac/appliance/installation_guide/hardware/48/48hwinstal.html)
•Cisco NAC Appliance - Clean Access Server Configuration Guide
(http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/48cas-book.html)
•Cisco NAC Appliance - Clean Access Manager Configuration Guide
(http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/48cam-book.html)
•Cisco NAC Appliance Service Contract / Licensing Support
(http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/license.html)
•Regulatory Compliance and Safety Information for Cisco 1121 Secure Access Control System, Cisco NAC Appliance, Cisco NAC Guest Server, and Cisco NAC Profiler
(http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/regulatory/compliance/csacsrcsi.html)
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.
This document is to be used in conjunction with the documents listed in the Related Documentation section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
© 2010 Cisco Systems, Inc. All rights reserved.
Feedback
