Release Notes

IBM(R) Tivoli(R) Identity Manager(R)
CiscoSecure(R) ACS Agent Release Notes

Agent Version:    4.6.5
Build:            4.6.1007
ADK:              4.80
Document Version: 4.6.0
Release Date:     March 19, 2009

(C) Copyright International Business Machines Corporation 2000, 2009.
All rights reserved.
U.S. Government Users Restricted Rights -- Use, duplication or disclosure
restricted by GSA ADP Schedule Contract with IBM Corp.

======================================================
CONTENTS
======================================================
1. Preface
2. New Features
3. Closed Issues
4. Known Issues
5. Installation
6. Supported Platforms
7. Configuration Notes

======================================================
1. PREFACE
======================================================
Welcome to Tivoli Identity Manager CiscoSecure ACS Agent

Note: When viewing as text, set the font to monospace for better viewing
of these Release Notes.

======================================================
2. NEW FEATURES
======================================================
ID            Description
------------  --------------
MR1127071926  Add support for TACACS+ attributes. (See "TACACS+ Support"
              section below for more information)
MR0221052412  Support for ACS 4.0
N/A           Support for Win 2003
MR0221052412  ODBC driver delimiter can be specified in the registry

======================================================
3. CLOSED ISSUES
======================================================
ID           PMR                Description
-----------  -----------------  --------------
IZ44236      PMR 84521,122,000  ACS Adapter will crash if attributes are not
                                sent with the provisioning request.
             PMR S17161         Agent may run out of memory waiting for the
                                ITIM server to read Reconciliation results if
                                connection to the ITIM server is lost.

--- fixed in prior release ---
IZ23888      55102,650,706      Installer copies accountactions.csv and
                                schema.ini in Read-Only mode.
N/A          35947,650,706      Improper value of erAccountStatus is fetched
                                during recon
IZ12342      36950,650,706      ACS ADAPTER: RECON APPENDING NEW LINE
                                CHARACTERS TO ERACSWUF*

======================================================
4. KNOWN ISSUES
======================================================
CMVC    SPX#   Description
------  -----  --------------
               The agent does not support CiscoSecure ACS Appliance
               The agent does not support double-byte characters
               The agent does not support extended ASCII characters
               User's Disable/Enable status is not always in sync between ITIM
               and ACS. (See "7.2 User Enable Status Synchronization" below).
34201   ---    Event Notification may fail when a new Group is added on the
               resource if a full recon has not been run. (Issue in Agent
               Development Kit (ADK) 4.800)
46913   ---    Add and modify actions do not support extended ASCII characters.
67095   ---    If redundant fields are populated in the ITIM GUI or invalid data
               is entered into fields for a particular operation, then the
               operation may register as successful in ITIM, but the data may
               not be reflected in Cisco. The complete list is provided in
               Section 7.3 "ITIM GUI Limitations".
67095   ---    ITIM Server will allow you to provision two accounts with the
               same user ID. However, Cisco enforces unique user IDs.
               Therefore, if a new account is provisioned through the ITIM GUI
               that has a duplicated user ID, then the existing account with
               that user ID is replaced by the new account details in Cisco.
67095   ---    The list of available Authentication Types in ITIM may not all
               be available in Cisco. You need to check on your Cisco server
               which Password Authentication types are available (based on the
               External databases that are configured).
N/A     ---    Installer does not support Java 1.5.x versions

========================================================
5. INSTALLATION
========================================================
For detailed installation instructions, please see the Installation Guide.
NOTE: The agent must work in Single Thread mode. See the Installation Guide
section "Changing Advance Settings" to set the agent to Single Thread mode.

NOTE: The agent relies on CiscoSecure CSUtil.exe to perform reconciliation.
The agent was tested only with CSUtil.exe version 1.20.

========================================================
6. SUPPORTED PLATFORMS
========================================================
The Identity Manager Agent was built and tested on the following product
versions.

Identity Manager Server 4.6

Agent Installation Platform: Windows 2000 SP2, Windows 2003 SP1

Note: The agent was tested on the following ODBC drivers:
  W2000: 4.00.6200.00, ODBCJT32.DLL  MS ODBC Driver pack 3.5
  W2003: 4.00.6305.00, ODBCJT32.DLL  MS Data Access Components (W2K3 SP1)

======================================================
7. CONFIGURATION NOTES
======================================================

7.1. Deployment Requirements
======================================
a. Windows 2000 SP 2 or above, Windows 2003 SP 1 or above
b. The CiscoSecure ACS Agent must run on systems that are configured as a
   CiscoSecure Access Control Server 3.1, 3.2, 3.3, 4.0.

7.2. User Enable Status Synchronization
======================================
ACS User Enable status depends on three conditions:
- the manual enable/disable setting,
- the account expiry date being exceeded, and
- the permitted number of unsuccessful logins being exceeded.

The ACS account on the ITIM server is represented by a single attribute only,
"Account Disabled".
- During attribute modification, this attribute is mapped to the "manual
  enable" setting of the account.
- During reconciliation, the "Account Disabled" attribute represents the
  logical OR of all three ACS User Enable conditions above.

This can have the following effects:
a) If an ACS account was disabled due to date expiry, the account will not be
   enabled on the ACS Server side, even if the ITIM server displays that the
   account is enabled. The next reconciliation will correct this.
b) If an ACS account was disabled due to date expiry and a user modifies the
   date via ITIM, the account status on the ITIM server will still be
   disabled, even if it is enabled on the ACS Server. The next reconciliation
   will correct this.

7.3. ITIM GUI Limitations
======================================
Due to ITIM GUI limitations, the agent has the following constraints on the
Account Form:

Callback Settings Tab
---------------------
If at some stage a "Callback number" has been set for a provisioned account,
then even if "Callback" is later changed to a different setting (e.g. "Use
group setting"), the Callback number will not be set or cleared in Cisco.

Client IP Address Assignment Tab
--------------------------------
If at some stage an "Assigned static IP address" or "Assigned by AAA client
pool" has been set for a provisioned account, then if "Client IP Address
Assignment" is set to a different setting, the corresponding value will not
be set or cleared in Cisco.

Max Sessions and Account Disable Tab
------------------------------------
The value of "Failed attempts exceed" can only be changed in Cisco if the
corresponding options are selected for "Account Disable".

Restrictions Tab
----------------
If data entered into the IP-based access restrictions table (under the
Restrictions tab) is not in the form x,y,z then it will not be updated in
Cisco, although the operation will appear successful on the ITIM side. A
reconciliation will successfully update the data in ITIM to reflect exactly
what is in Cisco.

TACACS+ Support
===============
Please Note:
1) Before running the adapter for TACACS+ attributes:
   -- Enable TACACS+ in the Cisco ACS server.
   -- The value of "Value Flag" in dump.txt has been found to vary from
      installation to installation. Value Flag is used to distinguish "Use
      Separate Password" from "Use CiscoSecure PAP password". For this
      purpose a new registry value, erTACACSValueFlag, is added to the
      adapter's registry settings.
      The user should copy the value of Value Flag from dump.txt to
      erTACACSValueFlag. Run the following commands from a command prompt to
      create dump.txt:

        net stop csauth
        \Utils\CSUtils.exe -d
        net start csauth
        notepad dump.txt

Here
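As an added illustration of the mapping described in Section 7.2 (example code written for these notes, not part of the release notes or of the adapter), the following Python model encodes the three ACS enable conditions, the modify and reconciliation behaviour, and a check that lists accounts whose ITIM "Account Disabled" view has drifted from the effective ACS state; the field names, the reference date and the sample accounts are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

TODAY = date(2009, 3, 19)  # constructed reference date (the release date)


@dataclass
class AcsAccount:
    """Three independent conditions that can disable an ACS user (names assumed)."""
    manual_disabled: bool = False
    expiry_date: Optional[date] = None       # disabled once today is past this date
    failed_logins: int = 0
    max_failed_logins: Optional[int] = None  # disabled once failed_logins exceeds this

    def effectively_disabled(self, today: date = TODAY) -> bool:
        expired = self.expiry_date is not None and today > self.expiry_date
        lockout = (self.max_failed_logins is not None
                   and self.failed_logins > self.max_failed_logins)
        return self.manual_disabled or expired or lockout  # logical OR of all three


def modify_account_disabled(acs: AcsAccount, disabled: bool) -> bool:
    """ITIM modify: only the manual flag reaches ACS; ITIM then displays the request."""
    acs.manual_disabled = disabled
    return disabled


def reconcile(acs: AcsAccount, today: date = TODAY) -> bool:
    """ITIM recon: "Account Disabled" becomes the OR of the three ACS conditions."""
    return acs.effectively_disabled(today)


def find_drift(itim_view: dict, acs_accounts: dict, today: date = TODAY) -> list:
    """User IDs whose ITIM "Account Disabled" value disagrees with effective ACS state."""
    return sorted(uid for uid, acs in acs_accounts.items()
                  if itim_view.get(uid) != acs.effectively_disabled(today))


def demo_drift(today: date = TODAY):
    """Constructed sample: effect a) for alice, effect b) for bob, carol stays in sync."""
    acs = {"alice": AcsAccount(manual_disabled=True, expiry_date=date(2009, 1, 1)),
           "bob": AcsAccount(expiry_date=date(2009, 1, 1)),
           "carol": AcsAccount()}
    itim = {uid: reconcile(a, today) for uid, a in acs.items()}   # after a full recon
    itim["alice"] = modify_account_disabled(acs["alice"], False)  # a) enable via ITIM
    acs["bob"].expiry_date = date(2010, 1, 1)                     # b) date moved via ITIM
    stale = find_drift(itim, acs, today)
    resynced = find_drift({u: reconcile(a, today) for u, a in acs.items()}, acs, today)
    return stale, resynced
```

Running demo_drift() shows both accounts as stale until the next reconciliation clears the drift, which is the behaviour the two effects in Section 7.2 describe.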