Release Notes for Cisco Context Directory Agent, Release 1.0

CSCty64187

Symptom Attempting to create a log backup file results in the following error message:

% ERROR: Bad hashed password.

Conditions This issue occurs when you attempt to create a log backup file with a hashed password. For example:

pmbu-ibf-pip10/admin# backup-logs aaa repository nfs password hash $1$Hzq51M3/$plfaaOB0PyW6Ia0UStvfo/

% ERROR: Bad hashed password.

Workaround Use a text (non hashed - plain) password.

CSCtx13593

Symptom Cannot install Cisco CDA application via network interfaces 2 or 3.

Conditions This issue occurs if the connectivity to the repository hosting the Cisco CDA application bundle is via network interfaces 2 or 3 of the machine. Fetching the file fails with a timeout.

Workaround Install the Cisco CDA application via network interfaces 0 or 1.

CSCtx13800

Symptom In Cisco CDA CLI, you cannot use % within a password.

Conditions This issue occurs when you attempt to set or change a password that contains the % character.

Workaround Use a password without %.

CSCtz47312

Symptom The Cisco CDA GUI may not reflect changes made to the administrator list in the other concurrent GUI sessions when clicking the Refresh icon.

Conditions When the administrator list is open in one Cisco CDA GUI session, and some change is made to the administrator list in another concurrent GUI session of the same Cisco CDA, clicking the refresh icon in the Cisco CDA GUI does not reflect those change in the administrator list.

Workaround Use the browser refresh button to refresh the display, or go to the Home page (Cisco CDA Dashboard) and then go back to the system administrators page.

CSCtw78043

Symptom DC status in the Cisco CDA Dashboard might show as down during the first few minutes after Cisco CDA is connected.

Conditions When CDA connects to the Active Directory DC, it retrieves login history from the DC. While history is being retrieved, the DC status might show as down. This may last for several minutes, depending on history size and system load.

Workaround The issue is transient and the DC status is updated as soon as history retrieval is complete. Click the refresh icon to update the display. Hence, the workaround provided here is not mandatory.

It is possible to avoid this issue by setting the following registry keys on the domain controller:

• HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32\ThreadingModel

Change the default value “Apartment” to “Free”.

On 64 bit Domain Controllers, the following key should also be similarly changed:

• HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32\ThreadingModel

Restart the WMI service on the DC for the changes to take effect.

CSCtx67710

Symptom Cisco CDA does not receive identity mappings from an Active Directory 2008R2 DC, even though the DC shows as connected, and the user login events show up in the DC security audit log.

Conditions This issue might occur under rare conditions. Clearing logs on the DC multiple times is one way to trigger the issue.

Workaround Restart the WMI service on the DC to restore normal operation of the system.

A Hotfix is available from Microsoft to address the root cause of this defect. The WMI process stops sending events to WMI clients from a Windows 7-based or Windows Server 2008 R2-based server, http://support.microsoft.com/kb/2705357

CSCud69408

CDA needs to support user with non-admin privileges when connecting to Windows Domain Controller. Refer to the Installation and Configuration Guide for Context Directory Agent, Release 1.0 for more information.

CSCud69418

CDA to support NTLMv2 for the connection with Windows Domain Controller.

CSCud69438

Log records are not displayed in the log table after CDA is installed on VMware.

CSCtz47312

Refresh in Administrators screen does not work.

CSCtz21543

Tool tips on mouse over for Green/Red status icons.

CSCum52734

Symptom

You cannot use SFTP protocol type when configuring repository via CLI on Cisco CDA 1.0, patch 2 due to security update applied in patch 2.

Conditions

This issue occurs when you try to configure repository using the SFTP: server protocol.

Workaround

Use other available repositories, such as FTP, NFS,TFTP, DISK.

CSCuj16952

CDA bundle compressed zip greater than 4GB fails

CSCue46013

Potential to gain shell with root privileges

CSCug29400

Potential to run arbitrary commands as root from CLI

CSCUI91348

CDA GUI is not usable in Chrome version 30 and Firefox 25

CSCUG77225

Populates mapping tables with non existent usernames

CSCuj16936

Certificate is invalid after one year, CDA self signed certificate expires after 1 year

CSCuj16989

Creating a bundle takes logs but not database itself

CSCuf93569

CDA establishes connection to remote site

CSCui21212

Mappings table is not populated in IE 7,8,9

CSCuj39335

Upgrade apache commons version

CSCuj38832

While expanding one of the fields, the table disappears

CSCuj41148

Please fix how CDA presents installed patches from GUI

CSCuj45367

GUI is vulnerable to XSS via User Supplied Input

CSCuj45353

Odd number of single quotes (‘) makes AD server list invisible

CSCuj63255

TCP vulnerability CVE-2011-3188

CSCuj63264

TCP vulnerability

CSCul80311

Help button is missing

CSCul41560

Client side filtering of various fields in the GUI is easily bypassed

CSCum28731

Show secret is not working with IE / FF

CSCuj45358

XSS vulnerability in CDA Mappings page

CSCuj45347

Proper role check not present for admin pages, allows priv. escalation

CSCul00096

Disk is full

CSCuo41459

Report domain status to consumer device as up if at least one DC in the domain is up

CSCum52734

Support SFTP repository

CSCun10631

CDA support for Windows Server 2012 R2

CSCuo01498

Get history only with success

CSCur84288

CVE-2014-4263 insufficient Diffie-Hellman public key validation

CSCuo61907

Upgrade commons-fileupload to version 1.3.1

CSCur36448

CDA does not accept user name with dollar sign ($) (not trailing)

CSCum30446

CDA user login expiration period - increase the value range to minimum 72 hours

CSCuq35289

Unable to accept user with apostrophe

CSCur56397

SSLv3 POODLE vulnerability

CSCur56385

Bash vulnerability fix (Shellshock)

CSCut61989

A delay in response from CDA is found when there are multiple requests sent by WSA devices in parallel.

CSCuw13663

CDA drops the request from Domain Controller if the Domain Controller does not reply back with the required data within the configured amount of time.

CSCve07323

Add support for Active Directory Server 2016

January 2019

Added “Resolved Caveats in Cisco Context Directory Agent Release 1.0, Patch 6” section

October 2015

Added “Resolved Caveats in Cisco Context Directory Agent Release 1.0, Patch 5” section

Dec 2014

Added “Resolved Caveats in Cisco Context Directory Agent Release 1.0, Patch 4” section

July 2014

Added “Resolved Caveats in Cisco Context Directory Agent Release 1.0, Patch 3” section

Jan 2014

Added/updated the following section:

• “Introduction” section
• “Important Notes” section
• “Resolved Caveats in Cisco Context Directory Agent Release 1.0, Patch 2” section
• “Open Caveats in Cisco Context Directory Agent Release 1.0, Patch 2” section

Feb 2013

Added “Resolved Caveats in Cisco Context Directory Agent Release 1.0 Patch 1” section

June 2012

Updated CSCtx67710

June 2012

Cisco Context Directory Agent, Release 1.0