AlterPath ACS Family Releases

AlterPath OnSite Release Notes

This document outlines the new features and bug fixes for AlterPath OnSite family of products (including BETA releases that are designated with a letter after the version number).

V_1.1.0 May/15/06 (official initial release; upgrade from v_1.0.0)

UPGRADING FROM VERSION 1.0.0

Before upgrading the OnSite running firmware version 1.0.0, a patch must be applied. A problem in the upgrade procedure was found that may cause loss of new files or permission. The patch will be available for downloading by way of FTP, from the same URL, as the new OnSite firmware. The upgrading steps are as follows:

Open a root shell session in the OnSite (ssh, telnet, or console).
Using FTP, download the file "patch_ons_v100.gz" from the Cyclades FTP site into the /tmp directory
Make /tmp the current directory (cd /tmp).
Decompress the file "patch_ons_v100.gz" (tar -tvzf patch_ons_v100.gz)
Execute the command /tmp/patch_ons_v100.sh
Open a admin WMI session and click "Management" in the top menu.
Click Firmware Upgrade in the left menu and enter all required data, then submit.
If a pop-up window appears with the message "[WARNING]There were errors when patching the configuration files.....", it means that changes made by Cyclades could not be merged because they conflict with changes done by the OnSite administrator. Before rebooting, the OnSite administrator should check to see if the changes made by Cyclades conflict or not. Normally, Cyclades adds comments describing new parameters.

a) New features

Security Enhancements

More control over the services that are active at any time;
Pre Defined Security Profiles";
Web Manager login page is redesigned for a "plain vanilla" screen featuring generic username and password fields;
A Security Advisory message alerts the root user of security impacts.

LAN Bonding (Active Backup only)

Achieves redundancy on the Ethernet devices;
The standard Ethernet interface and one PCMCIA card act as one unique interface, answering for the same IP address with the same MAC address;
No manual intervention is required when the primary connection is lost or recovered;
the failover is transparent and all connection sessions continue working with no interruption.

Display the MAC-48 address of the built-in Ethernet interface in the Information/General menu
Implement the PrintScreen menu key function for the OSD
Allow the internal modem (AUX ports) to be disabled in the WMI and from the CLI.
Support the Adaptive KVM feature (RDP)
Implemented ACS syslog message/SNMP trap on DCD functionality.
Implemented an ftp/tftp server on the OnSite. The ftp/tftp server are disabled by default.
Linux new command: sudo command allows users from the admin group to execute commands, utilities and edit configuration files registered into sudoers file for configuring ONS features.
Timezone Enhancements

The script set_timezone was removed from the image.
There is a new "Custom" option to the Timezone drop-down field on the Time/Date page. It allows the administrator to configure the following parameters :

Zone Label (for example: "Pacific")
Standard Time Acronym (for example: "PST")
GMT Off - The time in hours offset from GMT (plus or minus) to get the standard time in the target time zone
Daylight Saving Time Acronym (for example: "PDT")
Save time - The length of time added to local standard time to get daylight savings time in the target time zone
Start Date - The month, day and time when daylight savings starts in the target time zone
End Date - The month, day and time when daylight savinsg ends in the target time zone

One Time Password (OTP): A new authentication type for serial port access and for the dial-in modem PCMCIA card.
Active Directory (AD) and VeriSign two-factor Radius (LdapDownLocal-Radius) authentication: A new authentication type for access to serial port and to the box itself by way of SSH or Telnet. It will not work for any Web access.
To log on to an ACS, the user will need to be successfully authenticated on the AD server first (Windows Server 2003)and then on the VeriSign two-factor Radius server.
PPPD upgrade from 2.4.1 version to 2.4.3 version.

This version has support for Extensible Authentication Protocol (EAP) :

EAP MD5-Challenge method
EAP SRP-SHA1 method

The EAP is the default when no authentication method is configured. If having the peer authenticate itself is not required, the option "noauth" in the PPPD configuration will have to be included.

OpenSSH upgrade from 4.1p1 to 4.3.p1.

The following INFO syslog message is generated when one CAS session is established:

APPLICATION: User [<username>] connected to port [<number of serial port>] (ttyS<number of serial port>) via socket ssh

X.509 - support for X.509 certificates
the SSHD keys are generated in the first boot of this version (the SSHD will able to accept connetions after the generation of the keys).
If you use PuTTY, you need to upgrade its version to 0.58 (the PuTTY had one bug that was fixed in the current version).

Data Buffering Enhancements:

New parameter "sXX.data_buffering_sess" in the PortSlave configuration determines whether or not data is buffered when a user is connected to the port
New option for the "sXX.dont_show_dbmenu" parameter. When it is configured, the data buffering menu is not shown, but the data buffering file is displayed (if not empty) and the file is erased.

Group Authorization Enhancement: Retrieves "group" information from the authentication servers (TACACS+, RADIUS and LDAP) in order to perform a kind of "network-based" authorization.
Power Management Enhancements:

The admin can control the state of one group (multi-outlet device) as well as contolling the state of individual outlets in that group.This results in a better way to control and monitor the state of the outlets for such devices
In the Web interface, power management has been implemented in a new page called "Multi-Outlet Control" located under IPDU Power Mgmt.
In the command line interface, when the pm command is called without providing a parameter, the following menu appears (when a number is used as argument it will behave as it always has):

Exit
Individual ipdus
Multi-outlet devices
Info

IPMI Enhancements:

Management of IPMI devices is done using the ipmitool 1.6.0.
New page has been implemented in the Web interface. "IPMI Power Mgmt" is located in the Applications Menu.
The device configuration has been implemented in the CLI command.

Web Interface - new or changed pages

Ports Menu

Ports Statistics - Table where the columns represent the following fields: serial port number, serial port alias, baud rate, tx bytes (bytes sent), rx bytes (bytes received), frame (error), parity (error), and overrun (error).

Applications Menu

IPDU Multi-Outlet Ctrl - Manages groups of outlets (multi-outlet devices)
IPMI Power Mgmt. - Adds IPMI devices and manages them.
Connect - A pop-up window with 3.000 lines of scroll and with the Copy/Paste functionality

Network Menu

Syslog - Allows the admin to configure filters by level
PCMCIA Management in Configure Pop-up - Have added CDMA as card type

Help Buttons have been removed temporarily.

PortSlave - new protocols

Console (telnetSSH) - Allows the client to access the serial port using Telnet or SSH connection. For example, it allows any Telnet or SSH connection to access the serial port.
Bidirectional Telnet (dynamic mode) - Support for “socket_server” and “login” mode. When the enter key is typed on the terminal connected to the serial port, ACS presents the login banner and promptsthe user at the terminal. When idle, the ACS accepts Console(telnet).
generic_dial - Generic Dial Framework will control this port.

Upgrade of OpenSSL to 0.9.8

This product is not affected by the vulnerability "SSL 2.0 Rollback (CAN-2005-2969)"

Upgrade of ZLIB to 1.2.3 - Version 1.2.3 eliminates potential security vulnerabilities in zlib 1.2.1 and 1.2.2 (CAN-2005-1849).

Eliminates a potential security vulnerability when decoding invalid compressed data
Eliminates a potential security vulnerability when decoding specially crafted compressed data

Kerberos - Patch applied that fixes potential security vulnerability (CAN-2005-1689, VU#623332)
Have included support for the following PCMCIA cards:

Xircom-XE2000 10/100 Network PC Card Adaptor
Option Wireless-GlobeTrotter Universal Tri-band GPRS/GSM PC-Radio Card

Growell-iCARD800 CDMA 1XRTT GW-1031C

b) Bug fixes

All known bugs from previous version.
SSH connections to the box/unit are being dropped after one minute of idle (bug#5915)
The information in the Radius's configuration file (/etc/raddb/server file) is not enough to configure the server editing the file (bug#5414).
Web Interface:

Wizard mode: "Step 3 : Port Profile" does not have any way to enable the serial ports (bug#5854)
The limit for the LDAP server field was increased from 15 to 39 (bug#5612)
The NTP server field accepts only IP addresses (bug#5389)
The "IPDU Power Mgmt - Users Manager" screen crashes the Web Interface when there are too many users (bug#6211)
After the secure profile has been configured, the Access Tab shows Kerberos as selected in the Type field (bug#6256)
The hostname configuration is not working well (bug#6040).

Multiple-sessions (CAS profile)

All sessions are blocked when the TCP window is "0" for one session (bug#5994)
The menu is shown when it is configured as RW_session (bug#6245)

TIMEZONE: Issues occurring with the timezone configuration (bug#5416).
Kerberos Tickets with ts_menu is not working (bug#5922)
The change of an outlet's state is not being registered as a notification event (bug#6251)
DHCP active plus 1.) data buffering or 2.) DCD regards or 3.) multiple session: The run configuration drops all CAS sessions (bug#6271 and bug#6521)
CAS session: IPMI power menu gets stuck if an invalid option/choice is selected. (bug#5681)
If "regard DCD" is configured in serial port XX, the first attempt to access XX will always fail (bug#6133)
When using RSA SecurID server as the Radius server, "next tokencode" mode is no longer working (bug#5892)
During data transfer to a serial port using the ts_menu program, some data get lost (bug#6527).
SLIP protocol does not work (bug#6567)

c) Known Bugs

none

d) Change Log

PPP upgrade : The EAP is the default when no authentication method is configured. If you do not require the peer to authenticate itself, you need to include the option "noauth" in the PPPD configuration.
The script set_timezone was removed from the image.
The /etc/ssh/sshd_config file was changed to configure the parameter LoginGraceTime (the ACS disconnects after this time if the user has not successfully logged in) to 3m (three minutes). This is necessary for clients who use the RSA SecurID server as the Radius Server.
In the CLI, the label to configure the "sXX.syslog_sess" parameter was changed from "buffersyslogeverytime" to "buffersyslogonlynosession" to be consistent with the WebUI checkbox.

Configure the "sXX.syslog_sess" parameter using the following command:
cli>config physicalports ['all' | range] databuffering buffersyslogonlynosession ['yes' | 'no']

where: "yes" = The syslog message will be generate only when there is no connection to the port
"no" = The syslog message will be generated every time.

e) Warning

Support for RTS legacy half duplex will be obsolete in future versions. The values "rs232_half" and "rs232_half_cts" for the media parameter will not be supported in future versions.

V_1.0.0 Jun/13/05 (official initial release)
a) Bug fixes

N/A

b) Known Bugs

BTS #3946: OID value cannot be skipped when configuring SNMP v3 through OSD.
Workaround: use web interface to configure SNMP v3 with optional OID.
BTS #3623: Aux port configuration cannot be done through OSD.
Workaround: use web interface to configure auxports.
BTS #3941: Resetting KVM terminator while IP viewer is open locks up the web manager.
Workaround: close the IP viewer first before doing microcode reset.
BTS #3897: Same power outlet can be assigned to more than on KVM port.
BTS #3788: Physical insertion of PCMCIA card cannot be detected by card manager.
BTS #3901, #3928, #3929: IPDU power management shows wrong information when PM unit is removed.
Workaround: restart pmd process.
BTS #3884: Suspending zoom modem card causes kernel panic.
BTS #3692: The option –auth of ts_menu does not work properly.
BTS #3728: Port name length is not consistent between OSD and Web management interface.
BTS #3878: Help pages of “Microcode Reset” and “Microcode Upgrade” and “KVM User Status” pages contains invalid information.
BTS #3612: Syslog will show syntax error if invalid power management outlet is assigned to kvm port.
Workaround: assign port with valid outlet number.
BTS #3840: Syslog shows syntax error if dhcp is disabled, but no IP address is given to the box.
Workaround: assign a valid IP after dhcp is disabled.
BTS #3874: No horizontal scale in temperature history.
BTS #4057: When deleting an action in the terminal menu configuration of CLI, it causes segmentation fault.
BTS #4062: Date info is missing from OSD “System Info”.
BTS #3966: Changes made through WMI corrupt values in OSD configuration.
BTS #4049: There is no option to configure data buffering destination through CLI.
BTS #4055: “.” in the beginning of OID values cannot be read back correctly when editing.
BTS #4046: Duplicated power outlet numbers can be assigned to the serial port.
BTS #4060: Power outlet configuration assigned to KVM port is lost when reboot without PM connected.
BTS #4045: “reload” button in WebUI power management form does not work correctly.
BTS #4044: The power outlet configured through WebUI cannot be changed in OSD.
BTS #4058: “ACS” reference in the file /etc/hosts.lpd.
BTS #3723: Menush can not handle error input properly.