
Version 3.5.0.24

• This version is a maintenance release on top of CBS version 3.4.0.x.
• It includes new functionalities as specified below.

What's New in Release 3.5.0.24
This section details new features and modifications in this release compared to previous ones.
Current Release - Version 3.5.0.24
These Release Notes are for the CBS Product Line Version 3.5.0.24 release. The CBS Product Line supports the following product lines: CBS250, CBS250-4X, CBS350, CBS350-4X (stacking) and 10-Gigabit CBS350 modules.

Device Vulnerability - Pre Version 3.5.0.x
RFC 2869 defines that the Message-Authenticator attribute is mandatory for RADIUS exchanges that contain an EAP-Message attribute (type 79). On the CBS, the following applications do not contain an EAP-Message attribute, and are therefore vulnerable to this attack:
• Management Login access (AAA authentication), which is always based on RADIUS (and not EAP).
• 802.1x MAC-based authentication (MAB) using the RADIUS authentication method (command dot1x mac-auth RADIUS).
802.1x authentication and MAC-based authentication (MAB) using the EAP method (command dot1x mac-auth EAP, which is the default configuration) are not vulnerable to this attack. The RADIUS requests in these applications contain the EAP-Message attribute, and the device also verifies that the RADIUS responses include this attribute and that it is valid.

Changes to the Device Behavior
To prevent the exploitation of vulnerabilities, the following changes were implemented in the CBS 3.5.0.x release. Their purpose is to ensure that the Message-Authenticator attribute is included in all RADIUS packets:
• The Message-Authenticator attribute is included in all RADIUS request packets, including AAA authentication and 802.1x MAC-based authentication (MAB) using the RADIUS authentication method.
• The Message-Authenticator attribute is included as the 1st attribute in the RADIUS request packet. This is also implemented for 802.1x authentication and MAC-based authentication (MAB) using the EAP method.
• A new setting was added to this release: the user can define that the Message-Authenticator is mandatory for all RADIUS responses and not only for RADIUS responses that contain the EAP-Message attribute. RADIUS responses that do not include this attribute (or in which the authenticator is not valid) will be dropped. By default, the Message-Authenticator is mandatory only for RADIUS responses that contain the EAP-Message attribute.
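
The response handling described above, as an added Python example (not Cisco's code): it applies the default policy and the forced policy to constructed RADIUS replies and verifies the attribute as HMAC-MD5 per RFC 2869. The function names, the `force` flag, the shared secret and the sample packets are assumptions made for illustration; the Response Authenticator check is left out.

```python
import hashlib
import hmac
import struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80

def attributes(packet):
    """Return ([(type, value_offset, value)], length) for a RADIUS packet."""
    (length,) = struct.unpack("!H", packet[2:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    out, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        out.append((packet[pos], pos + 2, packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return out, length

def accept_response(packet, request_auth, secret, force=False):
    """Hypothetical client-side check: True = process, False = drop."""
    try:
        attrs, length = attributes(packet)
    except (ValueError, struct.error):
        return False
    has_eap = any(t == EAP_MESSAGE for t, _, _ in attrs)
    mas = [(off, val) for t, off, val in attrs if t == MESSAGE_AUTHENTICATOR]
    if not mas:
        # Default: mandatory only with EAP-Message. force=True: mandatory always.
        return not (has_eap or force)
    if len(mas) != 1 or len(mas[0][1]) != 16:
        return False
    off, received = mas[0]
    # Assumption (RFC 2869 behaviour): a present attribute is always validated.
    # HMAC-MD5 over the packet with the Request Authenticator in the header
    # and the Message-Authenticator value replaced by 16 zero octets.
    data = packet[:4] + request_auth + packet[20:off] + bytes(16) + packet[off + 16:length]
    return hmac.compare_digest(hmac.new(secret, data, hashlib.md5).digest(), received)

def build_response(code, ident, request_auth, secret, attrs, with_ma=True):
    """Constructed sample server reply; Message-Authenticator goes first if present."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    if with_ma:
        body = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) + body
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if with_ma:
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:2] + mac + body[18:]
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body
```

With `force=False`, an Access-Accept that carries no EAP-Message and no Message-Authenticator is still processed; with `force=True` the same packet is dropped, which is the behavior the new setting adds.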

New CLI Commands
• The following CLI command was added to the device to enable/disable the mandatory Message-Authenticator attribute in all RADIUS responses: “radius-server force-message-authenticator host {ip-address | hostname}”. The default is disabled.
• The “show radius-servers” command was updated to display whether the setting is enabled or disabled.
For more details on the usage of the commands, see the CBS 3.5 CLI guide.
This setting is not supported in the device GUI management interface.

Changes in This Version Related to CBD
The following changes were added to this version:
• The CBD network Probe version is upgraded to version 2.9.0.20240823.
• Added CBD probe mode information to the CLI Operational status field (“show cbd” command) and the Probe Status GUI field. The probe mode is relevant only when the probe is active. The following probe modes are displayed:
  • Probe Managed - The Probe performs network discovery and communicates directly with each managed device on behalf of the Dashboard.
  • Direct Managed - Direct managed devices will discover other devices in the broader network and connect those devices to the Dashboard automatically; then those devices become manageable.

Changes to the Password Complexity Settings
The following changes were made to the existing password complexity settings:
Dictionary Words and Common Passwords
In the previous versions, when comparing the new passwords to the list of dictionary words and common passwords, the configured password would be rejected also in the following cases:

  1. The word in the list appears in any part of the password (beginning, middle, or end).
  2. The word in the list appears in reverse order in the password.
  3. The word in the list appears in the password in any case (lower or uppercase) combination.
  4. When comparing, the following letters are interchangeable: "$" for "s", "@" for "a", "0" for "o", "1" for "l", "!" for "i", "3" for "e". For example, Pa$$w0rd is not permitted.

As of CBS version 3.5, the rules for comparison were narrowed as follows:

  1. The new password does not match and does not begin with a word included in the list (removed the “contained” requirement).
  2. The word in the list appears in the password in any case (lower or uppercase) combination.

All the other requirements were dropped.

Sequential Characters Restriction
In the previous versions, when rejecting a password that contains more than 2 sequential characters, the configured password would be rejected also in the following cases:

  1. Letters are case insensitive.
  2. Reverse sequence.
  3. Sequence that is created by replacing the following letters with symbols: "$" for "s", "@" for "a", "0" for "o", "1" for "l", "!" for "i", "3" for "e".

As of CBS version 3.5, only the case insensitive requirement remains. The other requirements were dropped.
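
The two rule sets side by side, as an added Python model (not Cisco's implementation) covering both the dictionary check and the sequential-characters check above; it lists constructed passwords that the pre-3.5 rules rejected and the 3.5 rules accept. The word list, the sample passwords, the function names and the reading of "more than 2 sequential characters" as three or more ascending characters in a row are assumptions.

```python
# Hypothetical model of the comparison rules; not Cisco's implementation.
LEET = str.maketrans("$@01!3", "saolie")   # substitutions listed in the notes

def dictionary_reject(password, words, legacy=False):
    """True if the dictionary / common-password check rejects the password."""
    pw = password.lower()                   # case-insensitive in both rule sets
    if not legacy:
        # 3.5: reject only an exact match or a password that begins with a word
        return any(pw.startswith(w.lower()) for w in words)
    forms = {pw, pw.translate(LEET)}        # pre-3.5: symbol substitutions
    forms |= {f[::-1] for f in forms}       # pre-3.5: reversed word
    return any(w.lower() in f for w in words for f in forms)  # pre-3.5: anywhere

def has_run(text, n=3):
    """Assumed meaning of 'more than 2 sequential characters': n ascending in a row."""
    run = 1
    for a, b in zip(text, text[1:]):
        step = a.isalnum() and b.isalnum() and ord(b) - ord(a) == 1
        run = run + 1 if step else 1
        if run >= n:
            return True
    return False

def sequence_reject(password, legacy=False):
    """True if the sequential-characters check rejects the password."""
    pw = password.lower()
    if not legacy:
        return has_run(pw)                  # 3.5: only case-insensitivity remains
    forms = {pw, pw.translate(LEET)}
    return any(has_run(f) or has_run(f[::-1]) for f in forms)

def newly_accepted(candidates, words):
    """Passwords the pre-3.5 rules rejected that the 3.5 rules accept."""
    return [p for p in candidates
            if (dictionary_reject(p, words, True) or sequence_reject(p, True))
            and not (dictionary_reject(p, words) or sequence_reject(p))]

WORDS = ["password", "cisco"]               # constructed word list
SAMPLES = ["Pa$$w0rd", "Cisco#77x", "MyCisco#77", "drowssaP_42",
           "Xk9aBcQ", "Xk9cbaQ", "Tr7!qLm#"]   # constructed candidates
```

Passwords returned by `newly_accepted(SAMPLES, WORDS)` are the ones an external password policy has to catch if the stricter pre-3.5 behavior is still wanted.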