Guest

Cisco Secure Access Control Server for Windows

Release Notes for Cisco Secure ACS 4.1.3

  • Viewing Options

  • PDF (280.9 KB)
  • Feedback

Table Of Contents

Release Notes for Cisco Secure ACS 4.1.3

Contents

Introduction

New and Changed Information

Support for Microsoft Windows Server 2003 R2

Support for 3Com/USR VSAs

MAC and MAB Functionality Issues

Support for User-Defined Vendors Extended VSA ID

Use the CSUtil.ini file to Install User-Defined Vendor or VSA Data

Use the RDBMS Synchronization Action Codes to Install User-Defined Vendor or VSA Data

Configuring the Workstation Name For Windows Authentications

Windows Authentication Configuration Error Messages

Addition of the cisco-AVPair Attribute to the VOIP Accounting Report

Configuring the ACS RADIUS Server to Reject or Discard Requests to an External ODBC Database

Addition of Session IDs to the CSAuth Diagnostic Log

Description of Error Codes in the CSAuth Diagnostic Log

Line Numbers in Diagnostic Logs

Improved EAP Code Debug Messages

Product Documentation

Known Caveats in ACS for Windows and the Solution Engine 4.1.3

Resolved Caveats in ACS for Windows and the Solution Engine 4.1.3

Installation Notes for ACS 4.1.3

Upgrade Path ACS 4.1.3 for Windows

System Requirements ACS 4.1.3 for Windows

Installing ACS 4.1.3 for Windows

Upgrade Path for ACS Solution Engine 4.1.3

Installing the ACS Solution Engine 4.1.3


Release Notes for Cisco Secure ACS 4.1.3


Revised: July 9, 2007, OL-12629-02

CDC Date: May 5, 2007

These release notes pertain to Cisco Secure Access Control Server, hereafter referred to as ACS version 4.1.3. These release notes contain information for the Windows and Solution Engine platforms. Where necessary, the appropriate platform is clearly identified.

Contents

These release notes contain:

Introduction

New and Changed Information

Product Documentation

Known Caveats in ACS for Windows and the Solution Engine 4.1.3

Resolved Caveats in ACS for Windows and the Solution Engine 4.1.3

Installation Notes for ACS 4.1.3

Introduction

ACS 4.1.3 is a maintenance release for ACS 4.1 that consolidates ACS 4.1 customer patches and resolves other customer and internally found defects. ACS 4.1.3 is available through the Cisco Technical Assistance Center (TAC) only for upgrading existing ACS software deployments.

This release includes:

ACS 4.1.3 software image.

Appliance upgrade CD for ACS Solution Engines 1111, 1112, 1113.

New and Changed Information

ACS 4.1.3 contains these new enhancements:

Support for Microsoft Windows Server 2003 R2

Support for 3Com/USR VSAs

MAC and MAB Functionality Issues

Support for User-Defined Vendors Extended VSA ID

Addition of the cisco-AVPair Attribute to the VOIP Accounting Report

Configuring the ACS RADIUS Server to Reject or Discard Requests to an External ODBC Database

Addition of Session IDs to the CSAuth Diagnostic Log

Description of Error Codes in the CSAuth Diagnostic Log

Improved EAP Code Debug Messages

Support for Microsoft Windows Server 2003 R2

ACS is supported on Windows Server 2003 R2.

Support for 3Com/USR VSAs

ACS now supports 3Com/USR VSAs. The 3Com/USR VSA format differs from other VSAs in that 3Com/USR VSAs have a 32-bit Extended Vendor-Type field and no length field.

The Authenticate Using drop-down list in the Network Configuration section of the ACS web interface now includes a new network device, RADIUS (3COMUSR).


Note 3Com/USR VSAs should be used for any device that uses these VSAs, not just the HiperARC cards.


Once you add the RADIUS (3COMUSR) to the Network Configuration section, it becomes available to the User Setup and Group Setup sections of the ACS web interface. These VSAs will also be available to the RADIUS accounting log. Use the Interface Configuration section to configure RADIUS (3COMUSR). For information on adding a network device, refer to the User Guide for Cisco Secure ACS 4.1.

MAC and MAB Functionality Issues

Cisco recommends that you apply patch 4.1.3.12.1 to ensure:

ACS 4.1 functionality for MAB.

ACS 4.0 functionality for MAC authentication.

After you apply the patch, if

Service-Type(6) = 10 and NAP is present, MAB is invoked.

Service-Type(6) = 10 and NAP is non-existent, MAC authentication is invoked.

This specification retains ACS 4.1 functionality for MAB and ACS 4.0 functionality for MAC authentication.

Support for User-Defined Vendors Extended VSA ID

In previous versions of ACS the vendor-specific attribute (VSA) ID length was restricted to one byte, the default value, and the VSA ID value could not be greater than 255. ACS 4.1.3 supports VSA ID lengths of 1, 2 or 4 bytes. In addition, customers can specify whether the VSA has an internal length field or not.

You can use CSUtil or RDBMS synchronization to install dictionary components for vendors that require extended VSA ID length.

Use the CSUtil.ini file to Install User-Defined Vendor or VSA Data

Use the CSUtil -addUDV option with the vendor .ini file to install VSA data for vendors that require extended VSA ID length. Table 1 contains two additional codes and definitions in the vendor .ini file used to modify the vendor configuration.

Table 1 CSUtil.ini file Options and Definitions for Vendor Configuration

Option
Value
Description

Need Internal Length

TRUE or FALSE

Sets the presence of Internal Length field in VSA. If not used, then the default is TRUE.

ID Length

1, 2 or 4 bytes.

Sets the Vendor-Specific Attribute (VSA) Type length in bytes. If not used, then the default is 1 byte.



Note ACS 4.1.3 supports hex-numbering for the VSA ID feature. Values starting with 0x are assumed to be hex values.


Use the following sample format of the vendor .ini file for setting the ID Length and VSA values. In this example,

Need Internal Length value is TRUE.

ID Length is two bytes

vendor VSA ID values are 264 and 0x109.

[User Defined Vendor]

Name=vendor-name

IETF Code=vendor-IETF-code

Need Internal Length = TRUE

ID Length=2

VSA 264=Ascend-Max-RTP-Delay

VSA 0x109= Ascend-RTP-Port-Range

[Ascend-Max-RTP-Delay]

Type=INTEGER

Profile=OUT

[Ascend-RTP-Port-Range]

Type=STRING

Profile=OUT

Use the RDBMS Synchronization Action Codes to Install User-Defined Vendor or VSA Data

Use the RDBMS Synchronization action codes to install VSA data for vendors that require extended VSA ID length. Table 2 contains two additional codes and definitions for modifying the vendor configuration.

Table 2 RDBMS Account Action Codes and Definition for Vendor Configuration

Action Code
Name
Required
Description

356

SET_VSA_ID_LEN

V1, V2

Sets the Vendor-Specific Attribute (VSA) Type length in bytes.

V1 contains the vendor IETF code.

V2 contains VSA-Type Length, which takes the values 1, 2 or 4.

357

SET_VSA_INTERNAL_LEN

V1, V2

Sets the presence of Internal Length field in VSA.

V1 contains the vendor IETF code.

V2 contains BOOL value.

1-(TRUE) if VSA requires the Internal Length field.

0-(FALSE) if the Internal Length field is not required.


Configuring the Workstation Name For Windows Authentications

You use ACS to define a custom workstation name when authenticating against Active Directory (AD). In previous versions of ACS, a workstation name of CISCO was used for authentications to AD. This enhancement allows multiple ACS deployments using a single AD tree.

The Windows External Database section of the ACS web interface now contains a new configuration section. You use the new configuration section to customize the workstation name.

To configure a workstation name:


Step 1 In the navigation bar, click External User Databases.

The External User Database page appears.

Step 2 Click Database Configuration.

The External User Database Configuration page appears.

Step 3 Click Windows Database.

The Windows Authentication Configuration page appears.

Step 4 Click Configure.

a. If you are running ACS for Windows, the Windows Authentication Configuration page appears.

b. If you are running the Solution Engine, click Windows Authentication Configuration. The Windows Authentication Configuration page appears

Step 5 Choose one of the options to configure a workstation name:

a. CISCOConfigures CISCO as the workstation name. This is the default.

b. LocalConfigures the local machine name as the workstation name. By default, ACS displays the local host name.

c. User defined workstation name—Specifies a name for the workstation. (Limit: 15 characters).


Note Ensure that all user accounts have login permission to the workstation.


Windows Authentication Configuration Error Messages

Table 3 lists the Windows Authentication Error Messages.

Table 3

Error Number
Description

1

Workstation name contains invalid characters. alpha-numerics are the only valid characters,


Windows Authentication Configuration Errors 

Addition of the cisco-AVPair Attribute to the VOIP Accounting Report

ACS has added the cisco-AVPair attribute to the VoIP Accounting Report.

To configure the VoIP Accounting Report:


Step 1 In the navigation bar, click System Configuration.

The System Configuration page appears.

Step 2 Click VoIP Accounting Configuration.

The VoIP Accounting Configuration page appears.

Step 3 Configure the log.

Step 4 Click Submit.

Step 5 Restart ACS in System Configuration > Service Control to adopt the new settings.

Step 6 In the navigation bar, click System Configuration > Logging.

The Logging Configuration page appears.

Step 7 Click Configure next to the VoIP Accounting Column.

Step 8 Choose the cisco-AVPair attribute and move it to the Logged Attributes list.

Step 9 Click Submit.

The Logging Configuration page reappears.

Step 10 In the navigation bar, click Reports and Activity.

The Reports and Activity page appears.

Step 11 Click VoIP Accounting.

The VoIP Accounting report appears and displays the cisco-AVPair attribute.


Note Multiple Cisco-AVPair attributes values are concatenated in the VOIP Accounting report with a semi-colon.



Configuring the ACS RADIUS Server to Reject or Discard Requests to an External ODBC Database

You use ACS RADIUS server to send an access reject reply or discard the access-request. In some deployments, the ACS server might send an access reject or discards an access request. For example, in the event of an external ODBC database failure, ACS can deny the authentication (access reject), or not respond at all. Conversely, if ACS discards an access request the network access device that can fail over to another ACS server. A drawback to this approach is that discards can cause excessive network traffic and load on the network access devices as requests continue to travel from network access devices to the ACS servers.

To configure a RADIUS server:


Step 1 In the navigation bar, click External User Databases.

The External User Databases page appears.

Step 2 Click Database Configuration.

The External User Database Configuration page appears.

Step 3 Click External ODBC Database.

The CiscoSecure ODBC Authentication Configuration page appears.

Step 4 In the RADIUS behavior in the event of database failure section select one of the RADIUS server options, shown in Table 4.

Step 5 Click Submit.

Table 4

Option
Description

Send an access reject (your devices will stay with this RADIUS server).

The network access devices will retry the same RADIUS server and not fail over to another RADIUS server.

Discard the access request (your devices may try a different RADIUS server).

The network access devices will use the available RADIUS servers.


RADIUS Server Reject and Discard Request Options

Addition of Session IDs to the CSAuth Diagnostic Log

ACS supports a session ID parameter for the CSAuth diagnostic log. You can use a unique session ID to differentiate log threads in the CSAuth diagnostic logs.

Example 1 shows the session ID 1000 is processed by two different threads (2560, 2548) in the network model thread. You can filter the logs by session ID to restrict the output for each session.

Example 1 CSAuth Diagnostic Log with session ID

AUTH 09/08/2006 18:29:57 I 5081 2560 1000 Start RQ1040, client 1 (127.0.0.1) 
AUTH 09/08/2006 18:30:13 I 5094 2548 Worker 1 processing message 17. 
AUTH 09/08/2006 18:30:14 I 0991 2368 0000 pvNASMonitorThreadMain: start NM 
update ... 
AUTH 09/08/2006 18:30:14 I 1006 2368 0000 pvNASMonitorThreadMain: commit NM 
update ... 
AUTH 09/08/2006 18:30:14 I 5081 2560 1000 Done RQ1040, client 1, status 0 
AUTH 09/08/2006 18:30:14 I 1011 2368 0000 pvNASMonitorThreadMain: succeeded 
to commit NM update 
AUTH 09/08/2006 18:30:28 I 5081 2548 1000 Start RQ1012, client 2 (127.0.0.1) 
AUTH 09/08/2006 18:30:28 I 5081 2548 1000 Done RQ1012, client 2, status 0

Note The additional session ID field in the ACS diagnostic log involves minimal overhead: eight bytes per line for each authentication session.


Description of Error Codes in the CSAuth Diagnostic Log

The ACS 4.1.3 CSAuth diagnostic logs now display a description of client requests and responses. Previous versions of ACS used a numeric code for client requests and responses. The description is useful for locating client requests and responses in the CSAuth diagnostic logs.

Figure 1 contains two CSAuth diagnostic log examples. The first example represents an entry from previous versions of the CSAuth diagnostic log. The second example represents how this entry appears in the CSAuth 4.1.3 diagnostic log.

Example 2 shows that in the CSAuth diagnostic log:

UDB_AUTHENTICATE_USER replaces the RQ1026 request code shown in the first example.

UDB_CHALLENGE_REQUIRED replaces the 2046 status code shown in the first example.

Figure 1 CSAuth Diagnostic Log Entry

Example 1

AUTH 09/11/2006 09:55:27 I 5081 2512 Done RQ1026, client 50, status -2046 

Example 2 (with Descriptive text)

AUTH 09/11/2006 09:55:27 I 5081 2512 Done UDB_AUTHENTICATE_USER, client 50, status 
UDB_CHALLENGE_REQUIRED 

Table 5 and Table 6 list the descriptive text for requests and status that appear in the 4.1.3 CSAuth diagnostic logs.

Descriptive Request Text in the CSAuth Diagnostic Logs

Table 5 lists the descriptive text in the CSAuth diagnostic logs and the corresponding request code.

Table 5 Descriptive Request Text and Request Code  

Request Text
Request Code

UDB_BASE_CMD

1000

UDB_HAIL

1001

UDB_OPEN

1002

UDB_CLOSE

1003

UDB_GOODBYE

1004

UDB_PING

1005

UDB_REFRESH

1006

UDB_REFRESH_EX

1007

UDB_RESET_HOST_CACHE

1008

UDB_USER_ADD

1010

UDB_USER_REMOVE

1011

UDB_VALID_USER

1012

UDB_USER_ENUM_BY_GROUP

1013

UDB_CHANGE_PASSWORD

1014

UDB_SET_PASS_STATUS

1015

UDB_GET_PASS_STATUS

1016

UDB_USER_ENUM

1017

UDB_USER_GET_INFO

1018

UDB_USER_PAP_CHECK

1019

UDB_USER_PROF_ASSIGN

1020

UDB_USER_PROF_COUNT

1021

UDB_USER_PROF_GET

1022

UDB_USER_CHAP_CHECK

1023

UDB_USER_CHECK_EXPIRY

1024

UDB_USER_SET_INFO

1025

UDB_AUTHENTICATE_USER

1026

UDB_SEND_RESPONSE

1027

UDB_SET_PASSWORD

1028

UDB_USER_LOCN_CHECK

1029

UDB_SET_VALUE

1030

UDB_GET_VALUE

1031

UDB_GET_NEXT_VALUE

1032

UDB_DEL_VALUE

1033

UDB_FIND_VALUE

1034

UDB_GET_VALUE_BY_NAME

1035

UDB_LOG

1040

UDB_SET_APPDATA

1041

UDB_GET_APPDATA

1042

UDB_DEL_DB

1043

UDB_AVERT_LOG

1044

UDB_DIR_CREATE

1050

UDB_FILE_CREATE

1051

UDB_FILE_WRITE

1052

UDB_FILE_READ

1053

UDB_FILE_CLOSE

1054

UDB_FILE_EXISTS

1055

UDB_FILE_APPEND

1056

UDB_FILE_SET_PTR

1057

UDB_USER_LIST_ADD

1070

UDB_USER_LIST_DEL

1071

UDB_USER_LIST_GET

1072

UDB_USER_LIST_COUNT

1073

UDB_USER_LIST_UPDATE

1074

UDB_USER_ALIAS_SET

1080

UDB_USER_ALIAS_DEL

1081

UDB_USER_ALIAS_VALID

1082

UDB_START_TRANSACTION

1090

UDB_END_TRANSACTION

1091

UDB_KICK_SYNC_TX

1092

UDB_KICK_SYNC_RX

1093

UDB_EXCHANGE_SYNC_INFO

1094

UDB_AQUIRE_IP_ADDRESS

1095

UDB_VALIDATE_PASSWORD

1096

UDB_EXTRACT_AGING_DATA

1097

UDB_AUTH_FAILED

1098

UDB_RESET_USER_PASSWORD_AGING_DATA

1099

UDB_GET_AGING_INFO

1100

UDB_DO_BACKUP_NOW

1101

UDB_AQUIRE_CALLBACK

1102

UDB_GET_AGING_LIMIT

1103

UDB_PURGE_NAS

1104

UDB_SEND_FAKE_STOPS

1105

UDB_SERVICE_CONTROL

1106

UDB_RESET_GROUP

1107

UDB_SET_ENABLE_PASS_STATUS

1108

UDB_UPDATE_AGING_POLICY

1109

UDB_ADD_HOST

1110

UDB_DEL_HOST

1111

UDB_GET_HOST

1112

UDB_UPDATE_HOST

1113

UDB_ADD_PROXY

1114

UDB_DEL_PROXY

1115

UDB_ADD_PROXY_TARGET

1116

UDB_ADD_NDG

1117

UDB_DEL_NDG

1118

UDB_GET_NDG_ID

1119

UDB_SET_USER_FEATURE_FLAG

1120

UDB_GET_USER_COUNTER

1121

UDB_RESET_USER_COUNTER

1122

UDB_RESET_GROUP_USERS_COUNTER

1123

UDB_GET_FIRST_QUOTA_TYPE

1124

UDB_GET_NEXT_QUOTA_TYPE

1125

UDB_SET_QUOTA

1126

UDB_HAS_USER_QUOTA_EXHAUSTED

1127

UDB_SHARED_PROFILE

1128

UDB_ADD_UDV

1140

UDB_DEL_UDV

1141

UDB_GET_VID_FROM_IETF

1142

UDB_ADD_UDV_VSA

1143

UDB_ADD_UDV_VSA_ENUM

1144

UDB_ADD_UDV_VSA_PROFILE

1145

UDB_SET_REP_DIRTY_FLAG

1150

UDB_USER_COMMIT_NOW

1151

UDB_POLICY_CREATE_CONTEXT

1152

UDB_USER_REMOVE_DYNAMIC

1153


Table 6 lists the descriptive text in the CSAuth diagnostic logs and the corresponding status code.

Table 6 Descriptive Status Text and Request Code 

Status Description
Status Code

UDB_BASE_ERR

1000

UDB_DB_NOT_OPEN

1001

UDB_INVALID_ENTRY

1002

UDB_CANT_CREATE_MAP

1003

UDB_CANT_CREATE_VIEW

1004

UDB_CANT_OPEN_INDEX

1005

UDB_DB_IS_OPEN

1006

UDB_SIZE_MISMATCH

1007

UDB_CANT_OPEN_FILE

1008

UDB_CRC_FAILED

1009

UDB_CANT_INIT_INDEX

1010

UDB_INVALID_DATA

2011

UDB_CANT_GROW_FILE

1012

UDB_USER_INVALID

2013

UDB_DUPLICATE_NAME

1014

UDB_INVALID_PASSWORD

2015

UDB_IPC_DATA_INVALID

1016

UDB_FEATURE_NOT_READY

1017

UDB_SERVER_BUSY

1018

UDB_REGISTRY_READ_FAIL

1019

UDB_UNKNOWN_VARIABLE

2020

UDB_NO_FILE_HANDLES

1021

UDB_DIR_CREATE_FAILED

1022

UDB_FILE_WRITE_FAILED

1023

UDB_FILE_READ_FAILED

1024

UDB_INVALID_DIR_NAME

1025

UDB_INVALID_FILE_NAME

1026

UDB_MALLOC_FAIL

1027

UDB_INVALID_HANDLE

1028

UDB_USER_NOT_OWNER

1029

UDB_CANT_REBUILD_INDEX

1030

UDB_CANT_REMOVE_OLD_DB

1031

UDB_USER_REMOVED

2032

UDB_NO_VARIABLE

1033

UDB_PASSWORD_DISABLED

2034

UDB_FILE_SET_PTR_FAILED

1035

UDB_USER_LICENCE_LIMIT

1036

UDB_APP_NOT_LICENSED

1037

UDB_BAD_SECRET

1038

UDB_DB_VERSION_MISMATCH

1039

UDB_DIR_REMOVE_FAILED

1040

UDB_CANT_ASSIGN_PROFILE

1041

UDB_LOGGER_OFFLINE

1042

UDB_CANT_ACCESS_USERLIST

1043

UDB_SESSION_COUNT_EXCEEDED

2044

UDB_PASSWORD_REQUIRED

2045

UDB_CHALLENGE_REQUIRED

2046

UDB_NO_SESSION

1047

UDB_INTERNAL_ERROR

1048

UDB_BAD_TODDOW

2049

UDB_CANT_LOCK_RECORD

1050

UDB_NT_DIALIN_REQUIRED

2051

UDB_NT_PW_WRONG

2052

UDB_NT_AC_RESTRICTED

2053

UDB_NT_TOD_DOW

2054

UDB_NT_PW_EXPIRED

2055

UDB_NT_AC_DISABLED

2056

UDB_NT_BAD_WORKSTATION

2057

UDB_NT_UNKNOWN_ERR

1058

UDB_NT_PASS_CHANGE

2059

UDB_NT_NO_DOMAIN

2060

UDB_NT_AC_LOCKED

2061

UDB_NT_NO_BROWSER

2062

UDB_INVALID_CHAP_PW

2063

UDB_INVALID_ARAP_PW

2064

UDB_INVALID_TOKEN_PW

2065

UDB_INVALID_UNIX_PW

2066

UDB_TOKEN_SERVER_DOWN

1067

UDB_USER_CLI_FILTERED

2068

UDB_NO_SENDAUTH_PW

1069

UDB_NO_TOKENSRV

1070

UDB_NT_NO_LOGON_NOT_GRANTED

2071

UDB_CANT_START_TRANSACTION

1072

UDB_VARDB_NOT_OPEN

1073

UDB_NOT_IN_CACHE

1074

UDB_CANT_OPEN_ODBC_DB

1075

UDB_DLL_MISMATCH

1076

UDB_NOT_INSTALLED

1077

UDB_CHAP_ENFORCED

2078

UDB_ACCESS_DENIED

2079

UDB_REPLICATION_DENIED

1080

UDB_FAILED_TO_AQUIRE_IP_ADDR

1081

UDB_PASSWORD_DEAD

2082

UDB_PASSWORD_STATE_NOT_ACCESSIBLE

1083

UDB_PASSWORD_AGE_CHECK_FAILED

1084

UDB_NEW_PASSWORD_NOT_GOOD

2085

UDB_FAILED_TO_EXTRACT_DATA

1086

UDB_EXTERN_DB_ERROR

2087

UDB_BACKUP_FAILED_TO_START

1088

UDB_FAILED_TO_AQUIRE_CALLBACK

1089

UDB_FAILED_TO_PERFORM_SERVICE_OP

1090

UDB_TIME_OUT_WAITING_TO_START_AUTH

1091

UDB_AUTH_NOT_SUPPORTED_BY_EXT_DB

2092

UDB_CACHED_TOKEN_REJECTED

2093

UDB_TOKEN_PIN_CHANGED

2094

UDB_INVALID_MSCHAP_PW

2095

UDB_INVALID_EXT_CHAP_PW

2096

UDB_INVALID_EXT_ARAP_PW

2097

UDB_INVALID_EXT_MSCHAP_PW

2098

UDB_INVALID_EXT_USER

2099

UDB_NT_AC_EXPIRED

2100

UDB_AUTH_DENIED_DUE_TO_VOIP

2101

UDB_MALFORMED_USERNAME

2102

UDB_CANT_OPEN_HOST_DB

1103

UDB_CANT_OPEN_PROXY_DB

1104

UDB_CANT_OPEN_NDG_DB

1105

UDB_HOST_DB_FAILURE

1106

UDB_PROXY_DB_FAILURE

1107

UDB_NDG_DB_FAILURE

1108

UDB_INVALID_COUNTER_TYPE

1109

UDB_EXTERN_DB_TRANSIENT_ERROR

1110

UDB_INVALID_QUOTA_INDEX

1111

UDB_USAGE_QUOTA_EXCEEDED

2112

UDB_NT_CHANGE_PASS_FAILED

2113

UDB_CANT_LOAD_DLL

1114

UDB_EXTN_DLL_REJECTED

2115

UDB_INVALID_EXT_EAP_PW

2116

UDB_EAP_METHOD_NOT_SUPPORTED

2117

UDB_EAP_TLS_PASS_HS_USER_NOT_FOUND

2118

UDB_EAP_NO_MATCH_NAME_IN_CERT

2119

UDB_EAP_TLS_HANDSHAKE_FAILED

2120

UDB_EAP_IGNORE

2121

UDB_SUPPLIER_NOT_CONFIGURED

2122

UDB_UDV_CONFIG_ERROR

1123

UDB_USER_FOUND

2124

UDB_USER_NOT_FOUND

2125

UDB_EAP_FAILED

1126

UDB_MISSING_MPPE_DATA

2127

UDB_EAP_MACHINE_AUTH_DISABLED

2128

UDB_NT_NO_REMOTE_AGENT

2129

UDB_EAP_FAST_PAC_PROVISIONING

2130

UDB_EAP_FAST_USER_AND_IID_NOT_MATCH

2131

UDB_EAP_FAST_PAC_INVALID

2132

UDB_EAP_FAST_INBAND_NOT_ALLOWED

2133

UDB_EAP_FAST_INVALID_MASTER_KEY

2134

UDB_GROUP_DISABLED

2135

UDB_AVERT_NO_MAPPING

2136

UDB_EAP_PASSWORD_CHANGE_DISABLED

2137

UDB_AVERT_PROCEED_TO_UUP

2138

UDB_AVERT_LOCAL_POLICY_FAILED

2139

UDB_AVERT_EX_POLICY_FAILED

2140

UDB_AVERT_GENERAL_FAILURE

2141

UDB_ACCESS_DENIED_FAST_REC_NO_USER

2142

UDB_ACCESS_DENIED_MAR_RESTRICTION

2143

UDB_AVERT_UNKNOWN_ATTRIBUTE

2144

UDB_AUTH_PROTOCOL_NOT_ALLOWED

2145

UDB_EAP_FAST_ANON_INBAND_NOT_ALLOWED

2146

UDB_AUDIT_BAD_RESPONSE

2147

UDB_AUDIT_TOO_MANY_ROUND_TRIPS

2148

UDB_POSTURE_VALIDATION_FAILED

2149

UDB_MAC_AUTH_BYPASS_NOT_ALLOWED

2150

UDB_ACCESS_DENIED_NO_SERVICE

2151

UDB_AUTHORIZATION_REJECT

2152

UDB_PV_FAILED_NO_SERVICE

2153

UDB_LOCAL_USER_HAS_EXT_DB_AUTH

2154

UDB_SERVICE_EXT_DB_NOT_ALLOWED

2155

UDB_NT_LOGON_FAILURE

2156

UDB_MAC_AUTH_BYPASS_GROUP_DISABLE

2157

UDB_BADLY_FORMED_DACL_RQ

2158

UDB_INTERNAL_DACL_ERROR

2159

UDB_DACL_ASSIGN_ERROR

2160

UDB_INTERNAL_RAC_ERROR

2161

UDB_RAC_MISSING_ERROR

2162

UDB_AUDIT_RECIEVED_ERROR

2163

UDB_AUDIT_SERVER_UNREACHEABLE

2164

UDB_AUDIT_PARSE_ERROR

2165

UDB_EXT_POLICY_VER_ERROR

2166

UDB_EXT_POLICY_CONN_ERROR

2167

UDB_EXT_POLICY_AUTH_ERROR

2168

UDB_EXT_POLICY_TIMEOUT_ERROR

2169

UDB_ERR_PROFILE_TOO_BIG

1170

UDB_EXT_POLICY_CONN_ERROR_CA_UNKNOWN

2171

UDB_BASE_WARN

1000

UDB_ALREADY_OPEN

1001

UDB_PASSWORD_EXPIRED

1002

UDB_UNKNOWN_PASS_STATUS

1003

UDB_UDB_VALUE_OVERWRITE

1004

UDB_BUFFER_TOO_SMALL

1005

UDB_SIZE_SMALLER

1006

UDB_USER_NOT_ALIAS

1007

UDB_NO_MORE_QUOTA_TYPES

1008


Line Numbers in Diagnostic Logs

All ACS diagnostic log files now contain the correct line number of the source code that generated the error. In previous versions of ACS, the dzlog function contained the hard-coded source code line number which was populated to the ACS diagnostic log.

Improved EAP Code Debug Messages

All EAP debug messages are now reported to the CSAuth diagnostic log.

Product Documentation

Table 7 lists the product documentation for ACS 4.1.3.

Table 7 Product Documentation  

Document Title
Description

Documentation Guide for Cisco Secure ACS 4.1

Printed document with the product.

PDF on the product CD-ROM.

On Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/ps5338/
prod_release_notes_list.html

Release Notes for Cisco Secure ACS 4.1

New features, documentation updates, and resolved problems. Available on Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/
prod_release_notes_list.html

Product online help

Help topics for all pages in the ACS web interface. Choose an option from the ACS menu; the help appears in the right pane.

User Guide for Cisco Secure ACS 4.1

ACS functionality and procedures for using the ACS features. Available in the following formats:

By clicking Online Documentation in the ACS navigation menu. The user guide PDF is available on this page by clicking View PDF.

PDF on the ACS Recovery CD-ROM.

On Cisco.com: http://www.cisco.com/en/US/products/
sw/secursw/ps2086/products_user_guide_list.html

Supported and Interoperable Devices and Software Tables for Cisco Secure ACS 4.1

Supported devices and firmware versions for all ACS features. Available on Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/
products_device_support_tables_list.html

Installation and User Guide for User Changeable Passwords 4.1

Installation and user guide for the user-changeable password add-on. Available on Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/
prod_installation_guides_list.html

Configuration Guide for Cisco Secure ACS 4.1.

Provides provide step-by-step instructions on how to configure and deploy ACS. Available on Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_installation_and_configuration_guides_list.html

Installation Guide for Cisco Secure ACS 4.1 Windows

Details on installation and upgrade of ACS software and post-installation tasks. Available in the following formats:

PDF on the ACS Recovery CD-ROM.

On Cisco.com: http://www.cisco.com/en/US/products/
sw/secursw/ps2086/prod_installation_guides_list.html

Installation Guide for Cisco Secure ACS Solution Engine 4.1

Details on ACS SE 1112 and ACS SE 1113 hardware and hardware installation, and initial software configuration.

PDF on the ACS Recovery CD-ROM.

Available on Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps5338/
prod_installation_guides_list.html

Regulatory Compliance and Safety Information for Cisco Secure ACS Solution Engine 4.1

Translated safety warnings and compliance information.

Printed document with the product.

PDF on the ACS Recovery CD-ROM.

Available on Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/ps5338/
prod_installation_guides_list.html.

Installation and Configuration Guide for Cisco Secure ACS Remote Agents

Installation and configuration guide for ACS remote agents for remote logging.

PDF on the ACS Recovery CD-ROM.

Available on Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/ps5338/
products_installation_and_configuration_guides_list.html


Known Caveats in ACS for Windows and the Solution Engine 4.1.3

Table 8 contains known caveats in ACS for Windows and the Solution Engine 4.1. 3.

Table 8 Known Caveats in ACS Windows and the Solution Engine 4.1.3

Bug ID
Summary
Explanation

CSCdv86708

DEL/HTTP Port Allocation is not replicated.

Symptom    Changes to HTTP Port Allocation settings do not appear to replicate. After the HTTP Port Allocation settings are changed on the Access Policy Setup page in the Administration Control section on the primary Cisco Secure ACS server and replication succeeds, the secondary Cisco Secure ACS server does not display the changes to the HTTP Port Allocation settings in the HTML interface.

Workaround   .The changes to the HTTP Port Allocation settings do replicate successfully; however, to see the changes on the secondary Cisco Secure ACS server, restart the CSAdmin service.

CSCeg52536

Failed PEAP authentication not shown up in ACS logs.

Symptom    PEAP-MS-CHAPv2 with Machine authentication. ACS does not show any failure in the logs nor sending a radius reject if a client machines which does not belong to the AD domain at all tries to authenticate. Looking in the auth.log, it shows correctly that windows authentication fails.

Workaround   None.

CSCeh52700

AD expired-user passed EAP-TLS authentication; should be rejected.

Symptom    EAP-TLS authentication will still pass for users in Active Directory even if their account has expired - no error is given from ACS.

Conditions   EAP-TLS authentication of users in Active Directory running in Windows 2000 environment.

Workaround   None.

CSCeh86479

CSUtil import -85 errors to be changed to info msg-not error.

Symptom    The CSutil utility with the options -n, -g, and -u may print an ODBC error message similar to the following:

ODBC Error. Message=[Sybase][ODBC Driver][Adaptive 
Server Anywhere]Communication error, SqlState=08S01, 
NativeError=-85

Workaround   None. This would only happen when running csutil from Remote Services. This is really an informational message, and can be ignored.

CSCse25423

Bypass Info & extBDinfo fields in the passed\failed reports are empty.

Symptom    Bypass Info & extBDinfo fields in the passed authentication \failed attempts page in reports and activity are

Conditions   

1. Select the Bypass Info & extBDinfo attributes in logging page under system configuration page for both passed authentication \failed attempts.

2. Submit

3. Perform MAB request.

Workaround   None.

CSCsf11087

Cisco:PA: attributes not showing in Passed Auth rpt for Linux client.

Symptom    Cisco:PA attributes are not showing up in the Passed Authentication Report for a Linux client with CTA 2.1.0.10 installed. The attributes are showing up in the AUTH.log file and are showing up for a Win XP client on the same network.

Conditions   

1. In System Configuration > Logging > Passed Authentication select Cisco:PA attributes.

2. Click Submit.

3. Perform authentication using Linux client with CTA. 2.1.0.10

4. Check pass authentication log in reports and activity page.

Workaround   None.

CSCsf16737

CSAuth, CSAdmin, CSRadius, CSTacacs are not started up after reboot.

Symptom    After a system reboot, the following Services are not started up when Windows service, Windows Firewall/Internet Connection Sharing (ICS) is started:

CSAuth

CSRadius

CSTacacs

CSAdmin

Workaround   Disable Windows Service Windows Firewall/Internet Connection Sharing (ICS). To do so, Start > Run. Enter services.msc and press OK. In the Services dialog box, scroll to Windows Service Windows Firewall/Internet Connection Sharing (ICS). Right click, and select Properties. In the Startup type: box change Automatic to Disabled.

Note You can also manually start each service.

CSCsg02005

CSMon utilizes 100% CPU - while trying to communicate with SMTP Server.

Symptom    ACS hits 100% CPU load on CSMon.

Conditions   ACS or ACS-SE running 3.3.3.11 with e-mail notification on.

Workaround   Turn off e-mail notification.

CSCsg26367

Replication error on ACS 4.0. Slave does not apply changes.

Symptom    ACS 4.0.1(27) master is sending the changed files on the slave, only the skipped files are shown.

Logs confirm the reception of the files (RQ1051, RQ1052, RQ1054). CSMon kicks in after the configured replication timeout value (5 minute default), as configured, restarting the CSAuth service. So Slave is not showing the files that master says it has sent, then more or less hangs until restarted by CSMON. Master is not recovering from the loss of communication with slave:

AUTH 09/14/2006 00:22:48 E 1017 4268 Comms 
lib:Tcp_Connect: Failed to
connect to 172.29.128.133, sock error 10061 AUTH 
09/14/2006 00:22:48 E
1017 4268 Comms lib:Transport connect failed AUTH 
09/14/2006 00:22:48 E
1017 4268 Comms lib:Bad endpoint address
(0x00000000) trapped at
V:\ismg_israel_acs\Acs\EndPoint\Core\endpoint.c:1788

Conditions   Replications over a WAN connection.

Workaround   None. Logs show that when the replication is retried, it is usually successful.

CSCsg71852

ACS ignoring RADIUS request, may not be fixed.

Symptom    3750 Switch with NAC-802.1x authentications re-uses the same Radius ID for different users when ACS takes more time to reply for the original radius request.

Conditions   This behavior was observed in 12.2(25)SEE2.

Workaround   None.

CSCsg99626

CSDBSync crashes - faulting module odbc32.dll.

Symptom    CSDBSync crashes when enter CSDBSync.exe -run, and RDBMS sync doesn't occur. drwtsn32.log and user.dmp are generated.

Conditions   The customer executed the batch file like below:

It seemed CSDBSync didn't stop because there was no Service stop event in CSDBSync.log like below.


      CSDbSync 12/02/2006 23:30:41 A 0000 4460 
Transaction processing invoked manually
      CSDbSync 12/02/2006 23:30:47 A 0000 4828 
=============== Service started ================
 

Normally, the log is like below;

      CSDbSync 12/01/2006 23:30:40 A 0000 4700 Service 
stop requested   <<<HERE!
      CSDbSync 12/01/2006 23:30:43 A 0000 4164 
Transaction processing invoked manually
      CSDbSync 12/01/2006 23:30:51 A 0000 2160 
=============== Service started ================

Workaround   None.

CSCsh12148

Cannot reinstall CSA after removing it.

Symptom    This problem occurs only on the Quanta S27 appliance (1113) when trying to reinstall the CSA after removing it using the rollback function.The CSA rollback succeeds; but before the appliance reboots the following error appears: "The process cannot access the file because it is being used by another process." Then, after the appliance reboots, an error message appears when trying to reinstall CSA.

Workaround   None.

CSCsh29345

ACS 4.0 - Unable to delete server under Network Configuration.

Symptom    Unable to delete a ACS Server(s) from the Network Configuration > AAA Servers. After selecting the server to delete and then clicking on Delete > Apply, the ACS will respond with, "Are you sure you wish to delete this AAA Server?" If you select Yes, nothing happens.

Conditions   Saw this issue on a ACS Windows server running 4.0(1) Build 27. This issue was duplicated easily in the lab by restoring the customer database to an existing ACS server.

Workaround   Backup the customer database and send to DE. Delete the server manually with an external tool.

CSCsh48625

ACS radius error 2162 - switch isn't sent RAC/DACL client recvs token.

Symptom    ACS 4.0.1(27) was upgraded to 4.1.1.23 and none of the NAC features were imported. The network access profiles and posture validation rules missing from the previous version.

Conditions   Upgrade to 4.1.1.23 when NAP and Posture validation configured

Workaround   None.

CSCsh77806

EAP-TLS will fail authentication if name contains forward slash /.

Symptom    EAP-TLS users authenticating to ACS (and in turn to Active Directory) fail authentication if the Distinguished Name returned from the LDAP server contains a forward slash. Logs from the ACS will cite this as a permissions issue and do not make it clear that it's the format of the username at fault.

Conditions   Distinguished Name: CN=Lastname\, Firstname Department1/Department2,OU=.... but presumably will be seen in any instance in which the Distinguished Name contains a forwardslash. Windows Domain controllers will allow the forwardslash as a part of the username and do not appear to use an escape character prior to the forward slash (the above example does include an escape character prior to the comma). The issue is possibly a bug in Microsoft's handling of the forward slash character. Since this character is used as a separator in LDAP, the LDAP replies back should be padded with a backslash prior to the forward slash.

Workaround   Avoid use of forward slashes in user names authentication via EAP-TLS.

CSCsi42199

ACS 4.1 can fail to restore configuration on Windows 2003 R2.

Symptom    ACS may fail to shut down the csadmin service during a restore of an ACS database. Subsequent reboots of the ACS server will result in all ACS services failing to start.

Conditions   Issue has only been reproducible with:

Specific configurations

Windows 2003 R2

ACS 4.1.1.23 and subsequent codes

Workaround   Use Windows 2003 or Windows 2000 server rather than Windows 2003 R2. ACS Solution Engines are not affected by this issue.

CSCsi50359

Enable authentications are rejected with Internal Error message.

Symptom    Users on CatOS switches are denied enable authentication, even though they're entering the correct password. Login authentications work correctly.

Conditions   This has been observed on ACS 4.1.1(23). Other versions may be affected as well. The problem occurs when the users have TACACS+ Enable Control set to Use Group Level Setting.

Workaround   Configure the user to have a max privilege level setting under Max Privilege for any AAA Client.

CSCsi57134

QoS values incorrect for WLC

Symptom    QoS values incorrect on WLC after pushing override from ACS.

Workaround   .Obtain patch to update the values in ACS database.


Resolved Caveats in ACS for Windows and the Solution Engine 4.1.3

Table 9 contains the resolved caveats for the ACS 4.1.3 release. Check the Bug Navigator on Cisco.com for any resolved bugs that might not appear here.

Table 9 Resolved Caveats in ACS Windows and the Solution Engine 4.1.3 

Bug ID
Summary

CSCeb43948

Could not generate valid Password with password length => 9.

CSCed45731

ACS logs should indicate level of logging.

CSCee65661

Need the NoCacheUser feature for unknown user policy.

CSCeh42116

EAP-TLS Machine Authentication fails when AD PDC emulator down.

CSCsd12551

IP pools disappear occasionally from Group Setup/Edit Settings.

CSCsd20149

After initial config from Recovery CD, no GUI access.

CSCsd63894

ACS does not respond with the same ip address for RADIUS.

CSCsd95346

VSA definition for Total Control HiperARC card accounting attributes.

CSCsd97599

After Replication the Dynamic user still added as user in Group-Setup.

CSCsd98589

Authentications fail when NIC reconnected after reboot.

CSCse49827

ACS Remote Agent fails users with too many groups.

CSCsf28775

Expired accounts are incorrectly reported.

CSCsf30675

Monitoring audit log messages contain empty value for the AAA-server attributes.

CSCsf98129

Client host name in ACS cannot be deleted.

CSCsg13994

Upgrade from 4.0.1.27 to 4.1.1.23, no feedback from NAC.

CSCsg14329

ACS 4.0 and semi-colon separator in cisco-av-pair RADIUS attributes.

CSCsg19044

ACS Syslog and ODBC configurations cannot display Trend Micro, McAfee, and Qualys in Reports and Activities.

CSCsg24465

Update OS to support Daylight Saving Time for the 2007 energy bill.

CSCsg32883

Feature: Authentications from ACS not hardcoded to workstation CISCO.

CSCsg37381

ACS authentication stops intermittently with - Unknown error code: -1018.

CSCsg62393

Wrong shared key, if device is added as tacacs and radius in same NDG.

CSCsg62438

ACS can not handle more than 4 EAP-Message attributes in radius request.

CSCsg62459

Unable to delete CA Cert from CA list.

CSCsg87232

Enhancement: Add Cisco-AvPair to VOIP accounting records.

CSCsg89656

CSAuth does not shutdown cleanly in some ACS 4.0 installs.

CSCsg96534

ACS support for Windows 2003 R2 needs clarification.

CSCsg97429

TACACS+ Command Accounting does not work in ACS 4.1(1) Build 23.

CSCsg99542

Line number in ACS log files should be corrected.

CSCsh02206

Textual Commands and Error Codes enhancement.

CSCsh02215

Session Id to Diagnostic Logs.

CSCsh05964

ACS 4.1: Separate enable password fails when unix password type used.

CSCsh13994

ACS 4.1: Separate enable password fails when unix password type used.

CSCsh18732

Generic EAP code - debug messages should appear in release mode.

CSCsh18742

ACS should silently discard packet when external ODBC DB not available.

CSCsh21987

Feature: ACS should have ability to send access-reject to unknown EAP.

CSCsh24710

Shell Commands Authorization Set part of commands are effective.

CSCsh32888

Separate enable password does not work after ACS upgrade to 4.1.

CSCsh39305

Administrative access policy does not take effect after replication.

CSCsh43814

No users at IP x.x.x.x.

CSCsh48625

ACS radius error 2162 - switch isn't sent RAC/DACL client recvs token.

CSCsh62641

MAC authentication causes internal errors (radius-authentication).

CSCsh65197

CSAuth crashes when username has a comma.

CSCsh69160

EAP FAST1: ACS does not provide the supplicant with reason of rejection.

CSCsh74140

Loss of external database breaks NAD AAA redundancy concept.

CSCsh75933

EAP FAST configuration changes is not logged to Administrators report.

CSCsh77651

Anti-Virus is locking DB file.

CSCsh84447

Limited administrator sees first page empty if trying to list all users.

CSCsh87466

Authentication failure on first login after remote agent restart.

CSCsh89335

ACS EAP-FAST Replication fails generating server not responding error.

CSCsh91761

ACS: XSS vulnerability via search facility in online help.

CSCsi13371

Deleting the CRLs downloaded from the CDP in CRL folder - via ACS GUI.

CSCsi18979

ACS Windows and SE missing Juniper VSA.


Installation Notes for ACS 4.1.3

This section contains installation information for ACS 4.1.3.

Installing ACS 4.1.3 for Windows

System Requirements ACS 4.1.3 for Windows

Installing ACS 4.1.3 for Windows

Upgrade Path for ACS Solution Engine 4.1.3

Installing the ACS Solution Engine 4.1.3

Upgrade Path ACS 4.1.3 for Windows

Cisco tested the upgrade to ACS for Windows Server 4.1.3 from release 4.1.1.23. For ACS 4.1 upgrade paths, refer to the Installation Guide for Cisco Secure ACS 4.1 Windows.


Note ACS 4.1.3 is available only as an upgrade from ACS 4.1.1. You do not use a boot or installation CD to install ACS 4.1.3.



Note Cisco does not support the upgrade from ACS 4.1.2 to ACS 4.1.3.


System Requirements ACS 4.1.3 for Windows

The system requirements for ACS 4.1.3 are the same as for ACS 4.1. For information on supported operating systems and web browsers, refer to the Installation Guide for Cisco Secure ACS 4.1 Windows.

Installing ACS 4.1.3 for Windows

You must have ACS 4.1 installed before you install ACS 4.1.3. ACS 4.1.3 is available through the Cisco TAC only for upgrading existing ACS software deployments. The installation instructions for ACS 4.1.3 are the same as for ACS 4.1. For information about installing ACS, refer to the Installation Guide for Cisco Secure ACS 4.1 Windows.

Upgrade Path for ACS Solution Engine 4.1.3

Cisco tested the upgrade to ACS Solution Engine 4.1.3 from release 4.1. For ACS 4.1 upgrade paths, refer to the Installation Guide for Cisco Secure ACS Solution Engine 4.1.


Note You do not use a boot CD to install ACS 4.1.3. You must upgrade from ACS 4.1.1.23.


Installing the ACS Solution Engine 4.1.3

The 1113 Solution Engine has ACS 4.1 pre-installed. The ACS 4.1.3 Solution Engine upgrade package is available through the TAC only for upgrading existing ACS software deployments. The installation instructions for ACS 4.1.3 Solution Engine are the same as ACS 4.1. For information about installing ACS, refer to the Installation Guide for Cisco Secure ACS Solution Engine 4.1.

Printed in the USA on recycled paper containing 10% postconsumer waste.