
Cisco Secure Access Control Server Express

Release Notes for Cisco Secure ACS Express, 5.0


Release Notes for Cisco Secure ACS Express, 5.0


Revised: March 18, 2008, OL-11674-02

CDC Date: October 29 2007

Cisco Secure ACS Express 5.0 (ACS Express) comprises a Linux appliance, the Cisco Application Deployment Engine (ADE) 1010, and the ACS Express server software. These release notes provide general information about ACS Express, known anomalies in this release, and related documentation.

Contents

This release note contains the following sections:

Introduction

Supported Protocols

Installation Notes

Running the setup Program

Caveats

Related Documentation

Introduction

Cisco Secure ACS Express (referred to as ACS Express from here on) is an easy-to-use access control server that operates as a centralized RADIUS and TACACS+ server. It extends access security by combining authentication and authorization within a centralized identity networking solution, allowing greater flexibility and user-productivity gains. ACS Express supports a broad variety of access connections, including wired and wireless LAN, firewalls, and VPNs.

ACS Express is an entry-level RADIUS and TACACS+ AAA server addressing the small-to-medium business (SMB) market, such as retail branches and enterprise branch offices. ACS Express controls user and machine access to various networks, including wireless, wired, and virtual private networks, and it controls administrative access to network devices using RADIUS and TACACS+. ACS Express ships as an appliance with easy-to-use management interfaces to facilitate deployment and configuration.

The primary function of ACS Express is to control access by users and client machines that request access to protected resources within a corporate network. ACS Express interacts with AAA-enabled network devices to authenticate a user or device and to authorize it with the entitlements granted to that user or device.

ACS Express controls user and client access to an enterprise network by way of various transports including wireless, wired, and VPN (Network Access) using RADIUS. For network access, ACS Express and the AAA-enabled devices such as a Network Access Server (NAS) communicate using the RADIUS protocol. ACS Express supports various NASs including Cisco IOS/PIX devices, Cisco VPN concentrators, Cisco Airespace controllers, Cisco Aironet access points, Juniper and Microsoft devices, and any IETF RADIUS-compliant NAS. ACS Express supports various authentication methods including CHAP, PAP, MS-CHAPv2, EAP-TLS, PEAP, EAP-FASTv0, and LEAP.

After a NAS submits a user's credentials to ACS Express, ACS Express can validate them against various user databases. ACS Express can communicate with Active Directory, LDAP, and One-Time-Password user databases. ACS Express also provides its own user database to manage local users. During the credential validation process, the user database might return data describing a user's profile within an enterprise (such as a User Group). When using Active Directory, ACS Express can also process machine authentication requests and enforce that both the machine and the user are successfully authenticated before network access is granted.

After the credentials are validated, ACS Express then determines the entitlements granted to the user. For network access, an entitlement is a RADIUS authentication response returned to the originating NAS. An administrator can define rules to determine the returned entitlements. Conditions for the rules might include a user's profile (user group), how (wireless, wired, or other) and when (time of day) a user attempts to access the enterprise network.

ACS Express also controls network administrator access to configure a network device (Device Administration Access). For device administration, ACS Express supports NASs that communicate using TACACS+ or RADIUS. Credential validation and entitlement determination are processed in the same manner as described for network access. Entitlements for device administration specify the maximum administrative privilege level allowed. Conditions for the rules might include a user's profile (user group), the device being configured, and when (time of day) a user attempts to configure a network device.

ACS Express supports up to 50 NASs and is aimed at small-to-medium businesses requiring 350 or fewer successful user authentications per twenty-four hour period.

ACS Express is delivered as an appliance. You use the command line interface (CLI) to set up the ACS Express appliance. You use the GUI to configure the ACS Express server. ACS Express can be deployed in pairs where the configuration from the primary Express server is replicated to the secondary server.

Supported Protocols

ACS Express supports both the RADIUS and TACACS+ protocols concurrently. ACS Express conforms to the latest TACACS+ specification (draft 1.78) from Cisco with some exceptions.

ACS Express conforms to the RADIUS protocol as defined in the draft of April 1997 and conforms substantially to the following Requests for Comments (RFCs). RFC 2138 and RFC 2139 are the earlier RADIUS and RADIUS Accounting specifications that RFC 2865 and RFC 2866 later obsoleted, and RFC 2284 is PPP EAP; they are listed because older NASs still follow them.

RFC 2138

RFC 2139

RFC 2284

RFC 2865

RFC 2866

RFC 2867

RFC 2868

RFC 2869

The UDP ports used for RADIUS authentication and accounting changed between RFC revisions: RFC 2138 and RFC 2139 used ports 1645 and 1646, which conflicted with a port already assigned to another service, and RFC 2865 and RFC 2866 assign ports 1812 and 1813. To support both older and newer NASs, ACS Express accepts authentication requests on port 1645 and port 1812, and accounting packets on port 1646 and port 1813. Allow both pairs through any firewall between a NAS and the appliance, or configure each NAS consistently for one pair.
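The port pairs above carry the RADIUS packet format of RFC 2865. As an added worked example that is not part of these release notes or of the ACS Express software, the following is the editor's illustration of the two pieces of that format a practitioner most often has to reason about: how a NAS hides a PAP User-Password with the shared secret and the Request Authenticator (RFC 2865 section 5.2), and the Response Authenticator check (RFC 2865 section 3) a NAS must perform before trusting an Access-Accept from either port. The shared secret, user name and password are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18

# RFC 2138/2139 used 1645/1646; RFC 2865/2866 assign 1812/1813.
# The release notes state that ACS Express listens on both pairs.
AUTH_PORTS = (1645, 1812)
ACCT_PORTS = (1646, 1813)


def _password_xor(data: bytes, secret: bytes, request_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: each 16-byte block is XORed
    with MD5(secret + previous hidden block); the chain starts with the
    Request Authenticator. Hiding and revealing differ only in which block
    (the hidden output or the hidden input) feeds the next MD5."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        mixed = bytes(x ^ y for x, y in zip(block, pad))
        out += mixed
        prev = block if decrypt else mixed
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _password_xor(padded, secret, request_auth, decrypt=False)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    return _password_xor(hidden, secret, request_auth, decrypt=True).rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts its own two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(blob: bytes) -> list:
    """Walk the attribute list, refusing bad lengths rather than looping."""
    attrs, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_access_request(ident, username, password, secret, request_auth=None):
    # The Request Authenticator must be unpredictable per request (RFC 2865
    # section 3): it seeds the password hiding and binds the reply to this request.
    request_auth = request_auth or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username) + \
        attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + request_auth + attrs + secret).digest()


def build_reply(code, ident, attrs, request_auth, secret):
    """What a RADIUS server sends back; used here to produce a reply to verify."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hdr + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_reply(reply, ident, request_auth, secret):
    """The check a NAS performs before acting on an Access-Accept: a reply whose
    identifier does not match the outstanding request, or whose authenticator
    is wrong or forged, must be dropped."""
    if len(reply) < 20:
        return False
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return False
    expected = response_authenticator(code, rid, reply[20:], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])
```

The User-Password hiding is an MD5-chained XOR keyed by the shared secret, not encryption: anyone who captures the packet and can guess the secret recovers the password. Treat the secret like a key (long and random, one per NAS), and prefer the certificate- or tunnel-based methods the appliance supports (EAP-TLS, PEAP, EAP-FAST) over PAP and CHAP where the NAS allows it.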

In addition to support for standard Internet Engineering Task Force (IETF) RADIUS attributes, ACS Express supports vendor-specific attributes (VSAs). The following VSAs are supported out of the box:

Cisco IOS/PIX 6.0

Cisco VPN 3000/ASA/PIX 7.x+

Cisco VPN 5000

Cisco Airespace

Cisco Aironet

Juniper

Microsoft

ACS Express also enables you to add and modify VSAs for the vendors listed above and to define VSAs for up to 10 additional vendors. After a new RADIUS VSA is defined, you can use it as if it were a predefined ACS Express RADIUS VSA.

Exceptions To TACACS+ Draft 1.78 Support

The following parts of TACACS+ Draft 1.78 are not supported in ACS Express 5.0:

Command authorization (including command authorization sets) is not supported. Device administration is therefore limited to the privilege level returned at login; do not rely on ACS Express for per-command restrictions.

Only the shell service type is supported; other service types such as PPP, SLIP, ARAP, and EAP over TACACS+ are not supported.

Only the ASCII TACACS+ password (authentication) type is supported. Other authentication types such as PAP, CHAP, and ARAP are not supported.

The TACACS+ password change sequence is supported only for the local database, not for external databases such as LDAP or Active Directory.

Only the TACACS+ attribute-value pairs priv_lvl, timeout, idletime, and service are supported. Attribute-value pairs such as acls, route, autocmd, and some others are not supported.

TACACS+ single-connection mode is not supported. Configure each NAS to open a separate TCP connection per session (for example, omit the single-connection keyword from the tacacs-server host command on Cisco IOS).
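To make the exceptions above concrete, here is an added example (the editor's, not from these release notes or from Cisco's implementation) of the TACACS+ draft body obfuscation and of a service=shell authorization exchange: the NAS asks for an exec shell, the server answers PASS_ADD with a privilege level, and the NAS keeps only the AV pairs ACS Express 5.0 can return. The shared key, session ID, user name, port and address are constructed; attribute names follow the draft's spelling (priv-lvl in AV pairs, priv_lvl for the header field the release notes name).

```python
import hashlib
import struct

# Header constants from the TACACS+ draft (names follow the draft).
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_VERSION = (TAC_PLUS_MAJOR_VER << 4) | 0x0               # major 0xc, minor 0
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 1, 2, 3
FLAG_UNENCRYPTED, FLAG_SINGLE_CONNECT = 0x01, 0x04
AUTHEN_METH_TACACSPLUS, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x06, 0x01, 0x01
AUTHOR_STATUS_PASS_ADD, AUTHOR_STATUS_PASS_REPL, AUTHOR_STATUS_FAIL = 0x01, 0x02, 0x10
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
# AV pairs the release notes say ACS Express 5.0 supports (draft spelling: priv-lvl).
SUPPORTED_AVPAIRS = {"priv-lvl", "timeout", "idletime", "service"}


def pad_stream(session_id, key, version, seq_no, length):
    """Keystream from the draft: MD5(session_id + key + version + seq_no),
    then MD5(... + previous digest), concatenated until it covers the body."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the keystream; the same call reverses it."""
    pad = pad_stream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key, flags=0):
    if flags & FLAG_SINGLE_CONNECT:
        raise ValueError("single-connection mode is not supported by ACS Express 5.0")
    if key:
        body = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    else:
        flags |= FLAG_UNENCRYPTED       # cleartext body; lab use only
    return HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body)) + body


def parse_packet(packet, key):
    if len(packet) < HEADER.size:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:]
    if version >> 4 != TAC_PLUS_MAJOR_VER or len(body) != length:
        raise ValueError("bad version or length")
    if not flags & FLAG_UNENCRYPTED:
        if not key:
            raise ValueError("obfuscated body but no key configured")
        body = obfuscate(body, session_id, key, version, seq_no)
    return ptype, seq_no, flags, session_id, body


def author_request_body(user, port, rem_addr, avpairs, priv_lvl=1):
    """Authorization REQUEST as a NAS sends it when starting an exec shell."""
    args = [a.encode() for a in avpairs]
    head = struct.pack("!8B", AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
                       AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(args))
    return head + bytes(map(len, args)) + user + port + rem_addr + b"".join(args)


def author_reply_body(status, avpairs, server_msg=b"", data=b""):
    """Authorization RESPONSE body; used here to produce something to parse."""
    args = [a.encode() for a in avpairs]
    head = struct.pack("!BBHH", status, len(args), len(server_msg), len(data))
    return head + bytes(map(len, args)) + server_msg + data + b"".join(args)


def parse_author_reply(body):
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    lens, pos = body[6:6 + arg_cnt], 6 + arg_cnt
    if len(lens) != arg_cnt:
        raise ValueError("truncated argument lengths")
    server_msg = body[pos:pos + msg_len]
    pos += msg_len + data_len               # the data field is not used here
    avpairs = []
    for n in lens:
        avpairs.append(body[pos:pos + n].decode())
        pos += n
    if pos != len(body):
        raise ValueError("length mismatch in authorization reply")
    return status, server_msg, avpairs


def shell_attributes(status, requested, returned):
    """Apply the reply as the draft describes: PASS_ADD merges the server's
    AV pairs into the request's, PASS_REPL uses only the server's, anything
    else denies. Pairs ACS Express cannot return (acl, autocmd, ...) are
    dropped so nothing is granted on the strength of an unsupported pair."""
    if status == AUTHOR_STATUS_PASS_ADD:
        pairs = list(requested) + list(returned)
    elif status == AUTHOR_STATUS_PASS_REPL:
        pairs = list(returned)
    else:
        return None
    attrs = {}
    for pair in pairs:
        sep = "=" if "=" in pair else "*"   # '=' mandatory, '*' optional attribute
        if sep not in pair:
            continue
        name, value = pair.split(sep, 1)
        if name in SUPPORTED_AVPAIRS:
            attrs[name] = value
    attrs["priv-lvl"] = int(attrs.get("priv-lvl", 1))
    return attrs
```

build_packet refuses the single-connect flag because ACS Express 5.0 does not support it; on the wire this means each authentication, authorization and accounting session opens its own TCP connection to port 49. The body obfuscation is an MD5-derived XOR keyed by the shared secret, not encryption: an attacker holding a capture and a guessable key recovers every body, including the ASCII password in an authentication START, so choose a long random key and keep the NAS-to-appliance path on a management network.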

Installation Notes

The Cisco Secure ACS Express product comprises an appliance, the Cisco Application Deployment Engine (ADE) 1010, and the ACS Express server software. The software for ACS Express is already installed on the appliance.

This section provides an overview of installation tasks required to install the ACS Express appliance.


Step 1 Open the box and check the contents.

The package containing your ACS Express appliance includes the following:

ACS Express appliance

Hardware accessory kits

Software accessory kits

Rack mount kit

Power cord

Step 2 Read Chapter 3 of the Installation and Setup Guide for Cisco Secure ACS Express and pay special attention to all safety guidelines.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/installation/guide/prepare.html

Step 3 Install the appliance in either a two-post or four-post rack, and complete the rest of the hardware installation.

See Chapter 4 of the Installation and Setup Guide for Cisco Secure ACS Express for more details about installing the ACS Express appliance.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/installation/guide/instll.html

Figure 1 shows the rear of the ACS Express appliance and the various cable connectors. Ensure that you connect the Ethernet cable to the NIC 1 connector (#6 in Figure 1).


Note Use the NIC 1 connector for your Ethernet connection. Using the NIC 2 port is not supported and attempting to use the NIC 2 connector will cause an unstable environment.


Figure 1 Cable Connectors on Rear of ACS Express Appliance

Table 1 describes the rear panel connectors called out in Figure 1:

Table 1 Cable Connectors on Rear of ACS Express Appliance

#   Connector                        #   Connector
1   AC power connector               5   Video connector
2   Mouse                            6   NIC 1 (10/100/1000 Mb) port
3   Keyboard                         7   Unsupported NIC 2 port
4   Serial port                      8   USB ports

After completing the hardware installation, you are ready to turn power on.

The first time you turn power on you must run the setup program. See Running the setup Program for more detailed information.


Running the setup Program

The setup program launches an interactive command-line interface (CLI) that prompts you for the required parameters. An administrator can use the console or a dumb terminal to configure the initial network settings and provide the initial administrator credentials for the ACS Express server using the setup program.

After you turn on power to the ACS Express appliance and it boots up for the first time, a login prompt like the following displays on the console:

*************************************************
Please log in as setup to configure the appliance
*************************************************
localhost login: 

Enter setup at the login prompt to launch the setup program, and the ACS Express appliance will prompt you for the setup parameters. Table 2 lists and describes the setup program parameters. You must provide a response for each parameter before you advance to the next.

Table 2 Setup Command Parameters

Parameter                Description
Hostname                 Hostname of the ACS Express server
IP Address               Must be a valid IP address
Network Mask             Must be a valid mask
Default Gateway IP       Must be a valid IP address
Domain Name              DNS domain name of the ACS Express server
DNS Server Address       Must be a valid IP address
Administrator Password   Must adhere to the password policy for administrators
Time                     Must be a valid time


Figure 2 provides an example of the setup program interaction. The values following each prompt are administrator entries.

Figure 2 Sample Output of setup Command


localhost.localdomain login: setup

Press 'Ctrl-C' to abort setup
Enter hostname[]: acsexpress1
Enter IP address[]: 209.165.200.225
Enter IP default netmask[]: 255.255.255.0
Enter IP default gateway[]: 209.165.200.1
Enter default DNS domain[]: yourcompany.com
Enter Primary nameserver[]: 209.165.200.254
Add/Edit another nameserver? Y/N : n
Enter username[admin]: admin
Enter password: 
Enter password again: 
Pinging the gateway...
Pinging the primary nameserver...
Do not use 'Ctrl-C' from this point on...


Note If you use CTRL-C to interrupt the setup program at this point, you might have to reimage the ACS Express appliance.


Appliance is configured
Installing applications...
Installing acsexpress ... 
Generating configuration...
Rebooting...


You can abort setup by pressing CTRL-C at any prompt up to the point where the program warns you not to; this is also how to start over if you enter an incorrect setting. After you provide the required input for each parameter, the new settings are applied.

After you run the setup program and provide the initial settings, the ACS Express server reboots. After the ACS Express server reboots, use the username and password you entered during setup to log in.


Note After you complete the initial setup, it is no longer possible to re-run the setup program unless you reimage the ACS Express appliance using the recovery CD.


Caveats

Table 3 lists the known anomalies in ACS Express 5.0.

Table 3 Known Anomalies in ACS Express 5.0 

Bug ID
Description

CSCsj09758

CN comparison fails with client certificate validation error when you use EAP-TLS authentication with a user having first and last name in Active Directory (AD).

Symptom: If the CN field in a client certificate does not match the user logon name in AD, EAP-TLS or PEAP-EAP-TLS authentication fails during client certificate validation.

Conditions: This occurs when a user's last name is included in Windows AD and you use EAP-TLS or PEAP-EAP-TLS authentication with only the CN comparison enabled on ACS Express.

Workaround: Configure the CA to use the logon name as CN field value in the client certificate, or enable both SAN and Binary comparisons on the ACS Express server.

CSCsj92018

A system error message occurs after you attempt to create, modify, or copy a TACACS+ Access Service.

Symptom: After creating, editing, or copying a TACACS+ Access Service, a system error message appears after you click Save. The error message looks like the following:

com.cisco.ar.api.ServerStateException: Server failed to start:

After this error, ACS Express might stop processing authentication requests.

Conditions: This occurs under normal operating conditions after you try to create, edit, or copy a TACACS+ Access Service and click Save.

Workaround: Restart the ACS Express server. From the ACS Express GUI, go to Reports & Troubleshooting > Process Status and click Restart ACS Express.

CSCsj96213

In a replicated configuration, importing a complete configuration with the CLI command acsimport and the flushconfig option (partial replication) does not commit the transaction to the secondary's internal database.

Symptom: In a replicated configuration, the secondary repeatedly requests resynchronization after you use acsimport with the flushconfig option to import a complete configuration. On the secondary, the acsxp_server.log file shows messages like the following:

acsxp/server Warning Server 0 Requesting resynchronization from Primary: Last Txn#61 
acsxp/server Info Server 0 Committing Replication of Transaction 62 with 4600 Elements. 
acsxp/server Error Server 0 Could not commit transaction to MCD. 

On the primary, the acsxp_server.log shows repeated synchronizations.

Conditions: This occurs in a replicated configuration when a read-write administrator imports a large configuration (over 4500 elements) using the CLI command acsimport with the flushconfig options.

Workaround: Do a full synchronization between the primary and secondary. On the primary or secondary, synchronize the server by clicking Synchronize Servers on the Replication window.
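An added check (the editor's, not part of these release notes or of the ACS Express tooling) that runs over acsxp_server.log lines in the format quoted above and flags the failed-commit and resynchronization loop this caveat describes, so an operator can tell from the secondary's log alone that a full synchronization is needed. The log excerpt is constructed from the three lines quoted in the symptom; the 4500-element threshold comes from the Conditions.

```python
import re

# Constructed acsxp_server.log excerpt in the format shown for CSCsj96213:
# a secondary stuck re-requesting synchronization after a large import.
SAMPLE_LOG = """\
acsxp/server Warning Server 0 Requesting resynchronization from Primary: Last Txn#61
acsxp/server Info Server 0 Committing Replication of Transaction 62 with 4600 Elements.
acsxp/server Error Server 0 Could not commit transaction to MCD.
acsxp/server Warning Server 0 Requesting resynchronization from Primary: Last Txn#61
acsxp/server Info Server 0 Committing Replication of Transaction 62 with 4600 Elements.
acsxp/server Error Server 0 Could not commit transaction to MCD.
"""

LINE_RE = re.compile(r"^(?P<component>\S+) (?P<level>\w+) Server (?P<server>\d+) (?P<msg>.*)$")
COMMIT_RE = re.compile(r"Committing Replication of Transaction (?P<txn>\d+) with (?P<elements>\d+) Elements")
RESYNC_RE = re.compile(r"Requesting resynchronization from Primary: Last Txn#(?P<txn>\d+)")
LARGE_IMPORT = 4500   # element count above which the caveat's Conditions apply


def parse_line(line):
    """Split one acsxp_server.log line into component, level, server and message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_stuck_replication(text):
    """Return one finding per failed commit (with the transaction and element
    count of the commit that preceded it) and whether the secondary is looping,
    i.e. it asked the primary for the same Last Txn# more than once."""
    findings, resync_counts, last_commit = [], {}, None
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if (r := RESYNC_RE.search(msg)):
            resync_counts[r["txn"]] = resync_counts.get(r["txn"], 0) + 1
        elif (c := COMMIT_RE.search(msg)):
            last_commit = (int(c["txn"]), int(c["elements"]))
        elif rec["level"] == "Error" and "Could not commit transaction to MCD" in msg:
            txn, elements = last_commit or (None, 0)
            findings.append({"txn": txn, "elements": elements,
                             "likely_CSCsj96213": elements > LARGE_IMPORT})
    looping = any(count > 1 for count in resync_counts.values())
    return findings, looping
```

A finding with likely_CSCsj96213 set and looping true is the signature of this caveat; the fix is the full synchronization described in the workaround, not a restart, because the secondary will keep re-requesting the same transaction.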

CSCsk40547

In a replicated configuration, changes to the LDAP and OTP secondary server IP addresses and to the OTP shared secret that are replicated to the secondary ACS Express server do not take effect for authenticating clients on that secondary.

Symptom: In a replicated configuration using partial replication, a change on the ACS Express primary that adds an LDAP or OTP primary or secondary server is not used to authenticate clients on the ACS Express secondary, even though the replicated settings appear correct.

Conditions: This occurs under normal operating conditions in a replicated configuration when using LDAP or OTP secondary servers.

Workaround: Perform a full synchronization between the primary and secondary if adding or changing the LDAP or OTP primary or secondary server. On the primary or secondary, synchronize the server by clicking Synchronize Servers on the Replication window.

CSCsk45083

Password expiration time on the Administrator windows is shown in Coordinated Universal Time (UTC).

Symptom: Password expiration set for Administrators using Password Policy on the Administrator window is in UTC and not the timezone configured on the appliance.

Conditions: This occurs under normal operating conditions.

Workaround: None; you will need to manually calculate the local time of password expiration based on the displayed UTC time.

CSCsk46864

When using acsimport or acsexport CLI commands an exception occurs when there is a backslash in the filename.

Symptom: An error message like the following appears when you use the CLI command acsexport:

Invalid number of arguements provided. Exported failed

An error message like the following appears when you use the CLI command acsimport:

Exception in thread "main" java.lang.IllegalArgumentException: parameter must not be null

Conditions: This occurs when using the CLI commands acsimport and acsexport with a backslash and a space (\ ) in the XML configuration filename.

Workaround: Do not use a backslash followed by a space in the name of the XML configuration file, and do not use redirects with acsexport or acsimport. A backslash and a space can each appear in the filename, but not contiguously.

CSCsk47394

TACACS+ authentication fails when using LDAP when the username begins with the number sign (#).

Symptom: Authentication fails when using the Sun Java Directory LDAP server if the username begins with the number sign.

Conditions: This only occurs when using the Sun Java Directory LDAP. This problem does not occur with other LDAP servers.

Workaround: Either use a different LDAP server or do not create usernames with the # character at the beginning of the username.

CSCsk48511

Using the CLI to enter a hostname for OS syslog causes a problem when you click Save to change the logging level on the Server Logs window.

Symptom: When you click Save after changing the OS Logging settings under the Reports & Troubleshooting > Troubleshooting > Server Logs window with a hostname in the Syslog Server IP Address field, an error message like the following appears:

Enter a valid IPv4 address for Operating System Syslog Settings

Conditions: This occurs after a read-write administrator uses the CLI command logging hostname in configuration mode to configure a remote syslog server then updates the logging level for OS Logging on the Reports & Troubleshooting > Troubleshooting > Server Logs window.

Workaround: Use a valid IPv4 address instead of a hostname for the remote syslog server, either when using the CLI command logging in configuration mode or by switching to a valid IPv4 address in the GUI's Server Logs window.

CSCsk58317

Partial Replication does not update the Default Rule for a TACACS+ Access Service.

Symptom: In a replicated configuration, changes to the Default Response for TACACS Access Services are not replicated to the secondary until after you click Synchronize Servers.

Conditions: This limitation for the Default Response of TACACS+ Access Services applies to configuration changes made from the GUI and with the CLI command acsimport. Neither rule evaluation nor the GUI on the secondary reflects the change to the TACACS+ Access Service until you click Synchronize Servers.

Workaround: Do a full synchronization between the primary and secondary. On the primary or secondary, synchronize the servers by clicking Synchronize Servers on the Replication window.

CSCsk66746

Entering the CLI command show version as a read-only administrator causes an error.

Symptom: The CLI command show version does not display ACS Express version information and displays an error like the following:

Error: Must have admin privilege to run this script. Aborting.... 

Conditions: This occurs when a read-only administrator issues the CLI command show version.

Workaround: Use the CLI command show version as a read-write administrator.


Related Documentation

This section provides a list of the ACS Express product documentation with links to the online documentation.

You can find links to all ACS Express product documentation at the following URL:

http://www.cisco.com/en/US/products/ps8543/tsd_products_support_series_home.html

The following documents comprise the ACS Express documentation set and should be read in the following order:

Quick Start and Documentation Guide for Cisco Secure ACS Express 5.0 (78-17961-02)

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/roadmap/xpguide.html

Installation and Setup Guide for Cisco Secure ACS Express, 5.0 (OL-11671-01)

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/installation/guide/install.html

The Installation and Setup Guide for Cisco Secure ACS Express is an online only document that provides information about how to set up the ACS Express appliance including location, internet connection, and initial configuration.

User Guide for Cisco Secure ACS Express, 5.0 (OL-11672-02)

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/user/guide/users.html

The User Guide for Cisco Secure ACS Express is an online only document that provides information about how to use the ACS Express GUI and how to perform routine tasks associated with the features and functionality of Cisco ACS Express.

Cisco Secure ACS Express Command Reference, 5.0 (OL-11673-01)

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/command/reference/guide/cmdref.html

The Cisco Secure ACS Express Command Reference focuses on the following topics:

Command-line interface configurations

Command-line interface reference

Each topic provides a high-level summary of the tasks required for using the CLI in the Application Deployment Engine OS 1.0.1, and the procedures for performing these tasks.

Troubleshooting Guide for Cisco Secure ACS Express, 5.0 (OL-14650-01)

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/troubleshooting/guide/trouble.html

This guide provides information about troubleshooting strategies and shows example ACS Express logs with pointers to things to look for when experiencing difficulties.

Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Express, 5.0 (OL-14842-01)

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/devices/devices.html

This guide provides information about supported device types and supported browsers.