Cisco Secure Access Control Server for Windows

Release Notes for Cisco Secure ACS 4.1.2


Release Notes for Cisco Secure ACS 4.1.2


Revised: June 07, 2007, OL-13026-01

CDC Date June 07, 2007

These release notes describe Cisco Secure Access Control Server (ACS) version 4.1.2. These release notes contain information for the Windows and Solution Engine platforms. Where necessary, the appropriate platform is clearly identified.

Contents

Introduction

New and Changed Information

Product Documentation

Known Caveats

Resolved Caveats

Installation Notes

Obtaining Documentation, Obtaining Support, and Security Guidelines

Introduction

ACS 4.1.2 is a maintenance release for ACS 4.1 that consolidates ACS 4.1 customer patches, and resolves other customer and internally found defects. ACS 4.1.2 is available through the Cisco Technical Assistance Center (TAC) only for existing ACS software deployments.

This release includes the 4.1.2 software image.


Caution You cannot upgrade from ACS 4.1.3 to 4.1.2, or from 4.1.2 to 4.1.3, and you cannot downgrade from 4.1.2 to 4.1.1.

New and Changed Information

ACS 4.1.2 contains one enhancement: RADIUS Key Wrap Extended to All EAP Protocols.

RADIUS Key Wrap Extended to All EAP Protocols

RADIUS Key Wrap is extended to all EAP protocols; previously, RADIUS key wrap was available only for EAP-TLS.

In previous ACS releases, the Allow RADIUS Key Wrap check box resided in the EAP-TLS section of the Network Access Profiles > Protocols page.

ACS 4.1.2 has moved the Allow RADIUS Key Wrap check box to the top of the EAP Configuration section, in the new Key-Wrap area.

Product Documentation

Table 1 lists the product documentation for ACS 4.1.2.

Table 1 Product Documentation

Document Title: Documentation Guide for Cisco Secure ACS 4.1
Description: Printed document with the product. PDF on the product CD-ROM. Available on Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps5338/prod_release_notes_list.html

Document Title: Release Notes for Cisco Secure ACS 4.1
Description: ACS 4.1 features, documentation updates, and resolved problems. Available on Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_notes_list.html

Document Title: Release Notes for Cisco Secure ACS 4.1.2
Description: New features, documentation updates, and resolved problems. Available on Cisco.com: http://www.cisco.com

Document Title: Product online help
Description: Help topics for all pages in the ACS web interface. Select an option from the ACS menu; the help appears in the right pane.

Document Title: User Guide for Cisco Secure ACS 4.1
Description: ACS functionality and procedures for using the ACS features. Available in the following formats: by clicking Online Documentation in the ACS navigation menu (the user guide PDF is available on this page by clicking View PDF); PDF on the ACS Recovery CD-ROM; on Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_list.html

Document Title: Supported and Interoperable Devices and Software Tables for Cisco Secure ACS 4.1
Description: Supported devices and firmware versions for all ACS features. Available on Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_device_support_tables_list.html

Document Title: Installation and User Guide for User Changeable Passwords 4.1
Description: Installation and user guide for the user-changeable password add-on. Available on Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_installation_guides_list.html

Document Title: Configuration Guide for Cisco Secure ACS 4.1
Description: Provides step-by-step instructions on how to configure and deploy ACS. Available on Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_installation_and_configuration_guides_list.html

Document Title: Installation Guide for Cisco Secure ACS 4.1 Windows
Description: Details on installation and upgrade of ACS software and post-installation tasks. Available in the following formats: PDF on the ACS Recovery CD-ROM; on Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_installation_guides_list.html

Document Title: Installation Guide for Cisco Secure ACS Solution Engine 4.1
Description: Details on ACS SE 1112 and ACS SE 1113 hardware and hardware installation, and initial software configuration. Available in the following formats: PDF on the ACS Recovery CD-ROM; on Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps5338/prod_installation_guides_list.html

Document Title: Regulatory Compliance and Safety Information for Cisco Secure ACS Solution Engine 4.1
Description: Translated safety warnings and compliance information. Available in the following formats: printed document with the product; PDF on the ACS Recovery CD-ROM; on Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps5338/prod_installation_guides_list.html

Document Title: Installation and Configuration Guide for Cisco Secure ACS Remote Agents
Description: Installation and configuration guide for ACS remote agents for remote logging. Available in the following formats: PDF on the ACS Recovery CD-ROM; on Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_installation_and_configuration_guides_list.html


Known Caveats

Table 2 contains known caveats in ACS for Windows and Solution Engine 4.1.2. You can also use the Bug Toolkit to find open bugs.

Table 2 Known Caveats in ACS Windows and Solution Engine 4.1.2 

Bug ID
Summary
Explanation

CSCea91690

Event Viewer errors on startup/shutdown in .NET

Symptom    On Windows .Net Server 2003 shutdown and startup, you may see errors that falsely indicate that Cisco Secure ACS services have failed. At startup, you may see a dialog box indicating that a service, such as CSLog, encountered a problem and needs to close. The same error is logged to the Event Viewer, as in the following example:

"Reporting queued error: faulting application CSLog.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000."

The problem is that in Windows Server 2003, the Service Manager queries the Cisco Secure ACS services status during startup and shutdown, but Cisco Secure ACS services may not have started yet or may have stopped already. Even though this is normal behavior for Cisco Secure ACS services, Windows perceives this as an error and logs it to the Event Viewer.

On startup, all errors from the Event Viewer are displayed to the user, which is why, when users log into Windows right after startup, they see errors from the previous login session.

This behaviour is observed on Windows Server 2003 only.

Workaround   You can verify that Cisco Secure ACS services are running by using Control Panel.

CSCec72911

Win2003-password aging page display issue

Symptom    ACS is installed on Windows 2003 Server and the Password Aging feature is enabled. Only the option "Generate greetings for successful logins" in the Password Aging settings is checked. After pressing Submit or Submit + Restart for the first time, ACS displays the valid error message: "Error: Generation of greetings on successful logins requires at least one password aging rule to be configured". But on the second press of one of these buttons, the wrong error "active canceled" or "the page cannot be displayed" is shown.

Conditions   Occurs after install and as long as no changes are performed. Occurs when managing ACS only on the local machine using IE 6.0.

Workaround   Restart ACS.

CSCee89510

dates are logged in local time instead of GMT

Symptom    NAC attributes that are in date format are in GMT timezone. When ACS logs these attributes, it converts them to ACS local timezone (the timezone of the ACS server).

Workaround   Configure ACS to use the GMT timezone.

CSCef85310

Group dACL is downloaded if Users dACL content is empty

Symptom    It is possible to define a downloadable ACL (dACL) with empty content. Because of this defect, if a user whose dACL is empty belongs to a group on which a non-empty dACL is defined, then when that user authenticates, the group's dACL is downloaded to the device instead of the user's. (When the user's dACL content is not empty, it is downloaded to the device, as it should be.)

Workaround   Do not define an empty downloadable ACL.

CSCef96208

ACS reports incorrect privilege level

Symptom    ACS may report users with the incorrect authorized privilege level. In particular, when using TACACS+, users who are correctly authenticated with a privilege level of 15 are reported with a level of 1.

Workaround   The error is cosmetic, and there is no workaround.

CSCeh13105

WinDB maps all other combinations instead of selected groups

Symptom    Mapping an AD group to an ACS group may fail. After configuring a map, the result may be that the AD group which was selected is now mapped to the "all other combinations" group instead of the intended group.

Workaround   Delete the erroneous map and try the mapping again.

CSCeh52700

AD expired-user passed EAP-TLS authentication; should be rejected!

Symptom    EAP-TLS authentication will still pass for users in Active Directory even if their account has expired - no error is given from ACS.

Conditions   EAP-TLS authentication of users in Active Directory running in a Windows 2000 environment.

Workaround   None. Windows 2003 has introduced some new attributes that should help resolve this issue in future.

CSCeh60564

AD locked-out User passed EAP-TLS authentication, should be rejected!

Symptom    EAP-TLS authentication will still pass for users in Active Directory even if their account is locked-out. There is no error indication from ACS.

Conditions   EAP-TLS authentication of users in Active Directory running in a Windows 2000 environment.

Workaround   None. Windows 2003 has introduced some new attributes that should help resolve this issue in future.

CSCeh79954

EAP-TLS time of day restriction in AD doesn't fail user - authen succ

Symptom    EAP-TLS authentication of users in Windows Active Directory will still pass when a user's time-of-day setting (located in AD) is outside the hours they are allowed; no error is given from ACS.

Conditions   EAP-TLS authentication of users in Active Directory running in a Windows 2000 or 2003 environment.

Workaround   None.

CSCeh86479

CSUtil import -85 errors to be changed to info msg-not error

Symptom    The csutil utility with the options -n, -g, and -u may print an ODBC error message similar to the following:

ODBC Error. Message=[Sybase][ODBC Driver][Adaptive Server Anywhere]Communication error, SqlState=08S01, NativeError=-85

Conditions   This would only happen when running csutil from Remote Services.

Workaround   This is really an informational message, and can be ignored.

CSCsb19051

TCP checksum error from CiscoSecure ACS Solution Engine 1111

A Cisco Secure Access Control Server Solution Engine (ACS SE) 1111 (CSACSE-1111-UP-K9) may generate transient TCP Checksum errors which may cause error logging on other devices in the network. In particular, Cisco switches would generate the following error message:

%IP-3-TCP_BADCKSUM:TCP bad checksum.

The cause of the error is the NIC Software Driver. Not every packet being transmitted will be affected. Given that TCP will retransmit any unacknowledged packet, the system will recover. Excessive logging of the error message within the network might occur. The problem only affects TCP packets; therefore, TACACS may be affected, while RADIUS will not. This problem might also occur on an ACS SE 1112 (Quanta).

Workaround   A temporary workaround is to reload the server; but, because the problem is transient, it will likely return within days or weeks. A patch is available from TAC, which will help to reduce the amount of errors; however, since this is a network configuration problem, it cannot resolve the problem completely. Contact your TAC representative for the appropriate TCP_checksum patch for your platform.

CSCsb27597

Limitation on the custom attributes (of 31k as CSAdmin indicates)

Symptom    In the T+ Settings per User/Group Configuration page, which is accessed from the Interface Configuration page, if you add the 1201st entry in the custom attribute field, the browser crashes. The custom attribute field is currently limited to 31KB (which is around 1200 attributes).

Workaround   None.

CSCsb93223

Policy created when template profile not added upon error

Symptom    If for any reason, when using the NAC 802.1x template, you cannot create a profile (for example, Global Authentication Setup is not configured properly), an internal posture validation policy is created in any case.

Workaround   None.

CSCsb95897

ACS cannot display a long list of Disabled accounts correctly

Symptom    The ACS web interface has problems in displaying disabled accounts lists if they contain several pages. Next is working as needed, but Previous is available only once.

Workaround   None.

CSCsc41638

ACS doesn't check if the CA certificate that issued the user certificate exists in the CTL

Symptom    A user who presents a certificate in EAP-TLS or EAP-FAST/EAP-TLS may be authenticated even though the ACS machine no longer trusts the certificate issuer.

Workaround   Uncheck the CA certificate in question from the ACS web interface before removing the CA certificate from the machine storage.

CSCsc63854

ODBC Mapping exists after restoring image created on software

Symptom    After restoring the appliance image from the software version of ACS 4.0.1, there is still ODBC configuration in Unknown User Policy and in NAP/Authentication.

Workaround   None.

CSCsc77154

Proxy authentications fail when no DHCP is present at installation

Symptom    When an ACS appliance is installed where the IP configuration is manual (for example, no DHCP server), subsequent proxy authentications may fail.

The ACS Appliance will proxy the authentication packets to an incorrect IP address, while the proxy configuration still presents the default appliance name of deliverance1.

Workaround   

1. Verify that "Distributed System Settings" is checked under Interface Configuration > Advanced Options.

2. Remove DELIVERANCE1 from the "Forward To" list box in Network Configuration > "Edit Default Proxy Distribution Entry".

3. Remove the dummy server from Network Configuration > "AAA Servers".

4. Reboot.

CSCsc90467

After Install from Recovery CD, no CLI access.

Symptom    This problem occurs on ACS SE 1111 (HP), when performing a full upgrade including appliance base image. When installing from the ACS SE 1111 (HP) Recovery CD, after installation completes, the ACS SE reboots, performs some configurations, and reboots again. The configurations that occur after the first reboot take a significant amount of time, during which there is no feedback, which is normal system behavior. After this time, the CLI Initial Configuration screen should appear, but does not.

Conditions   On ACS SE 1111 (HP), when installing from the Recovery CD, when performing a full upgrade, including the appliance base image. Note If you are not upgrading the appliance base image, you do not need to install from the Recovery CD.

Workaround   Switch off the appliance, and switch it on again.

CSCsd18172

After Installing Appliance the default windows IP remains in the AAA ser

Symptom    If you re-image from the ACS SE CD (Quanta model 1112), do NOT connect the device to the network during the installation. During installation, the configuration (such as hostname and IP address) can be placeholder values. After the reboot, use the console port to reset the hostname and IP address.

Workaround   Not connecting the appliance to the network during installation avoids this duplicate-entries problem.

CSCsd88833

Manual setup of IP configuration failed; CLI is not foolproof enough

Symptom    An ACS Appliance may not operate correctly after installation, if there were any problems or changes with the IP addressing. In particular, if there is no DHCP server, or the DHCP server is configured incorrectly, or if the installation occurs with the NIC disconnected.

Workaround   The only workaround may be to install the Appliance again, with the Ethernet0 NIC attached, and with a valid DHCP setting or (if there is no DHCP server) the correct IP address configured.

CSCsd91218

Appliance filter may not work if an invalid IP is set during initial configuration

CSCsd93779

Backup every X minutes is not functioning for specific configuration

CSCsd94022

Shifting system clock forward disrupts scheduled backup process

CSCsd98589

authentications fail when NIC reconnected after reboot

Symptom    Authentications on an ACS Appliance may fail after the following sequence of events:

1. Disconnect the NIC cable from

2. Reboot.

3. Reattach the NIC cable.

Workaround   Restart the services after the cable has been reconnected.

CSCse01363

Appliance Configuration page is not replicated from Quanta 4.0.1.42

CSCse04125

SNMP ports in Appliance S27 can get wrong values

CSCse69819

Custom UDV, Replication don't replicate. Failure to create on secondary

Symptom    When you try to create a custom UDV on a secondary ACS server, you get the message: Vsa attribute [UDV-Vendor-Attribute] already defined by vsa vendor [UDV-Vendor]. Must be unique

Conditions   The UDV was defined on the primary and replication took place before the UDV was defined on the secondary.

Workaround   Uninstall and reinstall ACS on the secondary, add the UDV to the secondary, and then start replication to the secondary.

CSCsf13603

Cisco-PEAP authentication against RSA API server provides an error message

Symptom    Working with RSA API as the external DB and trying to authenticate using a Funk supplicant. The supplicant is using Cisco-PEAP authentication. The following lines appear in the log:

AUTH 10/03/2006 16:20:00 I 0396 3396 External DB [SecurID.dll]: Response from user [rsauser] with state [0]

AUTH 10/03/2006 16:20:00 I 0396 3396 External DB [SecurID.dll]: NULL response supplied

AUTH 10/03/2006 16:20:00 I 0396 3396 External DB [SecurID.dll]: SecurID_AbortSession state [0]

AUTH 10/03/2006 16:20:00 E 0396 3396 External DB [SecurID.dll]: Invalid session state detected [0]

CSCsf16737

CSAuth/CSAdmin/CSRadius/CSTacacs are not started up after reboot

Symptom    After system reboot, the following Services are not started up when Windows service, "Windows Firewall/Internet Connection Sharing (ICS)" is started:

CSAuth

CSRadius

CSTacacs

CSAdmin

Workaround   Disable the Windows service "Windows Firewall/Internet Connection Sharing (ICS)": open services.msc, right-click "Windows Firewall/Internet Connection Sharing (ICS)", select Properties, and change "Startup type" to "Disabled".

or

Workaround   Start them manually.

CSCsf25057

ACS support for TACACS single-connection

Symptom    ACS does not support the TACACS single-connect flag.

Workaround   None.

CSCsg19044

ACS syslog/ODBC configuration missing listing for Trend, McAfee, Qualys

Symptom    Under System Configuration > Logging Configuration, configure Failed Attempts or Passed Attempts for syslog and ODBC. The attributes for Trend, Qualys, and McAfee are not listed in either column, but are listed under the CSV configuration.

Conditions   When adding third-party vendor credentials using the csutil -addAVP command, these credentials do not appear in syslog or ODBC.

Workaround   None.

CSCsg24408

ACS Syslog facility needs to be configurable for localX, not fixed AUTH

Symptom    Currently ACS doesn't state what facility is used in the system specifications, as far as I have read into them. I had to trace the traffic coming from ACS that was destined for my syslog server on port 514 to determine what facility was being used.

Workaround   Set up syslog to accept with AUTH and not a localX facility. Example: auth.debug /var/log/ACS1.txt.

CSCsg40727

ACS 4.0: RDMS fails account action 220 250 with Synchronization Partners

Symptom    The NDG is not added to "Synchronization Partners", but an additional (duplicated) entry is added to "primary". The AAA client may no longer be deletable afterwards.

Conditions   Account-Action-File:

SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status
1,0,testUser01,foobar,100,,foobar,,,26/08/1998 00:00,0,,,0
9,0,testUser09,foobar,100,,foobar,,,26/08/1998 00:00,0,,,0
10,0,testUser10,foobar,100,,foobar,,,26/08/1998 00:00,0,,,0
11,0,,foobar,170,,exec,,,,,,,0
12,0,,foobar,172,priv-lvl,exec,,15,,,,,0
13,0,,,220,chimpanzee070707,9.9.9.9,cisco,VENDOR_ID_CISCO_RADIUS,,,,,0
14,0,,,250,monkeycage,,,,,,,,0
15,0,,,252,chimpanzee070707,monkeycage,,,,,,,0

Workaround   None.

CSCsg56677

After upgrade re-authenticate EAP-FAST user with UPN or SAM format fails

Symptom    When authenticating a user with SAM/UPN format (Domain\username or username@domain) on ACS 4.0.1.49 or ACS 4.1, authentication succeeds the first time and also when re-authenticating with the same PAC. However, if we upgrade ACS 4.0 (i.e. 4.0.1.27, 4.0.1.42/43/44) to build 4.0.1.49 or to ACS 4.1, the re-authentication (i.e. stateless session resume) fails with the error "Access denied:fast-reconnect was successful but user was not found in cache". This bug has the same behavior as described in CSCsd82223, but after performing the above upgrade.

Workaround

Case #1: Customers using manual PAC provisioning. Advise the customer to reprovision PACs with correct usernames (i.e. usernames containing domains).

Case #2: Customers using automatic PAC provisioning. Advise the customer to apply the following workaround:

1. Set the following values for the EAP-FAST settings (see the EAP-FAST Configuration page): Active master key TTL = 1 hours; Retired master key TTL = 2 hours; Tunnel PAC TTL = 30 minutes; Authorization PAC TTL = 10 minutes.

Note

1. Active master and Retired master key TTLs are changed to force invalidation of PACs issued by ACS 4.0 (i.e. 4.0.1.27, 4.0.1.42/43/44).

2. Tunnel PAC and Authorization PAC TTLs are changed because of the limitation that their values must be less than the Active master and Retired master key TTLs.

3. IMPORTANT: When the customer's environment contains several ACS servers, this change must be applied on ALL ACS servers configured as EAP-FAST master servers and then replicated to the corresponding slave ACS servers. This change will lead to reprovisioning of ALL PACs.

2. It is safe to change these EAP-FAST settings back a day after this change was applied/replicated to ALL ACS servers in the customer's environment. The default values are: Active master key TTL = 1 months; Retired master key TTL = 3 months; Tunnel PAC TTL = 1 weeks; Authorization PAC TTL = 1 hours.
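Before pushing either set of TTLs to the master servers, it helps to confirm they satisfy the ordering rule in note 2 (Tunnel PAC and Authorization PAC TTLs must be less than both the Active and the Retired master key TTLs). The Python script below is an added example, not Cisco code: it parses TTL strings in the form used on the EAP-FAST Configuration page (for example "30 minutes" or "1 weeks") and checks both the workaround values and the defaults quoted in this caveat. The minutes-per-week and minutes-per-month factors are assumptions of the example, not ACS internals.

```python
"""Check EAP-FAST key and PAC TTL settings against the ordering rule from
caveat CSCsg56677: Tunnel PAC and Authorization PAC TTLs must be less than the
Active master key and Retired master key TTLs.

Added example, not Cisco code. TTLs are modelled as the strings the ACS page
shows; the unit conversion factors below are assumptions of this example.
"""
import re

# Assumed conversion factors, in minutes.
_UNIT_MINUTES = {
    "minute": 1,
    "hour": 60,
    "day": 24 * 60,
    "week": 7 * 24 * 60,
    "month": 30 * 24 * 60,
}

_TTL_RE = re.compile(r"^\s*(\d+)\s*(minute|hour|day|week|month)s?\s*$", re.IGNORECASE)


def ttl_to_minutes(text):
    """Parse a TTL such as '1 hours' or '30 minutes' into whole minutes."""
    m = _TTL_RE.match(text)
    if not m:
        raise ValueError(f"unparseable TTL: {text!r}")
    value, unit = int(m.group(1)), m.group(2).lower()
    return value * _UNIT_MINUTES[unit]


def check_eap_fast_ttls(settings):
    """Return a list of rule violations; an empty list means the settings are consistent.

    settings maps the four field names from the EAP-FAST Configuration page to
    their TTL strings.
    """
    active = ttl_to_minutes(settings["Active master key TTL"])
    retired = ttl_to_minutes(settings["Retired master key TTL"])
    pacs = (
        ("Tunnel PAC TTL", ttl_to_minutes(settings["Tunnel PAC TTL"])),
        ("Authorization PAC TTL", ttl_to_minutes(settings["Authorization PAC TTL"])),
    )
    keys = (("Active master key TTL", active), ("Retired master key TTL", retired))

    problems = []
    for pac_name, pac in pacs:
        for key_name, key in keys:
            if pac >= key:  # the rule is strictly less than
                problems.append(f"{pac_name} ({pac} min) must be less than {key_name} ({key} min)")
    return problems


# The temporary values from the workaround above.
WORKAROUND_TTLS = {
    "Active master key TTL": "1 hours",
    "Retired master key TTL": "2 hours",
    "Tunnel PAC TTL": "30 minutes",
    "Authorization PAC TTL": "10 minutes",
}

# The default values to restore a day after the change has replicated.
DEFAULT_TTLS = {
    "Active master key TTL": "1 months",
    "Retired master key TTL": "3 months",
    "Tunnel PAC TTL": "1 weeks",
    "Authorization PAC TTL": "1 hours",
}

if __name__ == "__main__":
    for label, cfg in (("workaround", WORKAROUND_TTLS), ("default", DEFAULT_TTLS)):
        issues = check_eap_fast_ttls(cfg)
        print(label, "OK" if not issues else issues)
```

Run the check against the values you intend to set on each master; a non-empty result means the ACS page will reject the change (or, worse, that a hand-edited replication source is inconsistent) before it is replicated to the slaves.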

CSCsg96534

ACS support for Windows 2003 R2 needs clarification.

Symptom    ACS 4.1 and previous releases have not been tested on Windows 2003 server R2. Authentication to ACS on this platform might have unpredictable results. The release notes and documentation might not make it clear that there is a distinction between Windows 2003 and Windows 2003 R2.

Conditions   Installation of ACS on Windows 2003 R2

Workaround   Use ACS on a supported platform that is specified in the release notes.

CSCsh42920

Online help has old Key Wrap functionality description.

Symptom    RADIUS Key Wrap was extended to all EAP protocols instead of only EAP-TLS.

Workaround   Refer to RADIUS Key Wrap Extended to All EAP Protocols for more information.

CSCsh77806

EAP-TLS will fail authentication if name contains forward slash /

Symptom    EAP-TLS users authenticating to ACS (and in turn to Active Directory) fail authentication if the Distinguished Name returned from the LDAP server contains a forward slash. Logs from the ACS will cite this as a permissions issue and do not make it clear that it's the format of the username at fault.

Conditions   Issue is seen in Distinguished names defined in the following format:

Distinguished Name: CN=Lastname\, Firstname Department1/Department2,OU=....

but presumably will be seen in any instance in which the Distinguished Name contains a forward slash. Windows Domain controllers will allow the forward slash as a part of the username and do not appear to use an escape character prior to the forward slash (the above example does include an escape character prior to the comma).

Workaround   Avoid forward slashes in the user names of users who authenticate via EAP-TLS.

Further Problem Description:

Issue is possibly a bug in Microsoft's handling of the forward slash character. Since this character is used as a separator in LDAP, the LDAP replies back should be padded with a backslash prior to the forward slash.
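A defender can find the accounts exposed to this caveat before their users hit the misleading permissions error. The Python script below is an added example, not Cisco or Microsoft code: it splits a distinguished name into RDNs on commas that are not backslash-escaped, honouring the escaping shown in the example DN above (and single-byte hex escapes such as \2c), and reports any RDN value that contains a forward slash. The sample DNs are constructed for illustration.

```python
"""Pre-flight check for caveat CSCsh77806: find Active Directory distinguished
names whose RDN values contain a forward slash, which makes EAP-TLS
authentication through ACS fail with a misleading permissions error.

Added example, not Cisco or Microsoft code. DNs are split on commas that are
not backslash-escaped, following the '\\,' escaping shown in the caveat's
example DN; the sample DNs below are constructed for illustration.
"""

HEX_DIGITS = set("0123456789abcdefABCDEF")


def split_dn(dn):
    """Split a DN into its RDN strings on unescaped commas.

    Escape sequences are copied through unchanged so the RDNs still read as
    they appeared in the directory reply.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep backslash + escaped char together
            i += 2
        elif dn[i] == ",":
            rdns.append("".join(current).strip())
            current = []
            i += 1
        else:
            current.append(dn[i])
            i += 1
    rdns.append("".join(current).strip())
    return rdns


def unescape_value(value):
    """Decode backslash escapes in an RDN value ('\\,' -> ',', '\\2c' -> ',').

    Only single-byte hex escapes are decoded, which is enough for the ASCII
    separators this check cares about.
    """
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX_DIGITS for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def rdn_values_with_slash(dn):
    """Return (attribute, decoded value) pairs whose value contains '/'.

    An empty list means the DN is not affected by the caveat.
    """
    hits = []
    for rdn in split_dn(dn):
        attr, _, raw_value = rdn.partition("=")
        value = unescape_value(raw_value)
        if "/" in value:
            hits.append((attr.strip(), value))
    return hits


def affected_dns(dns):
    """Filter a list of DNs down to those that would hit the caveat."""
    return [dn for dn in dns if rdn_values_with_slash(dn)]


# Constructed sample DNs; the first mirrors the shape of the caveat's example.
SAMPLE_DNS = [
    "CN=Lastname\\, Firstname Department1/Department2,OU=Staff,DC=example,DC=com",
    "CN=Lastname\\, Firstname,OU=Staff,DC=example,DC=com",
    "CN=Jane Doe,OU=Sales/EMEA,DC=example,DC=com",
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        hits = rdn_values_with_slash(dn)
        print("AFFECTED" if hits else "ok      ", dn, hits)
```

Feed it the distinguishedName values exported from the domain (one per line) and the affected list is the set of accounts to rename before they are moved onto EAP-TLS; note that the slash may sit in an OU as well as in the CN, which is why every RDN is checked rather than only the leaf.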

CSCsh90602

MAB no more functional after installing accumulative patch 4.1.1.23.3

Symptom    After installing the Accumulative Patch 4.1.1.23.3 on ACS 4.1.1.23, the MAC Authentication Bypass (MAB) feature is no longer functional. The Failed Attempts.csv file shows the following error: Authentication protocol is not allowed for this network access profile.

Workaround   Cisco recommends that you apply patch 4.1.3.12.1 to ensure the correct MAB and MAC functionality.

Note This patch includes a fix for CSCsh62641: MAC authentication causes internal errors.

After you apply the patch, if:

Service-Type(6) = 10 and a NAP is present, MAB is invoked.

Service-Type(6) = 10 and NAP is non-existent, MAC authentication is invoked.

This correction retains the ACS 4.1 functionality for MAB and the ACS 4.0 functionality for MAC authentication.

CSCsh95071

Database replication does not propagate certain log settings

Symptom    After customizing the columns to log configuration on the primary, the corresponding settings are not replicated to the secondary servers.

Conditions   This has been observed on ACS SW version 4.1(1.23).

Workaround   Manually configure the columns to log information on the secondary servers.

CSCsi04187

ACS: MS-PEAP Machine authentication fails with host/<dns name> format

Symptom    PEAP MS-CHAP machine authentication fails with "machine not found" if the host/<dns name> format is sent from the client. This only happens if the machine is authenticating to a domain forest that the ACS is not a member of.

Conditions   The machine authenticating to ACS is in a different domain forest than the ACS, and the supplicant is using host/<dns name> as the machine name format. You also have to be using PEAP MS-CHAPv2.

Workaround   If the supplicant has the option, you can send the machine name in host/<netbios> format. Many supplicants do not have this option.

CSCsi10581

CSlogagent application error/crashes

Symptom    On ACS Remote Agent 4.1.1.23, Windows reports cslogagent.exe faulting because of module msvcrt.dll.

Workaround   None.

CSCsi13785

ACS won't replicate users previously set for dynamic mapping

Symptom    ACS Database replication may inappropriately flag users as "learned dynamically" and fail to replicate them in certain cases.

Conditions   This issue has been observed under the following circumstances:

Database for user points to external database (windows) and

Group for the user is set as dynamic, assigned by external authenticator

Database was upgraded from previous code in which we did replicate dynamic users (prior to ACS 4.0)

Workaround   Delete and recreate the affected users, or set the Unknown User database to allow unknown users to authenticate to external databases.

CSCsi17499

Remote password change setting isn't replicated

Symptom    The setting of the remote password management feature, found under Local Password Management in the System Configuration tab, is not replicated from the primary ACS server to any of the secondaries.

Conditions   This has been observed on ACS 4.1(1.23) on both Windows and ACS SE appliances. Other versions may be affected also.

Workaround   Manually enable/disable the remote password management feature on the secondary server(s).

CSCsi50359

Enable authentications are rejected with Internal Error message

Symptom    Users on CatOS switches are denied enable authentication, even though they're entering the correct password. Login authentications work correctly.

Conditions   This has been observed on ACS 4.1.1(23). Other versions may be affected as well. The problem occurs when the users have "TACACS+ Enable Control" set to "Use Group Level Setting".

Workaround   Configure the user to have a max privilege level setting under "Max Privilege for any AAA Client"

CSCsi55085

ACS services not started after replicate/reboot on machine with dual cpu

Symptom    ACS services are not started when rebooting Secondary ACS machine within 30 minutes after the DB replication.

Conditions   After the DB replication between the Primary ACS and the Secondary ACS machines with dual processor, this issue is only seen when rebooting the Secondary ACS machine within 30 minutes.

Workaround   Do not reboot the Secondary ACS within 30 minutes after the DB replication.

CSCsi56892

'Logged Remotely' Radius Attribute not available for Remote Agent Log

Symptom    'Logged Remotely' Radius attribute is not available to be chosen in the Remote Logging section of Radius Accounting.

Conditions   This problem exists on appliances that are running 3.3.4.12 or 4.1.1.23.

Workaround   None at this time.

CSCsi60213

Last character of RADIUS IETF attr 81 is truncated

Symptom    Accounting reports show that the last character on VLAN id for 802.1x supplicants is truncated. The clients are placed on the correct VLAN, however.

Conditions   This has been observed on ACS 4.1.1(23), other versions may be affected as well.

Workaround   No workarounds are known at this time.

CSCsi62622

system replication partners table empty

Symptom    The ACS replication master GUI does not visually populate the partner replication table with the slave hostname/IP address.

Conditions   Upon adding the host from the 'AAA server' left column to the 'replication' right column, hitting Submit, and subsequently returning to the replication screen, the master ACS GUI does not visually save/keep populated the replication partner table. The replication data is successfully replicated to the slave, and cascaded to any subsequent slaves. Initial prognosis shows this to be a cosmetic issue.

Workaround

1. Add a hostname, for example Flprdasaaa01, to the replication partner table (right pane), and hit 'Submit' or 'Replicate Now'.

2. Upon return to the replication table page, the right pane window might be empty. Add a second hostname, for example Flprdasaaa02, and hit Submit.

3. Upon the next return to the replication table page, hostname Flprdasaaa02 might/should be visible via the GUI.

4. At this point, one should be able to add/remove hostnames in the replication table pane accordingly.

Further Problem Description:

DE does not see the issue rectified in v4.1.1b23 patch 4.

CSCsi63656

Unknown Radius Token Server after replication.

Symptom    After replication users show up with a Database of 'Unknown Radius Token Server'.

Conditions   Occurs when multiple Radius Token Servers were created on the primary but only one was created on the secondary.

Workaround   There are two known workarounds for this problem.

1. Delete all RADIUS token servers from both ACS servers, then re-create the RADIUS token server on each ACS. Note: This will require you to re-associate all users with this token server.

2. Produce a package.cab from the primary ACS. Extract the files and edit ACS.reg. In that file, find the section [CiscoACS\Authenticators\Libraries\30]. Under it you will find another section with the same information but with two more digits after the 30; that number is the slot the server is in. Slot 00 is the first server in the list, so a value of 02 means slot 3. On the secondary ACS, delete all RADIUS token servers, then create two dummy RADIUS token servers followed by the actual token server. After you create all of them, you can delete the first two. The secondary server will now have the RADIUS token server in slot 02 as well, and your users will show up correctly.

CSCsi65427

ACS SE: Hostname greater than 15 characters locks out GUI and CLI

Symptom    After the initial setup of the ACS appliance, the user is prompted to reboot the SE. After the reboot, CLI and GUI access is lost and cannot be regained without reinstalling the SE.

Conditions   If a hostname longer than 15 characters is entered during the CLI initial setup, the SE has no GUI or CLI access after the reboot.

Workaround   None. Reinstall the appliance and enter a hostname of 15 characters or fewer.

CSCsi71613

Cannot login to UCP when password contains an '&' symbol

Symptom    If a user wants to change their password in UCP but their current password contains an '&', the user cannot log in to the UCP application to begin the password change.

The error in the ACS logs shows:

AUTH 11/04/2007 11:27:52 E 2489 1180 Plain DB pass check for 30419 failed

Conditions   This has been seen in the ACS 3.3 and ACS 4.1 code lines. It happens only when the user's password contains an '&'.

Workaround   The only workaround is to change the user's password manually in the ACS Admin GUI. Because end users do not have access to the Admin GUI, an administrator must change the password on the user's behalf.

CSCsi78265

CSRadius mem leak when some MS RADIUS Attributes are selected in group

CSCsi82393

CiscoAAA Event ID 5 error in Windows Event Viewer Application log

Symptom    An Event ID 5 error from source CiscoAAA is generated in the Microsoft Windows Application event log on the primary ACS every time ACS replicates its database.

Conditions   Primary and secondary ACSs for Windows configured for database replication.

Workaround   None.

CSCsi84005

During stresses of EAP-FAST(TLS/GTC inner)+LDAP on Dual CPU CSAuth crash


Resolved Caveats

Table 3 contains the resolved caveats for ACS 4.1.2. Check the Bug Toolkit on Cisco.com for any resolved bugs that might not appear here.

Table 3 Resolved Caveats in ACS Windows and Solution Engine 4.1.2 

Bug ID
Description

CSCse67259

Typo in "ACS has been tested on release 6.5"; the release is 6.3.5.

CSCsg44419

CSAuth service does not start if DNS is unavailable.

CSCsg97429

TACACS+ Command Accounting does not work in ACS 4.1(1) Build 23.

CSCsh32888

Separate enable password does not work after ACS upgrade to 4.1.

CSCsh39771

ACS is unable to exit from restore process.

CSCsh42893

ACS GUI hangs and times out when service is restarted during stress.

CSCsh48625

ACS radius error 2162 - switch isn't sent RAC/DACL client recvs token.

CSCsh62641

MAC authentication causes internal errors.

CSCsh74140

Loss of ext. database breaks NAD AAA redundancy concept.

CSCsh77651

Anti Virus is locking DB file.

CSCsh87466

Authentication failure on first login after remote agent restart.

CSCsi03015

EAP-FAST(GTC) may grant access to AD user with empty username.

CSCsi25108

Submitting a CRL with a wrong URL causes CSAdmin to enter the "IDLE" state.

CSCsi42315

CSRadius failed to release memory after stress stopped.

CSCsi46668

User auth succeeds if <No Access> is defined for failed Machine Auth.

CSCsi47515

Multiple Testcases Cause CSLog Failures.


Installation Notes

This section contains installation information for ACS 4.1.2.

Installation Notes for ACS 4.1.2 for Windows

This section contains:

Upgrade Path for ACS 4.1.2 for Windows

System Requirements for ACS 4.1.2 for Windows

Installing ACS 4.1.2 for Windows

Upgrade Path for ACS 4.1.2 for Windows

Cisco tested the upgrade to ACS for Windows Server 4.1.2 from release 4.1. For ACS 4.1 upgrade paths, see the Installation Guide for Cisco Secure ACS for Windows 4.1.


Note Cisco does not support upgrade from 4.1.3 to 4.1.2 or upgrade from 4.1.2 to 4.1.3.


System Requirements for ACS 4.1.2 for Windows

The system requirements for ACS 4.1.2 are the same as for ACS 4.1. For information on supported operating systems and web browsers, see the Installation Guide for Cisco Secure ACS for Windows 4.1.

Installing ACS 4.1.2 for Windows

You must have ACS 4.1 installed before you install ACS 4.1.2. ACS 4.1.2 is available through the Cisco Technical Assistance Center (TAC) only for upgrading existing ACS software deployments. The installation instructions for ACS 4.1.2 are the same as for ACS 4.1. For information about installing ACS, see the Installation Guide for Cisco Secure ACS for Windows 4.1.

Installation Notes for ACS 4.1.2 Solution Engine

This section contains:

Upgrade Path for ACS 4.1.2 Solution Engine

Installing ACS 4.1.2 Solution Engine

Upgrade Path for ACS 4.1.2 Solution Engine

Cisco tested the upgrade to ACS Solution Engine 4.1.2 from release 4.1. For ACS 4.1 upgrade paths, see the Installation Guide for Cisco Secure ACS Solution Engine 4.1.

Installing ACS 4.1.2 Solution Engine

ACS 4.1 is pre-installed on the 1113 appliance. The ACS 4.1.2 Solution Engine upgrade package is available through the Cisco Technical Assistance Center (TAC) only for upgrading existing ACS software deployments. The installation instructions for ACS 4.1.2 Solution Engine are the same as ACS 4.1. For information about installing ACS, see the Installation Guide for Cisco Secure ACS Solution Engine 4.1.

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html