Table Of Contents
Release Notes for Cisco Secure ACS 4.1.3
Support for Microsoft Windows Server 2003 R2
MAC and MAB Functionality Issues
Support for User-Defined Vendors Extended VSA ID
Use the CSUtil.ini file to Install User-Defined Vendor or VSA Data
Use the RDBMS Synchronization Action Codes to Install User-Defined Vendor or VSA Data
Configuring the Workstation Name For Windows Authentications
Windows Authentication Configuration Error Messages
Addition of the cisco-AVPair Attribute to the VOIP Accounting Report
Configuring the ACS RADIUS Server to Reject or Discard Requests to an External ODBC Database
Addition of Session IDs to the CSAuth Diagnostic Log
Description of Error Codes in the CSAuth Diagnostic Log
Line Numbers in Diagnostic Logs
Improved EAP Code Debug Messages
Known Caveats in ACS for Windows and the Solution Engine 4.1.3
Resolved Caveats in ACS for Windows and the Solution Engine 4.1.3
Installation Notes for ACS 4.1.3
Upgrade Path ACS 4.1.3 for Windows
System Requirements ACS 4.1.3 for Windows
Installing ACS 4.1.3 for Windows
Upgrade Path for ACS Solution Engine 4.1.3
Installing the ACS Solution Engine 4.1.3
Release Notes for Cisco Secure ACS 4.1.3
Revised: July 9, 2007
OL-12629-02
CDC Date: May 5, 2007
These release notes pertain to Cisco Secure Access Control Server, hereafter referred to as ACS version 4.1.3. These release notes contain information for the Windows and Solution Engine platforms. Where necessary, the appropriate platform is clearly identified.
Contents
These release notes contain:
•Known Caveats in ACS for Windows and the Solution Engine 4.1.3
•Resolved Caveats in ACS for Windows and the Solution Engine 4.1.3
•Installation Notes for ACS 4.1.3
Introduction
ACS 4.1.3 is a maintenance release for ACS 4.1 that consolidates ACS 4.1 customer patches and resolves other customer and internally found defects. ACS 4.1.3 is available through the Cisco Technical Assistance Center (TAC) only for upgrading existing ACS software deployments.
This release includes:
•ACS 4.1.3 software image.
•Appliance upgrade CD for ACS Solution Engines 1111, 1112, 1113.
New and Changed Information
ACS 4.1.3 contains these new enhancements:
•Support for Microsoft Windows Server 2003 R2
•MAC and MAB Functionality Issues
•Support for User-Defined Vendors Extended VSA ID
•Addition of the cisco-AVPair Attribute to the VOIP Accounting Report
•Configuring the ACS RADIUS Server to Reject or Discard Requests to an External ODBC Database
•Addition of Session IDs to the CSAuth Diagnostic Log
•Description of Error Codes in the CSAuth Diagnostic Log
•Improved EAP Code Debug Messages
Support for Microsoft Windows Server 2003 R2
ACS is supported on Windows Server 2003 R2.
Support for 3Com/USR VSAs
ACS now supports 3Com/USR VSAs. The 3Com/USR VSA format differs from other VSAs in that 3Com/USR VSAs have a 32-bit Extended Vendor-Type field and no length field.
The Authenticate Using drop-down list in the Network Configuration section of the ACS web interface now includes a new network device, RADIUS (3COMUSR).
Note 3Com/USR VSAs should be used for any device that uses these VSAs, not just the HiperARC cards.
Once you add the RADIUS (3COMUSR) device to the Network Configuration section, it becomes available in the User Setup and Group Setup sections of the ACS web interface. These VSAs are also available to the RADIUS accounting log. Use the Interface Configuration section to configure RADIUS (3COMUSR). For information on adding a network device, refer to the User Guide for Cisco Secure ACS 4.1.
MAC and MAB Functionality Issues
Cisco recommends that you apply patch 4.1.3.12.1 to ensure:
•ACS 4.1 functionality for MAB.
•ACS 4.0 functionality for MAC authentication.
After you apply the patch:
•If Service-Type(6) = 10 and NAP is present, MAB is invoked.
•If Service-Type(6) = 10 and NAP is non-existent, MAC authentication is invoked.
This specification retains ACS 4.1 functionality for MAB and ACS 4.0 functionality for MAC authentication.
Support for User-Defined Vendors Extended VSA ID
In previous versions of ACS, the vendor-specific attribute (VSA) ID length was restricted to one byte (the default value), so the VSA ID value could not be greater than 255. ACS 4.1.3 supports VSA ID lengths of 1, 2 or 4 bytes. In addition, customers can specify whether or not the VSA has an internal length field.
You can use CSUtil or RDBMS synchronization to install dictionary components for vendors that require extended VSA ID length.
Use the CSUtil.ini file to Install User-Defined Vendor or VSA Data
Use the CSUtil -addUDV option with the vendor .ini file to install VSA data for vendors that require extended VSA ID length. Table 1 contains two additional codes and definitions in the vendor .ini file used to modify the vendor configuration.
Note ACS 4.1.3 supports hex-numbering for the VSA ID feature. Values starting with 0x are assumed to be hex values.
Use the following sample format of the vendor .ini file for setting the ID Length and VSA values. In this example,
•Need Internal Length value is TRUE.
•ID Length is two bytes
•vendor VSA ID values are 264 and 0x109.
[User Defined Vendor]
Name=vendor-name
IETF Code=vendor-IETF-code
Need Internal Length = TRUE
ID Length=2
VSA 264=Ascend-Max-RTP-Delay
VSA 0x109= Ascend-RTP-Port-Range
[Ascend-Max-RTP-Delay]
Type=INTEGER
Profile=OUT
[Ascend-RTP-Port-Range]
Type=STRING
Profile=OUT
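The following Python is an added example; it is not part of the release notes and not ACS code. It reads a vendor .ini in the format shown above and encodes and decodes RADIUS Vendor-Specific attributes (attribute 26) whose VSA ID field is 1, 2 or 4 bytes wide, with or without the internal length byte, so it also covers the 3Com/USR layout described earlier (32-bit vendor-type, no length field). It assumes the wire layout vendor ID (4 bytes), then vendor-type of ID Length bytes, then, when Need Internal Length is TRUE, one length byte covering vendor-type, itself and the data; the IETF codes 9999 and 8888, the USR-style attribute ID 0x00010001 and the sample values are placeholders constructed for the example.

```python
"""Added example, not Cisco's code: parse a vendor .ini in the format shown
above and encode/decode RADIUS Vendor-Specific attributes whose VSA ID field
is 1, 2 or 4 bytes wide, with or without the internal length byte."""
import configparser
import struct

VENDOR_SPECIFIC = 26  # RADIUS attribute type for Vendor-Specific

# Constructed samples modelled on the release-note .ini. IETF codes 9999 and
# 8888 and the USR-style attribute ID are placeholders, not registered values.
SAMPLE_INI = """\
[User Defined Vendor]
Name=ExampleVendor
IETF Code=9999
Need Internal Length = TRUE
ID Length=2
VSA 264=Ascend-Max-RTP-Delay
VSA 0x109= Ascend-RTP-Port-Range
[Ascend-Max-RTP-Delay]
Type=INTEGER
Profile=OUT
[Ascend-RTP-Port-Range]
Type=STRING
Profile=OUT
"""
# 3Com/USR-style layout: 32-bit vendor-type field and no internal length byte.
USR_STYLE_INI = """\
[User Defined Vendor]
Name=ExampleUSR
IETF Code=8888
Need Internal Length = FALSE
ID Length=4
VSA 0x00010001=Example-Connect-Speed
[Example-Connect-Speed]
Type=INTEGER
Profile=OUT
"""

def parse_vendor_ini(text):
    """Return a vendor dictionary; raises ValueError on IDs the layout cannot hold."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so "VSA 264" and "IETF Code" survive
    cp.read_string(text)
    vendor = cp["User Defined Vendor"]
    id_length = int(vendor.get("ID Length", "1"))
    if id_length not in (1, 2, 4):
        raise ValueError("ID Length must be 1, 2 or 4 bytes, got %d" % id_length)
    attributes = {}
    for key, name in vendor.items():
        if key.startswith("VSA "):
            vsa_id = int(key[4:].strip(), 0)  # base 0: a 0x prefix means hex
            if not 0 <= vsa_id < (1 << (8 * id_length)):
                raise ValueError("VSA ID %s does not fit in %d byte(s)" % (key[4:], id_length))
            attributes[vsa_id] = (name.strip(), cp[name.strip()]["Type"].strip().upper())
    return {"name": vendor["Name"].strip(), "vendor_id": int(vendor["IETF Code"]),
            "id_length": id_length, "attributes": attributes,
            "internal_length": vendor.get("Need Internal Length", "FALSE").strip().upper() == "TRUE"}

def ini_error(text):
    """Validation result for a vendor .ini: the error text, or None if acceptable."""
    try:
        parse_vendor_ini(text)
    except (ValueError, KeyError, configparser.Error) as exc:
        return str(exc)
    return None

def encode_vsa(vendor, vsa_id, value):
    """Build a RADIUS attribute 26 carrying one VSA in this vendor's layout."""
    name, vtype = vendor["attributes"][vsa_id]
    data = struct.pack("!I", value) if vtype == "INTEGER" else str(value).encode("utf-8")
    vendor_type = vsa_id.to_bytes(vendor["id_length"], "big")
    inner_len = len(vendor_type) + (1 if vendor["internal_length"] else 0) + len(data)
    if 2 + 4 + inner_len > 255:
        raise ValueError("%s value too long for the one-byte RADIUS length" % name)
    # The internal length byte, when present, covers vendor-type + itself + data
    inner = vendor_type + (bytes([inner_len]) if vendor["internal_length"] else b"") + data
    return bytes([VENDOR_SPECIFIC, 2 + 4 + inner_len]) + struct.pack("!I", vendor["vendor_id"]) + inner

def decode_vsa(vendor, raw):
    """Inverse of encode_vsa; every length field is checked before it is trusted."""
    if len(raw) < 6 or raw[0] != VENDOR_SPECIFIC or raw[1] != len(raw):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    if struct.unpack("!I", raw[2:6])[0] != vendor["vendor_id"]:
        raise ValueError("attribute belongs to another vendor")
    n, inner = vendor["id_length"], raw[6:]
    if len(inner) < n:
        raise ValueError("truncated vendor-type field")
    vsa_id = int.from_bytes(inner[:n], "big")
    if vendor["internal_length"]:
        if len(inner) <= n or inner[n] != len(inner):
            raise ValueError("internal length does not match attribute length")
        data = inner[n + 1:]
    else:
        data = inner[n:]
    if vsa_id not in vendor["attributes"]:
        raise ValueError("unknown VSA ID %d for %s" % (vsa_id, vendor["name"]))
    name, vtype = vendor["attributes"][vsa_id]
    if vtype == "INTEGER":
        if len(data) != 4:
            raise ValueError("INTEGER attribute must be exactly 4 bytes")
        return name, struct.unpack("!I", data)[0]
    return name, data.decode("utf-8")
```

The range check in parse_vendor_ini is the point of the ID Length setting: with the old one-byte default, an ID such as 264 is rejected at dictionary load time rather than silently truncated, and decode_vsa refuses an attribute whose internal length byte disagrees with the outer RADIUS length instead of trusting either.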
Use the RDBMS Synchronization Action Codes to Install User-Defined Vendor or VSA Data
Use the RDBMS Synchronization action codes to install VSA data for vendors that require extended VSA ID length. Table 2 contains two additional codes and definitions for modifying the vendor configuration.
Configuring the Workstation Name For Windows Authentications
You can use ACS to define a custom workstation name for authentications against Active Directory (AD). In previous versions of ACS, the workstation name CISCO was used for all authentications to AD. This enhancement allows multiple ACS deployments to use a single AD tree.
The Windows External Database section of the ACS web interface now contains a new configuration section. You use the new configuration section to customize the workstation name.
To configure a workstation name:
Step 1 In the navigation bar, click External User Databases.
The External User Database page appears.
Step 2 Click Database Configuration.
The External User Database Configuration page appears.
Step 3 Click Windows Database.
The Windows Authentication Configuration page appears.
Step 4 Click Configure.
a. If you are running ACS for Windows, the Windows Authentication Configuration page appears.
b. If you are running the Solution Engine, click Windows Authentication Configuration. The Windows Authentication Configuration page appears.
Step 5 Choose one of the options to configure a workstation name:
a. CISCO—Configures CISCO as the workstation name. This is the default.
b. Local—Configures the local machine name as the workstation name. By default, ACS displays the local host name.
c. User defined workstation name—Specifies a name for the workstation. (Limit: 15 characters).
Note Ensure that all user accounts have login permission to the workstation.
Windows Authentication Configuration Error Messages
Table 3 lists the Windows Authentication Error Messages.
Table 3 Windows Authentication Configuration Errors
Error Number | Description
1 | Workstation name contains invalid characters. Alphanumerics are the only valid characters.
Addition of the cisco-AVPair Attribute to the VOIP Accounting Report
ACS has added the cisco-AVPair attribute to the VoIP Accounting Report.
To configure the VoIP Accounting Report:
Step 1 In the navigation bar, click System Configuration.
The System Configuration page appears.
Step 2 Click VoIP Accounting Configuration.
The VoIP Accounting Configuration page appears.
Step 3 Configure the log.
Step 4 Click Submit.
Step 5 Restart ACS in System Configuration > Service Control to adopt the new settings.
Step 6 In the navigation bar, click System Configuration > Logging.
The Logging Configuration page appears.
Step 7 Click Configure next to the VoIP Accounting Column.
Step 8 Choose the cisco-AVPair attribute and move it to the Logged Attributes list.
Step 9 Click Submit.
The Logging Configuration page reappears.
Step 10 In the navigation bar, click Reports and Activity.
The Reports and Activity page appears.
Step 11 Click VoIP Accounting.
The VoIP Accounting report appears and displays the cisco-AVPair attribute.
Note Multiple cisco-AVPair attribute values are concatenated in the VoIP Accounting report, separated by semicolons.
Configuring the ACS RADIUS Server to Reject or Discard Requests to an External ODBC Database
You can configure the ACS RADIUS server either to send an access reject reply or to discard the access request when an external ODBC database fails. For example, if the external ODBC database is unavailable, ACS can deny the authentication (access reject), or not respond at all. If ACS discards an access request, the network access device can fail over to another ACS server. A drawback of discarding is that it can cause excessive network traffic and load on the network access devices, because requests continue to travel from the network access devices to the ACS servers.
To configure a RADIUS server:
Step 1 In the navigation bar, click External User Databases.
The External User Databases page appears.
Step 2 Click Database Configuration.
The External User Database Configuration page appears.
Step 3 Click External ODBC Database.
The CiscoSecure ODBC Authentication Configuration page appears.
Step 4 In the RADIUS behavior in the event of database failure section, select one of the RADIUS server options shown in Table 4.
Step 5 Click Submit.
Table 4 RADIUS Server Reject and Discard Request Options
Addition of Session IDs to the CSAuth Diagnostic Log
ACS supports a session ID parameter for the CSAuth diagnostic log. You can use a unique session ID to differentiate log threads in the CSAuth diagnostic logs.
Example 1 shows session ID 1000 being processed by two different threads (2560 and 2548), interleaved with entries from the network model thread. You can filter the logs by session ID to restrict the output to a single session.
Example 1 CSAuth Diagnostic Log with session ID
AUTH 09/08/2006 18:29:57 I 5081 2560 1000 Start RQ1040, client 1 (127.0.0.1)
AUTH 09/08/2006 18:30:13 I 5094 2548 Worker 1 processing message 17.
AUTH 09/08/2006 18:30:14 I 0991 2368 0000 pvNASMonitorThreadMain: start NMupdate ...
AUTH 09/08/2006 18:30:14 I 1006 2368 0000 pvNASMonitorThreadMain: commit NMupdate ...
AUTH 09/08/2006 18:30:14 I 5081 2560 1000 Done RQ1040, client 1, status 0
AUTH 09/08/2006 18:30:14 I 1011 2368 0000 pvNASMonitorThreadMain: succeeded to commit NM update
AUTH 09/08/2006 18:30:28 I 5081 2548 1000 Start RQ1012, client 2 (127.0.0.1)
AUTH 09/08/2006 18:30:28 I 5081 2548 1000 Done RQ1012, client 2, status 0
Note The additional session ID field in the ACS diagnostic log involves minimal overhead: eight bytes per line for each authentication session.
Description of Error Codes in the CSAuth Diagnostic Log
The ACS 4.1.3 CSAuth diagnostic logs now display a description of client requests and responses. Previous versions of ACS used a numeric code for client requests and responses. The description is useful for locating client requests and responses in the CSAuth diagnostic logs.
Figure 1 contains two CSAuth diagnostic log examples. The first example represents an entry from previous versions of the CSAuth diagnostic log. The second example represents how this entry appears in the CSAuth 4.1.3 diagnostic log.
Example 2 shows that in the CSAuth diagnostic log:
•UDB_AUTHENTICATE_USER replaces the RQ1026 request code shown in the first example.
•UDB_CHALLENGE_REQUIRED replaces the 2046 status code shown in the first example.
Figure 1 CSAuth Diagnostic Log Entry
Example 1
AUTH 09/11/2006 09:55:27 I 5081 2512 Done RQ1026, client 50, status -2046
Example 2 (with descriptive text)
AUTH 09/11/2006 09:55:27 I 5081 2512 Done UDB_AUTHENTICATE_USER, client 50, status UDB_CHALLENGE_REQUIRED
Table 5 and Table 6 list the descriptive text for requests and status that appear in the 4.1.3 CSAuth diagnostic logs.
Descriptive Request Text in the CSAuth Diagnostic Logs
Table 5 lists the descriptive text in the CSAuth diagnostic logs and the corresponding request code.
Table 6 lists the descriptive text in the CSAuth diagnostic logs and the corresponding status code.
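The following Python is an added example, not part of the release notes and not ACS code. It parses CSAuth diagnostic log lines of the kind shown in Example 1 and Figure 1, filters them by session ID as the session ID section describes, and rewrites "Done" lines with descriptive names the way ACS 4.1.3 does. The field layout (service, date, time, severity letter, four-digit source line number, thread ID, optional four-digit session ID, message) is inferred from the sample lines and is an assumption; only the two code-to-name mappings visible in Figure 1 are included, since Tables 5 and 6 are not reproduced here. The sample log is constructed from the page's examples.

```python
"""Added example, not Cisco's code: parse CSAuth diagnostic log lines, filter
them by session ID, and translate the request/status codes the release notes
document into their descriptive names."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample built from Example 1 and Figure 1 of the release notes.
SAMPLE_LOG = """\
AUTH 09/08/2006 18:29:57 I 5081 2560 1000 Start RQ1040, client 1 (127.0.0.1)
AUTH 09/08/2006 18:30:13 I 5094 2548 Worker 1 processing message 17.
AUTH 09/08/2006 18:30:14 I 0991 2368 0000 pvNASMonitorThreadMain: start NMupdate ...
AUTH 09/08/2006 18:30:14 I 1006 2368 0000 pvNASMonitorThreadMain: commit NMupdate ...
AUTH 09/08/2006 18:30:14 I 5081 2560 1000 Done RQ1040, client 1, status 0
AUTH 09/08/2006 18:30:14 I 1011 2368 0000 pvNASMonitorThreadMain: succeeded to commit NM update
AUTH 09/08/2006 18:30:28 I 5081 2548 1000 Start RQ1012, client 2 (127.0.0.1)
AUTH 09/08/2006 18:30:28 I 5081 2548 1000 Done RQ1012, client 2, status 0
AUTH 09/11/2006 09:55:27 I 5081 2512 Done RQ1026, client 50, status -2046
"""

# Field layout assumed from the samples: service, date, time, severity letter,
# 4-digit source line number (see "Line Numbers in Diagnostic Logs"), thread ID,
# an optional 4-digit session ID, then the free-text message. A message that
# itself begins with four digits and a space would be misread as a session ID;
# none of the documented lines do.
LINE_RE = re.compile(
    r"^(?P<service>\w+) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<level>[A-Z]) (?P<srcline>\d{4}) (?P<thread>\d+) "
    r"(?:(?P<session>\d{4}) )?(?P<message>.*)$"
)

# The only code-to-name mappings the release notes show (Figure 1).
REQUEST_NAMES = {"RQ1026": "UDB_AUTHENTICATE_USER"}
STATUS_NAMES = {-2046: "UDB_CHALLENGE_REQUIRED"}

DONE_RE = re.compile(r"^Done (RQ\d+), client (\d+), status (-?\d+)$")


@dataclass
class Entry:
    service: str
    date: str
    time: str
    level: str
    srcline: str
    thread: str
    session: Optional[str]  # None for lines logged outside an auth session
    message: str


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry, or None if the line does not follow the CSAuth layout."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return Entry(**m.groupdict())


def parse_log(text: str) -> List[Entry]:
    """Parse every non-empty line; malformed lines are dropped, not guessed at."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            entry = parse_line(line)
            if entry is not None:
                entries.append(entry)
    return entries


def filter_by_session(entries: List[Entry], session_id: str) -> List[Entry]:
    """The filtering the release notes describe: keep one session's work only."""
    return [e for e in entries if e.session == session_id]


def describe(entry: Entry) -> str:
    """Render a 'Done' line with descriptive text where a mapping is known."""
    m = DONE_RE.match(entry.message)
    if not m:
        return entry.message
    req, client, status = m.groups()
    status_text = STATUS_NAMES.get(int(status), status)
    return "Done %s, client %s, status %s" % (REQUEST_NAMES.get(req, req), client, status_text)


if __name__ == "__main__":
    for e in filter_by_session(parse_log(SAMPLE_LOG), "1000"):
        print(e.time, e.thread, describe(e))
```

Running the block prints the four entries for session 1000 across threads 2560 and 2548; the "Worker 1 processing message 17." line carries no session field and is parsed with session None rather than being rejected.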
Line Numbers in Diagnostic Logs
All ACS diagnostic log files now contain the correct line number of the source code that generated the error. In previous versions of ACS, the dzlog function wrote a hard-coded source code line number to the ACS diagnostic log.
Improved EAP Code Debug Messages
All EAP debug messages are now reported to the CSAuth diagnostic log.
Product Documentation
Table 7 lists the product documentation for ACS 4.1.3.
Table 7 Product Documentation
Document Title: Documentation Guide for Cisco Secure ACS 4.1
Description:
•Printed document with the product.
•PDF on the product CD-ROM.
•On Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps5338/prod_release_notes_list.html
Document Title: Release Notes for Cisco Secure ACS 4.1
Description: New features, documentation updates, and resolved problems. Available on Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_notes_list.html
Document Title: Product online help
Description: Help topics for all pages in the ACS web interface. Choose an option from the ACS menu; the help appears in the right pane.
Document Title: User Guide for Cisco Secure ACS 4.1
Description: ACS functionality and procedures for using the ACS features. Available in the following formats:
•By clicking Online Documentation in the ACS navigation menu. The user guide PDF is available on this page by clicking View PDF.
•PDF on the ACS Recovery CD-ROM.
•On Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_list.html
Document Title: Supported and Interoperable Devices and Software Tables for Cisco Secure ACS 4.1
Description: Supported devices and firmware versions for all ACS features. Available on Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_device_support_tables_list.html
Document Title: Installation and User Guide for User Changeable Passwords 4.1
Description: Installation and user guide for the user-changeable password add-on. Available on Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_installation_guides_list.html
Document Title: Configuration Guide for Cisco Secure ACS 4.1
Description: Provides step-by-step instructions on how to configure and deploy ACS. Available on Cisco.com.
Document Title: Installation Guide for Cisco Secure ACS 4.1 Windows
Description: Details on installation and upgrade of ACS software and post-installation tasks. Available in the following formats:
•PDF on the ACS Recovery CD-ROM.
•On Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_installation_guides_list.html
Document Title: Installation Guide for Cisco Secure ACS Solution Engine 4.1
Description: Details on ACS SE 1112 and ACS SE 1113 hardware and hardware installation, and initial software configuration.
•PDF on the ACS Recovery CD-ROM.
•Available on Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps5338/prod_installation_guides_list.html
Document Title: Regulatory Compliance and Safety Information for Cisco Secure ACS Solution Engine 4.1
Description: Translated safety warnings and compliance information.
•Printed document with the product.
•PDF on the ACS Recovery CD-ROM.
•Available on Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps5338/prod_installation_guides_list.html
Document Title: Installation and Configuration Guide for Cisco Secure ACS Remote Agents
Description: Installation and configuration guide for ACS remote agents for remote logging.
•PDF on the ACS Recovery CD-ROM.
•Available on Cisco.com.
Known Caveats in ACS for Windows and the Solution Engine 4.1.3
Table 8 contains known caveats in ACS for Windows and the Solution Engine 4.1.3.
Resolved Caveats in ACS for Windows and the Solution Engine 4.1.3
Table 9 contains the resolved caveats for the ACS 4.1.3 release. Check the Bug Navigator on Cisco.com for any resolved bugs that might not appear here.
Installation Notes for ACS 4.1.3
This section contains installation information for ACS 4.1.3.
•Upgrade Path ACS 4.1.3 for Windows
•System Requirements ACS 4.1.3 for Windows
•Installing ACS 4.1.3 for Windows
•Upgrade Path for ACS Solution Engine 4.1.3
•Installing the ACS Solution Engine 4.1.3
Upgrade Path ACS 4.1.3 for Windows
Cisco tested the upgrade to ACS for Windows Server 4.1.3 from release 4.1.1.23. For ACS 4.1 upgrade paths, refer to the Installation Guide for Cisco Secure ACS 4.1 Windows.
Note ACS 4.1.3 is available only as an upgrade from ACS 4.1.1. You do not use a boot or installation CD to install ACS 4.1.3.
Note Cisco does not support the upgrade from ACS 4.1.2 to ACS 4.1.3.
System Requirements ACS 4.1.3 for Windows
The system requirements for ACS 4.1.3 are the same as for ACS 4.1. For information on supported operating systems and web browsers, refer to the Installation Guide for Cisco Secure ACS 4.1 Windows.
Installing ACS 4.1.3 for Windows
You must have ACS 4.1 installed before you install ACS 4.1.3. ACS 4.1.3 is available through the Cisco TAC only for upgrading existing ACS software deployments. The installation instructions for ACS 4.1.3 are the same as for ACS 4.1. For information about installing ACS, refer to the Installation Guide for Cisco Secure ACS 4.1 Windows.
Upgrade Path for ACS Solution Engine 4.1.3
Cisco tested the upgrade to ACS Solution Engine 4.1.3 from release 4.1. For ACS 4.1 upgrade paths, refer to the Installation Guide for Cisco Secure ACS Solution Engine 4.1.
Note You do not use a boot CD to install ACS 4.1.3. You must upgrade from ACS 4.1.1.23.
Installing the ACS Solution Engine 4.1.3
The 1113 Solution Engine has ACS 4.1 pre-installed. The ACS 4.1.3 Solution Engine upgrade package is available through the TAC only for upgrading existing ACS software deployments. The installation instructions for ACS 4.1.3 Solution Engine are the same as ACS 4.1. For information about installing ACS, refer to the Installation Guide for Cisco Secure ACS Solution Engine 4.1.
CCVP, the Cisco Logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0704R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.
Printed in the USA on recycled paper containing 10% postconsumer waste.