Cisco Secure Access Control Server for Windows

Release Notes for Cisco Secure ACS 4.1

March 2007
Full Build Number: 4.1.1.23

These release notes pertain to Cisco Secure Access Control Server, hereafter referred to as ACS version 4.1. These release notes contain information for the Windows and Solution Engine platforms. Where necessary, the appropriate platform is clearly identified.


Note The ACS release numbering system for software includes major release, minor release, maintenance build, and interim build number in the MMM.mmm.###.BBB format. For this release, the versioning information is Cisco Secure ACS 4.1.1.23. Elsewhere in this document where 4.1 is used, we are referring to 4.1.1. ACS major release numbering starts at 4.1.1, not 4.1.0. Use this information when working with your customer service representative.


Contents

These release notes provide information about:

ACS New Features

Product Documentation

Known Problems in ACS for Windows and the Solution Engine 4.1

Known Caveats in ACS for Windows and the Solution Engine 4.1

Resolved Caveats in ACS for Windows and the Solution Engine 4.1

Known Caveats with ACS Solution Engine 4.1

Resolved Caveats in the ACS Solution Engine 4.1

ACS for Windows 4.1

Limitations and Restrictions

ACS Solution Engine 4.1

New and Changed Information for the ACS Solution Engine 4.1

Installation Notes for the Solution Engine 4.1

Documentation Updates

Obtaining Documentation

Documentation Feedback

Cisco Product Security Overview

Product Alerts and Field Notices

Obtaining Additional Publications and Information

ACS New Features

ACS contains the following new and changed features:

Improved Compliance Support—This release contains new ACS administrator permissions to improve password management and audit reports for regulatory compliance; for example, Sarbanes-Oxley (SOX). ACS includes the following capabilities for:

Authentication:

Forcing periodic change of administrator's password.

Applying password structure policy.

Forcing administrator's password change for inactive account.

Preventing the reuse of old password (password history).

Disabling administrator accounts for inactivity.

Disabling administrator accounts after failed logins.

Allowing ACS administrators to change their own passwords.

Audit and Reporting:

Logging all administrative actions via system logging (syslog), in addition to existing logging targets.

Controlling administrators' access to log file configuration to prevent specific audit logging from being disabled.

Adding new reports for administrator privileges.

Authorization: Providing a read-only privilege for users and groups.

External database support for MAC Authentication Bypass—The ability to maintain MAC address lists in an external LDAP server and map MAC addresses to user groups.

Improved diagnostics and error messages—Improved diagnostic information about certificate mismatches with HCAP and GAME servers. The raw dump of GAME and HCAP messages is in a readable format and the authentication failure codes are now more intuitive.

PEAP/EAP-TLS Support—The authenticator side of PEAP/EAP-TLS as a protocol enhancement is now included. ACS can now authenticate clients with PEAP by using EAP-TLS as the phase-two inner method, and enables certificate-based authentication to occur within a secure tunnel, encrypting identity information. Since EAP-TLS normally relies on client-side certificates for authentication, the PEAP tunnel will protect the client's certificate content.

Logging and Reporting Extensions—New internal mechanisms for logging now create consistent log levels and improved performance. ACS now supports syslog and the capability to log ACS messages to remote servers that support the syslog standard.

Multiple concurrent logging destinations—You can send log data to multiple destinations simultaneously.

Enhanced remote agent support for logging—You can expose reports externally that were previously provided only locally, for files from previous versions; for example, sending audit reports to a remote agent on an appliance.

RADIUS AES Key Wrap Functionality—This feature supports a secure, certified mode of operation, notably in a Federal Information Processing Standard (FIPS)-compliant wireless solution. RADIUS Key Wrap support with EAP-TLS authentication in ACS is another step toward satisfying the set of security requirements in practical, deployable, and interoperable secure solutions from Cisco Systems. AES replaces MD5 encryption.

Cisco NAC support—ACS 4.1 acts as a policy decision point in NAC deployments. By using configurable policies, it evaluates and validates the credentials that it receives from the Cisco Trust Agent (posture), determines the state of the host, and sends a per-user authorization to the network-access device: ACLs, a policy based access control list, or a private VLAN assignment. Evaluation of the host credentials can enforce many specific policies, such as OS patch level and antivirus DAT file version. ACS records the policy evaluation result for use with monitoring systems. Before granting network access, ACS 4.1 also allows third-party Audit Vendors to audit hosts without the appropriate agent technology. ACS policies can be extended with external policy servers to which ACS forwards posture credentials. For example, credentials specific to an antivirus vendor can be forwarded to the vendor's antivirus policy server, and audit policy requests can be forwarded to third-party audit products.

GAME Group Feedback—This feature provides the ability to authorize a host based on checking the device-type categorization returned from authentication as a user-group against an audit server.

Expanded agentless support—This feature adds support for auditing agentless hosts connected to a Layer 2 Network Access Device (NAD). The agentless host is admitted to a quarantined network where it can receive an IP address and only then instantiate the audit. When instantiated, the audit will continue as with a regular Layer 3 host.

Extended replication components—Improved and enhanced replication components are now available. Administrators now can replicate:

Posture validation settings.

Additional logging attributes.

Audit support for MAC Authentication Bypass—Audit processing has been enhanced to include MAC Authentication Bypass (MAB). MAB enables double-checking an audit request against a MAC authentication policy and an Audit Policy, and combines the evaluation of these two policies.

Audit Verification of MAC Exceptions—You can apply MAC exceptions to Network Admission Control (NAC) audit requests. Dual verification of endpoints is then possible. You can check whether the user group (which signifies the device type) that the agentless request processing returns matches the device type that the audit server returns, and you can define a policy for handling mismatches.

Japanese Microsoft Windows Support—New support for the Japanese version of Microsoft Windows 2003 at the service pack level is available. The ACS web interface can run on browsers running the Japanese version of the Windows operating system. In addition, the ACS for Windows software can run on a Windows server running the Japanese version of the Windows operating system.


Note We do not support distributed ACS deployments in a Network Address Translation (NAT) environment.


Product Documentation

The following product documentation is available for ACS 4.1:

Table 1 Product Documentation  

Document Title
Description

Documentation Guide for Cisco Secure ACS 4.1

Printed document with the product.

PDF on the product CD-ROM.

On Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/ps5338/prod_release_notes_list.html

Orderable; see Obtaining Documentation.

Release Notes for Cisco Secure ACS 4.1

New features, documentation updates, and resolved problems. Available on Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_notes_list.html

Product online help

Help topics for all pages in the ACS web interface. Select an option from the ACS menu; the help appears in the right pane.

User Guide for Cisco Secure ACS 4.1

ACS functionality and procedures for using the ACS features. Available in the following formats:

By clicking Online Documentation in the ACS navigation menu. The user guide PDF is available on this page by clicking View PDF.

PDF on the ACS Recovery CD-ROM.

On Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_list.html

Supported and Interoperable Devices and Software Tables for Cisco Secure ACS 4.1

Supported devices and firmware versions for all ACS features. Available on Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_device_support_tables_list.html

Installation and User Guide for User Changeable Passwords 4.1

Installation and user guide for the user-changeable password add-on. Available on Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_installation_guides_list.html

Configuration Guide for Cisco Secure ACS 4.1

Provides step-by-step instructions on how to configure and deploy ACS.

Available on Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_installation_and_configuration_guides_list.html

Installation Guide for Cisco Secure ACS 4.1 Windows

Details on installation and upgrade of ACS software and post-installation tasks. Available in the following formats:

PDF on the ACS Recovery CD-ROM.

On Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_installation_guides_list.html

Installation Guide for Cisco Secure ACS Solution Engine 4.1

Details on ACS SE 1112 and ACS SE 1113 hardware and hardware installation, and initial software configuration.

PDF on the ACS Recovery CD-ROM.

Available on Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps5338/prod_installation_guides_list.html

Regulatory Compliance and Safety Information for Cisco Secure ACS Solution Engine 4.1

Translated safety warnings and compliance information.

Printed document with the product.

PDF on the ACS Recovery CD-ROM.

On Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/ps5338/prod_installation_guides_list.html

Orderable; see Obtaining Documentation.

Installation and Configuration Guide for Cisco Secure ACS Remote Agents

Installation and configuration guide for ACS remote agents for remote logging.

PDF on the ACS Recovery CD-ROM.

Available on Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_installation_and_configuration_guides_list.html



Note Some of the preceding documents are in PDF format. You need the Adobe Acrobat Reader to open these files.


Security Advisory

Cisco issues a security advisory when security issues directly impact its products and require action to repair. For the list of security advisories for Cisco Secure on Cisco.com, see the Cisco Security Advisory: Multiple Vulnerabilities in Cisco Secure Access Control Server at:

http://www.cisco.com/en/US/products/products_security_advisories_listing.html

Known Problems in ACS for Windows and the Solution Engine 4.1

The problems in this release are:

Cisco AAA Client Problems

Known Microsoft Problems

Upgrade from the Trial version of ACS 4.1 to the ACS 4.1 First Customer Ship (FCS) version fails

Replication with Different Send and Receive Configurations

Problem with Accounting Records in the TACACS+ Administration Log

Known CLI Administrator Problem

Verifying the ACS Solution Engine CD Recovery Process

Cisco AAA Client Problems

Refer to the appropriate release notes for information about Cisco AAA client problems that might affect the operation of ACS. You can access these release notes online at Cisco.com. For NAC-specific client problems, go to http://www.cisco.com/go/nac.

Known Microsoft Problems

Due to a defect in the Microsoft PEAP supplicant provided in the Windows XP Service Pack 2, the PEAP supplicant cannot reauthenticate successfully with ACS. Cisco has opened case SRX040922603052 with Microsoft on this issue. Customers who are affected by this problem should open a case with Microsoft and reference the Cisco case ID. Microsoft has prepared hotfix KB885453, which resolves the issue. The hotfix is available on the Microsoft website.


Note ACS for Windows only. When ACS runs on a domain controller and you need to authenticate users with a Windows user database, you must take additional configuration steps; see the Installation Guide for Cisco Secure ACS 4.1 Windows for post-installation steps regarding Windows NT LAN Manager (NTLM). A Microsoft hotfix may be required, depending on your configuration.


Upgrade from the Trial version of ACS 4.1 to the ACS 4.1 First Customer Ship (FCS) version fails

The upgrade from the trial version of ACS 4.1 to the ACS 4.1 FCS version fails after the evaluation period has expired. To prevent this:

1. Perform a system backup on the expired ACS trial version.

2. Retain the system backup dump file. The backup functionality in CSAuth remains operational.

3. Uninstall the trial version.

4. Install the unrestricted FCS version.

5. Restore the system backup dump file on the installed FCS version.


Note The upgrade problem only applies to the software evaluation version of ACS 4.1.


Replication with Different Send and Receive Configurations

The user guide states that the primary ACS compares the list of database components that it is configured to send with the list of database components that the secondary ACS is configured to receive. If the secondary ACS is not configured to receive any of the components that the primary ACS is configured to send, the database replication fails.

This information is not correct (bug CSCsg93907).

The primary ACS first synchronizes with the secondary ACS, and sends only the components that the secondary ACS is configured to receive. The primary ACS does not send components that the secondary ACS is not configured to receive, even if you configure the primary ACS to send those components. Thus, database replication does not fail when different send and receive configurations exist on the primary and secondary ACS.

Problem with Accounting Records in the TACACS+ Administration Log

After upgrading to ACS 4.1, TACACS+ Command Accounting no longer works. No accounting records are visible in the TACACS+ Administration log (bug CSCsg97429).

Command accounting is configured on the Network Access Server (NAS). No records are visible in the TACACS+ Administration log file after entering commands on the NAS. Debugs on the NAS show the records being sent, and they do arrive at the ACS server, but the appropriate log file is not updated.

The following patch resolves this issue.

Click this link if you are using ACS for Windows: http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-win-3des?psrtdcat20e2 and download:

ACS-4.1.1.23-CSTacacs-SW-CSCsg97429.zip

ACS-4.1.1.23-CSTacacs-SW-CSCsg97429-Readme.txt

Click this link if you are using ACS Solution Engine: http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-soleng-3des?psrtdcat20e2 and download:

applAcs_4.1.1.23_ACS-4.1-CSTacacs-CSCsg97429.zip

Known CLI Administrator Problem

If you do not set up a GUI account for the CLI administrator by using the add-guiadmin command, then the CLI administrator will be unable to access the SE by using a web browser over the serial connection.

To add a GUI account that the CLI administrator can use, use the add-guiadmin command.

add-guiadmin [admin] [password]

Verifying the ACS Solution Engine CD Recovery Process

After you remove the recovery CD from the drive and press Enter, the system reboots and displays system version information. The ACS Solution Engine recovery process is complete and the Solution Engine is operational when the following information appears on your console.

Cisco Secure ACS: 4.1.1.16
Appliance Management Software: 4.1.1.16
Appliance Base Image: 4.1.1.4
CSA build 4.0.1.543.2:  (Patch: 4_0_1_543)
Status: Appliance is functioning properly

Note If only the login prompt appears, you must reboot the Solution Engine.


For detailed information on the Solution Engine CD recovery process, see the Installation Guide for Cisco Secure ACS Solution Engine 4.1.

Known Caveats in ACS for Windows and the Solution Engine 4.1

Table 2 contains known caveats in ACS for Windows and the Solution Engine 4.1.

Table 2 Known Caveats in ACS Windows and the Solution Engine 4.1 

Bug ID
Summary
Explanation

CSCsc49673

UPGRADE:Add Filter aaa:service=ip_admission to Upgrade-Profile NAP.

Symptom    After upgrading from ACS 3.3 that included a NAC database, a profile is created with an authorization method: PEAP - posture only. This profile does not have a filter, which causes all incoming authentications except PEAP-posture to fail.

Workaround   Add a filter of Cisco-av-pair aaa:service = ip_admission to the Upgrade-Profile. The no-posture requests will be authenticated against the global settings configuration. (Check the Grant access using global configuration, when no profile matches option in the created profile.)

CSCsc43577

CSAdmin stalls and has a memory leak.

Symptom    CSAdmin consumes a large amount of memory (351 MB) when updating EAP-FAST inner method GTC to MSCHAPv2 by using the Network Access Profile page.

Workaround   Restart the CSAdmin service.

CSCsc41638

ACS does not check if the Certificate Authority (CA) certificate that was issued to a user exists in the certificate trust list (CTL).

Symptom    A user who presents a certificate in EAP-TLS or EAP-FAST/EAP-TLS may be authenticated, even though the ACS machine no longer trusts the certificate issuer.

Workaround   Uncheck the CA certificate from the ACS web interface before removing the CA certificate from the machine storage.

CSCsc32154

Upgrading from ACS 3.3 removed APT, SPT, and Reason from Logged Attributes.

If one or more of the APT, SPT, and Reason attributes were selected to be logged in the Failed or Passed reports in ACS 3.3, they will not appear in the Logged Attributes column after upgrading to ACS 4.1.

CSCsb95897

ACS cannot correctly display a list containing several pages of disabled accounts.

Symptom    The ACS web interface has problems displaying disabled accounts lists if they contain several pages. Next works as expected, but Previous is available only once.

Workaround   None.

CSCeh79954

EAP-TLS time-of-day restriction in Active Directory (AD) does not fail user; authentication succeeds.

Symptom    EAP-TLS authentication of users in Windows Active Directory will still pass when a user's time-of-day setting (located in AD) is outside the hours they are allowed. ACS does not generate an error.

Conditions   EAP-TLS authentication of users in Active Directory in a Windows 2000 or 2003 environment.

Workaround   None.

CSCeh68821

LDAP authentication passes after modifying the subtree node due to domain name (DN) caching.

Symptom    If you change the User Directory Subtree in the Common LDAP Configuration, users that already authenticated by using this Generic LDAP instance (External User Database) are not affected and will continue to pass authentication, even if they are no longer under the new User Directory Subtree. ACS does not perform a new search for the users because of the user-cached Distinguished Name.

Workaround   If you want to enforce a new search on the User Directory Subtree, delete the users from the ACS internal database.

CSCeh60564

An Active Directory locked-out user passed EAP-TLS authentication; should be rejected.

Symptom    EAP-TLS authentication will still pass for users in Active Directory, even if their account is locked out. ACS does not generate an error message.

Conditions   EAP-TLS authentication of users in Active Directory in a Windows 2000 environment.

Workaround   None. Windows 2003 has introduced some new attributes that should help resolve this issue in the future.

CSCeh52700

An Active Directory expired-user passed EAP-TLS authentication; should be rejected.

Symptom    EAP-TLS authentication will still pass for users in the Active Directory, even if their account has expired. ACS does not generate an error message.

Workaround   If you want to use Active Directory to authenticate users with EAP-TLS when ACS runs on a member server, additional configuration is required. For more information, including steps for the additional configuration, see the Installation Guide for Cisco Secure ACS 4.1 Windows, Release 4.1 or the Installation Guide for Cisco Secure ACS Solution Engine 4.1.

CSCeh00074

GUI LDAP group mapping submission failure.

Symptom    When adding LDAP groups to be mapped to ACS groups, the Submit operation sometimes fails and an Empty list error message appears.

Conditions   This failure might occur when working on the ACS web interface from a remote machine (for example, with Terminal Services) or from other group mapping pages.

Workaround   Move to another window from the Group Mapping page, before you click Submit, or click on another frame in the ACS web interface.

CSCeg50237

Overinstall causes the added AVP Attributes to disappear.

Symptom    Adding AVP attributes and then performing an overinstall causes those attributes to disappear from the Log Attribute field.

Workaround   None.

CSCef96208

ACS reports incorrect privilege level.

Symptom    ACS may report users with the incorrect authorized privilege level. In particular, when using TACACS+, users who are correctly authenticated with a privilege level of 15 are reported with a level of 1.

Workaround   The error is cosmetic; there is no workaround.

CSCef85310

Group discretionary access control list (DACL) is downloaded if user's DACL content is empty.

Symptom    It is possible to define an ACL with empty content. Because of this defect, if a user with an empty ACL belongs to a group on which a non-empty ACL is defined, then when that user authenticates, the ACL of the group is downloaded to the device instead of the user's. (When the user's DACL content is not empty, it is downloaded to the device, as it should be.)

Workaround   Do not define an empty downloadable ACL.

CSCef55730

ACS authorization passes even for a disabled user.

Symptom    The default administrative user account defined within the CiscoWorks local (user) database (and replicated within the ACS TACACS+ user database) is granted access to all installed Management Center applications, even if the user account is disabled within ACS.

CSCef12461

ACS administrators are not restored when you restore a dump file of a large database on Windows 2000.

Symptom    When ACS contains a big database with 500 or more administrators, after restoring the dump file on Windows 2000, the ACS administrators are not restored.

Workaround   Manually create administrators after restore.

CSCee64596

During stress tests, ACS does not reduce the size of the CSAdmin file based on the Service Control settings.

Symptom    Intensive use of the Logged-In Users report may lead to significant memory utilization (140 MB) by the CSAdmin service.

Workaround   Restart the CSAdmin service.

CSCsb15116

The Apply and Restart button in the Network Access Profiles (NAP) page does not release the Network Access Filter (NAF) policy.

Symptom    When deleting a Network Access Filter, which is used in a Network Access Profile Setup Page, unexpected behavior (NAPs fail) may occur and authentication fails.

Workaround   Perform one of the following:

Before deleting a Network Access Filter, remove it from the relevant Network Access Profiles.

After deleting a Network Access Filter, for each relevant Network Access Profile, click Submit (without making changes) in the Profile Setup Page.

CSCsc57975

The database order inside a Network Access Profile may cause authentication to fail and an error message appears.

Symptom    When a user account in the Windows Active Directory has expired, the user may be authenticated in another external database, which is configured sequentially after the Windows database in the authentication settings in the matched NAP. If the user exists in another database, authentication is successful. If the user does not exist in another database, the error message CS user unknown (instead of Database account expired) appears.

Workaround   None.

CSCse03681

Entering a community string that begins or ends with a space does not result in an error message.

Symptom    Entering a community string that begins or ends with a space does not result in an error message. Instead, the ACS system deletes the space without informing the user.

Workaround   None.

CSCse01194

After system migration from ACS for Windows to the Solution Engine version on the ACS SE 1113, the existing HTTP configuration is not retained.

Symptom    If the master ACS system (ACS for Windows 4.0.1.27) is configured for certain HTTP settings (the port ranges are changed to 60000-60005) and the system is replicated to the ACS SE 1113 version (4.0.1.44), the specified HTTP configuration settings are not retained on the ACS SE 1113 installation.

Workaround   None.

CSCsc41860

CSAuth fails when you use CSUtil to delete more than 10,000 AAA clients concurrently.

Symptom    A large number (35,000) of AAA clients were imported to an ACS server. Then CSUtil import was used to delete the 35,000 devices. After deleting the AAA clients, CSAuth failed.

Conditions   This defect can occur on a clean installation.

Workaround   When deleting a large number of AAA clients, you can use CSUtil to delete them in batches of up to 10,000 AAA clients concurrently.

CSCsb48683

Log and accounting file locking causes problems with backup software.

Symptom    ACS diagnostic and accounting log-file locking results in service problems when the directories are backed up by certain software applications (in the reported case, Veritas software was used).

Workaround   Upgrade your backup software.

CSCec72911

Issue with Windows 2003 password-aging page.

Symptom    ACS is installed on Windows 2003 Server and the password-aging feature is enabled. Only the generate greetings for successful logins option in Password Aging settings is checked. After clicking Submit or Submit + Restart, ACS for the first time displays the valid error message: Error: Generation of greetings on successful logins requires at least one password aging rule to be configured. But, when you click one of these buttons a second time, the errors active canceled or the page cannot be displayed appear.

Conditions   Occurs after installing and as long as no changes are performed. Occurs when managing ACS only on the local machine by using Internet Explorer 6.0.

Workaround   Restart ACS.

CSCea91690

Event Viewer errors on startup and shutdown in .NET

Symptom    On Windows .NET Server 2003 or Windows 2003 Enterprise Edition shutdown and startup, you may see errors that falsely indicate that an ACS service has failed. At startup, you may see a dialog box that indicates that a service, such as CSLog, encountered a problem and will close. The same error is logged to the Event Viewer, as in:

Reporting queued error: faulting application
CSLog.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

In Windows Server 2003, the Service Manager queries the ACS services status during startup and shutdown, but ACS services might not have started yet or might have stopped already. Even though this is normal behavior for ACS services, Windows perceives an error and logs it to the Event Viewer.

On startup, the user sees all errors from the Event Viewer, which is why, when users log into Windows right after startup, they see errors from the previous login session.

This behavior is observed on Windows Server 2003 only.

Workaround   Verify that ACS services are running by using the Control Panel.

CSCsf13603

Cisco PEAP authentication against the RSA server with NEW PIN Mode fails.

Symptom    When you work with RSA as the external database and try to change the personal identification number (PIN) mode from the RSA Server, it forces the supplicant to add a new PIN. However, when the supplicant adds a new PIN, ACS does not receive it and consequently the authentication fails.

CSCsg37711

CSAuth terminated: EAPFAST (all inner) Authentication and Posture

Symptom    The same IP address and user are processed simultaneously on 2 separate sessions.

CSCsg12943

CSAuth crashes, and the network-access devices (NADs) show RADIUS_DEAD and are unable to authenticate any more ports.

Symptom    During stress testing, CSAuth crashes, and the network-access devices (NADs), also known as AAA clients, show RADIUS_DEAD and are unable to authenticate any more ports.

Conditions   This is caused by clientless stress.

Workaround   None.

CSCsg44214

ACS is not sending external Posture Validation Servers (PVSs) to the Username server, causing no posture return.

The OfficeScan policy server requires a local account authentication before allowing access to PostureRequest.dll. The ACS server times out.

Workaround   None.

CSCsg40727

RDBMS fails account action 220 250 with synchronization partners.

Symptom    Network device groups (NDGs) are not added to synchronization partners, but an additional (duplicated) entry is added to the primary. The AAA-Client cannot be deleted.

Workaround   Prevent the attempt to synchronize remote targets for specific device-type actions.

CSCsg56677

Reauthentication fails for an EAP-FAST user after you upgrade with User Principal Name (UPN) or Windows Security Account Manager (SAM) formats.

Symptom    When you attempt to upgrade ACS 4.0 to build 4.0.1.49 or to ACS 4.1, re-authentication fails with the error message:

Access denied:fast-reconnect was successful but user was not found in cache.

Workaround   There are two cases to review:

Case 1: Customers using Manual Protected Access Credentials (PAC) provisioning.

In this case you reprovision PACs with correct usernames (usernames containing domains).

Case 2: Customers using Automatic PAC provisioning.

In this case you set the values for the EAP-FAST settings on the EAP-FAST Configuration page:

Active master key TTL  = 1 hours
Retired master key TTL = 2 hours
Tunnel PAC TTL         = 30 minutes
Authorization PAC TTL  = 10 minutes

Note that the Active master and Retired master key times to live (TTLs) are changed to force invalidation of PACs issued by ACS 4.0 (4.0.1.27, 4.0.1.42/43/44).

Tunnel PAC and Authorization PAC TTLs are changed because of the limitation that their values must be less than the Active master and Retired master key TTLs.

Note When the customer's environment contains several ACS servers, this change must be applied on ALL ACS servers configured as an EAP-FAST master server. This change should be replicated to the corresponding slave ACS servers. This change will lead to reprovisioning of ALL PACs.

You can change the EAP-FAST settings back a day after these changes are applied and replicated to all ACS servers in the customer's environment. The default values are:

Active master key TTL  = 1 months
Retired master key TTL = 3 months
Tunnel PAC TTL         = 1 weeks
Authorization PAC TTL  = 1 hours
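The TTL constraint that the workaround depends on can be checked mechanically before the change is pushed to every EAP-FAST master server. The following Python script is an added example written for these notes, not Cisco code; it encodes the workaround and default values listed above together with the rule stated above that both PAC TTLs must be shorter than both master key TTLs (a month is counted as 30 days, an assumption made only for the comparison):

```python
import re

# Seconds per unit; the EAP-FAST Configuration page expresses TTLs as "<n> <unit>".
# A month is treated as 30 days here (assumption, used only for the comparison).
_UNIT_SECONDS = {
    "minute": 60, "minutes": 60,
    "hour": 3600, "hours": 3600,
    "day": 86400, "days": 86400,
    "week": 7 * 86400, "weeks": 7 * 86400,
    "month": 30 * 86400, "months": 30 * 86400,
}

# Values taken from the release notes: the temporary workaround and the defaults.
WORKAROUND_TTLS = {
    "Active master key TTL": "1 hours",
    "Retired master key TTL": "2 hours",
    "Tunnel PAC TTL": "30 minutes",
    "Authorization PAC TTL": "10 minutes",
}
DEFAULT_TTLS = {
    "Active master key TTL": "1 months",
    "Retired master key TTL": "3 months",
    "Tunnel PAC TTL": "1 weeks",
    "Authorization PAC TTL": "1 hours",
}


def parse_ttl(text):
    """Convert a GUI-style TTL such as '30 minutes' or '1 months' to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s+([A-Za-z]+)\s*", text)
    if not m or m.group(2).lower() not in _UNIT_SECONDS:
        raise ValueError(f"unrecognised TTL value: {text!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2).lower()]


def check_eap_fast_ttls(settings):
    """Return the constraint violations for a set of EAP-FAST TTLs (empty = consistent).

    The one rule checked is the one the release notes state: Tunnel PAC TTL and
    Authorization PAC TTL must each be less than both master key TTLs.
    """
    secs = {field: parse_ttl(value) for field, value in settings.items()}
    violations = []
    for pac in ("Tunnel PAC TTL", "Authorization PAC TTL"):
        for key in ("Active master key TTL", "Retired master key TTL"):
            if secs[pac] >= secs[key]:
                violations.append(
                    f"{pac} ({settings[pac]}) is not less than {key} ({settings[key]})"
                )
    return violations


if __name__ == "__main__":
    for label, ttls in (("workaround", WORKAROUND_TTLS), ("defaults", DEFAULT_TTLS)):
        problems = check_eap_fast_ttls(ttls)
        print(f"{label}: {'OK' if not problems else problems}")
```

Run the check against the values you intend to enter on each master server before submitting them; a non-empty result means the GUI would reject the combination or the PACs would not be invalidated as intended.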

CSCsg74699

When you upgrade, the AAA client and server configuration might be dropped because of a DNS failure.

Symptom    ACS allows customers to enter AAA client or server using the host name. ACS stores the host name and resolves the IP address at startup.

Conditions   During an upgrade, if the DNS resolution of a host name fails, that host configuration data is ignored. Following the upgrade, the AAA client and server configuration is missing for the host names that failed the DNS test.

Workaround   None.

CSCsg19044

ACS syslog and ODBC configuration is missing in the listing for Trend, McAfee, and Qualys.

Symptom    When you select System Configuration > Logging, configuration information is missing (failed attempts or passed attempts) for syslog and ODBC. The attributes for Trend, Qualys, and McAfee are not listed in either column; but are listed under the CSV configuration.

Workaround   None.

CSCsg16875

ACS sends an internal error when CSA is disabled and enabled.

Symptom    ACS 4.1 sends an internal error in the failed authorization logs when the CSA security level is changed from Medium to Off and then back to Medium.

Conditions   This defect occurred in an environment with CTA 2.1.18.0, the CTA 802.1x Wired Client, CSA 5.0.0.181, and ACS 4.1.

Workaround   Restart the ACS CSAuth service manually or wait for ACS to do it automatically.

CSCsb93223

An internal posture validation policy is created even though a template profile cannot be configured.

Symptom    An internal posture validation policy is created by using the NAC 802.1x template.

Conditions   All conditions. Occurs any time when using the NAC 802.1x template and you cannot create a profile (for example, Global Authentication Setup is not configured properly).

Workaround   None.

CSCsg24439

Required credentials are inconsistent for logging and behavior internally and externally.

Symptom    Credentials for Cisco:Host and Cisco:PA that are not selected as required credentials are still requested from CTA and are still evaluated.

Conditions   All conditions.

Workaround   None.

CSCsg39294

On the internal Posture Validation page, the policy details should be left-justified.

Symptom    The policy details column of the internal posture validation setup is centered so that you have to scroll over to see the column headings and action buttons. This text should be justified left to make it easier to view.

Workaround   Left-justify the text.

CSCsf28775

Expired accounts are incorrectly reported.

Symptom    After upgrading ACS from 3.3.3 to 4.0, accounts which have expired due to their user expiry configuration are not reported in the Disabled Accounts report.

Conditions   This problem has been observed on ACS 4.0 after an upgrade from 3.3.3. Upgrades from other versions might be affected as well.

Workaround   None.

CSCsf25057

ACS support for TACACS+ single-connection.

Symptom    ACS does not support the TACACS+ single-connect flag.

Conditions   ACS support for TACACS+ single-connection was intentionally removed to work with IOS, which does not correctly support the feature.

Workaround   None.

CSCsg24408

ACS syslog facility needs to be configurable for localX, not fixed AUTH.

Symptom    To determine which logging facility was being used, you need to trace the traffic coming from ACS that was destined for the syslog server on port 514.

Workaround   Set up syslog to accept AUTH and not a localX facility. For example, auth.debug.
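One way to confirm which facility ACS is using without reading raw packet bytes is to decode the <PRI> prefix of the messages that arrive on UDP port 514: the facility is PRI divided by 8 and the severity is the remainder. The script below is an added example, not ACS code or part of these notes; the sample capture lines (host names, timestamps, payloads) are constructed, and only their PRI values matter. A message with PRI 38 decodes to auth.info, which a receiver rule such as auth.debug matches.

```python
import re
from collections import Counter

# Facility and severity codes from the BSD syslog format (RFC 3164).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(message):
    """Return (facility, severity) from the <PRI> prefix of a raw syslog message."""
    m = _PRI_RE.match(message)
    if not m:
        raise ValueError("message has no <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def facility_summary(messages):
    """Count facility.severity pairs over a capture of raw syslog messages."""
    counts = Counter()
    for msg in messages:
        facility, severity = decode_pri(msg)
        counts[f"{facility}.{severity}"] += 1
    return counts


# Constructed sample: the kind of lines a capture of UDP/514 traffic would show.
# Host names, timestamps and payloads are made up; only the PRI values matter.
SAMPLE_CAPTURE = [
    "<38>Nov  1 09:12:03 acs-primary CSLog: Passed-Authentication alice 10.0.0.5",
    "<38>Nov  1 09:12:07 acs-primary CSLog: Passed-Authentication bob 10.0.0.9",
    "<39>Nov  1 09:12:09 acs-primary CSLog: Failed-Attempt carol 10.0.0.12",
    "<166>Nov  1 09:12:10 core-sw-1 %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host",
]

if __name__ == "__main__":
    for key, n in sorted(facility_summary(SAMPLE_CAPTURE).items()):
        print(f"{key:16} {n}")
```

Feed the script the message text of each datagram from a capture on the syslog server; if every ACS line decodes to the auth facility, the receiver rule for AUTH is the one that must exist.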

CSCsf16737

CSAuth, CSAdmin, CSRadius, CSTacacs are not started up after reboot.

Symptom    After a system reboot, the following services are not started when the Windows service Windows Firewall/Internet Connection Sharing (ICS) is started:

CSAuth

CSRadius

CSTacacs

CSAdmin

Workaround   Disable the Windows service Windows Firewall/Internet Connection Sharing (ICS). To do so, choose Start > Run, enter services.msc, and click OK. In the Services dialog box, scroll to Windows Firewall/Internet Connection Sharing (ICS). Right-click it and select Properties. In the Startup type box, change Automatic to Disabled.

Note You can also manually start each service.


Resolved Caveats in ACS for Windows and the Solution Engine 4.1

Table 3 contains the resolved caveats for the ACS 4.1 release. Check the Bug Navigator on Cisco.com for any resolved bugs that might not appear here.

Table 3 Resolved Caveats in ACS Windows and the Solution Engine 4.1 

Bug ID
Summary
Explanation

CSCsc43287

Replication: Administration Control > Access Policy. Port allocation not replicated.

The port allocation settings now enable replication. For detailed information see the User Guide for Cisco Secure ACS 4.1.

CSCsc41129

CSAuth experiences exceptions during EAP-TLS stress testing against an LDAP external database with secure sockets layer (SSL) connections.

CSAuth no longer experiences exceptions or failures after stress testing EAP-TLS authentications with an LDAP external database whose LDAP connections run over SSL.

CSCsc39979

Updating a NAP deletes the external user from the Logged All Users report.

External users related to the NAP are no longer deleted from the Logged All Users report.

CSCef85314

Group DACL is downloaded if user's content NAF is not suitable.

The ACL and NAF features work as desired, as documented in the User Guide for Cisco Secure ACS 4.1.

CSCsc06942

Script interface fails the 1,000 bytes limit at the Layer 2 level.

This issue is relevant only for nonfragmented messages in tunneled protocols (Microsoft PEAP, Cisco PEAP, and EAP-FAST). Unfragmented tunneled EAP messages should not exceed a total length of 1,002 bytes.

CSCsc00788

Password change is not supported in Generic Token Card (GTC) against a Windows database.

Password change is supported in EAP-GTC against a Windows database. You must perform the following steps to enable the password change:

1. Mark the password in Windows as must change password at the next logon.

2. Run EAP-FAST with GTC as the inner method and ensure that the changed password works.

CSCsb25151

When a AAA client has multiple IP addresses, NAF for downloadable ACLs fail.

NAF for downloadable ACLs no longer fails for AAA clients.

CSCsa79327

Authentications fail for users whose passwords contain the Euro symbol.

Authentication no longer fails for users that use the Euro symbol in their password.

CSCeh24979

Users fail to authenticate when upgrading and attempting to access an obsolete (no longer used) database.

Users now authenticate when upgrading and attempting to access an obsolete database.

CSCeh10491

Authentication errors on timeout waiting for local logging.

Authentication errors due to timeout no longer occur.

CSCeb78551

When handling an LEAP RADIUS proxy between a front-end ACS server and a back-end ACS server, problems arise if the configuration is not correct.

You must incorporate the required configuration settings to successfully use this feature.

For detailed information, see the User Guide for Cisco Secure ACS 4.1:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_list.html

CSCsc69976

Local logging file size and days do not appear after change in GUI.

Local logging file size and days appear after a change in the GUI.

CSCsc27168

User authentication succeeds even though a database is not selected.

Before deleting the external database configuration, ensure that it is not used in any NAP.

CSCsb72286

ACS RADIUS proxy uses RADIUS port 1645, not the current port 1812.

ACS is now able to work with different ports. ACS can now use its proxy capability for other AAA servers.

CSCeh37907

Duplicate IP addresses are assigned due to reordered Accounting Stop packets.

Duplicate IP addresses are no longer assigned.

CSCsc41673

CSAuth fails after importing an Airespace NAS.

This problem has been fixed in the most recent version of ACS.

CSCeh35121

Local logging stopped working after ODBC logging removed.

Local logging is successful after ODBC logging is removed.

CSCsc95237

ACS Services do not start after upgrading from 3.x to 4.1.1

A trailing space was found in the IP address for a particular network device. This caused the database conversion process to fail, which prevented ACS services from starting after the upgrade. Use the registry editor to remove the trailing space and ACS services will start after the upgrade.
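This caveat and CSCsg74699 above both come from AAA client and server address fields that the upgrade cannot process: an IP address with a trailing space breaks the database conversion, and a host name that no longer resolves is silently dropped. The following Python script is an added example, not ACS tooling, for auditing such an inventory before an upgrade. The device list is constructed, the input format it reads (a simple name-to-address mapping) is an assumption, and the offline resolver stands in for DNS so that the sample runs without network access; on a real system pass the default resolver instead.

```python
import ipaddress
import re
import socket

_DOTTED_QUAD = re.compile(r"^\d+(\.\d+){3}$")


def audit_entry(host, resolver=socket.gethostbyname):
    """Return the findings for one AAA client/server address field (empty = clean)."""
    findings = []
    if host != host.strip():
        findings.append("leading or trailing whitespace")
    value = host.strip()
    if _DOTTED_QUAD.match(value):
        # Looks like an IPv4 literal: make sure it actually is one.
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            findings.append("malformed IPv4 address")
        return findings
    # Anything else is treated the way ACS treats it: as a host name to resolve.
    try:
        resolver(value)
    except OSError:  # socket.gaierror is a subclass of OSError
        findings.append("DNS resolution failed; entry would be dropped on upgrade")
    return findings


def audit_inventory(entries, resolver=socket.gethostbyname):
    """Map device name -> findings for every entry that has at least one finding."""
    report = {}
    for name, host in entries.items():
        findings = audit_entry(host, resolver)
        if findings:
            report[name] = findings
    return report


# Constructed sample inventory (not taken from a real ACS export).
SAMPLE_INVENTORY = {
    "core-sw-1": "10.1.1.10",
    "wlc-2": "10.1.1.20 ",                    # trailing space, as in CSCsc95237
    "edge-rtr": "edge-rtr.example.test",
    "old-fw": "decommissioned-fw.example.test",  # no longer in DNS, as in CSCsg74699
    "vpn-gw": "10.1.1.300",                   # not a valid IPv4 address
}


def offline_resolver(hostname):
    """Stand-in resolver so the sample runs without network access (assumption)."""
    known = {"edge-rtr.example.test": "10.1.1.30"}
    if hostname not in known:
        raise socket.gaierror(f"cannot resolve {hostname}")
    return known[hostname]


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, offline_resolver).items():
        print(f"{name}: {'; '.join(findings)}")
```

Every entry the script reports should be corrected in the ACS configuration (or, for the trailing-space case, in the registry as the explanation above describes) before the upgrade is started, so that no device is lost from the converted database.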

CSCsc72958

ACS documentation does not indicate that IP NAR requires attribute 31.

The User Guide for Cisco Secure ACS 4.1 has been updated with the correct information:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_list.html

CSCsf11031

Upgrading to ACS 4.1 from a patched ACS will not implement the Critical Logger.

You do not need the patch. The critical logging function is introduced in ACS 4.1. When you upgrade from ACS 4.0 to 4.1, the patch is canceled and the critical logger is enabled.

CSCeh54670

EAP-TLS Strip Domain Name check box has been removed in the 4.1 GUI.

This feature controlled whether ACS removes the domain name from a username that is derived from the Subject Alternative Name (SAN) field in an end-user certificate.

The Windows EAP Setting, EAP-TLS Strip Domain Name check box, has been removed from the version 4.1 GUI. In version 4.1, the Active Directory (AD) search functionality enables you to authenticate a username.

CSCsc77190

The <no access> group does not prevent EAP-TLS user from accessing the network.

This problem has been fixed in the most recent version of ACS.

CSCsg02005

CSMon utilizes 100% of the CPU while trying to communicate with the SMTP Server.

This problem has been fixed in the most recent version of ACS.

CSCsb38899

Upgrade to 5.1(0.7) resets all tuned signatures to default settings.

This problem has been fixed in the most recent version of ACS.

CSCsc27158

A memory leak occurred during stress tests of PAP authentications with LDAP server (OpenLDAP) and legacy SSL enabled (cert7.db). For example, memory usage reached 100MB after ~1.5 million authentications.

This problem has been fixed in the most recent version of ACS.

CSCsc06942

Script interface fails the 1K limit at the Layer 2 level.

This problem has been fixed in the most recent version of ACS.


Known Caveats with ACS Solution Engine 4.1

Table 4 contains the known caveats for ACS Solution Engine 4.1

Table 4 Known Caveats in ACS SE 4.1 

Bug ID
Summary
Explanation

CSCse01363

The appliance configuration page is not replicated when the system is migrated from the ACS SE 1112 device to the ACS SE 1113 device.

Symptom    Under certain conditions, the appliance configuration is not replicated when the system is migrated from the ACS SE 1112 to the ACS SE 1113.

Conditions   This occurs when a user:

1. On the Master ACS (Quanta 4.0.1.42), accesses the Appliance Configuration page from System Configuration.

2. Enables NTP Synchronization and adds an IP address to the NTP Server.

3. Enables the Cisco Security Agent.

4. Ensures that the SNMP Agent is enabled and changes the SNMP default Community and port, and then adds SNMP Agent Contact and Location.

5. Checks Accept SNMP packets from selected hosts and adds a host address.

6. Submits changes.

7. The ACS SE 1112 is replicated to the ACS SE 1113.

CSCse04125

SNMP ports on the ACS SE 1113 can be assigned incorrect values.

Symptom    On the ACS SE 1113, no error message appears if you delete the default SNMP port value, add characters instead of numbers to the SNMP port value, add a port number greater than 65536, or add an SNMP port that the device is already using. In the previous release (ACS 3.3.3), the error message The port number is in use or invalid appears.

Workaround   Enter a correct SNMP port number that the device is not already using.

CSCse08310

System performance is degraded when no dynamic users exist.

Symptom    If the ACS internal database is empty (contains no users) and the system is configured to use Remote Agent for AD authentication, it takes a long time for the system to stabilize. This system instability is more prevalent when more complicated authentication protocols are used, for example, MS-PEAP, EAP-TLS, or PAP.

CSCsd98589

When the Network Interface Card (NIC) is disconnected, authentication cannot be performed.

Symptom    Authentication fails if the NIC is disconnected from a previously configured and functioning appliance, the system is rebooted and restarted, and the NIC is reconnected.

Error messages similar to the following appear:

04/17/2006 22:01:52 Unknown NAS .. .10.56.60.115 
quanta-new-5 .. No .. .. (Unknown) 

Workaround   Restart CSAuth. Then choose System Configuration > Service Control and click the Restart button to restart CSLog, RADIUS, and TACACS+.

CSCsd94022

Setting the system clock forward disrupts a scheduled backup process.

Symptom    If the system clock is set forward, for example, from 16:00 to 16:58, and a scheduled backup is configured to run during a later time period, for example, from 17:00 to 18:00, the scheduled backup might take a long time to complete or might not occur. This condition can occur when the system time is changed because of the switch to Daylight Savings Time.

CSCsd92719

The NTP configuration is not restored after a system backup.

Symptom    When the ACS SE 1113 appliance is backed up, the NTP configuration is not retained.

CSCsd91218

Under certain conditions, when IP filtering is set during initial configuration, the specified IP filtering does not work.

Symptom    If, during an initial configuration, IP filtering is set and the specified IP addresses are incorrect or are used by another ACS SE 1113 device, and the ACS SE 1113 is rebooted, the specified devices do not work, even if they are set manually by using the set ip command.

CSCsd88833

Manual setup of IP configuration on the ACS SE 1113 appears to fail.

Symptom    On a newly installed ACS SE 1113 device, if you manually configure the IP configuration by using the set ip command, the output from the command does not show the specified configuration. However, entering a show ip command displays the correct configuration. For example, if a valid IP address is entered by using the set ip command, a message similar to the following appears:

Use Static IP Address [Yes]:
IP Address [0.0.0.0]: 10.56.60.114

However, entering a show ip command displays the correct IP address.

CSCsd20149

After initial configuration from the Recovery CD, there is no GUI access.

Symptom    This problem occurs on ACS SE 1111 (HP) when performing a full upgrade, including the appliance base image. After installing from the ACS SE 1111 (HP) Recovery CD, when initial configuration ends, you cannot access the web interface.

When you log in to the CLI, the appliance status indicates that pfipmon is not running.

Conditions   On ACS SE 1111 (HP), after installing from the Recovery CD, when performing a full upgrade, including the appliance base image.

Note If you are not upgrading the appliance base image, you do not need to install from the Recovery CD.

Workaround   Use the CLI command, reboot, to restart the appliance.

CSCsc63854

ODBC mapping still exists after restoring an image created on the software version of ACS.

Symptom    After restoring the appliance image from the software version of ACS 4.0.1, the ODBC configuration still remains in Unknown User Policy and in NAP/Authentication.

Workaround: None.

CSCsc52381

ACS SE console access might not work if NTP synchronization is enabled.

Symptom    The login prompt might not appear on the CLI console after rebooting through the CLI or through the GUI, even if NTP synchronization is enabled and the NTP server address is set correctly.

Workaround: Disable NTP synchronization.

CSCsc03778

ACS SE replicated changes under Administration Control not enforced unless the user reboots.

Symptom    If you make a change in the Access Policy under Administration Control and then replicate the change to another appliance, the changes are not enforced on the receiving appliance.

Workaround: On the receiving (secondary) appliance:

Click Submit on the Access Policy page.

Reboot the secondary appliance.

CSCsb27597

Limitation on the custom attributes (of 31,000 as CSAdmin indicates).

Symptom    In the T+ Settings per User Group Configuration page, which is accessed from the Interface Configuration page, if you add the 1201st entry in the custom attribute field, the browser crashes.

The custom attribute field is currently limited to 31KB (approximately 1,200 attributes).

Workaround: None.

CSCsb19051

TCP checksum error from Cisco Secure ACS Solution Engine 1111.

Symptom    A Cisco Secure Access Control Server Solution Engine (ACS SE) 1111 (CSACSE-1111-UP-K9) might generate transient TCP Checksum errors, which might cause error logging on other devices in the network. In particular, Cisco switches would generate the following error message:
%IP-3-TCP_BADCKSUM:TCP bad checksum.

The cause of the error is the NIC Software Driver. Not every packet being transmitted will be affected. Given that TCP will retransmit any unacknowledged packet, the system will recover. Excessive logging of the error message within the network might occur. The problem only affects TCP packets; therefore, TACACS+ might be affected, while RADIUS will not.

This problem might also occur on an ACS SE 1112 (Quanta).

Workaround: A temporary workaround is to reload the server; but, because the problem is transient, it will likely return within days or weeks.

A patch is available from TAC, which will help to reduce the number of errors; however, since this is a network-configuration problem, it cannot resolve the problem completely. Contact your TAC representative for the appropriate TCP_checksum patch for your platform.

CSCeh04327

SNMP get and get-next requests for host.hrSystemNumUsers return error.

Symptom    SNMP get and get-next requests for host.hrSystemNumUsers return Generic error.

Workaround: None.

CSCee89510

Dates are logged in local time instead of GMT.

Symptom    NAC attributes that are in date format are in the GMT time zone. When ACS logs these attributes, it converts them to the local time zone of the ACS server.

Workaround: Configure ACS to use the GMT time zone.

CSCsc90467

After Install from Recovery CD, no CLI access.

Symptom    This problem occurs on ACS SE 1111 (HP), when performing a full upgrade, including appliance base image. When installing from the ACS SE 1111 (HP) Recovery CD, after installation ends, the ACS SE reboots, performs some configurations, and reboots again. The configurations that occur after the first reboot take a significant amount of time, during which no feedback appears onscreen, which is normal system behavior. After this time, the CLI Initial Configuration screen should appear, but does not.

Conditions   On ACS SE 1111 (HP), when installing from the Recovery CD, when performing a full upgrade, including the appliance base image.

Note If you are not upgrading the appliance base image, you do not need to install from the Recovery CD.

Workaround   Switch off the appliance, and switch it on again.

CSCsd93779

When backup is set to run after a specified period, the backup does not run.

Symptom    When a database is loaded from the SE 1111 release and system backup is configured to run after a specified period, for example, every 15 minutes, the backup process does not run.

Workaround   None.


Resolved Caveats in the ACS Solution Engine 4.1

Table 5 contains the resolved caveats for ACS Solution Engine 4.1. Check the Bug Navigator on Cisco.com for any resolved bugs that might not appear here.

Table 5 Resolved Caveats in ACS Solution Engine 4.1 

Bug ID
Summary
Explanation

CSCse05463

The online documentation for the ACS SE 1113 states that the description field for a downloadable IP ACL can contain up to 30,000 characters.

The online documentation states that the description field for a downloadable IP ACL can only contain 1,006 characters.

CSCse05420

Adding an illegal backslash (\) to the downloadable Access Control List (DACL) causes an Error on page message to appear.

The online documentation states that the downloadable IP ACL name cannot contain a backslash (\); however, the system allows you to enter a backslash (\) in the DACL name. No specific error message appears; however, an Error on page message appears at the lower-left corner of the web page. This condition also occurs in the ACS for Windows 4.0 (4.0.1.27) release.
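CSCse04125 (in Table 4), CSCse05463 and CSCse05420 all describe fields that the ACS SE web interface accepted without a meaningful server-side check: SNMP port values, the 1,006-character DACL description limit, and a backslash in a DACL name. The Python functions below are an added example, not ACS code, of the validation an administrator would expect those pages to perform. The 1 to 65535 port range is the standard one and is an assumption here, since the notes only say that values greater than 65536 were accepted; the error string is the one the notes quote from ACS 3.3.3.

```python
import re

SNMP_PORT_ERROR = "The port number is in use or invalid"   # message shown by ACS 3.3.3
DACL_DESCRIPTION_MAX = 1006                                 # limit stated in CSCse05463


def validate_snmp_port(value, ports_in_use):
    """Return None if value is an acceptable SNMP port, otherwise the error message.

    Rejects an empty field, non-numeric text, a number outside 1-65535 (the standard
    port range; an assumption, since the notes only mention values above 65536) and
    any port the device already uses.
    """
    text = value.strip()
    if not re.fullmatch(r"\d+", text):
        return SNMP_PORT_ERROR
    port = int(text)
    if not 1 <= port <= 65535 or port in ports_in_use:
        return SNMP_PORT_ERROR
    return None


def validate_dacl(name, description):
    """Return the list of problems with a downloadable IP ACL name and description."""
    problems = []
    if not name.strip():
        problems.append("name is empty")
    if "\\" in name:
        problems.append("name contains a backslash (\\)")
    if len(description) > DACL_DESCRIPTION_MAX:
        problems.append(f"description exceeds {DACL_DESCRIPTION_MAX} characters")
    return problems


if __name__ == "__main__":
    in_use = {22, 80, 443, 161}   # constructed: ports the appliance already listens on
    for candidate in ("", "abc", "70000", "161", "1161"):
        print(f"SNMP port {candidate!r}: {validate_snmp_port(candidate, in_use) or 'OK'}")
    print(validate_dacl("branch\\office", "x" * 1200))
```

The point of checking on the server rather than relying on a browser-side Error on page indication is that a bad value is rejected with a specific message before it is written to the appliance configuration.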

CSCsd93818

When the ACS SE 1113 appliance is restarted, the CSAdmin service does not restart.

The CSAdmin service restarts when the ACS SE 1113 appliance is restarted.

CSCsd92659

The description of the Shutdown button in the short help for the Solution Engine is incorrect.

The description of the Shutdown button in the short help has been corrected and updated for version 4.1.

The following message appears in the Short help:

To shut down the ACS Solution Engine, click Shutdown. After you click Shutdown, the following message appears: It is now safe to turn off the computer. Turn the machine's power switch off.

CSCeh17104

ACS Appliance: Using certain host names or administrator names causes loss of access.

ACS does not allow you to use the same name for hostname and administrator name.

CSCsb83399

ACS SE should save the FTP settings during software upgrade.

ACS SE saves the FTP settings during a software upgrade.

CSCsc80481

Proxy distribution table prevents SNMP from working.

This problem has been fixed in the most recent version of ACS.


ACS for Windows 4.1

The following sections contain information specific to ACS for Windows 4.1.

System Requirements

System requirements are documented in the Installation Guide for Cisco Secure ACS 4.1 Windows. The following updates have been made to the ACS system requirements. ACS 4.1 supports:

Pentium dual-core processors. Intel processors are supported; Advanced Micro Devices (AMD) processors are not.

VMware. ACS 4.1 was tested on the following VMWare platform:

VMWare ESX server 3.0.0

Processor—AMD Opteron Dual core

# of Virtual machines—4

Guest operating system—Windows 2003 Standard Edition

RAM for each guest operating system—3 GB


Note The Microsoft JVM is no longer supported. ACS 4.1 supports the Sun Java Run-time Environment (JRE) 1.4.2_04. This is an ACS for Windows web client requirement.



Note ACS is supported on Windows Server 2003 R2.


Software Compatibility

See the Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Release 4.1 on Cisco.com.


Note The SafeWord Premier Access token servers version 3.1 and 3.2 are supported and have been tested. For additional information see the Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Release 4.1 on Cisco.com.


Upgrading to a New Software Release

For detailed instructions see Installation Guide for Cisco Secure ACS 4.1 Windows on Cisco.com. For upgrade paths, see Upgrade Paths.

Installation Notes

The following installation notes are important:

ACS will not install properly if a Sybase server is installed on the same machine.

Remote installations performed by using Windows Terminal Services have not been tested and are not supported. We recommend that you disable Terminal Services while performing any installation or upgrade. Virtual Network Computing (VNC) has been tested successfully.

Tested Windows Security Patches for ACS Remote Agent and ACS for Windows.

See the Installation Guide for Cisco Secure ACS 4.1 Windows for installation, upgrade, and uninstall instructions, as well as post-installation tasks. For post-installation tasks, see Post-Upgrade Configuration.

Upgrade Paths

This section describes the following ACS 4.1 upgrade and migration topics:

Supported Upgrades for ACS for Windows

Supported Migration Path for ACS for Windows

Unsupported Migration Path to ACS 4.1

Supported Upgrades for ACS for Windows

We tested upgrades to ACS for Windows Server 4.1 from releases 4.0.1, 3.3.4 and 3.3.3 directly, 3.3.2**, 3.3.1**, 3.2.3**, 3.2.2*, 3.2.1*, 3.1.2*, and 3.0.4*.

* You should first upgrade to Cisco Secure ACS for Windows Server, release 3.3.3 or 3.3.4.
** You should first upgrade to Cisco Secure ACS for Windows Server, release 3.3.3, 3.3.4, or 4.0.1.

After you upgrade to ACS release 3.3.3, 3.3.4, or 4.0.1, you can then upgrade to release 4.1.


Note If you are upgrading to ACS 3.3.3 and do not have access to that software, review the README text for details on the upgrade procedure.


Supported Migration Path for ACS for Windows

ACS has tested and supports the migration path from:

ACS 3.2.3 to ACS 3.3.3 to ACS 4.1.

ACS 3.3.3 to ACS 4.1.


Note ACS has also tested and supports the migration path from ACS 3.3.3 to ACS 4.0 to ACS 4.1.


Unsupported Migration Path to ACS 4.1

ACS does not support migration paths prior to ACS 3.2.3. This includes versions:

ACS 3.2.1

ACS 3.2.2


Note ACS does not support direct migration paths from ACS 3.3.1 and 3.3.2.


Post-Upgrade Configuration

The following section contains information about post-upgrade configuration:

After upgrading to ACS 4.1, you might need to perform additional configuration steps to successfully use ACS and Network Access Profiles (NAP). If you used NAC in ACS 3.3, ACS will not operate in an identical manner in ACS 4.1. For example, you must create a new set of authorization rules for Network Access Profiles that are created during the upgrade process.

If you used ACS 3.x ODBC logging and upgraded to ACS 4.1, preserving your data, you must update the ODBC tables so that the SQL tables continue to work.

For details on how to complete post-installation tasks, see the Installation Guide for Cisco Secure ACS 4.1 Windows.

Upgrading From Version 3.3

When you upgrade from ACS 3.3 to ACS 4.1:

1. Local and external posture policies are automatically transformed.

2. A single Network Access Profile (configured for NAC only) is created as part of the upgrade.

3. Each instance of the selected ACS 4.0 Network Posture Validation Database will automatically be transformed into a posture validation rule. All the rules will be associated with the NAP that was created (in step 2). All PA message and URL redirects are mapped correspondingly.

4. A RADIUS Authorization Component will be created for each mapped group. ACS populates the RAC with all attributes that were configured in the user or group setup menus, except for the posture-token Cisco-av-pair. Since ACS dynamically generates the posture-token Cisco-av-pair attribute at runtime, manual configuration is unnecessary.

5. If you manually added posture validation attributes in ACS 4.0, they are added to the ACS version 4.1 posture dictionary during the upgrade.

Limitations and Restrictions

The following limitations and restrictions apply to ACS 4.1.

User/Machine Out-of-Band PAC Provisioning for EAP-FAST version 1a has not been tested. The Out-of-band provisioning feature was not tested since the MDC (Meetinghouse) supplicant does not support it. (CSCsb46242)

The TACACS+ and LEAP protocols for Network Access Profiles are not supported in ACS version 4.1.

The network device limit is 35,000 devices.

CSAuth experiences exceptions or failures in two cases:

After stress testing EAP-TLS authentications.

When one of the external databases is a Generic LDAP using the legacy (cert7.db) secure sockets layer (SSL) connection mode.

This problem does not occur if you use the new SSL option (Trusted Root CA), instead of the legacy option (cert7.db) on the Generic LDAP Configuration Options page in ACS. We strongly recommend that you do not use the legacy option; use only the new SSL option.

Interoperability Testing

ACS has not been tested for interoperability with other Cisco software. Other than for the software and operating system versions listed in this document, Cisco performed no interoperability testing. Using untested software with ACS may cause problems. For the best performance of ACS, Cisco recommends that you use the versions of software and operating systems in the Supported and Interoperable Devices and Software Tables for Cisco Secure ACS for Windows on Cisco.com.

ACS Solution Engine 4.1

The following sections contain information specific to the ACS Solution Engine 4.1.

New and Changed Information for the ACS Solution Engine 4.1

This section contains:

New Hotfixes in ACS SE 4.1

ACS Remote Agent for Windows

Installation Notes for the Solution Engine 4.1

New Hotfixes in ACS SE 4.1

The ACS SE base image contains the following Microsoft hotfixes:

KB822831—BUG: Driver installation program does not install device drivers.

KB823980—MS03-026: Buffer Overrun in RPC May Allow Code Execution.

KB824105—MS03-034: Flaw in NetBIOS could lead to information disclosure.

KB824146—MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs.

KB828028—MS04-007: An ASN.1 vulnerability could allow code execution.

KB828741—MS04-012: Cumulative Update for Microsoft RPC/DCOM.

KB835732—MS04-011: Security Update for Microsoft Windows.

KB893066—MS05-019: Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service.

For more information about these hotfixes, see the Microsoft website.

ACS Remote Agent for Windows

Japanese Windows 2000 and Japanese Windows 2003 are supported on ACS Remote Agent for Windows.

Installation Notes for the Solution Engine 4.1

This section provides information about installing and upgrading ACS SE and ACS Remote Agents:

Installing from ACS SE 1111 (HP) Recovery CD

Software Compatibility

Supported Upgrades for ACS SE

Supported Migrations for ACS SE

Tested Windows Security Patches for ACS Remote Agent and ACS for Windows


Note You should only view ACS SE through a console by using a serial port. We do not recommend using a monitor via VGA port. If you use a monitor via VGA port, you will see Windows error messages when starting ACS SE. You can ignore these messages; rebooting is unnecessary.


Installing from ACS SE 1111 (HP) Recovery CD

When installing from the Recovery CD for ACS SE 1111 (HP), after installation ends:

The ACS SE reboots, performs some configurations, and reboots again. The configurations that occur after the first reboot take a significant amount of time, during which no feedback appears, which is normal system behavior. If, after about an hour, the CLI Initial Configuration screen does not appear, switch off the appliance, and switch it on again. Refer to CSCsc90467.

If you cannot access the web interface, use the CLI command, reboot, to restart the appliance. Refer to CSCsd20149.


Note The two previous problems occur only on ACS SE 1111 (HP), after installing from the Recovery CD, when performing a full upgrade, including the appliance base image. If you are not upgrading the appliance base image, you do not need to install from the Recovery CD.


Software Compatibility

See the Supported and Interoperable Devices and Software Tables for Cisco Secure ACS 4.1 on Cisco.com.

Supported Upgrades for ACS SE

We tested upgrades for the ACS Solution Engine from release 3.3.3 to releases 4.0.1 and 4.1, and from release 3.3.4 to release 4.1. To upgrade the Solution Engine from an earlier release (3.2.1, 3.2.2, 3.2.3, 3.3.1, or 3.3.2), you must first upgrade to an intermediate release: either upgrade to release 3.3.3 and then to release 4.0.1 or 4.1, or upgrade to release 3.3.4 and then to release 4.1. For more information, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine.

Supported Migrations for ACS SE

We support direct migration from ACS for Windows releases 3.3.3, 3.3.4, and 4.0.1 to release 4.1 of the ACS Solution Engine. To migrate from an earlier release of ACS for Windows (3.3.2, 3.3.1, 3.2.3, 3.2.2, 3.2.1, 3.1.2, or 3.0.4), you must first upgrade to an intermediate release: either upgrade to release 3.3.3 and then to release 4.0.1 or 4.1, or upgrade to release 3.3.4 and then to release 4.1. For more information, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine.

Solaris Support for the Remote Agent

The Cisco Secure ACS Remote Agent for Solaris runs on Solaris 2.8.


Note The Solaris Remote Agent requires the libstdc++.so library (C++ runtime). Without this library, the Remote Agent is not operational. The default path is set in the environment variable LD_LIBRARY_PATH and the directory /router/lib.


Post-Upgrade Configuration

After upgrading to ACS 4.1, you might need to perform additional configuration steps before you can successfully use ACS and Network Access Profiles (NAP). If you used NAC in ACS 3.3, ACS will not operate in an identical manner in ACS 4.0. For example, you must create a new set of authorization rules for the Network Access Profiles that are created during the upgrade process.

Tested Windows Security Patches for ACS Remote Agent and ACS for Windows

Cisco Systems officially supports and encourages the installation of all Microsoft security patches for Windows 2000 Server and Windows Server 2003 as used for ACS Remote Agent for Windows and ACS for Windows.

Cisco's experience has shown that these patches do not cause any problems with the operation of ACS Remote Agent for Windows and ACS for Windows. If the installation of one of these security patches does cause a problem with ACS, contact Cisco TAC and Cisco will resolve the problem as quickly as possible.

We tested the ACS Remote Agent for Windows and ACS for Windows with the Windows Server 2003 patches documented in the following Microsoft Knowledge Base Articles:

819696

823182

823559

824105

824141

824146

825119

828028

828035

828741

832894

835732

837001

837009

839643

840374

We tested ACS with the Windows 2000 Server patches documented in the following Microsoft Knowledge Base Articles:

329115

823182

823559

823980

824105

824141

824146

825119

826232

828035

828741

828749

835732

837001

839643

Documentation Updates

This section provides documentation updates.

Changes

Regulatory Compliance and Safety Information

In the printed and online version of the Regulatory Compliance and Safety Information for Cisco Secure ACS Solution Engine 4.1, Statement 191—VCCI Class A Warning for Japan has been updated.

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. This section explains the product documentation resources that Cisco offers.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/techsupport

You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Product Documentation DVD

The Product Documentation DVD is created monthly and is released in the middle of the month. DVDs are available singly or by subscription. Registered Cisco.com users can order a Product Documentation DVD (product number DOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco Marketplace at the Product Documentation Store at this URL:

http://www.cisco.com/go/marketplace/docstore

Ordering Documentation

You must be a registered Cisco.com user to access Cisco Marketplace. Registered users may order Cisco documentation at the Product Documentation Store at this URL:

http://www.cisco.com/go/marketplace/docstore

If you do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do

Documentation Feedback

You can provide feedback about Cisco technical documentation on the Cisco Technical Support & Documentation site area by entering your comments in the feedback form available in every online document.

Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

From this site, you will find information about how to do the following:

Report security vulnerabilities in Cisco products

Obtain assistance with security incidents that involve Cisco products

Register to receive security information from Cisco

A current list of security advisories, security notices, and security responses for Cisco products is available at this URL:

http://www.cisco.com/go/psirt

To see security advisories, security notices, and security responses as they are updated in real time, you can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL:

http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

Reporting Security Problems in Cisco Products

Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you have identified a vulnerability in a Cisco product, contact PSIRT:

For emergencies only — security-alert@cisco.com

An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.

For nonemergencies — psirt@cisco.com

In an emergency, you can also reach PSIRT by telephone:

1 877 228-7302

1 408 525-6532


Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x.

Never use a revoked encryption key or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

The link on this page has the current PGP key ID in use.

If you do not have or use PGP, contact PSIRT to find other means of encrypting the data before sending any sensitive material.


Product Alerts and Field Notices

Modifications to or updates about Cisco products are announced in Cisco Product Alerts and Cisco Field Notices. You can receive Cisco Product Alerts and Cisco Field Notices by using the Product Alert Tool on Cisco.com. This tool enables you to create a profile and choose those products for which you want to receive information.

To access the Product Alert Tool, you must be a registered Cisco.com user. (To register as a Cisco.com user, go to this URL: http://tools.cisco.com/RPF/register/register.do.) Registered users can access the tool at this URL: https://www.cisco.com/web/siteassets/account/index.html

Obtaining Technical Assistance

Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.

Cisco Technical Support & Documentation Website

The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day at this URL:

http://www.cisco.com/techsupport

Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do


Note Use the Cisco Product Identification Tool to locate your product serial number before submitting a request for service online or by phone. You can access this tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link, clicking the All Tools (A-Z) tab, and then choosing Cisco Product Identification Tool from the alphabetical list. This tool offers three search options: by product ID or model name; by tree view; or, for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.



Tip Displaying and Searching on Cisco.com

If you suspect that the browser is not refreshing a web page, force the browser to update the web page by holding down the Ctrl key while pressing F5.

To find technical information, narrow your search to technical documentation rather than the entire Cisco.com website. On the Cisco.com home page, click the Advanced Search link under the Search box and then click the Technical Support & Documentation radio button.

To provide feedback about the Cisco.com website or a particular technical document, click Contacts & Feedback at the top of any Cisco.com web page.


Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411
Australia: 1 800 805 227
EMEA: +32 2 704 55 55
USA: 1 800 553 2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.

Severity 1 (S1)—An existing network is "down" or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operations are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of the network is impaired while most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco channel product offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL:

http://www.cisco.com/go/guide

Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:

http://www.cisco.com/go/marketplace/

Cisco Press publishes a wide range of general networking, training, and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:

http://www.ciscopress.com

Packet magazine is the magazine for Cisco networking professionals. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can subscribe to Packet magazine at this URL:

http://www.cisco.com/packet

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/ipj

Networking products offered by Cisco Systems, as well as customer support services, can be obtained at this URL:

http://www.cisco.com/en/US/products/index.html

Networking Professionals Connection is an interactive website where networking professionals share questions, suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this URL:

http://www.cisco.com/discuss/networking