Release Notes for Cisco Secure Access Control Server for Windows 2000/NT Servers Version 3.0.2
Table of Contents
Changes to CRYPTOCard Support
Limitations and Restrictions
Tested Certificate Servers
Tested Web Browser Versions
Tested Token Server Versions
Tested LDAP Server
Tested Novell NDS and Novell Clients
Tested Windows 2000 Service Packs
Tested Platforms for CiscoSecure Authentication Agent
Cisco VPN 3000 Concentrator
Cisco VPN 5000 Concentrator
Cisco Aironet Access Point
Cisco Catalyst Switches
Open Caveats—Version 3.0.2
Obtaining Technical Assistance
Cisco Secure ACS provides authentication, authorization, and accounting (AAA, pronounced "triple A") services to network devices that function as AAA clients, such as a network access server, PIX Firewall, or router. A AAA client is any such device that forwards user authentication, authorization, and accounting requests to Cisco Secure ACS using one of the AAA protocols that Cisco Secure ACS supports (TACACS+ or RADIUS).
Cisco Secure ACS helps centralize access control and accounting, in addition to router and switch access management. With Cisco Secure ACS, network administrators can quickly administer accounts and globally change levels of service offerings for entire groups of users. Although the use of an external user database is optional, support for many popular user databases enables companies to put to use the working knowledge gained from and the investment already made in building their corporate user databases.
Cisco Secure ACS supports Cisco AAA clients such as the Cisco 2509, 2511, 3620, 3640, AS5200, AS5300, and AS5800; the Cisco PIX Firewall; Cisco Aironet Access Point wireless networking devices; Cisco VPN 3000-series Concentrators; and Cisco VPN 5000-series Concentrators. It also supports third-party devices that can be configured to use the Terminal Access Controller Access Control System Plus (TACACS+) or Remote Authentication Dial-In User Service (RADIUS) protocol. Cisco Secure ACS treats all such devices as AAA clients and uses TACACS+ and RADIUS to provide AAA services to them. Both protocols authenticate the AAA client to Cisco Secure ACS with a shared secret, so treat that secret as a credential: keep it unique per AAA client where practical and protect it like a password. For more information about support for TACACS+ and RADIUS in Cisco Secure ACS, see the Cisco Secure ACS for Windows 2000/NT Servers User Guide.
- 802.1x Support—Cisco Secure ACS support for 802.1x strengthens access control for switched LAN and wireless LAN users. 802.1x is the IEEE standard for port-based network access control: a switch port or access point forwards only authentication traffic until the attached user has been authenticated. 802.1x carries Extensible Authentication Protocol (EAP) messages between the client and the switch or access point; the AAA client relays them to Cisco Secure ACS inside RADIUS messages, which is how Cisco Secure ACS authenticates and authorizes the user.
- EAP-MD5, EAP-TLS—In addition to LEAP, Cisco Secure ACS supports EAP-MD5 and EAP-TLS authentication. EAP is an IETF standard (RFC 2284) for carrying various authentication methods, originally over PPP connections. EAP-MD5 is a username/password method in which the user proves knowledge of the password by returning an MD5 hash of a server-issued challenge; it authenticates only the user, not the server, and derives no session keys, so it suits wired ports better than wireless LANs. EAP-TLS authenticates both Cisco Secure ACS and the user with X.509 digital certificates and also provides dynamic session key negotiation.
- Command Authorization Sets—Command authorization sets provide a centralized mechanism for managing TACACS+ administrative control. Requested by some of the largest enterprise and service provider networks that use Cisco Secure ACS, they let you group and name device command profiles and pair them with users, groups of users, or network device groups. A key benefit is that individual privilege levels or command restrictions no longer need to be configured on each AAA client, which greatly improves the scalability and manageability of device command authorization for network administrators.
- MS CHAP version 2 Support and MS CHAP Password Aging Support—Cisco Secure ACS supports MS CHAP version 2. In addition, we added an MS CHAP-based password-aging feature that works with the Microsoft Dial-Up Networking client, the Cisco VPN client (version 3.0 or later), and any desktop client that supports MS CHAP. This feature prompts a user to change his or her password after a login with an expired password. The MS CHAP-based password-aging feature supports users who authenticate with a Windows user database and is offered in addition to the password aging supported by the CiscoSecure user database.
|Note Cisco VPN 3000-series Concentrators and Cisco IOS will support MS CHAP password aging in upcoming releases.|
- Per-User Access Control Lists (ACLs)—This feature allows administrators to define ACLs of any length for users or groups of users.
- Shared Network Access Restrictions (NARs)—The ability to name NARs simplifies the assignment of identical NARs to multiple users or groups of users.
- Wildcards in NARs—Cisco Secure ACS supports wildcards for designating end-user client IP addresses and ports in IP-based NARs. In CLI/DNIS-based NARs, Cisco Secure ACS supports wildcards for CLI and DNIS values. You can apply NARs to a single AAA client, a network device group, or all AAA clients. Wildcarding of AAA clients is supported by using the multiple devices per AAA client feature, described next.
- Multiple Devices per AAA Client Configuration—You can create single AAA client configurations that define a set of network devices that use the same shared key, authentication method, and logging/accounting parameters. Cisco Secure ACS enables you to provide multiple IP addresses, including the use of wildcards in IP addresses, when you configure a AAA client in the HTML interface.
- Multiple LDAP Lookups and LDAP Failover—Cisco Secure ACS enables you to create multiple LDAP external user database configurations. You can also define backup LDAP servers for use if a primary LDAP server is not available.
- User-Defined RADIUS Vendor-Specific Attributes (VSAs)—Cisco Secure ACS now supports user-defined inbound and outbound RADIUS VSAs.
- Improved User Documentation—We reorganized and heavily revised the online documentation and Cisco Secure ACS for Windows 2000/NT Servers Version 3.0 User Guide. We rewrote and expanded Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers. We heavily revised Web Server Installation for Cisco Secure ACS 3.0 for Windows 2000/NT User-Changeable Passwords.
Before Cisco Secure ACS 3.0.1, support for CRYPTOCard token servers used the vendor-proprietary interface provided with the CRYPTOCard token server. Beginning with Cisco Secure ACS 3.0.1, we support CRYPTOCard token servers using a standard RADIUS interface.
If you upgrade to this release and had configured CRYPTOCard authentication in a previous installation of Cisco Secure ACS, the installation program prompts you for information about the CRYPTOCard RADIUS server. With this information, the installation program replaces the older CRYPTOCard configuration with a new one that uses the RADIUS interface of the CRYPTOCard easyRADIUS server. To use the RADIUS interface of the CRYPTOCard server, be sure the CRYPTOCard easyRADIUS server is installed on a CRYPTOCard Windows server. For more information about CRYPTOCard easyRADIUS, see the CRYPTOCard documentation.
We successfully tested running Cisco Secure ACS and the CRYPTOCard easyRADIUS server on the same Windows server. Testing occurred on Windows NT 4.0 with Service Pack 6 and Windows 2000 with Service Pack 2. We used CRYPTOCard easyRADIUS server versions 5.0 and 5.1. However, we do not recommend that you run the CRYPTOCard easyRADIUS server on the same Windows server that runs Cisco Secure ACS. If you choose to do so, be sure that Cisco Secure ACS and CRYPTOCard easyRADIUS use different ports to receive RADIUS requests.
You can change the UDP ports used by the CRYPTOCard RADIUS server by editing its services file, usually located in c:\WINNT\system32\drivers\etc. For more information about the UDP ports used by the CRYPTOCard RADIUS server and how to change them, see your CRYPTOCard documentation.
The evaluation version of Cisco Secure ACS 3.0 provides full functionality for 90 days after the date of installation. This allows you to use all features of Cisco Secure ACS 3.0 while determining if it suits your needs. The evaluation version of Cisco Secure ACS 3.0 will be available 30 days after the release of the commercial version of Cisco Secure ACS 3.0.
When the evaluation period has elapsed, the CSRadius and CSTacacs services fail to start. You will receive a message upon accessing the administrative interface notifying you that your evaluation period has elapsed.
Please contact your Cisco Sales Representative(s) to inquire about purchasing the commercial version of Cisco Secure ACS. To purchase the commercial version of Cisco Secure ACS 3.0 online, use Part Number CSACS-3.0 at the following URL:
After purchasing a commercial version of Cisco Secure ACS 3.0, you can upgrade your Cisco Secure ACS server from the evaluation version to the commercial version by installing the commercial version over the evaluation version. For information on installing Cisco Secure ACS 3.0, follow the instructions in Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers.
Interoperability testing was performed only with the software and operating system versions listed in this document; Cisco Secure ACS has not been interoperability tested with other Cisco software. Using untested software with Cisco Secure ACS may cause undesired results. For the best results, use the versions of software and operating systems listed in this document.
- PassGo (formerly AXENT) Defender version 4.1.3
- Secure Computing SafeWord version 5.2
- RSA ACE/Server version 5.0 and ACE/Client version 1.1.2 for Windows 2000
- ActivCard Server 3.1
- Vasco Vacman Server 6.0.2
|Note Cisco Secure ACS 3.0.2 supports CRYPTOCard, ActivCard, and Vasco token servers using RADIUS.|
For information about CRYPTOCard support, see the "Changes to CRYPTOCard Support" section.
We used NetWare 6.0 to test Novell NDS external user databases. We tested Cisco Secure ACS 3.0.2 with the Novell Requestor software found in Novell Client version 4.8.3 for Windows NT/2000. To authenticate users with a Novell NDS external user database, the Novell Requestor software must be installed on the Windows server that runs Cisco Secure ACS.
|Note Caveats are printed word-for-word as they appear in our caveat tracking system.|
- CSCdv63442: ODBC logging, Fractional truncation errors, not dropping connections
- CSCdv72785: Filter line is empty
- CSCdv75166: Radius accounting requests not validated fully as per RFC
- CSCdv89334: MSCHAP settings in NT/2000 Database configuration - not upgraded
- CSCdw04627: NULL response to AXENT challenge crashes CSAuth
- CSCdw07015: Class attribute missing from Radius Accounting section
- CSCdw11365: NULL password to Safeword crashes CSAuth
- CSCdw15116: ACS alters state attribute while passing it to easyRADIUS
- CSCdw15251: Certificate Setup Page - parsing certificate subject unadequate
- CSCdw22345: Replication fails on an upgraded ACS
- CSCdw27571: Global Authentication Configuration should be added as per adm privelege
- CSCdw29201: Distribution table and test accounts
- CSCdw31459: ODBC Authentication with CHAP/MSCHAP1/2 fails because of padding
- CSCdw34301: LDAP Group mapping reappears
- CSCdw40579: ACS 3.0 crash with Dr Watson Accounting request has no status type
- CSCdw42071: DB updates via RDBMS Sync do not cause replication
- CSCdw46931: ACS authenticates NDS expired/disabled users
- CSCdw50341: T+ enable partially broken for external db users
- CSCdw51174: Replication log message shows error on successful completion
- CSCdw52982: NAR doesnt match with wildcards in NAS definition
- CSCdw55453: NDS does not auth FQ usernames if they begin with . [dot]
- CSCdw55565: tacacs+ accounting is logged in tacacs+ administration logs
- CSCdw56666: EAP-TLS Certificate subject cn different than username
- CSCdw56671: EAP-TLS username in dotted format
- CSCdw63060: CSRadius fails to restart properly on Submit & Restart
- CSCdw66057: CryptoCard authentication fails - token-cacheing not functioning
- CSCdw78255: T+ crashes under load
- CSCdw79587: Bad TACACS+ Authorization packets cause CSLOG to spin
- CSCdw93069: Radius Proxy of accountint packets kill CSRadius
- CSCdx08524: Config tweaks to improve LEAP/EAP scalability
- CSCdx12381: Group names in ACS are disappearing intermittently
- CSCdx15267: Password change dynamically by the user doesnt cause DB replication
- CSCdx16853: Unable to clear account disable status with RDBMS synchronization
- CSCdx17622: sending crafted URL can cause CSADMIN to crash or exec user code
- CSCdx17689: unauthorized disclosure of data can be achieved using crafted URL
- CSCdx34079: voip accounting adds multiple user-name fields to reports
- CSCdx62520: When passwords are limited to alphanumeric , all CSMon tests fail
- CSCdx63893: LEAP problems due to AP out-of-sync packets
- CSCdx68751: External db lock prevents write to local log files
- CSCdx68848: CSUTIL add-nas do not flag replication of database
- CSCdx84564: Improve failed attempts message for invalid EAP request
- CSCdx85584: Large number of requests from unknown devices can slow server
- CSCdx85594: No Devices in Network Configuration after Replication
- CSCdx86614: CSMon should still monitor CSAuth during replication out
- CSCdx88709: Cross-Site Scripting to CSAdmin
- CSCdx88749: CSAdmin session is terminated while editing logging settings
- CSCdx88776: Shared Profile Components not upgraded
- CSCdx88809: Failed attempt of NDS cached user is logged incorrectly
- CSCdx90749: ODBC logging, Fractional truncation errors, not dropping connections
- CSCdx90751: NULL response to AXENT challenge crashes CSAuth
- CSCdx90752: NULL password to Safeword crashes CSAuth
- CSCdx90947: LDAP Group mapping reappears
- CSCdx93099: Automatic certificate enrollment is NOT functioning
- CSCdx94322: LEAP DLL rejecting users stopped AP failover
- CSCdx94441: Exception in CSRadius after DNIS/CLI check
- CSCdy00184: Change behaviour for times out pause notifications for CSMon
- CSCdy01340: user CLID gets truncated after exporting into 3.0
- CSCdy02612: DCS assignment policy per NDG works incorrectly
- CSCdy03581: T+ Hang when Varsdb breaks
- CSCdy03810: IP-based NAR with denied locations works incorrectly
- CSCdy07198: ACS does not accept a user with subject cn different from the accoun
- CSCdy09527: Replication of all selected components upon Replicate Now cmd
- CSCdy10640: CSMon should test varsdb as workaround for CSCdx12381
- CSCdy13048: No default radio button selected
- CSCdy13056: CSMon Test login process causes to a dirty flag to be set on
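Caveat CSCdv75166 above concerns RADIUS accounting requests that are not fully validated per the RFC. The following is an added example, not code from these release notes or from Cisco Secure ACS, showing the check a RADIUS server should apply to an Accounting-Request before it trusts or logs the record (RFC 2866 section 3): the Request Authenticator must equal MD5 over the code, identifier, length, sixteen zero octets, the attributes and the shared secret, and the attribute list must be well formed. The shared secret, user name, NAS address and session identifier below are constructed sample data.

```python
"""Validate a RADIUS Accounting-Request (RFC 2866 section 3).

Added example; the secret and packet contents below are constructed sample data.
"""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4      # RADIUS Code for Accounting-Request
HEADER_LEN = 20             # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """Build an Accounting-Request whose Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, HEADER_LEN + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def attributes_well_formed(attributes: bytes) -> bool:
    """Reject truncated or zero-length TLVs before anything else looks at them."""
    pos = 0
    while pos < len(attributes):
        if pos + 2 > len(attributes):
            return False
        length = attributes[pos + 1]
        if length < 2 or pos + length > len(attributes):
            return False
        pos += length
    return True


def accounting_request_is_valid(packet: bytes, secret: bytes) -> bool:
    """Return True only for a well-formed Accounting-Request whose Request
    Authenticator proves the sender knows the shared secret."""
    if len(packet) < HEADER_LEN:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        return False
    # RFC 2865 section 3: octets beyond Length are padding to ignore; a Length
    # larger than the datagram means the packet must be silently discarded.
    if length < HEADER_LEN or length > len(packet):
        return False
    packet = packet[:length]
    attributes = packet[HEADER_LEN:]
    if not attributes_well_formed(attributes):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + attributes + secret).digest()
    # Constant-time comparison so a forger cannot time the check byte by byte.
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


# Constructed sample data: a shared secret and a Start record for user jdoe from NAS 10.0.0.1.
SECRET = b"constructed-shared-secret"
SAMPLE_ATTRIBUTES = (
    attr(1, b"jdoe")                        # User-Name
    + attr(4, bytes([10, 0, 0, 1]))         # NAS-IP-Address
    + attr(40, struct.pack("!I", 1))        # Acct-Status-Type = Start
    + attr(44, b"00000001")                 # Acct-Session-Id
)
SAMPLE = build_accounting_request(7, SAMPLE_ATTRIBUTES, SECRET)
# Same packet with the User-Name value rewritten in place; the authenticator no longer matches.
TAMPERED = SAMPLE[:22] + b"root" + SAMPLE[26:]

if __name__ == "__main__":
    print("genuine:", accounting_request_is_valid(SAMPLE, SECRET))         # True
    print("tampered:", accounting_request_is_valid(TAMPERED, SECRET))      # False
    print("wrong secret:", accounting_request_is_valid(SAMPLE, b"other"))  # False
```

The MD5 construction is the protocol's own, not a recommendation; what matters operationally is that a packet failing this check, or carrying a malformed attribute list, never reaches the accounting log or a downstream ODBC table, because an attacker on the network path who can spoof a AAA client's source address can otherwise inject or alter accounting records.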
|Note Caveats are printed word-for-word as they appear in our bug tracking system.|
If Cisco Secure VPN Client version 1.1 is installed on the Windows NT 4.0 server on which you are installing Cisco Secure ACS, Cisco Secure ACS fails to install, with an error message about the following file:
Workaround/Solution: Cisco Secure ACS does not support this style of user name when authenticating against an external Windows 2000 server. Continue to prefix account names with the NT 4.0-style domain name.
- Dial-up clients only need to be able to connect to your network if you intend to support dial-up access. If not, this is not a requirement for installing Cisco Secure ACS.
- Only Cisco IOS devices need to be running Cisco IOS release 11.1 or later. Other devices, such as supported versions of the Cisco Aironet Access Point, do not need to be running Cisco IOS.
- The supported web browsers must also have a Java virtual machine installed to support the Cisco Secure ACS administration interface.
- CSCds90678: Failed to Edit TACACS+ (Cisco IOS) configuration
Failed to Edit TACACS+ (Cisco IOS)
A PPTP tunnel using a Cisco VPN 3000-series concentrator and MS-CHAP version 2 fails. The VPN concentrator indicates that authentication passed; however, tunnel establishment fails. When using the MS-CHAP version 1 method with the same configuration, tunnel establishment succeeds. When using the concentrator's internal user database with MS-CHAP version 2, tunnel establishment succeeds.
Workaround/Solution: Set up at least two users on Cisco Secure ACS: one tunnel user and one or more users who authenticate through the tunnel. The tunnel user name and password must match the tunnel group name and password configured on the concentrator. Then add a group whose name matches the tunnel user name and configure the following RADIUS attributes for it:
- In "IETF RADIUS Attributes", select the "Class" attribute and enter "ou=groupname;" in the text box, where groupname is the tunnel user name configured previously.
- In "Microsoft RADIUS Attributes", select the "[311\012] MS-CHAP-MPPE-Keys" check box.
- In "Cisco VPN 3000 Concentrator RADIUS Attributes", select the [3076\011] CVPN3000-Tunneling-Protocols check box, then select PPTP from the corresponding list.
- Select the [3076\020] CVPN3000-PPTP-Encryption check box, then select 128-bit or lower from the corresponding list, according to the encryption capability of the client.
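The attributes in the workaround above are what Cisco Secure ACS returns to the concentrator in the RADIUS Access-Accept. The following added example, not from these release notes or from Cisco Secure ACS, encodes and decodes them on the wire (RFC 2865 sections 5.25, Class, and 5.26, Vendor-Specific) so that a packet capture can be compared against the intended settings. Attribute number 25 (Class), 26 (Vendor-Specific), vendor 311, and vendor 3076 types 11 and 20 follow from the text; the bitmap values for CVPN3000-Tunneling-Protocols (PPTP = 1) and CVPN3000-PPTP-Encryption (1 = encryption required, 2 = 40-bit, 4 = 128-bit) are assumed from the VPN 3000 Concentrator RADIUS attribute reference and should be verified against your concentrator's documentation. MS-CHAP-MPPE-Keys is not built here because its value is derived from each MS-CHAP exchange and encrypted with the shared secret (RFC 2548) rather than being a fixed setting. The group name pptpgroup is constructed.

```python
"""Encode and decode the RADIUS Access-Accept attributes from the PPTP workaround
(RFC 2865 section 5.25 Class and 5.26 Vendor-Specific).

Added example; attribute numbers come from the workaround text, the bitmap values
below are assumed from the VPN 3000 RADIUS attribute reference and must be verified.
"""
import struct

CLASS = 25
VENDOR_SPECIFIC = 26
VENDOR_MICROSOFT = 311              # [311\012] MS-CHAP-MPPE-Keys lives here; per-session, not built
VENDOR_CISCO_VPN3000 = 3076
CVPN3000_TUNNELING_PROTOCOLS = 11   # [3076\011]
CVPN3000_PPTP_ENCRYPTION = 20       # [3076\020]
# Assumed bitmap values; verify against the VPN 3000 Concentrator RADIUS attribute reference.
TUNNEL_PPTP = 1
PPTP_ENCRYPTION_REQUIRED = 1
PPTP_ENCRYPTION_40BIT = 2
PPTP_ENCRYPTION_128BIT = 4


def attr(attr_type: int, value: bytes) -> bytes:
    """IETF attribute: Type, Length (including these two octets), Value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute: Type 26, Length, Vendor-Id (4 octets, high octet 0),
    then the vendor's own Type/Length/Value."""
    if not 0 <= vendor_id < (1 << 24):
        raise ValueError("Vendor-Id must fit in 3 octets")
    vendor_tlv = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + vendor_tlv)


def build_pptp_accept_attributes(tunnel_group: str, allow_128bit: bool = True) -> bytes:
    """Attributes from the workaround: Class "ou=<group>;", Tunneling-Protocols = PPTP,
    PPTP-Encryption = required, 40-bit and (if the client supports it) 128-bit."""
    encryption = PPTP_ENCRYPTION_REQUIRED | PPTP_ENCRYPTION_40BIT
    if allow_128bit:
        encryption |= PPTP_ENCRYPTION_128BIT
    return (
        attr(CLASS, f"ou={tunnel_group};".encode("ascii"))
        + vsa(VENDOR_CISCO_VPN3000, CVPN3000_TUNNELING_PROTOCOLS, struct.pack("!I", TUNNEL_PPTP))
        + vsa(VENDOR_CISCO_VPN3000, CVPN3000_PPTP_ENCRYPTION, struct.pack("!I", encryption))
    )


def parse_attributes(data: bytes) -> list:
    """Return [(type, vendor_id, vendor_type, value)]; vendor fields are None for IETF attributes.
    Raises ValueError on a truncated or malformed TLV instead of guessing."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + length]
        if attr_type == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vendor_type, vendor_len = value[4], value[5]
            if vendor_len < 2 or vendor_len != len(value) - 4:   # one sub-attribute per VSA
                raise ValueError("bad vendor sub-attribute length")
            out.append((attr_type, vendor_id, vendor_type, value[6:4 + vendor_len]))
        else:
            out.append((attr_type, None, None, value))
        pos += length
    return out


def tunnel_group_from_class(attributes: list):
    """Recover the group name from a Class value of the form "ou=<name>;", else None."""
    for attr_type, _, _, value in attributes:
        if attr_type == CLASS:
            text = value.decode("ascii", "replace")
            if text.startswith("ou=") and text.endswith(";"):
                return text[3:-1]
    return None


if __name__ == "__main__":
    wire = build_pptp_accept_attributes("pptpgroup")     # constructed group name
    for item in parse_attributes(wire):
        print(item)
    print("group:", tunnel_group_from_class(parse_attributes(wire)))  # pptpgroup
```

When the tunnel still fails after applying the workaround, decode the Access-Accept from a capture with parse_attributes and compare the Class string against the concentrator's tunnel group name character for character; a trailing space or missing semicolon in the ACS text box is enough to make the concentrator treat the user as belonging to no group.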
During installation, if you use an IP address of 10.0.10.255 with a 23-bit subnet mask (255.255.254.0), the installation fails with an error message indicating that you cannot use a broadcast IP address, even though 10.0.10.255 is a valid host address in that subnet (the broadcast address of 10.0.10.0/23 is 10.0.11.255).
Workaround/Solution: On the Cisco Secure ACS server, configure all Cisco Secure ACS services to run under a domain administrator account for the domain of which the server is a member. Because that account carries domain-wide privileges, protect the Cisco Secure ACS server and the service account password accordingly. For more information about additional configuration required to run Cisco Secure ACS 3.0 on a Windows NT 4.0 member server, see Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers.
If you use Netscape Navigator v.4.7 to access the HTML interface, adding an administrator to Cisco Secure ACS can cause 100% CPU utilization for over a minute. This in turn can cause the CSRadius service to pause until the browser resumes normal operation. The fault lies in the Netscape browser rather than Cisco Secure ACS.
Workaround/Solution: Once the 100% CPU utilization has begun, wait until browser operation returns to normal; this should take less than five minutes. To avoid the behavior altogether, use a tested version of Microsoft Internet Explorer. See the "Tested Web Browser Versions" section of these release notes.
When a Novell NDS database configuration in Cisco Secure ACS has a context list longer than 4095 characters, editing the NDS configuration page produces incorrect HTML in the browser interface.
Workaround/Solution: After renaming a user-defined attribute, restart all Cisco Secure ACS services from the Windows Control Panel. Once the services have been restarted, the CSV RADIUS Accounting configuration screen shows the renamed attributes and remembers their selection when the page is submitted.
Changes to user-defined fields in user records do not appear to replicate. After the user-defined fields are changed in the Interface Configuration section on the primary Cisco Secure ACS server and replication succeeds, the secondary Cisco Secure ACS server does not display the changes to the user-defined fields in the HTML interface.
Changes to HTTP Port Allocation settings do not appear to replicate. After the HTTP Port Allocation settings are changed on the Access Policy Setup page in the Administration Control section on the primary Cisco Secure ACS server and replication succeeds, the secondary Cisco Secure ACS server does not display the changes to the HTTP Port Allocation settings in the HTML interface.
In the System Configuration section, settings made on the VoIP Account Configuration page are not restored from backup. Neither are these settings preserved during reinstallation of Cisco Secure ACS 3.0 or upgrading to a later build of Cisco Secure ACS 3.0.
Renamed user-defined fields 3, 4, and 5 cannot be added to the RADIUS accounting log. After these fields are renamed under User Attributes in the Interface Configuration section and then added to the RADIUS Accounting log configuration, the changes do not appear in the log.
An AAA server cannot be deleted from the "(Not Assigned) AAA Servers" table if the "Synchronize" table in the "Synchronization Partners" is empty. An error message "x.x.x.x can not be deleted since it is an synchronization partner" is displayed.
Changes to the order of replication partners under Database Replication are not saved when you submit them. The Database Replication page lists the servers in alphabetical order rather than in the order you specified, and replication is performed in that alphabetical order.
The CSRadius and CSTacacs authentication services might crash when Cisco Secure ACS is installed on Windows 2000 with Service Pack 1 and SafeWord runs on a separate UNIX host. All users are SafeWord users.
This is correct behavior. The <Default> NDG corresponds to the "Not Assigned" NDG in Network Configuration. If the AAA client on which the user is attempting to issue commands is not in the "Not Assigned" NDG and no command authorization set applies to that AAA client, Cisco Secure ACS denies authorization for the command.
Workaround/Solution: If you intend to apply a command authorization set to all AAA clients, assign it once per every NDG rather than solely to the <Default> NDG. There is currently no single option that applies a command authorization set to all NDGs.
Cisco Secure ACS accepts empty and therefore invalid PIX ACLs. There are two ways this can occur. In the first, you can submit only a space in the PIX ACL. In the second, you can delete the contents of a previously submitted, valid PIX ACL and resubmit it successfully.
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.
If you are reading Cisco product documentation on Cisco.com, you can submit technical comments electronically. Click Leave Feedback at the bottom of the Cisco Documentation home page. After you complete the form, print it out and fax it to Cisco at 408 527-0730.
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.
The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two types of support are available through the Cisco TAC: the Cisco TAC Web Site and the Cisco TAC Escalation Center.
- Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.
- Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
- Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.
- Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.
The Cisco TAC Web Site allows you to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to the following URL:
All customers, partners, and resellers who have a valid Cisco services contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to the following URL to register:
The Cisco TAC Escalation Center addresses issues that are classified as priority level 1 or priority level 2; these classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer will automatically open a case.
Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled; for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). In addition, please have available your service agreement number and your product serial number.
CCIP, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Fast Step, Follow Me Browsing, FormShare, Internet Quotient, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That's Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, GigaStack, IOS, IP/TV, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0201R)