Cisco Secure Access Control Server for Windows

Release Notes for Cisco Secure Access Control Server for Windows 2000/NT Servers Version 2.5

Table of Contents

Release Notes for Cisco Secure Access Control Server for Windows 2000/NT Servers
Version 2.5

Contents
Introduction
Installation Notes
Limitations and Restrictions
Caveats
Documentation Updates
Related Documentation
Obtaining Documentation
Obtaining Technical Assistance

Release Notes for Cisco Secure Access Control Server for Windows 2000/NT Servers
Version 2.5


November 2000

These release notes pertain to Cisco Secure Access Control Server for Windows 2000/NT Servers (Cisco Secure ACS) Version 2.5.


Warning Please see the README file on the CD-ROM for late-breaking information.

Introduction

Cisco Secure ACS is network security software that helps you authenticate users by controlling dial-in access to a network access server (NAS) device, such as an access server, PIX Firewall, or router.

Cisco Secure ACS operates as a Windows NT or Windows 2000 service and controls the authentication, authorization, and accounting (AAA) of users accessing networks. Cisco Secure ACS operates with Windows NT Version 4.0 Server and Windows 2000 Server.

Cisco Secure ACS helps centralize access control and accounting for dial-up access servers and firewalls as well as management of access to routers and switches. With Cisco Secure ACS, service providers can quickly administer accounts and globally change levels of service offerings for entire groups of users. The tight integration of Cisco Secure ACS with the Windows NT and Windows 2000 operating systems enables companies to put to use the working knowledge gained from and the investment already made in building their Windows NT and Windows 2000 network.

For a list of new and changed features in Cisco Secure ACS 2.5, see Chapter 1, "Overview of Cisco Secure Access Control Server for Windows NT/2000 Servers," in Cisco Secure Access Control Server for Windows 2000/NT Servers User Guide.

For the system requirements of Cisco Secure ACS 2.5, see Chapter 1, "Overview of Cisco Secure Access Control Server for Windows NT/2000 Servers," in Cisco Secure Access Control Server for Windows 2000/NT Servers User Guide.

Cisco Secure Access Control Server for Windows 2000/NT Servers User Guide also provides detailed information about configuring and using Cisco Secure ACS. This guide is available via Cisco Connection Online or on the product CD-ROM.

Installation Notes

For information about installing Cisco Secure ACS, see the Installing Cisco Secure ACS 2.5 for Windows 2000/NT Server quick reference card.

Information regarding messages or warnings that may arise during installation can be found in the README file, located on the CD-ROM.

Limitations and Restrictions

The following topics are limitations and restrictions that apply to Cisco Secure ACS 2.5.

Supported Web Browser Versions

To administer all features included in Cisco Secure ACS 2.5, it is important that you use a supported web browser. Cisco Systems tested Cisco Secure ACS 2.5 using Microsoft Internet Explorer versions 5.0.x and 5.5, and Netscape Communicator versions 4.72, 4.73, and 4.75. Other versions of these browsers and web browsers by other manufacturers are not supported.

128-bit Encryption with Microsoft Dial-Up Networking

In order to implement 128-bit encryption, there are restrictions you need to be aware of. If users connect to your network with the Microsoft Dial-Up Network client and establish a virtual private network (VPN) tunnel using Point-to-Point Tunneling Protocol with Microsoft Point-to-Point Encryption, the NAS through which users connect to the network must be one of three types:

  • Cisco Secure PIX Firewall
  • Cisco Secure VPN 3000 Concentrator
  • Cisco IOS router, 7100 or 7200 series only

Both the NAS and the Microsoft Dial-Up Network client must have 128-bit encryption installed. For the Microsoft Dial-Up Network client, this requires the High Encryption pack. For users on Microsoft Windows 95/98/NT 4.0, install the 128-bit encryption package included with Internet Explorer 5.5. Internet Explorer is available at the following address:

http://www.microsoft.com/windows/ie/download/ie55.htm

For users on Microsoft Windows 2000, download the High Encryption pack for Windows 2000. The High Encryption pack is available at the following address:

http://www.microsoft.com/windows2000/downloads/recommended/encryption/

Windows 2000 Service Pack 1 Not Supported

While Cisco Secure ACS 2.5 does support Windows 2000 Server, Advanced Server, and Data Center (without Microsoft Clustering enabled), it does not support Service Pack 1 for Windows 2000. Do not install Service Pack 1 for Windows 2000 on your Cisco Secure ACS Windows 2000 server.

Supported Platforms for CiscoSecure Authentication Agent

The Cisco Secure ACS CiscoSecure Authentication Agent is supported only on the following client platform operating systems:

  • Windows 95 OSR1
  • Windows NT 4.0 Workstation with Service Pack 6a
  • Windows 98 Special Edition
  • Windows 2000 Server and Advanced Server (without Service Pack 1)
  • Windows Millennium Edition

Cisco Systems has not tested the CiscoSecure Authentication Agent on the following client platform operating systems:

  • Windows 95 OSR2
  • Windows 98 (non-Special Edition)
  • Windows 2000 Professional
  • Windows 2000 Data Center

Caveats

This section identifies caveats and issues for Cisco Secure ACS.

Platform Caveats

Refer to the appropriate release notes for information about hardware caveats that might affect Cisco Secure ACS. You can access these release notes online at the following addresses:

Cisco Secure PIX Firewall

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/

Cisco IOS Releases 12.0 and 12.1

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120cavs/index.htm

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121relnt/121cavs/index.htm

Open Caveats—Version 2.5

This section identifies known caveats and issues with Cisco Secure ACS 2.5.

  • CSCds15692: Installer replaces Cisco Secure VPN Client (1.1) DLL

If Cisco Secure VPN Client Version 1.1 is installed on the Windows NT 4.0 server on which you are installing Cisco Secure ACS, Cisco Secure ACS fails to install, with an error message about the following file:

NSLDAPSSL32V30.dll

This file is necessary for the VPN Client to work properly.

Workaround/Solution: Exit the Cisco Secure ACS installation, uninstall Cisco Secure VPN Client from the server, install Cisco Secure ACS 2.5, and then reinstall Cisco Secure VPN Client.

  • CSCds74060: AXENT token-card server integration fails

AXENT token-card server external user databases do not work with Cisco Secure ACS 2.5. This includes all versions of AXENT token-card servers.

Workaround/Solution: None at this time. Customers using AXENT token-card servers as external user databases with Cisco Secure ACS should not upgrade to Cisco Secure ACS 2.5.

  • CSCds47158: Upgrade from 2.4 to 2.5 results in only 100 groups available

After upgrading to Cisco Secure ACS 2.5, administrators are still only able to see 100 groups.

Workaround/Solution: This is expected behavior. By default, the additional 400 groups available in Cisco Secure ACS 2.5 are not added to the list of groups each administrator can configure.

To allow an administrator to configure the additional 400 groups, edit the administrator's privileges to permit the administrator to configure the additional groups.

  • CSCds64029: CCMP fails on Windows 2000 when Service Pack 1 is installed

If Service Pack 1 is installed on a Windows 2000 server running Cisco Secure ACS 2.5, CiscoSecure Control Message Protocol fails. This causes the User-Changeable Password feature to fail. Users will not receive notification of passwords that are about to expire and they will not receive notification from the CiscoSecure Authentication Agent.

Workaround/Solution: Do not apply Service Pack 1 to any Windows 2000 server running Cisco Secure ACS. If Service Pack 1 has already been installed, uninstall Service Pack 1. See Windows 2000 Service Pack 1 Not Supported.

  • CSCds63652: Ext. DB Group Mapping misreports SDI User profile

If Service Pack 1 is installed on a Windows 2000 server running Cisco Secure ACS 2.5, External Database Group Mapping incorrectly reports SDI user profiles. Some users whose accounts are maintained by an SDI token-card server appear in the wrong Cisco Secure ACS group.

Workaround/Solution: Cisco Secure ACS 2.5 does not support Service Pack 1 for Windows 2000.

To restore proper group mapping, uninstall Service Pack 1 from your Windows 2000 server. See Windows 2000 Service Pack 1 Not Supported.

  • CSCds63170: Netscape 4.76 does not work correctly in Windows 2000

With Netscape Communicator 4.76 on Windows 2000, clicking one of the green navigation buttons at the top of the Edit Group page causes Netscape 4.76 to wait indefinitely.

Workaround/Solution: Change the Windows application focus by opening a folder on the desktop. Netscape will immediately jump to the correct Cisco Secure ACS administrative web page. See Supported Web Browser Versions.

  • CSCds33765: When configuring NAS (IOS router), add local username and method

When you are configuring a Cisco IOS router to enable the AAA paradigm, there is always a slight risk that the administrative Telnet or console session may be lost. If an administrative Telnet or console session is lost while enabling the AAA paradigm on a Cisco IOS router, the administrator is locked out of the router.

Workaround/Solution: Enabling the AAA paradigm with the command aaa new-model on a Cisco IOS router has important ramifications that a user must be aware of when configuring these devices for the first time. At a minimum the following commands should be entered in the order shown:

[global configuration]
aaa new-model
username username password password
aaa authentication login default local group [security protocol]

where username is the name of the new local account and password is its password.

Specifying the "local" method enables users to re-establish their Telnet or console session and use the locally defined authentication list to access the router once more. Without it, physical console access to the router is required and, at a minimum, a password recovery sequence must be performed. At worst, the entire configuration saved in NVRAM can be lost.
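
The ordering rule above can be checked before a configuration is pushed. The following linter is an added example, not Cisco's code: it flags a configuration that enables aaa new-model without a local account or without the local method in the default login list, or that defines the account after the list. The sample configurations are constructed for the illustration.

```python
"""Lint a Cisco IOS configuration for the AAA lockout risk in CSCds33765.

Added example (not Cisco's code): checks that a configuration which enables
'aaa new-model' also defines a local account and keeps the 'local' method in
the default login list, in the order the caveat recommends. The sample
configurations below are constructed for this illustration.
"""
import re

# Constructed sample that follows the recommended order (safe).
SAFE_CONFIG = """\
hostname nas-1
aaa new-model
username admin password 0 example-only
aaa authentication login default local group tacacs+
tacacs-server host 10.0.0.5
"""

# Constructed sample: AAA enabled, but no local account and no 'local' method.
RISKY_CONFIG = """\
hostname nas-2
aaa new-model
aaa authentication login default group tacacs+
tacacs-server host 10.0.0.5
"""

# Constructed sample: correct commands, but the local account comes last.
ORDER_CONFIG = """\
aaa new-model
aaa authentication login default local group tacacs+
username admin password 0 example-only
"""

USERNAME_RE = re.compile(r"^username \S+ .*\b(password|secret)\b")
LOGIN_PREFIX = "aaa authentication login default "


def lint_aaa_lockout(config: str) -> list:
    """Return a list of findings; an empty list means no lockout risk found."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    if "aaa new-model" not in lines:
        return []  # AAA not enabled: the caveat does not apply
    findings = []

    user_idx = [i for i, ln in enumerate(lines) if USERNAME_RE.match(ln)]
    if not user_idx:
        findings.append("no local account: add 'username <name> password <pw>'")

    login_idx = [i for i, ln in enumerate(lines) if ln.startswith(LOGIN_PREFIX)]
    if not login_idx:
        findings.append("no 'aaa authentication login default' list naming 'local'")
    else:
        methods = lines[login_idx[0]].split()[4:]  # tokens after 'default'
        if "local" not in methods:
            findings.append("default login list lacks the 'local' method: "
                            "console/Telnet fallback is lost if the AAA server is unreachable")

    # The caveat asks for the account to exist before the login list is applied.
    if user_idx and login_idx and user_idx[0] > login_idx[0]:
        findings.append("local account is defined after the login list; define it first")
    return findings


if __name__ == "__main__":
    for name, cfg in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG), ("order", ORDER_CONFIG)):
        print(name, lint_aaa_lockout(cfg) or "OK")
```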

  • CSCds22861: GUI does not allow user to change RADIUS auth/acct ports

The user interface does not allow an administrator to change the default RADIUS authentication (1645) and accounting (1646) ports. Cisco IOS routers after versions 12.1(x) have changed their default behavior to reflect the new ports of 1812 for authentication and 1813 for accounting.

Workaround/Solution: Cisco Secure ACS now supports both pairs of ports for RADIUS authentication and accounting. Ports 1645 and 1812 are used for RADIUS authentication; ports 1646 and 1813, for RADIUS accounting.

If you need to use ports other than those currently supported by Cisco Secure ACS, you can change the ports used for RADIUS authentication and accounting by editing attribute values of the proper key in the Windows Registry. The ports are the AccountingPort and AuthenticationPort attributes of the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\CISCO\CiscoAAAv2.5\CSRadius

After changing the port attribute values, restart the Cisco Secure ACS server.

  • CSCds14916: ACS fails to list Windows NT groups when PDC is down

If the active Primary Domain Controller (PDC) for a Windows NT domain is unavailable, you cannot use the Cisco Secure ACS administrative user interface to configure the group mappings for this domain.

Workaround/Solution: If the configuration changes are not vital, wait until the PDC becomes available again. Otherwise, promote a suitable Backup Domain Controller to the role of PDC.

  • CSCds44804: Windows 2000-style user@domain authentication not supported

Windows 2000 allows users to enter their username as username@domain-name, for example fred@domain.com. This format is equivalent to entering the Windows NT 4.0 username DOMAIN\fred.

Workaround/Solution: Cisco Secure ACS does not support this style of username when authenticating against an external Windows 2000 server. Continue to prefix account names with the NT 4.0-style domain name.

  • CSCds67703: New PIN mode not supported for some NASes

A few of the NASes supported by Cisco Secure ACS either do not support "new PIN mode" functionality or support it in a limited fashion. New PIN mode is when token-card users can be required to enter new PINs at login.

The following two types of NASes do not support new PIN mode functionality:

  • Cisco Secure VPN 3000 Concentrator
  • Cisco Secure PIX Firewall

Additionally, Cisco IOS routers can support new PIN mode functionality with specific configuration.

Workaround/Solution: There is no workaround if the NAS is a Cisco Secure VPN 3000 Concentrator or a Cisco Secure PIX Firewall.

For Cisco IOS routers, new PIN mode functionality is supported if the routers are configured as described here. The Microsoft DUN connection for token-card users must have the "Bring up a terminal window after dialing" option enabled. The Cisco IOS router through which users are accessing the network must be configured as follows:

aaa new-model
aaa authentication login default local group [security protocol]
aaa authentication ppp default if-needed group [security protocol]

Users would be presented with a terminal window in which they would change their PINs. After the PIN was reset, users could start a PPP session manually or a script could be configured to start PPP automatically.

  • CSCds68316: Sample Configuration chapter has incorrect examples depicted

The Sample Configurations chapter of the user guide has errors in examples depicted. In NAS Configuration under the Password Aging and User-Changeable Passwords Using CiscoSecure ACS with CAA section, the example is written with the assumption that IP address assignment for a dial-up user is assigned by the NAS itself, yet it does not give sufficient configuration for IP address assignment to be handled by the NAS.

The chapter also references Cisco IOS Release 11.5T, which does not exist.

Workaround/Solution: In order to depict accurately a configuration where the NAS handles IP address assignment, the NAS configuration example should have the following line in its global configuration section:

ip local pool setup_pool xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy

where xxx.xxx.xxx.xxx is the starting IP address of the IP address range and yyy.yyy.yyy.yyy is the ending IP address of the IP address range. The IP address range defined should be part of a subnet belonging to a routable interface connected to the corporate network.

References to Cisco IOS Release 11.5T should refer to Cisco IOS Release 12.0.
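
The subnet condition on the pool range can be verified mechanically. The following check is an added example, not Cisco's code: it reads the interface addresses and every ip local pool line from a configuration and reports which interface subnet, if any, contains the whole range. The configuration is constructed for the illustration, with stray_pool deliberately outside every interface subnet.

```python
"""Check 'ip local pool' ranges against the router's interface subnets.

Added example (not Cisco's code) for the CSCds68316 correction: the pool's
address range must lie inside a subnet of a routable interface. The
configuration below is constructed for this illustration.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 192.168.10.1 255.255.255.0
!
interface Serial0
 ip address 10.1.1.1 255.255.255.252
!
ip local pool setup_pool 192.168.10.100 192.168.10.150
ip local pool stray_pool 172.16.0.10 172.16.0.20
ip local pool backwards_pool 192.168.10.150 192.168.10.100
"""

IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)\s*$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+) (\S+)\s*$")


def interface_networks(config: str) -> dict:
    """Map interface name -> IPv4Network for every 'ip address' stanza."""
    nets, current = {}, None
    for ln in config.splitlines():
        m = IFACE_RE.match(ln)
        if m:
            current = m.group(1)
            continue
        m = ADDR_RE.match(ln)
        if m and current:
            # ipaddress accepts a dotted netmask after the slash
            nets[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return nets


def check_local_pools(config: str) -> dict:
    """Map pool name -> interface whose subnet contains the whole range,
    or None when the range is reversed or matches no interface subnet."""
    nets = interface_networks(config)
    results = {}
    for ln in config.splitlines():
        m = POOL_RE.match(ln.strip())
        if not m:
            continue
        name, start, end = m.groups()
        start_ip, end_ip = ipaddress.ip_address(start), ipaddress.ip_address(end)
        results[name] = None
        if start_ip > end_ip:
            continue  # reversed range: reported as unusable
        for ifname, net in nets.items():
            if start_ip in net and end_ip in net:
                results[name] = ifname
                break
    return results


if __name__ == "__main__":
    for pool, owner in check_local_pools(SAMPLE_CONFIG).items():
        print(f"{pool}: {'inside ' + owner if owner else 'NOT within any interface subnet'}")
```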

Documentation Updates

The following sections describe updates to the published documentation for Cisco Secure ACS 2.5.

Changes to Online Documentation

In the "Overview of Cisco Secure Access Control Server for Windows NT/2000 Servers" chapter within the Online Documentation section of Cisco Secure ACS 2.5, the first note under "Software Requirements" now reads as follows:


Note   Cisco Secure ACS 2.5 operates with Windows NT Server version 4.0 or Windows 2000. As a Windows NT 4.0 Server, Cisco Secure ACS can be a Primary Domain Controller, a Backup Domain Controller, or a Member Server. If Cisco Secure ACS 2.5 is installed on a Member Server, the Member Server must be a member of its domain.

In the "User Databases" chapter within the Online Documentation section of Cisco Secure ACS 2.5, within the first paragraph after Figure 3-1, the word "exponentially" has been replaced with the word "logarithmically."

Changes to Cisco Secure ACS 2.5 for Windows 2000/NT Servers User Guide

In Chapter 1, "Overview of Cisco Secure Access Control Server for Windows NT/2000 Servers," the first note on page 1-4 now reads as follows:


Note   Cisco Secure ACS 2.5 operates with Windows NT Server version 4.0 or Windows 2000. As a Windows NT 4.0 Server, Cisco Secure ACS can be a Primary Domain Controller, a Backup Domain Controller, or a Member Server. If Cisco Secure ACS 2.5 is installed on a Member Server, the Member Server must be a member of its domain.

In Chapter 3, "User Databases," on page 3-2, the word "exponentially" has been replaced with the word "logarithmically."

Changes to Read Me First: Cisco Secure ACS 2.5 for Windows 2000/NT Server Getting Started

The second paragraph under "Product Summary" on page 1 now reads as follows:

Cisco Secure ACS 2.5 operates with Windows NT Server version 4.0 or Windows 2000. As a Windows NT 4.0 Server, Cisco Secure ACS can be a Primary Domain Controller, a Backup Domain Controller, or a Member Server. If Cisco Secure ACS 2.5 is installed on a Member Server, the Member Server must be a member of its domain.

Related Documentation

The following documents directly support Cisco Secure ACS:

  • Cisco Secure Access Control Server for Windows 2000/NT Servers Version 2.5 User Guide
  • Installing Cisco Secure ACS 2.5 for Windows 2000/NT Server
  • Read Me First: Cisco Secure ACS 2.5 for Windows 2000/NT Server Getting Started
  • Web Server Installation for Cisco Secure ACS 2.5 for Windows 2000/NT User-changeable Passwords

In addition to these documents, online documentation is provided within the Cisco Secure ACS user interface. The entire Cisco Secure ACS documentation set is also available from the following address:

http://www.cisco.com/warp/public/cc/pd/sqsw/sq/

Obtaining Documentation

The following sections provide sources for obtaining documentation from Cisco Systems.

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at the following sites:

Documentation CD-ROM

Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.

Ordering Documentation

Cisco documentation is available in the following ways:

  • Registered Cisco Direct Customers can order Cisco Product documentation from the Networking Products MarketPlace:

http://www.cisco.com/public/ordsum.html

  • Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:

http://www.cisco.com/go/subscription

  • Nonregistered CCO users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by calling 800 553-NETS(6387).

Documentation Feedback

If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.

You can e-mail your comments to bug-doc@cisco.com.

To submit your comments by mail, for your convenience many documents contain a response card behind the front cover. Otherwise, you can mail your comments to the following address:

Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.

Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.

Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.

To access Cisco.com, go to the following website:

http://www.cisco.com

Technical Assistance Center

The Cisco TAC website is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.

Contacting TAC by Using the Cisco TAC Website

If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC website:

http://www.cisco.com/tac

P3 and P4 level problems are defined as follows:

  • P3—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
  • P4—You need information or assistance on Cisco product capabilities, product installation, or basic product configuration.

In each of the above cases, use the Cisco TAC website to quickly find answers to your questions.

To register for Cisco.com, go to the following website:

http://www.cisco.com/register/

If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following website:

http://www.cisco.com/tac/caseopen

Contacting TAC by Telephone

If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following website:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

P1 and P2 level problems are defined as follows:

  • P1—Your production network is down, causing a critical impact to business operations if service is not restored quickly. No workaround is available.
  • P2—Your production network is severely degraded, affecting significant aspects of your business operations. No workaround is available.

This document is to be used in conjunction with the "Related Documentation" section.

Copyright © 1999-2000, Cisco Systems, Inc.
All rights reserved.