Table of Contents
Release Notes for
CiscoSecure ACS 2.4(1) for Windows NT Server
Open Issues and Workarounds
VoIP Call Logging
Date Format in CSV Logs
ODBC Authentication and Oracle
Grant Dialin Permission to User
Advanced TACACS+ Settings
No AAA Server Selected Message
ODBC RADIUS Accounting
Max Sessions Limit
Unresponsive Administration Server
IP Pooling and Virtual Private Dialup Networks (VPDN)
Changed Passwords and SQL Servers
User Status Inconsistent
Single Connection Per User on PIX Firewall
User-Defined Field Name Not Showing After Replication
Network Access Server (NAS) Port Name Blank
September 20, 1999
These release notes contain important information regarding CiscoSecure ACS 2.4 for Windows NT Server (CiscoSecure ACS). For complete documentation on this product, refer to the following documents:
- CiscoSecure ACS 2.4 for Windows NT Server User Guide
- Quick Installation Card: CiscoSecure ACS 2.4 for Windows NT Server
- Read Me First: CiscoSecure ACS 2.4 for Windows NT Server Getting Started
- Quick Reference Card: Web Server Installation for CiscoSecure ACS for Windows NT User-Changeable Passwords
- Release Notes for CiscoSecure ACS 2.4(1) for Windows NT Server
These release notes discuss the following topics:
The issues for CiscoSecure ACS 2.4 for Windows NT Server listed in this section remain open.
Caution: Always back up your data before you install CiscoSecure ACS 2.4 for Windows NT. Read the included PDF files for installation instructions and information for CiscoSecure ACS.
- During installation, if you click Back, the data you just configured is lost. The workaround is to re-enter the data manually.
- If you are upgrading from CiscoSecure ACS 2.3 to CiscoSecure ACS 2.4, a message displays asking if you want to remove the PSAPI.DLL file. If you answer Yes, installation fails. The workaround is to answer No to the prompt. If you accidentally answered Yes, follow these steps:
Step 1 Copy PSAPI.DLL from another system.
Step 2 Run CLEAN.EXE.
Step 3 Run SETUP.EXE again. You might need to reload the data from backup.
- After upgrading, the administrator cannot edit user and group profiles through the web-based interface. The workaround is to click Administration Control > Session Policy > Allow automatic local login.
- A Dr. Watson error might appear when you are upgrading over an earlier version of CiscoSecure ACS. The workaround is to run CLEAN.EXE and re-run SETUP.EXE as described in the README.TXT file.
- Only the first stop of a Voice over IP (VoIP) call leg is logged in the comma-separated value (CSV) file. At this time there is no known workaround.
- After you change the date format, CiscoSecure ACS does not create a .CSV file for the existing logs with the new date format. The workaround is to import the .CSV file to a spreadsheet application and manually change the dates.
- ODBC Authentication does not work against an Oracle data source name (DSN). ODBC Authentication expects the called SQL procedures to return data in a record set, also known as Select procedures. Oracle returns data via procedure output parameters and does not work with the current dynamic link library (DLL). The workaround is to create a new external database, "ODBC Authentication for Oracle," that is the same as the existing DLL except that the results are collected from output parameters instead of row data.
- To use the Grant Dialin Permission to User feature, a two-way trust relationship must be established between the remote Windows NT domain and the CiscoSecure ACS for Windows NT server. This is a Windows NT issue. There is no workaround.
- When using Netscape Communicator 4.6 with CiscoSecure ACS for Windows NT, if a remote administrator clicks logout, Netscape's Smart Download window pops up and attempts to download a file. The administration session is never terminated. The workaround is to disable Smart Download or use IE or a different version of Netscape.
- Editing user/group profiles while using Netscape Navigator 4.08 or Netscape Communicator 4.61 produces a Dr. Watson for Netscape error. The workaround is to use Internet Explorer (IE) or a different version of Netscape.
- When using Internet Explorer (IE), after you click Submit in the User window, the window on the right displays a blank screen or an error message stating that the server is unreachable, because IE closes the connection to the server before the server can respond. The workaround is to click any of the main navigation buttons within 60 seconds. The window will be blank, but the user data will have been submitted successfully. Additionally, when using Windows NT 5.0 and Internet Explorer 5.x, the message "The page you want is not available" displays. The workaround is to click Try again.
- Some special characters, such as the umlaut, that should be valid cannot be used in usernames. This means that some external users may have user accounts created during authentication that cannot be edited using the web-based interface. The workaround is to not allow these characters in usernames.
- The Advanced TACACS+ Settings section always displays for cached unknown users even though the interface configuration is set to disable these displays. There is no workaround.
- When you add a new RDBMS Synchronization configuration and you click Synchronize now, the message No AAA server selected displays. The workaround is to click Submit before you click Synchronize now. The same issue applies to Database Replication and Unknown User Policy configuration.
- If tunnel attributes are selected in the ODBC RADIUS accounting log, the Show Create Table option does not create the type names. The workaround is to use a script similar to the following to create the type names:
    CREATE TABLE radiusAccounting (
        LoggedAt DATE NULL,
        User_Name VARCHAR(255) NULL,
        Acct_Output_Packets INTEGER NULL,
        Tunnel_Medium_Type ,
        Tunnel_Client_Endpoint ,
        Tunnel_Private_Group_ID ,
        Tunnel_Client_Auth_ID ,
        Tunnel_Server_Auth_ID
    )
- When the SafeWord Token Server is restarted, CiscoSecure ACS does not automatically reconnect to the SafeWord server for authentication. The Failed Attempts report displays the message "External DB reports error condition." The workaround is to restart the CSAuth and CSTacacs services.
- When Max Sessions is configured at the user level, users cannot log in to enable mode when the session limit is reached. Because the administrator logging in to the NAS usually telnets into it and then goes into enable mode, the administrator might not be able to log in. The workaround is to configure Max Sessions at the group level instead of at the user level.
- The web-based administration server enters a state that causes the service to be unresponsive for certain functions and then hangs the web-admin service for the functions that previously worked. The workaround is to re-enter the address http://127.0.0.1:2002 or click the logout button (X) at the top right of the display. This will reset the browser.
- CSCdk87655 and CSCdk76477
- Releases of Cisco IOS software prior to Release 12.02 do not support the IP pooling feature of CiscoSecure ACS 2.4 for Windows NT with VPDN tunnels. As a result, duplicate IP addresses might be allocated. The workaround is to use Cisco IOS Release 12.02 or later or to use the IP pooling feature of the NAS if you are using VPDN.
- Changes to passwords made on the SQL server do not take effect immediately. This is an SQL issue that might cause security problems, because users can continue to log in using their old passwords until CSAuth is restarted. The workaround is to restart CSAuth after changing passwords on the SQL server.
- After a user account is disabled, Internet Explorer displays the user account status as disabled in the User Setup window but still shows it as enabled in the Group Setup window. The workaround is to restart Internet Explorer.
- CiscoSecure ACS 2.4 for Windows NT supports only a single connection per user when authenticating on a PIX firewall. This is an issue only for MaxSessions and the Reports and Activity: Logged-In Users window. The accounting logs correctly record the PIX accounting packets; the workaround is to use the accounting logs to track concurrent logins.
- User-defined field names do not appear in the Interface Configuration window of the replicated CiscoSecure ACS 2.4 for Windows NT immediately. The workaround is to restart CSAdmin after replication.
- If a user authenticates successfully but fails authorization, the NAS port name is blank in the Failed Attempts Log. There is no workaround at this time.
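The workaround for the PIX single-connection issue above is to track concurrent logins from the accounting logs. The following is an added example, not part of the original release notes or of Cisco's software, that computes each user's peak number of open sessions from an accounting CSV export. The column names, the mm/dd/yyyy date format, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample, not real ACS output. Column names and the
# mm/dd/yyyy date format are assumptions; adjust them to your export.
SAMPLE_CSV = """Date,Time,User-Name,Acct-Status-Type,Acct-Session-Id
09/20/1999,10:00:00,alice,Start,0x0001
09/20/1999,10:00:02,alice,Start,0x0001
09/20/1999,10:05:00,alice,Start,0x0002
09/20/1999,10:06:00,bob,Start,0x0003
09/20/1999,10:07:00,alice,Stop,0x0001
09/20/1999,10:08:00,alice,Start,0x0004
09/20/1999,10:09:00,carol,Stop,0x0009
09/20/1999,10:10:00,alice,Start,0x0005
09/20/1999,10:20:00,bob,Stop,0x0003
"""


def peak_concurrency(csv_text, date_format="%m/%d/%Y %H:%M:%S"):
    """Return {user: (peak open sessions, time the peak was first reached)}."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Sort by timestamp: records from several devices may be out of order.
    rows.sort(key=lambda r: datetime.strptime(f"{r['Date']} {r['Time']}", date_format))
    open_sessions = {}   # user -> set of session ids currently open
    peaks = {}
    for r in rows:
        user, sid = r["User-Name"], r["Acct-Session-Id"]
        when = datetime.strptime(f"{r['Date']} {r['Time']}", date_format)
        sessions = open_sessions.setdefault(user, set())
        status = r["Acct-Status-Type"].strip().lower()
        if status == "start":
            sessions.add(sid)          # a retransmitted Start is counted once
        elif status == "stop":
            sessions.discard(sid)      # a Stop with no matching Start is ignored
        if len(sessions) > peaks.get(user, (0, None))[0]:
            peaks[user] = (len(sessions), when)
    return peaks


def over_limit(peaks, max_sessions):
    """Users whose peak concurrency exceeded max_sessions, sorted by name."""
    return sorted(u for u, (peak, _) in peaks.items() if peak > max_sessions)


if __name__ == "__main__":
    peaks = peak_concurrency(SAMPLE_CSV)
    print(peaks, over_limit(peaks, 2))
```

Sessions that never receive a Stop record stay counted as open, so a lost Stop packet inflates the result; compare against the device's own session table before acting on a single outlier.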
Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
You can access CCO in the following ways:
- WWW: http://www.cisco.com
- WWW: http://www-europe.cisco.com
- WWW: http://www-china.cisco.com
- Telnet: cco.cisco.com
- Modem: From North America, 408 526-8070; from Europe, 33 1 64 46 40 82. Use the following terminal settings: VT100 emulation; databits: 8; parity: none; stop bits: 1; and connection rates up to 28.8 kbps.
For a copy of CCO's Frequently Asked Questions (FAQ), contact firstname.lastname@example.org. For additional information, contact email@example.com.
Note: If you are a network administrator and need personal technical assistance with a Cisco product that is under warranty or covered by a maintenance contract, contact Cisco's Technical Assistance Center (TAC) at 800 553-2447, 408 526-7209, or firstname.lastname@example.org. To obtain general information about Cisco Systems, Cisco products, or upgrades, contact 800 553-6387, 408 526-7208, or email@example.com.
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more current than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.