Cisco Secure Access Control Server for Windows

Release Notes for CiscoSecure ACS 2.3(1) for Windows NT Server


January 29, 1999

These release notes contain important information regarding CiscoSecure  ACS  2.3 for Windows  NT Server (CiscoSecure  ACS for Windows  NT). For complete documentation on this product, please refer to the following documents:

  • CiscoSecure  ACS  2.3 for Windows  NT Server User Guide

  • Quick Installation Card: CiscoSecure  ACS 2.3 for Windows  NT Server

  • Read Me First: CiscoSecure  ACS 2.3 for Windows  NT Server Getting Started

  • Quick Reference Card: Web Server Installation for CiscoSecure  ACS for Windows NT User-changeable Passwords

Contents

These release notes discuss the following topics:


  • New Features

  • Corrections

  • Additions

  • Closed Issues

  • Open Issues and Workarounds

  • Cisco Connection Online

  • Documentation CD-ROM

New Features

The following new features are included in this release of CiscoSecure  ACS for Windows  NT:

  • Password Aging

  • IP Pools

  • User-Changeable Passwords

  • Support for the Microsoft Commercial Internet System Lightweight Directory Access Protocol (MCIS LDAP)

  • Support for Open Database Connectivity (ODBC)-compliant databases

  • Support for Microsoft's version of the Challenge Handshake Authentication Protocol (MS-CHAP)

  • Per-user Advanced Terminal Access Controller Access Control System (TACACS+) and/or Remote Access Dial-In User Service (RADIUS) attributes

  • Multilevel administration

  • CSMonitor service

  • ACS Backup and Restore

  • Ability to import password files from a UNIX-based device

  • Network Device Groups (NDGs)

  • Logging and Reporting enhancements

  • Ability to upgrade from all previous versions of CiscoSecure  ACS for Windows  NT

  • Support for RedCreek RADIUS

  • Support for the null password requirement of Voice over IP (VoIP)

See the readme.txt file and the online documentation for more information on the new features and enhancements made with this release.

Corrections

This section lists corrections to the CiscoSecure  ACS for Windows  NT product documentation.

  • Correction to the CiscoSecure ACS 2.3 for Windows NT Server User Guide:

    Appendix E, page E-4: The -f option of CSUTIL.EXE is not included in this release of CiscoSecure ACS for Windows NT. Please contact the Cisco Technical Assistance Center (TAC) for more information. See the "Cisco Connection Online" section for the instructions for contacting the TAC.

  • Quick Reference Card: Web Server Installation for CiscoSecure ACS for Windows NT User-Changeable Passwords:

    Section 3, Step 4:

      • Change both occurrences of InetPub\\ to InetPub\

      • Add the following bullet:

          • Virtual Directory Alias

            /securecgi-bin

Additions

This section contains additions to the CiscoSecure  ACS for Windows  NT product documentation.

  • Before you install CiscoSecure  ACS for Windows  NT, make sure all other applications and windows are closed.

  • If you are using Security Dynamics, Inc. (SDI) for token authentication, Cisco recommends that you upgrade to ACE/Client version 4.2 and ACE/Server version 3.3.

  • If you have release 2.1 or 2.2 of CiscoSecure  ACS for Windows  NT installed with the automatic local login box unchecked, when you upgrade to release 2.3, this box will automatically be checked. This allows the administrator to access the Multi-Level Administration window.

ODBC Message During Installation

If a message displays during installation stating that "The ODBC resource DLL filename is a different version than the ODBC file type and name," follow these steps:

Step 1 Exit the installation program.

Step 2 Run the ODBCDMIN.EXE file that is located in the SUPPORT\ODBC directory on the CiscoSecure  ACS  2.3 for Windows  NT Server CD-ROM. Running the ODBCDMIN.EXE file installs the ODBC 3.0 components.

Step 3 When you have finished installing these ODBC components, click SETUP.EXE in the root directory of the CD-ROM to restart installation of CiscoSecure  ACS  2.3 for Windows  NT Server.

Installation Terminates Abnormally

If you get an error message during installation indicating that installation has failed, follow these steps:

Step 1 From the Windows Control Panel Add/Remove Programs window, select:

CiscoSecure ACS 2.3 for Windows NT

Step 2 Click Uninstall.

Step 3 When you have finished uninstalling, click SETUP.EXE in the root directory of the CD-ROM to restart installation of CiscoSecure  ACS  for Windows  NT.

If Uninstall terminated abnormally or if installation still fails, follow these steps:

Step 1 From the SUPPORT\CLEAN directory, run CLEAN.EXE. This will uninstall CiscoSecure  ACS  2.3 for Windows  NT Server completely and clean up certain statements from the Windows NT Registry that prevent installation of CiscoSecure  ACS  for Windows  NT.

Step 2 When you have finished running CLEAN.EXE, click SETUP.EXE in the root directory of the CD-ROM to restart installation of CiscoSecure  ACS  for Windows  NT.

Closed Issues

The following issues have been closed with this release of CiscoSecure  ACS for Windows  NT.

NDS Contexts

  • CSCdk03008

CSAuth now works correctly when large numbers of Novell Directory Services (NDS) contexts are used.

Special Characters in Usernames

  • CSCdk29369

To allow CiscoSecure  ACS for Windows  NT to retrieve dialed number identification service (DNIS)-based Virtual Private Dial-up Networking (VPDN) tunnel information, the colon (:) character is now allowed in usernames. Additionally, the backslash (\) character is now allowed so users can add domain\username.

Commas in Dial-Up (PPP/ARAP) Fields

  • CSCdk34978

The Dial-Up (PPP/ARAP) field can now contain a comma (,) character.

Minimum Password Length

  • CSCdk47135

You can now set a minimum password length.

Angle Brackets in Distribution Tables

  • CSCdk61376

The angle bracket (< >) characters can now be used in the Distribution Table list.

SDI Passcode Accepted Message

  • CSCdk75085

When used with SDI authentication, CiscoSecure  ACS for Windows  NT now passes the Passcode accepted message back to the user.

Open Issues and Workarounds

This section contains a partial list of the open issues for CiscoSecure  ACS  for Windows  NT.

HTML Interface Timeout with Netscape Communicator 4.01

  • CSCdj62066

With Netscape Communicator 4.01, when the Hypertext Markup Language (HTML) interface times out, a Java reconnect dialog box opens. However, clicking OK does not reestablish the session. The workaround is either to log in again or to use a different version of the browser.

Dragging Hyperlinks in Microsoft Internet Explorer 3.02

  • CSCdj63814

With Internet Explorer 3.02, when you drag any of the hyperlinks, the navigation bar is hidden, and an Internet Explorer message window opens. The workaround is either to use the browser's Back button or to use a different version of the browser.

Proxy with Dial-Up Networking

  • CSCdj67375

When performing Proxy and Windows  NT authentication with Windows Dial-Up Networking, CiscoSecure  ACS  for Windows  NT does not strip character strings located in the middle of usernames. For example, if the user ID is corporation@user1 and the domain is DOMAIN01, the authentication package is read as DOMAIN01\corporation@user1. CiscoSecure  ACS  for Windows  NT does not strip "corporation." The workaround is to place the character string to be stripped at the end of the user  ID.

Installing Internet Explorer when CiscoSecure  ACS for Windows  NT Is Already Installed

  • CSCdk12995

If CiscoSecure  ACS for Windows  NT is installed and you then install Internet Explorer, you must restart the system before CiscoSecure  ACS for Windows  NT services will start. The workaround is to install Internet Explorer before you install CiscoSecure  ACS for Windows  NT.

IP Pooling and VPDN

  • CSCdk87655 and CSCdk76477

Earlier releases of Cisco  IOS software do not support the IP pooling feature of CiscoSecure  ACS for Windows  NT with VPDN tunnels. As a result, duplicate IP addresses might be allocated. The workaround is to use Cisco  IOS Release 12.02 or later or to use the IP pooling feature of the NAS if you are using VPDN.

ODBC and SQL 6.5

  • CSCdk39343

There is an incompatibility issue with the ODBC Structured Query Language (SQL) version 6.5 drivers and CiscoSecure  ACS for Windows  NT. The workaround is to install the latest ODBC drivers before you install CiscoSecure  ACS for Windows  NT.

Changed Passwords and SQL Servers

  • CSCdk64286

Changes to passwords made on the SQL server do not take effect immediately. This is an SQL issue that might cause security problems, because users can continue to log in using their old passwords until CSAuth is restarted. The workaround is to restart CSAuth after changing passwords on the SQL server.

ODBC Authentication System DSN

  • CSCdk80413

If you are using the Microsoft Access ODBC drivers, the ODBC System Data Source Name (DSN) is not retained after reinstalling CiscoSecure  ACS  2.3 for Windows  NT Server. This issue does not arise if you are using SQL ODBC drivers. The workaround is to reinstall ODBC after you have installed CiscoSecure  ACS for Windows  NT.

User Status Inconsistent

  • CSCdk85593

After a user account is disabled, Internet Explorer displays the user account status as disabled in the User Setup window but still shows it as enabled in the Group Setup window. The workaround is to restart Internet Explorer.

Single Connection Per User on PIX Firewall

  • CSCdk86462

CiscoSecure  ACS for Windows  NT supports only a single connection per user when authenticating on a PIX firewall. This is an issue only for MaxSessions and the Reports and Activity: Logged-In Users window. The accounting logs correctly record the PIX accounting packets; the workaround is to use the accounting logs to track concurrent logins.

User-Defined Field Name Not Showing

  • CSCdk68592

User-defined field names do not appear in the Interface Configuration window of the replicated CiscoSecure  ACS for Windows  NT immediately. The workaround is to restart CSAdmin after replication.

NAS Port Name Blank

  • CSCdk89641

If a user authenticates but fails authorization, the NAS port name is blank in the Failed Attempts Log. There is no workaround at this time.

NAS Port Filter

  • CSCdk89755

The NAS Port filter does not work if the Port Name contains a forward slash (/) character. The workaround is to use port names that do not contain the / character.

MCIS Issues

The following issues have been found when MCIS is used with CiscoSecure  ACS for Windows  NT.

No Message When LDAP Server Stopped

  • CSCdk59031

After the LDAP server is stopped, any attempt to authenticate via the unknown user policy using LDAP will fail; however, CiscoSecure  ACS for Windows  NT does not issue an error message back to the NAS. There is no workaround at this time.

MCIS Account Status

  • CSCdk79761

If the MCIS account status is set to a value other than 1, the authentication failure is logged as Unknown. There is no workaround at this time.

MCIS Message

  • CSCdk77656

When accessing the External User Databases: Database Group Mapping: MCIS Configuration page, the following message displays:

Define MCIS group set An error has occurred while processing the Authen DLL Configure Page because an error occurred in the DLL processing this request.

The workaround is to obtain the Active Directory Client software and install it on the CiscoSecure ACS for Windows NT machine.

Cisco Connection Online

Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.

Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.

CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.

You can access CCO in the following ways:

For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.


Note: If you are a network administrator and need personal technical assistance with a Cisco product that is under warranty or covered by a maintenance contract, contact Cisco's Technical Assistance Center (TAC) at 800 553-2447, 408 526-7209, or tac@cisco.com. To obtain general information about Cisco Systems, Cisco products, or upgrades, contact 800 553-6387, 408 526-7208, or cs-rep@cisco.com.

Documentation CD-ROM

Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more current than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.

If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.




Posted: Mon Feb 1 13:33:27 PST 1999