Table of Contents
Release Notes for
CiscoSecure ACS 2.3(1) for Windows NT Server
Special Characters in Usernames
Commas in Dial-Up (PPP/ARAP) Fields
Minimum Password Length
Angle Brackets in Distribution Tables
SDI Passcode Accepted Message
Dragging Hyperlinks in Microsoft Internet Explorer 3.02
Proxy with Dial-Up Networking
Installing Internet Explorer when CiscoSecure ACS for Windows NT Is Already Installed
IP Pooling and VPDN
ODBC and SQL 6.5
Changed Passwords and SQL Servers
ODBC Authentication System DSN
User Status Inconsistent
Single Connection Per User on PIX Firewall
User-Defined Field Name Not Showing
NAS Port Name Blank
NAS Port Filter
Release Notes for
CiscoSecure ACS 2.3(1) for Windows NT Server
January 29, 1999
These release notes contain important information regarding CiscoSecure ACS 2.3 for Windows NT Server (CiscoSecure ACS for Windows NT). For complete documentation on this product, please refer to the following documents:
- CiscoSecure ACS 2.3 for Windows NT Server User Guide
- Quick Installation Card: CiscoSecure ACS 2.3 for Windows NT Server
- Read Me First: CiscoSecure ACS 2.3 for Windows NT Server Getting Started
- Quick Reference Card: Web Server Installation for CiscoSecure ACS for Windows NT User-changeable Passwords
These release notes discuss the following topics:
- New Features, page 2
- Corrections, page 2
- Additions, page 3
- Closed Issues, page 4
- Open Issues and Workarounds, page 5
- Cisco Connection Online, page 7
- Documentation CD-ROM, page 9
The following new features are included in this release of CiscoSecure ACS for Windows NT:
- Password Aging
- IP Pools
- User-Changeable Passwords
- Support for the Microsoft Commercial Internet System Lightweight Directory Access Protocol (MCIS LDAP)
- Support for Open Database Connectivity (ODBC)-compliant databases
- Support for Microsoft's version of the Challenge Handshake Authentication Protocol (MS-CHAP)
- Per-user Advanced Terminal Access Controller Access Control System (TACACS+) and/or Remote Access Dial-In User Service (RADIUS) attributes
- Multilevel administration
- CSMonitor service
- ACS Backup and Restore
- Ability to import password files from a UNIX-based device
- Network Device Groups (NDGs)
- Logging and Reporting enhancements
- Ability to upgrade from all previous versions of CiscoSecure ACS for Windows NT
- Support for RedCreek RADIUS
- Support for the null password requirement of Voice over IP (VoIP)
See the readme.txt file and the online documentation for more information on the new features and enhancements made with this release.
This section lists corrections to the CiscoSecure ACS for Windows NT product documentation.
- Correction to the CiscoSecure ACS 2.3 for Windows NT Server User Guide:
- Appendix E, page E-4---The -f option of CSUTIL.EXE is not included in this release of CiscoSecure ACS for Windows NT. Please contact the Cisco Technical Assistance Center (TAC) for more information. See the "Cisco Connection Online" section for the instructions for contacting the TAC.
- Quick Reference Card: Web Server Installation for CiscoSecure ACS for Windows NT User-Changeable Passwords:
- Section 3, Step 4:
- Change both occurrences of InetPub\\ to InetPub\
- Add the following bullet:
- Change both occurrences of InetPub\\ to InetPub\
- Virtual Directory Alias
This section contains additions to the CiscoSecure ACS for Windows NT product documentation.
- Before you install CiscoSecure ACS for Windows NT, make sure all other applications and windows are closed.
- If you are using Security Dynamics, Inc. (SDI) for token authentication, Cisco recommends that you upgrade to ACE/Client version 4.2 and ACE/Server version 3.3.
- If you have release 2.1 or 2.2 of CiscoSecure ACS for Windows NT installed with the automatic local login box unchecked, when you upgrade to release 2.3, this box will automatically be checked. This allows the administrator to access the Multi-Level Administration window.
If a message displays during installation stating that
The ODBC resource DLL filename
is a different version than the ODBC file type and name, follow these steps:
Step 1 Exit the installation program.
Step 2 Run the ODBCDMIN.EXE file that is located in the SUPPORT\ODBC directory on the CiscoSecure ACS 2.3 for Windows NT Server CD-ROM. Running the ODBCDMIN.EXE file installs the ODBC 3.0 components.
Step 3 When you have finished installing these ODBC components, click SETUP.EXE in the root directory of the CD-ROM to restart installation of CiscoSecure ACS 2.3 for Windows NT Server.
If you get an error message during installation indicating that installation has failed, follow these steps:
Step 1 From the Windows Control Panel Add/Remove Programs window, select:
CiscoSecure ACS 2.3 for Windows NT
Step 2 Click Uninstall.
Step 3 When you have finished uninstalling, click SETUP.EXE in the root directory of the CD-ROM to restart installation of CiscoSecure ACS for Windows NT.
If Uninstall terminated abnormally or if installation still fails, follow these steps:
Step 1 From the SUPPORT\CLEAN directory, run CLEAN.EXE. This will uninstall CiscoSecure ACS 2.3 for Windows NT Server completely and clean up certain statements from the Windows NT Registry that prevent installation of CiscoSecure ACS for Windows NT.
Step 2 When you have finished running CLEAN.EXE, click SETUP.EXE in the root directory of the CD-ROM to restart installation of CiscoSecure ACS for Windows NT.
The following issues have been closed with this release of CiscoSecure ACS for Windows NT.
- CSAuth now works correctly when large numbers of Novell Directory Services (NDS) contexts are used.
- To allow CiscoSecure ACS for Windows NT to retrieve dialed number identification service (DNIS)-based Virtual Private Dial-up Networking (VPDN) tunnel information, the colon (:) character is now allowed in usernames. Additionally, the backslash (\) character is now allowed so users can add domain\username.
- The Dial-Up (PPP/ARAP) field can now contain a comma (,) character.
- You can now set a minimum password length.
- The angle brackets (< >) characters can now be used in the Distribution Table list.
- When used with SDI authentication, CiscoSecure ACS for Windows NT now passes the
Passcode acceptedmessage back to the user.
This section contains a partial list of the open issues for CiscoSecure ACS for Windows NT.
With Netscape Communicator 4.01, when the Hypertext Markup Language (HTML) interface times out, a Java reconnect dialog box opens. However, clicking OK does not reestablish the session. The workaround is either to log in again or to use a different version of the browser.
With Internet Explorer 3.02, when you drag any of the hyperlinks, the navigation bar is hidden, and an Internet Explorer message window opens. The workaround is either to use the browser's Back button or to use a different version of the browser.
When performing Proxy and Windows NT authentication with Windows Dial-Up Networking, CiscoSecure ACS for Windows NT does not strip character strings located in the middle of usernames. For example, if the user ID is corporation@user1 and the domain is DOMAIN01, the authentication package is read as DOMAIN01\corporation@user1. CiscoSecure ACS for Windows NT does not strip "corporation." The workaround is to place the character string to be stripped at the end of the user ID.
If CiscoSecure ACS for Windows NT is installed and you then install Internet Explorer, you must restart the system before CiscoSecure ACS for Windows NT services will start. The workaround is to install Internet Explorer before you install CiscoSecure ACS for Windows NT.
- CSCdk87655 and CSCdk76477
- Earlier releases of Cisco IOS software do not support the IP pooling feature of CiscoSecure ACS for Windows NT with VPDN tunnels. As a result, duplicate IP addresses might be allocated. The workaround is to use Cisco IOS Release 12.02 or later or to use the IP pooling feature of the NAS if you are using VPDN.
- There is an incompatibility issue with the ODBC Structured Query Language (SQL) version 6.5 drivers and CiscoSecure ACS for Windows NT. The workaround is to install the latest ODBC drivers before you install CiscoSecure ACS for Windows NT.
- Changes to passwords made on the SQL server do not take effect immediately. This is an SQL issue that might cause security problems, because users can continue to log in using their old passwords until CSAuth is restarted. The workaround is to restart CSAuth after changing passwords on the SQL server.
- If you are using the Microsoft Access ODBC drivers, the ODBC System Data Source Name (DSN) is not retained after reinstalling CiscoSecure ACS 2.3 for Windows NT Server. This issue does not arise if you are using SQL ODBC drivers. The workaround is to reinstall ODBC after you have installed CiscoSecure ACS for Windows NT.
- After a user account is disabled, Internet Explorer displays the user account status as disabled in the User Setup window but still shows it as enabled in the Group Setup window. The workaround is to restart Internet Explorer.
- CiscoSecure ACS for Windows NT supports only a single connection per user when authenticating on a PIX firewall. This is an issue only for MaxSessions and the Reports and Activity: Logged-In Users window. The accounting logs correctly record the PIX accounting packets; the workaround is to use the accounting logs to track concurrent logins.
- User-defined field names do not appear in the Interface Configuration window of the replicated CiscoSecure ACS for Windows NT immediately. The workaround is to restart CSAdmin after replication.
- If a user authenticates but fails authorization, the NAS port name is blank in the Failed Attempts Log. There is no workaround at this time.
- The NAS Port filter does not work if the Port Name contains a forward slash (/) character. The workaround is to use port names that do not contain the / character.
The following issues have been found when MCIS is used with CiscoSecure ACS for Windows NT.
- After the LDAP server is stopped, any attempt to authenticate via the unknown user policy using LDAP will fail; however, CiscoSecure ACS for Windows NT does not issue an error message back to the NAS. There is no workaround at this time.
- If the MCIS account status is set to a value other than 1, the authentication failure is logged as Unknown. There is no workaround at this time.
- When accessing the External User Databases: Database Group Mapping: MCIS Configuration page, the following message displays:
Define MCIS group set An error has occurred while processing the Authen DLL Configure Page because an error occurred in the DLL processing this request.
- The workaround is to obtain the Active Directory Client software and install it on the CiscoSecure ACS for Windows NT machine.
Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
You can access CCO in the following ways:
- WWW: http://www.cisco.com
- WWW: http://www-europe.cisco.com
- WWW: http://www-china.cisco.com
- Telnet: cco.cisco.com
- Modem: From North America, 408 526-8070; from Europe, 33 1 64 46 40 82. Use the following terminal settings: VT100 emulation; databits: 8; parity: none; stop bits: 1; and connection rates up to 28.8 kbps.
For a copy of CCO's Frequently Asked Questions (FAQ), contact firstname.lastname@example.org. For additional information, contact email@example.com.
Note If you are a network administrator and need personal technical assistance with a Cisco product that is under warranty or covered by a maintenance contract, contact Cisco's Technical Assistance Center (TAC) at 800 553-2447, 408 526-7209, or firstname.lastname@example.org. To obtain general information about Cisco Systems, Cisco products, or upgrades, contact 800 553-6387, 408 526-7208, or email@example.com.
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more current than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.
Posted: Mon Feb 1 13:33:27 PST 1999