Table of Contents
Release Notes for
CiscoSecure ACS 2.3(2) for Windows NT Server
Microsoft Commercial Internet System (MCIS) Message
User Expiration Dates
CSDBSync Expiration Date
Incorrectly Formed Usernames
TACACS+ Single-Connect Timeout
User Expiration Time
Importing External Users
Lightweight Directory Access Protocol (LDAP) Port Numbers
Deleting Nonexistent Usernames
Re-adding Deleted Usernames
Dragging Hyperlinks in Microsoft Internet Explorer 3.02
Proxy with Dial-Up Networking
Installing Internet Explorer when CiscoSecure ACS 2.3(2) for Windows NT Is Already Installed
IP Pooling and Virtual Private Dialup Networks (VPDN)
Open Database Connectivity (ODBC) and Structured Query Language (SQL) 6.5
Changed Passwords and SQL Servers
ODBC Authentication System Data Source Name (DSN)
User Status Inconsistent
Single Connection Per User on PIX Firewall
User-Defined Field Name Not Showing
Network Access Server (NAS) Port Name Blank
NAS Port Filter
Release Notes for
CiscoSecure ACS 2.3(2) for Windows NT Server
March 29, 1999
These release notes contain important information regarding CiscoSecure ACS 2.3(2) for Windows NT Server (CiscoSecure ACS 2.3(2) for Windows NT). For complete documentation on this product, refer to the following documents:
- CiscoSecure ACS 2.3 for Windows NT Server User Guide
- Quick Installation Card: CiscoSecure ACS 2.3 for Windows NT Server
- Read Me First: CiscoSecure ACS 2.3 for Windows NT Server Getting Started
- Quick Reference Card: Web Server Installation for CiscoSecure ACS for Windows NT User-Changeable Passwords
- Release Notes for CiscoSecure ACS 2.3(1) for Windows NT Server
These release notes discuss the following topics:
- Addition page 2
- Closed Issues page 2
- Open Issues and Workarounds page 4
- Cisco Connection Online page 7
- Documentation CD-ROM page 8
CiscoSecure ACS 2.3(2) for Windows NT operates properly with Windows NT Service Pack 4.
The following issues have been closed with this release of CiscoSecure ACS for Windows NT.
- Remote Access Dial-In User Service (RADIUS) accounting no longer has issues with unknown users.
- When accessing the External User Databases: Database Group Mapping: MCIS Configuration page, a new message displays when the Active Directory Client software is not installed on the CiscoSecure ACS for Windows NT machine.
- CSAdmin no longer hangs when an attempt is nade to restore backup from previous releases of CiscoSecure ACS 2.3(2) for Windows NT.
- Upper range check on user expiration dates is now performed.
- CSDBSync account expiration dates are now Year 2000 compliant.
- Incorrectly formed usernames are no longer treated as internal server errors.
- Terminal Access Controller Access Control System (TACACS+) single-connect timeout is now configurable.
- User expiration times are now evaluated as local time rather than Coordinated Universal Time (UTC).
- Password fields for imported external users are no longer empty.
- MCIS account-status failure is now logged correctly.
- Misconfigured LDAP port numbers now log in failed attempts correctly.
- CiscoSecure ACS for Windows NT now responds correctly if the LDAP server is stopped.
- CSAuth now continues to work when nonexistent usernames are deleted.
- Re-adding deleted usernames no longer affects user.dat.
The issues for CiscoSecure ACS for Windows NT listed in this section remain open.
- With Netscape Communicator 4.01, when the Hypertext Markup Language (HTML) interface times out, a Java reconnect dialog box opens. However, clicking OK does not reestablish the session. The workaround is either to log in again or to use a different version of the browser.
- With Internet Explorer 3.02, when you drag any of the hyperlinks, the navigation bar is hidden, and an Internet Explorer message window opens. The workaround is either to use the browser's Back button or to use a different version of the browser.
- When performing Proxy and Windows NT authentication with Windows Dial-Up Networking, CiscoSecure ACS for Windows NT does not strip character strings located in the middle of usernames. For example, if the user ID is corporation@user1 and the domain is DOMAIN01, the authentication package is read as DOMAIN01\corporation@user1. CiscoSecure ACS for Windows NT does not strip "corporation." The workaround is to place the character string to be stripped at the end of the user ID.
- If CiscoSecure ACS 2.3(2) for Windows NT is installed and you then install Internet Explorer, you must restart the system before CiscoSecure ACS 2.3(2) for Windows NT services will start. The workaround is to install Internet Explorer before you install CiscoSecure ACS 2.3(2) for Windows NT.
- CSCdk87655 and CSCdk76477
- Releases of Cisco IOS software prior to Release 12.02 do not support the IP pooling feature of CiscoSecure ACS 2.3(2) for Windows NT with VPDN tunnels. As a result, duplicate IP addresses might be allocated. The workaround is to use Cisco IOS Release 12.02 or later or to use the IP pooling feature of the NAS if you are using VPDN.
- There is an incompatibility issue with the ODBC SQL version 6.5 drivers and CiscoSecure ACS 2.3(2) for Windows NT. The workaround is to follow these steps:
Step 1 Stop all ODBC applications and services.
Step 2 Install the latest ODBC drivers.
Step 3 Install CiscoSecure ACS 2.3(2) for Windows NT.
Note If you do not follow these steps in order, there will be issues with partial ODBC installations and you will have to manually recover by deleting various ODBC dynamic link libraries (DLLs).
- Changes to passwords made on the SQL server do not take effect immediately. This is an SQL issue that might cause security problems, because users can continue to log in using their old passwords until CSAuth is restarted. The workaround is to restart CSAuth after changing passwords on the SQL server.
- If you are using the Microsoft Access ODBC drivers, the ODBC System Data Source Name (DSN) is not retained after reinstalling CiscoSecure ACS 2.3(2) for Windows NT Server. This issue does not arise if you are using SQL ODBC drivers. The workaround is to reinstall ODBC after you have installed CiscoSecure ACS 2.3(2) for Windows NT.
- After a user account is disabled, Internet Explorer displays the user account status as disabled in the User Setup window but still shows it as enabled in the Group Setup window. The workaround is to restart Internet Explorer.
- CiscoSecure ACS 2.3(2) for Windows NT supports only a single connection per user when authenticating on a PIX firewall. This is an issue only for MaxSessions and the Reports and Activity: Logged-In Users window. The accounting logs correctly record the PIX accounting packets; the workaround is to use the accounting logs to track concurrent logins.
- User-defined field names do not appear in the Interface Configuration window of the replicated CiscoSecure ACS 2.3(2) for Windows NT immediately. The workaround is to restart CSAdmin after replication.
- If a user authenticates successfully but fails authorization, the NAS port name is blank in the Failed Attempts Log. There is no workaround at this time.
- The NAS Port filter does not work if the Port Name contains a forward slash (/) character. The workaround is to use port names that do not contain the / character.
Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
You can access CCO in the following ways:
- WWW: http://www.cisco.com
- WWW: http://www-europe.cisco.com
- WWW: http://www-china.cisco.com
- Telnet: cco.cisco.com
- Modem: From North America, 408 526-8070; from Europe, 33 1 64 46 40 82. Use the following terminal settings: VT100 emulation; databits: 8; parity: none; stop bits: 1; and connection rates up to 28.8 kbps.
For a copy of CCO's Frequently Asked Questions (FAQ), contact email@example.com. For additional information, contact firstname.lastname@example.org.
Note If you are a network administrator and need personal technical assistance with a Cisco product that is under warranty or covered by a maintenance contract, contact Cisco's Technical Assistance Center (TAC) at 800 553-2447, 408 526-7209, or email@example.com. To obtain general information about Cisco Systems, Cisco products, or upgrades, contact 800 553-6387, 408 526-7208, or firstname.lastname@example.org.
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more current than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.