Release Notes for Cisco Secure Access Control Server for Windows Server Version 3.1


September 2002

These release notes pertain to Cisco Secure Access Control Server for Windows Server (Cisco Secure ACS) version 3.1.1.

Contents

Introduction

New and Changed Features

Installation Notes

Changes to Token Server Support

Changes to CiscoSecure Database Replication

Changes to Inter-Cisco Secure ACS Communication

Evaluation Version

Limitations and Restrictions

Caveats

Related Documentation

Obtaining Technical Assistance

Introduction

Cisco Secure ACS provides authentication, authorization, and accounting (AAA—pronounced "triple A") services to network devices that function as AAA clients, such as a network access server, PIX Firewall, or router. A AAA client is any device that requests AAA services from Cisco Secure ACS using one of the AAA protocols it supports. For a general description of Cisco Secure ACS and its features, see User Guide for Cisco Secure ACS for Windows Server.

Documentation Roadmap

With the exception of online documentation, all Cisco Secure ACS documentation is available in PDF format on the product CD. The documentation directory on the CD also contains a white paper about Cisco Secure ACS and related products and technologies.

Cisco Secure ACS documentation includes the following items:

Installation Guide for Cisco Secure ACS for Windows Server (DOC-7814713=)—Contains information and procedures required for installing Cisco Secure ACS.

User Guide for Cisco Secure ACS for Windows Server (DOC-7814696=)—Contains concepts about Cisco Secure ACS and procedures for using all Cisco Secure ACS features.

Installation and User Guide for Cisco Secure ACS User-Changeable Passwords—Contains procedures for installing and using the User-Changeable Password utility for Cisco Secure ACS.

Online Documentation—In addition to the abbreviated help that appears adjacent to every page in the Cisco Secure ACS HTML interface, the online documentation contains the same information as User Guide for Cisco Secure ACS for Windows Server.

You can also access Cisco Secure ACS documentation on Cisco.com at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/index.htm

You can find other product literature, including white papers, data sheets, and product bulletins, at the following URL:

http://www.cisco.com/warp/public/cc/pd/sqsw/sq/prodlit/index.shtml

New and Changed Features

We have added the following features to Cisco Secure ACS 3.1.1:

PEAP Support—PEAP provides stronger security, greater extensibility, and support for one-time token authentication and password aging. The goal of our PEAP implementation is to replace LEAP client/server user authentication services with the standards-based, non-proprietary PEAP protocol for wireless user authentication. PEAP provides enhanced security and richer extensibility of end-user databases than can be provided with LEAP.

SSL Support for Administrative Access—Administrative access to the Cisco Secure ACS HTML interface can be secured with SSL. This security enhancement provides both certificate-based server authentication and encrypted tunnel support so that administrative access is encrypted with SSL.

CHPASS Improvements—Cisco Secure ACS allows you to control whether network administrators can change passwords during Telnet sessions hosted by TACACS+ AAA clients.

Improved IP Pool Addressing—Cisco Secure ACS uses the IETF RADIUS Class attribute as an additional index for user sessions. This reduces the possibility of allocating an IP address that is already in use but incorrectly reported to Cisco Secure ACS as released.

Network Device Search—You can search for a configured network device based on the device name, IP address, type (AAA client or AAA server), and network device group. This feature is particularly useful if you are managing several network devices.

Improved PKI Support—During EAP-TLS authentication, Cisco Secure ACS can perform binary comparison of the certificate received from an end-user client to user certificates stored in LDAP directories.

EAP Proxy Enhancements—Cisco Secure ACS supports LEAP and EAP-TLS proxy to other RADIUS or external databases using EAP over standard RADIUS. Previous versions of Cisco Secure ACS relied on LEAP proxy using MSCHAP over RADIUS proxy, making it more difficult to scale over an extended range of external user databases.

Cisco Management Center Application Support—Cisco Secure ACS provides a consolidated administrative TACACS+ control framework for many Cisco security management tools, such as CiscoWorks VPN/Security Management Solution (VMS) and CiscoWorks Management Centers.
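The "Improved IP Pool Addressing" item above relies on a property of the RADIUS Class attribute: the server sends it in the Access-Accept and the AAA client echoes it unmodified in its accounting requests (RFC 2865). The following Python is an added illustration, not Cisco Secure ACS code; the pool model, the session identifiers and the addresses are constructed. It shows how a late accounting stop for an earlier session on a re-used NAS port frees an address that is still in use when sessions are indexed by NAS IP and port only, and how adding the Class value as a second index rejects that stale report.

```python
"""Model of IP-pool session tracking keyed by NAS IP/port alone versus
NAS IP/port plus the RADIUS Class attribute. Added illustration; the data
model, names and addresses are constructed and are not Cisco Secure ACS code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NasKey = Tuple[str, int]   # (AAA client IP, NAS port) as reported in accounting


@dataclass
class Lease:
    address: str
    session_class: str     # Class attribute value handed out in the Access-Accept


class IpPool:
    def __init__(self, addresses: List[str], use_class_index: bool = True):
        self.free = set(addresses)
        self.use_class_index = use_class_index
        self.leases: Dict[NasKey, Lease] = {}
        self._counter = 0

    def allocate(self, nas_ip: str, nas_port: int) -> Lease:
        """Access-Accept: hand out the lowest free address and a fresh Class value."""
        key = (nas_ip, nas_port)
        if key in self.leases:
            # Port re-use: a new session on a port we still track means the
            # old session on that port is gone, so its address returns to the pool.
            self.free.add(self.leases.pop(key).address)
        if not self.free:
            raise RuntimeError("address pool exhausted")
        self._counter += 1
        lease = Lease(min(self.free, key=ipaddress.ip_address),
                      f"acs-session-{self._counter}")   # constructed Class format
        self.free.remove(lease.address)
        self.leases[key] = lease
        return lease

    def release(self, nas_ip: str, nas_port: int,
                session_class: Optional[str] = None) -> bool:
        """Accounting stop. Returns True only if an address was actually freed.

        With the Class index enabled, a stop whose Class does not match the
        current lease on that port belongs to an earlier session and is ignored."""
        key = (nas_ip, nas_port)
        lease = self.leases.get(key)
        if lease is None:
            return False
        if self.use_class_index and session_class != lease.session_class:
            return False
        del self.leases[key]
        self.free.add(lease.address)
        return True


def stale_stop_scenario(use_class_index: bool) -> dict:
    """Port re-use followed by a late accounting stop for the replaced session."""
    pool = IpPool(["10.0.0.5", "10.0.0.6"], use_class_index)
    nas = "192.0.2.1"                 # constructed AAA client address
    a = pool.allocate(nas, 3)         # user A gets 10.0.0.5 on NAS port 3
    b = pool.allocate(nas, 3)         # port 3 re-used by user B; A's lease is dropped
    # The AAA client delivers A's accounting stop late; it carries A's Class value.
    freed = pool.release(nas, 3, a.session_class)
    c = pool.allocate(nas, 7)         # next user on another port
    return {"b": b.address, "c": c.address, "stale_stop_freed": freed,
            "duplicate": b.address == c.address}


if __name__ == "__main__":
    print("NAS IP/port only :", stale_stop_scenario(use_class_index=False))
    print("plus Class index :", stale_stop_scenario(use_class_index=True))
```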

Installation Notes

For information about installing Cisco Secure ACS, see Installation Guide for Cisco Secure ACS for Windows Server, version 3.1.

Changes to Token Server Support

With the exception of RSA SecurID token servers, Cisco Secure ACS supports token servers using RADIUS. This is a change from earlier versions, which used vendor-proprietary interfaces for token servers. Beginning with Cisco Secure ACS 3.0.1, we supported CRYPTOCard token servers using a standard RADIUS interface. Cisco Secure ACS 3.1.1 extends the use of RADIUS to all token servers except RSA SecurID. For RSA SecurID, the vendor-proprietary interface is used.

If you upgrade to Cisco Secure ACS 3.1, the installation program may prompt you for information about token servers, depending on the version of Cisco Secure ACS you are upgrading from and the token server databases detected by the upgrade process.

If you are upgrading from Cisco Secure ACS 3.0, the installation program prompts you for information if you have one of these token servers:

SafeWord

PassGo (formerly Axent)

If you are upgrading from Cisco Secure ACS 2.6, the installation program prompts you for information if you have one of these token servers:

CRYPTOCard

SafeWord

PassGo

With this information, the installation program replaces the older token server configuration with a new one that uses the RADIUS interface of the token server. For more information about RADIUS support by your token server, see the applicable token server documentation.


Note If a RADIUS-based token server, such as CRYPTOCard, runs on the same computer as Cisco Secure ACS, make sure that the token server uses UDP ports different from the ports used by Cisco Secure ACS to receive RADIUS requests. For information about RADIUS ports used by Cisco Secure ACS, see User Guide for Cisco Secure ACS for Windows Server. For information about RADIUS ports used by a token server, see the applicable token server documentation.


Changes to CiscoSecure Database Replication

We enhanced the CiscoSecure Database Replication feature to require a handshake between primary and secondary Cisco Secure ACSes. The handshake is based upon the shared secret of the primary Cisco Secure ACS.

Each Cisco Secure ACS has a AAA Servers table that lists itself and the other Cisco Secure ACSes that it is configured to communicate with. Each entry in the AAA Servers table records a shared secret for the Cisco Secure ACS that the list entry represents. The shared secret for the primary Cisco Secure ACS is defined in the AAA Servers table entry that the primary Cisco Secure ACS has for itself.

Each secondary Cisco Secure ACS must have a AAA Servers table entry for the primary Cisco Secure ACS. The shared secret in that entry must be identical to the shared secret in the AAA Servers table entry that the primary Cisco Secure ACS has for itself. When this is true, replication succeeds.

If a secondary Cisco Secure ACS has a AAA Servers table entry for the primary Cisco Secure ACS and the shared secret in that entry does not match the shared secret that the primary Cisco Secure ACS records for itself, replication fails.


Note If you are upgrading to Cisco Secure ACS version 3.1 and you use CiscoSecure Database Replication, we recommend that you verify that primary Cisco Secure ACSes and all their secondary Cisco Secure ACSes record identical shared secrets for the primary Cisco Secure ACS.


For more information, see User Guide for Cisco Secure ACS for Windows Server.

Changes to Inter-Cisco Secure ACS Communication

We enhanced communications between Cisco Secure ACSes to use 128-bit encryption. This change has the following effects:

Remote logging with Cisco Secure ACS version 3.1 can only occur with other Cisco Secure ACSes that run version 3.1.

The only version of the web-based User-Changeable Passwords (UCP) application that works with Cisco Secure ACS version 3.1 is the version of UCP distributed with Cisco Secure ACS version 3.1. If you are upgrading to Cisco Secure ACS version 3.1 and you use UCP, you must upgrade UCP, too.

Evaluation Version

The evaluation version of Cisco Secure ACS 3.1 provides full functionality for 90 days after the date of installation. This allows you to use all features of Cisco Secure ACS 3.1 while determining if it suits your needs. The evaluation version of Cisco Secure ACS 3.1 will be available within 30 days after the release of the commercial version of Cisco Secure ACS 3.1.

The evaluation version of Cisco Secure ACS 3.1 can be distinguished from the commercial version in the following ways:

The word "trial" appears in the title of the installation routine.

The Windows Control Panel Add/Remove applet indicates that the Cisco Secure ACS installation is a trial version.

In the administrative interface of Cisco Secure ACS, the word "trial" appears on the title of the initial screen.

When the evaluation period has elapsed, the CSRadius and CSTacacs services fail to start. You will receive a message upon accessing the Cisco Secure ACS HTML interface notifying you that your evaluation period has elapsed.

Purchasing the Commercial Version

Please contact your Cisco Sales Representative(s) to inquire about purchasing the commercial version of Cisco Secure ACS. To purchase the commercial version of Cisco Secure ACS 3.1 online, use Part Number CSACS-3.1-WIN-K9 at the following URL:

http://www.cisco.com/pcgi-bin/cm/welcome.pl

Upgrading to the Commercial Version

After purchasing a commercial version of Cisco Secure ACS 3.1, you can upgrade your Cisco Secure ACS server from the evaluation version to the commercial version by installing the commercial version over the evaluation version. For information on installing Cisco Secure ACS 3.1, follow the instructions in Installation Guide for Cisco Secure ACS for Windows Server, version 3.1.

Limitations and Restrictions

The following limitations and restrictions apply to Cisco Secure ACS 3.1.1.

Interoperability Testing

Cisco Secure ACS has not been interoperability tested with other Cisco software. Other than for the software and operating system versions listed in this document, we performed no interoperability testing. Using untested software with Cisco Secure ACS may cause undesired results. For the best performance of Cisco Secure ACS, we recommend that you use the versions of software and operating systems listed in this document.

Upgrade Testing

We tested upgrading to Cisco Secure ACS version 3.1.1 from the following previous versions:

Cisco Secure ACS version 3.0.2.5

Cisco Secure ACS version 3.0.1.40

Cisco Secure ACS version 2.6.4.

Upgrading from Windows NT 4.0

Cisco Secure ACS version 3.1 runs only on Windows 2000 Server (for operating system requirements, see Installation Guide for Cisco Secure ACS for Windows Server). If you are upgrading from a previous version of Cisco Secure ACS that is running on Windows NT 4.0, you cannot simply upgrade the operating system to Windows 2000 Server. This is because the setup program for previous versions of Cisco Secure ACS detected which Windows operating system the computer used and customized Cisco Secure ACS for that operating system. As a result, upgrading the operating system to Windows 2000 Server without taking the necessary steps causes Cisco Secure ACS to fail.

For information about how to upgrade from Cisco Secure ACS on Windows NT 4.0, see Installation Guide for Cisco Secure ACS for Windows Server.

PEAP Limitations

The Cisco Secure ACS implementation of PEAP has the following limitations:

External Databases Only—PEAP only supports external user databases. The CiscoSecure user database cannot support PEAP authentication; therefore, only users who have an account in a supported external user database can authenticate with PEAP.

Unknown User Processing—Enabling unknown user processing is strictly required to support PEAP authentication. Cisco Secure ACS uses unknown user processing during phase 1 of PEAP authentication, when the username is not known to Cisco Secure ACS. For more information about the Unknown User Policy, see User Guide for Cisco Secure ACS for Windows Server.


Note Unknown user processing can introduce large latencies during authentication. Be sure to configure the Unknown User Policy page to account for this possibility. For more information, see User Guide for Cisco Secure ACS for Windows Server.


EAP-TLS Authentication with Active Directory

To perform EAP-TLS authentication using Active Directory as the external user database, Cisco Secure ACS must run on a domain controller. EAP-TLS authentication using Active Directory fails when Cisco Secure ACS runs on a member server.

Tested Certificate Servers

We used Microsoft CA certificate servers to test Cisco Secure ACS version 3.1.1.

Tested Web Browser Versions

To administer all features included in Cisco Secure ACS 3.1, we recommend that you use one of the following tested web browsers:

Microsoft Internet Explorer version 5.5 for Microsoft Windows

Microsoft Internet Explorer version 6.0 for Microsoft Windows

Netscape Communicator version 6.2.3 for Microsoft Windows


Note If you are using Netscape Communicator, see CSCdx79277: Netscape - no left hand splash buttons with https connectivity.


We did not test other versions of these browsers, nor did we test web browsers by other manufacturers.


Note To use a web browser to access the Cisco Secure ACS HTML interface, you must enable both Java and JavaScript in the browser. Also, the web browser must not be configured to use a proxy server.


Tested Token Server Versions

We tested Cisco Secure ACS version 3.1.1 with the following versions of the supported token servers:

ActivCard Server version 3.1

CRYPTOCard CRYPTOAdmin version 5.16

PassGo (formerly AXENT) Defender version 4.1.3

RSA ACE/Server version 5.0 and ACE/Client version 1.1.2 for Windows 2000

Secure Computing PremierAccess Server version 3.1

Vasco Vacman Server version 6.0.2


Note Cisco Secure ACS version 3.1.1 uses a RADIUS interface to support all token servers, with the exception of RSA ACE/Server. For more information, see Changes to Token Server Support.


Tested LDAP Server

We used Netscape iPlanet Directory Server version 5.1 and Windows 2000 Active Directory with Windows Service Pack 3 to test standard LDAP database support.

Tested Novell NDS and Novell Clients

We used Netware 6.0 to test Novell NDS external user databases. We tested Cisco Secure ACS version 3.1.1 with the Novell Requestor software found in Novell Client version 4.8.3 for Windows 2000. If you want to authenticate users with a Novell NDS external user database, you must install the Novell Requestor software on the computer that runs Cisco Secure ACS.

Tested Windows User Databases

We used Windows 2000 with Service Pack 3 and Windows NT 4.0 with Service Pack 6 to test Cisco Secure ACS version 3.1.1 for Windows authentication.

Tested Windows 2000 Service Packs

We tested Cisco Secure ACS version 3.1.1 with the English-language version of Windows 2000 Service Pack 3.

Tested Platforms for CiscoSecure Authentication Agent

For use with Cisco Secure ACS 3.1.1, we tested CiscoSecure Authentication Agent on the following client platform operating systems:

Windows 98

Windows 2000

We did not test the CiscoSecure Authentication Agent on the following client platform operating systems:

Windows 95

Windows NT 4.0

Caveats

This section identifies caveats and issues for Cisco Secure ACS.

Platform Caveats

Refer to the appropriate release notes for information about hardware caveats that might affect Cisco Secure ACS. You can access these release notes online at the following URLs:

Cisco Aironet Access Point

http://www.cisco.com/univercd/cc/td/doc/product/wireless/

Cisco BBSM

http://www.cisco.com/univercd/cc/td/doc/product/aggr/bbsm/

Cisco Catalyst Switches

http://www.cisco.com/univercd/cc/td/doc/product/lan/

Cisco IOS

http://www.cisco.com/univercd/cc/td/doc/product/software/

Cisco Secure PIX Firewall

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/

Cisco VPN 3000 Concentrator

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3002/

Cisco VPN 5000 Concentrator

http://www.cisco.com/univercd/cc/td/doc/product/aggr/vpn5000/

Resolved Caveats—Version 3.1.1


Note Caveats are printed word-for-word as they appear in our caveat tracking system.


CSCdy65014: CSauth lockup during replication

CSCdy50199: Restart condition for CSMon

CSCdy50140: ACS backup routine does not erase all temporary created files

CSCdy32890: Can not define multiple instances of cisco-ssg-control-info

CSCdy19385: Whitespace only entries in Groupmap javacontol hang browser

CSCdy18833: Auth. fails when ACS/NT 3.0 is auth. to Windows Active Directory

CSCdy16496: T+ Hang when Varsdb breaks

CSCdy16493: NDS does not auth FQ usernames if they begin with . [dot]

CSCdy15215: Character in hostname crashes ACS

CSCdy14582: Minimum account rights needed to start/stop CiscoSecure services

CSCdy11858: When passwords are limited to alphanumeric, all CSMon tests fail

CSCdy11740: Database replication partner order not saved

CSCdy11718: Unable to add renamed user-defined attributes ito Radius accounting

CSCdy02582: user CLID gets truncated after exporting into 3.0

CSCdx92037: Configuring CSNT to use port 2002 only results in gui lockout

CSCdx91072: ODBC Authentication with CHAP/MSCHAP1/2

CSCdx62520: When passwords are limited to alphanumeric, all CSMon tests fail

CSCdx29451: DB updates via RDBMS Sync do not cause replication

CSCdx29446: unauthorized disclosure of data can be achieved using crafted URL

CSCdx29403: CSRadius fails to restart properly on Submit & Restart

CSCdx29400: CSRadius fails to restart properly on Submit & Restart

CSCdx29389: NAR doesn't match with wildcards in NAS definition

CSCdx29383: ODBC Authentication with CHAP/MSCHAP1/2

CSCdx29378: Distribution table and test accounts

CSCdx29377: GlobalAuthenticationConfiguration should be added as per adm privelege

CSCdx29374: sending crafted URL can cause CSADMIN to crash or exec user code

CSCdx29372: Radius Proxy of accounting packets kill CSRadius

CSCdx29370: T+ crashes under load

CSCdx29368: ACS 3.0 crash with Dr Watson Accounting request has no status type

CSCdx21407: Allow anonymous administrator username and password for LDAP

CSCdx19053: User guide wrongly states that reboot.bat exists

CSCdx16701: CSNT variable lengths (groups, NASs restrictions, etc.) undocumented

CSCdw86405: ResetCounters and Quota assignment Action codes are swapped

CSCdw64726: Embedded Documentation on Replication Configuration vague

CSCdw51174: Replication log message shows error on successful completion

CSCdw48049: Docs need clarification regarding Windows authentication

CSCdw45665: Docs inaccurate and incomplete regarding max number of AAA clients

CSCdw27571: GlobalAuthenticationConfiguration should be added as per adm privele

CSCdw19605: ACS 2.6(3) stops authenticating under heavy load - NDS

CSCdw09587: acs with external database DB2,not send foreign IP

CSCdw07015: Class attribute missing from Radius Accounting section

CSCdv62731: Docs wrong about Domain List effect on failed Win DB logins

CSCdv47186: Unable to add renamed user-defined attribute ito Radius accounting

CSCdu39662: ERROR_EXPORT_DISK_TOO_LOW error when upgrading to CSNT 2.6

CSCdp40874: CSNT refuse/allow new behavior undocumented

Open Caveats—Version 3.1.1


Note Caveats are printed word-for-word as they appear in our bug tracking system.


This section identifies known caveats and issues with Cisco Secure ACS 3.1.1.

CSCdu33140: PPTP Tunnel with VPN3000 and MS-CHAP V2 method

A PPTP tunnel using a Cisco VPN 3000-series concentrator and MS-CHAP version 2 fails. The VPN concentrator indicates that authentication passed; however, tunnel establishment fails. When using the MS-CHAP version 1 method with the same configuration, tunnel establishment succeeds. When using the concentrator's internal user database with MS-CHAP version 2, tunnel establishment succeeds.

Workaround/Solution: The following steps are required when configuring Cisco Secure ACS to support a PPTP tunnel with the MS-CHAP version 2 (and version 1) authentication methods:

Set up at least two users on Cisco Secure ACS: one as the tunnel user and the others as the authenticated users. The tunnel user name and its password must be the same as the tunnel group name on the concentrator and its password.

The authenticated users must also include the following settings in Cisco Secure ACS:

In "IETF RADIUS Attributes", select the "[025] Class" check box and enter the following value in the text box: "ou=groupname;" where groupname is the name of the tunnel user configured previously.

In "Microsoft RADIUS Attributes", select the "[311\012] MS-CHAP-MPPE-Keys" check box.

Add a group whose name matches the tunnel user name, and in the "Cisco VPN 3000 Concentrator RADIUS Attributes" select the [3076\011] CVPN3000-Tunneling-Protocols check box and the [3076\020] CVPN3000-PPTP-Encryption check box.

Select the [3076\011] CVPN3000-Tunneling-Protocols check box, then select PPTP from the corresponding list.

Select the [3076\020] CVPN3000-PPTP-Encryption check box, then select 128-bit or lower from the corresponding list, according to the client encryption capability.

Use the Windows 2000 PPTP client and establish the PPTP tunnel via MS-CHAP V2 authentication method.

CSCdu48120: CSNT error occurred during the move data process

When Installing Cisco Secure ACS, you may see the following error:

An error occurred during the move data process: -115

followed by several other errors, such as:

Cannot run command D:\Program Files\CiscoSecureACS vx.x\UtilsCSUpdate -install CSAuth - The system cannot find the file specified
Cannot run command D:\Program Files\CiscoSecureACS vx.x\UtilsCSUpdate-install CSLog - The system cannot find the file specified
Cannot run command D:\Program Files\CiscoSecureACS vx.x\UtilsCSUpdate-install CSRadius - The system cannot find the file specified

Workaround/Solution: Delete pdh.dll from the Windows system32 directory, then restart the installation.

CSCdv35872: Insufficient length for NDS context entry

When a Novell NDS database configuration in Cisco Secure ACS has a context list greater than 4095 characters long, editing the NDS configuration page results in incorrect HTML in the browser interface.

Workaround/Solution: Use a context list no longer than 4096 characters.

CSCdv86707: User Data Field name is not replicated

Changes to user-defined fields in user records do not appear to replicate. After the user-defined fields are changed in the Interface Configuration section on the primary Cisco Secure ACS server and replication succeeds, the secondary Cisco Secure ACS server does not display the changes to the user-defined fields in the HTML interface.

Workaround/Solution: The changes to the user-defined fields do replicate successfully; however, to see the changes on the secondary Cisco Secure ACS server, restart the CSAdmin service.

CSCdv86708: HTTP Port Allocation is not replicated

Changes to HTTP Port Allocation settings do not appear to replicate. After the HTTP Port Allocation settings are changed on the Access Policy Setup page in the Administration Control section on the primary Cisco Secure ACS server and replication succeeds, the secondary Cisco Secure ACS server does not display the changes to the HTTP Port Allocation settings in the HTML interface.

Workaround/Solution: The changes to the HTTP Port Allocation settings do replicate successfully; however, to see the changes on the secondary Cisco Secure ACS server, restart the CSAdmin service.

CSCdv89331: VOIP Accounting Configuration - no upgrade, no backup & restore

In the System Configuration section, settings made on the VoIP Account Configuration page are not restored from backup. Neither are these settings preserved during reinstallation of Cisco Secure ACS 3.0 or upgrading to a later build of Cisco Secure ACS 3.0.

Workaround/Solution: Manually configure the VoIP Accounting Configuration page.

CSCdx56300: Certificates cant be found in OS storage

When using the "Use certificate from storage" option on the ACS Certificate Setup page in System Configuration, the error message "Cannot find certificate with specified common name in the ACS storage" occurs even though the server certificate was installed in the operating system local machine storage.

Workaround/Solution: To install a server certificate in local machine storage so that Cisco Secure ACS can find it, follow the instructions in "Extensible Authentication Protocol Transport Layer Security Deployment Guide for Wireless LAN Networks", available at:

http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/acstl_wp.htm

CSCdx66485: discrepancies with Logged-in users report for Aironet users

When a wireless user initially authenticates and the Cisco Aironet Access Point (AP) sends an accounting start packet to Cisco Secure ACS, the Logged-in Users report contains an entry for that user, provided that the AP sends correctly formatted accounting packets.

Later, when the AP performs a re-key authentication, Cisco Secure ACS treats this authentication as a new authentication on the same AAA client IP/port as a "port re-use" and terminates the previous session state.

Because the AP does not send a new accounting start after a re-key, the user never reappears in the Logged-in Users report.

Workaround/Solution: None at this time.

Cisco plans to add the Service-Type RADIUS attribute to Aironet LEAP packets such that Service-Type = Login (1) is used for initial authentication and Service-Type = Authenticate only (8) is used for re-key authentication.

A future version of Cisco Secure ACS will interpret this attribute and behave accordingly to avoid the current problem.

CSCdx79277: Netscape - no left hand splash buttons with https connectivity

If you implement HTTPS transport for access to the Cisco Secure ACS HTML interface and you use Netscape Communicator version 6.2.3 running on Windows 2000 Professional with Windows Service Pack 2, Cisco Secure ACS does not present the Navigation Bar that usually displays the section buttons on the left side of the page.

Workaround/Solution: The problem is caused by Netscape. If you implement HTTPS, use Microsoft Internet Explorer for Windows, version 5.5 or 6.0, to access the Cisco Secure ACS HTML interface.

CSCdx81108: LDAP registry error

If you have more than one external user database configuration for a given database type and you delete one of them, the Unknown User Policy may not be updated correctly. For example, you can configure multiple LDAP databases and add each one separately to the Unknown User Policy list. If you deleted one of the LDAP database configurations, the Unknown User Policy list may not accurately reflect the changes you've made.

Workaround/Solution: One of two workarounds can be selected to alleviate this bug:

Do not delete configurations, but rather, deselect them from the 'Unknown User Policy'.

If a configuration is to be deleted, then delete all other configurations OF THE SAME TYPE, and re-apply the configurations which are to remain.

CSCdx81906: Unable to replicate to more than 20 partners

A customer has run into a limit of 20 replication partners. You can configure more, but the 21st partner in the list will not work: the master reports that it is not responding.

Workaround/Solution: If you delete one of the servers higher up in the list, thus moving the problem server into slot number 20, replication works.

CSCdx87666: Axent Token not upgraded correctly

Upon upgrading to Cisco Secure ACS 3.1, a database configuration for an Axent token server keeps its name rather than being renamed to PassGo, the name by which Axent is now known. This old configuration remains in the Unknown User Policy, and group mappings for it are also preserved under the old name.

Workaround/Solution: None. The name of a database configuration is arbitrary and has no impact upon the use of the database configuration. If having the name Axent is confusing, delete the database configuration and create a new PassGo database configuration with an acceptable name.

CSCdy00057: EAP-TLS Binary certificate comparison fails with Novell NDS

EAP-TLS authentication fails when the external database is Novell NDS (Netware 6) and the comparison method is binary.

Workaround/Solution: For binary comparison, the user certificate must be stored in an attribute named "usercertificate". Configure Novell NDS to store user certificates in the "usercertificate" attribute. You cannot use the "usercertificate;binary" attribute instead.

CSCdy11747: deleted SPC remain configured in user/ group profiles

If a shared profile component is deleted, user and group profiles previously configured to use the deleted component still reference it, causing authorization failures.

Workaround/Solution: When you delete a shared profile component, such as a network access restriction, command authorization set, or downloadable PIX ACL, be sure that no user or group profiles reference the component you want to delete.

CSCdy11863: Invalid PIX ACL is accepted

Cisco Secure ACS accepts empty and therefore invalid PIX ACLs. There are two ways this can occur. In the first, you can submit only a space in the PIX ACL. In the second, you can delete the contents of a previously submitted, valid PIX ACL and resubmit it successfully.

Workaround/Solution: None at this time.

CSCdy14259: T+ ascii login doesn't work correctly with cryptocard

Users authenticating with CryptoCard incorrectly receive a password prompt in addition to the username, challenge, and response prompts.

Workaround/Solution: Users can enter any string at the password prompt and press Enter, then continue CryptoCard authentication normally.

CSCdy30639: ACSNT rename of network device group problem with command set

Each time you rename a network device group, Cisco Secure ACS does not update the association between the renamed group and the command authorization set applied to the devices in that group, so the association is lost.

Workaround/Solution: Manually delete the association between the old device group name and the command set, then manually add a new association between the renamed device group and the same command set.

CSCdy38832: List All Users/Group column value is 0 after restore/install wit

The group list in Group Setup shows inaccurate user counts if you reload the internal user database using CSUtil.exe. This can also occur after an upgrade in which you preserve the existing configuration.

Workaround/Solution: None.

CSCdy44924: MCIS Appears when upgrading from 2.6.4

When you upgrade from version 2.6.4, which supports MCIS as an external user database, Cisco Secure ACS 3.1 does not remove the MCIS configuration from External User Databases.

It should be removed, because versions 3.0.1, 3.0.2, and 3.1 do not support MCIS.

Workaround/Solution: Manually delete any MCIS external user database configurations.

CSCdy44938: Activcard auth misbehavior via T+

The problem occurs when TACACS+ is used with an ActivCard token server as an external user database. If the asynchronous (challenge/response) OTP authentication mode is used and a user enters a wrong response, that user cannot authenticate for the next 2 to 3 minutes; authentication requests are denied even when the correct credentials are entered.

Workaround/Solution: After several minutes, users can authenticate with the correct credentials.

CSCdy44940: OTP Password is echoed on T+ NAS

When a TACACS+ login uses a static shell password prompt defined under TACACS+ Shell Configuration and the user is authenticated against a RADIUS OTP external database, the user's OTP password (fixed or dynamic) is always echoed on the TACACS+ AAA client input. An echoed password is visible to anyone watching the terminal and is captured in any terminal session log.

Workaround/Solution: None.

CSCdy44946: Safeword change password option not supported

Safeword PremierAccess server version 3.1 was tested as a Safeword OTP server for Cisco Secure ACS 3.1. When you create a fixed-password user account on Safeword PremierAccess server version 3.1, there is a check box "User must change password with first login". If it is checked, the user is forced to change the password at the next login. When Cisco Secure ACS authenticates a Safeword external user, this option is not supported and the authentication fails. This is true for both RADIUS AAA clients and TACACS+ AAA clients.

Workaround/Solution: None.

CSCdy46284: Vasco auth misbehavior via T+

The problem occurs when TACACS+ is used with a Vasco token server as an external user database. If the asynchronous (challenge/response) OTP authentication mode is used and a user enters a wrong response, that user cannot authenticate for the next 2 to 3 minutes; authentication requests are denied even when the correct credentials are entered.

Workaround/Solution: After several minutes, users can authenticate with the correct credentials.

CSCdy51214: fail to delete aaa server when its in sync table/aaa server side

A AAA server cannot be deleted from the "(Not Assigned) AAA Servers" table in Network Configuration if the Synchronize list under Synchronization Partners on the RDBMS Synchronization Setup page is empty. The error message "x.x.x.x can not be deleted since it is an synchronization partner" appears.

Workaround/Solution: Move any other AAA server to the Synchronize list, then delete the AAA server.

CSCdy59706: CAA messaging wont work with ppp callback and callin authentication

When PPP callback is configured and only incoming calls are authenticated (ppp authentication pap chap callin), messaging to the CiscoSecure Authentication Agent (CAA) client fails for all aging rules selected in Cisco Secure ACS.

This is a documentation bug; the configuration above does not work without changes.

Workaround/Solution: Either remove the callin keyword so that both callin and callout (callback, in this scenario) are authenticated, or disable callback altogether.

CSCdy64935: After editing CTL, restart message is not displayed

After an administrator changes the Certificate Trust List (CTL), the services must be restarted for the new settings to take effect, but the standard Cisco Secure ACS restart message is not displayed.

Workaround/Solution: After modifying the CTL, go to the Service Control page in System Configuration and click Restart.

Related Documentation

The following documents directly support Cisco Secure ACS:

User Guide for Cisco Secure ACS for Windows Server

Installation Guide for Cisco Secure ACS for Windows Server

Installation and User Guide for Cisco Secure ACS User-Changeable Passwords

You can find other product literature, including white papers, data sheets, and product bulletins, at the following URL:

http://www.cisco.com/warp/public/cc/pd/sqsw/sq/prodlit/index.shtml

In addition to these documents, online documentation is provided within the Cisco Secure ACS user interface. The entire Cisco Secure ACS documentation set is also available at the following URL:

http://www.cisco.com/warp/public/cc/pd/sqsw/sq/

Obtaining Technical Assistance

Cisco provides Cisco Connection Online (CCO) as a starting point for all technical assistance. Warranty or maintenance contract customers can use the Technical Assistance Center. All customers can submit technical feedback on Cisco documentation using the web, e-mail, a self-addressed stamped response card included in many printed docs, or by sending mail to Cisco.

Cisco Connection Online

Cisco continues to revolutionize how business is done on the Internet. Cisco Connection Online is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.

CCO's broad range of features and services helps customers and partners to streamline business processes and improve productivity. Through CCO, you will find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online support services, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.

Customers and partners can self-register on CCO to obtain additional personalized information and services. Registered users may order products, check on the status of an order and view benefits specific to their relationships with Cisco.

You can access CCO in the following ways:

WWW: www.cisco.com

Telnet: cco.cisco.com

Modem using standard connection rates and the following terminal settings: VT100 emulation; 8 data bits; no parity; and 1 stop bit.

From North America, call 408 526-8070

From Europe, call 33 1 64 46 40 82

You can e-mail questions about using CCO to cco-team@cisco.com.

Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.

Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you with these tasks:

Streamline business processes and improve productivity

Resolve technical issues with online support

Download and test software packages

Order Cisco learning materials and merchandise

Register for online skill assessment, training, and certification programs

If you want to obtain customized information and service, you can self-register on Cisco.com. To access Cisco.com, go to this URL:

http://www.cisco.com

Technical Assistance Center

The Cisco Technical Assistance Center (TAC) is available to warranty or maintenance contract customers who need technical assistance with a Cisco product that is under warranty or covered by a maintenance contract.

To display the TAC web site, which includes links to technical support information and software upgrades and lets you request TAC support, go to www.cisco.com/techsupport.

To contact by e-mail, use one of the following:

Language             E-mail Address
English              tac@cisco.com
Hanzi (Chinese)      chinese-tac@cisco.com
Kanji (Japanese)     japan-tac@cisco.com
Hangul (Korean)      korea-tac@cisco.com
Spanish              tac@cisco.com
Thai                 thai-tac@cisco.com

In North America, TAC can be reached at 800 553-2447 or 408 526-7209. For other telephone numbers and TAC e-mail addresses worldwide, consult the following web site: http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml.

Documentation Feedback

If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.

You can e-mail your comments to bug-doc@cisco.com.

To submit your comments by mail, you can use the response card that many documents include behind the front cover. Otherwise, mail your comments to the following address:

Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate and value your comments.