Cisco Secure Access Control Server for Windows

Release Notes for Cisco Secure ACS for Windows 2000/NT Servers Version 3.0

Table of Contents

Release Notes for Cisco Secure Access Control Server for Windows 2000/NT Servers Version 3.0
Contents
Introduction
New Features
Installation Notes
Changes to CRYPTOCard Support
Evaluation Version
Limitations and Restrictions
Caveats
Related Documentation
Obtaining Documentation
Obtaining Technical Assistance

Release Notes for Cisco Secure Access Control Server for Windows 2000/NT Servers Version 3.0


March 2002

These release notes pertain to Cisco Secure Access Control Server for Windows 2000/NT Servers (Cisco Secure ACS) version 3.0.1.

Contents

Introduction

Cisco Secure ACS provides authentication, authorization, and accounting (AAA—pronounced "triple A") services to network devices that function as AAA clients, such as a network access server, PIX Firewall, or router. A AAA client is any such device that provides AAA client functionality and uses one of the AAA protocols supported by Cisco Secure ACS.

Cisco Secure ACS helps centralize access control and accounting, in addition to router and switch access management. With Cisco Secure ACS, network administrators can quickly administer accounts and globally change levels of service offerings for entire groups of users. Although the use of an external user database is optional, support for many popular user repository implementations enables companies to put to use the working knowledge gained from and the investment already made in building their corporate user repositories.

Cisco Secure ACS supports Cisco AAA clients such as the Cisco 2509, 2511, 3620, 3640, AS5200 and AS5300, AS5800, the Cisco PIX Firewall, Cisco Aironet Access Point wireless networking devices, Cisco VPN 3000-series Concentrators, and Cisco VPN 5000-series Concentrators. It also supports third-party devices that can be configured with Terminal Access Controller Access Control System (TACACS+) or Remote Access Dial-In User Service (RADIUS) protocols. Cisco Secure ACS treats all such devices as AAA clients. Cisco Secure ACS uses the TACACS+ and RADIUS protocols to provide AAA services that ensure a secure environment. For more information about support for TACACS+ and RADIUS in Cisco Secure ACS, see the Cisco Secure ACS for Windows 2000/NT Servers User Guide.

Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers provides information about the following subjects:

  • System requirements
  • Network requirements

Cisco Secure ACS for Windows 2000/NT Servers User Guide provides detailed information about configuring and using Cisco Secure ACS. This guide is available from Cisco.com or on the product CD.

New Features

We have added several major and minor features to Cisco Secure ACS.

Major Features

The major features added to Cisco Secure ACS are as follows:

  • 802.1x Support—Cisco Secure ACS support for 802.1x strengthens access control for switched LAN and wireless LAN users. 802.1x is a new access control standard proposed in the IEEE for managing port-level access control. 802.1x relies on Extensible Authentication Protocol (EAP), carried in RADIUS messages, to manage user authentication and authorization.
  • EAP-MD5, EAP-TLS—In addition to LEAP, Cisco Secure ACS supports EAP-MD5 and EAP-TLS authentication. EAP is an IETF RFC standard for carrying various authentication methods over any PPP connection. EAP-MD5 is a username/password method incorporating MD5 hashing for security. EAP-TLS is a method for authenticating both Cisco Secure ACS and users with X.509 digital certificates. This method also provides dynamic session key negotiation.
  • Command Authorization Sets—Command authorization sets provide a centralized mechanism to manage TACACS+ administrative control. Driven by some of the largest enterprise and service provider networks that use Cisco Secure ACS, command authorization sets provide a method to group and name device command profiles that can be paired with users, groups of users, or network device groups. A key benefit of command authorization sets is the ability to remove any requirement of individual privilege level or command restrictions on each AAA client. This feature greatly enhances the scalability and manageability of setting device command authorization restrictions for network administrators.
  • MS CHAP version 2 Support and MS CHAP Password Aging Support—Cisco Secure ACS supports MS CHAP version 2. In addition, we added an MS CHAP-based password aging feature which works with the Microsoft Dial-Up Networking client, the Cisco VPN client (version 3.0 or greater), and any desktop client that supports MS CHAP. This feature prompts a user to change his or her password after a login where the user password has expired. The MS CHAP-based password-aging feature supports users who authenticate with a Windows user database and is offered in addition to password aging supported by the CiscoSecure user database.

Note    Cisco VPN 3000-series Concentrators and Cisco IOS will support MS CHAP password aging in upcoming releases. We plan to implement MS CHAP password aging in Cisco IOS using MS CHAP version 2.

Minor Features

The minor features added to Cisco Secure ACS are as follows:

  • Per-User Access Control Lists (ACLs)—This feature allows administrators to define ACLs of any length, for users or groups of users.
  • Shared Network Access Restrictions (NARs)—The ability to name NARs simplifies the assignment of identical NARs to multiple users or groups of users.
  • Wildcards in NARs—Cisco Secure ACS supports wildcards for designating end-user client IP addresses and ports in IP-based NARs. In CLI/DNIS-based NARs, Cisco Secure ACS supports wildcards for CLI and DNIS values. You can apply NARs to a single AAA client, a network device group, or all AAA clients. Wildcarding of AAA clients is supported by using the multiple devices per AAA client feature, described next.
  • Multiple Devices per AAA Client Configuration—You can create a single AAA client configuration that defines a set of network devices sharing the same shared key, authentication method, and logging/accounting parameters. Cisco Secure ACS enables you to provide multiple IP addresses when you configure a AAA client in the HTML interface, including the use of wildcards in IP addresses.
  • Multiple LDAP Lookups and LDAP Failover—Cisco Secure ACS enables you to create multiple LDAP external user database configurations. You can also define backup LDAP servers in the event that a primary LDAP server is not available.
  • User-Defined RADIUS Vendor-Specific Attributes (VSAs)—Cisco Secure ACS now supports user-defined inbound and outbound RADIUS VSAs.
  • Improved User Documentation—We reorganized and heavily revised the online documentation and Cisco Secure ACS for Windows 2000/NT Servers Version 3.0 User Guide. We rewrote and expanded Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers. We heavily revised Web Server Installation for Cisco Secure ACS 3.0 for Windows 2000/NT User-Changeable Passwords.

To supplement the documentation, white papers addressing the use and deployment of various protocols and AAA clients are posted at the following location:

http://www.cisco.com/warp/public/cc/pd/sqsw/sq/prodlit/index.shtml.

Installation Notes

For information about installing Cisco Secure ACS, see Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers.

Changes to CRYPTOCard Support

Before Cisco Secure ACS 3.0.1, support for CRYPTOCard token servers used the vendor-proprietary interface provided with the CRYPTOCard token server. Beginning with Cisco Secure ACS 3.0.1, we support CRYPTOCard token servers using a standard RADIUS interface.

If you upgrade to Cisco Secure ACS 3.0 and had configured CRYPTOCard authentication in the previous installation of Cisco Secure ACS, the installation program prompts you for information about the CRYPTOCard RADIUS server. With this information, the installation program replaces the older CRYPTOCard configuration with a new one that uses the RADIUS interface of the CRYPTOCard easyRADIUS server. To use the RADIUS interface of the CRYPTOCard server, be sure the CRYPTOCard easyRADIUS server is installed on a CRYPTOCard Windows server. For more information about CRYPTOCard easyRADIUS, see CRYPTOCard documentation.

We successfully tested running Cisco Secure ACS and the CRYPTOCard easyRADIUS server on the same Windows server. Testing occurred on Windows NT 4.0 with Service Pack 6 and Windows 2000 with Service Pack 2. We used versions 5.0 and 5.1 of the CRYPTOCard easyRADIUS server. However, we do not recommend that you run the CRYPTOCard easyRADIUS server on the same Windows server that runs Cisco Secure ACS. If you choose to do so, be sure that Cisco Secure ACS and CRYPTOCard easyRADIUS use different ports to receive RADIUS requests.

You can change the UDP ports used by the CRYPTOCard RADIUS server by editing its services file, usually located in c:\WINNT\system32\drivers\etc. For more information about the UDP ports used by the CRYPTOCard RADIUS server and how to change them, see your CRYPTOCard documentation.

Evaluation Version

The evaluation version of Cisco Secure ACS 3.0 provides full functionality for 90 days after the date of installation. This allows you to use all the features of Cisco Secure ACS 3.0 while determining if it suits your needs. The evaluation version of Cisco Secure ACS 3.0 will be available 30 days after the release of the commercial version of Cisco Secure ACS 3.0.

The evaluation version of Cisco Secure ACS 3.0 can be distinguished from the commercial version in the following ways:

  • The word "trial" appears in the title of the installation routine.
  • The Windows Control Panel Add/Remove applet indicates that the Cisco Secure ACS installation is a trial version.
  • In the administrative interface of Cisco Secure ACS, the word "trial" appears on the title of the initial screen.

When the evaluation period has elapsed, the CSRadius and CSTacacs services fail to start. You will receive a message upon accessing the administrative interface notifying you that your evaluation period has elapsed.

Purchasing the Commercial Version

Please contact your Cisco Sales Representative(s) to inquire about purchasing the commercial version of Cisco Secure ACS. To purchase the full, retail version of Cisco Secure ACS 3.0 online, use Part Number CSACS-3.0 at the following URL:

http://www.cisco.com/pcgi-bin/cm/welcome.pl

Upgrading to the Commercial Version

After purchasing a commercial version of Cisco Secure ACS 3.0, you can upgrade your Cisco Secure ACS server from the evaluation version to the commercial version by installing the commercial version over the evaluation version. For information on installing Cisco Secure ACS 3.0, follow the instructions in Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers.

Limitations and Restrictions

The following topics are limitations and restrictions that apply to Cisco Secure ACS 3.0.

Interoperability Testing

Cisco Secure ACS has not been interoperability-tested with other Cisco software. Other than the software and operating system versions listed in this document, we performed no interoperability testing. Using untested software with Cisco Secure ACS may cause undesired results. For the best performance of Cisco Secure ACS, we recommend that you use the versions of software and operating systems listed in this document.

Tested Certificate Servers

We tested EAP-TLS certificate requests using the following certificate servers:

  • Microsoft CA
  • VeriSign Onsite PKI

Tested Web Browser Versions

To administer all features included in Cisco Secure ACS 3.0.1, we recommend that you use a tested web browser. We tested Cisco Secure ACS 3.0.1 with the following web browsers:

  • Microsoft Internet Explorer version 5.0 for Microsoft Windows
  • Microsoft Internet Explorer version 5.5 for Microsoft Windows
  • Netscape Communicator version 4.76 for Microsoft Windows

We did not test other versions of these browsers, nor did we test web browsers by other manufacturers.

Tested Token Server Versions

We tested Cisco Secure ACS 3.0.1 with the following versions of the supported token servers:

  • AXENT Defender version 4.1
  • Secure Computing SafeWord version 5.2
  • RSA ACE/Server version 4.1 and ACE/Client version 1.1.1 for Windows NT 4.0
  • RSA ACE/Server version 5.0 and ACE/Client version 1.1.2 for Windows 2000

Cisco Secure ACS 3.0.1 supports CRYPTOCard, ActivCard, and Vasco token servers using a common RADIUS token server interface. We tested the common RADIUS token server interface using ActivCard Token Server version 3.1.

For information about CRYPTOCard support, see the "Changes to CRYPTOCard Support" section.

Tested LDAP Server

We tested standard LDAP database support using Netscape Directory Server version 4.1.

Tested Novell Clients

If you are using a Novell NDS database as an external user database, the Novell Requestor software must be installed on the Cisco Secure ACS server. We tested Cisco Secure ACS 3.0.1 with the Novell Requestor software found in Novell Client version 4.8 for Windows NT 4.0 and Windows 2000.

Tested Windows 2000 Service Packs

We tested Cisco Secure ACS 3.0.1 with the English-language versions of Windows 2000 Service Packs 1 and 2.

Tested Platforms for CiscoSecure Authentication Agent

For use with Cisco Secure ACS 3.0.1, we tested CiscoSecure Authentication Agent on the following client platform operating systems:

  • Windows 95
  • Windows 98

We did not test the CiscoSecure Authentication Agent on the following client platform operating systems:

  • Windows 2000
  • Windows NT 4.0

Caveats

This section identifies caveats and issues for Cisco Secure ACS.

Platform Caveats

Refer to the appropriate release notes for information about hardware caveats that might affect Cisco Secure ACS. You can access these release notes online at the following URLs:

Cisco Secure PIX Firewall

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/

Cisco IOS

http://www.cisco.com/univercd/cc/td/doc/product/software/

Cisco VPN 3000 Concentrator

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3002/

Cisco VPN 5000 Concentrator

http://www.cisco.com/univercd/cc/td/doc/product/aggr/vpn5000/

Cisco Aironet Access Point

http://www.cisco.com/univercd/cc/td/doc/product/wireless/

Cisco Catalyst Switches

http://www.cisco.com/univercd/cc/td/doc/product/lan/

Resolved Caveats—Version 3.0.1

Caveats are printed word-for-word as they appear in our bug tracking system.

  • CSCdv61239: TACACS+ Command Accounting updates logged in user list
  • CSCdv42366: Documentation wrong about admin failed attempts feature
  • CSCdv41922: CSMon logs confusing message during replication
  • CSCdv25235: Replication occurs every other time regardless on need
  • CSCdv24984: / in port field of Network Access restriction breaks
  • CSCdu87549: Timeouts required for LDAP searches
  • CSCdu65240: Inter version replication failure error not logged
  • CSCdu65230: Cross version replication error not in docs
  • CSCdu65207: Windows DLL error logging inadequate
  • CSCdu65095: add Usage Quota w/ Netscape in Interface Config removes options
  • CSCdu63791: T+ enable partially broken for external db users
  • CSCdu61901: Cant add userID in lowercase after adding it in uppercase
  • CSCdu41846: Group map for LDAP fails with large numbers of groups
  • CSCdu37391: RDBMS Sync docs are incomplete
  • CSCdu36350: Documentation bug : LDAP and CHAP are not supported together
  • CSCdu02875: CSNT documentation incorrect
  • CSCdt91325: Delayed response to Safeword challenge crashes CSAuth
  • CSCdt75695: When upgrading from 2.4 to 2.6 it doesnot update safeword token dll
  • CSCdt73381: Set password source to External ODBC during RDBMS synchronization
  • CSCdt72305: EAP-Message still available for edit in group profile
  • CSCdt63400: CSNT port 2000 conflict with CCM
  • CSCds43324: NDGs should be definable within NARs rather than individual NAS
  • CSCdw22345: Replication fails on an upgraded ACS

Open Caveats—Version 3.0.1

This section identifies known caveats and issues with Cisco Secure ACS 3.0.1. Caveats are printed word-for-word as they appear in our bug tracking system.

  • CSCds14916: ACS fails to list Windows NT groups when PDC is down

If the active Primary Domain Controller (PDC) for a Windows NT domain is unavailable, you cannot use the Cisco Secure ACS administrative user interface to configure group mappings for this domain.

Workaround/Solution: If the configuration changes are not vital, wait until the PDC becomes available again. Otherwise, promote a suitable Backup Domain Controller to the role of PDC.

  • CSCds15692: Installer replaces Cisco Secure VPN Client (1.1) DLL

If Cisco Secure VPN Client version 1.1 is installed on the Windows NT 4.0 server on which you are installing Cisco Secure ACS, Cisco Secure ACS fails to install, with an error message about the following file:

NSLDAPSSL32V30.dll

This file is necessary for the VPN Client to work properly.

Workaround/Solution: Exit the Cisco Secure ACS installation, uninstall Cisco Secure VPN Client from the server, install Cisco Secure ACS, and then reinstall Cisco Secure VPN Client.

  • CSCds22861: GUI does not allow user to change RADIUS auth/acct ports

The user interface does not allow an administrator to change the default RADIUS authentication (1645) and accounting (1646) ports. Routers using Cisco IOS versions later than 12.1 have changed their default behavior to reflect the new ports of 1812 for authentication and 1813 for accounting.

Workaround/Solution: Cisco Secure ACS now supports both pairs of ports for RADIUS authentication and accounting. Ports 1645 and 1812 are used for RADIUS authentication; ports 1646 and 1813, for RADIUS accounting.

If you need to use ports other than those supported by Cisco Secure ACS, you can change the ports used for RADIUS authentication and accounting by editing attribute values of the proper key in the Windows Registry. The ports are the AccountingPort and AuthenticationPort attributes of the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\CISCO\CiscoAAAv2.5\CSRadius

After changing the port attribute values, restart the Cisco Secure ACS server.
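The following PowerShell script is an added example, not part of the Cisco release notes, showing how an administrator would apply the port change described in caveat CSCds22861 while guarding against the port clash the "Changes to CRYPTOCard Support" section warns about when a CRYPTOCard easyRADIUS server runs on the same host. It assumes the AuthenticationPort and AccountingPort values are REG_DWORD values under the key the caveat names (adjust the CiscoAAAv2.5 segment to your build), that the service is the CSRadius service named elsewhere in these notes, and that restarting CSRadius alone is sufficient; the caveat itself says to restart the Cisco Secure ACS server, so do that if the service restart does not pick up the new ports.

```powershell
param(
    [int]$AuthPort = 1812,
    [int]$AcctPort = 1813,
    # Key path as printed in caveat CSCds22861 (assumption: version segment matches your build).
    [string]$KeyPath = 'HKLM:\SOFTWARE\CISCO\CiscoAAAv2.5\CSRadius',
    [string]$BackupFile = "$env:TEMP\CSRadius-ports-backup.reg"
)

# Parse "netstat -an -p udp" into the set of UDP ports bound on this host.
function Get-BoundUdpPorts {
    $ports = @{}
    foreach ($line in (netstat -an -p udp)) {
        # Typical row: "  UDP    0.0.0.0:1645           *:*"
        if ($line -match '^\s*UDP\s+\S+:(\d+)\s') { $ports[[int]$Matches[1]] = $true }
    }
    return $ports
}

# 1. Stop CSRadius so its own sockets are not mistaken for a conflict.
Stop-Service -Name CSRadius -ErrorAction Stop
(Get-Service -Name CSRadius).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))

# 2. Refuse ports another process already holds, e.g. a co-located CRYPTOCard easyRADIUS server.
$bound = Get-BoundUdpPorts
$clash = @($AuthPort, $AcctPort) | Where-Object { $bound.ContainsKey($_) }
if ($clash) {
    Start-Service -Name CSRadius
    throw "UDP port(s) $($clash -join ', ') are already in use on this host; choose different ports."
}

# 3. Back up the key before changing it so the edit can be reverted.
$regKey = $KeyPath -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
reg export $regKey $BackupFile /y | Out-Null

# 4. Write the two attributes the caveat names (assumed to be REG_DWORD values).
Set-ItemProperty -Path $KeyPath -Name AuthenticationPort -Value $AuthPort -Type DWord
Set-ItemProperty -Path $KeyPath -Name AccountingPort    -Value $AcctPort -Type DWord

# 5. Start the service again and confirm it is listening on the new ports.
Start-Service -Name CSRadius
Start-Sleep -Seconds 5
$bound = Get-BoundUdpPorts
foreach ($p in @($AuthPort, $AcctPort)) {
    if (-not $bound.ContainsKey($p)) {
        Write-Warning "CSRadius is not listening on UDP $p; check the CSRadius log and restart the server as the caveat directs."
    }
}
```

Run it from an elevated PowerShell session on the Cisco Secure ACS server; the pre-change port check is what keeps two RADIUS servers on one host from silently stealing each other's requests.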

  • CSCds44804: Windows 2000-style user@domain authentication not supported

Windows 2000 allows users to enter their user names as username@domain-name (for example, fred@domain.com). This format is equivalent to entering the Windows NT 4.0 user name DOMAIN/fred.

Workaround/Solution: Cisco Secure ACS does not support this style of user name when authenticating against an external Windows 2000 server. Continue to prefix account names with the NT 4.0-style domain name.

  • CSCds48020: Installation GUI Before You Begin check boxes are unclear

On the Before You Begin dialog box of the Cisco Secure ACS installation, the following three check box items could be misunderstood.

  • A dial-up client can successfully dial in to the network access server.
  • The network access server is running Cisco IOS release 11.1 or later.
  • Microsoft Internet Explorer v5.0 (or later) or Netscape Communicator v4.7 (or later) is installed on this Windows 2000/NT Server.

Workaround/Solution: The three check box items are clarified below.

    • Dial-up clients only need to be able to connect to your network if you intend to support dial-up access. If not, this is not a requirement for installing Cisco Secure ACS.
    • Only Cisco IOS devices need to be running Cisco IOS release 11.1 or later. Other devices, such as supported versions of the Cisco Aironet Access Point, do not need to be running Cisco IOS.
    • The supported web browsers must also have a Java virtual machine installed in order to support the Cisco Secure ACS administration interface.

  • CSCds88673: Timeout issue for Aironet client causing authentication problem

Cisco Secure ACS pauses for several seconds before replying to a Cisco Aironet Access Point authentication request. This results in the Access Point resending its authentication request.

Workaround/Solution: None. Authentications for valid requests succeed after the delay.

  • CSCds90678: Failed to Edit TACACS+ (Cisco IOS) configuration

If you use Internet Explorer 5.5 or Netscape 4.7 and refresh or reload the frame when viewing Interface Configuration: TACACS+(Cisco IOS), you receive the following error message:

Vendor Config Edit Failed
-------------------------
Failed to Edit TACACS+ (Cisco IOS)
configuration
because -=+None+=-

Workaround/Solution: Click Interface Configuration: TACACS+(Cisco IOS) and continue editing the TACACS+ settings.

In Cisco Secure ACS 3.0, this behavior does not occur with Internet Explorer 5.5.

  • CSCdu33140: PPTP Tunnel with VPN3000 and MS-CHAP V2 method

A PPTP tunnel using a Cisco VPN 3000-series concentrator and MS-CHAP version 2 fails. The VPN concentrator indicates that authentication passed; however, tunnel establishment fails. When using the MS-CHAP version 1 method with the same configuration, tunnel establishment succeeds. When using the concentrator's internal user database with MS-CHAP version 2, tunnel establishment succeeds.

Workaround/Solution: The following steps are required when configuring Cisco Secure ACS to support a PPTP tunnel with the MS-CHAP version 2 (and version 1) authentication method:

Set up at least two users on Cisco Secure ACS: one as the tunnel user and the others as the authenticated users. The tunnel user name and password must match the tunnel group name and password configured on the concentrator.

The authenticated users must include the following settings in Cisco Secure ACS, as well:

  • In "IETF RADIUS Attributes", select the "[025] Class" check box and enter "ou=groupname;" in the text box, where groupname is the tunnel user name configured previously.
  • In "Microsoft RADIUS Attributes", select the "[311\012] MS-CHAP-MPPE-Keys" check box.
  • Add a group whose name matches the tunnel user name, and in "Cisco VPN 3000 Concentrator RADIUS Attributes":
    • Select the [3076\011] CVPN3000-Tunneling-Protocols check box, then select PPTP from the corresponding list.
    • Select the [3076\020] CVPN3000-PPTP-Encryption check box, then select 128-bit or lower from the corresponding list, according to the client encryption capability.

Use the Windows 2000 PPTP client and establish the PPTP tunnel via MS-CHAP V2 authentication method.

  • CSCdu40827: Passwords submitted with Netscape on Solaris dont work

Passwords get corrupted when submitted using Netscape on Solaris.

Workaround/Solution: Use one of the Windows web browser versions listed in the "Tested Web Browser Versions" section.

  • CSCdu48120: CSNT error occurred during the move data process

When installing Cisco Secure ACS, you may see the following error:

An error occurred during the move data process: -115

followed by several other errors, such as:

Cannot run command D:\Program Files\CiscoSecureACS vx.x\UtilsCSUpdate -install CSAuth - The system cannot find the file specified
Cannot run command D:\Program Files\CiscoSecureACS vx.x\UtilsCSUpdate-install CSLog - The system cannot find the file specified
Cannot run command D:\Program Files\CiscoSecureACS vx.x\UtilsCSUpdate-install CSRadius - The system cannot find the file specified

Workaround/Solution: Delete pdh.dll from the Windows system32 directory, then restart the installation.

  • CSCdu72474: Group Enable option for define max priv. on a per NDG basis

The "Define max Privilege on a per network device group basis" option of the Enable Options feature in Group Setup does not work if this option has not first been configured once in User Setup.

Workaround/Solution: Configure this feature for users first (rather than for a group). Then, reconfigure this feature for a group. After doing so, this feature works on a group level. All failed attempts are registered in the failed attempts log as "T+ enable privilege too low."

  • CSCdu76831: 255 IP address fails on installation

During installation, if you use an IP address of 10.0.10.255 with a 23-bit subnet mask (255.254.0.0), the installation fails with an error message indicating that you cannot use a broadcast IP address.

Workaround/Solution: During installation, enter any IP address not ending in 255. After installation, use the Cisco Secure ACS HTML interface to correct the IP address.

  • CSCdu84042: Win2k external database,W2K groups cant be seen

Windows 2000 groups for remote domains cannot be seen by Cisco Secure ACS running on a Windows NT 4.0 member server.

Workaround/Solution: On the Cisco Secure ACS server, configure all Cisco Secure ACS services to run using a domain administrator account for the domain of which the server is a member. For more information about additional configuration required to run Cisco Secure ACS 3.0 on a Windows NT 4.0 member server, see Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers.

The services associated with Cisco Secure ACS are:

    • CSAdmin
    • CSAuth
    • CSDBSync
    • CSLog
    • CSMon
    • CSTacacs
    • CSRadius

  • CSCdv29929: Add admin using Netscape causes 100%CPU

If you use Netscape Navigator v.4.7 to access the HTML interface, adding an administrator to Cisco Secure ACS can cause 100% CPU utilization for over a minute. This in turn can cause the CSRadius service to pause until the browser resumes normal operation. The fault lies in the Netscape browser rather than Cisco Secure ACS.

Workaround/Solution: Once the 100% CPU utilization has begun, wait until browser operation returns to normal. This should be less than five minutes. To avoid the behavior altogether, use a tested version of Microsoft Internet Explorer; see the "Tested Web Browser Versions" section of these release notes.

  • CSCdv35872: Insufficient length for NDS context entry

When a Novell NDS database configuration in Cisco Secure ACS has a context list greater than 4095 characters long, editing the NDS configuration page results in incorrect HTML in the browser interface.

Workaround/Solution: Use a context list no longer than 4096 characters.

  • CSCdv47186: Unable to add renamed user-defined attributes ito Radius accounting

Adding the user fields (3, 4, 5) to the RADIUS accounting file fails.

After these fields are renamed under User Attributes in Interface Configuration and then added to the RADIUS Accounting log, the changes do not appear in the log.

To reproduce this problem, follow these steps:

1. Change the names of Real Name, User field 2, User field 3, or any of the User Defined Fields in Interface Configuration.

2. In System Configuration, select Logging, and then select CSV Radius Accounting.

3. Add one (or more) of the changed fields to the right column.

4. Click Submit.

5. Select the CSV Radius Accounting log again.

6. The field you just moved to the right column will no longer be in the right column, but will appear in the left column once more.

Workaround/Solution: After renaming a user-defined attribute, restart all Cisco Secure ACS services from the Windows Control Panel. Once the services have been restarted, the CSV RADIUS Accounting configuration screen shows the renamed attributes and remembers their selection when the page is submitted.

  • CSCdv63442: ODBC logging, Fractional truncation errors, not dropping connections

When Cisco Secure ACS is configured to send ODBC logging to an MS SQL database, some accounting records are missing. Connections to the ODBC database are never closed, and eventually open connections can use up all the virtual memory on the server.

You can also see "Fractional Truncation" ODBC messages logged to the ACS_BASEDIR\CSLog\Logs\cslog.log file.

Workaround/Solution: Cisco Secure ACS 3.0 partially resolves the undesired behavior. While fractional truncation may occur, the connection to the ODBC database is closed and reopened without adverse effect on virtual memory.

  • CSCdv85400: IP Address Recovery & Date Format Control - not backup/restore

In the System Configuration section, settings made on the IP Address Recovery page and the Date Format Control page are not restored from backup.

Workaround/Solution: Manually configure the IP Address Recovery and Date Format Control pages.

  • CSCdv85432: CSLog crashes when changing system logging

The CSLog service crashes when you modify ODBC logging configuration during ODBC logging operations.

Workaround/Solution: Do not change logging configuration while Cisco Secure ACS is authenticating users.

  • CSCdv86707: User Data Field name is not replicated

Changes to user-defined fields in user records do not appear to replicate. After the user-defined fields are changed in the Interface Configuration section on the primary Cisco Secure ACS server and replication succeeds, the secondary Cisco Secure ACS server does not display the changes to the user-defined fields in the HTML interface.

Workaround/Solution: The changes to the user-defined fields do replicate successfully; however, to see the changes on the secondary Cisco Secure ACS server, restart the CSAdmin service.

  • CSCdv86708: HTTP Port Allocation is not replicated

Changes to HTTP Port Allocation settings do not appear to replicate. After the HTTP Port Allocation settings are changed on the Access Policy Setup page in the Administration Control section on the primary Cisco Secure ACS server and replication succeeds, the secondary Cisco Secure ACS server does not display the changes to the HTTP Port Allocation settings in the HTML interface.

Workaround/Solution: The changes to the HTTP Port Allocation settings do replicate successfully; however, to see the changes on the secondary Cisco Secure ACS server, restart the CSAdmin service.

  • CSCdv89331: VOIP Accounting Configuration - no upgrade, no backup & restore

In the System Configuration section, settings made on the VoIP Accounting Configuration page are not restored from backup. Neither are these settings preserved during reinstallation of Cisco Secure ACS 3.0 or upgrading to a later build of Cisco Secure ACS 3.0.

Workaround/Solution: Manually configure the VoIP Accounting Configuration page.

  • CSCdv89334: MSCHAP settings in NT/2000 Database configuration - not upgraded

In the External User Databases section, settings on the MS-CHAP Settings table on the Windows NT/2000 User Database Configuration page are not preserved when reinstalling Cisco Secure ACS 3.0 or upgrading to a later build of Cisco Secure ACS 3.0.

Workaround/Solution: Reconfigure the MS-CHAP Settings table after reinstalling Cisco Secure ACS 3.0.

  • CSCdw03887: ACS communicates with win db even if ms-chap v1,2 disab

If neither MS-CHAP version is enabled in System Configuration and a user attempts to authenticate with MS-CHAP, Cisco Secure ACS attempts a PAP authentication using the Windows external user databases, which will fail and result in a failed login attempt. This can result in locked out users even though no MS-CHAP authentication using a Windows database is allowed.

Workaround/Solution: None at this time.

  • CSCdw04627: NULL response to AXENT challenge crashes CSAuth

If a user who usually authenticates with an AXENT token server receives a password challenge, leaves the password field blank, and presses Enter, the CSAuth service fails. The log for CSAuth contains entries similar to:

Start RQ1027, client 1 (127.0.0.1)
Exception trapped at drive:\path\dzauth.c:2727 [Exception trapped on UDB_SEND_RESPONSE]
Exception trapped at drive:\path\dzauth.c:1432 [Exception trapped in dzauth_worker_main]
CSAuth server starting
==============================

Workaround/Solution: Require AXENT users to supply the applicable response at every password challenge.

  • CSCdw07015: Class attribute missing from Radius Accounting section

Under the System Configuration - Logging - Radius Accounting section, the Class (IETF Radius attr. 25) attribute is missing from the list of available attributes.

Workaround/Solution: Edit the Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAvM.m\Dictionaries\002\025

Change value "Profile" from "MULTI OUT" to "MULTI IN OUT".

Restart all services. The admin service (CSAdmin) must be restarted manually from the Control Panel.
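The registry workaround above, scripted in PowerShell as an added example that is not part of the Cisco release notes: it backs up the dictionary key, changes Profile only when it still has the old value, and restarts the services. The Cisco Secure ACS version in the key path is taken as a parameter, and the service names CSAuth, CSLog, CSMon, CSRadius and CSTacacs (beyond CSAdmin, which the notes name) are assumptions.

```powershell
# Added example, not Cisco's own code. Applies the CSCdw07015 workaround
# (Class attribute missing from RADIUS Accounting) with a backup and a check.
# Assumptions: the ACS major.minor version is given as a parameter, and the
# ACS services are named CSAdmin, CSAuth, CSLog, CSMon, CSRadius, CSTacacs.
param(
    [string]$Version = '3.0',
    [string]$BackupDir = $env:TEMP
)

$subKey = "SOFTWARE\Cisco\CiscoAAAv$Version\Dictionaries\002\025"
$psPath = "HKLM:\$subKey"

if (-not (Test-Path $psPath)) {
    throw "Dictionary key for IETF attribute 25 not found: $psPath"
}

# Export the key first so the change can be reverted with regedit.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupDir "acs-dict-002-025-$stamp.reg"
& reg.exe export "HKEY_LOCAL_MACHINE\$subKey" $backup | Out-Null
Write-Host "Backup written to $backup"

# Only change the value if it still carries the default from the notes.
$current = (Get-ItemProperty -Path $psPath -Name Profile).Profile
switch ($current) {
    'MULTI OUT' {
        Set-ItemProperty -Path $psPath -Name Profile -Value 'MULTI IN OUT'
        Write-Host "Profile changed from 'MULTI OUT' to 'MULTI IN OUT'"
    }
    'MULTI IN OUT' {
        Write-Host 'Workaround already applied; nothing changed.'
    }
    default {
        throw "Unexpected Profile value '$current'; key left untouched."
    }
}

# The notes require restarting all services, CSAdmin included, before the
# Class attribute appears in the RADIUS Accounting attribute list.
foreach ($svc in 'CSAdmin', 'CSAuth', 'CSLog', 'CSMon', 'CSRadius', 'CSTacacs') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Restart-Service -Name $svc -Force
        Write-Host "Restarted $svc"
    }
}
```

Run the script from an elevated PowerShell session on the Cisco Secure ACS host; the throw on an unexpected Profile value is deliberate so that a dictionary that has been customized is never overwritten blindly.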

  • CSCdw55565: tacacs+ accounting is logged in tacacs+ administration logs

In Cisco Secure ACS 3.0 (CSNT 3.0), TACACS+ accounting packets from some devices, such as the PIX Firewall and switches, are logged in the TACACS+ Administration log instead of the TACACS+ Accounting log.

Workaround/Solution: To restore the logging behavior of previous versions, stop the Cisco Secure ACS services, back up the registry, and use regedit to make the following changes:

HKEY_LOCAL_MACHINE\SOFTWARE\CiscoAAAv3.0\CSLOG\Loggers\CSV TACACS+ Accounting filter=preV3_tacacsAccountingFilter

HKEY_LOCAL_MACHINE\SOFTWARE\CiscoAAAv3.0\CSLOG\Loggers\CSV TACACS+ Administration=preV3_tacacsAdminFilter

Then restart the services.

Related Documentation

The following documents directly support Cisco Secure ACS:

  • Cisco Secure ACS for Windows 2000/NT Servers Version 3.0 User Guide
  • Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers
  • Web Server Installation for Cisco Secure ACS 3.0 for Windows 2000/NT User-Changeable Passwords

You can find other product literature, including white papers, data sheets, and product bulletins, at the following URL:

http://www.cisco.com/warp/public/cc/pd/sqsw/sq/prodlit/index.shtml.

In addition to these documents, online documentation is provided within the Cisco Secure ACS user interface. The entire Cisco Secure ACS documentation set is also available at the following URL:

http://www.cisco.com/warp/public/cc/pd/sqsw/sq/

Obtaining Documentation

The following sections explain how to obtain documentation from Cisco Systems.

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at the following URL:

http://www.cisco.com

Translated documentation is available at the following URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.

Ordering Documentation

Cisco documentation is available in the following ways:

  • Registered Cisco Direct Customers can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/public/ordsum.html

  • Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:

http://www.cisco.com/go/subscription

  • Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

If you are reading Cisco product documentation on Cisco.com, you can submit technical comments electronically. Click Leave Feedback at the bottom of the Cisco Documentation home page. After you complete the form, print it out and fax it to Cisco at 408 527-0730.

You can e-mail your comments to bug-doc@cisco.com.

To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:

Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.

Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you to

  • Streamline business processes and improve productivity
  • Resolve technical issues with online support
  • Download and test software packages
  • Order Cisco learning materials and merchandise
  • Register for online skill assessment, training, and certification programs

You can self-register on Cisco.com to obtain customized information and service. To access Cisco.com, go to the following URL:

http://www.cisco.com

Technical Assistance Center

The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two types of support are available through the Cisco TAC: the Cisco TAC Web Site and the Cisco TAC Escalation Center.

Inquiries to Cisco TAC are categorized according to the urgency of the issue:

  • Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.
  • Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
  • Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.
  • Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.

Which Cisco TAC resource you choose is based on the priority of the problem and the conditions of service contracts, when applicable.

Cisco TAC Web Site

The Cisco TAC Web Site allows you to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to the following URL:

http://www.cisco.com/tac

All customers, partners, and resellers who have a valid Cisco services contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to the following URL to register:

http://www.cisco.com/register/

If you cannot resolve your technical issues by using the Cisco TAC Web Site, and you are a Cisco.com registered user, you can open a case online by using the TAC Case Open tool at the following URL:

http://www.cisco.com/tac/caseopen

If you have Internet access, it is recommended that you open P3 and P4 cases through the Cisco TAC Web Site.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses issues that are classified as priority level 1 or priority level 2; these classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer will automatically open a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to the following URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled; for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). In addition, please have available your service agreement number and your product serial number.

This document is to be used in conjunction with the "Related Documentation" section.

CCIP, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Fast Step, Follow Me Browsing, FormShare, Internet Quotient, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That's Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, GigaStack, IOS, IP/TV, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0201R)

Copyright © 1999-2002, Cisco Systems, Inc.
All rights reserved.