Cisco Secure Access Control Server for Windows

Release Notes for Cisco Secure Access Control Server for Windows 2000/NT Servers Version 3.0.4

October 2003

These release notes pertain to Cisco Secure Access Control Server for Windows 2000/NT Servers (Cisco Secure ACS) version 3.0.4.

Introduction

Cisco Secure ACS provides authentication, authorization, and accounting (AAA—pronounced "triple A") services to network devices that function as AAA clients, such as a network access server, PIX Firewall, or router. A AAA client is any such device that provides AAA client functionality and uses one of the AAA protocols supported by Cisco Secure ACS.

Cisco Secure ACS helps centralize access control and accounting, in addition to router and switch access management. With Cisco Secure ACS, network administrators can quickly administer accounts and globally change levels of service offerings for entire groups of users. Although using an external user database is optional, Cisco Secure ACS supports many popular user databases, enabling companies to use the knowledge gained from and the investment already made in building their corporate user databases.

Cisco Secure ACS supports Cisco AAA clients such as the Cisco 2509, 2511, 3620, 3640, AS5200 and AS5300, AS5800, the Cisco PIX Firewall, Cisco Aironet Access Point wireless networking devices, Cisco VPN 3000-series Concentrators, and Cisco VPN 5000-series Concentrators. It also supports third-party devices that can be configured with Terminal Access Controller Access Control System (TACACS+) or Remote Access Dial-In User Service (RADIUS) protocols. Cisco Secure ACS treats all such devices as AAA clients. Cisco Secure ACS uses the TACACS+ and RADIUS protocols to provide AAA services that ensure a secure environment. For more information about support for TACACS+ and RADIUS in Cisco Secure ACS, see the Cisco Secure ACS for Windows 2000/NT Servers User Guide.

Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers provides information about the following subjects:

  • System requirements
  • Network requirements

Cisco Secure ACS for Windows 2000/NT Servers User Guide provides detailed information about configuring and using Cisco Secure ACS. This guide is available from Cisco.com or on the product CD.

New Features

We have added several major and minor features to Cisco Secure ACS 3.0.

Major Features

The major features added to Cisco Secure ACS are as follows:

  • 802.1x Support—Cisco Secure ACS support for 802.1x strengthens access control for switched LAN and wireless LAN users. 802.1x is a new access control standard proposed by the IEEE for managing port-level access control. 802.1x relies on Extensible Authentication Protocol (EAP), carried in RADIUS messages, to manage user authentication and authorization.
  • EAP-MD5, EAP-TLS—In addition to supporting LEAP, Cisco Secure ACS supports EAP-MD5 and EAP-TLS authentication. EAP is an IETF RFC standard for carrying various authentication methods over any PPP connection. EAP-MD5 is a username and password method incorporating MD5 hashing for security. EAP-TLS is a method for authenticating both Cisco Secure ACS and users with X.509 digital certificates. This method also provides dynamic session key negotiation.
  • Command Authorization Sets—Command authorization sets provide a centralized mechanism to manage TACACS+ administrative control. Driven by some of the largest enterprise and service provider networks that use Cisco Secure ACS, command authorization sets provide a method to group and name device command profiles that can be paired with users, groups of users, or network device groups. A key benefit of command authorization sets is the ability to remove any requirement of individual privilege level or command restrictions on each AAA client. This feature greatly enhances the scalability and manageability of setting device command authorization restrictions for network administrators.
  • MS CHAP version 2 Support and MS CHAP Password Aging Support—Cisco Secure ACS supports MS CHAP version 2. In addition, we added an MS CHAP-based password-aging feature which works with the Microsoft Dial-Up Networking client, the Cisco VPN client (version 3.0 or greater), and any desktop client that supports MS CHAP. This feature prompts a user to change his or her password after a login where the user password has expired. The MS CHAP-based password-aging feature supports users who authenticate with a Windows user database and is offered in addition to password aging supported by the CiscoSecure user database.

Note    Cisco VPN 3000-series Concentrators and Cisco IOS will support MS CHAP password aging in upcoming releases.

Minor Features

The minor features added to Cisco Secure ACS are as follows:

  • Per-User Access Control Lists (ACLs)—This feature allows administrators to define ACLs of any length for users or groups of users.
  • Shared Network Access Restrictions (NARs)—The ability to name NARs simplifies the assignment of identical NARs to multiple users or groups of users.
  • Wildcards in NARs—Cisco Secure ACS supports wildcards for designating end-user client IP addresses and ports in IP-based NARs. In CLI/DNIS-based NARs, Cisco Secure ACS supports wildcards for CLI and DNIS values. You can apply NARs to a single AAA client, a network device group, or all AAA clients. Wildcarding of AAA clients is supported by using the multiple devices per AAA client feature, described next.
  • Multiple Devices per AAA Client Configuration—You can create single AAA client configurations that define a set of network devices that use the same shared key, authentication method, and logging/accounting parameters. Cisco Secure ACS enables you to provide multiple IP addresses, including the use of wildcards in IP addresses, when you configure a AAA client in the HTML interface.
  • Multiple LDAP Lookups and LDAP Failover—Cisco Secure ACS enables you to create multiple LDAP external user database configurations. You can also define backup LDAP servers for use if a primary LDAP server is not available.
  • User-Defined RADIUS Vendor-Specific Attributes (VSAs)—Cisco Secure ACS now supports user-defined inbound and outbound RADIUS VSAs.
  • Improved User Documentation—We reorganized and heavily revised the online documentation and Cisco Secure ACS for Windows 2000/NT Servers Version 3.0 User Guide. We rewrote and expanded Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers. We heavily revised Web Server Installation for Cisco Secure ACS 3.0 for Windows 2000/NT User-Changeable Passwords.

To supplement the documentation, white papers about using and deploying various protocols and AAA clients are posted at the following URL:

http://www.cisco.com/warp/public/cc/pd/sqsw/sq/prodlit/index.shtml

Installation Notes

For information about installing Cisco Secure ACS, see Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers.

Changes to CRYPTOCard Support

Before Cisco Secure ACS 3.0.1, support for CRYPTOCard token servers used the vendor-proprietary interface provided with the CRYPTOCard token server. Beginning with Cisco Secure ACS 3.0.1, we support CRYPTOCard token servers using a standard RADIUS interface.

If you upgrade to Cisco Secure ACS 3.0 and had configured CRYPTOCard authentication in the previous installation of Cisco Secure ACS, the installation program prompts you for information about the CRYPTOCard RADIUS server. With this information, the installation program replaces the older CRYPTOCard configuration with a new one that uses the RADIUS interface of the CRYPTOCard easyRADIUS server. To use the RADIUS interface of the CRYPTOCard server, be sure the CRYPTOCard easyRADIUS server is installed on a CRYPTOCard Windows server. For more information about CRYPTOCard easyRADIUS, see CRYPTOCard documentation.

We tested running Cisco Secure ACS and the CRYPTOCard easyRADIUS server on the same Windows server. Testing occurred on Windows NT 4.0 with Service Pack 6 and Windows 2000 with Service Pack 2. We used CRYPTOCard easyRADIUS server versions 5.0 and 5.1. However, we recommend that you do not run the CRYPTOCard easyRADIUS server on the same Windows server that runs Cisco Secure ACS. If you choose to do so, be sure that Cisco Secure ACS and CRYPTOCard easyRADIUS use different ports to receive RADIUS requests.

You can change the UDP ports used by the CRYPTOCard RADIUS server by editing its services file, usually located in c:\WINNT\system32\drivers\etc. For more information about the UDP ports used by the CRYPTOCard RADIUS server and how to change them, see your CRYPTOCard documentation.

Evaluation Version

The evaluation version of Cisco Secure ACS 3.0 provides full functionality for 90 days after the date of installation. This allows you to use all features of Cisco Secure ACS 3.0 while determining if it meets your needs. The evaluation version of Cisco Secure ACS 3.0 will be available 30 days after the release of the commercial version of Cisco Secure ACS 3.0.

You can distinguish the evaluation version of Cisco Secure ACS 3.0 from the commercial version in the following ways:

  • The word "trial" appears in the title of the installation routine.
  • The Windows Control Panel Add/Remove applet indicates that the Cisco Secure ACS installation is a trial version.
  • In the administrative interface of Cisco Secure ACS, the word "trial" appears on the title of the initial screen.

When the evaluation period has elapsed, the CSRadius and CSTacacs services fail to start. You will receive a message upon accessing the administrative interface notifying you that your evaluation period has elapsed.

Purchasing the Commercial Version

Please contact your Cisco Sales Representative(s) to inquire about purchasing the commercial version of Cisco Secure ACS. To purchase the commercial version of Cisco Secure ACS 3.0 online, use Part Number CSACS-3.0 at the following URL:

http://www.cisco.com/pcgi-bin/cm/welcome.pl

Upgrading to the Commercial Version

After purchasing a commercial version of Cisco Secure ACS 3.0, you can upgrade your Cisco Secure ACS server from the evaluation version to the commercial version by installing the commercial version over the evaluation version. For information on installing Cisco Secure ACS 3.0, follow the instructions in Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers.

Limitations and Restrictions

The following topics are limitations and restrictions that apply to Cisco Secure ACS 3.0.4.

Interoperability Testing

Cisco Secure ACS has not been interoperability tested with other Cisco software. Other than for the software and operating system versions listed in this document, we performed no interoperability testing. Using untested software with Cisco Secure ACS may cause undesired results. For the best performance of Cisco Secure ACS, we recommend that you use the versions of software and operating systems listed in this document.

Upgrade Testing

We tested upgrading to Cisco Secure ACS 3.0.4 from Cisco Secure ACS 3.0.3.

Tested Certificate Servers

We used the version of Microsoft CA certificate server included with Windows 2000 Server to test EAP-TLS certificate requests.

Tested Web Browser Versions

To administer all features included in Cisco Secure ACS 3.0.4, we recommend that you use the English-language edition of Microsoft Internet Explorer version 6.0 SP1 for Microsoft Windows. For previous releases of Cisco Secure ACS 3.0, we also tested Netscape Communicator version 7.0 for Microsoft Windows; however, we tested Cisco Secure ACS 3.0.4 solely with Microsoft Internet Explorer.

We did not test other versions of these browsers, nor did we test web browsers by other manufacturers.


Note To use a web browser to access the Cisco Secure ACS HTML interface, configure your web browser as follows:
  • Use an English-language version of a supported browser.
  • Enable Java.
  • Enable JavaScript.
  • Disable HTTP proxy.




Tested Token Servers

We tested the RADIUS token server external user database feature in Cisco Secure ACS version 3.0.4 using RSA ACE/Server version 5.0.

We tested Cisco Secure ACS version 3.0.2 with the following token server software:

  • PassGo (formerly AXENT) Defender version 4.1.3
  • Secure Computing SafeWord version 5.2
  • RSA ACE/Server version 5.0 and ACE/Client version 1.1.2 for Windows 2000
  • ActivCard Server 3.1
  • Vasco Vacman Server 6.0.2

Note   Cisco Secure ACS 3.0.2 supports CRYPTOCard, ActivCard, and Vasco token servers using RADIUS.

For information about CRYPTOCard support, see Changes to CRYPTOCard Support.

Tested LDAP Server

We used Netscape iPlanet Directory Server version 4.2 to test standard LDAP database support.

Tested Novell NDS and Novell Clients

Because we made no changes to Novell support, we did not conduct Novell testing with Cisco Secure ACS version 3.0.4. We tested Cisco Secure ACS version 3.0.2 with the following Novell software:

  • We used Netware 6.0 to test Novell NDS external user databases.
  • We tested Cisco Secure ACS 3.0.2 with the Novell Requestor software found in Novell Client version 4.8.3 for Windows NT/2000. To authenticate users with a Novell NDS external user database, the Novell Requestor software must be installed on the Windows server that runs Cisco Secure ACS.

Tested Windows 2000 Service Packs

We used Windows 2000 with Service Pack 4 and Windows NT 4.0 with Service Pack 6 to test Cisco Secure ACS version 3.0.4 for Windows authentication.


Note   Cisco Secure ACS only supports English language versions of Windows and its Service Packs.

Tested Platforms for CiscoSecure Authentication Agent

Because we made no changes to CiscoSecure Authentication Agent support, we did not conduct CiscoSecure Authentication Agent testing with Cisco Secure ACS version 3.0.4. With Cisco Secure ACS 3.0.2, we tested CiscoSecure Authentication Agent on the following client platform operating systems:

  • Windows 98
  • Windows 2000

We did not test the CiscoSecure Authentication Agent on the following client platform operating systems:

  • Windows 95
  • Windows NT 4.0

Caveats

This section identifies caveats and issues for Cisco Secure ACS.

Platform Caveats

Refer to the appropriate release notes for information about hardware caveats that might affect Cisco Secure ACS. You can access these release notes online at the following URLs.

Cisco Secure PIX Firewall

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/

Cisco IOS

http://www.cisco.com/univercd/cc/td/doc/product/software/

Cisco VPN 3000 Concentrator

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3002/

Cisco VPN 5000 Concentrator

http://www.cisco.com/univercd/cc/td/doc/product/aggr/vpn5000/

Cisco Aironet Access Point

http://www.cisco.com/univercd/cc/td/doc/product/wireless/

Cisco Catalyst Switches

http://www.cisco.com/univercd/cc/td/doc/product/lan/

Resolved Caveats—Version 3.0.4


Note   Caveats are printed word-for-word as they appear in our caveat tracking system.

  • CSCdy00184: Change behaviour for times out pause notifications for CSMon
  • CSCdz67212: Incorrect reply message length is set for EAP re-sends
  • CSCea01192: SPC crash on open
  • CSCea03350: EAP identity request re-sends cause CSAuth to create new session
  • CSCea03361: CSAuth processes EAP out-of-sync messages instead of ignoring
  • CSCea03363: Torrent of EAP re-send messages can cause CSAuth to stuck
  • CSCea03369: CSAuth send EAP-TLS messages with incorrect EAP ident field
  • CSCea07381: Update VPN3K dictionary for v3.6
  • CSCea19930: Leak in CSAuth when using IP based NARs
  • CSCea35303: Change of NDG for NAS isnt applied until CSAuth is restarted manual
  • CSCea55509: T+ max threads default should be changed to 200. (registry)
  • CSCea55523: DEL/Buffer overflow in CSAdmin module can cause crash or hack
  • CSCea67788: Change of NDG for NAS isnt applied until CSAuth is restarted manual
  • CSCea75239: password expiry fails with acs 3.0.2 on memberserver
  • CSCea75306: Need to reboot ACS server before modified user detail are recognised
  • CSCea87621: Unknown user policy with ACE has returned inconsistent group inform
  • CSCeb63025: duplicate selections from pull down menu of downloadable acl
  • CSCeb63029: SPC names are limited to 31 characters in size
  • CSCeb63034: restarting the services does not unlock locked object
  • CSCeb64309: Network Model within ACS Registry grows in accounting
  • CSCeb77357: ACS strips off CN from DN for GroupObjectType
  • CSCeb84807: ACS strips off CN from DN for GroupObjectType
  • CSCec00119: SQL accounting causes cslog crash for Ascend acct packet >=529&<=535
  • CSCec00296: SQL accounting causes cslog crash for Ascend acct packet >=529&<=535
  • CSCec06797: Unable to properly re-order LDAP group mappings
  • CSCec12662: Unable to properly re-order LDAP group mappings

Resolved Caveats—Version 3.0.3

  • CSCdw79587: Bad TACACS+ Authorization packets cause CSLOG to spin
  • CSCdy15221: LDAP Group mapping disappears
  • CSCdy50194: Restart condition for CSMon
  • CSCdy65011: CSauth lockup during replication
  • CSCdy83340: enhancement request:CSDBsync -r should restore more info
  • CSCdy83399: Cannot restore 3.0(1) backup into 3.0(2)
  • CSCdz34158: resume install ends in err on not found files
  • CSCdz44076: CSRadius preventing wlan APs failing over

Resolved Caveats—Version 3.0.2

  • CSCdv63442: ODBC logging, Fractional truncation errors, not dropping connections
  • CSCdv72785: Filter line is empty
  • CSCdv75166: Radius accounting requests not validated fully as per RFC
  • CSCdv89334: MSCHAP settings in NT/2000 Database configuration - not upgraded
  • CSCdw04627: NULL response to AXENT challenge crashes CSAuth
  • CSCdw07015: Class attribute missing from Radius Accounting section
  • CSCdw11365: NULL password to Safeword crashes CSAuth
  • CSCdw15116: ACS alters state attribute while passing it to easyRADIUS
  • CSCdw15251: Certificate Setup Page - parsing certificate subject inadequate
  • CSCdw22345: Replication fails on an upgraded ACS
  • CSCdw27571: Global Authentication Configuration should be added as per adm privilege
  • CSCdw29201: Distribution table and test accounts
  • CSCdw31459: ODBC Authentication with CHAP/MSCHAP1/2 fails because of padding
  • CSCdw34301: LDAP Group mapping reappears
  • CSCdw40579: ACS 3.0 crash with Dr Watson Accounting request has no status type
  • CSCdw42071: DB updates via RDBMS Sync do not cause replication
  • CSCdw46931: ACS authenticates NDS expired/disabled users
  • CSCdw50341: T+ enable partially broken for external db users
  • CSCdw51174: Replication log message shows error on successful completion
  • CSCdw52982: NAR doesnt match with wildcards in NAS definition
  • CSCdw55453: NDS does not auth FQ usernames if they begin with . [dot]
  • CSCdw55565: tacacs+ accounting is logged in tacacs+ administration logs
  • CSCdw56666: EAP-TLS Certificate subject cn different than username
  • CSCdw56671: EAP-TLS username in dotted format
  • CSCdw63060: CSRadius fails to restart properly on Submit & Restart
  • CSCdw66057: CryptoCard authentication fails - token-cacheing not functioning
  • CSCdw78255: T+ crashes under load
  • CSCdw79587: Bad TACACS+ Authorization packets cause CSLOG to spin
  • CSCdw93069: Radius Proxy of accounting packets kill CSRadius
  • CSCdx08524: Config tweaks to improve LEAP/EAP scalability
  • CSCdx12381: Group names in ACS are disappearing intermittently
  • CSCdx15267: Password change dynamically by the user doesnt cause DB replication
  • CSCdx16853: Unable to clear account disable status with RDBMS synchronization
  • CSCdx17622: sending crafted URL can cause CSADMIN to crash or exec user code
  • CSCdx17689: unauthorized disclosure of data can be achieved using crafted URL
  • CSCdx34079: voip accounting adds multiple user-name fields to reports
  • CSCdx62520: When passwords are limited to alphanumeric, all CSMon tests fail
  • CSCdx63893: LEAP problems due to AP out-of-sync packets
  • CSCdx68751: External db lock prevents write to local log files
  • CSCdx68848: CSUTIL add-nas do not flag replication of database
  • CSCdx84564: Improve failed attempts message for invalid EAP request
  • CSCdx85584: Large number of requests from unknown devices can slow server
  • CSCdx85594: No Devices in Network Configuration after Replication
  • CSCdx86614: CSMon should still monitor CSAuth during replication out
  • CSCdx88709: Cross-Site Scripting to CSAdmin
  • CSCdx88749: CSAdmin session is terminated while editing logging settings
  • CSCdx88776: Shared Profile Components not upgraded
  • CSCdx88809: Failed attempt of NDS cached user is logged incorrectly
  • CSCdx90749: ODBC logging, Fractional truncation errors, not dropping connections
  • CSCdx90751: NULL response to AXENT challenge crashes CSAuth
  • CSCdx90752: NULL password to Safeword crashes CSAuth
  • CSCdx90947: LDAP Group mapping reappears
  • CSCdx93099: Automatic certificate enrollment is NOT functioning
  • CSCdx94322: LEAP DLL rejecting users stopped AP failover
  • CSCdx94441: Exception in CSRadius after DNIS/CLI check
  • CSCdy01340: user CLID gets truncated after exporting into 3.0
  • CSCdy02612: DCS assignment policy per NDG works incorrectly
  • CSCdy03581: T+ Hang when Varsdb breaks
  • CSCdy03810: IP-based NAR with denied locations works incorrectly
  • CSCdy07198: ACS does not accept a user with subject cn different from the account
  • CSCdy09527: Replication of all selected components upon Replicate Now cmd
  • CSCdy10640: CSMon should test varsdb as workaround for CSCdx12381
  • CSCdy13048: No default radio button selected
  • CSCdy13056: CSMon Test login process causes to a dirty flag to be set on

Resolved Caveats—Version 3.0.1

Caveats are printed word-for-word as they appear in our bug tracking system.

  • CSCdv61239: TACACS+ Command Accounting updates logged in user list
  • CSCdv42366: Documentation wrong about admin failed attempts feature
  • CSCdv41922: CSMon logs confusing message during replication
  • CSCdv25235: Replication occurs every other time regardless on need
  • CSCdv24984: / in port field of Network Access restriction breaks
  • CSCdu87549: Timeouts required for LDAP searches
  • CSCdu65240: Inter version replication failure error not logged
  • CSCdu65230: Cross version replication error not in docs
  • CSCdu65207: Windows DLL error logging inadequate
  • CSCdu65095: add Usage Quota w/ Netscape in Interface Config removes options
  • CSCdu63791: T+ enable partially broken for external db users
  • CSCdu61901: Cant add userID in lowercase after adding it in uppercase
  • CSCdu41846: Group map for LDAP fails with large numbers of groups
  • CSCdu37391: RDBMS Sync docs are incomplete
  • CSCdu36350: Documentation bug : LDAP and CHAP are not supported together
  • CSCdu02875: CSNT documentation incorrect
  • CSCdt91325: Delayed response to Safeword challenge crashes CSAuth
  • CSCdt75695: When upgrading from 2.4 to 2.6 it doesnot update safeword token dll
  • CSCdt73381: Set password source to External ODBC during RDBMS synchronization
  • CSCdt72305: EAP-Message still available for edit in group profile
  • CSCdt63400: CSNT port 2000 conflict with CCM
  • CSCds43324: NDGs should be definable within NARs rather than individual NAS
  • CSCdw22345: Replication fails on an upgraded ACS

Open Caveats—Version 3.0.4


Note   Caveats are printed word-for-word as they appear in our bug tracking system.

This section identifies known caveats and issues with Cisco Secure ACS 3.0.4.

  • CSCds90678: Failed to Edit TACACS+ (Cisco IOS) configuration

If you use Internet Explorer 5.5 or Netscape 4.7 and refresh or reload the frame when viewing Interface Configuration: TACACS+(Cisco IOS), you receive the following error message:

Vendor Config Edit Failed 
-------------------------
Failed to Edit TACACS+ (Cisco IOS) 
configuration 
because -=+None+=- 

Workaround/Solution: Click Interface Configuration: TACACS+(Cisco IOS) and continue editing the TACACS+ settings.

In Cisco Secure ACS 3.0, this behavior does not occur with Internet Explorer 5.5.

  • CSCdu33140: PPTP Tunnel with VPN3000 and MS-CHAP V2 method

A PPTP tunnel using a Cisco VPN 3000-series concentrator and MS-CHAP version 2 fails. The VPN concentrator indicates that authentication passed; however, tunnel establishment fails. When using the MS-CHAP version 1 method with the same configuration, tunnel establishment succeeds. When using the concentrator's internal user database with MS-CHAP version 2, tunnel establishment succeeds.

Workaround/Solution: Several steps must be completed when configuring Cisco Secure ACS to support a PPTP tunnel with the MS-CHAP version 2 (and version 1) authentication methods:

Set up at least two users on Cisco Secure ACS: one as a tunnel user and the others as the authenticated users. The tunnel user name and its password should be the same as the tunnel group name on the concentrator and its password.

The authenticated users must include the following settings in Cisco Secure ACS, as well:

  • In "IETF RADIUS Attributes", select the "[025] Class" check box and enter the following value in the text box: "ou=groupname;" where groupname is the tunnel user name previously configured.
  • In "Microsoft RADIUS Attributes", select the "[311\012] MS-CHAP-MPPE-Keys" check box.
  • Add a group name similar to the tunnel user's name, and in the "Cisco VPN 3000 Concentrator RADIUS Attributes" select the [3076\011] CVPN3000-Tunneling-Protocols check box and the [3076\020] CVPN3000-PPTP-Encryption check box.
  • Select the [3076\011] CVPN3000-Tunneling-Protocols check box, then select PPTP from the corresponding list.
  • Select the [3076\020] CVPN3000-PPTP-Encryption check box, then select 128-bit or lower from the corresponding list, according to the client encryption capability.

Use the Windows 2000 PPTP client to establish the PPTP tunnel using the MS-CHAP V2 authentication method.
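One way to confirm that a user profile built with the steps above actually puts the listed attributes on the wire is to parse the attribute bytes of a captured Access-Accept and check them. This is an added example, not Cisco code: the function names, the group name pptpgroup, the sample bytes and the PPTP flag value 1 (taken from the VPN 3000 RADIUS dictionary, not from these release notes) are assumptions.

```python
import struct

CLASS, VENDOR_SPECIFIC = 25, 26      # RFC 2865 attribute types
MICROSOFT, CVPN3000 = 311, 3076      # vendor IDs as shown in the ACS attribute labels
PPTP_BIT = 0x01                      # assumption: PPTP flag in CVPN3000-Tunneling-Protocols


def tlv(kind, value):
    """Encode one type/length/value attribute (length counts the 2-byte header)."""
    return bytes([kind, len(value) + 2]) + value


def vsa(vendor, vtype, data):
    """Encode a Vendor-Specific attribute holding a single vendor sub-attribute."""
    return tlv(VENDOR_SPECIFIC, struct.pack("!I", vendor) + tlv(vtype, data))


def parse_tlvs(buf):
    """Split a byte string into (type, value) pairs, rejecting malformed lengths."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        kind, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("bad attribute length")
        out.append((kind, buf[i + 2:i + length]))
        i += length
    return out


def check_pptp_profile(attr_bytes, tunnel_group):
    """Return a list of problems; an empty list means every listed attribute is present."""
    classes, vsas = [], {}
    for kind, value in parse_tlvs(attr_bytes):
        if kind == CLASS:
            classes.append(value)
        elif kind == VENDOR_SPECIFIC:
            if len(value) < 4:
                raise ValueError("Vendor-Specific attribute shorter than a vendor ID")
            vendor = struct.unpack("!I", value[:4])[0]
            for vtype, data in parse_tlvs(value[4:]):
                vsas[(vendor, vtype)] = data

    problems = []
    want = ("ou=%s;" % tunnel_group).encode()
    if want not in classes:
        problems.append("[025] Class is not %s" % want.decode())
    if (MICROSOFT, 12) not in vsas:
        problems.append("[311\\012] MS-CHAP-MPPE-Keys missing")
    proto = vsas.get((CVPN3000, 11))
    if proto is None:
        problems.append("[3076\\011] CVPN3000-Tunneling-Protocols missing")
    elif len(proto) != 4 or not struct.unpack("!I", proto)[0] & PPTP_BIT:
        problems.append("[3076\\011] CVPN3000-Tunneling-Protocols does not include PPTP")
    if (CVPN3000, 20) not in vsas:
        # Presence only: the encryption value is not interpreted here.
        problems.append("[3076\\020] CVPN3000-PPTP-Encryption missing")
    return problems


# Constructed sample attribute block (not a real capture).
GOOD = (
    tlv(CLASS, b"ou=pptpgroup;")
    + vsa(MICROSOFT, 12, bytes(32))               # placeholder key material
    + vsa(CVPN3000, 11, struct.pack("!I", 1))     # PPTP selected (assumed value)
    + vsa(CVPN3000, 20, struct.pack("!I", 4))     # placeholder encryption value
)

if __name__ == "__main__":
    print(check_pptp_profile(GOOD, "pptpgroup") or "profile matches the workaround")
```
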

  • CSCdu48120: CSNT error occurred during the move data process

When installing Cisco Secure ACS, you may see the following error:

An error occurred during the move data process: -115
 

followed by several other errors, such as:

Cannot run command D:\Program Files\CiscoSecureACS vx.x\UtilsCSUpdate -install CSAuth - The system cannot find the file specified
Cannot run command D:\Program Files\CiscoSecureACS vx.x\UtilsCSUpdate-install CSLog - The system cannot find the file specified
Cannot run command D:\Program Files\CiscoSecureACS vx.x\UtilsCSUpdate-install CSRadius - The system cannot find the file specified
 

Workaround/Solution: Delete pdh.dll from the Windows system32 directory, then restart the installation.

  • CSCdu84042: Win2k external database,W2K groups cant be seen

Windows 2000 groups for remote domains cannot be seen by Cisco Secure ACS running on a Windows NT 4.0 member server.

Workaround/Solution: On the Cisco Secure ACS server, configure all Cisco Secure ACS services to run using a domain administrator account for the domain of which the server is a member. For more information about additional configuration required to run Cisco Secure ACS 3.0 on a Windows NT 4.0 member server, see Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers.

The services associated with Cisco Secure ACS are:

    • CSAdmin
    • CSAuth
    • CSDBSync
    • CSLog
    • CSMon
    • CSTacacs
    • CSRadius

  • CSCdv29929: Add admin using Netscape causes 100%CPU

If you use Netscape Navigator v.4.7 to access the HTML interface, adding an administrator to Cisco Secure ACS can cause 100% CPU utilization for over a minute. This in turn can cause the CSRadius service to pause until the browser resumes normal operation. The fault lies in the Netscape browser rather than Cisco Secure ACS.

Workaround/Solution: Once the 100% CPU utilization has begun, wait until browser operation returns to normal. This should be less than five minutes. To avoid the behavior altogether, use a tested version of Microsoft Internet Explorer. See the Tested Web Browser Versions section of the Release Notes for Cisco Secure Access Control Server for Windows 2000/NT Servers.

  • CSCdv35872: Insufficient length for NDS context entry

When a Novell NDS database configuration in Cisco Secure ACS has a context list greater than 4095 characters long, editing the NDS configuration page results in incorrect HTML in the browser interface.

Workaround/Solution: Use a context list no longer than 4096 characters.

  • CSCdv47186: Unable to add renamed user-defined attributes ito Radius accounting

Customer is experiencing problems adding the user fields (3,4,5) to the RADIUS accounting file.

When he renames these fields in the User Attributes in Interface Configuration, and then attempts to add them to the RADIUS Accounting log, the changes do not appear in the log.

To reproduce this problem, follow these steps:

1. Change the names of Real Name, User field 2, User field 3, or any of the User Defined Fields in Interface Configuration.

2. In System Configuration, select Logging, and then select CSV Radius Accounting.

3. Add one (or more) of the changed fields to the right column.

4. Click Submit.

5. Select the CSV Radius Accounting log again.

6. The field you just moved to the right column will no longer be in the right column, but will appear in the left column once more.

Workaround/Solution: After renaming a user-defined attribute, restart all Cisco Secure ACS services from the Windows Control Panel. Once the services have been restarted, the CSV RADIUS Accounting configuration screen shows the renamed attributes and remembers their selection when the page is submitted.

  • CSCdv85400: IP Address Recovery & Date Format Control - not backup/restore

In the System Configuration section, settings made on the IP Address Recovery page and the Date Format Control page are not restored from backup.

Workaround/Solution: Manually configure the IP Address Recovery and Date Format Control pages.

  • CSCdv85432: CSLog crashes when changing system logging

The CSLog service crashes when you modify ODBC logging configuration during ODBC logging operations.

Workaround/Solution: Do not change logging configuration while Cisco Secure ACS is authenticating users.

  • CSCdv86707: User Data Field name is not replicated

Changes to user-defined fields in user records do not appear to replicate. After the user-defined fields are changed in the Interface Configuration section on the primary Cisco Secure ACS server and replication succeeds, the secondary Cisco Secure ACS server does not display the changes to the user-defined fields in the HTML interface.

Workaround/Solution: The changes to the user-defined fields do replicate successfully; however, to see the changes on the secondary Cisco Secure ACS server, restart the CSAdmin service.

  • CSCdv86708: HTTP Port Allocation is not replicated

Changes to HTTP Port Allocation settings do not appear to replicate. After the HTTP Port Allocation settings are changed on the Access Policy Setup page in the Administration Control section on the primary Cisco Secure ACS server and replication succeeds, the secondary Cisco Secure ACS server does not display the changes to the HTTP Port Allocation settings in the HTML interface.

Workaround/Solution: The changes to the HTTP Port Allocation settings do replicate successfully; however, to see the changes on the secondary Cisco Secure ACS server, restart the CSAdmin service.

  • CSCdv89331: VOIP Accounting Configuration - no upgrade, no backup & restore

In the System Configuration section, settings made on the VoIP Account Configuration page are not restored from backup. Neither are these settings preserved during reinstallation of Cisco Secure ACS 3.0 or upgrading to a later build of Cisco Secure ACS 3.0.

Workaround/Solution: Manually configure the VoIP Accounting Configuration page.

  • CSCdw19491: Unable to add renamed user-defined attributes ito Radius accounting

A customer has problems adding user fields 3, 4, and 5 to the RADIUS accounting file. When these fields are renamed under User Attributes in Interface Configuration and then added to the RADIUS Accounting log, the changes do not appear in the log.

To reproduce this problem, follow these steps:

1. Change the names of Real Name, User field 2, User field 3, or any of the User Defined Fields in Interface Configuration.

2. In System Configuration, select Logging, and then select CSV Radius Accounting.

3. Add one (or more) of the changed fields to the right column.

4. Click Submit.

5. Select the CSV Radius Accounting log again.

6. The field you just moved to the right column will no longer be in the right column, but will appear in the left column once more.

Workaround/Solution: After renaming a user-defined attribute, restart all Cisco Secure ACS services from the Windows Control Panel.

Once the services have been restarted, the CSV RADIUS Accounting configuration screen shows the renamed attributes and remembers their selection when the page is submitted.

  • CSCdw27562: AAA Servers not deleted if Sync Partners table is empty

An AAA server cannot be deleted from the "(Not Assigned) AAA Servers" table if the "Synchronize" table in the "Synchronization Partners" is empty. An error message "x.x.x.x can not be deleted since it is an synchronization partner" is displayed.

Workaround/Solution: Move any AAA server to the Synchronize table, then delete the desired AAA server.

  • CSCdx15245: Database replication partner order not saved

Changes to the order of the Replication Partners under Database Replication are not saved when you submit changes. When you open the Database Replication window, the servers are shown in alphabetical order rather than in the desired order. Database replication is also performed in alphabetical order, that is, in the order the GUI shows after changes are submitted.

Workaround/Solution: There is no workaround.

  • CSCdx48265: Character in hostname crashes ACS

When the backslash character (\) is included in the AAA client name, for example cis\co, ACS crashes.

Workaround/Solution: Do not use the backslash character in AAA client names.

  • CSCdx51442: cmd-agr=permit 0 in Command Author Set allows all arguments

After command authorization sets are set up in ACS 3.0 and authorization for config-commands is specified on the NAS, the customer specifies a permit for cmd=interface cmd-arg=permit FastEthernet 0

Issuing this config command fails because it expects the "0" as a separate argument. But after a cmd-arg="permit 0" is added, all interface commands are allowed, not just those on FastEthernet.

Workaround/Solution: None at this time.

  • CSCdx73692: csradius and cstacacs crash with safeword users on unix box

Authentication services CSRadius and CSTacacs might crash when ACS 2.6.3.2 is installed on Windows 2000 with Service Pack 1 and SafeWord is used on a separate UNIX box. All users are SafeWord users.

Workaround/Solution: None at this time. We tested Cisco Secure ACS 3.0 on Windows 2000 Server using an English-language version of Service Pack 2. Applying Service Pack 2 may alleviate the issue.

  • CSCdx81906: Unable to replicate to more than 20 partners

A customer has run into a limit of 20 replication partners. You can configure more, but the 21st partner in the list will not work; the master reports that it is not responding.

Workaround/Solution: If you delete one of the servers higher up in the list, thus moving the problem server into slot number 20, replication works.

  • CSCdx89261: unable to delete NAS

The NAS cannot be deleted. The following error is displayed:

Cannot delete AAA server, AAA server is a Synchronization Partner

Workaround/Solution: Delete the host from the registry.

  • CSCdy02612: DCS assignment policy per NDG works incorrectly

Command authorization appears to fail on all AAA clients when the applicable command authorization set is configured to be applied to the <Default> network device group (NDG).

This is correct behavior. The <Default> NDG corresponds to the "Not Assigned" NDG in Network Configuration. If the AAA client on which the user is attempting to issue commands is not in the "Not Assigned" NDG and there is no command authorization set that does apply to the AAA client, Cisco Secure ACS denies authorization for the command.

Workaround/Solution: If you intend to apply a command authorization set to all AAA clients, assign it once per every NDG rather than solely to the <Default> NDG. There is currently no single option that applies a command authorization set to all NDGs.

  • CSCdy07147: EAP-MD5 Fails when RADIUS (Cisco Aironet) as authenticator

EAP-MD5 authentication fails when the AAA client uses RADIUS (Cisco Aironet) as the authentication method.

Workaround/Solution: EAP-MD5 authentication operates properly when RADIUS (IETF) is used.

  • CSCdy11863: Invalid PIX ACL is accepted

Cisco Secure ACS accepts empty and therefore invalid PIX ACLs. There are two ways this can occur. In the first, you can submit only a space in the PIX ACL. In the second, you can delete the contents of a previously submitted, valid PIX ACL and resubmit it successfully.

Workaround/Solution: None at this time.

  • CSCdy14259: T+ ascii login doesn't work correctly with cryptocard

Users authenticating with CryptoCard incorrectly receive a password prompt in addition to the username, challenge, and response prompts.

Workaround/Solution: Users can enter any string at the password prompt and press Enter, then continue CryptoCard authentication normally.

  • CSCdz10935: previous button disappears on use setup page of ACS

The "Previous" button disappears when using the User Setup page in the Cisco Secure ACS HTML interface.

Currently, Cisco Secure ACS cannot provide the ability to page backwards.

Workaround/Solution: Use the browser back button.

  • CSCdz27070: disc-cause attribute is wrong in Tacacs+ Acct logs

Cisco Secure ACS 2.6.4, 3.0.2, and 3.1.1 all log an incorrect value in TACACS+ Accounting for the "disc-cause" attribute. If you set up a PPP session to do an idle timeout, when it disconnects you will get "CLID-Authentication-Failure" in the TACACS+ Accounting log for "disc-cause" - but the TACACS+ documentation for IOS says that the value "4" is Idle timeout.

/en/US/docs/ios/12_2/security/configuration/guide/scftacat.html#20164

Workaround/Solution: None.

  • CSCdz35833: Clean doesn't clean/recognize all entries

If you attempt to upgrade to Cisco Secure ACS 3.0.3 from 3.0.2.5 and abort installation of 3.0.3 before it is complete, using the clean.exe application that comes with 3.0.2.5 does not remove all related file system directories or registry keys.

Workaround/Solution: Manually edit the registry to remove HKLM:SOFTWARE/Cisco/CiscoAAAv3.0 entries. Manually delete remaining Cisco Secure ACS 3.0 subdirectories.

  • CSCdz37379: Replication pre-checks incorrect in cascade

Occasionally updated components are not replicated to the third replication partner in a replication cascade. This happens because replication pre-checks on the second partner indicate incorrectly that outbound replication is not required for the third partner in the cascade. This occurs because the pre-checks performed by the second replication partner happen before replication is completed from the first replication partner.

Workaround/Solution: On the following replication cycle, the unreplicated component will be replicated from the second replication partner to the third replication partner.

  • CSCdz43939: change password fail in err709.In Auth log-err 1907L

This behavior occurs after upgrading Cisco Secure ACS from 3.0.2.5 to 3.0.3 and when Cisco Secure ACS is running on a member server. Users whose accounts reside in a Windows 2000 user database and whose accounts are configured to enforce a password change at next login are disconnected after providing the new password.

Workaround/Solution: None.

  • CSCdz45040: Password change for native trusted domain doesn't work

When Cisco Secure ACS authenticates a Windows 2000 user from a native trusted domain, MS-CHAP password changing does not work even though authentication via MS-CHAPv2 works properly.

Workaround/Solution: None.

  • CSCdz45527: EAP-TLS fails to initiate after restore process

EAP-TLS authentication fails after a successful restore. The problem appears to be related to private key decryption failing after the restore. The following error appears in the CSAuth log after a successful restore process:

AUTH 12/01/2002 16:42:52 A 5020 0808 CSAuth server starting
==============================
AUTH 12/01/2002 16:42:52 I 5021 0808 Base directory is C:\Program Files\CiscoSecure ACS v3.0\CSAuth
AUTH 12/01/2002 16:42:52 I 5022 0808 Log directory is C:\Program Files\CiscoSecure ACS v3.0\CSAuth\Logs
AUTH 12/01/2002 16:42:52 I 5023 0808 User directory is C:\Program Files\CiscoSecure ACS v3.0\CSAuth\Users
AUTH 12/01/2002 16:42:52 I 5024 0808 CSAuth version is 3.0(3.4)
AUTH 12/01/2002 16:42:52 A 5026 0808 Running as NT service.
AUTH 12/01/2002 16:42:52 I 5051 0808 Socket library initialised OK.
AUTH 12/01/2002 16:42:52 I 5055 0808 CSAuth port is 2000
AUTH 12/01/2002 16:42:52 I 5061 0808 File handle limit is 64
AUTH 12/01/2002 16:42:52 I 5065 0808 Will use 20 worker threads.
AUTH 12/01/2002 16:42:53 I 1116 0808 Started password aging module.
AUTH 12/01/2002 16:42:53 I 1126 0808 Started network model module.

AUTH 12/01/2002 16:42:53 A 0937 0808 Error at F:\ccData\snapViews\Build_View@ismg_israel_acs@ACS-sw-3.0.1-B-120-B-64\ismg_israel_acs\Acs\Crypto\decrypt.c line 79, CryptDecrypt failed (System Error 0x80090005)
AUTH 12/01/2002 16:42:53 A 0937 0808 Error at F:\ccData\snapViews\Build_View@ismg_israel_acs@ACS-sw-3.0.1-B-120-B-64\ismg_israel_acs\Acs\Crypto\decrypt.c line 238, Crypto_DecryptDataWithLocalKey failed

AUTH 12/01/2002 16:42:53 E 1153 0808 EAP-TLS init failed, can not load the private key from registry, verify that ACS certificate is installed prperly
AUTH 12/01/2002 16:42:53 I 0312 0808 Varsdb:Kicking off 1 ODBC workers
AUTH 12/01/2002 16:42:53 I 0312 1036 Varsdb:GarbageCollectionThread starting...
AUTH 12/01/2002 16:42:53 I 0312 2384 Varsdb:OdbcWorkerThread starting...

The problem occurs when restoring from a dump file created during backup on another machine.

It also occurs when the dump file is backed up, ACS is uninstalled and then reinstalled, and the configuration is restored from the dump file.

Workaround/Solution: None at this time.
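A post-restore check for the CSCdz45527 failure signature, as an added example that is not part of the release notes: it scans CSAuth log text for a startup in which EAP-TLS initialization failed and collects any CryptDecrypt error codes logged in that startup. The entry layout and field names are assumptions inferred from the excerpt above; the first startup in the sample is copied from that excerpt (hard-wrapped, to exercise continuation handling) and the second is constructed.

```python
import re

# Entry layout assumed from the excerpt (field names are this example's own):
# <service> <MM/DD/YYYY> <HH:MM:SS> <level> <code> <thread> <message>
ENTRY = re.compile(
    r"^(?P<svc>[A-Z]+) (?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<level>[A-Z]) (?P<code>\d{4}) (?P<thread>\d{4}) (?P<msg>.*)$"
)
# \s* tolerates an entry that was wrapped between "failed" and "(System".
# 0x80090005 in the excerpt is the CryptoAPI error NTE_BAD_DATA.
DECRYPT = re.compile(r"CryptDecrypt failed\s*\(System Error (0x[0-9A-Fa-f]+)\)")
START = "CSAuth server starting"
EAP_FAIL = "EAP-TLS init failed"


def entries(text):
    """Yield one dict per log entry, folding wrapped continuation lines in."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="}:    # blank lines and ===== rulers
            continue
        m = ENTRY.match(line)
        if m:
            if current:
                yield current
            current = m.groupdict()
        elif current:
            # Continuation fragment: appended without a separator, so a space
            # lost at the wrap point stays lost; the patterns above allow it.
            current["msg"] += line
    if current:
        yield current


def failed_eap_tls_startups(text):
    """Return one finding per CSAuth startup in which EAP-TLS init failed."""
    startups = []
    for e in entries(text):
        if e["msg"].startswith(START):
            startups.append({"started": e["date"] + " " + e["time"],
                             "decrypt_errors": [], "eap_tls_failed": False})
        if not startups:
            continue                          # entries before the first startup
        cur = startups[-1]
        cur["decrypt_errors"] += DECRYPT.findall(e["msg"])
        if EAP_FAIL in e["msg"]:
            cur["eap_tls_failed"] = True
    return [s for s in startups if s["eap_tls_failed"]]


# First startup: lines from the excerpt. Last two lines: constructed, showing
# a later startup without the error.
SAMPLE = r"""
AUTH 12/01/2002 16:42:52 A 5020 0808 CSAuth server starting
==============================
AUTH 12/01/2002 16:42:52 I 5024 0808 CSAuth version is 3.0(3.4)
AUTH 12/01/2002 16:42:53 A 0937 0808 Error at
F:\ccData\snapViews\Build_View@ismg_israel_acs@ACS-sw-3.0.1-B-12
0-B-64\ismg_israel_acs\Acs\Crypto\decrypt.c line 79, CryptDecrypt failed
(System Error 0x80090005)
AUTH 12/01/2002 16:42:53 E 1153 0808 EAP-TLS init failed, can not load the
private key from registry, verify t
hat ACS certificate is installed prperly
AUTH 12/02/2002 09:00:00 A 5020 0812 CSAuth server starting
AUTH 12/02/2002 09:00:00 I 5024 0812 CSAuth version is 3.0(3.4)
"""

if __name__ == "__main__":
    for finding in failed_eap_tls_startups(SAMPLE):
        print(finding)
```
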

  • CSCdz56850: Black bar in page background on very large pages in GUI

In the web GUI a black bar can sometimes appear in the page background when the page being displayed is very large (such as a list of several hundred NAS entries in Network Configuration). This is purely cosmetic and will not affect the server functionality, although it may make it difficult to read some information. The location of the bar may not be consistent on all servers as its location depends completely on how the browser renders the page.

Workaround: Rename the page_background.gif file so that it does not get displayed. This will make the top line of the page unreadable (where it says "Select" or "Help") but will eliminate the black bars in the page. The page_background.gif file is located under C:\Program Files\CiscoSecure ACS v3.x\CSAdmin\WWW\images by default.

  • CSCdz58988: Access Points dont failover to secondary ACS

After an ACS 3.0 server hangs (because of a hung or failed CSAuth process), the WAPs trying to use the failed server should at some point time out and fail over to another ACS server. This failover does not happen.

  • CSCea25090: Logged In User not showing after going into enable mode on router

With AAA Accounting for exec sessions configured on a NAS, a user shows up in the Logged-In User report on ACS. With Accounting also configured for going into enable mode, the user no longer appears in the Logged-In User report after authenticating successfully.

  • CSCea39639: RDBMS sync randomly fails with ERROR Reason -No Error

Using the MS-Text-Driver and accountaction.csv files to maintain the user database, as described at /en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007deac.html#2110, randomly skips or truncates data. The syntax of the accountaction file is correct. Sometimes an error message like the following is logged:

CSDbSync 03/07/2003 12:39:49 E 0000 2688 Error: host '<hostname>' Action failed (SI=44 A=176 UN='cisco123' GN='' AI='' VN='tcp/23' V1='permit' V2='10.1.1.1' V3='') Reason - No Error 

Re-running csdbsync (without changing the accountaction.csv file) usually resolves the problem (the data is imported correctly, with no error message on the CLI or in the log file). During a re-run, csauth has also stopped and a Windows violation message box has appeared.

  • CSCeb58021: Server Hello packet of TLS from ACS Server has garbage.

In RFC 2246, the Server Hello has 4 bytes of gmt_unix_time and 28 bytes of random data. However, the Server Hello from Cisco Secure ACS has 4 bytes of garbage (00 00 00 00), 4 bytes of gmt_unix_time, and 24 bytes of random data. Some clients may fail authentication.

Workaround: There is no workaround.
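A capture-side check for the CSCeb58021 layout, as an added example that is not part of the release notes: it extracts the 32-byte Random from a TLS record carrying a ServerHello and reports whether it follows the RFC 2246 layout or the shifted layout described above. The function names, the one-day skew window, and the sample records are constructed for this example.

```python
import struct

HANDSHAKE_RECORD = 22   # TLS ContentType.handshake
SERVER_HELLO = 2        # HandshakeType.server_hello


def server_hello_random(record: bytes) -> bytes:
    """Return the 32-byte Random from a TLS record that carries a ServerHello."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE_RECORD:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise ValueError("truncated record body")
    msg_len = int.from_bytes(body[1:4], "big")
    if body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + msg_len]
    if len(hello) != msg_len or msg_len < 2 + 32:
        raise ValueError("truncated ServerHello")
    return hello[2:34]          # skip server_version (2 bytes)


def classify_random(rnd: bytes, capture_time: int, max_skew: int = 86400) -> str:
    """Classify the Random layout against the capture time (Unix seconds).

    RFC 2246 does not require the sender's clock to be correct, so the
    timestamp comparison is a heuristic, not proof.
    """
    if len(rnd) != 32:
        raise ValueError("Random must be 32 bytes")
    first = int.from_bytes(rnd[0:4], "big")
    second = int.from_bytes(rnd[4:8], "big")
    if abs(first - capture_time) <= max_skew:
        return "rfc2246"        # gmt_unix_time in bytes 0-3, then 28 random
    if first == 0 and abs(second - capture_time) <= max_skew:
        return "shifted"        # 00 00 00 00, gmt_unix_time in bytes 4-7
    return "unknown"


def build_server_hello(rnd: bytes) -> bytes:
    """Constructed sample: TLS 1.0 ServerHello with an empty session ID."""
    hello = b"\x03\x01" + rnd + b"\x00" + b"\x00\x0a" + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    header = struct.pack("!BHH", HANDSHAKE_RECORD, 0x0301, len(handshake))
    return header + handshake


CAPTURE_TIME = 1059696000       # constructed: 2003-08-01 00:00:00 UTC
GOOD = build_server_hello(struct.pack("!I", CAPTURE_TIME) + bytes(range(1, 29)))
SHIFTED = build_server_hello(
    b"\x00" * 4 + struct.pack("!I", CAPTURE_TIME) + bytes(range(1, 25))
)

if __name__ == "__main__":
    for name, rec in (("GOOD", GOOD), ("SHIFTED", SHIFTED)):
        print(name, classify_random(server_hello_random(rec), CAPTURE_TIME))
```
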

  • CSCeb58107: cisco-nas-port attribute should be included in VoIP accounting log

The cisco-nas-port attribute should be available in the VoIP accounting log.

  • CSCeb64302: Network Model within ACS Registry grows in accounting

Network Model within Registry grows and causes inconsistent behavior of AAA operations.

Conditions: The Network Model grows so large because the packets do not have a traditional NAS-PORT value, and only in some cases do they contain the Cisco VSA for nas-port (string version). Without a NAS-PORT, the network model creates a port using the username.

Workaround: Apply fix

  • CSCeb69357: Psw change failed when no domain name provided

Password change fails for RADIUS-based MS-CHAP v2 password change when the username submitted is not domain qualified. This happens regardless of whether ACS is installed on a domain controller or member server. RADIUS-based MS-CHAP v2 password change is supported only with Windows external user databases.

Workaround: Require users to provide domain-qualified usernames at login.

  • CSCec30668: ACS replication causes AUTH services to stop on the primary

The ACS server stops authenticating new requests when ACS replication is initiated.

  • CSCec37012: Inconsistency in EAP-TLS stress authentications

When Cisco Secure ACS is performing EAP-TLS authentications under a heavy load, some sessions that should end based on timeout values are ended with an Access Reject message instead. Under a lighter load, Cisco Secure ACS correctly responds with timeout messages instead of Access Reject.

Workaround: If you use multiple Cisco Secure ACS servers, try to load balance peak authentication load. This can be done by configuring AAA clients to use different Cisco Secure ACS servers.

  • CSCec39523: Proxy ACS changes upper case letters to lower in username RADIUS att

Topology:

NAS--------proxy RADIUS ACS----------authenticating RADIUS server

Symptom: If the NAS sends a username (IETF attribute 1) that contains upper- and lower-case letters in a RADIUS access-request packet, the proxy RADIUS ACS forwards the access-request packet to the authenticating RADIUS server with all upper-case letters changed to lower-case letters.

Conditions: This is observed only when prefix stripping is configured on the proxy RADIUS ACS and the username contains the prefix to be stripped by the proxy RADIUS ACS. It is not observed when suffix stripping or no stripping takes place.

Workaround: Do not use upper-case letters in the username attribute when performing prefix stripping.

  • CSCec46370: Group mapping misbehavior

When an external RADIUS database attempts to specify a user's group using Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair, and the group number specified is greater than 499, Cisco Secure ACS fails the user authentication and logs a seemingly unrelated error related to Group 100 and network access restrictions (even if no NARs are applied to the user).

RADIUS group specification requires that the assignment in the cisco-av-pair attribute use the following format:

ACS:CiscoSecure-Group-Id = N

where N is the Cisco Secure ACS group number (0 through 499) to which Cisco Secure ACS should assign the user.

Workaround: Ensure that the external RADIUS server database only specifies a group number between 0 and 499.

  • CSCec54966: new VPN attributes disappear after restore an older version backup

After upgrading to 3.0.4, if you use a backup created by an older version of ACS, such as from 3.0.3, Cisco VPN 3000 RADIUS VSAs added in 3.0.4 disappear. The old backup file replaces the VSA configuration with a version that predates the addition of or changes to Cisco VPN 3000 VSAs 29, 61-68, and 75.

Workaround: Reinstall 3.0.4 and reconfigure the missing Cisco VPN 3000 RADIUS attributes.

  • CSCec57161: wrong ODBC logging causes major CSLog mem leak & stop local logging

Misconfigured ODBC logging creates errors in CSLog and can result in a memory leak.

Workaround: Configure ODBC logging correctly or disable ODBC logging.

Related Documentation

The following documents directly support Cisco Secure ACS:

  • Cisco Secure ACS for Windows 2000/NT Servers Version 3.0 User Guide
  • Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers
  • Web Server Installation for Cisco Secure ACS 3.0 for Windows 2000/NT User-Changeable Passwords

You can find other product literature, including white papers, data sheets, and product bulletins, at the following URL:

http://www.cisco.com/warp/public/cc/pd/sqsw/sq/prodlit/index.shtml

In addition to these documents, online documentation is provided within the Cisco Secure ACS user interface. The entire Cisco Secure ACS documentation set is also available at the following URL:

http://www.cisco.com/warp/public/cc/pd/sqsw/sq/

Obtaining Documentation

Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

International Cisco websites can be accessed from this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription.

Registered Cisco.com users can order a single Documentation CD-ROM (product number DOC-CONDOCCD=) through the Cisco Ordering tool:

http://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_tool_launch.html

All users can order annual or quarterly subscriptions through the online Subscription Store:

http://www.cisco.com/go/subscription

Click Subscriptions & Promotional Materials in the left navigation bar.

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

  • Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/en/US/partner/ordering/index.shtml

  • Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit e-mail comments about technical documentation to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour-a-day, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance. If you do not hold a valid Cisco service contract, please contact your reseller.

Cisco TAC Website

The Cisco TAC website (http://www.cisco.com/tac) provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year.

Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:

http://tools.cisco.com/RPF/register/register.do

Opening a TAC Case

Using the online TAC Case Open Tool (http://www.cisco.com/tac/caseopen) is the fastest way to open P3 and P4 cases. (P3 and P4 cases are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using the recommended resources, your case will be assigned to a Cisco TAC engineer.

For P1 or P2 cases (P1 and P2 cases are those in which your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.

To open a case by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete listing of Cisco TAC contacts, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

TAC Case Priority Definitions

To ensure that all cases are reported in a standard format, Cisco has established case priority definitions.

Priority 1 (P1)—Your network is "down" or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

  • The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://www.cisco.com/en/US/products/products_catalog_links_launch.html

  • Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press online at this URL:

http://www.ciscopress.com

  • Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

  • iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

  • Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html

  • Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:

http://www.cisco.com/en/US/learning/index.html

This document is to be used in conjunction with the documents listed in the Related Documentation section.


Copyright © 2003 Cisco Systems, Inc. All rights reserved.