Guest

Cisco Secure Access Control Server for Windows

Release Notes for Cisco Secure ACS for Windows Server 3.2.3

 Feedback

Table Of Contents

Release Notes for Cisco Secure ACS for Windows Server Version 3.2.3

New Features

Supplemental License Agreement for Cisco Systems Network Management: Cisco Secure Access Control Server Software

Product Documentation

Related Documentation

Installation Notes

HTTPS Support Change and Management Center Applications

Changes to Token Server Support

Evaluation Version

Purchasing the Commercial Version

Upgrading to the Commercial Version

Limitations and Restrictions

Interoperability Testing

Supported Upgrade Versions

Supported Operating System

Supported Web Browsers

Supported Platforms for CiscoSecure Authentication Agent

Other Supported Devices and Software

Known and Resolved Problems

Cisco AAA Client Problems

Known Problems in Cisco Secure ACS Version 3.2.3

Resolved Problems in Cisco Secure ACS Version 3.2.3

Resolved Problems in Cisco Secure ACS Version 3.2.2

Resolved Problems in Cisco Secure ACS Version 3.2.1

Obtaining Documentation

Cisco.com

Documentation CD-ROM

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco TAC Website

Opening a TAC Case

TAC Case Priority Definitions

Obtaining Additional Publications and Information


Release Notes for Cisco Secure ACS for Windows Server Version 3.2.3


July 2005

These release notes pertain to Cisco Secure Access Control Server for Windows Server (Cisco Secure ACS) version 3.2.3.

These release notes provide:

New Features

Supplemental License Agreement for Cisco Systems Network Management: Cisco Secure Access Control Server Software

Product Documentation

Related Documentation

Installation Notes

HTTPS Support Change and Management Center Applications

Changes to Token Server Support

Evaluation Version

Limitations and Restrictions

Interoperability Testing

Supported Upgrade Versions

Supported Operating System

Supported Web Browsers

Supported Platforms for CiscoSecure Authentication Agent

Other Supported Devices and Software

Known and Resolved Problems

Obtaining Documentation

Documentation Feedback

Obtaining Technical Assistance

Obtaining Additional Publications and Information

New Features

Cisco Secure ACS version 3.2.3 contains the following new features:

EAP Flexible Authentication via Secured Tunnel (EAP-FAST) authentication support—Cisco Secure ACS 3.2.3 supports the EAP-FAST protocol, a new authentication protocol that protects authentication in a TLS tunnel but does not require use of certificates, unlike PEAP.

Windows Server 2003 Enterprise Edition—You can install and operate Cisco Secure ACS 3.2.3 on Windows Server 2003 Enterprise Edition.


Note When running Cisco Secure ACS on Windows Server 2003, you may encounter event messages that falsely indicate that Cisco Secure ACS services have failed. This is issue is documented in bug CSCea91690. For more information about CSCea91690, see Table 3.


Machine Access Restrictions (MARs)—Cisco Secure ACS 3.2.3 includes MARs as an enhancement of Windows machine authentication. When Windows machine authentication is enabled, you can use MARs to control authorization of EAP-TLS and Microsoft PEAP users who authenticate with a Windows external user database. Users who access the network with a computer that has not passed machine authentication within a configurable length of time are given the authorizations of a user group that you specify and which you can configure to limit authorization as needed. Alternatively, you can deny network access altogether.

Cisco Aironet AP EAP Request Timeout—Cisco Secure ACS 3.2.3 adds the ability to specify a timeout value that IOS-based Cisco Aironet Access Points use during EAP transactions with Cisco Secure ACS. This value applies only during the EAP transaction. This option is available on the Global Authentication Setup page in the System Configuration section of the HTML interface.

Cisco Secure ACS version 3.2 contains the following new features:

PEAP support for Microsoft Windows clients—Cisco Secure ACS 3.2 adds support for Microsoft PEAP supplicants available today for Windows 98, NT, 2000, and XP. The Microsoft PEAP supplicant supports client authentication by only MS-CHAPv2 compared to Cisco PEAP supplicant (available through Cisco Aironet wireless adapters) which supports client authentication by logon passwords or one-time passwords (OTPs). Unlike Microsoft PEAP supplicant, Cisco PEAP supplicant provides support for one-time token authentication and powerful extensibility of non-MSCHAP end-user databases such as LDAP, NDS, and ODBC. Cisco Secure ACS 3.2 allows selection of Microsoft PEAP and/or Cisco PEAP from its EAP Configuration page. PEAP is an Internet draft standard in the IETF PPP working group.

LDAP Multithreading—Cisco Secure ACS 3.2 can process multiple LDAP authentication requests in parallel as opposed to the sequential processing mechanism employed in pre-3.2 versions. This feature greatly improves Cisco Secure ACS performance in "task-hungry" configurations such as in wireless deployments.

EAP-TLS Enhancements—EAP-TLS enhancements in Cisco Secure ACS 3.2 further extend Cisco Secure ACS PKI capabilities. EAP-TLS authentication against ODBC user databases, and EAP-TLS silent session-resume support are among the newly added capabilities. Similarly to the PEAP silent session resume, EAP-TLS silent session resume prevents users from re-authenticating during a RADIUS session timeout. This is particularly advantageous in wireless applications where users are continually moving. The duration of the EAP-TLS silent session timeout is configurable from Cisco Secure ACS GUI.

Machine authentication support—Cisco Secure ACS 3.2 adds 802.1X machine authentication option using either PEAP with MSCHAPv2 implementation (PEAP-EAP-MSCHAPv2) or EAP-TLS. Machine authentication is used at boot time to authenticate and communicate with Windows Domain Controllers when connecting to 802.1X secure ports. Machine authentication allows pulling down machine group policies from Windows Active Directory independently of a subsequent interactive user authentication session.

EAP mixed configurations—Cisco Secure ACS 3.2 supports the following EAP types:

PEAP(EAP-GTC), which is Cisco PEAP

PEAP(EAP-MSCHAPv2), which is Microsoft PEAP

EAP-TLS

EAP-MD5

Cisco EAP Wireless, which is LEAP

Cisco Secure ACS 3.2 allows flexible EAP settings—One or several EAP types can be selected concurrently—enabling Cisco Secure ACS to intelligently process EAP authentications depending on the 802.1X supplicant.

Accounting support for Aironet—Cisco Secure ACS 3.2 supports user-based accounting from Cisco Aironet wireless Access Points when Cisco Secure ACS is configured to recognize them as RADIUS (Cisco Aironet) AAA clients.

Downloadable access control lists for VPN users—Cisco Secure ACS 3.2 extends per-user access control list support to Cisco VPN solutions (in addition to the current support for PIX Firewall solutions). With this option, administrators can define access control lists, for users of groups of users within the Cisco Secure ACS HTML interface.


Tip An easy way to distinguish whether a version of Cisco Secure ACS supports only Cisco PIX devices with downloadable ACLs is to determine the name of the downloadable ACL feature in the Shared Profile Components section of the Cisco Secure ACS HTML interface. In Cisco Secure ACS 3.0 and 3.1, that feature is named "Downloadable PIX ACLs", indicating the limitation of support to PIX devices. In Cisco Secure ACS 3.2, the corresponding feature is named "Downloadable IP ACLs", reflecting the expanded support.


Supplemental License Agreement for Cisco Systems Network Management: Cisco Secure Access Control Server Software

IMPORTANTREAD CAREFULLY: This Supplemental License Agreement ("SLA") contains additional limitations on the license to the Software provided to Customer under the Software License Agreement between Customer and Cisco. Capitalized terms used in this SLA and not otherwise defined herein shall have the meanings assigned to them in the Software License Agreement. To the extent that there is a conflict among any of these terms and conditions applicable to the Software, the terms and conditions in this SLA shall take precedence.

By installing, downloading, accessing or otherwise using the Software, Customer agrees to be bound by the terms of this SLA. If Customer does not agree to the terms of this SLA, Customer may not install, download or otherwise use the Software.

1. ADDITIONAL LICENSE RESTRICTIONS.

Installation and Use. The Software components are provided to Customer solely to install, update, supplement, or replace existing functionality of the applicable Network Management Software product. Customer may install and use following Software component:

Access Control Server (ACS): May be installed on one (1) server in Customer's network management environment.

Reproduction and Distribution. Customer may not reproduce nor distribute software.

2. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS.

Please refer to the Cisco Systems, Inc. Software License Agreement.

Product Documentation


Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.


Table 1 describes the product documentation that is available.

Table 1 Product Documentation 

Document Title
Available Formats

Release Notes for Cisco Secure ACS for Windows Server

Printed document that was included with the product.

PDF on the product CD-ROM.

On Cisco.com at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/access/
acs_soft/csacs4nt/acs32

Installation Guide for Cisco Secure ACS for Windows Server

PDF on the product CD-ROM.

On Cisco.com at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/access/
acs_soft/csacs4nt/acs32/win32sig.htm

Printed document available by order (part number DOC-7815570=).1

User Guide for Cisco Secure ACS for Windows Server

PDF on the product CD-ROM.

On Cisco.com at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/access/
acs_soft/csacs4nt/acs32/user

Printed document available by order (part number DOC-7815571=). 1

Installation and User Guide for Cisco Secure ACS User-Changeable Passwords

PDF on the product CD-ROM.

On Cisco.com at the following URL:

a. http://www.cisco.com/univercd/cc/td/doc/product/access/
acs_soft/csacs4nt/acs32/ucp.htm

Supported and Interoperable Devices and Software Tables for Cisco Secure ACS for Windows Server

On Cisco.com at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/access/
acs_soft/csacs4nt/acs32/2wn32sdt.htm

Recommended Resources for the Cisco Secure ACS User

On Cisco.com at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/access/
acs_soft/csacs4nt/acs32/linksw32.htm

Online Documentation

In the Cisco Secure ACS HTML interface, click Online Documentation.

Online Help

In the Cisco Secure ACS HTML interface, online help appears in the right-hand frame when you are configuring a feature.

1 See the "Obtaining Documentation" section.


Related Documentation


Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.


Table 2 describes a set of white papers about Cisco Secure ACS. All white papers are available on Cisco.com. To view them, go to the following URL:

http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/index.shtml

Table 2 Related Documentation 

Document Title
Description and Available Formats

Building a Scalable TACACS+ Device Management Framework

This document discusses the key benefits of and how to deploy Cisco Secure ACS Shell Authorization Command sets, which provide the facilities constructing a scalable network device management system using familiar and efficient TCP/IP protocols and utilities supported by Cisco devices.

Catalyst Switching and ACS Deployment Guide

This document presents planning, design, and implementation practices for deploying Cisco Secure ACS for Windows Server in support of Cisco Catalyst Switch networks. It discusses network topology regarding AAA, user database choices, password protocol choices, access requirements, and capabilities of Cisco Secure ACS.

Cisco Secure ACS for Windows vs. Cisco Secure ACS for UNIX

This bulletin compares the overall feature sets of Cisco Secure ACS for Windows and CiscoSecure ACS for UNIX. It also examines the advantages and disadvantages of both platforms and discusses issues related to migrating from the UNIX-based product to the Windows version.

Configuring LDAP

This document outlines deployment concepts for Cisco Secure ACS when authenticating users of a Lightweight Directory Access Protocol (LDAP) directory server, and describes how to use these concepts to configure Cisco Secure ACS.

Deploying Cisco Secure ACS for Windows in a Cisco Aironet Environment

This paper discusses guidelines for wireless network design and deployment with Cisco Secure ACS.

EAP-TLS Deployment Guide for Wireless LAN Networks

This document discusses the Extensible Authentication Protocol Transport Layer Security (EAP-TLS) authentication protocol deployment in wireless networks. It introduces the EAP-TLS architecture and then discusses deployment issues.

External ODBC Authentication

This paper presents concepts and configuration issues in deploying Cisco Secure ACS for Windows Server to authenticate users against an external open database connectivity (ODBC) database. This paper also describes configuring, testing, and troubleshooting a relational database management system (RDBMS) with ODBC and Cisco Secure ACS, and provides sample Structured Query Language (SQL) procedures.

Guidelines for Placing ACS in the Network

This document discusses planning, design, and implementation practices for deploying Cisco Secure ACS for Windows Server in an enterprise network. It discusses network topology, user database choices, access requirements, integration of external databases, and capabilities of Cisco Secure ACS.

Initializing MC Authorization on ACS 3.1

This application note explains how to initialize Management Center authorization on Cisco Secure ACS.

Securing ACS Running on Microsoft Windows Platforms

This paper describes how the Cisco Secure ACS can be protected against the vulnerabilities of the Windows 2000 operating system and explains how to improve security on the computer running Cisco Secure ACS. It discusses making the system dedicated to Cisco Secure ACS, removing all unnecessary services, and other measures. It also discusses how to improve administrative security for Cisco Secure ACS through such methods as stronger passwords and controlled administrative access. This paper concludes with considerations of physical security for Cisco Secure ACS and its host.


Installation Notes

For information about installing Cisco Secure ACS, see Installation Guide for Cisco Secure ACS for Windows Server, version 3.2.

HTTPS Support Change and Management Center Applications

Cisco Secure ACS version 3.1 introduced support for HTTPS to protect administrative access to the HTML interface. In response to a problem discovered in Cisco Secure ACS 3.1 (see bug ID CSCea40150 in Table 6), Cisco Secure ACS does not allow HTTP and HTTPS to function simultaneously.

Multi-device management applications, such as Management Center for Firewalls, can be configured to use Cisco Secure ACS for authentication of administrators and authorization of their actions. Communication between early versions of multi-device management applications and Cisco Secure ACS requires HTTP. If you enable HTTPS in Cisco Secure ACS 3.2, communication between multi-device management applications and Cisco Secure ACS fails.

If you use Cisco Secure ACS with a multi-device management application that is not yet capable of HTTPS for communicating with Cisco Secure ACS, you must disable HTTPS in Cisco Secure ACS; otherwise, integration with Cisco Secure ACS fails.


Note Beginning with version 2.2 with Service Pack 2, CiscoWorks supports HTTPS; therefore, multi-device management applications using CiscoWorks 2.2 with Service Pack 2 or later can communicate with Cisco Secure ACS using HTTPS.


Changes to Token Server Support

Token server support in Cisco Secure ACS 3.2 is identical to that in Cisco Secure ACS 3.1; however, if you upgrade from Cisco Secure ACS 2.6 or Cisco Secure ACS 3.0 and you use token server databases, you should understand the changes to token server support that we began with Cisco Secure ACS 3.0 and completed in Cisco Secure ACS 3.1.

Beginning with Cisco Secure ACS 3.0, we supported CRYPTOCard token servers using a standard RADIUS interface. Cisco Secure ACS 3.1 extended the use of RADIUS to all token servers except RSA SecurID. For RSA SecurID, the vendor-proprietary interface is used.

If you upgrade to Cisco Secure ACS 3.2, the installation program may prompt you for information about token servers, depending on the version of Cisco Secure ACS you are upgrading from and the token server databases detected by the upgrade process.

If you are upgrading from Cisco Secure ACS 3.0, the installation program prompts you for information if you have one of these token servers:

SafeWord

PassGo (formerly Axent)

If you are upgrading from Cisco Secure ACS 2.6, the installation program prompts you for information if you have one of these token servers:

CRYPTOCard

SafeWord

PassGo

With this information, the installation program replaces the older token server configuration with a new one that uses the RADIUS interface of the token server. For more information about RADIUS support by your token server, see the applicable token server documentation.


Note If a RADIUS-based token server, such as CRYPTOCard, runs on the same computer as Cisco Secure ACS, make sure that the token server uses UDP ports different from the ports used by Cisco Secure ACS to receive RADIUS requests. For information about RADIUS ports used by Cisco Secure ACS, see User Guide for Cisco Secure ACS for Windows Server. For information about RADIUS ports used by a token server, see the applicable token server documentation.


Evaluation Version

The evaluation version of Cisco Secure ACS 3.2 provides full functionality for 90 days after the date of installation. This allows you to use all features of Cisco Secure ACS 3.2 while determining if it suits your needs. The evaluation version of Cisco Secure ACS 3.2 will be available within 30 days after the release of the commercial version of Cisco Secure ACS 3.2.

The evaluation version of Cisco Secure ACS 3.2 can be distinguished from the commercial version in the following ways:

The word "trial" appears in the title of the installation routine.

The Windows Control Panel Add/Remove applet indicates that the Cisco Secure ACS installation is a trial version.

In the administrative interface of Cisco Secure ACS, the word "trial" appears on the title of the initial screen.

When the evaluation period has elapsed, the CSRadius and CSTacacs services fail to start. You will receive a message upon accessing the Cisco Secure ACS HTML interface notifying you that your evaluation period has elapsed.

Purchasing the Commercial Version

Please contact your Cisco Sales Representative(s) to inquire about purchasing the commercial version of Cisco Secure ACS. To purchase the commercial version of Cisco Secure ACS 3.2 online, use the following URL:

http://www.cisco.com/pcgi-bin/cm/welcome.pl

Upgrading to the Commercial Version


Note To avoid the issue documented in CSCeb34179, we recommend upgrading to the commercial version before the 90-day evaluation period has passed. For more information about CSCeb34179, see Table 3.


After purchasing a commercial version of Cisco Secure ACS 3.2, you can upgrade your Cisco Secure ACS server from the evaluation version to the commercial version by installing the commercial version over the evaluation version. For information on installing Cisco Secure ACS 3.2, follow the instructions in Installation Guide for Cisco Secure ACS for Windows Server, version 3.2.

Limitations and Restrictions

The following limitations and restrictions apply to Cisco Secure ACS 3.2.1.

Interoperability Testing

Cisco Secure ACS has not been interoperability tested with other Cisco software. Other than for the software and operating system versions listed in this document, we performed no interoperability testing. Using untested software with Cisco Secure ACS may cause undesired results. For the best performance of Cisco Secure ACS, we recommend that you use the versions of software and operating systems listed in this document.

Supported Upgrade Versions

We support upgrading to Cisco Secure ACS 3.2.3 from the following previous versions:

Cisco Secure ACS 3.2.2

Cisco Secure ACS 3.2.1

Cisco Secure ACS 3.1.1

Cisco Secure ACS 3.0.4


Note To upgrade to version 3.2.3 from a version earlier than 3.0.4, upgrade to one of the supported upgrade versions, listed above, and then upgrade to Cisco Secure ACS 3.2.3.


Supported Operating System

Cisco Secure ACS for Windows Servers 3.2.3 supports the Windows operating systems listed below. Both the operating system and the service pack must be English-language versions.

Windows 2000 Server, with Service Pack 4 installed

Windows 2000 Advanced Server, with the following conditions:

with Service Pack 4 installed

without features specific to Windows 2000 Advanced Server enabled

Windows Server 2003, Enterprise Edition

Windows Server 2003, Standard Edition


Note The following restrictions apply to support for Microsoft Windows operating systems:

Cisco Secure ACS for Windows Server is not designed to make use of the multi-processor feature of any supported operating system; however, we did test Cisco Secure ACS using dual-processor computers.

We cannot support Microsoft clustering service on any supported operating system.

Windows 2000 Datacenter Server is not a supported operating system.

When running Cisco Secure ACS on Windows Server 2003, you may encounter event messages that falsely indicate that Cisco Secure ACS services have failed. This issue is documented in bug CSCea91690. For more information about CSCea91690, see Table 3.


Tested Windows Security Patches

We tested Cisco Secure ACS for Windows Servers version 3.2.3 with the following Microsoft security patches installed:

MS03-026

MS03-039

MS03-041

MS03-042

MS03-043

MS03-044

MS03-045

Upgrading from Windows NT 4.0

If you are upgrading from a previous version of Cisco Secure ACS that is running on Windows NT 4.0, you cannot upgrade the operating system to Windows 2000 Server. This is because the setup program for previous versions of Cisco Secure ACS detected which Windows operating system the computer used and customized Cisco Secure ACS for that operating system. As a result, upgrading the operating system to Windows 2000 Server without taking the necessary steps causes Cisco Secure ACS to fail.

We last published information about how to upgrade the operating system of the computer running Cisco Secure ACS to Windows 2000 in the documentation for Cisco Secure ACS 3.1. For more information, see Installation Guide for Cisco Secure ACS for Windows Server version 3.1, available at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/
acs31/acsinst

Supported Web Browsers

To administer all features included in Cisco Secure ACS 3.2, use an English-language version of one of the following tested and supported web browsers:

Microsoft Internet Explorer for Microsoft Windows

Version 6.0

Service Pack 1

Sun Java Plug-in 1.4.2_04 or Microsoft Java Virtual Machine (JVM)


Note Microsoft does not include its JVM in Windows Server 2003. Instead, use the Sun Java Plug-in listed above. For more information about Microsoft plans regarding its JVM, see http://www.microsoft.com/mscorp/java/.


Netscape Communicator for Microsoft Windows

Version 7.0

Sun Java Plug-in 1.4.2_04

Netscape Communicator for Solaris 2.7

Version 7.0

Sun Java Plug-in 1.4.0_01

We do not support other versions of these browsers, nor do we test web browsers by other manufacturers.


Note To use a web browser to access the Cisco Secure ACS HTML interface, configure your web browser as follows:

Use an English-language version of a supported browser.

Enable Java (see the supported browser list above for JVM details).

Enable JavaScript.

Disable HTTP proxy.


Supported Platforms for CiscoSecure Authentication Agent

For use of CiscoSecure Authentication Agent with Cisco Secure ACS 3.2.1, we support CiscoSecure Authentication Agent on the following client platform operating systems:

Windows XP with Service Pack 1

Windows 2000 Professional with Service Pack 3

On the following client platform operating systems, we do not support the use of CiscoSecure Authentication Agent with Cisco Secure ACS 3.2.1:

Windows 98

Windows 95

Windows NT 4.0

Other Supported Devices and Software

For information about supported Cisco devices, external user databases, and other software, see Supported and Interoperable Devices and Software Tables for Cisco Secure ACS for Windows Server Version 3.2. To see this document, go to the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/
acs32/2wn32sdt.htm

Known and Resolved Problems

This section contains information about the following topics:

Cisco AAA Client Problems

Known Problems in Cisco Secure ACS Version 3.2.3

Resolved Problems in Cisco Secure ACS Version 3.2.3

Resolved Problems in Cisco Secure ACS Version 3.2.2

Resolved Problems in Cisco Secure ACS Version 3.2.1

Cisco AAA Client Problems

Refer to the appropriate release notes for information about Cisco AAA client problems that might affect the operation of Cisco Secure ACS. You can access these release notes online at the following URLs.

Cisco Aironet Access Point

http://www.cisco.com/univercd/cc/td/doc/product/wireless/

Cisco BBSM

http://www.cisco.com/univercd/cc/td/doc/product/aggr/bbsm/

Cisco Catalyst Switches

http://www.cisco.com/univercd/cc/td/doc/product/lan/

Cisco IOS

http://www.cisco.com/univercd/cc/td/doc/product/software/

Cisco Secure PIX Firewall

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/

Cisco VPN 3000 Concentrator

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3002/

Cisco VPN 5000 Concentrator

http://www.cisco.com/univercd/cc/td/doc/product/aggr/vpn5000/

Known Problems in Cisco Secure ACS Version 3.2.3

Table 3 describes problems known to exist in this release.


NoteA "—" in the Explanation column indicates that no information was available at the time of publication. You should check the Cisco Software Bug Toolkit for current information. To access the Cisco Software Bug Toolkit, go to http://www.cisco.com/pcgi-bin/Support/Bugtool/home.pl. (You will be prompted to log into Cisco.com.)

Bug summaries and explanations in Table 3 are printed word-for-word as they appear in our bug tracking system.


Table 3 Known Problems in Cisco Secure ACS for Windows Server, Version 3.2.3 

Bug ID
Summary
Explanation

CSCdv35872

Insufficient length for NDS context entry

When a Novell NDS database configuration in Cisco Secure ACS has a context list greater than 4095 characters long, editing the NDS configuration page results in incorrect HTML in the browser interface.

Workaround/Solution: Use a context list no longer than 4096 characters.

CSCdv86708

HTTP Port Allocation is not replicated

Changes to HTTP Port Allocation settings do not appear to replicate. After the HTTP Port Allocation settings are changed on the Access Policy Setup page in the Administration Control section on the primary Cisco Secure ACS server and replication succeeds, the secondary Cisco Secure ACS server does not display the changes to the HTTP Port Allocation settings in the HTML interface.

Workaround/Solution: The changes to the HTTP Port Allocation settings do replicate successfully; however, to see the changes on the secondary Cisco Secure ACS server, restart the CSAdmin service.

CSCdx19854

Memory check for certificates in https transport is required

When you select the "Use HTTPS Transport for Administration Access" check box on the Access Policy page and more than two HTTPS sessions are active, the following error is presented:

Can't initialize HTTPS transport: too many 
active HTTPS sessions 

SSL Admin design does not enforce a restriction that prevents the modification of Cisco Secure ACS certificates so that there are not more than two certificates in memory at once.

Instead Cisco Secure ACS prevents the initialization of HTTPS when more than two HTTPS sessions are in use.

Workaround/Solution: Reduce the number of concurrent administrative sessions to two or one before attempting to enable HTTPS using the new certificate.

CSCdy51214

fail to delete aaa server when its in sync table/aaa server side

A AAA server cannot be deleted from the "(Not Assigned) AAA Servers" table in Network Configuration if the Synchronize"= list under Synchronization Partners on the RDBMS Synchronization Setup page is empty. An error message "x.x.x.x can not be deleted since it is an synchronization partner" appears.

Workaround/Solution: Move any other AAA server to the Synchronize list, then delete the AAA server.

CSCdy59706

CAA messaging wont work with ppp callback and callin authentication

When having ppp callback and only callin is authenticated (ppp authentication pap chap callin), then messaging to the CAA client will fail with all aging rules selected in ACS.

This is a documentation bug, the above won't work without changes.

Workaround/Solution: Either remove the "callin" keyword to enable authentication for callin and callout (callback in this scenario), or disable callback altogether.

CSCdz61464

Solaris Netscape 7.0 - Minor Features Failure

When the administrative browser is Netscape 7.0 on Solaris 8.0, some menus in the HTML interface for Cisco Secure ACS do not work properly.

Workaround/Solution: Use a supported Windows browser.

CSCdz61529

Netscape hangs on several times during login session on Solaris

When you use Netscape 7.0 to access the HTML interface of Cisco Secure ACS, the browser stops responding after you access the User Setup page or while trying to add a shared profile component.

Workaround/Solution: Use a supported Windows browser.

CSCdz61875

Configured Default Proxy Distribution Entry is not restored

If you configure the (Default) of "Proxy Distribution Table" in "Network Configuration" after backed up. Previously settings before backup are not restored. Example...

Change the configuration of "Send Accounting Information" in "Proxy Distribution Table" to "Local/Remote" from "Local".

Backup ACS Server

Change that value to "Local" from "Local/Remote".

Restore the ACS Server using backup data of 1:.

That value is restored as "Local" not "Local/Remote".

Workaround: There is no workaround.

CSCdz86955

Cannot remove shell authorization from groups display

Shell command authorization remains in the User Setup and Group Setup sections of the HTML interface, even after shell command authorization is disabled in Interface Configuration and the feature is not in use.

Workaround/Solution: None at this time.

CSCea25090

Logged In User not showing after going into enable mode on router

With AAA Accounting for exec sessions configured on a NAS, a user shows up in the Logged-In User report on Cisco Secure ACS. With Accounting also configured for going into enable mode, the user no longer appears in the Logged-In User report after authenticating successfully.

Cisco Secure ACS tracks user sessions by IP address and port number. When enable authentication succeeds, Cisco Secure ACS sees that the IP address and port number combination for the existing session have been reused and assumes that the accounting stop packet was not sent or was lost; therefore, the user session is removed from the Logged-In User report even though the session continues in enable mode.

Because the NAS cannot be configured to send new accounting start packets when the enable mode is entered, the Logged-In User report cannot correctly report the user session as ongoing.

Workaround: None.

CSCea50039

T+ authentication errors when stressing TACACS func.

Under heavy TACACS+ authentication load, Cisco Secure ACS incorrectly fails authentication for a very small number of TACACS+ authentication requests. In testing, less than one hundredth of one percent of TACACS+ authentication requests were incorrectly failed.

Workaround/Solution: If you have more than one Cisco Secure ACS server available for TACACS+ authentication, distribute TACACS+ authentication load as evenly as possible to all Cisco Secure ACS servers.

CSCea55457

Radius Attributes do not appear in user/group profile page

After you enable RADIUS attributes in the Interface Configuration section of the Cisco Secure ACS HTML interface, they do not appear or appear only partially in Group Setup or User Setup, as applicable.

Workaround/Solution: Restart the CSAdmin service.

CSCea67901

UCP has trouble with dots in usernames

When using the User changeable passwords utility to change the passwords for the usernames which contain dot (".") character, after clicking on one of the links on the top, the links at the top in the subsequent screen contain only the part of the username before the dot.

Workaround: edit the passwd.htm and result.htm files in the cgi-bin directory to comment out the table with the links - so that the users would not be able to get confused.

CSCea71759

Headline of UCP application stating Cisco Secure ACS

The web pages of the User-Changeable Passwords (UCP) utility have titles and headings that suggest that the user is logging into Cisco Secure ACS for an administrative session. This is not possible from UCP and the headings and titles are erroneous.

Workaround/Solution: Educate users about the function of UCP or modify the HTML file contents to change the misleading titles and headings.

CSCea74289

cascade replication due to user pass change-dont work

Cascading replication does not occur when the replication trigger is user password change and the primary Cisco Secure ACS is configured to perform replication manually.

Workaround/Solution: Use scheduled replication on the primary Cisco Secure ACS.

CSCea91690

Event Viewer errors on startup/shutdown in .NET

On Windows .Net Server 2003 shutdown and startup you may see errors that falsely indicate that Cisco Secure ACS service have failed. At startup, you may see a dialog box indicating that a service, such as CSLog, encountered a problem and needs to close. The same error logged to Event Viewer, as in the following example:

Reporting queued error: faulting 
application CSLog.exe, version 0.0.0.0, 
faulting module unknown, version 0.0.0.0, 
fault address 0x00000000. 

The problem is that in Windows Server 2003, the Service Manager queries the Cisco Secure ACS services status during startup and shutdown, but Cisco Secure ACS services may not have started yet or may have stopped already. Even though this is normal behavior for Cisco Secure ACS services, Windows perceives this as an error and logs it to the Event Viewer.

On startup, all errors from event viewer displayed to user, which is why, when users logs into Windows right after startup, they see errors from the previous login session.

This behaviour observed on Windows Server 2003 only.

Workaround: You can verify that Cisco Secure ACS services are running by using Control Panel.

CSCeb11691

SPC names are limited to 31 characters in size

SPC names are limited to 31 characters in size not 32 as the doc below specifies.

http://www.cisco.com/en/US/products/sw/secursw/
ps2086/products_user_guide_chapter09186a00800
d9e6b.html

CSCeb15219

Couldnt add NAS filter by CSDdsync

When you attempt to add a network access restriction using RDBMS Synchronization, action code 122 "ADD_NAS_ACCESS_FILTER" doesn't work. When you use the UN variable, the error message "The named user variable cannot be found" is logged even though the user exists in the CiscoSecure user database.

Workaround/Solution: Synchronization with action code 122 succeeds after you manually select the "Define IP based access restrictions" option in user profile.

CSCeb16968

ACS shared profile components disappear after ACS upgrade

After you upgrade Cisco Secure ACS, authorization support for Management Center (MC) applications, such as Management Center for Firewalls, fails. In the Shared Profile Components section of the Cisco Secure ACS HTML interface, each MC that has registered with Cisco Secure ACS has a set of pages for configuring authorization components. If you access a page for editing or adding authorization components, you see an error message about a missing XML file.

Workaround/Solution: You must use CiscoWorks to re-register all MCs with Cisco Secure ACS.

Log into the CiscoWorks desktop with admin privileges.

Go to Server Configuration > Setup > Security > Select Login Module. Configure CiscoWorks to use the CiscoWorks Local module, and then configure CiscoWorks to use the TACACS+ module.

Go to VPN Security Management Solution > Administration > Common Services > Configuration > AAA Servers. Unregister all MCs and then re-register all MCs.

Log out of CiscoWorks.

CSCeb23766

Inconsistency with ACS response if username contains invalid chars

Radius usernames entered with invalid characters results in the ACS server not sending any response at all. This can cause the NAS to fail over to the configured secondary authentication method which may not be desirable.

Workaround: At the present time, TACACS authentication does not appear to have this same problem.

CSCeb32885

schedule backup don't work properly

In the evaluation version of ACS 3.2 scheduled backups might not always operate. This has been observed when Cisco Secure ACS contained 60000 users and 1200 AAA Clients.

After a while scheduled backup resumed its proper operation and returned to normal. The reason is not clear, and requires further investigation.

Workaround: None.

CSCeb34179

CSRadius fail to stop when 90 days evaluation period is over

After the 90-day evaluation period had passed, the evaluation version of Cisco Secure ACS for Windows Server develops problems with the CSRadius service if a RADIUS request is received. The CSRadius service begins to stop but never successfully complete the stop process. The service status appears as "stopping". After this point, folders under the Cisco Secure ACS installation directory are locked and an upgrade to the commercial version cannot be completed. Neither can the trial version be successfully uninstalled.

Workaround/Solution: Reboot the server and uninstall or upgrade Cisco Secure ACS before a RADIUS request is received. To ensure that no RADIUS requests are received, consider taking the server off of the network long enough for the installation to succeed. As an alternative, you could change the IP address of the server to an address that RADIUS clients are not configured to send requests to.

CSCeb36966

large number Windows groups causes ACS GUI timeout

When there is a large number of Windows groups (this was observed with 25000), the ACS http GUI connection times out.

Workaround/Solution: Force the Windows server that Cisco Secure ACS uses to retrieve the groups to cache the groups locally. Go into Active Directory Users and Groups on the computer running Cisco Secure ACS for Windows Server. If you are using Cisco Secure ACS Solution Engine, go into Active Directory Users and Groups on the computer running the Cisco Secure Remote Agent for Windows, In Active Directory, view all the groups. In Cisco Secure ACS, configure the mappings. This works because the server has cached the information.

CSCeb43948

Could not generate valid Password with password length => 9

If, in System Configuration > Local Password Management, you configure Cisco Secure ACS to require user passwords to be nine or more characters in length, Cisco Secure ACS generates "Could not generate valid Password" messages in the logs for the CSMon service. The message appears on the schedule you define for CSMon to test services. This has been verified as a problem on 3.1 and 3.2. Earlier versions were not tested, but likely have the problem.

Workaround: None.

CSCeb45624

NAR does not work comma separated source address

The documentation and the short help pages in the browser indicate that you can specify multiple IP addresses separated by commas for a source IP in the IP-based NAR section. This is not true. Any attempt to actually do so will result in Cisco Secure ACS ignoring the NAR config for the telnet connections to a router. This has been verified in ACS 3.2 and ACS 3.1.

Workaround: Do not use commas to separate multiple IP addresses in NARs.

CSCeb51393

multi-admin needs to be able to add/edit/delete downloadable ACLs

With multi-administrator tries to add/edit/delete downloadable acl under the shared profile components, after the first admin submitted any changes, the other administrator's ACS session got locked up.

Workaround: There is no workaround. Administrators must inform each other when he/she is working on the downloadable ACLs.

CSCeb58107

cisco-nas-port attribute should be included in VoIP accounting log

The cisco-nas-port attribute should be available in the VoIP accounting log.

CSCeb62898

Group mapping ordering applet is not properly ordered

In a newly created Windows group mapping configuration, group mappings list in the wrong order.

Workaround: On the page for ordering group mappings, order the group mappings and click Submit. As additional mappings are added, they appear properly at the end of the list of mappings.

CSCeb63032

SPC names are limited to 31 characters in size

SPC names are limited to 31 characters in size not 32 as the doc below specifies Section from the following link below : Note The name of a PIX ACL may contain up to 32 characters. The name may contain spaces; but it may not contain leading, trailing, or multiple spaces, or the following characters: - [ ] / - http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a00800d9e6b.html

CSCeb63188

database define with special chars permitted but unusable later

Symptom: ACS allows definition of a database with special characters in the name, like "Windows (test)" but on trying to actually use the database in the 'Selected Databases' column with 3.0.3 & 3.2, the error message is 'The selected DB search list is empty'. The software should not allow naming of a database when the name cannot be used.

Workaround: Do not use special characters in a database name.

CSCeb82133

PEAP re-keying type not logged to Failed log

CSCeb82136

ACL size 35K cannot be edited - The page cannot be displayed

If you create a downloadable ACL that is larger than 32KB (roughly 32,000 characters, including name and description), when you try to edit it later, the browser shows a "page cannot be displayed" error.

Workaround: Do not add or edit a downloadable ACL so that it is larger than 32KB.

CSCec00789

Calling-Station-ID attribute description inaccurate

In the user guide for Cisco Secure ACS, RADIUS IETF attribute 31, Called-Station-ID is inaccurately documented as only being supported for ISDN and modem calls for AS5200s. This is not true.

Cisco Secure ACS supports this attribute regardless of what type of AAA client sends it.

CSCec05303

VPN3000 downloadable ACL not working on upgraded ACS

If a previous version of ACS is upgraded to ACS 3.2, the Downloadable ACL feature will not work with a VPN3000 concentrator. It works fine on a new install. If the following registry key is added, it works. No values are required within the key:

REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.2\CSRadius\ExtensionPoints\003\AssociateWithVendors\005]

CSCec06340

acs is miscalculating the user-password when proxying

Symptom: in such a topology:

nas---> acs1 proxy ----> radius b 

and when using the proxy distribution table to do the proxy.

When acs 3.1 and later is being used as a proxy server, when it re-calculates the user-password attribute in order to forward it to the end radius server, it miscalculates the user-password attribute. if the same pre-shared key is being used between acs1 and radius b, then in principal the same user-password should be calculated, but it's not and usually that user-password attribute gets same values as first couple of bytes of the original user-password while the rest are zeros.

This problem has been observed in acs 3.1 and 3.2 released versions. It also might be in 3.0.

This problem doesn't happen when proxying between 2 acs servers. it only happens between an acs server and some 3rd party server due to the way the password is calculated.

Workaround: instead of using proxy distribution table to do the proxy in acs 1, configure radius b as a "radius token server" in external databases, and configure unknown user policy on acs1 to check radius b. of course in that case on radius b you should configure acs 1 as a network device and give it the correct pre-shared secret configured in radius token server on acs1.

CSCec18522

PIX downloadable ACLs do not allow -; no pix object groups

The Cisco Secure ACS downloadable ACL feature does not allow hyphens, "-", in ACL definitions; however, the PIX Firewall access-list command has a "object-group" keyword. You cannot configure downloadable ACLs in Cisco Secure ACS using the object-group keyword.

Workaround: None at this time.

CSCec18573

Replication of VMS configurations requires restart of CSAdmin

VMS-specific attributes replicated to secondary Cisco Secure ACS are not available. This also prevents a CiscoWorks administrator from registering an application with the secondary Cisco Secure ACS.

Workaround: Restart the CSAdmin service. After this service is restarted, registration from CiscoWorks succeeds and the VMS configuration data replicated to the secondary Cisco Secure ACS is available in the HTML interface.

CSCec39523

Proxy ACS changes upper case letters to lower in username RADIUS att

Topology:

NAS--proxy RADIUS ACS--authenticating RADIUS server

Symptom: If the NAS is sending a username (IETF attribute 1) in a RADIUS acces-request packet, which contains upper- and lower-case letters, the proxy ACS RADIUS will forward this access-request packet to the authenticating RADIUS server with all upper-case letters changed to lower-case letters

Conditions:

This is observed only when prefix stripping is configured on the proxy RADIUS ACS and the username contains the prefix to be stripped by the proxy RADIUS ACS.

This is not observed when suffix stripping or no stripping takes place.

Workaround: Do not use upper-case letters in the username attribute, when performing prefix stripping

CSCec46370

Group mapping misbehavior

When an external RADIUS database attempts to specify a user's group using Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair, and the group number specified is "500", Cisco Secure ACS fails the user authentication and logs a seemingly unrelated error related to Group 100 and network access restrictions (even if no NARs are applied to the user). Specifying a group number larger than 500, such as 501, functions as expected, with the user assigned to the Default group.

RADIUS group specification requires that the assignment in the cisco-av-pairattribute use the following format:

ACS:CiscoSecure-Group-Id = N 

where N is the Cisco Secure ACS group number (0 through 499) to which Cisco Secure ACS should assign the user.

Workaround: Ensure that the external RADIUS server database only specifies a group number between 0 and 499.

CSCec57161

wrong ODBC logging causes major CSLog mem leak & stop local logging

Misconfigured ODBC logging creates errors in CSLog and can result in a memory leak.

Workaround: Configure ODBC logging correctly or disable ODBC logging.

CSCec61110

authentications on secondary acs may fail after replication

Symptom: In environment where primary and secondary Cisco Secure ACS primary and secondary servers are kept in synch using the replication feature, user authentication may fail for users defined in an external database users and the Failed Attempts log will contain an "external DB not configured" error.

Conditions: This happens with certain external database types such as LDAP, NDS, and the various token server types. It can't happen with the Windows external DB. By configuring external databases in a different order on the primary and secondary Cisco Secure ACS servers, authentication fails on the secondary server for users defined in the databases configured in a different order. If external databases are configured in same order on primary and secondary servers, this does not happen. For example, if you configure two instances of LDAP external user databases on primary and secondary servers but configure them in different orders, after users are replicated, LDAP authentication attempts fail on the secondary server.

Workaround: For each database type involved in the problem, delete the external databases on all secondary servers and reconfigure them in the same order that they are defined on the primary server. If this fails, delete the affected external databases on the primary and secondary servers and reconfigure them.

CSCec63624

ACS 3.2 admin gui locks and displays action canceled message

If the Shell (exec) service is disabled in Interface Configuration > TACACS+ (Cisco IOS) and you attempt to access a group other than the default group, the Cisco Secure ACS HTML interface ends the administrative session.

Workaround: To start a new session, close the browser window, open a new browser window, and access the HTML interface again.

To permit access to groups other than the default group, enable the group-level Shell (exec) service in Interface Configuration > TACACS+ (Cisco IOS).

CSCec71687

need to change the source from which ACS reads certificate from stor

When you attempt to install a certificate from storage, Cisco Secure ACS expects to find the certificate in the Trusted Root Certification Authorities folder of the Local Computer Account certificates. If you have previously installed a certificate using the Cisco Secure ACS HTML interface, you cannot reinstall the certificate from storage.

Workaround: To reinstall from storage a certificate previously installed using the Cisco Secure ACS HTML interface, use the Microsoft Management Console to access the certificates for the local computer account and move the stored certificate from the ACS certificates folder you find it in to the Certificates folder under Trusted Root Certificate Authorities.

CSCec72911

2003-password aging page display issue

CSCec73065

csutil sometimes messes up SPC NARs

Symptom: In Cisco Secure ACS for Windows Server 3.2, if you re-initialize the internal database by doing "csutil -q -d -n -l" or if you dump your databases using "csutild -d" and rampart by doing "csutil -l", Network Access Restrictions defined in the Shared profile Component section of the HTML interface may lose all of the permitted/denied calling point entries.

Workaround: The problem is in the Description Edit box of Network Access Restriction page. This box must NOT contain any <Enter> symbols (<CR><LF> or hard-breaks), including at the end of the line.

Delete all hard-breaks from Description by pressing <Backspace>. Let the web browser automatically wrap lines. Do not attempt to force line breaks with returns.

CSCec89440

Unable to edit some of the disabled accounts

The Disabled Accounts report in the Reports and Activity section of the Cisco Secure ACS HTML interface can behave oddly when you access it using an administrator account that doesn't have access to all groups.

If a page of the Disabled Accounts report has users belonging to groups that the administrator cannot access, the report doesn't allow the administrator to move to the next page of the report.

If a user account is configured to be assigned a group by the group mapping feature, the user account appears on the Disabled Accounts report even though the administrator only has access to specific groups.

Workaround: Access the Disabled Accounts report with an administrative account that has permission to access all groups.

CSCed01640

Memory leak in CSAuth caused with Leap-Proxy scenario

When you use LEAP proxy with Cisco Secure ACS under stress, the CSAuth service uses additional system memory and does not release the memory when the stress is removed from the system.

Workaround: Restart the CSAuth service.

CSCed12218

User Usage Quotas -limit user x hours of online time

CSCed18334

CSDBSync logs become swollen with time

CSDBSync logs grow very large and contain many "WaitForMultipleObjects returned [-1]" messages. CPU usage may also be very high. The issue is likely caused by starting services in the wrong order. If this occur with Cisco Secure ACS for Windows Server rather than Cisco Secure ACS Solution Engine, the services that make up Cisco Secure ACS may be running as different user accounts rather than as the same user account for all Cisco Secure ACS services.

Workaround: If you are using Cisco Secure ACS for Windows Server, verify that all Cisco Secure ACS services are running as the same user account. To do so, go to Start > Settings > Control Panel > Administrative Tools > Services and view the properties of each Cisco Secure ACS service.

Reboot the Cisco Secure ACS server. When the server reboots, services automatically start in the correct order and the problem should abate.

CSCed30876

radius proxy does not return ietf attr when using ios radius

CSCed39208

VU: Unable to auto provision with long username

CSCed40111

Session ends before Session timeout value

CSCed42437

RADIUS Proxy with Cisco PEAP operates only with RADIUS Aironet

CSCed42439

Active Directory via LDAP - Group Mappings skip first group

When Active Directory is configured as Generic LDAP and group mappings are configured, the first group in the LDAP directory is skipped.

CSCed43496

acs 3.2 odbc fields limited to 50 characters

in acs if doing logging to odbc microsoft access, if an attribute's value is bigger than 50 characters, it's truncated to 50 characters.

Workarounds: none yet

CSCed59826

CSAdmin stops responding when editing java using netscape

CSCed61135

DOC - Certificate Signing Request for public CA

The Certificate Signing Request screen within ACS does not have fields required by public Certificate Authorities, but you can still obtain a proper CSR by using the following subject format:

CN=server.domain.com,c=US,S=State,L=City,o=Co
mpany, 
ou=Department

CSCed65806

no logging/wrong ODBC attr logging causes major performance issues

CSCed71133

All Other Combinations mapping ignored when group fetch fails

If the NT group fetch fails, ACS 3.2 will map a user to group 0 regardless of the setting of the All Other Combinations mapping.

Workaround: Fix the Microsoft permission problems that are causing the group fetch to fail. The user that runs the ACS services must have full read permission on any domain that ACS will be using for authentication.

CSCed77992

Action Code 211 doesnt return group settings to factory defaults

Action Code 211 doesn't work as documented.

Document states, this code "Resets a Group User record back to its original factory defaults". However some settings are not reset to factory defaults like Shell (exec) and No escape check boxes.

CSCed82937

Password attribute malformed to external RADIUS token database

When ACS receives a blank password from a user in an external RADIUS token database, it sends a malformed password attribute to the token RADIUS server - the attribute length is 2, but RFC 2865 dictates that the length will be between 18 to 130 characters, in multiples of 16.

CSCed92815

ACS Main page shows wrong copyright message - year 2003

Cisco Secure ACS Main 3.2.3 page shows a wrong Copyright message :

Copyright @2003 Cisco Systems, Inc. 

The correct copyright statement for Cisco Secure ACS 3.2.3

Copyright @2004 Cisco Systems, Inc

CSCin45582

VMS2.2-BT:Shared Profile components are not overwritten

If you re-register a Management Center application with Cisco Secure ACS, Cisco Secure ACS retains the authorization settings from the previous registration rather than replacing them with default authorization settings.

Workaround/Solution: None.


Resolved Problems in Cisco Secure ACS Version 3.2.3

Table 4 describes problems resolved in Cisco Secure ACS for Windows Server version 3.2.3.


Note Bug summaries in Table 4 are printed word-for-word as they appear in our bug tracking system.


Table 4 Resolved Problems in Cisco Secure ACS for Windows Server, Version 3.2.3 

Bug ID
Summary
Explanation

CSCeb58021

Server Hello packet of TLS from ACS Server has garbage.

Server Hello packet from Cisco Secure ACS contains properly formatted data.

CSCec19050

acs might crash due to misbehaviour under stress of endpoint.dll

Cisco Secure ACS behaves properly under stress.

CSCec61799

Even though the RDBMS synchronization succeeds, error says it did not.

Success of synchronization is recorded correctly.

CSCed01627

Protocol Error in Login

No protocol error occurs when you try to access the HTML interface.

CSCec88099

acs documentation not accurate with eap-tls with nds

Documentation accurately reflects the lack of EAP-TLS support with Novell NDS databases.

CSCed43590

ACS authentication to NDS fails intermittently

Authentication with Novell NDS databases functions properly.

CSCed51248

replication terminates after failing to replicate to a server

If replication to a secondary server fails, replication continues to next server in Replication Partners list.

CSCed52922

CSAUTH crash - EAP-TLS to LDAP, other db first in unknown policy

The CSAuth service reliably operates during EAP-TLS authentication to LDAP databases.

CSCed52949

EAP-GTC, two dbs in unknown user policy, group mappings ignored

Group mapping is applied properly.

CSCed56266

memory leak in csauth.exe

CSAuth.exe has no memory leak.

CSCed71962

MS-PEAP, cannot authenticate user.

Microsoft PEAP authentication operates as designed.

CSCed77664

MS-PEAP Chapv2 authentication is case sensitive

Case sensitivity is handled correctly.


Resolved Problems in Cisco Secure ACS Version 3.2.2

Table 5 describes problems resolved in Cisco Secure ACS for Windows Server version 3.2.2.


Note Bug summaries in Table 5 are printed word-for-word as they appear in our bug tracking system.


Table 5 Resolved Problems in Cisco Secure ACS for Windows Server, Version 3.2.2 

Bug ID
Summary
Explanation

CSCea87470

Unknown user policy with ACE has returned inconsistent group inform

Unknown user policy consistently maps users to the correct group.

CSCeb11686

restarting the services does not unlock locked object

Restarting services does unlock locked objects.

CSCeb47081

Using VOIP accounting with CID as user names cause to problem

The registry of the server no longer grows as a result of using the username in the CLID attribute.

CSCeb48341

duplicate selections from pull down menu of downloadable acl

Duplicate selections do not appear on list of downloadable ACLs.

CSCeb62893

T+ does not closes registry key, causes windows error 1450

Cisco Secure ACS closes the registry key properly, thus preventing the error.

CSCeb64302

Network Model within ACS Registry grows in accounting

Missing NAS-PORT values no longer causes application misbehavior.

CSCeb77357

ACS strips off CN from DN for GroupObjectType

Cisco Secure ACS correctly handles GroupObjectType. Groups list correctly when you configure LDAP group mapping.

CSCeb78279

ACS 3.2 is unable to authenticate users in external databases

Cisco Secure ACS authenticates consistently to external user databases.

CSCeb79925

Wrong log message when client rejects PEAP certificate

Cisco Secure ACS provides a more useful error message when a PEAP certificate is rejected.

CSCeb84808

ACS strips off CN from DN for GroupObjectType

Cisco Secure ACS correctly handles GroupObjectType. Groups list correctly when you configure LDAP group mapping.

CSCec00119

SQL accounting causes cslog crash for Ascend acct packet >=529&<=535

Cisco Secure ACS logs Ascend accounting packets reliably.

CSCec00298

SQL accounting causes cslog crash for Ascend acct packet >=529&<=535

Cisco Secure ACS logs Ascend accounting packets reliably.

CSCec06797

Unable to properly re-order LDAP group mappings

LDAP group mappings can be properly ordered

CSCec47715

Upgraded ACS 3.2 hangs when editing groups and users or replicating

The HTML interface operates as designed when the shell service is not enabled in the default group and when replication is occurring.

CSCec60586

No Action id available to set Per User Cant authorization

Action code 270 now supports the ability to set per-user command authorization.

CSCec60586

No Action id available to set Per User Cant authorization

Action code 270 now supports the ability to set per-user command authorization.

CSCec80834

ACS LDAP prefix or suffix is case sensitive

Cisco Secure ACS handles LDAP prefixes and suffixes in a case-insensitive manner.

CSCed13905

Admin SSL allowed without certificate from replication

On a secondary Cisco Secure ACS, replication will not enable SSL if certificate setup has not been performed on the secondary Cisco Secure ACS.


Resolved Problems in Cisco Secure ACS Version 3.2.1

Table 6 describes problems resolved in Cisco Secure ACS for Windows Server version 3.2.1.


Note Bug summaries in Table 6 are printed word-for-word as they appear in our bug tracking system.


Table 6 Resolved Problems in Cisco Secure ACS for Windows Server, Version 3.2.1 

Bug ID
Summary
Explanation

CSCdu33140

PPTP Tunnel with VPN3000 and MS-CHAP V2 method

A PPTP tunnel using a Cisco VPN 3000-series concentrator and MS-CHAP version 2 is created successfully.

CSCdu35333

CSNT should not require unique NAS&port values for ip pools

You can configure Cisco Secure ACS to use the username to identify sessions rather than unique port numbers.

CSCdx81906

Unable to replicate to more than 20 partners

The limitation of 20 replication partners no longer is true. You can configure Cisco Secure ACS to replicate to more than 20 other Cisco Secure ACSes.

CSCdy14259

TACACS+ ASCII login doesn't work correctly with CRYPTOCard

We successfully tested TACACS+ ASCII login with CRYPTOCard 5.32 in challenge response (async) mode. Settings in Cisco Secure ACS should be as follows:

"From Token Server (async tokens only)" check box should be selected

"Password" box should have a string in it.

Both settings are located under TACACS+ Shell Configuration on the CRYPTOCard Token Server Configuration page in the External User Database section.

CSCdz09728

RSA TACACS+ authentication failed after password changing

TACACS+ authentication using an RSA token server functions properly after password changes are applied.

CSCdz14051

wireless client cannot EAP login when max session limit is 1

Newer versions of Cisco Aironet include the RADIUS Service-Type attribute to distinguish between full login and rekey authentications. We used this change to enable Cisco Secure ACS to handle rekey authentications correctly.

CSCdz19494

Repeated LEAP auths from single client cause memory leak

We resolved the memory leak.

CSCdz27070

disc-cause attribute is wrong in Tacacs+ Acct logs

Cisco Secure ACS logs the correct value for TACACS+ idle timeout.

CSCdz87654

Authentication failure with dynamic mappings

Cisco Secure ACS correctly assigns users to the group designated in the user profile when group mapping for the user would otherwise assign the user to the No Access group.

CSCea19930

Leak in CSAuth when using IP based NARs

We resolved the memory leak.

CSCea35303

Change of NDG for NAS isn't applied until CSAuth is restarted manual

Changing NDGs for a AAA client no longer requires a restart of the CSAuth service.

CSCea40150

HTTPS Session to ACS Passes Username in Clear Text

Cisco Secure ACS establishes the SSL tunnel prior to submission of administrator name and password, preventing the administrator name from being sent in the clear.

CSCea54048

Password changing by UCP is not trigger for automatic DB replicate

Password changes made using a User-Changeable Password web page trigger database replication, when replication is correctly configured.


Obtaining Documentation

Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

International Cisco websites can be accessed from this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription.

Registered Cisco.com users can order a single Documentation CD-ROM (product number DOC-CONDOCCD=) through the Cisco Ordering tool:

http://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_tool_launch.html

All users can order annual or quarterly subscriptions through the online Subscription Store:

http://www.cisco.com/go/subscription

Click Subscriptions & Promotional Materials in the left navigation bar.

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/en/US/partner/ordering/index.shtml

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit e-mail comments about technical documentation to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour-a-day, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance. If you do not hold a valid Cisco service contract, please contact your reseller.

Cisco TAC Website

The Cisco TAC website ( http://www.cisco.com/tac) provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year.

Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:

http://tools.cisco.com/RPF/register/register.do

Opening a TAC Case

Using the online TAC Case Open Tool ( http://www.cisco.com/tac/caseopen) is the fastest way to open P3 and P4 cases. (P3 and P4 cases are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using the recommended resources, your case will be assigned to a Cisco TAC engineer.

For P1 or P2 cases (P1 and P2 cases are those in which your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.

To open a case by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete listing of Cisco TAC contacts, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

TAC Case Priority Definitions

To ensure that all cases are reported in a standard format, Cisco has established case priority definitions.

Priority 1 (P1)—Your network is "down" or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://www.cisco.com/en/US/products/products_catalog_links_launch.html

Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press online at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html

Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:

http://www.cisco.com/en/US/learning/index.html