Guest

Cisco Secure Access Control Server Solution Engine

Release Notes for Cisco Secure ACS Appliance Version 3.2

 Feedback

Table Of Contents

Release Notes for Cisco Secure ACS Appliance Version 3.2

Supplemental License Agreement for Cisco Systems Network Management Software Running on the Cisco 11XX Hardware Platform

Product Documentation

Related Documentation

Installation Notes

Cisco Security Notices

HTTPS Support and Management Center Applications

Limitations and Restrictions

Supported Migration Versions

Supported Web Browsers

Supported Operating Systems for Remote Agent

Supported Platforms for CiscoSecure Authentication Agent

Other Supported Devices and Software

Known and Resolved Problems

Cisco AAA Client Problems

Known Problems in Cisco Secure ACS Version 3.2.1

Resolved Problems in Cisco Secure ACS Version 3.2.1

Obtaining Documentation

Cisco.com

Documentation CD-ROM

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco TAC Website

Opening a TAC Case

TAC Case Priority Definitions

Obtaining Additional Publications and Information

Release Notes for Cisco Secure ACS Appliance Version 3.2


These release notes pertain to Cisco Secure Access Control Server Appliance (Cisco Secure ACS) version 3.2.1.

These release notes provide:

Supplemental License Agreement for Cisco Systems Network Management Software Running on the Cisco 11XX Hardware Platform

Product Documentation

Related Documentation

Installation Notes

Cisco Security Notices

HTTPS Support and Management Center Applications

Limitations and Restrictions

Supported Migration Versions

Supported Web Browsers

Supported Operating Systems for Remote Agent

Supported Platforms for CiscoSecure Authentication Agent

Other Supported Devices and Software

Known and Resolved Problems

Obtaining Documentation

Documentation Feedback

Obtaining Technical Assistance

Obtaining Additional Publications and Information

Supplemental License Agreement for Cisco Systems Network Management Software Running on the Cisco 11XX Hardware Platform

IMPORTANTREAD CAREFULLY: This Supplemental License Agreement ("SLA") contains additional limitations on the license to the Software provided to Customer under the Software License Agreement between Customer and Cisco. Capitalized terms used in this SLA and not otherwise defined herein shall have the meanings assigned to them in the Software License Agreement. To the extent that there is a conflict among any of these terms and conditions applicable to the Software, the terms and conditions in this SLA shall take precedence.

By installing, downloading, accessing or otherwise using the Software, Customer agrees to be bound by the terms of this SLA. If Customer does not agree to the terms of this SLA, Customer may not install, download or otherwise use the Software.

1. ADDITIONAL LICENSE RESTRICTIONS.

Installation and Use. The Cisco Secure Access Control Server Software component of the Cisco 11XX Hardware Platform is pre-installed. CD's containing tools to restore this Software to the 11XX hardware are provided to Customer for reinstallation purposes only. Customer may only run the supported Cisco Secure Access Control Server Software on the Cisco 11XX Hardware Platform designed for its use. No unsupported Software product or component may be installed on the Cisco 11XX Hardware Platform.

Software Upgrades, Major and Minor Releases. Cisco may provide Cisco Secure Access Control Server Software updates and new version releases for the 11XX Hardware Platform. If the Software update and new version releases can be purchased through Cisco or a recognized partner or reseller, the Customer should purchase one Software update for each Cisco 11XX Hardware Platform. If the Customer is eligible to receive the Software update or new version release through a Cisco extended service program, the Customer should request to receive only one Software update or new version release per valid service contract.

Reproduction and Distribution. Customer may not reproduce nor distribute software.

2. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS.

Please refer to the Cisco Systems, Inc. Software License Agreement.

Product Documentation


Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.


Table 1 describes the product documentation that is available.

Table 1 Product Documentation 

Document Title
Available Formats

Release Notes for Cisco Secure ACS Appliance

Printed document that was included with the product.

PDF on the product CD-ROM.

On Cisco.com:

a. Log into Cisco.com.

b. Select Products & Services > Security and VPN Software  > Cisco Secure Access Control Server Solution Engine > Technical Documentation > Release Notes .

Installation and Setup Guide for Cisco Secure ACS Appliance

PDF on the product CD-ROM.

On Cisco.com:

a. Log into Cisco.com.

b. Select Products & Services > Security and VPN Software  > Cisco Secure Access Control Server Solution Engine > Technical Documentation > Installation Guides .

Printed document available by order (part number DOC-7814573=).1

User Guide for
Cisco Secure ACS Appliance

PDF on the product CD-ROM.

On Cisco.com:

a. Log into Cisco.com.

b. Select Products & Services > Security and VPN Software  > Cisco Secure Access Control Server Solution Engine > Technical Documentation > User Guides.

Printed document available by order (part number DOC-7814698=). 1

Installation and User Guide for Cisco Secure ACS User-Changeable Passwords

PDF on the product CD-ROM.

On Cisco.com:

a. Log into Cisco.com.

b. Select Products & Services > Security and VPN Software  > Cisco Secure Access Control Server Solution Engine > Technical Documentation > Installation Guides.

Regulatory Compliance and Safety Information for Cisco Secure ACS Appliance

Printed document that was included with the product.

PDF on the product CD-ROM.

On Cisco.com:

a. Log into Cisco.com.

b. Select Products & Services > Security and VPN Software  > Cisco Secure Access Control Server Solution Engine > Instructions and Guides > Regulatory Approvals and Compliance .

Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Appliance

1. Log into Cisco.com.

2. Select Products & Services > Security and VPN Software  > Cisco Secure Access Control Server Solution Engine > Technical Documentation > Device Support Tables.

Recommended Resources for the Cisco Secure ACS User

1. Log into Cisco.com.

2. Select Products & Services > Security and VPN Software  > Cisco Secure Access Control Server Solution Engine > Technical Documentation > Technical References.

Online Documentation

In the Cisco Secure ACS HTML interface, click Online Documentation.

1 See the "Obtaining Documentation" section.


Related Documentation


Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.


Table 2 describes a set of white papers about Cisco Secure ACS for Windows Server; however, much of the information contained in these papers is applicable to Cisco Secure ACS Appliance. All white papers are available on Cisco.com. To view them:

1. Log into Cisco.com.

2. Select Products & Services > Security and VPN Software  > Cisco Secure Access Control Server for Windows > Product Literature > White Papers.

Table 2 Related Documentation 

Document Title
Description and Available Formats

Building a Scalable TACACS+ Device Management Framework

This document discusses the key benefits of and how to deploy Cisco Secure ACS Shell Authorization Command sets, which provide the facilities for constructing a scalable network device management system using familiar and efficient TCP/IP protocols and utilities supported by Cisco devices.

Catalyst Switching and ACS Deployment Guide

This document presents planning, design, and implementation practices for deploying Cisco Secure ACS for Windows Server in support of Cisco Catalyst Switch networks. It discusses network topology regarding AAA, user database choices, password protocol choices, access requirements, and capabilities of Cisco Secure ACS.

Deploying Cisco Secure ACS for Windows in a Cisco Aironet Environment

This paper discusses guidelines for wireless network design and deployment with Cisco Secure ACS.

EAP-TLS Deployment Guide for Wireless LAN Networks

This document discusses the Extensible Authentication Protocol Transport Layer Security (EAP-TLS) authentication protocol deployment in wireless networks. It introduces the EAP-TLS architecture and then discusses deployment issues.

Guidelines for Placing ACS in the Network

This document discusses planning, design, and implementation practices for deploying Cisco Secure ACS for Windows Server in an enterprise network. It discusses network topology, user database choices, access requirements, integration of external databases, and capabilities of Cisco Secure ACS.

Initializing MC Authorization on ACS 3.1

This application note explains how to initialize Management Center authorization on Cisco Secure ACS.


Installation Notes

For information about installing Cisco Secure ACS, see Installation and Setup Guide for Cisco Secure ACS Appliance, version 3.2.

Cisco Security Notices

The following two Cisco Security Notices are relevant to the Cisco Secure ACS Appliance:

http://www.cisco.com/en/US/products/sw/voicesw/ps556/
products_tech_note09186a00801aedd6.shtml

http://www.cisco.com/en/US/products/sw/voicesw/ps556/
products_tech_note09186a00801b143a.shtml

We produced a patch for the Cisco Secure ACS Appliance that resolves the issues described in both Cisco Security Notices. The patch is available at the following site:

http://www.cisco.com/pcgi-bin/tablebuild.pl/solution_engine


Note You can apply the patch from the URL above by using the Appliance Upgrade Status page in the HTML interface or the download and upgrade commands at the console. For more information, refer to appliance upgrade procedures in User Guide for Cisco Secure ACS Appliance and Installation and Setup Guide for Cisco Secure ACS Appliance.


HTTPS Support and Management Center Applications

Cisco Secure ACS 3.2 does not allow HTTP and HTTPS to function simultaneously. Multi-device management applications, such as Management Center for Firewalls, can be configured to use Cisco Secure ACS for authentication of administrators and authorization of their actions. Communication between early versions of multi-device management applications and Cisco Secure ACS requires HTTP. If you enable HTTPS in Cisco Secure ACS 3.2, communication between multi-device management applications and Cisco Secure ACS fails.

If you use Cisco Secure ACS with a multi-device management application that is not yet capable of HTTPS for communicating with Cisco Secure ACS, you must disable HTTPS in Cisco Secure ACS; otherwise, integration with Cisco Secure ACS fails.


Note Beginning with version 2.2 with service pack 2, CiscoWorks supports HTTPS; therefore, multi-device management applications using CiscoWorks 2.2 with Service Pack 2 or later are designed to communicate with Cisco Secure ACS using HTTPS.


Limitations and Restrictions

The following limitations and restrictions apply to Cisco Secure ACS 3.2.1.

Supported Migration Versions

We support migrating from Cisco Secure ACS for Windows Server to Cisco Secure ACS Appliance 3.2.1 from Cisco Secure ACS for Windows Server 3.2.1. We do not support migration from other versions of Cisco Secure ACS for Windows Server.

Steps for performing a migration from Cisco Secure ACS for Windows Server to Cisco Secure ACS Appliance are documented in Installation Guide for Cisco Secure ACS for Windows Server, available at the following location:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/
prod_installation_guide09186a0080184928.html#10598

Supported Web Browsers

To administer all features included in Cisco Secure ACS 3.2, use an English-language version of one of the following tested and supported web browsers:

Microsoft Internet Explorer version 6.0 with Service Pack 1 for Microsoft Windows

Netscape Communicator version 7.0 for Microsoft Windows

Netscape Communicator version 7.0 for Solaris 2.7

We do not support other versions of these browsers, nor do we test web browsers by other manufacturers.


Note To use a web browser to access the Cisco Secure ACS HTML interface, configure your web browser as follows:

Use an English-language version of a supported browser.

Enable Java.

Enable JavaScript.

Disable HTTP proxy.


Supported Operating Systems for Remote Agent

Cisco Secure ACS 3.2 supports Cisco Secure ACS Remote Agent on Microsoft Windows 2000 and Solaris operating systems, as specified in the following two sections.

Windows Support for Remote Agent

The computer running Cisco Secure ACS Remote Agent for Windows must use an English-language version of one of the following operating systems:

Windows 2000 Server, with Service Pack 3 or Service Pack 4 installed

Windows 2000 Advanced Server, with the following conditions:

with Service Pack 3 or Service Pack 4 installed

without Microsoft clustering service installed

without other features specific to Windows 2000 Advanced Server enabled


Note The following two limitations apply to support for Windows 2000:

We have not tested and cannot support the multi-processor feature of Windows 2000 Advanced Server.

Windows 2000 Datacenter Server is not a supported operating system.


Solaris Support for Remote Agent

The computer running Cisco Secure ACS Remote Agent for Solaris must use Solaris 2.8.

Supported Platforms for CiscoSecure Authentication Agent

For use of CiscoSecure Authentication Agent with Cisco Secure ACS 3.2.1, we support CiscoSecure Authentication Agent on the following client platform operating systems:

Windows XP with Service Pack 1

Windows 2000 Professional with Service Pack 3

On the following client platform operating systems, we do not support the use of CiscoSecure Authentication Agent with Cisco Secure ACS 3.2.1:

Windows 98

Windows 95

Windows NT 4.0

Other Supported Devices and Software

For information about supported Cisco devices, external user databases, and other software, see Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Appliance Version 3.2. To see this document, log into Cisco.com and select Products & Services > Security and VPN Software  > Cisco Secure Access Control Server Appliance > Technical Documentation > Device Support Tables.

Known and Resolved Problems

This section contains information about the following topics:

Cisco AAA Client Problems

Known Problems in Cisco Secure ACS Version 3.2.1

Resolved Problems in Cisco Secure ACS Version 3.2.1

Cisco AAA Client Problems

Refer to the appropriate release notes for information about Cisco AAA client problems that might affect the operation of Cisco Secure ACS. You can access these release notes online at the following URLs.

Cisco Aironet Access Point

http://www.cisco.com/univercd/cc/td/doc/product/wireless/

Cisco BBSM

http://www.cisco.com/univercd/cc/td/doc/product/aggr/bbsm/

Cisco Catalyst Switches

http://www.cisco.com/univercd/cc/td/doc/product/lan/

Cisco IOS

http://www.cisco.com/univercd/cc/td/doc/product/software/

Cisco Secure PIX Firewall

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/

Cisco VPN 3000 Concentrator

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3002/

Cisco VPN 5000 Concentrator

http://www.cisco.com/univercd/cc/td/doc/product/aggr/vpn5000/

Known Problems in Cisco Secure ACS Version 3.2.1

Table 3 describes problems known to exist in this release.


Note To obtain more information about known problems, access the Cisco Software Bug Toolkit at http://www.cisco.com/pcgi-bin/Support/Bugtool/home.pl. (You will be prompted to log into Cisco.com.)


Table 3 Known Problems in Cisco Secure ACS Appliance, Version 3.2.1 

Bug ID
Summary
Explanation

CSCdv35872

Insufficient length for NDS context entry

When a Novell NDS database configuration in Cisco Secure ACS has a context list greater than 4095 characters long, editing the NDS configuration page results in incorrect HTML in the browser interface.

Workaround/Solution: Use a context list no longer than 4096 characters.

CSCdv86707

User Data Field name is not replicated

Changes to user-defined fields in user records do not appear to replicate. After the user-defined fields are changed in the Interface Configuration section on the primary Cisco Secure ACS server and replication succeeds, the secondary Cisco Secure ACS server does not display the changes to the user-defined fields in the HTML interface.

Workaround/Solution: The changes to the user-defined fields do replicate successfully; however, to see the changes on the secondary Cisco Secure ACS server, restart the CSAdmin service.

CSCdv86708

HTTP Port Allocation is not replicated

Changes to HTTP Port Allocation settings do not appear to replicate. After the HTTP Port Allocation settings are changed on the Access Policy Setup page in the Administration Control section on the primary Cisco Secure ACS server and replication succeeds, the secondary Cisco Secure ACS server does not display the changes to the HTTP Port Allocation settings in the HTML interface.

Workaround/Solution: The changes to the HTTP Port Allocation settings do replicate successfully; however, to see the changes on the secondary Cisco Secure ACS, restart the CSAdmin service.

CSCdy51214

fail to delete aaa server when its in sync table/aaa server side

A AAA server cannot be deleted from the "(Not Assigned) AAA Servers" table in Network Configuration if the Synchronize"= list under Synchronization Partners on the RDBMS Synchronization Setup page is empty. An error message "x.x.x.x can not be deleted since it is an synchronization partner" appears.

Workaround/Solution: Move any other AAA server to the Synchronize list, then delete the AAA server.

CSCdy59706

CAA messaging wont work with ppp callback and callin authentication

When having ppp callback and only callin is authenticated (ppp authentication pap chap callin), then messaging to the CAA client will fail with all aging rules selected in ACS.

This is a documentation bug, the above won't work without changes.

Workaround/Solution: Either remove the "callin" keyword to enable authentication for callin and callout (callback in this scenario), or disable callback altogether.

CSCdz30261

ACS doc does not have examples with product setups

ACS documentation does not have examples with product setups

Workaround: Locate deployment guides at http://www.cisco.com/warp/public/cc/pd/sqsw/sq/
tech/index.shtml
if there is one for the task in question.

CSCdx19854

Memory check for certificates in https transport is required

When you select the "Use HTTPS Transport for Administration Access" check box on the Access Policy page and more than two HTTPS sessions are active, the following error is presented:

Can't initialize HTTPS transport: too many active 
HTTPS sessions

SSL Admin design does not enforce a restriction that prevents the modification of Cisco Secure ACS certificates so that there are not more than two certificates in memory at once.

Instead Cisco Secure ACS prevents the initialization of HTTPS when more than two HTTPS sessions are in use.

Workaround/Solution: Reduce the number of concurrent administrative sessions to two or one before attempting to enable HTTPS using the new certificate.

CSCdz06719

Support cmd allows illegal values

On the Cisco Secure ACS Appliance command-line interface, the support command accepts illegal values at various prompts. For example, the "Enter FTP Server Hostname or IP Address" prompt accepts IP addresses that are not valid.

Workaround/Solution: Be careful to respond to prompts with valid responses. For guidance with the use of the support command and its prompts, see the "Obtaining Support Logs via the Serial Console" procedure in Installation and Setup Guide for Cisco Secure ACS Appliance.

CSCdz11061

RA logging configuration isnt updated till restart

When you modify the remote agent logging configuration using the HTML interface of the appliance that is the remote agent's configuration provider, the changes does not take effect until the remote agent is restarted.

Workaround/Solution: After making remote agent logging configuration changes in the HTML interface of the configuration provider, restart CSAgent on the computer running the remote agent.

CSCdz13771

err in csauth in every X min replication-certain flow

Replication fails in very particular circumstances:

Set replication frequency to once a minute

Turn off replication for a specific component, such as the user database.

Modify the database component that is not to be replicated, such as by adding a user.

Turn on replication for the specific component

Replication does not occur because Cisco Secure ACS does not perceive the database as having changed.

Workaround/Solution: Restart the CSAuth service.

CSCdz61454

FTP Restore button is not working on Solaris

When the administrative browser is Netscape 7.0 on Solaris 8.0, clicking the Restore button in the Cisco Secure ACS HTML interface has no effect.

Workaround/Solution: Use a supported Windows browser or, if you are using Cisco Secure ACS Appliance, use the restore command on the system console for the appliance.

CSCdz61464

Solaris Netscape 7.0 - Minor Features Failure

When the administrative browser is Netscape 7.0 on Solaris 8.0, some menus in the HTML interface for Cisco Secure ACS do not work properly.

Workaround/Solution: Use a supported Windows browser.

CSCdz61529

Netscape hangs on several times during login session on Solaris

When you use Netscape 7.0 to access the HTML interface of Cisco Secure ACS, the browser stops responding after you access the User Setup page or while trying to add a shared profile component.

Workaround/Solution: Use a supported Windows browser.

CSCdz73781

Netscape browser on WinNT pointing ACSAppliance is not stable

When you use Netscape 7.0 on Windows to access the HTML interface of Cisco Secure ACS, the browser may stop responding, often while using 99% of CPU time.

Workaround/Solution: Use Task Manager to stop Netscape. Use a supported Internet Explorer browser to access the HTML interface.

CSCdz74860

Cannot delete if Radius and AAA have same self IP

If you add a AAA server entry that is defined as a RADIUS server that has the same IP address as the AAA server entry that represents the Cisco Secure ACS itself, you cannot delete the new RADIUS server entry. Cisco Secure ACS appears to identify this second entry as its self-entry though it is not.

Workaround/Solution: None at this time.

CSCdz86955

Cannot remove shell authorization from groups display

Shell command authorization remains in the User Setup and Group Setup sections of the HTML interface, even after shell command authorization is disabled in Interface Configuration and the feature is not in use.

Workaround/Solution: None at this time.

CSCea00440

appliance name after install is DELIVERANCE1 always

In a Cisco Secure ACS appliance, the Proxy Distribution Table entry for the appliance is always named "deliverance1" rather than the hostname specified at initial setup or by using the set hostname command.

Workaround/Solution: Although you cannot change the name of the table entry, you can associate the table entry named "deliverance1" with the real name of the appliance. In Network Configuration, select the "(Default)" entry in the Proxy Distribution Table. In the AAA Servers list, select the hostname that you assigned to the appliance and move it to the Forward To list. Then select the "Submit + Restart" button.

CSCea28562

Restore deleted Self AAA Server

When you restore the system database for Cisco Secure ACS Appliance, the AAA Servers table entry that represents the appliance itself is deleted.

Workaround/Solution: Recreate the self entry manually after performing a system restoration.

CSCea50039

T+ authentication errors when stressing TACACS func.

Under heavy TACACS+ authentication load, Cisco Secure ACS incorrectly fails authentication for a very small number of TACACS+ authentication requests. In testing, less than one hundredth of one percent of TACACS+ authentication requests were incorrectly failed.

Workaround/Solution: If you have more than one Cisco Secure ACS server available for TACACS+ authentication, distribute TACACS+ authentication load as evenly as possible to all Cisco Secure ACS servers.

CSCea54336

restore process related issues from a dump file created by s/w backup

If you restore a Cisco Secure ACS Appliance database using a backup file created by Cisco Secure ACS for Windows Server, you may encounter one or more of the following issues:

Duplicate administrator names where one administrator is the console administrator and the other is added from the backup file.

The AAA Servers table entry for the appliance itself is deleted.

Entries in the Remote Agents table are deleted.

Subsequent attempts to restore the database using the same backup file fail.

Workaround/Solution: Restore the database from a backup created by a Cisco Secure ACS Appliance.

CSCea55457

Radius Attributes do not appear in user/group profile page

After you enable RADIUS attributes in the Interface Configuration section of the Cisco Secure ACS HTML interface, they do not appear or appear only partially in Group Setup or User Setup, as applicable.

Workaround/Solution: Restart the CSAdmin service.

CSCea60497

no msg in rdbms log on the sync partner about the sync operation

When a Cisco Secure ACS Appliance receives RDBMS Synchronization data from a primary ACS, the RDBMS Synchronization log on the secondary ACS does not record the synchronization event, regardless of success or failure.

Workaround/Solution: None at this time. You may be able to deduce when synchronization occurred and whether it succeeded by reading the synchronization logs and reviewing the RDBMS Synchronization configuration on the primary ACS.

CSCea62203

Resource Usage values in Support page are incorrect

System and service resource usage statistics presented on the Support page of a Cisco Secure ACS Appliance may not be accurate.

Workaround/Solution: None at this time.

CSCea66355

Login prompt displayed too early when upgrade via CLI

When you apply an upgrade to a Cisco Secure ACS appliance using the upgrade command at the serial console command prompt, you erroneously receive a Login prompt just before the appliance reboots itself.

Workaround/Solution: None. The appliance reboots after the Login prompt. After the reboot is complete, you can login normally.

CSCea71759

Headline of UCP application stating Cisco Secure ACS

The web pages of the User-Changeable Passwords (UCP) utility have titles and headings that suggest that the user is logging into Cisco Secure ACS for an administrative session. This is not possible from UCP and the headings and titles are erroneous.

Workaround/Solution: Educate users about the function of UCP or modify the HTML file contents to change the misleading titles and headings.

CSCea74269

CSAdmin issue when downloading upgrade via GUI and https is in use

If HTTPS is enabled for administrative access to the HTML interface, you cannot transfer an upgrade package to a Cisco Secure ACS appliance. The transfer fails with an "Action canceled" message.

Workaround/Solution: Temporarily disable HTTPS before transferring the upgrade package.

CSCea74289

cascade replication due to user pass change-dont work

Cascading replication does not occur when the replication trigger is user password change and the primary Cisco Secure ACS is configured to perform replication manually.

Workaround/Solution: Use scheduled replication on the primary Cisco Secure ACS.

CSCea87748

Downloadable ACLs deleted and downsized after backup via CLI

If your Cisco Secure ACS Appliance has downloadable ACLs defined that have more than approximately 31 kilobytes of text in them and you use the system console to backup and restore the database, the downloadable ACLs are truncated to approximately 31 kilobytes or are deleted entirely.

Workaround/Solution: Do not create downloadable ACLs that contain more than 30 kilobytes of data; or, if this is unavoidable, keep text file records of the ACLs so that, if a restoration performed from the system console is necessary, you can recreate the downloadable ACLs.

CSCeb00443

ODBC logging settings appear after restore/replication from SW

After replicating from Cisco Secure ACS for Windows Server to a Cisco Secure ACS appliance or after using a backup file from the Windows version to restore the appliance version, ODBC logging settings may appear on the Logging page of the System Configuration section of the appliance HTML interface. This is erroneous because the appliance version does not support ODBC logging.

Workaround/Solution: None at this time.

CSCeb11207

rdbms sync dont get the first line in action file

RDBMS Synchronization fails when accountactions.csv has data on its first line.

Workaround/Solution: The first line of accountactions.csv should either be blank or contain column titles.

CSCeb14972

appliance ip is 0.0.0.0 after recovery & upgrade

After you apply an upgrade to a Cisco Secure ACS appliance, a AAA client entry may appear in Network Configuration that has the same name as the appliance but has the IP address 0.0.0.0.

Workaround/Solution: Delete the AAA client entry erroneously created by the upgrade process.

CSCeb15110

appliance name doesn't appear in dist table, rdbms sync table

After you upgrade a Cisco Secure ACS appliance, the Proxy Distribution Table in Network Configuration may be missing the entry that represents the appliance itself. You may also notice that the appliance entry is missing from the Synchronization Partners table on the RDBMS Sychronization page.

Workaround/Solution: None at this time.

CSCeb16968

MC defined services doesn't function after upgrade

After you upgrade Cisco Secure ACS, authorization support for Management Center (MC) applications, such as Management Center for Firewalls, fails. In the Shared Profile Components section of the Cisco Secure ACS HTML interface, each MC that has registered with Cisco Secure ACS has a set of pages for configuring authorization components. If you access a page for editing or adding authorization components, you see an error message about a missing XML file.

Workaround/Solution: You must use CiscoWorks to re-register all MCs with Cisco Secure ACS.

Log into the CiscoWorks desktop with admin privileges.

Go to Server Configuration > Setup > Security > Select Login Module. Configure CiscoWorks to use the CiscoWorks Local module, and then configure CiscoWorks to use the TACACS+ module.

Go to VPN Security Management Solution > Administration > Common Services > Configuration > AAA Servers. Unregister all MCs and then re-register all MCs.

Log out of CiscoWorks.

CSCeb21037

Windows Remote Agent un-install issue

Uninstalling Cisco Secure Remote Agent for Windows does not remove some subdirectories, such as those that contain log files.

Workaround/Solution: Manually delete the directories left by the uninstallation process.

CSCeb21053

rdbms sync on add nas-err on log while nas are been added

When you add a AAA client or AAA server to a Cisco Secure ACS appliance using RDBMS Synchronization, you may an error in the RDBMS Synchronization log that says the AAA client/Server was not added when in was added to the AAA client or AAA server tables in Network Configuration.

Workaround/Solution: None. You can confirm the addition of the AAA client or AAA server by viewing the AAA client and AAA server tables in the Network Configuration section of the HTML interface.

CSCeb21253

signature verification mechanism via GUI is not operating properly

When you apply an upgrade to an Cisco Secure ACS appliance using the HTML interface, Cisco Secure ACS incorrectly cannot verify the upgrade package. You receive the following confirmation prompt:

Upgrade package was not verified. Applying this 
upgrade package may corrupt the appliance. Continue 
at your own risk! Continue? ---y(yes), n(no)

Workaround/Solution: Use the serial console command line to apply the upgrade. The package verification functions properly from the command line. Once you have verified that the package is correct, you can safely use the HTML interface on other appliances you may need to upgrade.

CSCeb21358

CSLogAgent could not be started when certain acct attr is selected

When an "unknown" attribute is added to the logging configuration on the

"Remote Logging Agent CSV RADIUS Accounting File Configuration" page in a Cisco Secure ACS appliance, remote agents that use the appliance as a configuration provider have difficulties starting CSLogAgent.

Workaround/Solution: Remove any "unknown" attributes from the RADIUS Accounting log configuration in the Cisco Secure ACS HTML interface.

CSCeb36966

large number Windows groups causes ACS GUI timeout

When there is a large number of Windows groups (this was observed with 25000), the ACS http GUI connection times out.

Workaround/Solution: Force the Windows server that Cisco Secure ACS uses to retrieve the groups to cache the groups locally. Go into Active Directory Users and Groups on the computer running Cisco Secure ACS for Windows Server. If you are using Cisco Secure ACS Solution Engine, go into Active Directory Users and Groups on the computer running the Cisco Secure Remote Agent for Windows. In Active Directory, view all the groups. In Cisco Secure ACS, configure the mappings. This works because the server has cached the information.

CSCeb43948

Could not generate valid Password with password length => 9

If, in System Configuration > Local Password Management, you configure Cisco Secure ACS to require user passwords to be nine or more characters in length, Cisco Secure ACS generates "Could not generate valid Password" messages in the logs for the CSMon service. The message appears on the schedule you define for CSMon to test services. This has been verified as a problem on 3.1 and 3.2. Earlier versions were not tested, but likely have the problem.

Workaround: None.

CSCeb45624

NAR does not work comma separated source address

The documentation and the short help pages in the browser indicate that you can specify multiple IP addresses separated by commas for a source IP in the IP-based NAR section. This is not true. Any attempt to actually do so will result in Cisco Secure ACS ignoring the NAR config for the telnet connections to a router. This has been verified in ACS 3.2 and ACS 3.1.

Workaround: Do not use commas to separate multiple IP addresses in NARs.

CSCeb63188

database define with special chars permitted but unusable later

Symptom: ACS allows definition of a database with special characters in the name, like "Windows (test)" but on trying to actually use the database in the 'Selected Databases' column with 3.0.3 & 3.2, the error message is 'The selected DB search list is empty'. The software should not allow naming of a database when the name cannot be used.

Workaround: Do not use special characters in a database name.

CSCec00789

Calling-Station-ID attribute description inaccurate

In the user guide for Cisco Secure ACS, RADIUS IETF attribute 31, Called-Station-ID is inaccurately documented as only being supported for ISDN and modem calls for AS5200s. This is not true.

Cisco Secure ACS supports this attribute regardless of what type of AAA client sends it.

CSCec18522

PIX downloadable ACLs do not allow -; no pix object groups

The Cisco Secure ACS downloadable ACL feature does not allow hyphens, "-", in ACL definitions; however, the PIX Firewall access-list command has a "object-group" keyword. You cannot configure downloadable ACLs in Cisco Secure ACS using the object-group keyword.

Workaround: None at this time.

CSCec61110

authentications on secondary acs may fail after replication

Symptom: In environment where primary and secondary Cisco Secure ACS primary and secondary servers are kept in synch using the replication feature, user authentication may fail for users defined in an external database users and the Failed Attempts log will contain an "external DB not configured" error.

Conditions: This happens with certain external database types such as LDAP, NDS, and the various token server types. It can't happen with the Windows external DB. By configuring external databases in a different order on the primary and secondary Cisco Secure ACS servers, authentication fails on the secondary server for users defined in the databases configured in a different order. If external databases are configured in same order on primary and secondary servers, this does not happen. For example, if you configure two instances of LDAP external user databases on primary and secondary servers but configure them in different orders, after users are replicated, LDAP authentication attempts fail on the secondary server.

Workaround: For each database type involved in the problem, delete the external databases on all secondary servers and reconfigure them in the same order that they are defined on the primary server. If this fails, delete the affected external databases on the primary and secondary servers and reconfigure them.

CSCec63624

ACS 3.2 admin gui locks and displays action canceled message

If the Shell (exec) service is disabled in Interface Configuration > TACACS+ (Cisco IOS) and you attempt to access a group other than the default group, the Cisco Secure ACS HTML interface ends the administrative session.

Workaround: To start a new session, close the browser window, open a new browser window, and access the HTML interface again.

To permit access to groups other than the default group, enable the group-level Shell (exec) service in Interface Configuration > TACACS+ (Cisco IOS).

CSCed23602

Docs unclear about rack mounting parts and procedure

The Installation and Setup Guide for Cisco Secure ACS Appliance provides inadequate details about how to assemble the rack mounting kit. Terminology used to refer to the cable support bracket and the cable tray clamp should be clarified. The procedure needs to be revised to more clearly express how the cable support bracket and cable tray clamp should be attached to the appliance, the rails, and each other.

Workaround: For clarification, refer to the following information.

The rack mount kit has four parts. These include two rails, a cable support bracket, and a cable tray clamp. In the product packaging, the cable support bracket may be separated from the other three rack mounting kit parts; however, the cable support bracket is essential for proper rack mounting.

The cable support bracket is C-shaped and has a screw on one end and a metal tab on the other. The cable tray clamp has a black plastic clamp that slides open and closed.

As you face the appliance from the rear, the cable support bracket should be attached to the left side of the appliance. Its tab must be inserted in the slot in the upper left corner of the rear of the appliance. To do so, you MUST remove the appliance cover, taking the appropriate safety precautions outlined in the documentation. The right side of the of the cable support bracket screws into the appliance. The screw hole is located at the bottom edge of the appliance rear panel.

Do not attach the cable tray clamp directly to the appliance. Instead, attach it to the right, rear corner of the cable support bracket and to the rail on the right, using the screws built into the cable tray clamp. Again, directions are relative to facing the rear of the appliance.

Note If you attempt to attach the cable tray clamp directly to the appliance, the ports on the rear of the appliance may be partially blocked or more difficult to access.

CSCin45582

VMS2.2-BT:Shared Profile components are not overwritten

If you re-register a Management Center application with Cisco Secure ACS, Cisco Secure ACS retains the authorization settings from the previous registration rather than replacing them with default authorization settings.

Workaround/Solution: None.


Resolved Problems in Cisco Secure ACS Version 3.2.1

Table 4 describes problems resolved since the Beta release of Cisco Secure ACS Appliance, version 3.2.

Table 4 Resolved Problems in Cisco Secure ACS Appliance, Version 3.2.1 

Bug ID
Summary
Explanation

CSCdx66455

Search AAA clients, servers, Remote -> Network Devices

Network searches defined as limited to a particular device type only return devices of the type specified rather than all device types.

CSCdx66459

Help frame is not displayed in Search for Network Devices

Help displays for the network device search feature.

CSCdx66466

Remote Agents Help frame is not available

Help displays for the remote agent configuration pages.

CSCdx75501

Certificate pages on appliance should not prompt for files

Certificate configuration pages do not include controls for referring to certificate files by filename. A means of transferring certificates by FTP is provided.

CSCdz43066

Do default login/display username,password on unconfigured appliance

When you initially setup an appliance, the console login prompt tells you what the default administrator name and password are. After you have successfully configured a new administrator and password, the login prompt no longer displays the default administrator name and password.

CSCdz43505

Update description for allowing multiple DNS entries on CLI

The system console interface does indicate that multiple DNS entries are possible.

CSCdz47333

Replication changing name to deliverance1 after completing

Replication does not change the hostname of the appliance.

CSCdz47338

NTP Configuration excluded from the show command

The show command includes the command for configuring NTP.

CSCdz52415

Change order of initial configuration

During initial configuration of an appliance, IP configuration occurs before NTP configuration.

CSCdz61278

Reorder the initial configuration steps

During initial configuration of an appliance, IP configuration occurs before NTP configuration.

CSCdz61358

FTP backup to a Unix system failed

FTP backup to UNIX systems functions properly.

CSCdz64721

CLI help should also work with ? command

Entering a question mark ("?") at the system console prompt returns a list of available commands.

CSCdz64766

Time and Timeout setting are not displayed on Show command

The show command displays all available commands.


Obtaining Documentation

Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

International Cisco websites can be accessed from this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription.

Registered Cisco.com users can order a single Documentation CD-ROM (product number DOC-CONDOCCD=) through the Cisco Ordering tool:

http://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_tool_launch.html

All users can order annual or quarterly subscriptions through the online Subscription Store:

http://www.cisco.com/go/subscription

Click Subscriptions & Promotional Materials in the left navigation bar.

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/en/US/partner/ordering/index.shtml

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit e-mail comments about technical documentation to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour-a-day, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance. If you do not hold a valid Cisco service contract, please contact your reseller.

Cisco TAC Website

The Cisco TAC website ( http://www.cisco.com/tac) provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year.

Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:

http://tools.cisco.com/RPF/register/register.do

Opening a TAC Case

Using the online TAC Case Open Tool ( http://www.cisco.com/tac/caseopen) is the fastest way to open P3 and P4 cases. (P3 and P4 cases are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using the recommended resources, your case will be assigned to a Cisco TAC engineer.

For P1 or P2 cases (P1 and P2 cases are those in which your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.

To open a case by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete listing of Cisco TAC contacts, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

TAC Case Priority Definitions

To ensure that all cases are reported in a standard format, Cisco has established case priority definitions.

Priority 1 (P1)—Your network is "down" or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://www.cisco.com/en/US/products/products_catalog_links_launch.html

Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press online at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html

Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:

http://www.cisco.com/en/US/learning/index.html