Table Of Contents
Release Notes for Cisco Secure ACS 4.1.4
Contents
Introduction
New and Changed Information
Temporary Elevated User Privileges
Object Identifier Check for EAP-TLS Authentication
Layer 2 Audit for Network Access Control
CSSupport Utility Added
UTF-8 Support
Add and Edit Devices Using the CSUtil Utility
Support for Microsoft Windows
Japanese Operating System Support
Multiprocessor Support
VMware ESX Server Support
Installation Notes
Installation Notes for ACS 4.1.4 for Windows
System Requirements for ACS 4.1.4 for Windows
Upgrade Paths to ACS 4.1.4 for Windows
Installing ACS 4.1.4 for Windows
Installation Notes for ACS 4.1.4 Solution Engine
Upgrade Paths to the ACS 4.1.4 Solution Engine
Installing the ACS Solution Engine 4.1.4
Known Caveats
Resolved Caveats
Documentation Updates
Changes
Domain Privileges for Windows 2003 Authentication
Supported ODBC Data Sources
Java Runtime Environment (JRE) Version
Update for LD_LIBRARY_PATH Environment Variable
CSUtil Example Returns Error Message
Modification to RADIUS Access Request/Reject Online Help
Remote Agent for Windows 4.1.4 Does Not Require Reboot
Terminal Services and Remote Desktop Not Supported on the Remote Agent
Bidirectional Logging
Cisco Secure Authentication Agent
Installing the Cisco Secure Authentication Agent
Omissions
Password Aging
DBSync Process Keeps Restarting
For ACS Replication, Server Information Must Match
Logging Configuration Update Restarts CSLog
Error Code Definitions
Incomplete accountActions Table
Machine Authentication Support in a Multi-Forest Environment
Installation of the Remote Agent
Agentless Host for L2 and L3
Product Documentation
Obtaining Documentation, Obtaining Support, and Security Guidelines
Release Notes for Cisco Secure ACS 4.1.4
Revised: April 17, 2008, OL-14207-02
These release notes describe changes in Cisco Secure Access Control Server (ACS) release 4.1.4 for the Windows and Solution Engine platforms. Where necessary, the appropriate platform is clearly identified.
Contents
•Introduction
•New and Changed Information
•Installation Notes
•Known Caveats
•Resolved Caveats
•Documentation Updates
•Product Documentation
•Obtaining Documentation, Obtaining Support, and Security Guidelines
Introduction
ACS 4.1.4 is a maintenance release for ACS 4.1 that resolves customer and internally found defects. You can upgrade from ACS 4.1, ACS 4.1.2 or 4.1.3 to ACS 4.1.4.
This release includes the:
•ACS 4.1.4 software image
•Appliance upgrade CD for Solution Engines 1111, 1112, 1113
New and Changed Information
New and changed information in release 4.1.4 includes:
•Temporary Elevated User Privileges
•Object Identifier Check for EAP-TLS Authentication
•Layer 2 Audit for Network Access Control
•CSSupport Utility Added
•UTF-8 Support
•Add and Edit Devices Using the CSUtil Utility
•Support for Microsoft Windows
•Japanese Operating System Support
•Multiprocessor Support
•VMware ESX Server Support
Temporary Elevated User Privileges
In previous releases, ACS restricted administrator privilege. The ACS User Setup page now supports the granting of administrator privileges to another user for a defined number of days, hours, and minutes. The process automatically grants and revokes privileges according to the administrator's configuration. This option is available on the User Setup page in the web interface.
Object Identifier Check for EAP-TLS Authentication
The Authentication page in Network Access Profiles (NAPs) now includes an object identifier (OID) check. An administrator can enter the OID in the NAP policy configuration. ACS checks the OID against the Enhanced Key Usage (EKU) field in the user's certificate. ACS denies access if the OID and EKU do not match.
Note To use this feature you must enable a protocol that uses client-side certificates within Network Access Profiles. See the User Guide for Cisco Secure ACS 4.1 for information.
Layer 2 Audit for Network Access Control
ACS 4.1.4 adds support for the audit of agentless hosts connected to a Layer 2 (L2) Network Access Device (NAD). ACS first admits the device to a quarantined network, where the device can receive an IP address. The audit cannot begin until the device has received the IP address. When the audit begins, the audit is the same as an audit of a Layer 3 (L3) host. You can access this feature on the External Posture Validation Audit Setup page in the web interface.
The NAD must be preconfigured to learn the host's IP address. Then ACS responds to an initial access-request with a notification to the NAD to issue another access-request when the NAD has learned the IP address. If the NAD does not learn the host's IP address, ACS invokes a failure condition, and policy flow follows the audit fail-open policy. Using the audit fail-open policy, administrators can choose to reject the user, or assign a posture token and an optional user-group.
Audit policy can serve as a backup verification when MAC Authentication Bypass (MAB) fails. The audit policy tests whether MAB failed by applying policy conditions that test the ACS user group assigned to the current session. For example, you can test whether the user-group is equal to the user-group that MAB assigns to failed authentications, and, if so, only then continue the audit.
For configuration information, see Chapter 14, Network Access Profiles, in the User Guide for Cisco Secure Access Control Server.
CSSupport Utility Added
ACS for Windows now includes the CSSupport utility. To access the utility, choose System Configuration > Support in the web interface. The utility includes the same options that are currently available on the Solution Engine. Similarly, CSSupport on ACS for Windows can collect a user-configurable set of options and generate a package.cab file. The information in the file is collected from the machine that is running the web interface.
The options include collection of:
•User database
•Logs for a configurable number of days
•Diagnostic logs
Note If you choose diagnostic logs, the package.cab generation process restarts the ACS services. If you do not select diagnostic logs, ACS services do not restart.
UTF-8 Support
ACS now supports the use of UTF-8 (the 8-bit Universal Coded Character Set (UCS)/Unicode Transformation Format) for the username and password only when authenticating with Active Directory (AD). The UTF-8 format can preserve the full US-ASCII range, providing compatibility with the existing ASCII handling software. See RFC 3629 for more information.
Add and Edit Devices Using the CSUtil Utility
ACS now supports use of the CSUtil Import.txt file for adding and editing authentication, authorization, and accounting (AAA) devices. You can edit all attributes of the AAA devices, including the:
•IP address
•Shared secret
•Vendor
•Network device group
•Single connection
•Keepalive settings
Support for Microsoft Windows
ACS 4.1.4.13 supports the following versions of Microsoft Windows and Microsoft Windows Server:
•Microsoft Windows 2003 (Service Pack 2).
•Microsoft Windows Server:
–Microsoft Windows 2000 Server (English version only).
–Microsoft Windows 2000 Advanced Server (Service Pack 4) without features specific to Windows 2000 Advanced Server enabled or without Microsoft clustering service installed (English version only).
–Microsoft Windows Server 2003, Enterprise Edition or Standard Edition (Service Pack 1).
–Microsoft Windows Server 2003 R2 (Service Pack 2), which is new support in this release.
Japanese Operating System Support
ACS 4.1.4.13 supports the following versions of Japanese Windows 2003 Server:
•Japanese Windows 2003 Server, Service Pack 1.
•Japanese Windows 2003 Server, Service Pack 2, Enterprise Edition (or higher).
•Japanese Windows 2003 Server, Service Pack 2, R2, Enterprise Edition (or higher).
•Japanese Windows 2003 Server, Service Pack 2, Standard Edition (or higher).
•Japanese Windows 2003 Server, Service Pack 2, R2, Standard Edition (or higher).
Multiprocessor Support
ACS 4.1.4.13 adds multiprocessor support.
VMware ESX Server Support
ACS 4.1.4 has been tested on the VMware ESX server with the following configuration:
•VMWare ESX Server 3.0.0
•16 GB of RAM
•AMD Opteron Dual Core processor
•300 GB hard drive
•Four virtual machines
•Windows 2003 Standard Edition
•3 GB of RAM for the guest operating system
The following versions of VMware ESX are supported:
•ESX 3.0.x (tested)
•ESX 3.5.x (not tested)
•ESX 3.5i (not tested)
Installation Notes
This section contains:
•Installation Notes for ACS 4.1.4 for Windows
•Installation Notes for ACS 4.1.4 Solution Engine
Installation Notes for ACS 4.1.4 for Windows
This section contains information on system requirements and upgrades.
System Requirements for ACS 4.1.4 for Windows
The system requirements for ACS 4.1.4 are the same as the system requirements for ACS 4.1. For information on supported operating systems and web browsers, see the Installation Guide for Cisco Secure ACS for Windows 4.1.
Note ACS 4.1.4 adds support for Microsoft Windows Server 2003 R2 with SP 2.
Upgrade Paths to ACS 4.1.4 for Windows
Cisco supports the upgrade paths of versions:
•4.1 to 4.1.4
•4.1.2 to 4.1.4
•4.1.3 to 4.1.4
Note If you are running ACS 4.1.2, you should upgrade directly from 4.1.2 to 4.1.4. The upgrade from 4.1.2 to 4.1.3 is not supported.
For more information on ACS 4.1 upgrades, see the Installation Guide for Cisco Secure ACS for Windows 4.1.
Installing ACS 4.1.4 for Windows
You must have ACS 4.1 installed before you install ACS 4.1.4. ACS 4.1.4 is available through the Cisco Technical Assistance Center (TAC) only for upgrading existing ACS software deployments. The installation instructions for ACS 4.1.4 are the same as for ACS 4.1. For information about installing ACS, refer to the Installation Guide for Cisco Secure ACS 4.1 Windows.
Installation Notes for ACS 4.1.4 Solution Engine
This section contains installation information for the ACS 4.1.4 Solution Engine (SE).
Upgrade Paths to the ACS 4.1.4 Solution Engine
Cisco supports the upgrade paths of versions:
•4.1 to 4.1.4
•4.1.2 to 4.1.4
•4.1.3 to 4.1.4
Note If you are running ACS 4.1.2, you should upgrade directly from 4.1.2 to 4.1.4. The upgrade from 4.1.2 to 4.1.3 is not supported.
For more information on ACS 4.1 upgrades, see the Installation Guide for Cisco Secure ACS Solution Engine 4.1.
Installing the ACS Solution Engine 4.1.4
ACS 4.1 is pre-installed on the 1113 appliance. The ACS 4.1.4 Solution Engine upgrade package is available through the TAC only for upgrading existing ACS software deployments. The installation instructions for ACS 4.1.4 Solution Engine are the same as ACS 4.1. For information about installing ACS, refer to the Installation Guide for Cisco Secure ACS Solution Engine 4.1.
Known Caveats
Table 1 contains known caveats in ACS for Windows and Solution Engine 4.1.4. You can also use the Bug Toolkit to find open bugs.
Table 1 Known Caveats in ACS Windows and Solution Engine 4.1.4
Bug ID
|
Summary
|
Explanation
|
CSCeb16956
|
Domain stripping fails if the username attribute is sent twice in RADIUS.
|
Symptom If username attribute is present twice (with same
username) in a radius request going to ACS windows 3.1, then
domain stripping of username found in the attribute will not occur.
Workaround Fix the NAS to send the username attribute only once as the second one is redundant.
|
CSCef96208
|
ACS reports an incorrect privilege level.
|
Symptom ACS may report users with an incorrect authorized
privilege level. In particular, when using TACACS, users who are
correctly being authenticated with a privilege level of 15 are being
reported with a level of 1.
Workaround The error is cosmetic, and there is no workaround.
|
CSCsb70717
|
Change Dr. Watson's log directory for CSSupport.
|
Symptom drwtsn32.log not getting added to Package.cab.
Conditions When C:\WINNT is not present drwtsn32.log will not get added to package.cab.
Workaround Create C:\WINNT if not present in C: drive.
|
CSCsb74346
|
Authorization of disabled user succeeds.
|
Symptom Disabling a user account in the ACS Internal Database
does not influence TACACS authorization requests related to the
user. In other words, TACACS authorization requests succeed if
they match user's TACACS settings, although the user's account is
disabled. TACACS authentication requests fail for such users as
expected.
Workaround None.
|
CSCsb95897
|
ACS cannot correctly display a long list of disabled accounts.
|
Symptom The ACS web interface has problems in displaying
disabled accounts lists if the lists contain several pages. The Next
button is working, but the Previous button is available only once.
Workaround None.
|
CSCsc81075
|
A Shell Command Authorization Set added to the Group using ODBC is not sorted.
|
Symptom Shell Command Authorization Set (SCAS) for Group is
not sorted when added via ODBC
Conditions Add a pre-existing SCAS to a pre-existing group via ODBC interface.
Example: SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status 1,0,,GroupName,271,shell,NDGTest-1,"AllAccess",,,,,,0 2,0,,GroupName,271,shell,NDGTest-2,"AllAccess",,,,,,0 3,0,,GroupName,271,shell,NDGTest-3,"AllAccess",,,,,,0 4,0,,GroupName,271,shell,NDGTest-4,"AllAccess",,,,,,0 5,0,,GroupName,271,shell,NDGTest-5,"AllAccess",,,,,,0 6,0,,GroupName,271,shell,NDGTest-6,"AllAccess",,,,,,0 7,0,,GroupName,271,shell,NDGTest-7,"AllAccess",,,,,,0 8,0,,GroupName,271,shell,NDGTest-8,"AllAccess",,,,,,0 9,0,,GroupName,271,shell,NDGTest-9,"AllAccess",,,,,,0 10,0,,GroupName,271,shell,NDGTest-10,"AllAccess",,,,,,0 Output to Group in UI will appear as: NDGTest9 AllAccess NDGTest7 AllAccess NDGTest5 AllAccess NDGTest3 AllAccess NDGTest1 AllAccess NDGTest2 AllAccess NDGTest4 AllAccess NDGTest6 AllAccess NDGTest8 AllAccess NDGTest10 AllAccess This is a cosmetic sorting issue; the SCAS still work as expected.
Workaround Manually add SCAS via UI.
|
CSCsc93204
|
E-mail notifications are not sent when CSAuth restarts.
|
Symptom Email notifications are sent when the CSAuth process is
stopped or suspended during various events. However, there is no
notice sent when CSAuth is restarted or resumed, necessitating the
system administrator to manually check for CSAuth status.
Conditions Email notifications are configured. This was observed on ACS 3.3.3(11).
Workaround None.
|
CSCsd01768
|
Appliance CLI reports Appliance upgrade in progress after an upgrade has finished.
|
Symptom Appliance shows upgrade in progress, after it has
finished:
CSAdmin running CSAuth running CSDbSync running CSLog running CSMon running CSRadius running CSTacacs running CSAgent running Appliance upgrade in progress..
Conditions Upgrade using the CLI.
Workaround Go to appliance upgrade page, and click submit, this would clear the upgrade flag.
|
CSCse23653
|
The first three characters of LDAP groups are missing.
|
Symptom All LDAP groups in any list boxes are displayed without
the first three characters of the name. LDAP groups are ordered by
the fourth and following characters.
Conditions The problem occurs anywhere the LDAP group is displayed.
Workaround The following steps might fix the problem:
1) Verify the "GroupObjectType" contains the correct value as defined on the LDAP server.
2) Remove any leading and trailing spaces in the "GroupObjectType" configuration field.
|
CSCse26754
|
ACS/ACSE Administration can implement limited session validation.
|
Symptom The attacks described in the report take advantage of a
weakness in the default configuration of the Cisco ACS. Cisco is
investigating this issue and further detail will be added to the Cisco
Security Response as it becomes available.
Workaround For details, see Cisco.com.
|
CSCsf11087
|
Cisco:PA: attributes arevnot showing in the Passed Auth report for the Linux client.
|
Symptom Cisco:PA attributes are not showing up in the Passed
Authentication Report for a Linux client with CTA 2.1.0.10
installed. The attributes are showing up in the auth.log file and are
showing up for a Win XP client on the same network.
Workaround In System Configuration > Logging > Passed Authentication, select Cisco:PA attributes click on Submit, which performs authentication using the Linux client with CTA 2.1.0.10 4. Then check the passed authentication log on Reports and Activity page.
|
CSCsf13603
|
Cisco-PEAP authentication against an RSA API server fails with an error message.
|
Symptom Cisco-PEAP authentication against RSA API server
provide and using FUNK as supplicant
Conditions Working with RSA API as the external DB, and trying to Auth using funk, fails with an error message
Workaround None.
|
CSCsf13615
|
Authentication with RSA using expired password is not logged.
|
Symptom Working with RSA as the external DB, login with user
with old password - nothing is recorded.
Conditions The Supplicant is using CISCO - PEAP authentication.
Workaround None.
|
CSCsf25057
|
ACS does not support TACACS single-connection.
|
Symptom ACS does not support the TACACS single-connect flag.
Workaround None.
|
CSCsf27581
|
RAC, User Group Any problem.
|
Symptom When the you select the User Group "ANY" in the
authorization section of the NAP, and you tell it to use a particular
RAC, it does not work.
Workaround User must be prevented from configuring this rule in the UI.
|
CSCsg07008
|
Incorrect error code is sent when the certificate has expired.
|
Symptom When ACS is configured for CRL checking and the CRL
has expired but the certificate is fine, ACS will send back to the
supplicant a TLS error code with a value of 45 (certificate_expired).
Conditions ACS should be sending a certificate_unknown (46) error code.
Workaround None.
|
CSCsg24486
|
Two TACACS+ new services with similar names have issues with data.
|
Symptom In Interface Configuration > TACACS (Cisco IOS), create
two new services with similar names. Entering data in one service
and saving the change will copy the same data to both services.
Conditions The new service names contain spaces.
Workaround Do not use spaces in service names.
|
CSCsg37180
|
ACS LDAP query size limit is 50000.
|
Symptom You use LDAP as an external user database and attempt
to edit the ACS group to LDAP group mapping. For example, when
you click Add Group, the web interface will respond with "LDAP
disconnected".
Conditions Your LDAP group list query response is larger than 50000 results.
Workaround Keep the number of groups under control.
|
CSCsg61729
|
ACS fails to find an issuer's certificate for a CRL list uploaded from a CDP.
|
Symptom In multi-tier certificate structures, ACS will sometimes
take the CRL pointer from the root certificate, even if the CRL URL
is configured to point to a different system.
Conditions This has been observed on ACS 3.3.3(11) and 4.0.1(27). Other versions may be affected as well.
Workaround None.
|
CSCsg71976
|
Invalid LDAP/SSL authentications with referrals hangs ACS.
|
Symptom Using ACS with LDAP/SSL configured as an external
user database, after one failed login attempt due to an invalid
username or password, ACS will then fail all subsequent login
attempts, valid or not. A reboot is required to get authentications
working again, but then the next invalid username or password will
again fail all further authentication attempts.
Conditions LDAP is the external user database, with the Use Secure Authentication checkbox checked to enable LDAP/SSL. The LDAP server must respond with referrals to other servers.
Workaround Unencrypted LDAP works. If LDAP/SSL must be used, configure the LDAP database to not reply with referrals. A reboot will get the authentications working again, until the next invalid username or password is issued.
|
CSCsh78523
|
Logged-In User entry disappears before the user has logged off.
|
Symptom Logged-In users disappear from Logged-In Users report.
Conditions The symptom occurs when authenticating users using "dot1x reauthentication".
Workaround None.
|
CSCsh89581
|
ACS Admin can become unresponsive under heavy load.
|
Symptom The ACS Administration web interface becomes
unresponsive after a period of time, requiring the service to be
restarted in order to allow administration of the ACS. This does not
affect user authentication to the ACS itself, which appears to
continue.
Conditions Seen in an environment in which LMS 2.6 is authenticating to an ACS appliance on 4.0.1.44 code. A patch was applied to the LMS server to insure sessions created by auto-refresh are also logged out, but issues with the CSAdmin service stopping continue. When the issue occurs, the CSAdmin logs appear not to be sending any further information until restart of the services. There is a high probability that the issue is related to load. In the environment in which the issue was seen, over 6000 administrative connections were made to CSAdmin (and logged out again) within 5 minutes by the LMS servers.
Workaround Restarting the ACS (for an ACS Solution Engine) or restarting the CSAdmin process (for ACS installed on Windows) allows access back into the ACS web interface for administration.
|
CSCsi05349
|
Columns of the failed attempts log are shifted and incorrect.
|
Symptom Columns of failed attempts log are shifted/incorrect The
authentication failure code show up under "Network Access Profile
Name" in the failed attempts log.
Workaround None.
|
CSCsi50359
|
Enable authentications from CatOS are rejected with an Internal Error message.
|
Symptom Users on CatOS switches are denied enable
authentication, even though they're entering the correct password.
Login authentications work correctly.
Conditions This has been observed on ACS 4.1.1(23). Other versions may be affected as well. The problem occurs when the users have "TACACS Enable Control" set to "Use Group Level Setting".
Workaround Configure the user to have a max privilege level setting under "Max Privilege for any AAA Client".
|
CSCsi55085
|
ACS services do not start after replicate and reboot on a machine with dual CPUs.
|
Symptom ACS services are not started when rebooting Secondary
ACS machine within 30 minutes after the database replication.
Conditions After the database replication between the primary ACS and the secondary ACS machines with dual processors, this issue is only seen when rebooting the secondary ACS machine within 30 minutes.
Workaround Do not reboot the secondary ACS within 30 minutes after the database replication.
|
CSCsi62622
|
The ystem replication partners table is empty.
|
Symptom ACS replication Master GUI is not visually populating
the partner replication table with the slave hostname/IP address.
Conditions Upon adding the host from the 'AAA server' left column to the 'replication' right column, then hitting submit, and subsequently returning to replication screen, the master ACS GUI does not visually save/keep-populated replication partner table -The replication data is successfully replicated to Slave, and cascaded to any subsequent slaves -Initial prognosis show this to be a cosmetic issue. DE does not see the issue rectified in v4.1.1b23 patch 4.
Workaround 1. Add hostname, that is, Flprdasaaa01, to replication partner table (right pane), hit 'submit' or 'replicate now'. 2. Upon return to replication table page, the right pane window might be empty. Add a second hostname, that is, Flprdasaaa02, hit submit 3. Upon next return to replication table page, hostname Flprdasaaa02, might/should be visible via GUI, 4. At this point, one should be able Add/Remove hostnames to the replication table pane accordingly.
|
CSCsi63656
|
Unknown Radius Token Server message after replication.
|
Symptom After replication users show up with a Database of
'Unknown Radius Token Server'.
Conditions Occurs when multiple Radius Token Servers were created on the primary but only one was created on the secondary.
Workaround There are two known workarounds for this problem. 1. Delete all Radius token servers from both ACS's. The re-create the Radius token server on each ACS. Note: This will require you to re associate all users with this token server. 2. Produce a package.cab from the primary ACS. Extract the files and edit the ACS.reg. In that file find the following section: [CiscoACS\Authenticators\Libraries\30] Under that you will have another section that has the same information but includes another two numbers after the 30. That will be the number of the slot that server is in. It starts with slot 00 being the first server in the list. If that number is 02 then it is in slot 3. So on the secondary ACS delete all radius token servers, then create two dummy radius token servers then the actual token server. After you create all of them you can delete the first two. Now your secondary server will have the radius token server in slot 02 also and your users will show up correctly.
|
CSCsi82393
|
CiscoAAA Event ID 5 error in the Windows Event Viewer Application log.
|
Symptom Event ID (5) in source (CiscoAAA) error generated in
Microsoft Windows Application Event log on the primary ACS
every time when ACS is replicating its database.
Conditions Primary/secondary ACSs for Windows configured for database replication.
Workaround None.
|
CSCsi90613
|
Error messages in the event log regarding the perfmon and ACS.
|
Symptom ACS 4.1.1.23 installed on Windows 2003 leaves
consistent error messages in the Event Log of the host OS.
Conditions The following error messages are seen in event logs:
App: E 'Thu May 03 06:58:25 2007': LoadPerf - " Installing the performance counter strings for service WmiApRpl (WmiApRpl) failed. The Error code is the first DWORD in Data section. " App: E 'Thu May 03 06:58:25 2007': LoadPerf - " Unable to update the performance counter strings of the 009 language ID. The Win32 status returned by the call is the first DWORD in Data section. " App: E 'Thu May 03 06:58:22 2007': LoadPerf - " Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The Error code is the first DWORD in Data section. " App: E 'Thu May 03 06:58:22 2007': LoadPerf - " Unable to update the performance counter strings of the 009 language ID. The Win32 status returned by the call is the first DWORD in Data section. "
Workaround This does not hamper the functionality of ACS, so no work around needed.
|
CSCsj03348
|
Pattern matching in shell command authorization sets.
|
Symptom Command authorization for commands without
arguments fails.
Conditions The permit statement is specified as "permit ^$" This has been observed on ACS 4.1.1, other versions may be affected as well.
Workaround Specify the permit statement as "permit <cr>".
|
CSCsj12604
|
When trying to bulk import, the ODBC operation fails.
|
Symptom We receive the following error messages failed to
add/update NAS [4].
Conditions When trying to bulk import ODBC using csutil, Operation failed.
Workaround Bring up the ODBC connection for the Sybase Adaptive Server Anywhere.
|
CSCsj14508
|
Some special characters in the FTP password are are not accepted.
|
Symptom Backups attempts fail with the FTP server reporting an
incorrect password.
Conditions This has been observed when the password contains @ characters on ACS 4.1.3. Other versions may be affected us well.
Workaround Use a password without @ characters.
|
CSCsj27387
|
Aire-WLAN-ID attribute should be changed back to IN OUT.
|
Symptom Aire-WLAN-ID variable not available for return.
Workaround Use NAR to limit access to WLAN by profile names / groups.
|
CSCsj60407
|
The ACS Backup filename is changed to uppercase letters.
|
Symptom The FTP filename created for backups should also
contain the hostname of the appliance. The part of the hostname
with the filename randomly changed to uppercase or lowercase
letters.
Conditions ACS for Windows and ACS Solution Engine on 4.1(1) Build 23.
Workaround None.
|
CSCsk06231
|
Renaming a NDG with the same name while changing case can cause devices to disappear.
|
Symptom If you rename a Network Device Group (NDG) to the
same name but different case, for example ABCDE to abcde then
the group and all of the devices within appear 'lost' in Network
Configuration page. If you do a device search they show up in the
search with the old upper-case NDG name. However, when you
click to view the device the NDG appears to be the previous NDG
in the list shown under Network Configuration.
Conditions Rename a Network Device Group (NDG) to the same name but use a different case, for example ABCDE to abcde.
Workaround None.
|
CSCsk25159
|
On ACS Upgrade, ACS returns a Dictionary Corruption CiscoACS\Dictionaries\005 error.
|
Symptom Service do not start after upgrade to 4.1.1.23 or 4.1.1.24
from 4.0.1.27. Error in the RDS.log shows: RDS 28/08/2007
09:29:33 P 0202 0700 Dictionary Config Error: Ignoring
unrecognised value 'Type' in key CiscoACS\Dictionaries\005 RDS
28/08/2007 09:29:33 P 0202 0700 Dictionary Memory Error:
dict_DictionaryInitCallback cannot parse dictionary configuration
Conditions Running ACS 4.0.1.27 and upgrading to 4.1.1.23 or 4.1.1.24. This happens in rare cases.
Workaround Call TAC and snd in your database backup, the dictionary can be repaired.
|
CSCsk27193
|
Cannot use <cr> while entering multiple MAC addresses.
|
Symptom Pressing "return" after each MAC address yields error
messages when clicking on the "Submit" button while defining
authentication configuration for Network Access Profiles Access
Policies.
Conditions This has been observed on ACS 4.1.1(23) using Internet Explorer 6.0 and JRE 1.5.
Workaround Separate MAC addresses with a comma (,), do not press "return" after the last MAC address has been entered.
|
CSCsk77632
|
cert7.db causes issues with TACACS+ services using LDAP.
|
Symptom The server has a problem with Tacacs authentications to
the back-end LDAP database. This will cause the Tacacs services to
shut down and authentications to stop.
Conditions Doing secure LDAP using cert7.db.
Workaround Change to SSL LDAP using CA cert instead of cert7.d.b
|
CSCsk89270
|
Extra certificates copied into ACS backup file.
|
Symptom Restoring a dump in a different machine than where it was
backed up and backing up it once again after modifying it may cause
the increase in size of the dump file.
Workaround None.
|
CSCsk93795
|
ACS 4.1 is sending invalid MS-CHAP-MPPE-Keys to PPTP client.
|
Symptom PPTP client connecting to a IOS router with Radius
authentication fails if "Required encryption" is selected. Radius
attributes are configured at the user level.
Conditions ACS returns "Invalid MPPE key length (11)" this should be (34) bytes. Those 11 bytes are: 0c (vendor-type 12) 0b (vendor-length = 11) and 41 75 74 6f 6d 61 74 69 63 (the word "Automatic"). Vendor-length must be 34 which is what IOS is looking for. So the ACS sending the wrong key length.
Workaround Use local authentication or "Optional encryption".
|
CSCsk94878
|
Windows password change does not work when the PDC Emulator is down.
|
Symptom Windows user fails to change Windows password when
PDC Emulator is down.
Conditions This symptom occurs even if the other Domain Controller is up for the same domain, and all of DCs are running as Native mode (W2K3 mode or W2K mode). User authentication can be successful with other DC even if PDC Emulator is down.
Workaround Not attempting the Windows password change when PDC Emulator is down.
|
CSCsl12657
|
Disabling password aging still retains Your password will expire in message.
|
Symptom If an administrator first enables password aging, then
disables it, the following text may be seen when users authenticate
against ACS: "Your password will expire in" (with no value).
Conditions Issue has been observed in the following ACS builds 4.0.1.27, 4.1.1.23, 4.1.3.12. It is possible it affects other versions as well.
Workaround Create a new group that doesn't have password aging configured and migrate users from the problematic group to the newly configured group.
|
CSCsl50122
|
ACS SE needs configurable RA timeout value.
|
Symptom This is a request to have a configurable timer added to the
ACS Appliance for how long it waits before timing out the Remote
Agent during group mapping. By default there is a 60 second timer
that the appliance will wait for the RA to return the group
information for mapping. If there are a large number of groups in
the AD environment (around 12,000) this timer is not high enough.
Conditions ACS SE running 4.1.1.23 or higher.
Workaround If group mapping times out, manual mappings can be used.
|
CSCsl62845
|
ACS Remote Agent logging date format is not identical to the date specified on the Appliance.
|
Symptom ACS Remote agent for windows logs with timestamps in
the format mm/dd/yyyy instead of dd/mm/yyyy unlike what is
configured on the Solution Engine ACS.
The remote agent should get the configuration from the configuration provider (ACS SE) and this is not happening. The date format is always mm/dd/yyyy instead of dd/mm/yyyy as specified on the Solution Engine.
Workaround None.
|
CSCsl70457
|
Some ACS SE 1113 Appliances ship with BIOS password.
|
Symptom Some ACS 1113 appliances that are shipping from RMA
depots are coming with a bootup password of 'acs1113' Appliance
comes with BIOS Password.
Workaround Enter the BIOS password of 'acs1113' on bootup.
|
CSCsl88008
|
The ACS web interface does not prevent the dynamic allocation of port 2002.
|
Symptom ACS doesn't prevent the dynamic allocation of port 2002
when a users logs in or LMS is used.
Workaround Login to ACS change the Administration Control, Access Policy, HTTP Port Allocation to: Restrict Administration Sessions to the following port range From Port 2003 to Port 65535.
|
CSCsl98198
|
Password replication fails with users imported from ACS Unix.
|
Symptom Password replication may intermittently fail from Master
to Slave. This deviation is seen in cases where users were imported
from ACS Unix using the import tool and RDBMS to migrate from
ACS UNIX. When this import is done it sets the user password
authentication type to "Imported Unix". There is a problem with the
way the password replication works for Unix Type passwords. The
password type can be seen in the GUI by looking at the User Screen
and then User Setup > Password Authentication. Users set to ACS
Internal Database, Windows Database or Generic LDAP should not
see this issue.
Conditions This issue was seen in ACS Appliance version: Release 4.1(1) Build 23 Patch 5.
Workaround Restart the replication partners. Further Problem Description: Customer has ACS configured to require password change every 30 days (approx). The customer engineer changes the passwords manually on the Master and then replicates the change to the other 4 ACS devices. Found that one user would only work in one Server. We think the replication worked, but it's almost like the change did not "take". The customer engineer has never seen evidence that the replication fails. He always does manual replications and the behavior or the result of that process never changes. No error messages are seen.
|
.
Resolved Caveats
Table 2 contains the resolved caveats for ACS 4.1.4. Check the Bug Toolkit on Cisco.com for any resolved caveats that might not appear here.
Table 2 Resolved Caveats in ACS Windows and Solution Engine 4.1.4
Bug ID
|
Description
|
CSCeb43302
|
WaitForMultipleObjects returned [-1] feeds up HDD, then system down.
|
CSCef85310
|
Group DACL is downloaded if Users dACL content is empty.
|
CSCeg52536
|
Failed PEAP authentication not shown up in ACS logs.
|
CSCeh00074
|
GUI/ LDAP group mapping submission failure.
|
CSCeh13105
|
WinDB maps all other combinations instead of selected groups.
|
CSCeh86479
|
CSUtil import -85 errors to be changed to info msg-not error.
|
CSCei01730
|
EAP-TLS authentication to the trusted DC doesnt succeeded.
|
CSCsb24849
|
ACS does not purge the AAA Client user information after Accounting On.
|
CSCsc71828
|
No space error and can't add inverted commas to the string fields ofSNMP.
|
CSCsd52663
|
Cross forest user/machine authentication does not work.
|
CSCsf07915
|
Memory leak while running CiscoPEAP with Active Directory.
|
CSCsf22420
|
ACS 3.3(3) CSR sent to TrustWise returns an error 0x3110.
|
CSCsf25881
|
Don't clear the certificate trust list when a new certificate is install.
|
CSCsg00942
|
UCP does not support special chars.
|
CSCsg12989
|
cannot enable CRL checking unless certificate is checked in CTL.
|
CSCsg14022
|
PPTP clients auth. using MSCHAP v2 stops passing traffic sporadically.
|
CSCsg14329
|
ACS 4.0 and semi-colon separator in cisco-av-pair RADIUS attributes.
|
CSCsg32655
|
MAB Request hangs when username attribute contains valid user in ACS DB.
|
CSCsg42483
|
No Access-Rejected is being sent by ACS when Cisco Peap TLS fails.
|
CSCsg50297
|
Session timeout with eap-fast.
|
CSCsg81886
|
CSACS is subject to multiple XSS vulnerabilities.
|
CSCsg83134
|
CSLog timeouts and performance degradation during RADIUS Accounting reqs.
|
CSCsg84315
|
CSACS admin users can get access to unprivileged web pages.
|
CSCsg88641
|
ACS SW/SE: Delete AAA server and Replication denied when rep to prev set.
|
CSCsg89042
|
Appliance upgrade via Gui requires additional step to release CLI.
|
CSCsh29345
|
ACS 4.0 - Unable to delete server under Network Configuration.
|
CSCsh42915
|
RDBMS synchronization using SQL MS intermittently fails.
|
CSCsh58091
|
Voice-over-Ip-Group sends password prompt when it should not.
|
CSCsh58656
|
ACS 4.0 - IETF atrribute 006 Administrative doesn't work for Group level.
|
CSCsh62641
|
MAC authentication causes internal errors.
|
CSCsh68129
|
No documentation for CSUpdate utility which is available in ACS 4.1.
|
CSCsh74704
|
Keep only the last ... files option for backup does not work.
|
CSCsh77806
|
EAP-TLS will fail authentication if name contains forwardslash /.
|
CSCsh79488
|
ACS logging configuration is not replicated.
|
CSCsh88934
|
Unknown NAS errors not reported in failed attempts in ACS 4.1.
|
CSCsh91209
|
ACS 4.X will fail to upgrade if DASL is greater than 32K.
|
CSCsh95071
|
Database replication does not propagate certain log settings.
|
CSCsh97121
|
NDG shared secret display issue.
|
CSCsi05807
|
Some services are stopped but not restarted when restart button pushed.
|
CSCsi06922
|
Replication log message says CSRadius and CSTacacs failed to start.
|
CSCsi08214
|
Wrong message when trying to upgrade not from ACS 4.1.1.
|
CSCsi13785
|
ACS won't replicate users previously set for dynamic mapping.
|
CSCsi16980
|
Tunnel-Server-Endpoint attribute field is truncated during logging.
|
CSCsi17499
|
Remote password change setting isn't replicated.
|
CSCsi20185
|
Incorrect message in CSAuth.log when binary comparison failed.
|
CSCsi20298
|
Free disk space in appliance incorrectly reported.
|
CSCsi24169
|
AAA Client IP Address field has no length checking.
|
CSCsi29212
|
For limitedAdministrator-List all users didnt work in case of more users.
|
CSCsi30860
|
CSAuth shows garbage characters while sending change password request.
|
CSCsi30990
|
Info messages are shown are errors for PEAP-TLS authentications.
|
CSCsi35892
|
Layer 2 Audit Feature for NAC.
|
CSCsi42315
|
CSRadius failed to release memory after stress stopped.
|
CSCsi43436
|
CSAuth takes max 5 seconds to auth when CSLog is slow or going down.
|
CSCsi46668
|
User auth succeeds if <No Access> is defined for failed Machine Auth.
|
CSCsi56204
|
ACS Fails on wired connection with a Fast Re-Connect error.
|
CSCsi56892
|
'Logged Remotely' Radius Attribute not available for Remote Agent Log.
|
CSCsi57134
|
QoS values incorrect for WLC.
|
CSCsi57155
|
Need to add cisco-av-pair 009\001 to WLC.
|
CSCsi57310
|
Disk Space reported incorrectly in appliance cli.
|
CSCsi59931
|
ACS error when mapping groups to Microsoft database.
|
CSCsi59997
|
Syslog/ODBC configuration missing for NetworkAccessProfle name.
|
CSCsi60213
|
Last character of RADIUS IETF attr 81 is truncated.
|
CSCsi62373
|
update ASA attribute IETF code 3076.
|
CSCsi65427
|
ACS SE: Hostname greater then 15 characters locks out GUI and CLI.
|
CSCsi68322
|
ACS Release 3.3(4) Build 12 cannot sort distribution entries in the prox.
|
CSCsi73324
|
add support for Tmp. elevated user_privilege.
|
CSCsi73330
|
CSUtil - for updating device.
|
CSCsi73334
|
OID check at the NAP level in the User Certificate for user authen.
|
CSCsi73372
|
support for PEAP-GTC machine auth with utf8 username & password.
|
CSCsi73392
|
CSSupport for SW GUI.
|
CSCsi73447
|
Support for Microsoft Windows Server 2003 R2 with SP2.
|
CSCsi78265
|
CSRadius mem leak when some MS RADIUS Attributes are selected in group.
|
CSCsi80174
|
When challenge is not provided-it should be logged to failed attemps.
|
CSCsi82620
|
Acs GUI displays Incorrect copyright.
|
CSCsi86114
|
Cslog restarts intermittently during stress test with remote logging.
|
CSCsi86304
|
ACS does not allow for a 64-character shared secret with AP.
|
CSCsi97449
|
RDBMS Sync needs to support VSA Type Length above 2 bytes.
|
CSCsi97551
|
Machine authentications fail with errors: 1213,20498 with AD API.
|
CSCsi97644
|
Support for utf-8 uname & password in EAP-FAST (GTC&MS-CHAPV2) with AD.
|
CSCsi99644
|
Custom role is not deleted when CiscoView is re-registered with ACS.
|
CSCsi99902
|
Administrators don't have privileges for Support page.
|
CSCsj03185
|
CSUtil is not importing UDV/VSA if the ID LENGTH=4.
|
CSCsj03359
|
Feature: machine authentcation GTC inner method.
|
CSCsj06122
|
ACS only log first instance of VSA under RADIUS attribute 26.
|
CSCsj07019
|
3Com/USR attr missing in the ODBC RADIUS acc config logged attr.
|
CSCsj07046
|
EAP-TLS authentications fail when user name is in DOMAIN\user format.
|
CSCsj12121
|
Expression matching for command authorization does not fully work in ACS.
|
CSCsj12509
|
NTlib should use IDirectorySearch handle in thread-safe manner.
|
CSCsj12651
|
Info message shown as error while doing eap-tls with OID enabled.
|
CSCsj12715
|
Time bound alternate Group does not take alternate group settings.
|
CSCsj12729
|
certOID in AUTHEN_EAP_STATE should be changed to array of pointers.
|
CSCsj12730
|
ACS checks for alternate group settings even though its disabled.
|
CSCsj12767
|
Time bound alternate Group does not store time(hours) correctly.
|
CSCsj12791
|
ACS accepts wrong formated OID.
|
CSCsj14075
|
GTC authentication failed with chinese password.
|
CSCsj14407
|
Admin Privilege is not given to selected user even during vocation time.
|
CSCsj15002
|
Reset current failed attempts count on submit is not working.
|
CSCsj16264
|
No proper validation check for EAP-TLS - OID.
|
CSCsj16936
|
RDBMS Synchronization accepts the UDV VSA ID greater than 4 byte.
|
CSCsj17742
|
elevated user privilege check moved to more appropriate place.
|
CSCsj25306
|
Evenafter disabling timebound alternate group-user has admin privilege.
|
CSCsj25552
|
Build 5 does not check user credentials for user authentications.
|
CSCsj26695
|
utf-8: machine authentication option to lsa is not passed properly.
|
CSCsj27202
|
ACS crashes when irrelevant url is given for Ext Post validation server.
|
CSCsj27212
|
Seconds to wait for L 2 audit shows -1 seconds as default.
|
CSCsj27331
|
Delete files older than x days options for Back Up does not work proper.
|
CSCsj32256
|
Permit/Denied for others TACACS+ default NAS is inverse in NARs.
|
CSCsj54389
|
Group mapping fails for domain local users.
|
CSCsj63992
|
CRL Issuer table is not displayed properly.
|
CSCsj70507
|
Few Services Logs Do Not Display ACS Version and Build Number.
|
CSCsj71737
|
ACS Appliance memory leak in CSMon.
|
CSCsj84279
|
ACS 4.1.3 Accounting Proxy doesn't work properly.
|
CSCsj85656
|
Regarding with CSCsh42915 RDBMS issue.
|
CSCsj87733
|
CRL page hangs when trying to auto enable link for ACSserver cert issuer.
|
CSCsj87749
|
Minor GUI Misalignment for the Temporary Elevated User Privilege Feature.
|
CSCsk02186
|
OIDS not replicated when OIDS are defined in NAP on ACS.
|
CSCsk12033
|
Replication might take long time to finish due to EventNotifier deadlock.
|
CSCsk20823
|
CSTacacs memory leak.
|
CSCsk50267
|
CSAuth crashes when EAP-FAST user and initiater IDs are different.
|
CSCsk53606
|
CSDbsync and CSlog shows unwanted log messages on Event Notifier.
|
CSCsk64715
|
Group mapping (NAP) replication fails with a timed replication.
|
CSCsk71372
|
Make 4.1.4 replication updates configurable.
|
CSCsk76343
|
'others' NAS is processed inversely by NAR when in an NDG.
|
CSCsk77023
|
MAB fails when MAC is in AD.
|
CSCsk88667
|
Provide option for both implicit AND and implicit OR for OID comparison.
|
CSCsl05805
|
Windows DB Group Mapping API need to be Configurable.
|
CSCsl09917
|
CSAuth restarts when machine auth user name is without domain info.
|
CSCsl13137
|
Upgradation of patch version failed in appliance.
|
CSCsl26045
|
Support for the New Venezuela Standard Time.
|
Documentation Updates
This section provides documentation updates, including:
•Changes
•Cisco Secure Authentication Agent
•Omissions
Changes
This section provides changes to the ACS user documentation.
Domain Privileges for Windows 2003 Authentication
ACS requires Domain Administrator privileges for the service account when authenticating against Windows 2003. Explanations now appear in the:
•Installation Guide for Cisco Secure ACS for Windows 4.0
•Installation Guide for Cisco Secure ACS for Windows 4.1
Supported ODBC Data Sources
In the User Guide for Cisco Secure ACS 4.1, Appendix F, "RDBMS Synchronization Import Definitions", in the section "Supported Versions for ODBC Data Sources (ACS for Windows)", the opening statement needs to be revised.
ACS supports any database that has been tested with ACS, and any database that is compliant with ODBC. The current information appears to restrict support to only certain versions of ODBC and MS-SQL.
Java Runtime Environment (JRE) Version
In Table 1-2, ACS for Windows Web Client Requirements, in the Installation Guide for Cisco Secure ACS for Windows 4.1, the minimum requirement for the JRE needs to change to the current minimum requirement, which is Sun JRE 1.5.x.
Update for LD_LIBRARY_PATH Environment Variable
In the section "Environment Variable Settings", in Installing Cisco Secure ACS Remote Agent for Solaris, the information on libstdc++.so is obsolete since Release 4.1.3. You no longer need to place libstdc++.so in the LD_LIBRARY_PATH environment variable.
CSUtil Example Returns Error Message
The csutil.exe -d -n -l example on page 8 in the User Guide for Cisco Secure ACS 4.1, Appendix D, "CSUtil Database Utility" returns an error message.
Modification to RADIUS Access Request/Reject Online Help
The information in the ACS online help at External User Database > Database Configuration > External ODBC Database > Configure, choose RADIUS behavior in the event of database failure. The second option should be "Discard the access request".
Remote Agent for Windows 4.1.4 Does Not Require Reboot
The Installation Guide for Cisco Secure ACS Solution Engine 4.1, steps 10 and 11 state that the you must reboot in order to complete the installation. However, the services restart automatically and you do not need to reboot the remote agent.
Terminal Services and Remote Desktop Not Supported on the Remote Agent
The Installation and Configuration Guide for Cisco Secure ACS Remote Agents 4.1 should include this information. Remote installations performed by using Windows Terminal Services or Remote Desktop (RDP) are not tested and are not supported. Do not install or upgrade over a remote connection using Terminal Services or RDP. We recommend that you disable Terminal Services and RDP while performing any installation or upgrade. Virtual Network Computing (VNC) has been successfully tested.
Bidirectional Logging
The User Guide for Cisco Secure ACS 4.1 should state that bi-directional remote logging should not be configured with ACS. For example, do not configure ACS_SERVER_1 to refer to ACS_SERVER_2 as remote logger and ACS_SERVER_2 to refer to ACS_SERVER_1 as remote logger.
Cisco Secure Authentication Agent
This section provides information about installing the CiscoSecure Authentication Agent, hereafter referred to as CAA.
Installing the Cisco Secure Authentication Agent
This section provides information about installing the CiscoSecure Authentication Agent Configurator Software in Microsoft Windows 95 or Windows NT 4.0, hereafter referred to as CAA.
Note This information is intended for the system administrator.
Extracting the CAA Configurator File
To launch the CAA Configuration self-extracting file:
Step 1 Download of the caaadmin.exe file (the self-extracting zip file).
Step 2 Locate the downloaded caaadmin.exe file and double-click it.
The WinZip self-extractor program launches automatically.
Step 3 Unzip the caa zip folder.
Once the unzip process is complete, the prompt displays:
Files have unzipped successfully.
Click Close, to exit the WinZip program.
Step 4 When the extraction process is complete; new installation files are created in the specified directory.
Note Be sure to read the readme.txt file for the most recent information on this product.
Installing the CAA Configurator
The administrator must install the CAA Configurator software for Windows 95 or Windows NT and, optionally install the CAA.
To install the CAA Configurator software:
Step 1 Locate the setup.exe file in the CAA directory.
To run the setup.exe file, double-click it.
Step 2 You are prompted to choose the destination location for the installation.
Note The default destination directory is C:\Program Files\CiscoSecureAACfg.
Step 3 To change the installation location, click the Browse button to choose the directory where the setup program installs the CAA Configurator and click Yes.
The CAA Configurator files are copied and you are prompted to launch the Configurator. If you are only using the Messaging Service feature (for example, to use the Password Aging feature), you do not have to run the CAA Configurator.
Click No, to use the default configuration file (default.caa).
Step 4 To create a new configuration file, click Yes. If you click No, the default.caa configuration file is automatically loaded.
If you have additional configuration files, you can choose one file to modify, or you can click Cancel to create a new configuration.
Step 5 If you choose the Simplified ISDN Token Authentication option, you must choose the Single or Double Authentication method.
Note The Messaging Service is a standalone feature at this time and is ignored if you use the Single or Double Authentication mode.
Step 6 Click Exit.
You are prompted to save the changes to the default.caa file.
Note We recommend you enter another name (for example, lsmith.caa, for the end user's username) for the .caa file.
Step 7 If you do not have a previous version of CAA installed on your PC, you are prompted to install it.
Click Yes, to continue with the installation; click No to exit
Step 8 If you click No, you can do a manual installation later. (See the next section for the manual installation
steps.)
Step 9 To provide users with disks containing the CAA software, copy the contents of Disk1 and Disk2 onto separate disks. Copy each user's configuration file (for example, lsmith.caa), onto Disk1. You can also create a new zip file to include Disk1, Disk2, and the specific user's .caa file, and, then e-mail the files to individual users.
Installing the CAA Software
To manually install the CAA software:
Step 1 Locate the directory Disk1 and run the setup.exe file.
Note The default location is C:\ProgramFiles\CiscoSecureAACfg\Program\Disk1.
You are prompted to choose the destination directory for the installation.
Note The default destination directory is C:\ProgramFiles\CiscoSecureAA.
Step 2 To change the installation location, click the Browse button to choose the directory where the setup program installs CAA.
Step 3 After you choose the directory, click Next to continue. You are prompted to choose the configuration file to use.
Note The default configuration file is default.caa. If more than one configuration file exists, no file name appears.
Step 4 To choose a configuration file, click the Browse button. You can choose to load the configuration file at startup. The CAA starts automatically when Windows 95 or Windows NT is boots. You are prompted to restart your computer.
Step 5 Click Yes, to restart your computer now. Click No, to restart your computer later.
Step 6 Click Finish.
The Installation process is completed.
Omissions
This section provides information that was omitted from the ACS user documentation.
Password Aging
In the User Guide for Cisco Secure ACS 3.1, in the section "Enabling Password Aging for the CiscoSecure User Database", the sequence of steps for changing a password for now includes further supplemental information.
To change your password for IOS:
Step 1 Open a Telnet window to the router that is running IOS.
Step 2 Enter your user name.
Step 3 When prompted, enter the old password and then enter the new password.
DBSync Process Keeps Restarting
ACS Troubleshooting needs to include a workaround for this problem.
Condition
When the CSAdmin service is started with a different Windows user than the CSDBSync service, the CSDBSync service keeps restarting and floods the log with the message "CSDbSync 08/31/2006 16:58:34 E 0000 5408 WaitForMultipleObjects returned [-1], error [6]".
Action
Run the CSAdmin and CSDBSync services as the same user.
For ACS Replication, Server Information Must Match
In the User Guide for Cisco Secure ACS 4.1, in the section "Replication Options", the information needs to include a note about matching server configurations. You must set the sending and receiving servers to replicate the Network Access Profile (NAP) information.
Because the network configuration and NAP configuration can overlap, both servers should be set to replicate only NAP information. For example, if the receiving server is set to receive both network configuration and NAP information, but the sending server is set to send only NAP information, then ACS replication will fail.
Logging Configuration Update Restarts CSLog
The "Logging and Reports" chapter in the User Guide for Cisco Secure ACS 4.1 needs additional information about logging configuration updates. When ACS updates the logging configuration, the CSLog process restarts.
Error Code Definitions
The Online Troubleshooting Guide needs to provide error code definitions. These definitions can be found on Microsoft.com.
Incomplete accountActions Table
In the User Guide for Cisco Secure ACS 4.1, Appendix F, the note preceding Table F-10 does not mention the Status (S) field. Although omitted in Table F-10, the accountActions table normally contains the Status field, which shows one of these values:
•0—Not Processed
•1—Done
•2—Failed
The Status value is normally zero (0).
Machine Authentication Support in a Multi-Forest Environment
ACS supports machine authentication in a multi-forest environment. Machine authentications succeed as long as an appropriate trust relationship exists between the primary ACS forest and the requested domain's forest. When a requested user's or machine's domain is part of trusted forest, machine authentication will succeed.
Installation of the Remote Agent
Remote installations performed by using Windows Terminal Services or Remote Desktop (RDP) are not tested and are not supported. Do not install or upgrade over a remote connection using Terminal Services or RDP. We recommend that you disable Terminal Services and RDP while performing any installation or upgrade. We have successfully tested Virtual Network Computing (VNC).
Agentless Host for L2 and L3
Note The Help link for in the online help for Agentless Host for L2 and L3 does not resolve.
This template is used for access requests from agentless hosts connected to an L2 Network Access Device (NAD). ACS first admits the device to a quarantine network where it can receive an IP address. Audit begins when the device has received an IP address. At this point, the audit is the same as an audit for an L3 host. The NAD must be configured to learn the host's IP address ahead of time. ACS responds to an initial Access-Request with a notification to the device to issue another request when it learns the IP address. If the NAD does not learn the host's IP address, ACS invokes a failure condition and policy flow falls over to Audit Fail-Open policy. The administrator can then choose to reject the user, or assign a posture token and an optional user group.
Table 3 describes the Profile Sample in the Agentless Host for L2 and L3 Sample Profile Template.
Table 3 Agentless Host for L2 and L3 Sample Profile Template
Section
|
Property
|
Value
|
NAP
|
Name
|
User configurable
|
Description
|
User configurable
|
Profile
|
NAF
|
N/A
|
Protocol
|
N/A
|
Advance filter
|
([006]Service-Type = 10) AND (not exist [26/9/1]cisco-av-pair aaa:service) AND (audit-session-id=^)
|
Credential Validation Database
|
N/A
|
Posture Validation
|
N/A
|
Authorization
|
Rules
|
User-group
|
System Posture Token
|
RAC
|
DACL
|
N/A
|
Healthy
|
NAC-SAMPLE-HEALTHY-L3-RAC
|
NAC_SAMPLE_HEALTHY_ACL
|
N/A
|
Quarantine
|
NAC-SAMPLE- QUARANTINE-L3-RAC
|
NAC_SAMPLE_ QUARANTINE_ACL
|
N/A
|
Transition
|
NAC-SAMPLE- TRANSITION-L3-RAC
|
NAC_SAMPLE_ TRANSITION_ACL
|
Default
|
Deny = unchecked
|
NAC-SAMPLE- QUARANTINE-L3-RAC
|
NAC_SAMPLE_ QUARANTINE_ACL
|
Include RADIUS attributes from user's group
|
Unchecked
|
Include RADIUS attributes from user record
|
Unchecked
|
Table 4 describes the Shared Profile Components in the Agentless Host for L2 and L3 Sample Profile Template.
Table 4 Shared Profile Components for Agentless Host for L3 and L3 Sample
Type
|
Object
|
Value
|
RADIUS Authorization Components
|
NAC-SAMPLE-TRANSITION-L3-RAC
|
[027] Session-Timeout = 60
[029] Termination-Action RADIUS-Request (1)
A Session-Timeout can be overwritten if hinted by an audit server
|
NAC-SAMPLE-HEALTHY-L3-RAC
|
[027]Session-Timeout = 36,000
[029] Termination-Action RADIUS-Request (1)
|
NAC-SAMPLE-QUARANTINE-L3-RAC
|
[027]Session-Timeout = 3,600
[029] Termination-Action RADIUS-Request (1)
|
Downloadable IP ACLs
|
|
ACL Content Name
|
Content
|
NAF
|
NAC-_SAMPLE-_TRANSITION-_ACL
|
L3-EXAMPLE
|
permit ip any any
|
(All-AAA-Clients)
|
NAC-_SAMPLE-_HEALTHY-_ACL
|
L3-EXAMPLE
|
permit ip any any
|
(All-AAA-Clients)
|
NAC_-SAMPLE-_QUARANTINE-_ACL
|
L3-EXAMPLE
|
permit ip any any
|
(All-AAA-Clients)
|
Product Documentation
Table 5 lists the product documentation that is associated with ACS 4.1.4.
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
CCDE, CCVP, Cisco Eos, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0801R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2008 Cisco Systems, Inc. All rights reserved.