Table Of Contents
Release Notes for Cisco Secure ACS 4.1.4
Using ACS 4.1.4 in a FIPS 140-2-Compliant Mode
RADIUS Key Wrap Extended to All EAP Protocols
Temporary Elevated User Privileges
Object Identifier Check for EAP-TLS Authentication
Layer 2 Audit for Network Access Control
Add and Edit Devices Using the CSUtil Utility
Support for Microsoft Windows Server 2003 R2 with SP2
Installation Notes for ACS 4.1.4 for Windows
System Requirements for ACS 4.1.4 for Windows
Upgrade Paths to ACS 4.1.4 for Windows
Installing ACS 4.1.4 for Windows
Installation Notes for ACS 4.1.4 Solution Engine
Upgrade Paths to the ACS 4.1.4 Solution Engine
Installing the ACS Solution Engine 4.1.4
Domain Privileges for Windows 2003 Authentication
Java Runtime Environment (JRE) Version
Update for LD_LIBRARY_PATH Environment Variable
DBSync Process Keeps Restarting
For ACS Replication, Server Information Must Match
Logging Configuration Update Restarts CSLog
Support for Microsoft Windows Server Security Patches
Obtaining Documentation, Obtaining Support, and Security Guidelines
Release Notes for Cisco Secure ACS 4.1.4
Revised: June 10, 2008, OL-14207-03
CDC Date: August 23, 2007
These release notes describe changes in Cisco Secure Access Control Server (ACS) release 4.1.4 for the Windows and Solution Engine platforms. Where necessary, the appropriate platform is clearly identified.
Cisco Secure ACS 4.1.4 is Federal Information Processing Standards (FIPS) 140-2-certified for Cisco Secure ACS FIPS module version 1.1—a software cryptographic library that provides cryptographic services to Cisco Secure ACS release 4.1.4.
Introduction
ACS 4.1.4 is a maintenance release for ACS 4.1 that resolves customer and internally found defects, and includes the FIPS module. You can upgrade from ACS 4.1, ACS 4.1.2 or 4.1.3 to ACS 4.1.4.
This release includes the:
•ACS 4.1.4 software image
•Appliance upgrade CD for Solution Engines 1111, 1112, 1113
New and Changed Information
New and changed information in release 4.1.4 includes:
•Using ACS 4.1.4 in a FIPS 140-2-Compliant Mode
•RADIUS Key Wrap Extended to All EAP Protocols
•Temporary Elevated User Privileges
•Object Identifier Check for EAP-TLS Authentication
•Layer 2 Audit for Network Access Control
•Add and Edit Devices Using the CSUtil Utility
•Support for Microsoft Windows Server 2003 R2 with SP2
Using ACS 4.1.4 in a FIPS 140-2-Compliant Mode
This section describes how to use Cisco Secure ACS 4.1.4 in a FIPS 140-2-compliant mode:
•Follow the guidelines described in FIPS 140-2 Level 1 Security Policy for Cisco Secure ACS FIPS Module Version 1.1, at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp948.pdf, to operate your ACS in a FIPS-compliant mode.
•Use only FIPS 140-2 AAA clients in approved FIPS mode of operation. Refer to the client FIPS 140-2 Security Policy configuration guidelines found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp948.pdf for more information.
•Enable ACS logging; the default setting (Low) is acceptable. Refer to the User Guide for Cisco Secure ACS 4.1 for more information.
•Enable RADIUS Key Wrap in ACS; refer to RADIUS Key Wrap Extended to All EAP Protocols.
•AAA clients must use only EAP-TLS, EAP-FAST, or PEAP protocols for authentication, with key wrap.
Note ACS 4.1.4 conforms to FIPS 140-2 only when you use the allowed FIPS 140-2 compliant protocols. It is the network Administrator's (FIPS 140-2 Crypto Officer) responsibility to enforce this policy; ACS does not block you from using any protocol.
Note In EAP-FAST, do not use the out-of-band protected access credentials (PAC) provisioning.
AAA clients must support Authenticated Diffie-Hellman with SHA1 and AES, or RSA with SHA1 and AES for TLS negotiation.
Note For ACS 4.1.4 patch releases, ACS FIPS module v 1.1 is available up to version 4.1.4.13.8. From patch 9 onwards, ACS 4.1.4 is not FIPS compliant.
RADIUS Key Wrap Extended to All EAP Protocols
RADIUS Key Wrap is extended to all EAP protocols; previously, RADIUS key wrap was available only for EAP-TLS.
In previous ACS releases the Allow RADIUS Key Wrap check box resides in the EAP-TLS section of the Network Access Profiles > Protocols page.
ACS 4.1.4 has moved the Allow RADIUS Key Wrap check box to the top of the EAP Configuration section, in the new Key-Wrap area. You must use this option for EAP-TLS, EAP-FAST, and PEAP protocols when operating your ACS in a FIPS 140-2-compliant mode for authentication.
Temporary Elevated User Privileges
In previous releases, ACS restricted administrator privilege. The ACS User Setup page now supports granting administrator privileges to another user for a defined number of days, hours, and minutes. The process automatically grants and revokes privileges according to the administrator's configuration. This option is available on the User Setup page in the web interface.
Object Identifier Check for EAP-TLS Authentication
The Authentication page in Network Access Profiles (NAPs) now includes an object identifier (OID) check. An administrator can enter the OID in the NAP policy configuration. ACS checks the OID against the Enhanced Key Usage (EKU) field in the user's certificate. ACS denies access if the OID and EKU do not match.
Note To use this feature you must enable a protocol that uses client-side certificates within Network Access Profiles. See the User Guide for Cisco Secure ACS 4.1 for information.
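The check described above compares a configured OID against the KeyPurposeId values carried in the certificate's Extended Key Usage extension (id-ce-extKeyUsage, RFC 5280 section 4.2.1.12; Microsoft calls it Enhanced Key Usage). The following is an added example, not ACS code: a minimal DER encoder and parser for the EKU extension value and a deny-by-default policy function. The sample EKU bytes are constructed inline from well-known OIDs; the function and variable names are assumptions made for this illustration.

```python
# Added example (not ACS code): parse the DER value of the X.509 EKU extension
# and decide whether a required OID appears in it. Deny when the extension is
# absent or malformed, matching the "deny if the OID and EKU do not match" rule.

def _encode_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _encode_base128(value: int) -> bytes:
    """Base-128 arc encoding used inside OBJECT IDENTIFIER bodies."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))

def encode_oid(dotted: str) -> bytes:
    """Dotted OID string -> DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _encode_base128(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        body += _encode_base128(arc)
    return b"\x06" + _encode_length(len(body)) + body

def encode_eku(oids) -> bytes:
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (KeyPurposeId is an OID)."""
    inner = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _encode_length(len(inner)) + inner

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos; bounds-checked."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body: bytes) -> str:
    """DER OBJECT IDENTIFIER body -> dotted string (handles multi-byte arcs)."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if not body or body[-1] & 0x80:
        raise ValueError("unterminated OID arc")
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def decode_eku(der: bytes):
    """Return the list of dotted KeyPurposeId OIDs in an EKU extension value."""
    tag, inner, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value is not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(inner):
        tag, body, pos = _read_tlv(inner, pos)
        if tag != 0x06:
            raise ValueError("EKU element is not an OBJECT IDENTIFIER")
        oids.append(decode_oid(body))
    return oids

def eku_permits(eku_der, required_oid: str) -> bool:
    """Policy decision: True only if required_oid is listed in the EKU.
    A certificate with no EKU extension (None) or an unparseable one is denied."""
    if eku_der is None:
        return False
    try:
        return required_oid in decode_eku(eku_der)
    except ValueError:
        return False

# Well-known KeyPurposeId values (RFC 5280 and the Microsoft smart-card arc).
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
MS_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"

# Constructed sample: an EKU extension value listing serverAuth and clientAuth.
SAMPLE_EKU = encode_eku([ID_KP_SERVER_AUTH, ID_KP_CLIENT_AUTH])

if __name__ == "__main__":
    print(SAMPLE_EKU.hex())
    print(eku_permits(SAMPLE_EKU, ID_KP_CLIENT_AUTH))   # True
    print(eku_permits(SAMPLE_EKU, MS_SMARTCARD_LOGON))  # False: OID not in EKU
```

The parser is deliberately strict: a truncated length, a trailing byte after the SEQUENCE, or a non-OID element all raise and therefore deny, which is the safe failure mode for an authentication gate. In a real deployment the EKU bytes would come from the client certificate presented during the EAP-TLS handshake rather than from the constructed sample.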
Layer 2 Audit for Network Access Control
ACS 4.1.4 adds support for the audit of agentless hosts connected to a Layer 2 (L2) Network Access Device (NAD). ACS first admits the device to a quarantined network, where the device can receive an IP address. The audit cannot begin until the device has received the IP address. When the audit begins, the audit is the same as an audit of a Layer 3 (L3) host. You can access this feature on the External Posture Validation Audit Setup page in the web interface.
The NAD must be preconfigured to learn the host's IP address. Then ACS responds to an initial access-request with a notification to the NAD to issue another access-request when the NAD has learned the IP address. If the NAD does not learn the host's IP address, ACS invokes a failure condition, and policy flow follows the audit fail-open policy. Using the audit fail-open policy, administrators can choose to reject the user, or assign a posture token and an optional user-group.
Audit policy can serve as a backup verification when MAC Authentication Bypass (MAB) fails. The audit policy tests whether MAB failed by applying policy conditions that test the ACS user group assigned to the current session. For example, you can test whether the user-group is equal to the user-group that MAB assigns to failed authentications, and, if so, only then continue the audit.
For configuration information, see Chapter 14, Network Access Profiles, in the User Guide for Cisco Secure Access Control Server.
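The flow in the three paragraphs above (quarantine until the NAD learns the host's IP, re-request, audit as a Layer 3 host, fail-open policy when the IP is never learned, and the MAB-failure condition on the session's user group) is easier to follow as a state machine. The following is an added illustration, not ACS code: the message and session shapes, the group name "MAB-Failed", the host MAC address and the attempt limit that stands in for a timeout are all assumptions made for this example.

```python
# Added example (not ACS code): a simplified model of the Layer 2 agentless
# audit decision flow. Message shapes, the session object, the group name and
# the attempt limit are assumptions for illustration only.
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAB_FAILED_GROUP = "MAB-Failed"   # assumed name of the group MAB assigns on failure

@dataclass
class FailOpenPolicy:
    """Audit fail-open policy: reject, or assign a posture token and optional group."""
    reject: bool = True
    posture_token: Optional[str] = None   # used only when reject is False
    user_group: Optional[str] = None      # optional group, used only when reject is False

@dataclass
class AuditSession:
    mac: str
    user_group: str            # group ACS assigned to this session (e.g. by MAB)
    attempts: int = 0
    ip: Optional[str] = None

@dataclass
class AccessRequest:
    mac: str
    learned_ip: Optional[str]  # None until the NAD has learned the host's address

def handle_access_request(session: AuditSession, request: AccessRequest,
                          policy: FailOpenPolicy, max_attempts: int = 3) -> Tuple[str, str]:
    """Return (decision, detail) for one access-request from the NAD.
    decision is one of: not-applicable, quarantine-retry, audit, reject, fail-open."""
    session.attempts += 1
    # Policy condition on the session's user group: only continue into the
    # audit when MAB failed, i.e. the group equals the MAB-failure group.
    if session.user_group != MAB_FAILED_GROUP:
        return "not-applicable", "MAB succeeded; audit policy does not apply"
    if request.learned_ip is None:
        if session.attempts < max_attempts:
            # Host sits in the quarantined network so it can obtain an address;
            # the NAD is told to send another access-request once it has the IP.
            return "quarantine-retry", "NAD must re-send access-request after learning host IP"
        # Failure condition (assumed attempt limit): apply the fail-open policy.
        if policy.reject:
            return "reject", "NAD never learned the host IP address"
        return "fail-open", f"posture={policy.posture_token} group={policy.user_group}"
    session.ip = request.learned_ip
    # From here the audit proceeds exactly as for a Layer 3 host.
    return "audit", f"L3-style audit of {session.ip}"

def run_scenario(learned_ips: List[Optional[str]], user_group: str = MAB_FAILED_GROUP,
                 policy: Optional[FailOpenPolicy] = None, max_attempts: int = 3) -> List[str]:
    """Feed a sequence of access-requests for one host and collect the decisions."""
    policy = policy if policy is not None else FailOpenPolicy()
    session = AuditSession(mac="00:11:22:33:44:55", user_group=user_group)  # constructed
    return [handle_access_request(session, AccessRequest(session.mac, ip), policy, max_attempts)[0]
            for ip in learned_ips]

if __name__ == "__main__":
    print(run_scenario([None, "10.0.0.5"]))            # retry, then audit
    print(run_scenario([None, None, None]))            # never learned: reject
    print(run_scenario(["10.0.0.5"], user_group="Employees"))  # MAB succeeded
```

The two fail-open outcomes are the ones the text names: with `reject=True` the host is denied; with `reject=False` and a posture token the host is admitted under that token and, optionally, a user group. The attempt counter stands in for whatever ACS actually uses to decide that the NAD will not learn the address, which the notes do not specify.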
CSSupport Utility Added
ACS for Windows now includes the CSSupport utility. To access the utility, choose System Configuration > Support in the web interface. The utility includes the same options that are currently available on the Solution Engine. Similarly, CSSupport on ACS for Windows can collect a user-configurable set of options and generate a package.cab file. The information in the file is collected from the machine that is running the web interface.
The options include collection of:
•User database
•Logs for a configurable number of days
•Diagnostic logs
Note If you choose diagnostic logs, the package.cab generation process restarts the ACS services. If you do not select diagnostic logs, ACS services do not restart.
UTF-8 Support
ACS now supports the use of UTF-8 (the 8-bit Universal Coded Character Set (UCS)/Unicode Transformation Format) for the username and password only when authenticating with Active Directory (AD). The UTF-8 format can preserve the full US-ASCII range, providing compatibility with the existing ASCII handling software. See RFC 3629 for more information.
Add and Edit Devices Using the CSUtil Utility
ACS now supports use of the CSUtil Import.txt file for adding and editing authentication, authorization, and accounting (AAA) devices. You can edit all attributes of the AAA devices, including the:
•IP address
•Shared secret
•Vendor
•Network device group
•Single connection
•Keepalive settings
Support for Microsoft Windows Server 2003 R2 with SP2
ACS release 4.1.4 adds support for the Microsoft Windows Server 2003 R2 Service Pack (SP) 2.
Installation Notes
This section contains:
•Installation Notes for ACS 4.1.4 for Windows
•Installation Notes for ACS 4.1.4 Solution Engine
Installation Notes for ACS 4.1.4 for Windows
This section contains information on system requirements and upgrades.
System Requirements for ACS 4.1.4 for Windows
The system requirements for ACS 4.1.4 are the same as the system requirements for ACS 4.1. For information on supported operating systems and web browsers, see the Installation Guide for Cisco Secure ACS for Windows 4.1.
Note ACS 4.1.4 adds support for Microsoft Windows Server 2003 R2 SP 2.
Upgrade Paths to ACS 4.1.4 for Windows
Cisco supports the upgrade paths of versions:
•4.1 to 4.1.4
•4.1.2 to 4.1.4
•4.1.3 to 4.1.4
Note If you are running ACS 4.1.2, you should upgrade directly from 4.1.2 to 4.1.4. The upgrade from 4.1.2 to 4.1.3 is not supported.
For more information on ACS 4.1 upgrades, see the Installation Guide for Cisco Secure ACS for Windows 4.1.
Installing ACS 4.1.4 for Windows
You must have ACS 4.1 installed before you install ACS 4.1.4. ACS 4.1.4 is available through the Cisco Technical Assistance Center (TAC) only for upgrading existing ACS software deployments. The installation instructions for ACS 4.1.4 are the same as for ACS 4.1. For information about installing ACS, refer to the Installation Guide for Cisco Secure ACS 4.1 Windows.
Installation Notes for ACS 4.1.4 Solution Engine
This section contains installation information for the ACS 4.1.4 Solution Engine (SE).
Upgrade Paths to the ACS 4.1.4 Solution Engine
Cisco supports the upgrade paths of versions:
•4.1 to 4.1.4
•4.1.2 to 4.1.4
•4.1.3 to 4.1.4
Note If you are running ACS 4.1.2, you should upgrade directly from 4.1.2 to 4.1.4. The upgrade from 4.1.2 to 4.1.3 is not supported.
For more information on ACS 4.1 upgrades, see the Installation Guide for Cisco Secure ACS Solution Engine 4.1.
Installing the ACS Solution Engine 4.1.4
ACS 4.1 is pre-installed on the 1113 appliance. The ACS 4.1.4 Solution Engine upgrade package is available through the TAC only for upgrading existing ACS software deployments. The installation instructions for ACS 4.1.4 Solution Engine are the same as ACS 4.1. For information about installing ACS, refer to the Installation Guide for Cisco Secure ACS Solution Engine 4.1.
Known Caveats
Table 1 contains known caveats in ACS for Windows and Solution Engine 4.1.4. You can also use the Bug Toolkit to find open bugs.
Resolved Caveats
Table 2 contains the resolved caveats for ACS 4.1.4. Check the Bug Toolkit on Cisco.com for any resolved caveats that might not appear here.
Documentation Updates
This section provides documentation updates.
Changes
This section provides changes to the ACS user documentation.
Domain Privileges for Windows 2003 Authentication
ACS requires Domain Administrator privileges for the service account when authenticating against Windows 2003. Explanations now appear in the:
•Installation Guide for Cisco Secure ACS for Windows 4.0
•Installation Guide for Cisco Secure ACS for Windows 4.1
Supported ODBC Data Sources
In the User Guide for Cisco Secure ACS 4.1, Appendix F, "RDBMS Synchronization Import Definitions", in the section "Supported Versions for ODBC Data Sources (ACS for Windows)", the opening statement needs to be revised.
ACS supports any database that has been tested with ACS, and any database that is compliant with ODBC. The current information appears to restrict support to only certain versions of ODBC and MS-SQL.
Java Runtime Environment (JRE) Version
In Table 1-2, ACS for Windows Web Client Requirements, in the Installation Guide for Cisco Secure ACS for Windows 4.1, the minimum requirement for the JRE needs to change to the current minimum requirement, which is Sun JRE 1.5.x.
Update for LD_LIBRARY_PATH Environment Variable
In the section "Environment Variable Settings", in Installing Cisco Secure ACS Remote Agent for Solaris, the information on libstdc++.so is obsolete since Release 4.1.3. You no longer need to place libstdc++.so in the LD_LIBRARY_PATH environment variable.
Omissions
This section provides information that was omitted from the ACS user documentation.
Password Aging
In the User Guide for Cisco Secure ACS 3.1, in the section "Enabling Password Aging for the CiscoSecure User Database", the sequence of steps for changing a password now includes the following supplemental information.
To change your password for IOS:
Step 1 Open a Telnet window to the router that is running IOS.
Step 2 Enter your user name.
Step 3 When prompted, enter the old password and then enter the new password.
DBSync Process Keeps Restarting
ACS Troubleshooting needs to include a workaround for this problem.
Condition
When the CSAdmin service is started with a different Windows user than the CSDBSync service, the CSDBSync service keeps restarting and floods the log with the message "CSDbSync 08/31/2006 16:58:34 E 0000 5408 WaitForMultipleObjects returned [-1], error [6]".
Action
Run the CSAdmin and CSDBSync services as the same user.
For ACS Replication, Server Information Must Match
In the User Guide for Cisco Secure ACS 4.1, in the section "Replication Options", the information needs to include a note about matching server configurations. The sending and receiving servers must be configured with the same replication settings for Network Access Profile (NAP) information.
Because the network configuration and NAP configuration can overlap, both servers should be set to replicate only NAP information. For example, if the receiving server is set to receive both network configuration and NAP information, but the sending server is set to send only NAP information, ACS replication fails.
Logging Configuration Update Restarts CSLog
The "Logging and Reports" chapter in the User Guide for Cisco Secure ACS 4.1 needs additional information about logging configuration updates. When ACS updates the logging configuration, the CSLog process restarts.
Support for Microsoft Windows Server Security Patches
In the Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Release 4.1, in the section "Tested Windows Security Patches", the initial note needs additional information. Patches that Microsoft released after the release of ACS 4.1 may not be supported. For information on recent patches, contact the TAC.
Product Documentation
Table 3 lists the product documentation that is associated with ACS 4.1.4.
Table 3 Product Documentation
Document Title: Documentation Guide for Cisco Secure ACS 4.1
Description: Describes product documentation:
•Printed document with the product.
•PDF on the product CD-ROM.
Available on Cisco.com:
•Windows—http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_documentation_roadmaps_list.html
•Solution Engine—http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_documentation_roadmaps_list.html
Document Title: Release Notes for Cisco Secure ACS 4.1
Description: ACS 4.1 features, documentation updates, and resolved problems. Available on Cisco.com:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_notes_list.html
Document Title: Release Notes for Cisco Secure ACS 4.1.2; Release Notes for Cisco Secure ACS 4.1.3; Release Notes for Cisco Secure ACS 4.1.4
Description: New features, documentation updates, and resolved problems since ACS 4.1. Available on Cisco.com:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_notes_list.html
Document Title: Product online help
Description: Help topics for all pages in the ACS web interface. Select an option from the ACS menu; the help appears in the right pane.
Document Title: User Guide for Cisco Secure ACS 4.1
Description: ACS functionality and procedures for using the ACS features. Available in the following formats:
•By clicking Online Documentation in the ACS navigation menu. The user guide PDF is available on this page by clicking View PDF.
•PDF on the ACS Recovery CD-ROM.
Available on Cisco.com:
http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_list.html
Document Title: Supported and Interoperable Devices and Software Tables for Cisco Secure ACS 4.1
Description: Supported devices and firmware versions for all ACS features. Available on Cisco.com:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_device_support_tables_list.html
Document Title: Installation and User Guide for User Changeable Passwords 4.1
Description: Installation and user guide for the user-changeable password add-on. Available on Cisco.com:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_installation_guides_list.html
Document Title: Configuration Guide for Cisco Secure ACS 4.1
Description: Provides step-by-step instructions on how to configure and deploy ACS. Available on Cisco.com.
Document Title: Installation Guide for Cisco Secure ACS 4.1 Windows
Description: Details on installation and upgrade of ACS software and post-installation tasks. Available as PDF on the ACS Recovery CD-ROM. Available on Cisco.com:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_installation_guides_list.html
Document Title: Installation Guide for Cisco Secure ACS Solution Engine 4.1
Description: Details on ACS SE 1112 and ACS SE 1113 hardware and hardware installation, and initial software configuration. Available as PDF on the ACS Recovery CD-ROM. Available on Cisco.com:
http://www.cisco.com/en/US/products/sw/secursw/ps5338/prod_installation_guides_list.html
Document Title: Regulatory Compliance and Safety Information for Cisco Secure ACS Solution Engine 4.1
Description: Translated safety warnings and compliance information. Available in the following formats:
•Printed document with the product.
•PDF on the ACS Recovery CD-ROM.
Available on Cisco.com:
http://www.cisco.com/en/US/products/sw/secursw/ps5338/prod_installation_guides_list.html
Document Title: Installation and Configuration Guide for Cisco Secure ACS Remote Agents
Description: Installation and configuration guide for ACS remote agents for remote logging. Available as PDF on the ACS Recovery CD-ROM. Available on Cisco.com:
http://www.cisco.com/en/US/products/sw/secursw/ps5338/prod_installation_guides_list.html
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
CCVP, the Cisco logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0705R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.