Table Of Contents
Release Notes for Cisco Secure ACS 4.1
Contents
ACS New Features
Product Documentation
Security Advisory
Known Problems in ACS for Windows and the Solution Engine 4.1
Cisco AAA Client Problems
Known Microsoft Problems
Upgrade from the Trial version of ACS 4.1 to the ACS 4.1 First Customer Ship (FCS) version fails
Replication with Different Send and Receive Configurations
Problem with Accounting Records in the TACACS+ Administration Log
Known CLI Administrator Problem
Verifying the ACS Solution Engine CD Recovery Process
Known Caveats in ACS for Windows and the Solution Engine 4.1
Resolved Caveats in ACS for Windows and the Solution Engine 4.1
Known Caveats with ACS Solution Engine 4.1
Resolved Caveats in the ACS Solution Engine 4.1
ACS for Windows 4.1
System Requirements
Software Compatibility
Upgrading to a New Software Release
Installation Notes
Upgrade Paths
Supported Upgrades for ACS for Windows
Supported Migration Path for ACS for Windows
Unsupported Migration Path to ACS 4.1
Post-Upgrade Configuration
Upgrading From Version 3.3
Limitations and Restrictions
Interoperability Testing
ACS Solution Engine 4.1
New and Changed Information for the ACS Solution Engine 4.1
New Hotfixes in ACS SE 4.1
ACS Remote Agent for Windows
Installation Notes for the Solution Engine 4.1
Installing from ACS SE 1111 (HP) Recovery CD
Software Compatibility
Supported Upgrades for ACS SE
Supported Migrations for ACS SE
Tested Windows Security Patches for ACS Remote Agent and ACS for Windows
Documentation Updates
Changes
Obtaining Documentation
Cisco.com
Product Documentation DVD
Ordering Documentation
Documentation Feedback
Cisco Product Security Overview
Reporting Security Problems in Cisco Products
Product Alerts and Field Notices
Obtaining Technical Assistance
Cisco Technical Support & Documentation Website
Submitting a Service Request
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Release Notes for Cisco Secure ACS 4.1
March 2007
Full Build Number: 4.1.1.23
These release notes pertain to Cisco Secure Access Control Server, hereafter referred to as ACS version 4.1. These release notes contain information for the Windows and Solution Engine platforms. Where necessary, the appropriate platform is clearly identified.
Note 
The ACS release numbering system for software includes major release, minor release, maintenance build, and interim build number in the MMM.mmm.###.BBB format. For this release, the versioning information is Cisco Secure ACS 4.1.1.23. Elsewhere in this document where 4.1 is used, we are referring to 4.1.1. ACS major release numbering starts at 4.1.1, not 4.1.0. Use this information when working with your customer service representative.
Contents
These release notes provide information about:
•ACS New Features
•Product Documentation
•Known Problems in ACS for Windows and the Solution Engine 4.1
•Known Caveats in ACS for Windows and the Solution Engine 4.1
•Resolved Caveats in ACS for Windows and the Solution Engine 4.1
•Known Caveats with ACS Solution Engine 4.1
•Resolved Caveats in the ACS Solution Engine 4.1
•ACS for Windows 4.1
•Limitations and Restrictions
•ACS Solution Engine 4.1
•New and Changed Information for the ACS Solution Engine 4.1
•Installation Notes for the Solution Engine 4.1
•Documentation Updates
•Obtaining Documentation
•Documentation Feedback
•Cisco Product Security Overview
•Product Alerts and Field Notices
•Obtaining Additional Publications and Information
ACS New Features
ACS contains the following new and changed features:
•Improved Compliance Support—This release contains new ACS administrator permissions to improve password management and audit reports for regulatory compliance; for example, Sarbanes-Oxley (SOX). ACS includes the following capabilities for:
Authentication:
–Forcing periodic change of administrator's password.
–Applying password structure policy.
–Forcing administrator's password change for inactive account.
–Preventing the reuse of old password (password history).
–Disabling administrator accounts for inactivity.
–Disabling administrator accounts after failed logins.
–Allowing ACS administrators to change their own passwords.
Audit and Reporting:
–Logging all administrative actions via system logging (syslog), in addition to existing logging targets.
–Controlling administrators' access to log file configuration to prevent specific audit logging from being disabled.
–Adding new reports for administrators privileges.
Authorization: Providing a read-only privilege for users and groups.
•External database support for MAC Authentication Bypass—The ability to maintain MAC address lists in an external LDAP server and map MAC addresses to user groups.
•Improved diagnostics and error messages—Improved diagnostic information about certificate mismatches with HCAP and GAME servers. The raw dump of GAME and HCAP messages is in a readable format and the authentication failure codes are now more intuitive.
•PEAP/EAP-TLS Support—The authenticator side of PEAP/EAP-TLS as a protocol enhancement is now included. ACS can now authenticate clients with PEAP by using EAP-TLS as the phase-two inner method, and enables certificate-based authentication to occur within a secure tunnel, encrypting identity information. Since EAP-TLS normally relies on client-side certificates for authentication, the PEAP tunnel will protect the client's certificate content.
•Logging and Reporting Extensions—New internal mechanisms for logging now create consistent log levels and improved performance. ACS now supports syslog and the capability to log ACS messages to remote servers that support the syslog standard.
•Multiple concurrent logging destinations—You can send Log data to multiple destinations simultaneously.
•Enhanced remote agent support for logging—You can expose reports externally that were previously provided only locally, for files from previous versions; for example, sending audit reports to a remote agent on an appliance.
•RADIUS AES Key Wrap Functionality—This feature supports a secure, certified mode of operation, notably in a Federal Information Processing Standard (FIPS)-compliant wireless solution. RADIUS Key Wrap support with EAP-TLS authentication in ACS, is another step toward satisfying the set of security requirements in practical, deployable, and interoperable secure solutions from Cisco Systems. AES replaces MD5 encryption.
•Cisco NAC support—ACS 4.1 acts as a policy decision point in NAC deployments. By using configurable policies, it evaluates and validates the credentials that it receives from the Cisco Trust Agent (posture), determines the state of the host, and sends a per-user authorization to the network-access device: ACLs, a policy based access control list, or a private VLAN assignment. Evaluation of the host credentials can enforce many specific policies, such as OS patch level and antivirus DAT file version. ACS records the policy evaluation result for use with monitoring systems. Before granting network access, ACS 4.1 also allows third-party Audit Vendors to audit hosts without the appropriate agent technology. ACS policies can be extended with external policy servers to which ACS forwards posture credentials. For example, credentials specific to an antivirus vendor can be forwarded to the vendor's antivirus policy server, and audit policy requests can be forwarded to third-party audit products.
–GAME Group Feedback—This feature provides the ability to authorize a host based on checking the device-type categorization returned from authentication as a user-group against an audit server.
–Expanded agentless support—This feature adds support for auditing agentless hosts connected to a Layer 2 Network Access Device (NAD). The agentless host is admitted to a quarantined network where it can receive an IP address and only then instantiate the audit. When instantiated, the audit will continue as with a regular Layer 3 host.
•Extended replication components—Improved and enhanced replication components are now available. Administrators now can replicate:
–Posture validation settings.
–Additional logging attributes.
•Audit support for MAC Authentication Bypass —Audit processing has been enhanced to include MAC Authentication Bypass (MAB). MAB enables double-checking an audit request against a MAC authentication policy and an Audit Policy, and combines the evaluation of these two policies.
•Audit Verification of MAC Exceptions — You can apply MAC exceptions to Network Admission Control (NAC) audit requests. Dual verification of endpoints is then possible. You can check whether the user group (which signifies the device type) that the agentless request processing returns matches the device type that the audit server returns, and you can define a policy for handling mismatches.
•Japanese Microsoft Windows Support—New support for the Japanese version of Microsoft Windows 2003 at the service pack level is available.The ACS web interface can run on browsers running the Japanese version of the Windows operating system. In addition, the ACS for Windows software can run on a Windows server running the Japanese version of the Windows operating system.
Note We do not support distributed ACS deployments in a Network Address Translation (NAT) environment.
Product Documentation
The following product documentation is available for ACS 4.1:
Note Some of the preceding documents are in PDF format. You need the Adobe Acrobat Reader to open these files.
Security Advisory
Cisco issues a security advisory when security issues directly impact its products and require action to repair. For the list of security advisories for Cisco Secure on Cisco.com, see the Cisco Security Advisory: Multiple Vulnerabilities in Cisco Secure Access Control Server at:
http://www.cisco.com/en/US/products/products_security_advisories_listing.html
Known Problems in ACS for Windows and the Solution Engine 4.1
The problems in this release are:
•Cisco AAA Client Problems
•Known Microsoft Problems
•Upgrade from the Trial version of ACS 4.1 to the ACS 4.1 First Customer Ship (FCS) version fails
•Replication with Different Send and Receive Configurations
•Problem with Accounting Records in the TACACS+ Administration Log
•Known CLI Administrator Problem
•Verifying the ACS Solution Engine CD Recovery Process
Cisco AAA Client Problems
Refer to the appropriate release notes for information about Cisco AAA client problems that might affect the operation of ACS. You can access these release notes online at Cisco.com. For NAC-specific client problems, go to http://www.cisco.com/go/nac.
Known Microsoft Problems
Due to a defect in the Microsoft PEAP supplicant provided in the Windows XP Service Pack 2, the PEAP supplicant cannot reauthenticate successfully with ACS. Cisco has opened case SRX040922603052 with Microsoft on this issue. Customers who are affected by this problem should open a case with Microsoft and reference the Cisco case ID. Microsoft has prepared hotfix KB885453, which resolves the issue. The hotfix is available on the Microsoft website.
Note ACS for Windows only. When ACS runs on a domain controller and you need to authenticate users with a Windows user database, you must take additional configuration steps; see the Installation Guide for Cisco Secure ACS 4.1 Windows for post-installation steps regarding Windows NT LAN Manager (NTLM). A Microsoft hotfix may be required, depending on your configuration.
Upgrade from the Trial version of ACS 4.1 to the ACS 4.1 First Customer Ship (FCS) version fails
The upgrade from the trial version of ACS 4.1 to the ACS 4.1 FCS version fails after the evaluation period has expired. To prevent this:
1. Perform a system backup on the expired ACS trial version.
2. Retain the system backup dump file. The backup functionality in CSAuth remains operational.
3. Uninstall the trial version 3.
4. Install the unrestricted FCS version 4.
5. Restore the system backup dump file on the installed FCS version.
Note Note: The upgrade problem only applies to the software evaluation version of ACS 4.1.
Replication with Different Send and Receive Configurations
The user guide states that the primary ACS compares the list of database components that it is configured to send with the list of database components that the secondary ACS is configured to receive. If the secondary ACS is not configured to receive any of the components that the primary ACS is configured to send, the database replication fails.
This information is not correct (bug CSCsg93907).
The primary ACS first synchronizes with the secondary ACS, and sends only the components that the secondary ACS is configured to receive. The primary ACS does not send components that the secondary ACS is not configured to receive, even if you configure the primary ACS to send those components. Thus, database replication does not fail when different send and receive configurations exist on the primary and secondary ACS.
Problem with Accounting Records in the TACACS+ Administration Log
After upgrading to ACS 4.1, TACACS+ Command Accounting no longer works. No accounting records are visible in the TACACS+ Administration log (bug CSCsg97429).
Command accounting is configured on the Network Access Server (NAS). No records are visible in the TACACS+ Administration log file after entering commands on the NAS. Debugs on the NAS show the records being sent, and they do arrive at the ACS server; but, the appropriate log file is not updated.
The patch information resolves this issue.
Click this link if you are using ACS for Windows: http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-win-3des?psrtdcat20e2 and download:
•ACS-4.1.1.23-CSTacacs-SW-CSCsg97429.zip
•ACS-4.1.1.23-CSTacacs-SW-CSCsg97429-Readme.txt
Click this link if you are using ACS Solution Engine: http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-soleng-3des?psrtdcat20e2 and download:
applAcs_4.1.1.23_ACS-4.1-CSTacacs-CSCsg97429.zip
Known CLI Administrator Problem
If you do not set up a GUI account for the CLI administrator by using the add-guiadmin command, then the CLI administrator will be unable to access the SE by using a web browser over the serial connection.
To add a GUI account that the CLI administrator can use, use the add-guiadmin command.
add-guiadmin [admin] [password]
Verifying the ACS Solution Engine CD Recovery Process
After you remove the recovery CD from the drive, and press Enter, the system reboots, and displays system version information. The ACS Solution Engine recovery process is complete and the Solution Engine is operational when the following information appears on your console.
Cisco Secure ACS: 4.1.1.16
Appliance Management Software: 4.1.1.16
Appliance Base Image: 4.1.1.4
CSA build 4.0.1.543.2: (Patch: 4_0_1_543)
Status: Appliance is functioning properly
Note If only the login prompt appears you must reboot the Solution Engine.
For detailed information on the Solution Engine CD recovery process, see the Installation Guide for Cisco Secure ACS Solution Engine 4.1.
Known Caveats in ACS for Windows and the Solution Engine 4.1
Table 2 contains known caveats in ACS for Windows and the Solution Engine 4.1.
Table 2 Known Caveats in ACS Windows and the Solution Engine 4.1
Bug ID
|
Summary
|
Explanation
|
CSCsc49673
|
UPGRADE:Add Filter aaa:service=ip_admission to Upgrade-Profile NAP.
|
Symptom After upgrading from ACS 3.3 that included a NAC
database, a profile is created with an authorization method:
PEAP - posture only. This profile does not have a filter, which
will cause all incoming authentications to fail; except from
PEAP-POSTURE.
Workaround Add a filter of Cisco-av-pair aaa:service = ip_admission to the Upgrade-Profile. The no-posture requests will be authenticated against the global settings configuration. (Check the Grant access using global configuration, when no profile matches option in the created profile.)
|
CSCsc43577
|
CSAdmin stalls and has a memory leak.
|
Symptom CSAdmin consumes a large amount of memory (351
MB) when updating EAP-FAST inner method GTC to
MSCHAPv2 by using the Network Access Profile page.
Workaround Restart the CSAdmin service.
|
CSCsc41638
|
ACS does not check if the Certificate Authority (CA) certificate that was issued to a user exists in the certificate trust list (CTL).
|
Symptom A user who presents a certificate in EAP-TLS or
EAP-FAST/EAP-TLS may be authenticated; even though the
ACS machine no longer trusts the certificate issuer.
Workaround Uncheck the CA certificate from the ACS web interface before removing the CA certificate from the machine storage.
|
CSCsc32154
|
Upgrading from ACS 3.3 removed APT, SPT, and Reason from Logged Attributes.
|
If one or more of the APT, SPT, and Reason attributes were selected to be logged in the Failed or Passed reports in ACS 3.3, they will not appear in the Logged Attributes column after upgrading to ACS 4.1.
|
CSCsb95897
|
ACS cannot correctly display a list containing several pages of disabled accounts.
|
Symptom The ACS web interface has problems displaying
disabled accounts lists if they contain several pages. Next is
working as needed; but, Previous is available only once.
Workaround None.
|
CSCeh79954
|
EAP-TLS time-of-day restriction in Active Directory (AD) does not fail user; authentication succeeds.
|
Symptom EAP-TLS authentication of users in Windows Active
Directory will still pass when a user's time-of-day setting
(located in AD) is outside the hours they are allowed. ACS does
not generate an error.
Conditions EAP-TLS authentication of users in Active Directory running in Windows 2000 or 2003 environment.
Workaround None.
|
CSCeh68821
|
LDAP authentication passes after modifying the subtree node due to domain name (DN) caching.
|
Symptom If you change the User Directory Subtree in the
Common LDAP Configuration, users that already authenticated
by using this Generic LDAP instance (External User Database)
are not affected and will continue to pass authentication; even
if users are no longer under the new User Directory Subtree.
ACS does not perform a new search for the users because of the
user-cached Distinguished Name.
Workaround If you want to enforce a new search on the User Directory Subtree, delete the users from the ACS internal database.
|
CSCeh60564
|
An Active Directory locked-out user passed EAP-TLS authentication; should be rejected.
|
Symptom EAP-TLS authentication will still pass for users in
Active Directory; even if their account is locked out. ACS does
not generate an error message.
Conditions EAP-TLS authentication of users in Active Directory running in Windows 2000 environment.
Workaround None. Windows 2003 has introduced some new attributes that should help resolve this issue in the future.
|
CSCeh52700
|
An Active Directory expired-user passed EAP-TLS authentication; should be rejected.
|
Symptom EAP-TLS authentication will still pass for users in the
Active Directory; even if their account has expired. ACS does
not generate an error message.
Workaround If you want to use Active Directory to authenticate users with EAP-TLS when ACS runs on a member server, additional configuration is required. For more information, including steps for the additional configuration, see the Installation Guide for Cisco Secure ACS 4.1 Windows, Release 4.1 or the Installation Guide for Cisco Secure ACS Solution Engine 4.1.
|
CSCeh00074
|
GUI LDAP group mapping submission failure.
|
Symptom When adding LDAP groups to be mapped to ACS
groups, the Submit operation sometimes fails and an Empty
list error message appears.
Conditions This failure might occur when working on the ACS web interface from a remote machine (for example, with Terminal Services) or from other group mapping pages.
Workaround Move to another window from the Group Mapping page, before you click Submit, or click on another frame in the ACS web interface.
|
CSCeg50237
|
Overinstall causes the added AVP Attributes to disappear.
|
Symptom Adding AVP attributes and then performing an
overinstall causes those attributes to disappear from the Log
Attribute field.
Workaround None.
|
CSCef96208
|
ACS reports incorrect privilege level.
|
Symptom ACS may report users with the incorrect authorized
privilege level. In particular, when using TACACS+, users who
are correctly authenticated with a privilege level of 15 are
reported with a level of 1.
Workaround The error is cosmetic; there is no workaround.
|
CSCef85310
|
Group discretionary access control list (DACL) is downloaded if user's DACL content is empty.
|
Symptom It is possible to define an ACL with empty content.
Following this defect, if a user with an empty ACL belongs to
a group on which a not empty ACL is defined authenticates,
then the ACL of the group is downloaded to the device instead
of the user's. (While the user's DACL content is not empty, it is
downloaded to the device, as it should be).
Workaround Do not define an empty downloadable ACL.
|
CSCef55730
|
ACS authorization passes even for a disabled user.
|
Symptom The default administrative user account defined
within the CiscoWorks local (user) database (and replicated
within ACS TACACS+ user database) is granted access to all
installed Management Center applications; even if the user
account is disabled within ACS.
|
CSCef12461
|
ACS administrators are not restored, when on a large database, you restore a dump file on Windows 2000.
|
Symptom When ACS contains a big database with 500 or more
administrators, after restoring the dump file on Windows 2000,
the ACS administrators are not restored.
Workaround Manually create administrators after restore.
|
CSCee64596
|
During stress tests, ACS does not reduce the size of the CSAdmin file based on the Service Control settings.
|
Symptom Intensive use of the Logged-In Users report may lead
to significant memory utilization (140 MB) by the CSAdmin
service.
Workaround Restart the CSAdmin service.
|
CSCsb15116
|
The Apply and Restart button in the Network Access Profiles (NAP) page does not release the Network Access Filter (NAF) policy.
|
Symptom When deleting a Network Access Filter, which is used
in a Network Access Profile Setup Page, unexpected behavior
(NAPs fail) may occur and authentication fails.
Workaround Perform one of the following:
•Before deleting a Network Access Filter, remove it from the relevant Network Access Profiles.
•After deleting a Network Access Filter for each relevant Network Access Profile, click Submit (without performing changes) in the Profile Setup Page.
|
CSCsc57975
|
The database order inside a Network Access Profile may cause authentication to fail and an error message appears.
|
Symptom When a user account in the Windows Active
Directory has expired, the user may be authenticated in another
external database, which is configured sequentially after the
Windows database in the authentication settings in the matched
NAP. If the user exists in another database, authentication is
successful. If the user does not exist in another database, the
error message CS user unknown (instead of Database
account expired) appears.
Workaround None.
|
CSCse03681
|
Entering a community string that begins or ends with a space does not result in an error message.
|
Symptom Entering a community string that begins or ends with
a space does not result in an error message. Instead, the ACS
system deletes the space without informing the user.
Workaround None.
|
CSCse01194
|
After system migration from ACS for Windows to the Solution Engine version on the ACS SE 1113, the existing HTTP configuration is not retained.
|
Symptom If the master ACS system (ACS for Windows
4.0.1.27) is configured for certain HTTP settings (the port
ranges are changed to 60000-60005) and the system is
replicated to the ACS SE 1113 version (4.0.1.44), the specified
HTTP configuration settings are not retained on the ACS SE
1113 installation.
Workaround None.
|
CSCsc41860
|
CSAuth fails when you use CSUtil to delete more than 10,000 AAA clients concurrently.
|
Symptom A large amount of (35K) AAA clients were imported
to an ACS server. Then CSUtil import was used to delete
35,000 devices. After deleting the AAA clients, CSAuth failed.
Conditions This defect can occur on a clean installation.
Workaround When deleting a large number of AAA clients, you can use CSUtil to delete them in batches of up to 10,000 AAA clients concurrently.
|
CSCsb48683
|
Log and accounting file locking causes problems with backup software.
|
Symptom ACS diagnostic and accounting log-file locking
results in service problems when the directories are backed up
by certain software applications (in reported case, Veritas
software was used).
Workaround Upgrade your backup software.
|
CSCec72911
|
Issue with Windows 2003 password-aging page.
|
Symptom ACS is installed on Windows 2003 Server and the
password-aging feature is enabled. Only the generate
greetings for successful logins option in Password Aging
settings is checked. After clicking Submit or Submit +
Restart, ACS for the first time displays the valid error
message: Error: Generation of greetings on successful
logins requires at least one password aging rule to be
configured. But, when you click one of these buttons a second
time, the errors active canceled or the page cannot be
displayed appear.
Conditions Occurs after installing and as long as no changes are performed. Occurs when managing ACS only on the local machine by using Internet Explorer 6.0.
Workaround Restart ACS.
|
CSCea91690
|
Event Viewer errors on startup and shutdown in .NET
|
Symptom On Windows .NET Server 2003 or Windows 2003
Enterprise Edition shutdown and startup, you may see errors
that falsely indicate that an ACS service have failed. At startup,
you may see a dialog box that indicates that a service, such as
CSLog, encountered a problem and will close. The same error
logged to Event Viewer, as in:
Reporting queued error: faulting application
CSLog.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.
In Windows Server 2003, the Service Manager queries the ACS services status during startup and shutdown; but ACS services might not have started yet or might have stopped already. Even though this is normal behavior for ACS services, Windows perceives error and logs it to the Event Viewer.
On startup, the user sees all errors from the Event Viewer, which is why, when users logs into Windows right after startup, they see errors from the previous login session.
This behavior is observed on Windows Server 2003 only.
Workaround Verify that ACS services are running by using the Control Panel.
|
CSCsf13603
|
Cisco PEAP authentication against the RSA server with NEW PIN Mode fails.
|
Symptom When you work with the RSA as the external
database, and try to change the personal identification number
(PIN) mode from the RSA Server, it forces the supplicant to add
a new PIN. However, when the Supplicant adds a new PIN,
ACS does not receive it and consequently the authentication
fails.
|
CSCsg37711
|
CSAuth terminated: EAPFAST (all inner) Authentication and Posture
|
Symptom The same IP address and user are processed
simultaneously on 2 separate sessions.
|
CSCsg12943
|
CSAuth faulting application crashes and the network-access devices (NADs), show RADIUS_DEAD and is unable to authenticate any more ports.
|
Symptom During stress testing, CSAuth crashes, and the
network-access devices (NADs), also known as AAA clients,
shows RADIUS_DEAD and is unable to authenticate any more
ports.
Conditions This is caused by clientless stress.
Workaround None.
|
CSCsg44214
|
ACS is not sending external Posture Validation Servers (PVSs) to the Username server, causing no posture return.
|
The OfficeScan policy server requires a local account authentication before allowing access to PostureRequest.dll. The ACS server times out.
Workaround None.
|
CSCsg40727
|
RDBMS fails account action 220 250 with synchronization partners.
|
Symptom Network device groups (NDGs) are not getting added
to synchronization partners, but an additional (duplicated)
entry is getting added to primary. The AAA-Client cannot be
deleted.
Workaround Prevent the attempt to synchronize remote targets for specific device-type actions.
|
CSCsg56677
|
Reauthentication fails for an EAP-FAST user after you upgrade with User Principal Name (UPN) or Windows Security Account Manager (SAM) formats.
|
Symptom When you attempt to upgrade ACS 4.0 to build
4.0.1.49 or to ACS 4.1, re-authentication fails with the error
message:
Access denied:fast-reconnect was successful
but user was not found in cache.
Workaround There are two cases to review:
Case 1: Customers using Manual Protected Access Credentials (PAC) provisioning.
In this case you reprovision PACs with correct usernames (usernames containing domains).
Case 2: Customers using Automatic PAC provisioning.
In this case you set the values for the EAP-FAST settings on the EAP-FAST Configuration page:
Active master key TTL = 1 hours
Retired master key TTL = 2 hours
Tunnel PAC TTL = 30 minutes
Authorization PAC TTL = 10 minutes
Note that the Active master and Retired master key times to live (TTLs) are changed to force invalidation of PACs issued by ACS 4.0 (4.0.1.27, 4.0.1.42/43/44).
Tunnel PAC and Authorization PAC TTLs are changed due to limitation that their values must be less than Active master and Retired master key TTLs.
Note When the customers environment contains several ACS servers, this change must be applied on ALL ACS servers configured as an EAP-FAST master server. This change should be replicated to corresponding slave ACS Servers. This change will lead to reprovisioning of ALL PACs.
You can change the EAP-FAST settings back a day after these change are applied and replicated to all ACS servers in the customer's environment. The default values are:
Active master key TTL = 1 months
Retired master key TTL = 3 months
Authorization PAC TTL = 1 hours
|
CSCsg74699
|
When you upgrade the AAA Client and Server configuration might be dropped due to DNS failure.
|
Symptom ACS allows customers to enter AAA client or server
using the host name. ACS stores the host name and resolves the
IP address at startup.
Conditions During an upgrade, if the DNS resolution of a hostname fails, that host configuration data is ignored and, following the upgrade the AAA client and server configuration, is missing for the host names that failed the DNS test.
Workaround None.
|
CSCsg19044
|
ACS syslog and ODBC configuration is missing in the listing for Trend, McAfee, and Qualys.
|
Symptom When you select System Configuration > Logging,
configuration information is missing (failed attempts or passed
attempts) for syslog and ODBC. The attributes for Trend,
Qualys, and McAfee are not listed in either column; but are
listed under the CSV configuration.
Workaround None.
|
CSCsg16875
|
ACS sends an internal error when CSA is disabled and enabled.
|
Symptom ACS 4.1 sends an internal error in the failed
authorization logs when the CSA security level is changed from
Medium to Off and then back to Medium.
Conditions This defect occurred in an environment with CTA 2.1.18.0, the CTA 802.1x Wired Client, CSA 5.0.0.181, and ACS 4.1.
Workaround Restart the ACS CSAuth service manually or wait for ACS to do it automatically.
|
CSCsb93223
|
An internal posture validation policy is created even though a template profile cannot be configured.
|
Symptom An internal posture validation policy is created by
using the NAC 802.1x template.
Conditions All conditions. Occurs any time when using the NAC 802.1x template and you cannot create a profile (for example, Global Authentication Setup is not configured properly).
Workaround None.
|
CSCsg24439
|
Required credentials are inconsistent for logging and behavior internally and externally.
|
Symptom Credentials for Cisco:Host and Cisco:PA that are not
selected as required credentials are still requested from CTA
and are still evaluated.
Conditions All conditions.
Workaround None.
|
CSCsg39294
|
On the internal Posture Validation page, the policy details should be left-justified.
|
Symptom The policy details column of the internal posture
validation setup is centered so that you have to scroll over to see
the column headings and action buttons. This text should be
justified left to make it easier to view.
Workaround Left-justify the text.
|
CSCsf28775
|
Expired accounts are incorrectly reported.
|
Symptom After upgrading ACS from 3.3.3 to 4.0, accounts
which have expired due to their user expiry configuration are
not reported in the Disabled Accounts report.
Conditions This problem has been observed on ACS 4.0 after an upgrade from 3.3.3. Upgrades from other versions might be affected as well.
Workaround None.
|
CSCsf25057
|
ACS support for TACACS+ single-connection.
|
Symptom ACS does not support the TACACS+ single-connect
flag.
Conditions ACS support for TACACS+ single-connection was intentionally removed to work with IOS, which does not correctly support the feature.
Workaround None.
|
CSCsg24408
|
ACS syslog facility needs to be configurable for localX, not fixed AUTH.
|
Symptom To determine which logging facility was being used
you need to trace the traffic coming from ACS that was
destined for the syslog server on port 514.
Workaround Set up syslog to accept AUTH and not a localX facility. For example, auth.debug.
|
CSCsf16737
|
CSAuth, CSAdmin, CSRadius, CSTacacs are not started up after reboot.
|
Symptom After a system reboot, the following Services are not
started up when Windows service, Windows Firewall/Internet
Connection Sharing (ICS) is started:
•CSAuth
•CSRadius
•CSTacacs
•CSAdmin
Workaround Disable Windows Service Windows Firewall/Internet Connection Sharing (ICS). To do so, Start > Run. Enter services.msc and press OK. In the Services dialog box, scroll to Windows Service Windows Firewall/Internet Connection Sharing (ICS). Right click, and select Properties. In the Startup type: box change Automatic to Disabled.
Note You can also manually start each service.
|
Resolved Caveats in ACS for Windows and the Solution Engine 4.1
Table 3 contains the resolved caveats for the ACS 4.1 release. Check the Bug Navigator on Cisco.com for any resolved bugs that might not appear here.
Table 3 Resolved Caveats in ACS Windows and the Solution Engine 4.1
Bug ID
|
Summary
|
Explanation
|
CSCsc43287
|
Replication: Administration Control > Access Policy. Port allocation not replicated.
|
The port allocation settings now enable replication. For detailed information see the User Guide for Cisco Secure ACS 4.1.
|
CSCsc41129
|
CSAuth experiences exceptions during EAP-TLS stress versus LDAP external database with a secure sockets layer (SSL) connections.
|
CSAuth no longer experiences exceptions or failures after stress testing EAP-TLS authentications with an LDAP external database and LDAP connections over SSL connections.
|
CSCsc39979
|
Update to NAP delete the external user in Logged All Users report.
|
External users related to the NAP are no longer deleted from the Logged All Users report.
|
CSCef85314
|
Group DACL is downloaded if user's content NAF is not suitable.
|
The ACL and NAF features works as desired as documented in the User Guide for Cisco Secure ACS 4.1.
|
CSCsc06942
|
Script interface fails the 1,000 bytes limit at the Layer 2 level.
|
This issue is relevant only for non fragmented messages in tunneled protocols (Microsoft PEAP, Cisco PEAP, and EAP-FAST). Unfragmented tunneled EAP messages should not exceed the total length of 1,002 bytes.
|
CSCsc00788
|
Password change is not supported in Generic Token Card (GTC) against a Windows database.
|
Password change is supported in EAP-GTC against a Windows database. You must perform the following steps to enable the password:
6. Mark the password in Windows as must change password at the next logon.
7. Run EAP-FAST with GTC as the inner method and ensure that the changed password works.
|
CSCsb25151
|
When a AAA client has multiple IP addresses, NAF for downloadable ACLs fail.
|
NAF for downloadable ACLs no longer fails for AAA clients.
|
CSCsa79327
|
Authentications fail for users whose passwords contain the Euro (symbol).
|
Authentication no longer fails for users that use the Euro (symbol) in their password.
|
CSCeh24979
|
Users fail to authenticate when upgrading and attempting to access an obsolete (no longer used) database.
|
Users now authenticate, when upgrading and attempting to access an obsolete database.
|
CSCeh10491
|
Authentication errors on timeout waiting for local logging.
|
Authentication errors due to timeout no longer occurs.
|
CSCeb78551
|
When handling an LEAP RADIUS proxy between a front-end ACS server and a back-end ACS server, problems arise if the configuration is not correct.
|
You must incorporate the required configuration settings to successfully use this feature.
For detailed information, see the User Guide for Cisco Secure ACS 4.1:
http://www.cisco.com/en/US/products/
sw/secursw/ps2086/products_user_guide_list.html
|
CSCsc69976
|
Local logging file size and days do not appear after change in GUI.
|
Local logging file size and days appear after a change in the GUI.
|
CSCsc27168
|
User authentication succeeds even though a database is not selected.
|
Before deleting the external database configuration, ensure that it is not used in any NAP.
|
CSCsb72286
|
ACS RADIUS proxy uses RADIUS 1645, not current 1812.
|
ACS is now able to work with different ports. ACS can now use its proxy capability for other AAA servers.
|
CSCeh37907
|
Duplicate IP addresses are assigned due to reordered Accounting Stop packets.
|
Duplicate IP addresses are no longer assigned.
|
CSCsc41673
|
CSAuth fails after importing an Airespace NAS.
|
This problem has been fixed in the most recent version of ACS.
|
CSCeh35121
|
Local logging stopped working after ODBC logging removed.
|
Local logging is successful after ODBC logging is removed.
|
CSCsc95237
|
ACS Services do not start after upgrading from 3.x to 4.1.1
|
A trailing space was found in the IP address for a particular network device. This caused the database conversion process to fail, which prevented ACS services from starting after the upgrade. Use the registry editor to remove the trailing space and ACS services will start after the upgrade.
|
CSCsc72958
|
ACS documentation does not indicate that IP NAR requires attribute 31.
|
The User Guide for Cisco Secure ACS 4.1 has been updated with the correct information:
http://www.cisco.com/en/US/products/
sw/secursw/ps2086/products_user_guide_list.html.
|
CSCsf11031
|
Upgrading to ACS 4.1 from a patched ACS will not implement the Critical Logger.
|
You do not need the patch. The critical logging function is introduced in ACS 4.1. When you upgrade from ACS 4.0 to 4.1, the patch is canceled and the critical logger is enabled.
|
CSCeh54670
|
EAP-TLS Strip Domain Name check box has been removed in the 4.1 GUI.
This feature controlled whether ACS removes the domain name from a username that is derived from the Subject Alternative Name (SAN) field in an end-user certificate.
|
The Windows EAP Setting, EAP-TLS Strip Domain Name check box, has been removed from the version 4.1 GUI. In version, 4.1 the Active Directory (AD) search functionality enables you to authenticate a username.
|
CSCsc77190
|
The <no access> group does not prevent EAP-TLS user from accessing the network.
|
This problem has been fixed in the most recent version of ACS.
|
CSCsg02005
|
CSMon utilizes 100% of the CPU while trying to communicate with the SMTP Server.
|
This problem has been fixed in the most recent version of ACS.
|
CSCsb38899
|
Upgrade to 5.1(0.7) resets all tuned signatures to default settings.
|
This problem has been fixed in the most recent version of ACS.
|
CSCsc27158
|
A memory leak occurred during stress tests of PAP authentications with LDAP server (OpenLDAP) and legacy SSL enabled (cert7.db). For example, memory usage reached 100MB after ~1.5 million authentications.
|
This problem has been fixed in the most recent version of ACS.
|
CSCsc06942
|
Script interface fails the 1K limit at the Layer 2 level.
|
Workaround This problem has been fixed in the most recent version of ACS.
|
Known Caveats with ACS Solution Engine 4.1
Table 4 contains the known caveats for ACS Solution Engine 4.1
Table 4 Known Caveats in ACS SE 4.1
Bug ID
|
Summary
|
Explanation
|
CSCse01363
|
The appliance configuration page is not replicated when the system is migrated from the ACS SE 1112 device to the ACS SE 1113 device.
|
Symptom Under certain conditions, the appliance
configuration is not replicated when the system is
migrated from the ACS SE 1112 to the ACS SE 1113.
Conditions This occurs when a user:
1. On the Master ACS (Quanta 4.0.1.42), accesses the Appliance Configuration page from System Configuration.
2. Enables NTP Synchronization and adds an IP address to the NTP Server.
3. Enables the Cisco Security Agent.
4. Ensures that the SNMP Agent is enabled and changes the SNMP default Community and port, and then adds SNMP Agent Contact and Location.
5. Checks Accept SNMP packets from selected hosts and adds a host address.
6. Submits changes.
7. The ACS SE 1112 is replicated to the ACS SE 1113.
|
CSCse04125
|
SNMP ports on the ACS SE 1113 can be assigned incorrect values.
|
Symptom No error message will appear if, on the ACS
SE 1113, you:
•Delete the default SNMP port value.
•Add characters instead of numbers to the SNMP port value.
•Add an SNMP port that the device is already using.
Symptom On the ACS SE 1113, deleting the default
SNMP port value, adding characters instead of numbers
to the SNMP port value, adding a port number greater
than 65536, or adding an SNMP port that the device
already uses can be performed without the appearance
of any error message. In the previous release (ACS
3.3.3), the error message The port number is in
use or invalid appears.
Workaround Enter a correct SNMP port number that the device is not already using.
|
CSCse08310
|
System performance is degraded when no dynamic users exist.
|
Symptom If the ACS internal database is empty
(contains no users) and the system is configured to use
Remote Agent for AD authentication, it takes a long
time for the system to stabilize. This system instability
is more prevalent when more complicated
authentication protocols are used, for example,
MS-PEAP, EAP-TLS, or PAP.
|
CSCsd98589
|
When the Network Interface Card (NIC) is disconnected, authentication cannot be performed.
|
Symptom Authentication fails if the NIC is disconnected
from a previously configured and functioning
appliance, the system is rebooted and restarted, and the
NIC is reconnected.
Error messages similar to the following appear:
04/17/2006 22:01:52 Unknown NAS .. .10.56.60.115
quanta-new-5 .. No .. .. (Unknown)
Workaround Restart CSAuth. Then choose System Configuration > Service Control and click the Restart button to restart CSLog, RADIUS, and TACACS+.
|
CSCsd94022
|
Setting the system clock forward disrupts a scheduled backup process.
|
Symptom If the system clock is set forward, for
example, from 16:00 to 16:58, and a scheduled backup
is configured to run during a later time period, for
example, from 17:00 to 18:00, the scheduled backup
might take a long time to complete or might not occur.
This condition can occur when the system time is
changed because of the switch to Daylight Savings
Time.
|
CSCsd92719
|
The NTP configuration is not restored after a system backup.
|
Symptom When the ACS SE 1113 appliance is backed
up, the NTP configuration is not retained.
|
CSCsd91218
|
Under certain conditions, when IP filtering is set during initial configuration, the specified IP filtering does not work.
|
Symptom If, during an initial configuration, IP filtering
is set and the specified IP addresses are incorrect or are
used by another ACS SE 1113 device, and the ACS SE
1113 is rebooted, the specified devices do not work;
even if they are set manually by using the set ip
command.
|
CSCsd88833
|
Manual setup of IP configuration on the ACS SE 1113 appears to fail.
|
Symptom On a newly installed ACS SE 1113 device, if
you manually configure the IP configuration by using
the set ip command, the output from the command does
not show the specified configuration. However, entering
a show ip command displays the correct configuration.
For example, if a valid IP address is entered by using the
set ip command, a message similar to the following
appears:
Use Static IP Address [Yes]:
IP Address [0.0.0.0]: 10.56.60.114
However, entering a show ip command displays the correct IP address.
|
CSCsd20149
|
After initial configuration from the Recovery CD, there is no GUI access.
|
Symptom This problem occurs on ACS SE 1111 (HP),
when performing a full upgrade, including the appliance
base image. After installing from the ACS SE 1111 (HP)
Recovery CD, and initial configuration ends, you
cannot access the web interface.
When you log in to CLI, the appliance status indicates that pfipmon not running.
Conditions On ACS SE 1111 (HP), after installing from the Recovery CD, when performing a full upgrade, including the appliance base image.
Note If you are not upgrading the appliance base image, you do not need to install from the Recovery CD.
Workaround Use the CLI command, reboot, to restart the appliance.
|
CSCsc63854
|
ODBC Mapping exists after restoring image created on software.
|
Symptom After restoring the appliance image from the
software version of ACS 4.0.1, the ODBC configuration
still remains in Unknown User Policy and in
NAP/Authentication.
Workaround: None.
|
CSCsc52381
|
ACS SE console access might not work if NTP synchronization is enabled.
|
Symptom The login prompt might not appear on the CLI
console after rebooting through the CLI or through the
GUI; even if NTP synchronization is enabled and the
NTP server address is set correctly.
Workaround: Disable NTP synchronization.
|
CSCsc03778
|
ACS SE replicated changes under Administration Control not enforced unless the user reboots.
|
Symptom If you make a change in the Access Policy
under Administration Control and then replicate the
change to another appliance, the changes are not
enforced on the receiving appliance.
Workaround: On the receiving (secondary) appliance:
•Click Submit on the Access Policy page.
•Reboot the secondary appliance.
|
CSCsb27597
|
Limitation on the custom attributes (of 31,000 as CSAdmin indicates).
|
Symptom In the T+ Settings per User Group
Configuration page, which is accessed from the
Interface Configuration page, if you add the 1201st
entry in the custom attribute field, the browser crashes.
The custom attribute field is currently limited to 31KB (approximately 1,200 attributes).
Workaround: None.
|
CSCsb19051
|
TCP checksum error from Cisco Secure ACS Solution Engine 1111.
|
Symptom A Cisco Secure Access Control Server
Solution Engine (ACS SE) 1111
(CSACSE-1111-UP-K9) might generate transient TCP
Checksum errors, which might cause error logging on
other devices in the network. In particular, Cisco
switches would generate the following error message:
%IP-3-TCP_BADCKSUM:TCP bad checksum.
The cause of the error is the NIC Software Driver. Not every packet being transmitted will be affected. Given that TCP will retransmit any unacknowledged packet, the system will recover. Excessive logging of the error message within the network might occur. The problem only affects TCP packets; therefore, TACACS+ might be affected, while RADIUS will not.
This problem might also occur on an ACS SE 1112 (Quanta).
Workaround: A temporary workaround is to reload the server; but, because the problem is transient, it will likely return within days or weeks.
A patch is available from TAC, which will help to reduce the amount of errors; however, since this is a network-configuration problem, it cannot resolve the problem completely. Contact your TAC representative for the appropriate TCP_checksum patch for your platform.
|
CSCeh04327
|
SNMP get and get-next requests for host.hrSystemNumUsers return error.
|
Symptom SNMP get and get-next requests for
host.hrSystemNumUsers return Generic error.
Workaround: None.
|
CSCee89510
|
Dates are logged in local time instead of GMT.
|
Symptom NAC attributes that are in date format are in
GMT time zone. When ACS logs these attributes, it
converts them to ACS local time zone of the server.
Workaround: Configure ACS to use the GMT time zone.
|
CSCsc90467
|
After Install from Recovery CD, no CLI access.
|
Symptom This problem occurs on ACS SE 1111 (HP),
when performing a full upgrade, including appliance
base image. When installing from the ACS SE 1111
(HP) Recovery CD, after installation ends, the ACS SE
reboots, performs some configurations, and reboots
again. The configurations that occur after the first
reboot take a significant amount of time, during which
no feedback appears onscreen, which is normal system
behavior. After this time, the CLI Initial Configuration
screen should appear, but does not.
Conditions On ACS SE 1111 (HP), when installing from the Recovery CD, when performing a full upgrade, including the appliance base image.
Note If you are not upgrading the appliance base image, you do not need to install from the Recovery CD.
Workaround Switch off the appliance, and switch it on again.
|
CSCsd93779
|
When backup is set to run after a specified period, the backup does not run.
|
Symptom When a database is loaded from the SE 1111
release and system backup is configure to run after a
specified period, for example, every 15 minutes, the
backup process does not run.
Workaround None.
|
Resolved Caveats in the ACS Solution Engine 4.1
Table 5 contains the resolved caveats for ACS Solution Engine 4.1. Check the Bug Navigator on Cisco.com for any resolved bugs that might not appear here.
Table 5 Resolved Caveats in ACS Solution Engine 4.1
Bug ID
|
Summary
|
Explanation
|
CSCse05463
|
The online documentation for the ACS SE 1113 states that the description field for a downloadable IP ACL can contain up to 30,000 characters.
|
The online documentation states that the description field for a downloadable IP ACL can only contain 1,006 characters.
|
CSCse05420
|
Adding an illegal backslash (\) to the downloadable Access Control List (DACL) causes an Error on page message to appear.
|
The online documentation states that the downloadable IP ACL name cannot contain a backslash (\); however, the system allows you to enter a backlash (\) in the DACL name. No specific error message appears; however, an Error on page message appears at the lower-left corner of the web page. This condition also occurs in the ACS for Windows 4.0 (4.0.1.27) release.
|
CSCsd93818
|
When the ACS SE 1113 appliance is restarted, the CSAdmin service does not restart.
|
The CSAdmin service restarts when the ACS SE 1113 appliance is restarted.
|
CSCsd92659
|
The description of the Shutdown button in the short help for the Solution Engine is incorrect.
|
The description of the Shutdown button in the short help has been corrected and updated for version 4.1.
The following message appears in the Short help:
To shut down the ACS Solution Engine, click Shutdown. After you click Shutdown, the following message appears: It is now safe to turn off the computer. Turn the machine's power switch off.
|
CSCeh17104
|
ACS Appliance: Certain hostname or administrator names cause losing access.
|
ACS does not allow you to use the same name for hostname and administrator name.
|
CSCsb83399
|
ACS SE should save the FTP settings during software upgrade.
|
ACS SE saves the FTP settings during a software upgrade.
|
CSCsc80481
|
Proxy distribution table prevents SNMP from working.
|
This problem has been fixed in the most recent version of ACS.
|
ACS for Windows 4.1
The following sections contain information specific to ACS for Windows 4.1.
System Requirements
System requirements are documented in the Installation Guide for Cisco Secure ACS 4.1 Windows. The following updates have been made to the ACS system requirements. ACS 4.1 supports:
•Pentium dual-core processors. This support is with Intel but not Advanced Micro Devices (AMD).
•VMware. ACS 4.1 was tested on the following VMWare platform:
–VMWare ESX server 3.0.0
–Processor—AMD Opteron Dual core
–# of Virtual machines—4
–Guest operating system—Windows 2003 Standard Edition
–RAM for each guest operation system—3 GB
Note The Microsoft JVM is no longer supported. ACS 4.1 supports the Sun Java Run-time Environment (JRE) 1.4.2_04. This is an ACS for Windows web client requirement.
Note ACS is supported on Windows Server 2003 R2.
Software Compatibility
See the Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Release 4.1 on Cisco.com.
Note The SafeWord Premier Access token servers version 3.1 and 3.2 are supported and have been tested. For additional information see the Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Release 4.1 on Cisco.com.
Upgrading to a New Software Release
For detailed instructions see Installation Guide for Cisco Secure ACS 4.1 Windows on Cisco.com. For upgrade paths, see Upgrade Paths.
Installation Notes
The following installation notes are important:
•ACS will not install properly if a Sybase server is installed on the same machine.
•Remote installations performed by using Windows Terminal Services have not been tested and are not supported. We recommend that you disable Terminal Services while performing any installation or upgrade. Virtual Network Computing (VNC) has been tested successfully.
•Tested Windows Security Patches for ACS Remote Agent and ACS for Windows.
See the Installation Guide for Cisco Secure ACS 4.1 Windows for installation, upgrade, and uninstall instructions, as well as post-installation tasks. For post-installation tasks, see Post-Upgrade Configuration.
Upgrade Paths
This section describes the following ACS 4.1 upgrade and migration topics:
•Supported Upgrades for ACS for Windows
•Supported Migration Path for ACS for Windows
•Unsupported Migration Path to ACS 4.1
Supported Upgrades for ACS for Windows
We tested upgrades to ACS for Windows Server 4.1 from releases 4.0.1, 3.3.4 and 3.3.3 directly, 3.3.2**, 3.3.1**, 3.2.3**, 3.2.2*, 3.2.1*, 3.1.2*, and 3.0.4*.
* You should first upgrade to Cisco Secure ACS for Windows Server, release 3.3.3 or 3.3.4.
** You should first upgrade to Cisco Secure ACS for Windows Server, release 3.3.3, 3.3.4, or 4.0.1.
After you upgrade to ACS release 3.3.3, 3.3.4, or 4.0.1, you can then upgrade to release 4.1.
Note If you are upgrading to ACS 3.3.3 and do not have access to that software, review the README text for details on the upgrade procedure.
Supported Migration Path for ACS for Windows
ACS has tested and supports the migration path from:
•ACS 3.2.3 to ACS 3.3.3 to ACS 4.1.
•ACS 3.3.3 to ACS 4.1.
Note ACS has also tested and supports the migration path from ACS 3.3.3 to ACS 4.0 to ACS 4.1.
Unsupported Migration Path to ACS 4.1
ACS does not support migration paths prior to ACS 3.2.3 This includes versions:
•ACS 3.2.1
•ACS 3.2.2
Note ACS does not support direct migration paths from ACS 3.3.1 and 3.3.2
Post-Upgrade Configuration
The following section contains information about post-upgrade configuration:
•After upgrading to ACS 4.1, you might need to perform additional configuration steps to successfully use ACS and Network Access Profiles (NAP). If you used NAC in ACS 3.3, ACS will not operate in an identical manner in ACS 4.1. For example, you must create a new set of authorization rules for Network Access Profiles that are created during the upgrade process.
•If you used ACS 3.x ODBC logging and upgraded to ACS 4.1, preserving your data, you must update the ODBC tables so that the SQL tables continue to work.
For details on how to complete post-installation tasks, see the Installation Guide for Cisco Secure ACS 4.1 Windows.
Upgrading From Version 3.3
When you upgrade from ACS 3.3 to ACS 4.1:
1. Local and external posture policies are automatically transformed.
2. A single Network Access Profile, (configured for NAC only) is created as a process of the upgrade.
3. Each instance of the selected ACS 4.0 Network Posture Validation Database will automatically be transformed into a posture validation rule. All the rules will be associated with the NAP that was created (in step 2). All PA message and URL redirects are mapped correspondingly.
4. A RADIUS Authorization Component will be created for each mapped group. ACS populates the RAC with all attributes that were configured in the user or group setup menus, except for the posture-token Cisco-av-pair. Since ACS dynamically generates the posture-token Cisco-av-pair attribute at runtime, manual configuration is unnecessary.
5. If you manually added posture validation attributes in ACS 4.0, they are added to the ACS version 4.1 posture dictionary during the upgrade.
Limitations and Restrictions
The following limitations and restrictions apply to ACS 4.1.
•User/Machine Out-of-Band PAC Provisioning for EAP-FAST version 1a has not been tested. The Out-of-band provisioning feature was not tested since the MDC (Meetinghouse) supplicant does not support it. (CSCsb46242)
•The TACACs+ and LEAP protocols for Network Access Profiles are not supported in ACS version 4.1.
•Network device limitation supports up to 35,000 devices.
•CSAuth experiences exceptions or failures in two cases:
–After stress testing EAP-TLS authentications.
–When one of external databases is a Generic LDAP using the legacy (cert7.db) secure socket layer (SSL) connection mode.
This problem does not occur if you use the new SSL option (Trusted Root CA), instead of the legacy option (cert7.db) on the Generic LDAP Configuration Options page in ACS. We strongly recommend that you do not use the legacy option; use only the new SSL option.
Interoperability Testing
ACS has not been tested for interoperability with other Cisco software. Other than for the software and operating system versions listed in this document, Cisco performed no interoperability testing. Using untested software with ACS may cause problems. For the best performance of ACS, Cisco recommends that you use the versions of software and operating systems in the Supported and Interoperable Devices and Software Tables for Cisco Secure ACS for Windows on Cisco.com.
ACS Solution Engine 4.1
The following sections contain information specific to the ACS Solution Engine 4.1
New and Changed Information for the ACS Solution Engine 4.1
This section contains:
•New Hotfixes in ACS SE 4.1
•ACS Remote Agent for Windows
•Installation Notes for the Solution Engine 4.1
New Hotfixes in ACS SE 4.1
The ACS SE base image contains the following Microsoft hotfixes:
•KB822831—BUG: Driver installation program does not install device drivers.
•KB823980—MS03-026: Buffer Overrun in RPC May Allow Code Execution.
•KB824105—MS03-034: Flaw in NetBIOS could lead to information disclosure.
•KB824146—MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs.
•KB828028—MS04-007: An ASN.1 vulnerability could allow code execution.
•KB828741—MS04-012: Cumulative Update for Microsoft RPC/DCOM.
•KB835732—MS04-011: Security Update for Microsoft Windows.
•KB893066—MS05-019: Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service.
For more information about these hotfixes, see the Microsoft website.
ACS Remote Agent for Windows
Japanese Windows 2000 and Japanese Windows 2003 are supported on ACS Remote Agent for Windows.
Installation Notes for the Solution Engine 4.1
This section provides information about installing and upgrading ACS SE and ACS Remote Agents:
•Installing from ACS SE 1111 (HP) Recovery CD
•Software Compatibility
•Supported Upgrades for ACS SE
•Supported Migrations for ACS SE
•Tested Windows Security Patches for ACS Remote Agent and ACS for Windows
Note You should only view ACS SE through a console by using a serial port. We do not recommend using a monitor via VGA port. If you use a monitor via VGA port, you will see Windows error messages when starting ACS SE. You can ignore these messages; rebooting is unnecessary.
Installing from ACS SE 1111 (HP) Recovery CD
When installing from the Recovery CD for ACS SE 1111 (HP), after installation ends,:
•The ACS SE reboots, performs some configurations, and reboots again. The configurations that occur after the first reboot take a significant amount of time, during which no feedback appears, which is normal system behavior. If, after about an hour, the CLI Initial Configuration screen does not appear, switch off the appliance, and switch it on again. Refer to CSCsc90467.
•If you cannot access the web interface, use the CLI command, reboot, to restart the appliance. Refer to CSCsd20149.
Note The two previous problems occur only on ACS SE 1111 (HP), after installing from the Recovery CD, when performing a full upgrade, including the appliance base image. If you are not upgrading the appliance base image, you do not need to install from the Recovery CD.
Software Compatibility
See the Supported and Interoperable Devices and Software Tables for Cisco Secure ACS 4.1 on Cisco.com.
Supported Upgrades for ACS SE
We tested upgrades for the ACS Solution Engine from releases 3.3.3 to release 4.0.1, and 4.1 and from release 3.3.4 to release 4.1. To upgrade the Solution Engine from an earlier release (3.2.1, 3.2.2, 3.2.3, 3.3.1, and 3.3.2), you must first upgrade to either release 3.3.3 and then upgrade to release 4.0.1 or 4.1 or upgrade to release 3.3.4 and then upgrade to release 4.1. For more information, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine.
Supported Migrations for ACS SE
We support direct migration from ACS for Windows releases 3.3.3, 3.3.4 and 4.0.1 to release 4.1 of the ACS Solution Engine. To migrate from an earlier release of ACS for Windows (3.3.2, 3.3.1, 3.2.3, 3.2.2, 3.2.1, 3.1.2, and 3.0.4), you must either first upgrade to release 3.3.3, and then upgrade to release 4.0.1 or 4.1, or first upgrade to release 3.3.4 and then upgrade to release 4.1. For more information, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine.
Solaris Support for the Remote Agent
The Cisco Secure ACS Remote Agent for Solaris runs on Solaris 2.8.
Note The Solaris Remote Agent requires the libstdc++.so library (C++ runtime). Without this library, the Remote Agent is not operational. The default path is set in the environment variable LD_LIBRARY_PATH and the directory /router/lib.
Post-Upgrade Configuration
After upgrading to ACS 4.1, you might need to perform additional configuration steps to successfully use ACS and Network Access Profiles (NAP). If you used NAC in ACS 3.3, ACS will not operate in an identical manner in ACS 4.0. For example, you must create a new set of authorization rules for Network Access Profiles that are created during the upgrade process.
Tested Windows Security Patches for ACS Remote Agent and ACS for Windows
Cisco Systems officially supports and encourages the installation of all Microsoft security patches for Windows 2000 Server and Windows Server 2003 as used for ACS Remote Agent for Windows and ACS for Windows
Cisco experience has shown that these patches do not cause any problems with the operation of ACS Remote Agent for Windows and ACS for Windows. If the installation of one of these security patches does cause a problem with ACS, contact Cisco TAC and Cisco will resolve the problem as quickly as possible.
We tested the ACS Remote Agent for Windows and ACS for Windows with the Windows Server 2003 patches documented in the following Microsoft Knowledge Base Articles:
•819696
•823182
•823559
•824105
•824141
•824146
•825119
•828028
•828035
•828741
•832894
•835732
•837001
•837009
•839643
•840374
We tested ACS with the Windows 2000 Server patches documented in the following Microsoft Knowledge Base Articles:
•329115
•823182
•823559
•823980
•824105
•824141
•824146
•825119
•826232
•828035
•828741
•828749
•835732
•837001
•839643
Documentation Updates
This section provides documentation updates.
Changes
Regulatory Compliance and Safety Information
In the printed and online version of the Regulatory Compliance and Safety Information for Cisco Secure ACS Solution Engine 4.1, Statement 191—VCCI Class A Warning for Japan has been updated.
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. This section explains the product documentation resources that Cisco offers.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/techsupport
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Product Documentation DVD
The Product Documentation DVD is created monthly and is released in the middle of the month. DVDs are available singly or by subscription. Registered Cisco.com users can order a Product Documentation DVD (product number DOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco Marketplace at the Product Documentation Store at this URL:
http://www.cisco.com/go/marketplace/docstore
Ordering Documentation
You must be a registered Cisco.com user to access Cisco Marketplace. Registered users may order Cisco documentation at the Product Documentation Store at this URL:
http://www.cisco.com/go/marketplace/docstore
If you do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Documentation Feedback
You can provide feedback about Cisco technical documentation on the Cisco Technical Support & Documentation site area by entering your comments in the feedback form available in every online document.
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you will find information about how to do the following:
•Report security vulnerabilities in Cisco products
•Obtain assistance with security incidents that involve Cisco products
•Register to receive security information from Cisco
A current list of security advisories, security notices, and security responses for Cisco products is available at this URL:
http://www.cisco.com/go/psirt
To see security advisories, security notices, and security responses as they are updated in real time, you can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you have identified a vulnerability in a Cisco product, contact PSIRT:
•For emergencies only — security-alert@cisco.com
An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.
•For nonemergencies — psirt@cisco.com
In an emergency, you can also reach PSIRT by telephone:
•1 877 228-7302
•1 408 525-6532
Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x.
Never use a revoked encryption key or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
The link on this page has the current PGP key ID in use.
If you do not have or use PGP, contact PSIRT to find other means of encrypting the data before sending any sensitive material.
Product Alerts and Field Notices
Modifications to or updates about Cisco products are announced in Cisco Product Alerts and Cisco Field Notices. You can receive Cisco Product Alerts and Cisco Field Notices by using the Product Alert Tool on Cisco.com. This tool enables you to create a profile and choose those products for which you want to receive information.
To access the Product Alert Tool, you must be a registered Cisco.com user. (To register as a Cisco.com user, go to this URL: http://tools.cisco.com/RPF/register/register.do) Registered users can access the tool at this URL: https://www.cisco.com/web/siteassets/account/index.html
Obtaining Technical Assistance
Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.
Cisco Technical Support & Documentation Website
The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note Use the Cisco Product Identification Tool to locate your product serial number before submitting a request for service online or by phone. You can access this tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link, clicking the All Tools (A-Z) tab, and then choosing Cisco Product Identification Tool from the alphabetical list. This tool offers three search options: by product ID or model name; by tree view; or, for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.
Tip Displaying and Searching on Cisco.com
If you suspect that the browser is not refreshing a web page, force the browser to update the web page by holding down the Ctrl key while pressing F5.
To find technical information, narrow your search to look in technical documentation, not the entire Cisco.com website. On the Cisco.com home page, click the Advanced Search link under the Search box and then click the Technical Support & Documentation.radio button.
To provide feedback about the Cisco.com website or a particular technical document, click Contacts & Feedback at the top of any Cisco.com web page.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411
Australia: 1 800 805 227
EMEA: +32 2 704 55 55
USA: 1 800 553 2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—An existing network is "down" or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operations are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of the network is impaired while most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
•The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco channel product offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL:
http://www.cisco.com/go/guide
•Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
•Cisco Press publishes a wide range of general networking, training, and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:
http://www.ciscopress.com
•Packet magazine is the magazine for Cisco networking professionals. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can subscribe to Packet magazine at this URL:
http://www.cisco.com/packet
•Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
•Networking products offered by Cisco Systems, as well as customer support services, can be obtained at this URL:
http://www.cisco.com/en/US/products/index.html
•Networking Professionals Connection is an interactive website where networking professionals share questions, suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this URL:
http://www.cisco.com/discuss/networking
Feedback
