[an error occurred while processing this directive]

Cisco Secure Access Control Server for Windows

Release Notes for CiscoSecure ACS 2.4(1) for Windows NT Server


Table of Contents

Release Notes for
CiscoSecure ACS 2.4(1) for Windows NT Server

Release Notes for
CiscoSecure ACS 2.4(1) for Windows NT Server

September 20, 1999

These release notes contain important information regarding CiscoSecure ACS 2.4 for Windows NT Server (CiscoSecure ACS). For complete documentation on this product, refer to the following documents:

  • CiscoSecure ACS 2.4 for Windows NT Server User Guide

  • Quick Installation Card: CiscoSecure ACS 2.4 for Windows NT Server

  • Read Me First: CiscoSecure ACS 2.4 for Windows NT Server Getting Started

  • Quick Reference Card: Web Server Installation for CiscoSecure ACS for Windows NT User-Changeable Passwords

  • Release Notes for CiscoSecure ACS 2.4(1) for Windows NT Server


These release notes discuss the following topics:

Contents      1

Open Issues and Workarounds      2

Cisco Connection Online      6

Documentation CD-ROM      7

Open Issues and Workarounds

The issues for CiscoSecure ACS 2.4 for Windows NT Server listed in this section remain open.

Installation and Upgrading

Caution Always back up your data before you install CiscoSecure ACS 2.4 for Windows NT. Read the included PDF files for installation instructions and information for CiscoSecure ACS.
  • CSCdm92865

During installation, if you click Back, the data you just configured is lost. The workaround is to re-enter the data manually.
  • CSCdm91495

If you are upgrading from CiscoSecure ACS 2.3 to CiscoSecure ACS 2.4, a message displays asking if you want to remove the PSAPI.DLL file. If you answer yes, installation fails. The workaround is to answer No to the prompt. If you accidentally answered yes, follow these steps:

Step 1 Copy PSAPI.DLL from another system.

Step 2 Run CLEAN.EXE.

Step 3 Run SETUP.EXE again. You might need to reload the data from backup.

  • CSCdp00197

After upgrading, the administrator cannot edit user and group profiles through the web-based interface. The workaround is to click Administration Control > Session Policy > Allow automatic local login.
  • CSCdm48134

A Dr. Watson error might appear when you are upgrading over an earlier version of CiscoSecure ACS. The workaround is to run CLEAN.EXE and re-run SETUP.EXE as described in the README.TXT file.

VoIP Call Logging

  • CSCdp00830

Only the first stop of a Voice over IP (VoIP) call leg is logged in the comma-separated value (CSV) file. At this time there is no known workaround.

Date Format in CSV Logs

  • CSCdm61772

After you change the date format, CiscoSecure ACS does not create a .CSV file for the existing logs with the new date format. The workaround is to import the .CSV file to a spreadsheet application and manually change the dates.

ODBC Authentication and Oracle

  • CSCdm90513

ODBC Authentication does not work against an Oracle data source name (DSN). ODBC Authentication expects the called SQL procedures to return data in a record set, also known as Select procedures. Oracle returns data via procedure output parameters and does not work with the current dynamic link library (DLL). The workaround is to create a new external database, "ODBC Authentication for Oracle," that is the same as the existing DLL except that the results are collected from output parameters instead of row data.

Grant Dialin Permission to User

  • CSCdp01784

To use the Grant Dialin Permission to User feature, a two-way trust relationship must be established between the remote Windows NT domain and the CiscoSecure ACS for Windows NT server. This is a Windows NT issue. There is no workaround.

Browser Issues

  • CSCdm67486

When using Netscape Communicator 4.6 with CiscoSecure ACS for Windows NT, if a remote administrator clicks logout, Netscape's Smart Download window pops up and attempts to download a file. The administration session is never terminated. The workaround is to disable Smart Download or use IE or a different version of Netscape.
  • CSCdm72261

Editing user/group profiles while using Netscape Navigator 4.08 or Netscape Communicator 4.61 produces a Dr. Watson for Netscape error. The workaround is to use Internet Explorer (IE) or a different version of Netscape.
  • CSCdp02113

When using Internet Explorer (IE), after you click Submit in the User window, the window on the right displays a blank screen or an error message stating that the server is unreachable, because IE closes the connection to the server before the server can respond. The workaround is to click any of the main navigation buttons within 60 seconds. The window will be blank, but the user data will have been submitted successfully. Additionally, when using Windows NT 5.0 and Internet Explorer 5.x, the message The page you want is not available displays. The workaround is to click Try again.

Special Characters

  • CSCdm93544

Some special characters, such as the umlaut, that should be valid cannot be used in usernames. This means that some external users may have user accounts created during authentication that cannot be edited using the web-based interface. The workaround is to not allow these characters in usernames.

Advanced TACACS+ Settings

  • CSCdp01448

The Advanced TACACS+ Settings section always displays for cached unknown users even though the interface configuration is set to disable these displays. There is no workaround.

No AAA Server Selected Message

  • CSCdp02795

When you add a new RDBMS Synchronization configuration and you click Synchronize now, the message No AAA server selected displays. The workaround is to click Submit before you click Synchronize now. The same issue applies to Database Replication and Unknown User Policy configuration.

ODBC RADIUS Accounting

  • CSCdp03261

If tunnel attributes are selected in the ODBC RADIUS accounting log, the Show Create Table option does not create the type names. The workaround is to use a script similar to the following to create the type names:
CREATE TABLE radiusAccounting (
   LoggedAt DATE NULL,
   User_Name VARCHAR(255) NULL,
   Acct_Output_Packets INTEGER NULL,
   Tunnel_Medium_Type ,
   Tunnel_Client_Endpoint ,
   Tunnel_Private_Group_ID ,
   Tunnel_Client_Auth_ID ,

SafeWord Server

  • CSCdm53169

When the SafeWord Token Server is restarted, CiscoSecure ACS does not automatically reconnect to the SafeWord server for authentication. The Failed Attempts report displays the message External DB reports error condition. The workaround is to restart the CSAuth and CSTacacs services.

Max Sessions Limit

  • CSCdm60679

When Max Sessions are configured at the user level, users cannot log in in enable mode when the session limit is reached. Because the administrator logging in to the NAS usually telnets into it and then goes into the enable mode, the administrator might not be able to log in. The workaround is to configure Max Sessions at the group level instead of at the user level.

Unresponsive Administration Server

  • CSCdm46941

The web-based administration server enters a state that causes the service to be unresponsive for certain functions and then hangs the web-admin service for the functions that previously worked. The workaround is to re-enter the address or click the logout button (X) at the top right of the display. This will reset the browser.

IP Pooling and Virtual Private Dialup Networks (VPDN)

  • CSCdk87655 and CSCdk76477

Releases of Cisco IOS software prior to Release 12.02 do not support the IP pooling feature of CiscoSecure ACS 2.4 for Windows NT with VPDN tunnels. As a result, duplicate IP addresses might be allocated. The workaround is to use Cisco IOS Release 12.02 or later or to use the IP pooling feature of the NAS if you are using VPDN.

Changed Passwords and SQL Servers

  • CSCdk64286

Changes to passwords made on the SQL server do not take effect immediately. This is an SQL issue that might cause security problems, because users can continue to log in using their old passwords until CSAuth is restarted. The workaround is to restart CSAuth after changing passwords on the SQL server.

User Status Inconsistent

  • CSCdk85593

After a user account is disabled, Internet Explorer displays the user account status as disabled in the User Setup window but still shows it as enabled in the Group Setup window. The workaround is to restart Internet Explorer.

Single Connection Per User on PIX Firewall

  • CSCdk86462

CiscoSecure ACS 2.4 for Windows NT supports only a single connection per user when authenticating on a PIX firewall. This is an issue only for MaxSessions and the Reports and Activity: Logged-In Users window. The accounting logs correctly record the PIX accounting packets; the workaround is to use the accounting logs to track concurrent logins.

User-Defined Field Name Not Showing After Replication

  • CSCdk68592

User-defined field names do not appear in the Interface Configuration window of the replicated CiscoSecure ACS 2.4 for Windows NT immediately. The workaround is to restart CSAdmin after replication.

Network Access Server (NAS) Port Name Blank

  • CSCdk89641

If a user authenticates successfully but fails authorization, the NAS port name is blank in the Failed Attempts Log. There is no workaround at this time.

Cisco Connection Online

Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.

Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.

CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.

You can access CCO in the following ways:

For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.

Note If you are a network administrator and need personal technical assistance with a Cisco product that is under warranty or covered by a maintenance contract, contact Cisco's Technical Assistance Center (TAC) at 800 553-2447, 408 526-7209, or tac@cisco.com. To obtain general information about Cisco Systems, Cisco products, or upgrades, contact 800 553-6387, 408 526-7208, or cs-rep@cisco.com.

Documentation CD-ROM

Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more current than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.

If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.

[an error occurred while processing this directive]