
Cisco Secure Access Control Server Solution Engine

Release Notes for Cisco Secure ACS Solution Engine 3.3

Table Of Contents

Release Notes for Cisco Secure ACS Solution Engine Version 3.3

New Features

Supplemental License Agreement for Cisco Systems Network Management Software Running on the Cisco 11XX Hardware Platform

Product Documentation

Related Documentation

Installation Notes

Upgrading to Cisco Secure ACS version 3.3

Cisco 1111—Recovering Cisco Secure ACS 3.3

Cisco 1112—Recovering Cisco Secure ACS 3.3

Security Patch Process

Limitations and Restrictions

Important Known Problems with Network Admission Control

Supported Migration Versions

Supported Web Browsers

Supported Operating Systems for Remote Agent

Windows Support for Remote Agent

Solaris Support for Remote Agent

Supported Platforms for CiscoSecure Authentication Agent

Other Supported Devices and Software

Known Problems

Cisco AAA Client Problems

Known Problems in Cisco Secure ACS Version 3.3

Resolved Problems

Obtaining Documentation

Cisco.com

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco Technical Support Website

Submitting a Service Request

Definitions of Service Request Severity

Obtaining Additional Publications and Information


Release Notes for Cisco Secure ACS Solution Engine Version 3.3


June 2005

These release notes pertain to Cisco Secure Access Control Server Solution Engine (Cisco Secure ACS) version 3.3.

These release notes provide:

New Features

Supplemental License Agreement for Cisco Systems Network Management Software Running on the Cisco 11XX Hardware Platform

Product Documentation

Related Documentation

Installation Notes

Upgrading to Cisco Secure ACS version 3.3

Cisco 1111—Recovering Cisco Secure ACS 3.3

Cisco 1112—Recovering Cisco Secure ACS 3.3

Security Patch Process

Limitations and Restrictions

Important Known Problems with Network Admission Control

Supported Migration Versions

Supported Web Browsers

Supported Operating Systems for Remote Agent

Supported Platforms for CiscoSecure Authentication Agent

Other Supported Devices and Software

Known Problems

Resolved Problems

Obtaining Documentation

Documentation Feedback

Obtaining Technical Assistance

Obtaining Additional Publications and Information

New Features

Cisco Secure ACS version 3.3 contains the following new features and enhancements:

Network admission control (NAC)—Cisco Secure ACS acts as a policy decision point in NAC deployments. Using policies you configure, it evaluates the credentials sent to it by Cisco Trust Agent, determines the state of the host, and sends the AAA client ACLs that are appropriate to the host state. Evaluation of the host credentials can enforce many specific policies, such as operating system patch level and anti-virus DAT file version. Cisco Secure ACS records the results of policy evaluation for use with your monitoring system. Policies can be evaluated locally by Cisco Secure ACS or can be the result returned from an external policy server that Cisco Secure ACS forwards credentials to. For example, credentials specific to an anti-virus vendor can be forwarded to the vendor anti-virus policy server.

Cisco Security Agent integration (CSA)—Cisco Secure ACS Solution Engine ships with a pre-installed, standalone CSA. This integration in the base appliance image helps protect Cisco Secure ACS Solution Engine from day-zero attacks. The new behavior-based technology available with CSA protects Cisco Secure ACS Solution Engine against the constantly changing threats that viruses and worms pose.

EAP Flexible Authentication via Secured Tunnel (EAP-FAST) support—Cisco Secure ACS supports the EAP-FAST protocol, a new publicly accessible IEEE 802.1X EAP type developed by Cisco Systems that protects authentication in a TLS tunnel but does not require use of certificates, unlike PEAP. Cisco developed EAP-FAST to support customers who cannot enforce a strong password policy and wish to deploy an 802.1X EAP type that does not require digital certificates, supports a variety of user and password database types, supports password expiration and change, and is flexible, easy to deploy, and easy to manage. For example, a customer using Cisco LEAP can migrate to EAP-FAST for protection from dictionary attacks. Cisco Secure ACS supports EAP-FAST supplicants available on Cisco Compatible client devices and Cisco Aironet 802.11a/b/g PCI and CardBus WLAN client adapters.

Machine Access Restrictions (MARs)—Cisco Secure ACS includes MARs as an enhancement of Windows machine authentication. When Windows machine authentication is enabled, you can use MARs to control authorization of EAP-TLS and Microsoft PEAP users who authenticate with a Windows external user database. Users who access the network with a computer that has not passed machine authentication within a configurable length of time are given the authorizations of a user group that you specify and which you can configure to limit authorization as needed. Alternatively, you can deny network access altogether.

Network Access Filters (NAFs)—Cisco Secure ACS includes NAF as a new type of Shared Profile Component. NAF provides a flexible way of applying network access restrictions and downloadable ACLs on AAA client names, network device groups, or the IP addresses of AAA clients. NAFs applied by IP addresses can use IP address ranges and wildcards. This feature introduces granular application of network access restrictions and downloadable ACLs; previously, both could only apply the same access restrictions or ACLs to all devices. NAFs allow much more flexible network device restriction policies to be defined, a requirement common in large environments.

Downloadable ACL enhancements—Cisco Secure ACS version 3.3 extends per-user ACL support to any layer three network device that supports this feature. This includes Cisco PIX Firewalls, Cisco VPN solutions, and Cisco IOS routers. You can define sets of ACLs that can be applied per user or per group. This feature complements NAC support by enabling the enforcement of the correct ACL policy. When used in conjunction with NAFs, downloadable ACLs can be applied differently per AAA client, enabling you to tailor ACLs uniquely per user, per access device.

Replication enhancements—Cisco Secure ACS version 3.3 includes two enhancements to the CiscoSecure Database Replication feature:

Configurable replication timeout—You can specify how long a replication event is permitted to continue before Cisco Secure ACS ends the replication attempt and restarts affected services. This feature improves your ability to configure replication when network connections between replication partners are slow.

Separate replication of user database and group database—You can replicate the user and group databases separately. Replicating changes to user accounts no longer automatically requires replicating groups. Likewise, replicating groups no longer requires replicating users. This finer replication granularity can reduce the amount of data sent between Cisco Secure ACSes during a replication event.

Supplemental License Agreement for Cisco Systems Network Management Software Running on the Cisco 11XX Hardware Platform

IMPORTANT - READ CAREFULLY: This Supplemental License Agreement ("SLA") contains additional limitations on the license to the Software provided to Customer under the Software License Agreement between Customer and Cisco. Capitalized terms used in this SLA and not otherwise defined herein shall have the meanings assigned to them in the Software License Agreement. To the extent that there is a conflict among any of these terms and conditions applicable to the Software, the terms and conditions in this SLA shall take precedence.

By installing, downloading, accessing or otherwise using the Software, Customer agrees to be bound by the terms of this SLA. If Customer does not agree to the terms of this SLA, Customer may not install, download or otherwise use the Software.

1. ADDITIONAL LICENSE RESTRICTIONS.

Installation and Use. The Cisco Secure Access Control Server Software component of the Cisco 11XX Hardware Platform is pre-installed. CDs containing tools to restore this Software to the 11XX hardware are provided to Customer for reinstallation purposes only. Customer may only run the supported Cisco Secure Access Control Server Software on the Cisco 11XX Hardware Platform designed for its use. No unsupported Software product or component may be installed on the Cisco 11XX Hardware Platform.

Software Upgrades, Major and Minor Releases. Cisco may provide Cisco Secure Access Control Server Software updates and new version releases for the 11XX Hardware Platform. If the Software update and new version releases can be purchased through Cisco or a recognized partner or reseller, the Customer should purchase one Software update for each Cisco 11XX Hardware Platform. If the Customer is eligible to receive the Software update or new version release through a Cisco extended service program, the Customer should request to receive only one Software update or new version release per valid service contract.

Reproduction and Distribution. Customer may not reproduce nor distribute software.

2. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS.

Please refer to the Cisco Systems, Inc. Software License Agreement.

Product Documentation


Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.


Table 1 describes the product documentation that is available.

Table 1 Product Documentation 

Document Title
Available Formats

Release Notes for Cisco Secure ACS Solution Engine

Printed document that was included with the product.

On Cisco.com.

Installation and Setup Guide for Cisco Secure ACS Solution Engine

PDF on the product CD-ROM.

On Cisco.com.

Printed document available by order (part number DOC-7816532). [1]

User Guide for Cisco Secure ACS Solution Engine

PDF on the product CD-ROM.

On Cisco.com.

Printed document available by order (part number DOC-7816534=). [1]

Installation and User Guide for Cisco Secure ACS User-Changeable Passwords

PDF on the product CD-ROM.

On Cisco.com.

Regulatory Compliance and Safety Information for Cisco Secure ACS Solution Engine

Printed document that was included with the product.

PDF on the product CD-ROM.

On Cisco.com.

Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Solution Engine

On Cisco.com.

Recommended Resources for the Cisco Secure ACS User

On Cisco.com.

Online Documentation

In the Cisco Secure ACS HTML interface, click Online Documentation.

[1] See Obtaining Documentation.


Related Documentation


Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.


Table 2 describes a set of white papers about Cisco Secure ACS for Windows Server; however, much of the information contained in these papers is applicable to Cisco Secure ACS Solution Engine. All white papers are available on Cisco.com. To view them, go to the following URL:

http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/index.shtml

Table 2 Related Documentation 

Document Title
Description and Available Formats

Building a Scalable TACACS+ Device Management Framework

This document discusses the key benefits of and how to deploy Cisco Secure ACS Shell Authorization Command sets, which provide the facilities for constructing a scalable network device management system using familiar and efficient TCP/IP protocols and utilities supported by Cisco devices.

Catalyst Switching and ACS Deployment Guide

This document presents planning, design, and implementation practices for deploying Cisco Secure ACS for Windows Server in support of Cisco Catalyst Switch networks. It discusses network topology regarding AAA, user database choices, password protocol choices, access requirements, and capabilities of Cisco Secure ACS.

Deploying Cisco Secure ACS for Windows in a Cisco Aironet Environment

This paper discusses guidelines for wireless network design and deployment with Cisco Secure ACS.

EAP-TLS Deployment Guide for Wireless LAN Networks

This document discusses the Extensible Authentication Protocol Transport Layer Security (EAP-TLS) authentication protocol deployment in wireless networks. It introduces the EAP-TLS architecture and then discusses deployment issues.

Guidelines for Placing ACS in the Network

This document discusses planning, design, and implementation practices for deploying Cisco Secure ACS for Windows Server in an enterprise network. It discusses network topology, user database choices, access requirements, integration of external databases, and capabilities of Cisco Secure ACS.

Initializing MC Authorization on ACS 3.1

This application note explains how to initialize Management Center authorization on Cisco Secure ACS.


Installation Notes

For information about installing Cisco Secure ACS, see Installation and Setup Guide for Cisco Secure ACS Solution Engine, version 3.3.

Upgrading to Cisco Secure ACS version 3.3

This procedure upgrades the Cisco Secure ACS software on a Cisco 1111 device to Cisco Secure ACS Solution Engine 3.3 from any of the following versions:

Cisco Secure ACS Solution Engine 3.2.3

Cisco Secure ACS Solution Engine 3.2.2

Cisco Secure ACS Solution Engine 3.2.1


Note Cisco 1112 devices do not support versions of Cisco Secure ACS before version 3.3; therefore, this section does not apply to Cisco 1112 devices.


Please read this procedure carefully before proceeding. Upgrading from Cisco Secure ACS versions 3.2.1 and 3.2.2 requires significant additional steps that must be taken to preserve Cisco Secure ACS data and configuration.

To upgrade a Cisco 1111 device from Cisco Secure ACS Solution Engine version 3.2 to version 3.3, follow these steps:


Step 1 If the Cisco 1111 is running Cisco Security Agent, you must disable the CSAgent service before proceeding with the upgrade. To disable the CSAgent service, log in to the console and enter stop csagent.

Step 2 Determine what software of the following categories the Cisco 1111 is running:

Cisco Secure ACS

Appliance Management Software

Patches, if any

To do so, log in to the HTML interface, select System Configuration > Appliance Upgrade Status, and view the version information displayed.

Step 3 If the Cisco 1111 you are upgrading is running Cisco Secure ACS version 3.2.1 or version 3.2.2, you must perform the following steps:

a. Back up Cisco Secure ACS data and configuration. To do so, use one of the two following features:

ACS Backup, available in the System Configuration section of the HTML interface. For more information, see User Guide for Cisco Secure ACS Solution Engine.

backup command, available on the serial console. For more information, see Installation and Setup Guide for Cisco Secure ACS Solution Engine.

b. Use the Recovery CD from Cisco Secure ACS 3.2.3 to upgrade the appliance to version 3.2.3. This will destroy all data and install a new image. You can download the Recovery CD image for Cisco Secure ACS Solution Engine version 3.2.3 from the following location:

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des

For more information about reimaging the hard drive, see Installation and Setup Guide for Cisco Secure ACS Solution Engine, version 3.3.

c. Perform initial configuration of the Cisco Secure ACS Appliance. For more information, see Installation and Setup Guide for Cisco Secure ACS Solution Engine.

d. Restore the appliance data and configuration. To do so, use one of the two following features:

ACS Restore, available in the System Configuration section of the HTML interface. For more information, see User Guide for Cisco Secure ACS Solution Engine.

restore command, available on the serial console. For more information, see Installation and Setup Guide for Cisco Secure ACS Solution Engine.

Step 4 If either of the following conditions is true:

In Step 3 you reimaged the Cisco 1111 with Cisco Secure ACS version 3.2.3.

The Cisco 1111 is not running Appliance Management Software version 3.2.3.12.

you must apply the applInstAppliance_3_2_3_12 upgrade, available on the Cisco Secure ACS version 3.3 upgrade CD. The applInstAppliance_3_2_3_12 upgrade is also available as part of the "Microsoft Security Bulletin MS04-011 - Appliance Management Software and Microsoft Hotfix" patch, found at:

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des

For assistance with applying the upgrade, use the upgrade procedure in User Guide for Cisco Secure ACS Solution Engine.

Step 5 If either of the following conditions is true:

In Step 3 you reimaged the Cisco 1111 with Cisco Secure ACS version 3.2.3.

The Cisco 1111 does not have the patch named "Microsoft Security Bulletin MS04-11 and MS04-012" applied.

you must apply the appl_ms04-011-012 patch, available on the Cisco Secure ACS version 3.3 upgrade CD. The appl_ms04-011-012 patch is also available as part of the "Microsoft Security Bulletin MS04-011 - Appliance Management Software and Microsoft Hotfix" patch, found at:

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des

For assistance with applying the patch, use the upgrade procedure in User Guide for Cisco Secure ACS Solution Engine.

Step 6 Apply the applInstAppliance_3_3_1_16 upgrade, available on the Cisco Secure ACS version 3.3 upgrade CD. The applInstAppliance_3_3_1_16 upgrade will also be available for downloading on cisco.com.

For assistance with applying the upgrade, use the upgrade procedure in User Guide for Cisco Secure ACS Solution Engine.

Step 7 Apply the applInstAcs_3_3_1_16 upgrade, available on the Cisco Secure ACS version 3.3 upgrade CD. The applInstAcs_3_3_1_16 upgrade is also available for downloading on cisco.com.


Note This is the only upgrade in this procedure that does not require that the Cisco 1111 reboot itself.


For assistance with applying the upgrade, use the upgrade procedure in User Guide for Cisco Secure ACS Solution Engine.

Step 8 If you performed Step 2 or if the Cisco 1111 does not have the Cisco Security Agent upgrade applied, apply the Cisco Security Agent update, available on the Cisco Secure ACS version 3.3 upgrade CD. The Cisco Security Agent update is also available for downloading on cisco.com.

Step 9 Verify that Cisco Security Agent is enabled. To do so, log in to the console and enter show. If the CSAgent service is not running, enter start csagent.

Step 10 To see the results of this upgrade procedure, view the Appliance Upgrade page. To do so, log in to the HTML interface and select System Configuration > Appliance Upgrade Status.

When you complete this procedure, the Application Versions table on the Appliance Upgrade page will appear as follows:

Application Versions 

Cisco Secure ACS

3.3.1.16

Appliance Management Software

3.3.1.16

Appliance Base Image

3.2.2.1

CSA

(Patch: 4_0_1_543)

Microsoft Security Bulletin MS04-11 and MS04-012

(Patch: 1_0_0)
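As an added example (this is not Cisco code or tooling), the following Python script encodes the conditional steps of the procedure above and the expected final Application Versions table, so an administrator can plan the upgrade from a copied-out version table and confirm the end state. It assumes the table is pasted as plain text with each component name on one line and its version on the next; the "before" sample input and its build numbers are constructed.

```python
"""Upgrade-path checker for a Cisco 1111 moving to Cisco Secure ACS Solution Engine 3.3.

Added example, not Cisco code. It reads the Application Versions table from the
Appliance Upgrade Status page as plain text (the two-line name/version layout is
an assumption about how that table is copied out), decides which conditional
steps of the documented procedure apply, and checks the expected final state.
"""
import re

# Versions and patch names quoted from the release notes.
AMS_323 = "3.2.3.12"  # Appliance Management Software level required before Step 6
MS04_PATCH = "Microsoft Security Bulletin MS04-11 and MS04-012"
UPGRADE_SOURCES = {"3.2.1", "3.2.2", "3.2.3"}
NEEDS_REIMAGE = {"3.2.1", "3.2.2"}

# The Application Versions table the notes say you should see when done.
EXPECTED_FINAL = {
    "Cisco Secure ACS": "3.3.1.16",
    "Appliance Management Software": "3.3.1.16",
    "Appliance Base Image": "3.2.2.1",
    "CSA": "(Patch: 4_0_1_543)",
    MS04_PATCH: "(Patch: 1_0_0)",
}


def parse_versions(text):
    """Parse 'Application Versions' text: component name on one line, its version
    or '(Patch: ...)' on the next, blank lines ignored. Returns {name: version}."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines and lines[0].startswith("Application Versions"):
        lines = lines[1:]
    if len(lines) % 2:
        raise ValueError("expected name/version pairs, got an odd number of lines")
    return {lines[i]: lines[i + 1] for i in range(0, len(lines), 2)}


def release_of(version):
    """'3.2.3.12' -> '3.2.3' (the three-part release the procedure keys on)."""
    m = re.match(r"(\d+\.\d+\.\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return m.group(1)


def plan_upgrade(versions):
    """Return the conditional steps that apply to this appliance, in procedure order.
    Unconditional steps (2, 6, 7, 9, 10) are omitted."""
    acs = versions.get("Cisco Secure ACS", "")
    release = release_of(acs)
    if release not in UPGRADE_SOURCES:
        raise ValueError(f"ACS {acs} is not a documented upgrade source {sorted(UPGRADE_SOURCES)}")
    steps = []
    # Step 1: a CSA entry in the table is taken to mean CSA is running (assumption).
    if "CSA" in versions:
        steps.append("Step 1: stop csagent before upgrading")
    reimage = release in NEEDS_REIMAGE
    if reimage:
        steps.append("Step 3: back up, reimage with the 3.2.3 Recovery CD, restore")
    # Steps 4 and 5 apply after a reimage or when the component/patch is missing.
    if reimage or versions.get("Appliance Management Software") != AMS_323:
        steps.append("Step 4: apply applInstAppliance_3_2_3_12")
    if reimage or MS04_PATCH not in versions:
        steps.append("Step 5: apply appl_ms04-011-012")
    # Step 8: the notes condition it on the CSA update being absent; a reimage
    # wipes the appliance, so we assume it applies after Step 3 as well.
    if reimage or "CSA" not in versions:
        steps.append("Step 8: apply the Cisco Security Agent update")
    return steps


def verify_final(versions):
    """Compare a post-upgrade table with the expected one; return mismatches as
    (component, expected, actual) tuples, empty when the upgrade is complete."""
    return [(name, want, versions.get(name))
            for name, want in EXPECTED_FINAL.items()
            if versions.get(name) != want]


# Constructed sample: a 3.2.3 appliance (build number made up) with CSA but
# without the MS04 patch applied.
SAMPLE_BEFORE = """
Application Versions
Cisco Secure ACS
3.2.3.11
Appliance Management Software
3.2.3.12
Appliance Base Image
3.2.2.1
CSA
(Patch: 4_0_1_543)
"""

if __name__ == "__main__":
    before = parse_versions(SAMPLE_BEFORE)
    for step in plan_upgrade(before):
        print(step)
    print("remaining mismatches:", verify_final(before))
```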



Cisco 1111—Recovering Cisco Secure ACS 3.3

This section provides procedures for the recovery process for a Cisco 1111 that runs Cisco Secure ACS Solution Engine 3.3.


Caution You cannot use the Recovery CD for Cisco Secure ACS Solution Engine 3.3 on a Cisco 1111.

To perform recovery on a Cisco 1111 running Cisco Secure ACS Solution Engine 3.3, follow these steps:


Step 1 Use the Recovery CD from Cisco Secure ACS 3.2.3 to upgrade the appliance to version 3.2.3. This will destroy all data and install a new image. You can download the Recovery CD image for Cisco Secure ACS Solution Engine version 3.2.3 from the following location:

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des

For more information about reimaging the hard drive, see Installation and Setup Guide for Cisco Secure ACS Solution Engine, version 3.3.

Step 2 Perform initial configuration of the Cisco Secure ACS Appliance. For more information, see Installation and Setup Guide for Cisco Secure ACS Solution Engine.

Step 3 Apply the applInstAppliance_3_2_3_12 upgrade, available on the Cisco Secure ACS version 3.3 upgrade CD. The applInstAppliance_3_2_3_12 upgrade is also available as part of the "Microsoft Security Bulletin MS04-011 - Appliance Management Software and Microsoft Hotfix" patch, found at:

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des

For assistance with applying the upgrade, use the upgrade procedure in User Guide for Cisco Secure ACS Solution Engine.

Step 4 Apply the appl_ms04-011-012 patch, available on the Cisco Secure ACS version 3.3 upgrade CD. The appl_ms04-011-012 patch is also available as part of the "Microsoft Security Bulletin MS04-011 - Appliance Management Software and Microsoft Hotfix" patch, found at:

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des

For assistance with applying the patch, use the upgrade procedure in User Guide for Cisco Secure ACS Solution Engine.

Step 5 Apply the applInstAppliance_3_3_1_16 upgrade, available on the Cisco Secure ACS version 3.3 upgrade CD. The applInstAppliance_3_3_1_16 upgrade is also available for downloading on cisco.com.

For assistance with applying the upgrade, use the upgrade procedure in User Guide for Cisco Secure ACS Solution Engine.

Step 6 Apply the applInstAcs_3_3_1_16 upgrade, available on the Cisco Secure ACS version 3.3 upgrade CD. The applInstAcs_3_3_1_16 upgrade is also available for downloading on cisco.com.


Note This is the only upgrade in this procedure that does not require that the Cisco 1111 reboot itself.


For assistance with applying the upgrade, use the upgrade procedure in User Guide for Cisco Secure ACS Solution Engine.

Step 7 Apply the Cisco Security Agent update, available on the Cisco Secure ACS version 3.3 upgrade CD. The Cisco Security Agent update will also be available for downloading on cisco.com.

Step 8 Verify that Cisco Security Agent is enabled. To do so, log in to the console and enter show. If the CSAgent service is not running, enter start csagent.

Step 9 To see the results of this recovery procedure, view the Appliance Upgrade page. To do so, log in to the HTML interface and select System Configuration > Appliance Upgrade Status.

When you complete this procedure, the Application Versions table on the Appliance Upgrade page will appear as follows:

Application Versions 

Cisco Secure ACS

3.3.1.16

Appliance Management Software

3.3.1.16

Appliance Base Image

3.2.2.1

CSA

(Patch: 4_0_1_543)

Microsoft Security Bulletin MS04-11 and MS04-012

(Patch: 1_0_0)



Cisco 1112—Recovering Cisco Secure ACS 3.3

The recovery process for a Cisco 1112 that runs Cisco Secure ACS Solution Engine 3.3 is documented in Installation and Configuration Guide for Cisco Secure ACS Solution Engine, version 3.3. The Recovery CD for Cisco Secure ACS Solution Engine, version 3.3, is designed for and tested with Cisco 1112 devices.

Security Patch Process

For information about our process for evaluating and releasing Microsoft security patches for Cisco Secure ACS Solution Engine, see the Cisco Secure ACS Solution Engine Security Patch Process document, available in the Product Literature area for Cisco Secure ACS Solution Engine on cisco.com.

Limitations and Restrictions

The following limitations and restrictions apply to Cisco Secure ACS 3.3.

Important Known Problems with Network Admission Control

The following known problems are related to Network Admission Control. We recommend that you review them.

CSCee88908: CSLog crash if a logged attribute is deleted due to replication

CSCee87826: A deleted policy is being reassign when created with the same name

CSCee87899: Replication of CNAC policies should be updated in the doc

Supported Migration Versions

We support migrating to Cisco Secure ACS Solution Engine version 3.3 from many versions of Cisco Secure ACS for Windows Server; however, migration requires upgrading Cisco Secure ACS for Windows Server to version 3.3.

For detailed steps for performing a migration from Cisco Secure ACS for Windows Server to Cisco Secure ACS Solution Engine, see either of the following two documents:

Installation Guide for Cisco Secure ACS for Windows Server, version 3.3

Installation and Configuration Guide for Cisco Secure ACS Solution Engine, version 3.3

Supported Web Browsers

To administer all features included in the HTML interface of Cisco Secure ACS 3.3, use an English-language version of one of the following tested and supported web browsers:

Microsoft Internet Explorer for Microsoft Windows

Version 6.0

Service Pack 1

Microsoft Java Virtual Machine

Netscape Communicator for Microsoft Windows

Version 7.1

Sun Java Plug-in 1.4.2_04

Netscape Communicator for Solaris 2.8

Version 7.0

Mozilla 5.0

Sun Java Plug-in 1.4.0_01


Note Several known problems are related to using Netscape Communicator with Cisco Secure ACS. For more information, please review Table 3.

We do not recommend using a slow network connection for remote access to the Cisco Secure ACS HTML interface. Some features that use Java applets, such as the HTML pages for configuring Network Access Restrictions and Network Admission Control, do not operate optimally over a slow connection.


We do not support other versions of these browsers or other Java virtual machines with these browsers, nor do we test web browsers by other manufacturers.


Note To use a web browser to access the Cisco Secure ACS HTML interface, configure your web browser as follows:

Use an English-language version of a supported browser.

Enable Java.

Enable JavaScript.

Disable HTTP proxy.


Supported Operating Systems for Remote Agent

Cisco Secure ACS 3.3 supports Cisco Secure ACS Remote Agent on Microsoft Windows 2000 and Solaris operating systems, as specified in the following two sections.

Windows Support for Remote Agent

Solaris Support for Remote Agent

Windows Support for Remote Agent

The computer running Cisco Secure ACS Remote Agent for Windows must use an English-language version of one of the following operating systems:

Windows 2000 Server, with Service Pack 4 installed

Windows 2000 Advanced Server, with the following conditions:

with Service Pack 4 installed

without features specific to Windows 2000 Advanced Server enabled

Windows Server 2003, Enterprise Edition

Windows Server 2003, Standard Edition


Note The following restrictions apply to support for Microsoft Windows operating systems:

We have not tested and cannot support the multi-processor feature of any supported operating system.

We cannot support Microsoft clustering service on any supported operating system.

Windows 2000 Datacenter Server is not a supported operating system.


Tested Windows Security Patches


Note For information about remote agent support for Microsoft patches issued after the release of Cisco Secure ACS Solution Engine version 3.3, see Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Solution Engine, version 3.3.


We tested Cisco Secure ACS Remote Agent for Windows with the Windows Server 2003 patches documented in the following Microsoft Knowledge Base Articles:

819696

823182

823559

824105

824141

824146

825119

828028

828035

828741

832894

835732

837001

837009

839643

840374

We tested Cisco Secure ACS Remote Agent for Windows with the Windows 2000 Server patches documented in the following Microsoft Knowledge Base Articles:

329115

823182

823559

823980

824105

824141

824146

825119

826232

828035

828741

828749

835732

837001

839643

Solaris Support for Remote Agent

The computer running Cisco Secure ACS Remote Agent for Solaris must use Solaris 2.8 or 2.9.

Supported Platforms for CiscoSecure Authentication Agent

For use with Cisco Secure ACS 3.3, we tested CiscoSecure Authentication Agent on Windows XP with Service Pack 1. We support the use of CiscoSecure Authentication Agent with Cisco Secure ACS 3.3 when CiscoSecure Authentication Agent runs on one of the following client platform operating systems:

Windows XP

Windows 2000 Professional

Windows 98

Windows 95

Windows NT 4.0

Other Supported Devices and Software

For information about supported Cisco devices, external user databases, and other software, see Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Solution Engine Version 3.3. To see this document, go to the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp

Known Problems

This section contains information about the following topics:

Cisco AAA Client Problems

Known Problems in Cisco Secure ACS Version 3.3

Cisco AAA Client Problems

Refer to the appropriate release notes for information about Cisco AAA client problems that might affect the operation of Cisco Secure ACS. You can access these release notes online at the following URLs.

Cisco Aironet Access Point

http://www.cisco.com/univercd/cc/td/doc/product/wireless/

Cisco BBSM

http://www.cisco.com/univercd/cc/td/doc/product/aggr/bbsm/

Cisco Catalyst Switches

http://www.cisco.com/univercd/cc/td/doc/product/lan/

Cisco IOS

http://www.cisco.com/univercd/cc/td/doc/product/software/

Cisco Secure PIX Firewall

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/

Cisco VPN 3000 Concentrator

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3002/

Cisco VPN 5000 Concentrator

http://www.cisco.com/univercd/cc/td/doc/product/aggr/vpn5000/

Known Problems in Cisco Secure ACS Version 3.3

Table 3 describes problems known to exist in this release.


Note A "—" in the Explanation column indicates that no information was available at the time of publication. You should check the Cisco Software Bug Toolkit for current information. To access the Cisco Software Bug Toolkit, go to http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl. (You will be prompted to log in to Cisco.com.)

Bug summaries and explanations in Table 3 are printed word-for-word as they appear in our bug tracking system.

Table 3 Known Problems in Cisco Secure ACS Solution Engine, Version 3.3 

Bug ID
Summary
Explanation

CSCef61117

ACS on 2003 huge performance impact when writing to registry

Cisco Secure ACS 3.2.3 or 3.3 running on Windows 2003 Standard and Enterprise edition may cause huge delay when writing to the registry.

Therefore when more than six operations write to the Microsoft registry, a failure may occur. Refer to the field notices on Cisco.com for more details.

CSCdv35872

Insufficient length for NDS context entry

When a Novell NDS database configuration in Cisco Secure ACS has a context list greater than 4095 characters long, editing the NDS configuration page results in incorrect HTML in the browser interface.

Workaround/Solution: Use a context list no longer than 4096 characters.

CSCdv86708

HTTP Port Allocation is not replicated

Changes to HTTP Port Allocation settings do not appear to replicate. After the HTTP Port Allocation settings are changed on the Access Policy Setup page in the Administration Control section on the primary Cisco Secure ACS server and replication succeeds, the secondary Cisco Secure ACS server does not display the changes to the HTTP Port Allocation settings in the HTML interface.

Workaround/Solution: The changes to the HTTP Port Allocation settings do replicate successfully; however, to see the changes on the secondary Cisco Secure ACS, restart the CSAdmin service.

CSCdz61464

Solaris Netscape 7.0 - Minor Features Failure

When the administrative browser is Netscape 7.0 on Solaris 8.0, some menus in the HTML interface for Cisco Secure ACS do not work properly.

Workaround/Solution: Use a supported Windows browser.

CSCea25090

Logged In User not showing after going into enable mode on router

With AAA Accounting for exec sessions configured on a NAS, a user shows up in the Logged-In User report on Cisco Secure ACS. With Accounting also configured for going into enable mode, the user no longer appears in the Logged-In User report after authenticating successfully.

Cisco Secure ACS tracks user sessions by IP address and port number. When enable authentication succeeds, Cisco Secure ACS sees that the IP address and port number combination for the existing session have been reused and assumes that the accounting stop packet was not sent or was lost; therefore, the user session is removed from the Logged-In User report even though the session continues in enable mode.

Because the NAS cannot be configured to send new accounting start packets when the enable mode is entered, the Logged-In User report cannot correctly report the user session as ongoing.

Workaround: None.
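The session-tracking behaviour explained above is easy to misread when you rely on the Logged-In User report for monitoring. The following is an added example, not Cisco code: a small model in which sessions are keyed by (NAS IP address, port) as the explanation describes, replaying the exec-login-then-enable sequence so you can see the session being dropped. The NAS address, port, and user names are constructed, and the `reconcile` helper compares the report with a session list obtained from the NAS itself (also constructed here).

```python
"""Toy model of the Logged-In User report behaviour described for CSCea25090.

Added example, not Cisco code. It shows why an exec session disappears from
the report once accounting for enable mode reuses the same (NAS IP, port) key.
All addresses, ports and user names are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    service: str  # "shell" for an exec session


@dataclass
class LoggedInUserReport:
    # Active sessions keyed by (NAS IP, port), as the explanation describes.
    sessions: dict = field(default_factory=dict)
    # Sessions dropped because the tracker assumed their STOP record was lost.
    assumed_lost: list = field(default_factory=list)

    def accounting_start(self, nas_ip, port, user, service):
        key = (nas_ip, port)
        if key in self.sessions:
            # Key already in use: the old session is assumed to have ended.
            self.assumed_lost.append((key, self.sessions[key]))
        self.sessions[key] = Session(user, service)

    def accounting_stop(self, nas_ip, port):
        self.sessions.pop((nas_ip, port), None)

    def enable_accounting(self, nas_ip, port, user):
        """Accounting record for entering enable mode on an existing line.

        Reuse of an in-use key is read as 'the exec session ended and its STOP
        was lost'. Because the NAS sends no new START for enable mode, nothing
        replaces the dropped session, so the user vanishes from the report.
        """
        key = (nas_ip, port)
        if key in self.sessions:
            self.assumed_lost.append((key, self.sessions.pop(key)))

    def logged_in_users(self):
        return sorted(s.user for s in self.sessions.values())


def simulate_enable_mode():
    """Replay the sequence from the bug: exec login, then enable on the same line."""
    report = LoggedInUserReport()
    report.accounting_start("192.0.2.10", "tty2", "alice", "shell")  # constructed
    after_login = report.logged_in_users()   # ['alice']
    report.enable_accounting("192.0.2.10", "tty2", "alice")
    after_enable = report.logged_in_users()  # [] although alice is still connected
    return after_login, after_enable, list(report.assumed_lost)


def reconcile(report, nas_exec_sessions):
    """Defender-side check: list (NAS IP, port) sessions that the NAS reports as
    open (constructed input here) but that the report has lost track of."""
    return sorted(set(nas_exec_sessions) - set(report.sessions))
```

The practical point is the last function: because the report cannot be made correct for enable-mode sessions, an inventory of who is logged in should be cross-checked against the NAS's own session list rather than taken from the Logged-In User report alone.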

CSCea55457

Radius Attributes do not appear in user/group profile page

After you enable RADIUS attributes in the Interface Configuration section of the Cisco Secure ACS HTML interface, they do not appear or appear only partially in Group Setup or User Setup, as applicable.

Workaround/Solution: Restart the CSAdmin service.

CSCea62226

CSAgent (solaris) - appliance present the RA as running while is not

The HTML interface of a Cisco Secure ACS Appliance indicates that the logging service of a Solaris remote agent is available even though it is not. For Solaris remote agents, the service status displayed for the remote agent in Network Configuration is not reliable.

Workaround/Solution: Log into the computer running the Solaris remote agent to determine if the CSLogAgent process is running.

CSCea74289

cascade replication due to user pass change-dont work

Cascading replication does not occur when the replication trigger is user password change and the primary Cisco Secure ACS is configured to perform replication manually.

Workaround/Solution: Use scheduled replication on the primary Cisco Secure ACS.

CSCea87748

Downloadable ACLs deleted and downsized after backup via CLI

If your Cisco Secure ACS Appliance has downloadable ACLs defined that have more than approximately 31 kilobytes of text in them and you use the system console to back up and restore the database, the downloadable ACLs are truncated to approximately 31 kilobytes or are deleted entirely.

Workaround/Solution: Do not create downloadable ACLs that contain more than 30 kilobytes of data; or, if this is unavoidable, keep text file records of the ACLs so that, if a restoration performed from the system console is necessary, you can recreate the downloadable ACLs.

CSCeb16968

ACS shared profile components disappear with XML error messages

After you upgrade Cisco Secure ACS, authorization support for Management Center (MC) applications, such as Management Center for Firewalls, fails. In the Shared Profile Components section of the Cisco Secure ACS HTML interface, each MC that has registered with Cisco Secure ACS has a set of pages for configuring authorization components. If you access a page for editing or adding authorization components, you see an error message about a missing XML file.

Workaround/Solution: You must use CiscoWorks to re-register all MCs with Cisco Secure ACS.

Log into the CiscoWorks desktop with admin privileges.

Go to Server Configuration > Setup > Security > Select Login Module. Configure CiscoWorks to use the CiscoWorks Local module, and then configure CiscoWorks to use the TACACS+ module.

Go to VPN Security Management Solution > Administration > Common Services > Configuration > AAA Servers. Unregister all MCs and then re-register all MCs.

Log out of CiscoWorks.

CSCeb21037

Windows Remote Agent un-install issue

Uninstalling Cisco Secure Remote Agent for Windows does not remove some subdirectories, such as those that contain log files.

Workaround/Solution: Manually delete the directories left by the uninstallation process.

CSCeb51393

multi-admin needs to be able to add/edit/delete downloadable ACLs

When multiple administrators try to add, edit, or delete downloadable ACLs under Shared Profile Components, after the first administrator submits any changes, the other administrators' ACS sessions lock up.

Workaround: There is no workaround. Administrators must inform each other when they are working on the downloadable ACLs.

CSCeb62898

Group mapping ordering applet is not properly ordered

In a newly created Windows group mapping configuration, group mappings list in the wrong order.

Workaround: On the page for ordering group mappings, order the group mappings and click Submit. As additional mappings are added, they appear properly at the end of the list of mappings.

CSCec61110

authentications on secondary acs may fail after replication

Symptom: In an environment where primary and secondary Cisco Secure ACS servers are kept in sync using the replication feature, user authentication may fail for users defined in an external database, and the Failed Attempts log will contain an "external DB not configured" error.

Conditions: This happens with certain external database types such as LDAP, NDS, and the various token server types. It can't happen with the Windows external DB. By configuring external databases in a different order on the primary and secondary Cisco Secure ACS servers, authentication fails on the secondary server for users defined in the databases configured in a different order. If external databases are configured in same order on primary and secondary servers, this does not happen. For example, if you configure two instances of LDAP external user databases on primary and secondary servers but configure them in different orders, after users are replicated, LDAP authentication attempts fail on the secondary server.

Workaround: For each database type involved in the problem, delete the external databases on all secondary servers and reconfigure them in the same order that they are defined on the primary server. If this fails, delete the affected external databases on the primary and secondary servers and reconfigure them.

CSCec64143

Uninstalling Win Remote Agent when un-install terminates unexpected

When the Windows Remote Agent uninstallation process terminates unexpectedly and cannot be completed, registry keys remain for the remote agent. Further attempts to install the remote agent will fail because of these registry keys.

Workaround: Use regedit to delete all Cisco Remote Agent entries. In the registry, search for "csagent" and "acs agent". Delete all matching entries. If they cannot be deleted, ignore them.

CSCec89440

Unable to edit some of the disabled accounts

The Disabled Accounts report in the Reports and Activity section of the Cisco Secure ACS HTML interface can behave oddly when you access it using an administrator account that doesn't have access to all groups.

If a page of the Disabled Accounts report has users belonging to groups that the administrator cannot access, the report doesn't allow the administrator to move to the next page of the report.

If a user account is configured to be assigned a group by the group mapping feature, the user account appears on the Disabled Accounts report even though the administrator only has access to specific groups.

Workaround: Access the Disabled Accounts report with an administrative account that has permission to access all groups.

CSCed39208

VU: Unable to auto provision with long username

CSCed42437

RADIUS Proxy with Cisco PEAP operates only with RADIUS Aironet

CSCed42439

Active Directory via LDAP - Group Mappings skip first group

When Active Directory is configured as Generic LDAP and group mappings are configured, the first group in the LDAP directory is skipped.

CSCed59826

CSAdmin stops responding when editing java using netscape

CSCed77992

Action Code 211 doesnt return group settings to factory defaults

Action Code 211 doesn't work as documented.

Document states, this code "Resets a Group User record back to its original factory defaults". However some settings are not reset to factory defaults like Shell (exec) and No escape check boxes.

CSCed83628

Replication displays error when nothing to be replicated

In a scheduled replication scheme, a secondary server incorrectly records an error in the replication log when scheduled replication does not occur because no changes have occurred on the primary server. For example, this can occur when the primary and secondary servers are only configured to replicate the user database and network configuration, and then a change is made to Network Configuration on the primary server but no change is made in the user database. At the next scheduled replication, the primary server correctly sends only the network configuration, but the secondary logs an error message that the user database was not received. This is not an error and the message should not be logged.

Workaround: None.

CSCed90144

When deleteing a NAF it should be deleted from the assigned dACLs

Deleting a NAF removes it from Cisco Secure ACS; however, the NAF is still referenced by any downloadable ACLs that referenced it before the NAF was deleted. This causes the downloadable ACLs to fail to download and, as a result, the user to whom the ACLs were to be applied fails to authenticate.

Workaround: When you delete a NAF, examine all downloadable ACL configurations and ensure that the NAF is not referenced by any of them.

CSCee38482

Admin account can see all users that are dynamically mapped

A local admin can see dynamically mapped users.

Workaround: The view is read-only. There is no other workaround at this time until the bug is fixed.

CSCee58593

CSAdmin restart during Replication between two ACS SW in slow link

During replication between two Cisco Secure ACSes over a slow link (128k), the services of the primary ACS restart after the timeout configured on the CiscoSecure Database Replication page expires with replication not yet completed. The services that restart are:

CSAdmin

CSAuth

CSTacacs

CSRadius

CSCee62147

when create CRL with CTL contains two or more CA they change uncheck

When you configure a CRL, you associate it with a specific CA that you have enabled on the certificate trust list (CTL). Once the CRL is associated with the CA, the checkbox for enabling the CA on the CTL is not shown. This is intentional; however, if any other CA certificate in local storage has the exact same CN as the CA associated with the CRL, the checkboxes for those other CAs also are not shown. This is unintentional.

Workaround: To make the checkboxes accessible on the CTL, temporarily select a different CA for the CRL, make the configuration changes needed in the CTL, and then reselect the original CA for the CRL.

CSCee68644

SPC type created by EMBU DLL returns errors in Name field

For an SPC component created by MC-based applications, the "Name" field is not limited to the intended 31 characters; it allows many more to be entered and then returns an error message to the user. The following pattern of errors occurs:

If the name is fewer than 28 characters, the name is accepted.

If the name is between 28 and 34 characters, the message "Internal Error, Failed to locate or create record for update" is displayed.

If the name is more than 34 characters, the message "Name is invalid or contains illegal characters" is displayed.

The maximum length of the name should be limited in the UI.

CSCee77099

navigation bar(buttons) disappear after exit from Global Auth page

The navigation bar (button bar on the left) in the HTML interface may disappear after the following sequence:

1. Click System Configuration > ACS Certificate Setup > Certificate Revocation Lists.

2. Click an "Issuer Friendly Name".

3. Click Cancel three times, which returns you to the System Configuration page.

4. Click Global Authenticate Setup.

5. Click Cancel.

6. The navigation bar disappears.

Workaround: Log out of the HTML interface and log in again.

CSCee78472

Netscape prevent pressing links inside the Logging configuration

Using Netscape Communicator 7.1 on Windows 2000 Server to access the HTML interface of Cisco Secure ACS can result in a "The document contains no data" error message from Netscape.

Workaround: Use a different supported browser.

CSCee81070

ACS install fails if installing on machine with running Remote Agent

If Cisco Secure ACS Remote Agent is already installed on a computer on which you later attempt to install Cisco Secure ACS for Windows Server, the installation of Cisco Secure ACS for Windows Server fails.

Workaround: Stop the remote agent service (CSAgent) before beginning the installation of Cisco Secure ACS for Windows Server.

CSCee83687

Wrong application name is being displayed

When more than one network admission control (NAC) attribute (also known as a credential) has the same application type ID but the application names are different, Cisco Secure ACS always displays the application name associated with the lowest vendor ID.

For example, if there are two credential types, VENDOR:AV (3000:03) and Cisco:Example (9:3), on the mandatory credentials list for configuring a NAC database, where "VENDOR:AV" should appear, Cisco Secure ACS will display "VENDOR:Example".

This problem is not obvious at first because the default attributes in Cisco Secure ACS that have the same application ID but different vendor IDs coincidentally do use the same application name. The problem arises when you add attributes that use a different application name but an application ID that is used by other attributes.

Workaround: Avoid adding NAC attributes whose application name is different than the application name used by other NAC attributes with the same application ID.
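The display rule described above (application name taken from the attribute with the lowest vendor ID among those sharing an application type ID) can be checked for before attributes are added, which is what the workaround asks you to do by hand. The following is an added example, not Cisco code: it models that display rule over a constructed attribute list and reports the application IDs whose attributes disagree on the application name. The vendor names, attribute names and the `SAMPLE_ATTRIBUTES` list are constructed for the example; only the two credential types VENDOR:AV (3000:03) and Cisco:Example (9:3) come from the bug text.

```python
"""Check a NAC attribute (credential) list for the condition behind CSCee83687.

Added example, not Cisco code. The attribute list and vendor names are
constructed; the display rule modelled is the one in the bug explanation:
ACS shows the application name of the attribute with the lowest vendor ID
among all attributes that share an application type ID.
"""
from collections import defaultdict

# Constructed vendor labels for the example output.
VENDOR_NAMES = {9: "Cisco", 3000: "VENDOR"}

# Constructed sample: (vendor ID, application type ID, application name, attribute name).
SAMPLE_ATTRIBUTES = [
    (9, 1, "PA", "Application-Posture-Token"),
    (9, 2, "Host", "OS-Type"),
    (9, 3, "Example", "Version"),      # Cisco:Example (9:3), from the bug text
    (3000, 3, "AV", "Dat-Version"),    # VENDOR:AV (3000:03), from the bug text
]


def displayed_names(attributes):
    """Model the buggy display: per application ID, the name of the lowest vendor ID."""
    lowest = {}
    for vendor_id, app_id, app_name, _ in attributes:
        if app_id not in lowest or vendor_id < lowest[app_id][0]:
            lowest[app_id] = (vendor_id, app_name)
    return {app_id: name for app_id, (_, name) in lowest.items()}


def find_name_conflicts(attributes):
    """Return {app_id: {vendor_id: app_name}} for application IDs whose attributes
    disagree on the application name. These are the additions the workaround
    says to avoid; an empty result means the display will be correct."""
    by_app = defaultdict(dict)
    for vendor_id, app_id, app_name, _ in attributes:
        by_app[app_id][vendor_id] = app_name
    return {app_id: names for app_id, names in by_app.items()
            if len(set(names.values())) > 1}


def mislabelled_attributes(attributes):
    """List (label as configured, label ACS would display) for every attribute
    whose application name differs from the one ACS picks for its application ID."""
    shown = displayed_names(attributes)
    result = []
    for vendor_id, app_id, app_name, _ in attributes:
        if shown[app_id] != app_name:
            vendor = VENDOR_NAMES.get(vendor_id, str(vendor_id))
            result.append((f"{vendor}:{app_name}", f"{vendor}:{shown[app_id]}"))
    return result
```

Run `find_name_conflicts` over the full attribute list each time a custom attribute is added; with the sample list it flags application ID 3, and `mislabelled_attributes` reproduces the "VENDOR:AV" shown as "VENDOR:Example" case from the explanation.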

CSCee83875

Restoring to ACS Win from ACS Sol. Engine lost Interface Cfg. data

When a backup from a Cisco 1112 appliance was restored to Cisco Secure ACS for Windows Server, the Interface Configuration attributes, including TACACS+ and RADIUS attributes, were not the same as they were on the appliance.

Also when HTTPS was enabled on the appliance, HTTPS wasn't enabled after restoring the backup to Cisco Secure ACS for Windows Server. Instead, only HTTP was used.

These problems did not occur when a backup from Cisco Secure ACS for Windows Server was restored in Cisco Secure ACS Solution Engine.

CSCee83977

Change in NAF is not valid until the services are restarted

Given an IP-based NAR with NAF as its AAA client, if a change occurs in the NAF configuration, such as selection of a different NDG or a change to an IP range, the NAF change does not affect the NAR using the NAF until the ACS services are restarted.

Workaround: Restart ACS services.

CSCee84044

Restore form SW to APPL delete all CNAC attributes from remote agent

CSCee84048

New attributes do not replicate to remote agent

CSCee86457

MS PEAP pwd change not work for unknown user with CNAC

When using the external Windows database together with a different type of external user database, if a user is not cached in the internal database and the user must change the password at first login, the password change fails.

Workaround:

1. If more than one database is included in the Selected Databases list on the Unknown User Policy page, change the order of the databases in that list so that the Windows database is NOT first.

2. Use the Windows database only (without any additional databases).

CSCee87726

CSA installation could be initiated although CSA is already instaled

When you attempt to install the Cisco Security Agent patch to ACS Solution Engine using the CLI upgrade command, if the CSA patch is already present, the installation does not provide a message that CSA is already installed and running and the installation does not fail gracefully.

Workaround: Before installing anything on an ACS Solution Engine, check to see if CSA is installed and running. You can do this by using the show command at the CLI or by viewing the Appliance Configuration page in the HTML interface. If CSA is installed and running, you must disable it before applying any patch or upgrade; otherwise, the installation will fail.

CSCee87826

A deleted policy is being reassign when created with the same name

If you delete a NAC policy while it is assigned to NAC databases and then create a new policy with the same name, ACS automatically assigns the newly created policy to the databases that the deleted policy was assigned to. An example scenario:

1. Local policy 'policy1' is assigned to NAC database 'CNAC-DB1'.

2. 'policy1' is also assigned to NAC database 'CNAC-DB2'.

3. Customer edits 'CNAC-DB2' and deletes 'policy1'.

4. 'policy1' disappears from 'CNAC-DB1' as well.

5. Customer creates a new policy named 'policy1'.

6. ACS assigns the new policy named 'policy1' to 'CNAC-DB1'.

Workaround: Use unique names for policies and never reuse them. Also, before you delete a policy, remove it from all NAC databases except the one database you use to access the policy when you delete it.

CSCee87899

Replication of CNAC policies should be updated in the doc

Documentation incorrectly states that replication of NAC policies is affected by the order in which the NAC databases are created on the primary and secondary ACSes. This is wrong.

Also, the following information is missing from the user guide and online documentation:

NAC databases are not replicated, just as any external user database configurations are not replicated, but local and external NAC policies are replicated; therefore, to ensure that replicated policies are associated with the correct NAC databases on secondary ACSes, you must take the following steps on each secondary ACS that receives replicated NAC policies:

1. For each NAC database on the primary ACS, create a NAC DB of the same name on the secondary ACS.

2. In each NAC database, define the same mandatory credentials.

3. For each policy on the primary ACS, create policies with the same names on the secondary ACS.

4. Assign the policies to the NAC databases on the secondary ACS in the same way they are assigned on the primary ACS.

When replication occurs, the NAC database configurations on the secondary are not affected, including how policies are assigned to them, but the contents of the policies are updated to reflect any changes on the primary ACS.

CSCee88831

days-since-last-update operator should compare to GMT

Whenever ACS uses the operator days-since-last-update to evaluate a network admission control attribute, ACS compares the time that it got from the NAC client to ACS local time instead of comparing to Greenwich Mean Time (GMT).

Workaround: Set local time on the ACS server to GMT.

CSCee88908

CSLog crash if a logged attribute is deleted due to replication

The CSLog service on a secondary ACS will not stop or start under the following conditions:

1. Primary and secondary ACSes (either Windows or Solution Engine) have custom NAC attributes

2. Custom NAC attributes on the primary ACS have been deleted

3. The NAC attributes deleted on the primary ACS are selected to be logged on the secondary ACS

4. Replication succeeded

If you encounter this problem, please call TAC for assistance.

Workaround: If you delete NAC attributes on a primary ACS, be sure that the NAC attributes are deleted on secondary ACSes BEFORE the next replication event.

CSCee89510

dates are logged in local time instead of GMT

NAC attributes in date format are in the GMT timezone. When ACS logs these attributes, it converts them to the ACS local timezone (the timezone of the ACS server).

Workaround: Configure ACS to use the GMT timezone.
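The two timezone problems above (CSCee88831, where days-since-last-update is compared against ACS local time instead of GMT, and CSCee89510, where date-format attributes are logged in local time) have a concrete effect on posture decisions and on log correlation. The following is an added example, not Cisco code: it models both behaviours with Python's datetime module. The server timezone (UTC-8), the timestamps, and the "older than 5 days is stale" policy rule are constructed for the example; the function names are hypothetical and do not correspond to ACS internals.

```python
"""Added example (not Cisco code) modelling CSCee88831 and CSCee89510.

SERVER_TZ, the timestamps and the staleness threshold are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed: the ACS server's local zone in this scenario (UTC-8, no DST).
SERVER_TZ = timezone(timedelta(hours=-8))
UTC = timezone.utc


def days_since_last_update(last_update_utc, now_utc):
    """Correct evaluation: both values are timezone-aware UTC datetimes."""
    return (now_utc - last_update_utc).days


def days_since_last_update_buggy(last_update_utc, now_utc, server_tz):
    """Model of CSCee88831: the client's GMT value is compared with the server's
    local wall-clock time as if both were in the same zone. With server_tz set
    to UTC (the workaround) the result equals the correct one."""
    now_local_wall = now_utc.astimezone(server_tz).replace(tzinfo=None)
    return (now_local_wall - last_update_utc.replace(tzinfo=None)).days


def is_stale(days, threshold):
    """Constructed policy rule: more than `threshold` days since update is stale."""
    return days > threshold


def log_date_attribute(value_utc, server_tz):
    """Model of CSCee89510: the GMT value as it appears in the log, rewritten in
    server local time."""
    return value_utc.astimezone(server_tz).strftime("%Y-%m-%d %H:%M:%S")


def logged_value_to_utc(logged, server_tz):
    """Reverse the conversion when correlating the log with the client's GMT values;
    requires knowing the server's timezone at logging time."""
    naive = datetime.strptime(logged, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=server_tz).astimezone(UTC)


def scenario_inputs():
    """Constructed timestamps: the client's last update (GMT) and the evaluation time."""
    last_update = datetime(2005, 6, 1, 20, 0, tzinfo=UTC)
    now = datetime(2005, 6, 8, 3, 0, tzinfo=UTC)
    return last_update, now


def scenario():
    """Evaluate the constructed 5-day rule both ways and show what gets logged."""
    last_update, now = scenario_inputs()
    correct = days_since_last_update(last_update, now)                   # 6
    buggy = days_since_last_update_buggy(last_update, now, SERVER_TZ)    # 5
    return {
        "correct_days": correct,
        "buggy_days": buggy,
        "correct_stale": is_stale(correct, 5),   # True: client should be quarantined
        "buggy_stale": is_stale(buggy, 5),       # False: server west of GMT undercounts
        "logged": log_date_attribute(last_update, SERVER_TZ),  # "2005-06-01 12:00:00"
    }
```

In this scenario a server west of GMT undercounts elapsed time, so a client whose signatures are genuinely older than the threshold is judged compliant; a server east of GMT overcounts and rejects compliant clients. Either way, the workaround of running the ACS clock in GMT makes the buggy comparison agree with the correct one, and the logged-value conversion is only needed for logs written before that change.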


Resolved Problems

Table 4 describes problems resolved in Cisco Secure ACS Solution Engine, version 3.3.


Note: Bug summaries in Table 4 are printed word-for-word as they appear in our bug tracking system.


Table 4 Resolved Problems in Cisco Secure ACS, Version 3.3 

Bug ID
Summary
Explanation
Resolved Problems Specific to Cisco Secure ACS Solution Engine

CSCdz06719

Support cmd allows illegal values

The support command allows only valid values.

CSCdz61454

FTP Restore button is not working on Solaris

The Restore button works correctly when you use the supported Netscape browser and Solaris operating system.

CSCdz73781