Table Of Contents
Release Notes for Cisco Secure ACS
Solution Engine 4.0
Contents
New and Changed Information
New Quanta 1113 Platform
New Hotfixes in ACS SE 4.0
ACS Remote Agent for Windows
SNMP Support and CSA Integration
ACS New Features
Support for NAC 2.0
LDAP Improvements
Support for Linux Packages in Posture Validation
Product Documentation
Supported Databases
Installation Notes
Installing from the ACS SE 1111 (HP) Recovery CD
Software Compatibility
Upgrading and Migrating to ACS SE 4.0
Upgrade Paths
Migration Paths
Post-Upgrade Configuration
Upgrading From Version 3.3
Tested Windows Security Patches for ACS Remote Agent
Documentation Updates
Supported Databases
Replication with Different Send and Receive Configurations
Submit and Apply Button Changed to Apply Button
Security Advisory
Known Problems
Cisco AAA Client Problems
Known Microsoft Problems
Known Problems with ACS 4.0
Resolved Problems
Documentation Updates
Obtaining Documentation
Cisco.com
Product Documentation DVD
Ordering Documentation
Documentation Feedback
Cisco Product Security Overview
Reporting Security Problems in Cisco Products
Obtaining Technical Assistance
Cisco Technical Support & Documentation Website
Submitting a Service Request
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Release Notes for Cisco Secure ACS
Solution Engine 4.0
March 2007
Full Build Numbers:
•
4.0.1.44 (1113-Quanta)
•4.0.1.42 (1112-Quanta)
•4.0.1.43 (1111-HP)
These release notes pertain to Cisco Secure Access Control Server Solution Engine release 4.0, hereafter referred to as ACS SE.
The ACS release numbering system for software includes major release, minor release, maintenance build, and interim build number in the MMM.mmm.###.BBB format. For this release, the versioning information is:
•Cisco Secure ACS 4.0.1.44 for Quanta (1113)
•4.0.1.42 for Quanta (1112)
•ACS 4.0.1.43 for HP (1111)
Elsewhere in this document where 4.0 is used, we are referring to 4.0.1. ACS major release numbering starts at 4.0.1, not 4.0.0. Use this information when working with your customer service representative.
Contents
These release notes provide:
•New and Changed Information
•Product Documentation
•Supported Databases
•Installation Notes
•Security Advisory
•Known Problems
•Resolved Problems
•Documentation Updates
•Obtaining Documentation
•Documentation Feedback
•Cisco Product Security Overview
•Obtaining Technical Assistance
•Obtaining Additional Publications and Information
New and Changed Information
This section contains new and changed information for ACS SE 4.0:
•New Quanta 1113 Platform
•New Hotfixes in ACS SE 4.0
•ACS Remote Agent for Windows
•SNMP Support and CSA Integration
•ACS New Features
New Quanta 1113 Platform
The ACS SE 1113 release consists of a new hardware device that replaces the previous ACS SE 1112 device. The ACS SE 1113 device conforms to Reduction in Hazardous Substances (RoHS) directives of the European Economic Community (EEC)—Directive 73/23/EEC and Directive 89/336/EEC as amended by Directive 93/68/EEC.
New Hotfixes in ACS SE 4.0
The ACS SE base image contains the following Microsoft hotfixes:
•KB822831—BUG: Driver installation program does not install device drivers.
•KB823980—MS03-026: Buffer overrun in RPC may allow code execution.
•KB824105—MS03-034: Flaw in NetBIOS could lead to information disclosure.
•KB824146—MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs.
•KB828028—MS04-007: An ASN.1 vulnerability could allow code execution.
•KB828741—MS04-012: Cumulative Update for Microsoft RPC/DCOM.
•KB835732—MS04-011: Security Update for Microsoft Windows.
•KB893066—MS05-019: Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service.
For more information about these hotfixes, see the Microsoft website.
ACS Remote Agent for Windows
ACS Remote Agent for Windows is now supported on Japanese Windows 2000 and Japanese Windows 2003.
SNMP Support and CSA Integration
The following features were introduced in ACS SE 3.3:
•Support for Simple Network Management Protocol (SNMP).
•Integration of Cisco Security Agent in the ACS SE base image.
These features are described in the User Guide for Cisco Secure ACS Solution Engine.
ACS New Features
ACS contains the following new and changed features:
•New RoHS Solution Engine platform. The ACS SE 1113 release consists of a new hardware device that replaces the previous appliance hardware device (the ACS SE 1112 device). The ACS SE 1113 device conforms to Reduction in Hazardous Substances (RoHS) directives of the European Economic Community (EEC)—Directive 73/23/EEC and Directive 89/336/EEC as amended by Directive 93/68/EEC.
•Network Admission Control (NAC) Release 2.0 support—ACS acts as a policy decision point in NAC deployments. Using configurable policies, it evaluates the credentials received from the Cisco Trust Agent, determines the state of the host, and sends a per-user authorization to the network access device: access control lists (ACLs), a policy-based ACL, or a private VLAN assignment. Evaluation of the host credentials can enforce many specific policies, such as OS patch level and antivirus DAT file version. ACS records the policy evaluation results for use with your monitoring system. ACS also allows third-party audit vendors to audit hosts without the appropriate agent technology before granting network access. ACS policies can be extended with external policy servers to which ACS forwards credentials. For example, credentials specific to an antivirus vendor can be forwarded to the vendor's antivirus policy server, and audit policy requests can be forwarded to audit vendors. For more information about the new ACS features to support NAC 2.0, see Support for NAC 2.0.
•Increased number of supported devices—ACS can now support up to 35,000 devices.
•Profile-based authentication and authorization—A new feature called network access profiles allows administrators to classify access requests according to network location, membership in a network device group, protocol type, or other specific RADIUS attribute values sent by the network device through which the user connects. Authentication, access control, posture validation and authorization policies can be mapped to specific profiles. An example of a profile-based policy is the ability to apply a different access policy for wireless access versus remote Virtual Private Network (VPN) access.
•New storage infrastructure—ACS now uses an SQL database to store all the user and configuration information. The new ACS internal database improves scaling and performance, and is less reliant on the Windows Registry. The Windows Registry will be used only for application information. A new database password is required during installation. The password is stored in the Windows registry using Microsoft Crypto API. The database is encrypted by using a hash of customer-provided password and an internal password. You can use the ACS SE CLI to change the password.
•LDAP improvements—ACS caches successful external authentications (by using LDAP), allowing it to immediately look up a user during reauthentication. ACS provides improved SSL support. See LDAP Improvements, for more information.
•Japanese browser support—Supports administration of ACS by using MS Internet Explorer 6.0 SP1 and Netscape Communicator 8.0.4 with Sun Java JRE 1.5.0; or MS Internet Explorer 6.0 SP1 with Microsoft Java Virtual Machine, which is installed on Japanese Windows Operating System (JOS). This feature is supported for entering data in English (not Japanese).
•TACACS+ and RADIUS key support at group level—Ability to set a shared secret at the group level (Network Device Group).
•Purging capability for cached users in ACS—Ability to remove dynamically saved users from the ACS database via User Setup.
•Authentication improvements:
–Support for the Microsoft Windows Callback feature.
–Ability for external users to authenticate via an enable password.
–Certificate revocation list checking during EAP-TLS authentication.
•NTLM support—ACS can now operate with Windows NT LAN Manager (NTLM) v1, NTLM v2 (with appropriate Microsoft patches), and LAN Manager (if you require it).
•External Novell NDS database support—Support for group mappings for external Novell NDS databases is now done by using generic LDAP group set mappings.
•Extended replication support—Administrators can now replicate network access profiles and all related configuration, including:
–Posture validation settings
–AAA clients and hosts
–External database configuration
–Global authentication configuration
–Network device groups
–Dictionaries
–Shared profile components
–Additional logging attributes
•Machine Access Restrictions (MAR) Exemption Lists—You can specify which groups are allowed access to the network; regardless of whether they pass machine authentication. A MAR exemption list can be configured for specific user groups (for example, managers and administrators).
•RADIUS Authorization Component (RAC) support—Includes RADIUS authorization components as a new type of shared profile component. Shared RACs contain groups of RADIUS attributes that you can dynamically assign to user sessions based on a policy.
•Support of additional Cisco hardware devices—ACS 4.0 includes support for Cisco wireless LAN controllers and Cisco adaptive security appliances.
•Online documentation—The online documentation for ACS Solution Engine opens in a separate window, and contains all the information in the User Guide for Cisco Secure ACS Solution Engine. You can search the online documentation by using the Search button, and you can open a PDF version of the user guide.
Support for NAC 2.0
The following features support NAC 2.0:
•EAP-FAST Version 1a support for NAC phase 2—Supports an authenticated tunnel (by using the server certificate) inside of which the provisioning of PACs will occur. EAP types supported inside the tunnel include:
–EAP-GTC
–EAP-MSCHAPv2
–EAP-TLS
•Agentless host support—Support for Cisco and third-party audit servers that determine posture information about a client, without relying on the presence of a NAC-compliant Posture Agent (PA). These types of clients are also called NAC Agentless Hosts (NAH).
•Linux packages support in posture validation—Supports Linux packages for the Cisco:Host plugin. The following extended attributes are available for Linux packages:
–Cisco:Host:Package:Version.
–Cisco:Host:Package:Version-String.
For additional details, see Support for Linux Packages in Posture Validation.
•Posture Validation:
–Support for an external audit server, which determines posture information about a host without relying on the presence of a Posture Agent (PA).
–Posture validation no longer requires NAC databases to verify compliance. The three options from which to choose for validation are:
- internal policies located in ACS
- policies defined on external servers
- policies defined on audit servers for NAC agentless hosts
–Authorization for posture validation is now configured within the Network Access Profiles feature. Posture validation no longer requires special authorization rules.
–This product release includes changes to optimize posture validation. In previous versions, ACS requested all the credentials by using the type-length-value (TLV) protocol. ACS has been optimized to request only the attributes that are required to evaluate posture validation.
LDAP Improvements
The ACS authentication and authorization service, CSAuth, supports multithreading to authenticate with the LDAP external database. Multiple users can simultaneously be searched and authenticated against the LDAP server(s).
LDAP over SSL now includes the option to authenticate by using certificate database files other than the Netscape cert7.db file. This new option uses the same mechanism as other Secure Sockets Layer (SSL) installations in the ACS environment.
When ACS checks authentication and authorization of a user on the LDAP server, it uses a connection with LDAP administrator account permissions to search for the user and for the users groups on the directory subtree. ACS keeps those administrator connections open for successive use. It is possible to limit the maximum number of concurrent administrator connections per generic LDAP external database configuration (primary and secondary).
After an LDAP user is successfully authenticated to the LDAP external database, its distinguished name (DN) on the LDAP server is cached in ACS. The cached DN is used during the next authentication request of the user to save search time.
Support for Linux Packages in Posture Validation
ACS 4.0 supports Linux packages for the Cisco:Host plugin. The following extended attributes are available for Linux packages:
•Cisco:Host:Package:Version
•Cisco:Host:Package:Version-String
The following Linux packages are supported:
•acrobat;cpio;cups;curl;cvs;cyrus-sasl;emacs;enscript;ethereal;evolution;gaim;gd;gdk-pixbuf;glibc;
•gnome-vfs2;gnupg;gtk2;httpd;ia32el;imagemagick;imap;imlib;iproute;ipsec-tools;kdegraphics;
•kdelibs;kdenetwork;kdepim;kernel;krb5;less;lftp;lha;libpng;libtiff;libxml;libxml2;mailman;mod_python;
•mozilla;mutt;mysql;mysql-server;nasm;net-snmp;netpbm;nfs-utils;openmotif;openoffice.org;
•openssh;openssl;perl;perl-dbi;php;postgresql;pwlib;python;qt;realplayer;redhat-config-nfs;
•rh-postgresql;rsh;rsync;ruby;samba;sharutils;slocate;sox;spamassassin;squid;squirrelmail;sysstat;
•tcpdump;telnet;tetex;utempter;vim;xchat;xemacs;xfree86;xloadimage;xpdf;zip
You can add or remove attribute packages in the NAC Attributes Management Page in the ACS SE web interface.
Extended attributes are only supported as descendants of the Cisco:Host application.
Product Documentation
Table 1 describes the product documentation for ACS SE 4.0.
Supported Databases
The various databases that ACS supports provide uneven support for the various password protocols that ACS SE supports for authentication.
Note In the User Guide for Cisco Secure ACS Solution Engine 4.0, the tables that summarize database compatibility for the protocols that ACS supports state incorrectly that ACS SE supports ODBC databases. Table 2 and Table 3 correct this error.
Table 2 specifies non-EAP authentication protocol support.
Table 2 Non-EAP Authentication Protocol and User Database Compatibility
Database
|
ASCII/PAP
|
CHAP
|
ARAP
|
MS-CHAP v.1
|
MS-CHAP v.2
|
ACS
|
Yes
|
Yes
|
Yes
|
Yes
|
Yes
|
Windows SAM
|
Yes
|
No
|
No
|
Yes
|
Yes
|
Windows AD
|
Yes
|
No
|
No
|
Yes
|
Yes
|
LDAP
|
Yes
|
No
|
No
|
No
|
No
|
ODBC
|
No
|
No
|
No
|
No
|
No
|
LEAP Proxy RADIUS Server
|
Yes
|
No
|
No
|
Yes
|
Yes
|
All Token Servers
|
Yes
|
No
|
No
|
No
|
No
|
Table 3 specifies EAP authentication protocol support.
Table 3 EAP Authentication Protocol and User Database Compatibility
Database
|
LEAP
|
EAP-MD5
|
EAP-TLS
|
PEAP (EAP-GTC)
|
PEAP (EAP-MS
CHAPv2)
|
EAP-FAST Phase Zero
|
EAP-FAST Phase Two
|
ACS
|
Yes
|
Yes
|
Yes
|
Yes
|
Yes
|
Yes
|
Yes
|
Windows SAM
|
Yes
|
No
|
No
|
Yes
|
Yes
|
Yes
|
Yes
|
Windows AD
|
Yes
|
No
|
Yes
|
Yes
|
Yes
|
Yes
|
Yes
|
LDAP
|
No
|
No
|
Yes
|
Yes
|
No
|
No
|
Yes
|
ODBC
|
No
|
No
|
No
|
No
|
No
|
No
|
No
|
LEAP Proxy RADIUS Server
|
Yes
|
No
|
No
|
Yes
|
Yes
|
Yes
|
Yes
|
All Token Servers
|
No
|
No
|
No
|
Yes
|
No
|
No
|
No
|
Installation Notes
This section provides information about installing and upgrading ACS SE and ACS Remote Agents:
•Installing from the ACS SE 1111 (HP) Recovery CD
•Software Compatibility
•Upgrading and Migrating to ACS SE 4.0
•Tested Windows Security Patches for ACS Remote Agent
Note You should view ACS SE only via a console by using a serial port. We do not recommend using a monitor via the VGA port. If you use a monitor via the VGA port, you will see Windows error messages when starting ACS SE. You can ignore these messages and there is no need to reboot.
Installing from the ACS SE 1111 (HP) Recovery CD
When installing from the Recovery CD for ACS SE 1111 (HP), you might encounter the following issues:
•After installation completes, the ACS SE reboots, performs some configurations, and reboots again. The configurations that occur after the first reboot take a significant amount of time, during which there is no feedback, which is normal system behavior. If, after about an hour, the CLI Initial Configuration screen does not appear, switch off the appliance, and switch it on again. Refer to CSCsc90467.
•After initial configuration ends, if you cannot access the web interface, use the CLI command, reboot, to restart the appliance. Refer to CSCsd20149.
Note These problems occur only on ACS SE 1111 (HP), after installing from the Recovery CD, when performing a full upgrade, including the appliance base image. If you are not upgrading the appliance base image, you do not need to install from the Recovery CD.
Software Compatibility
See the Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Solution Engine on Cisco.com.
Upgrading and Migrating to ACS SE 4.0
You can upgrade your existing ACS SE appliance with the latest ACS software, appliance management software, and appliance base image. For detailed instructions see Installation Guide for Cisco Secure ACS Solution Engine on Cisco.com.
You can migrate from an existing ACS SE appliance (ACS SE 1111 or 1112) to the ACS SE 1113 by making a backup of the installation on the existing hardware device (SE 1111 or 1112) and then performing a restore of the installation on the new hardware device (SE 1113).
Note ACS Release 3.x is not supported on the SE 1113 platform.
If the existing ACS SE appliance has a previous software version, you must first upgrade the existing appliance to software version 4.0.
For detailed information, see Chapter 5 of the Installation and Setup Guide for the Cisco Secure ACS Solution Engine, "Upgrading and Migrating to Cisco Secure ACS Solution Engine."
Upgrade Paths
ACS supports the following upgrade paths. These paths have been tested and are supported:
•ACS SE release 3.3.3 to ACS SE release 4.0.
•ACS SE, release 3.3.2 to ACS SE 4.0.
•ACS SE, release 3.3.1 to ACS SE 4.0.
•ACS SE, release 3.2.3 to ACS SE 4.0.
•ACS SE versions before ACS SE 3.2.3, first upgrade to ACS SE 3.3.3, then to ACS SE 4.0. For information about upgrading to ACS SE 3.3.3, see Release Notes for Cisco Secure ACS Solution Engine 3.3.3 on Cisco.com.
Migration Paths
ACS supports the migration path from ACS for Windows 4.0 to ACS SE 4.0. Before performing migration, you must first upgrade ACS for Windows to version 4.0.
The following migration paths have been tested and are supported:
•Upgrade ACS for Windows, release 3.0.4, via 3.3.3, to ACS for Windows, release 4.0. Migrate to ACS SE 4.0.
•Upgrade ACS for Windows, release 3.2.3, to ACS for Windows, release 4.0. Migrate to ACS SE 4.0.
•Upgrade ACS for Windows, release 3.3.1, to ACS for Windows, release 4.0. Migrate to ACS SE 4.0.
•Upgrade ACS for Windows, release 3.3.2, to ACS for Windows, release 4.0. Migrate to ACS SE 4.0.
•Upgrade ACS for Windows, release 3.3.3, to ACS for Windows, release 4.0. Migrate to ACS SE 4.0.
For ACS SE versions before ACS SE 3.2.3, first upgrade to ACS SE 3.3.3, then to ACS SE 4.0. For information about upgrading to ACS SE 3.3.3, see Release Notes for Cisco Secure ACS Solution Engine 3.3.3 on Cisco.com.
Post-Upgrade Configuration
After upgrading to ACS 4.0, you may need to perform additional configuration steps to successfully use ACS and Network Access Profiles (NAP). If you used NAC in ACS 3.3, ACS will not operate in an identical manner in ACS 4.0. For example, you must create a new set of authorization rules for Network Access Profiles that are created during the upgrade process.
Upgrading From Version 3.3
The following actions are performed automatically when you upgrade from ACS 3.3 to ACS 4.0:
1. Local and external posture policies are automatically transformed.
2. A single NAP, (configured for NAC only) is created as a process of the upgrade.
3. Each instance of the selected ACS 3.3 Network Posture Validation Database will automatically be transformed into a posture validation rule. All the rules will be associated with the NAP that was created (in step 2). All PA message and URL redirects are mapped correspondingly.
4. A RADIUS Authorization Component will be created for each mapped group. ACS populates the RAC with all attributes that were configured in the user or group setup menus, except for the posture-token Cisco-av-pair. Since ACS dynamically updates the posture-token Cisco-av-pair attribute at runtime, there is not need to configure it manually.
5. If you manually added posture validation attributes in ACS 3.3, they will be added to the ACS version 4.0 posture dictionary during the upgrade.
Tested Windows Security Patches for ACS Remote Agent
Cisco Systems officially supports and encourages the installation of all Microsoft security patches for Windows 2000 Server and Windows Server 2003 as used for ACS Remote Agent for Windows.
Cisco experience has shown that these patches do not cause any problems with the operation of ACS Remote Agent for Windows. If the installation of one of these security patches does cause a problem with ACS, please contact Cisco Technical Assistance Center (TAC) and Cisco will resolve the problem as quickly as possible.
ACS Remote Agent for Windows has been tested with the Windows Server 2003 patches documented in the following Microsoft Knowledge Base Articles:
•819696
•823182
•823559
•824105
•824141
•824146
•825119
•828028
•828035
•828741
•832894
•835732
•837001
•837009
•839643
•840374
ACS has been tested with the Windows 2000 Server patches documented in the following Microsoft Knowledge Base Articles:
•329115
•823182
•823559
•823980
•824105
•824141
•824146
•825119
•826232
•828035
•828741
•828749
•835732
•837001
•839643
Documentation Updates
This section corrects errors and omissions in the ACS user documentation:
•Supported Databases
•Replication with Different Send and Receive Configurations
•Submit and Apply Button Changed to Apply Button
Supported Databases
In the User Guide for Cisco Secure ACS Solution Engine 4.0, the tables that summarize database compatibility for the protocols that ACS supports state incorrectly that ACS SE supports ODBC databases. Table 2 and Table 3 in Supported Databases correct this error.
Replication with Different Send and Receive Configurations
The user guide states that the primary ACS compares the list of database components that it is configured to send with the list of database components that the secondary ACS is configured to receive. If the secondary ACS is not configured to receive any of the components that the primary ACS is configured to send, the database replication fails.
The previous information is incorrect (bug CSCsg93907).
The primary ACS first synchronizes with the secondary ACS, and sends only the components that the secondary ACS is configured to receive. The primary ACS does not send components that the secondary ACS is not configured to receive, even if you configure the primary ACS to send those components. Thus, database replication does not fail when different send and receive configurations exist on the primary and secondary ACS.
Submit and Apply Button Changed to Apply Button
In several parts of the User Guide for Cisco Secure ACS Solution Engine 4.0, the documentation instructs the reader to click Submit + Apply to save and apply configuration changes. In release 4.0, the Apply button replaces the Submit + Apply button.
Click the Apply button to save and apply configuration changes.
Security Advisory
Cisco issues a security advisory when security issues directly impact its products and require action to repair. For the list of security advisories for Cisco Secure on Cisco.com, see the Cisco Security Advisory: Multiple Vulnerabilities in Cisco Secure Access Control Server at:
http://www.cisco.com/en/US/products/products_security_advisories_listing.html
Known Problems
The following problems exist in this release:
•Cisco AAA Client Problems
•Known Microsoft Problems
•Known Problems with ACS 4.0
Cisco AAA Client Problems
Refer to the appropriate release notes for information about Cisco AAA client problems that might affect the operation of ACS. You can access these release notes online at Cisco.com. For NAC-specific client problems, go to http://www.cisco.com/go/NAC.
Known Microsoft Problems
Due to a defect in the Microsoft PEAP supplicant provided in the Windows XP Service Pack 2, the PEAP supplicant cannot reauthenticate successfully with ACS. Cisco has opened case SRX040922603052 with Microsoft on this issue. Customers who are affected by this problem should open a case with Microsoft and reference this case ID. Microsoft has prepared hotfix KB885453, which resolves the issue.
Known Problems with ACS 4.0
Table 4 contains problems known to exist in ACS SE 4.0.
Table 4 Known Problems in ACS SE 4.0
Bug ID
|
Summary
|
Explanation
|
Appliance-specific bugs
|
CSCse04125
|
SNMP ports on the ACS SE 1113 can be assigned incorrect values.
|
Symptom On the ACS SE 1113, deleting the default SNMP port
value, adding characters instead of numbers to the SNMP port
value, adding a port number greater than 65536, or adding an
SNMP port that is already in use by the device can be performed
without the appearance of any error message. In the previous
release (ACS 3.3.3), the error message "The port number is in
use or invalid" appears.
Workaround Enter a correct SNMP port number that is not already in use by the device.
|
CSCse03681
|
Entering a community string that begins or ends with a space does not result in an error message.
|
Symptom Entering a community string that begins or ends with
a space does not result in an error message. Instead the ACS
system deletes the space without informing the user about it.
|
CSCse01363
|
The appliance configuration page is not replicated when the system is migrated from the ACS SE 1112 device to the ACS SE 1113 device.
|
Symptom Under certain conditions, the appliance configuration
is not replicated when the system is migrated from the ACS SE
1112 to the ACS SE 1113.
Conditions This occurs when a user performs the following sequence of steps:
1. On the Master ACS (Quanta 4.0.1.42) accesses the Appliance Configuration page from System Configuration.
2. Enables NTP Synchronization and adds an IP address to the NTP Server.
3. Enables Cisco Security Agent.
4. Enables the SNMP Agent and changes the SNMP default Community and port, and then adds SNMP Agent Contact and Location.
5. Selects Accept SNMP packets from selected hosts and adds a host address.
6. Submits the changes.
7. The ACS SE 1112 is replicated to the ACS SE 1113.
|
CSCse01194
|
After system migration from ACS for Windows to the Solution Engine version on the ACS SE 1113, the existing HTTP configuration is not retained.
|
Symptom If the Master ACS system (ACS for Windows
4.0.1.27) is configured for certain HTTP settings (the port
ranges are changed to 60000-60005) and the system is
replicated to the ACS SE 1113 version (4.0.1.44), the specified
HTTP configuration settings are not retained on the ACS SE
1113 installation.
|
CSCsd98589
|
When the Network Interface Card (NIC) is disconnected, authentication cannot be performed.
|
Symptom If the NIC is disconnected from a previously
configured and functioning appliance, the system is rebooted
and then restarted, and the NIC is reconnected, authentications
fail.
Error messages similar to the following appear:
04/17/2006 22:01:52 Unknown NAS .. .10.56.60.115
quanta-new-5 .. No .. .. (Unknown)
Workaround Restart CSAuth. Then select System Configuration > Service Control and click the Restart button. This restarts CSLog, RADIUS, and TACACS+.
|
CSCsd94022
|
Setting the system clock forward disrupts a scheduled backup process.
|
Symptom If the system clock is set forward, for example, from
16:00 to 16:58, and a scheduled backup is configured to run
during a later time period, for example, from 17:00 to 18:00, the
scheduled backup might take a long time to complete or might
not occur. This condition can occur when the system time is
changed because of a switchover to Daylight Savings Time.
|
CSCsd93818
|
When the ACS SE 1113 appliance is restarted, the CSAdmin service does not restart.
|
Symptom If the CSAdmin service is stopped and the ACS SE
1113 device is rebooted, the CSAdmin service remains in the
"stopping" state and does not restart. The GUI is not accessible.
Workaround Reboot the appliance, and then restart the CSAdmin service. Then reboot again.
|
CSCsd93779
|
When backup is set to run after a specified period, the backup does not run.
|
Symptom When a large database is loaded from the SE 1111
release and system backup is configured to run after a specified
period, for example, every 15 minutes, the backup process does
not run.
|
CSC92719
|
The NTP configuration is not restored after a system backup.
|
Symptom When the ACS SE 1113 appliance is backed up, the
NTP configuration is not retained.
|
CSCsd91218
|
Under certain conditions when IP filtering is set during initial configuration, the specified IP filtering does not work.
|
Symptom If during an initial configuration, IP filtering is set
and the specified IP addresses are incorrect or are used by
another ACS SE 1113 device, and the ACS SE 1113 is rebooted,
the specified devices do not work; even if they are set manually
by using the set ip command.
|
CSCsd88833
|
Manual setup of IP configuration on the ACS SE 1113 appears to fail.
|
Symptom On a newly installed ACS SE 1113 device, if IP
configuration is performed manually by using the set ip
command, the output from the command does not show the
specified configuration. However, entering a show ip command
shows the correct configuration. For example, if a valid IP
address is entered by using the set ip command, a message
similar to the following appears:
Use Static IP Address [Yes]:
IP Address [0.0.0.0]: 10.56.60.114
However, entering a show ip command displays the correct IP address.
|
CSCse05502
|
The online documentation for the ACS SE 1113 states that the name of a downloadable IP ACL can contain up to 27 characters and cannot contain a backslash (\).
|
Symptom The name specified for a downloadable IP ACL can
contain up to 32 characters and can contain backslashes (\).
Entering a backslash (\) causes an error on the page. (See the
description of CSCse05420.)
|
CSCse05463
|
The online documentation for the ACS SE 1113 states that the description field for a downloadable IP ACL can contain up to 30,000 characters.
|
Symptom The description can contain only 1,006 characters.
|
CSCse05420
|
Adding an illegal backslash (\) to the downloadable Access Control List (DACL) causes an Error on page message to appear.
|
Symptom The online documentation correctly states that the
downloadable IP ACL name cannot contain a backslash
character. However, the system allows you to enter a backlash
(\) in the DACL name. No specific error message appears;
however, an Error on page message appears at the lower left
of the web page. This condition also occurs in the ACS for
Windows 4.0 (4.0.1.27) release.
|
CSCse04244
|
CSAdmin crashes when fewer than 255 characters are added to an SNMP host address.
|
Symptom The CSAdmin utility should allow entering up to 255
characters in the SNMP host address field. However, CSAdmin
sometimes terminates abnormally if a user enters a number of
characters within this range.
|
CSCse08310
|
System performance is degraded when no dynamic users exist.
|
Symptom If the ACS internal database does not contain any
users (is empty) and the system is configured to use Remote
Agent for AD authentication, it takes a long time for the system
to stabilize. This system instability is more prevalent when
more complicated authentication protocols are used, for
example, MS-PEAP, EAP-TLS, or PAP.
|
CSCsd20149
|
After installing from the ACS SE 1111 (HP) Recovery CD, you cannot access the web interface.
|
Symptom This problem occurs on the ACS SE 1111 (HP), when
performing a full upgrade including the appliance base image.
When you log in to the CLI, the appliance status indicates:
pfipmon not running.
Conditions This occurs on the ACS SE 1111 (HP), after installing from the Recovery CD, when performing a full upgrade, including the appliance base image.
Note If you are not upgrading the appliance base image, you do not need to install from the Recovery CD.
Workaround Use the reboot CLI command to restart the appliance.
|
CSCsc90467
|
After installing from the ACS SE 1111 (HP) Recovery CD, the CLI initial configuration screen does not appear.
|
Symptom This problem occurs on the ACS SE 1111 (HP), when
performing a full upgrade including appliance base image.
When installing from the ACS SE 1111 (HP) Recovery CD,
after installation completes, the ACS SE reboots, performs
some configurations, and reboots again. The configurations that
occur after the first reboot take a significant amount of time,
during which there is no feedback, which is normal system
behavior. After this time, the CLI Initial Configuration screen
should appear, but does not.
Conditions On ACS SE 1111 (HP), when installing from the Recovery CD, when performing a full upgrade, including the appliance base image.
Note If you are not upgrading the appliance base image, you do not need to install from the Recovery CD.
Workaround Switch off the appliance, and switch it on again.
|
CSCsc81981
|
CSAdmin crashed when editing the Remote Agent field after replication.
|
Symptom After replication, if you edit the Remote Agent field
in the Network Configuration page in the slave machine, the
ACS displays the error message Action canceled.
Workaround None.
|
CSCsc80481
|
Proxy distribution table prevents SNMP from working.
|
If you configure ACS SE for SNMP and check the Accept SNMP packets from selected hosts check box, and then add an entry to Proxy Distribution Table like: @cisco.com -> local ACS -> strip -> local (Default) -> local ACS -> no strip -> local, SNMP stops working and there are no more responses from ACS.
Workaround Uncheck the Accept SNMP packets from selected hosts check box.
|
CSCsc77508
|
Stress tests with EAP-TLS cause CSAuth to fail.
|
During overnight EAP-TLS stress tests against CSDB with NAP and RAC, and a Certificate Revocation List (CRL) (30% of all certificates revoked), CSAuth failed a number of times.
Workaround None.
|
CSCsc77228
|
RSA token appears in the external User DB after upgrade from 3.2.3.
|
Symptom If, in a previous version of ACS, you added RSA
SecurID Token Server to the external user database, mapped it
to a group, and selected this database in the Unknown User
Policy section; then, after upgrading to ACS 4.0, the RSA
SecurID Token Server still appears, even though all instances of
it should be deleted in the external user database, not just from
the database configuration.
Moreover, the configuration in the RSA SecurID Token Server should be replicated in the RADIUS Token Server after the upgrade to 4.0.
Workaround None.
|
CSCsc69997
|
Machine authentication fails on 2003 DC with binary comparison on.
|
Symptom EAP-TLS machine authentication fails if only binary
comparison is selected, and 2003 DC is used as the external
database. There are no problems with user authentication.
Workaround None.
|
CSCsc52381
|
ACS SE console access may not work if NTP synchronization is enabled.
|
Symptom The login prompt might not appear on the CLI
console after rebooting through the CLI or through the GUI;
even if NTP synchronization is enabled and the NTP server
address is set correctly.
Workaround Disable NTP synchronization.
|
CSCsc03778
|
Access Policy changes made in Administration Control and replicated to another SE are not enforced unless the receiving SE is rebooted.
|
Symptom If you make a change in the access policy under
Administration Control and then replicate the change to another
appliance, the changes are not enforced on the receiving
appliance.
Workaround On the receiving (secondary) appliance, do one of the following:
•Click Submit on the Access Policy page.
•Reboot the secondary appliance.
|
CSCsc02553
|
GUI logging change does not affect CSadmin until server restarted.
|
Symptom When a user changes the logging level for an ACS
appliance by using the GUI, and clicks the Restart button, the
CSadmin service is not restarted; therefore, the CSadmin
logging level does not change until the CSadmin service is
manually restarted.
Workaround Restart the CSadmin service manually.
|
CSCsb83399
|
ACS SE should save the FTP settings during software upgrade.
|
Symptom The ACS appliance does not save the defined FTP
settings during software upgrade; but, the defined backup
scheduling is saved. This behavior causes a backup problem
after software upgrade.
Workaround Reenter the FTP information manually after an upgrade.
|
CSCsb27597
|
Limitation on the custom attributes (of 31 KB as CSAdmin indicates).
|
Symptom In the T+ Settings per User/Group Configuration
page, which is accessed from the Interface Configuration page,
if you add over 1,200 entries in the custom attribute field, the
browser crashes.
The custom attribute field is currently limited to 31 KB (which is around 1,200 attributes).
Workaround None.
|
CSCsb19051
|
TCP checksum error from Cisco Secure ACS Solution Engine 1111.
|
Symptom An ACS SE 1111 (CSACSE-1111-UP-K9) may
generate transient TCP checksum errors, which may cause error
logging on other devices in the network. In particular, Cisco
switches may generate the following error message:
%IP-3-TCP_BADCKSUM:TCP bad checksum.
This error is caused by the network interface card (NIC) software driver. Not every packet being transmitted is affected. Because TCP retransmits any unacknowledged packet, the system will recover. Excessive logging of the error message within the network might occur. The problem only affects TCP packets; therefore, TACACS+ may be affected, while RADIUS will not be affected.
This problem might also occur on an ACS SE 1112 (Quanta).
Workaround A temporary workaround is to reload the server; but, because the problem is transient, it will likely recur within days or weeks.
A patch is available from TAC, which will help to reduce the amount of errors; however, since this is a network configuration problem, it cannot resolve the problem completely. Contact your TAC representative for the appropriate TCP_checksum patch for your platform.
|
CSCsb13998
|
ACS dial-in authorization fails against Win2K active directory.
|
Symptom When ACS is configured to obtain dial-in
authorization from a Microsoft Active Directory user database,
user authorization sometimes fails with the error: User does
not have dial-in permission (needed).
This defect was found in an environment where Active Directory was being replicated from an NT domain. The same errors occurred when the remote agent was installed on a Member Server or a Domain Controller.
Workaround The problem occurs because replication does not synchronize the userParameters and msNPAllowDialin attributes. See Microsoft KB article 252398 for a possible workaround (run a script to synchronize the attributes).
|
CSCeh17104
|
Certain Hostname/Admin names cause loss of access.
|
Symptom If the administrator name is same as the hostname,
there is no GUI access or CLI access.
Workaround Ensure that the administrator name is different from the hostname.
|
CSCeh04327
|
SNMP get and get-next requests for host.hrSystemNumUsers return error.
|
Symptom SNMP get and get-next requests for
host.hrSystemNumUsers return Generic error.
Workaround None.
|
CSCee89510
|
Dates are logged in local time instead of GMT.
|
Symptom NAC attributes that are in date format are in GMT
time. When ACS logs these attributes, it converts them to the
ACS local time zone (the time zone of the ACS server).
Workaround Configure ACS to use the GMT time zone.
|
General ACS bugs
|
CSCsc69976
|
Local logging file size and days do not appear after change in GUI.
|
Symptom For local logging files, changes to the following fields
are not saved:
•Keep only the last 7 files
•Delete files older than 7 days
When you change the number of files or days from 7 to another number, the setting is not saved.
Workaround None.
|
CSCsc57975
|
The database order inside a Network Access Profile may cause authentication to fail and an error message appears.
|
Symptom When a user account in the Windows AD has expired,
the user may be authenticated in another external database,
which is configured sequentially after the Windows database in
the authentication settings in the matched NAP. If the user
exists in the other database, authentication is successful. If the
user does not exist in the other database, the error message CS
user unknown (instead of Database account expired) is
displayed.
|
CSCsc49673
|
UPGRADE:Add Filter aaa:service=ip_admission to Upgrade-Profile NAP.
|
Symptom After upgrading from ACS 3.3 that included a NAC
database, a profile is created with an authorization method:
PEAP - posture only. This profile does not have a filter, which
will cause all incoming authentications to fail: except from
PEAP-POSTURE.
Workaround Add a filter of Cisco-av-pair aaa:service = ip_admission to the Upgrade-Profile. The no-posture requests will be authenticated against the global settings configuration (check the Grant access using global configuration, when no profile matches option in the created profile).
|
CSCsc43577
|
CSAdmin stalls and has a memory leak.
|
Symptom CSAdmin uses a large amount of memory when users
change the EAP-FAST inner method from GTC to MSCHAPv2
on the Network Access Profile page.
Workaround Restart the CSAdmin service.
|
CSCsc43287
|
Replication: Administration Control > Access Policy. Port allocation not replicated.
|
Symptom After replication of the interface security settings, the
HTTP port allocation settings in Administration Control >
Access Policy were not replicated (remained set to the default
- Allow any TCP ports to be used for Administration HTTP
Access).
Workaround Ensure that the HTTP access policy is set correctly on the remote GUI.
|
CSCsc41638
|
ACS does not check if the CA certificate that was issued to a user exists in CTL.
|
Symptom A user who presents a certificate in EAP-TLS or
EAP-FAST/EAP-TLS may be authenticated; even though the
ACS machine no longer trusts the certificate issuer.
Workaround Uncheck the CA certificate in question from the ACS web interface before removing the CA certificate from the machine storage.
|
CSCsc41623
|
Configuring Logs - Reset Columns erroneously populates selection lists.
|
Symptom For several report types, Reset Columns on the ACS
web interface Logging configuration page sets the selected
attributes to log (columns) to a different set of Logged
Attributes than the actual default attributes, initially set on a
fresh ACS installation.
Conditions In ACS, when you configure the logged information through the ACS web interface by choosing System Configuration > Logging and selecting one of the listed reports, the Reset Columns selection sets the selected attributes in the Selected Attributes list box to an incorrect set of attributes.
This action occurs on the following reports:
•CSV Failed Attempts
•CSV Passed Authentications
•CSV VoIP Accounting
Workaround Use the right (->) and left (<-) arrow buttons to add and remove attributes in the Logged Attributes list, shown below.
•CSV Failed Attempts—Remove the Filter Information.
•CSV Passed Authentications —Add the Cisco-av-pair attribute.
•CSV VoIP Accounting. Add the following attributes:
–Call Leg Setup Time.
–Gateway Identifier.
–Connection Id.
–Call Leg Direction.
–Call Leg Type.
–Call Leg Connect Time.
–Call Leg Disconnected Time.
–Call Leg Disconnected Cause.
–Remote Gateway IP Address.
|
CSCsc41129
|
CSAuth exceptions occur during EAP-TLS stress tests using an LDAP external database with SSL connections.
|
Symptom After a few hours of EAP-TLS authentications with
an LDAP external database and LDAP connections over SSL
(Trusted Root CA option), CSAuth may experience exceptions
and fail.
Workaround Restart the ACS services.
|
CSCsc40001
|
Session resume in EAP-FAST-TLS does not work.
|
Symptom EAP-TLS inside EAP-FAST always assumes that the
user is trying to authenticate for the first time, resulting in going
to the external DB (if valid) to get the user credentials; instead
of permitting the user to resume a previously used TLS session.
Conditions EAP-TLS as the inner method in EAP-FAST.
Workaround None.
|
CSCsc39979
|
When a NAP is updated, internal users are not deleted from the logged-in users list.
|
Symptom When a Network Access Profile (NAP) is being
updated, all dynamic users related to the NAP are deleted from
the logged in user list. The internally defined users are not
deleted.
Workaround None
|
CSCsc32154
|
Upgrading from ACS 3.3 removed APT, SPT, and Reason from Logged Attributes.
|
|
