Table Of Contents
Release Notes for Cisco Secure ACS 4.1.3
Contents
Introduction
New and Changed Information
Support for Microsoft Windows Server 2003 R2
Support for 3Com/USR VSAs
MAC and MAB Functionality Issues
Support for User-Defined Vendors Extended VSA ID
Use the CSUtil.ini file to Install User-Defined Vendor or VSA Data
Use the RDBMS Synchronization Action Codes to Install User-Defined Vendor or VSA Data
Configuring the Workstation Name For Windows Authentications
Windows Authentication Configuration Error Messages
Addition of the cisco-AVPair Attribute to the VOIP Accounting Report
Configuring the ACS RADIUS Server to Reject or Discard Requests to an External ODBC Database
Addition of Session IDs to the CSAuth Diagnostic Log
Description of Error Codes in the CSAuth Diagnostic Log
Line Numbers in Diagnostic Logs
Improved EAP Code Debug Messages
Product Documentation
Known Caveats in ACS for Windows and the Solution Engine 4.1.3
Resolved Caveats in ACS for Windows and the Solution Engine 4.1.3
Installation Notes for ACS 4.1.3
Upgrade Path ACS 4.1.3 for Windows
System Requirements ACS 4.1.3 for Windows
Installing ACS 4.1.3 for Windows
Upgrade Path for ACS Solution Engine 4.1.3
Installing the ACS Solution Engine 4.1.3
Release Notes for Cisco Secure ACS 4.1.3
Revised: July 9, 2007, OL-12629-02
CDC Date: May 5, 2007
These release notes pertain to Cisco Secure Access Control Server, hereafter referred to as ACS version 4.1.3. These release notes contain information for the Windows and Solution Engine platforms. Where necessary, the appropriate platform is clearly identified.
Contents
These release notes contain:
•
Introduction
•New and Changed Information
•Product Documentation
•Known Caveats in ACS for Windows and the Solution Engine 4.1.3
•Resolved Caveats in ACS for Windows and the Solution Engine 4.1.3
•Installation Notes for ACS 4.1.3
Introduction
ACS 4.1.3 is a maintenance release for ACS 4.1 that consolidates ACS 4.1 customer patches and resolves other customer and internally found defects. ACS 4.1.3 is available through the Cisco Technical Assistance Center (TAC) only for upgrading existing ACS software deployments.
This release includes:
•ACS 4.1.3 software image.
•Appliance upgrade CD for ACS Solution Engines 1111, 1112, 1113.
New and Changed Information
ACS 4.1.3 contains these new enhancements:
•Support for Microsoft Windows Server 2003 R2
•Support for 3Com/USR VSAs
•MAC and MAB Functionality Issues
•Support for User-Defined Vendors Extended VSA ID
•Addition of the cisco-AVPair Attribute to the VOIP Accounting Report
•Configuring the ACS RADIUS Server to Reject or Discard Requests to an External ODBC Database
•Addition of Session IDs to the CSAuth Diagnostic Log
•Description of Error Codes in the CSAuth Diagnostic Log
•Improved EAP Code Debug Messages
Support for Microsoft Windows Server 2003 R2
ACS is supported on Windows Server 2003 R2.
Support for 3Com/USR VSAs
ACS now supports 3Com/USR VSAs. The 3Com/USR VSA format differs from other VSAs in that 3Com/USR VSAs have a 32-bit Extended Vendor-Type field and no length field.
The Authenticate Using drop-down list in the Network Configuration section of the ACS web interface now includes a new network device, RADIUS (3COMUSR).
Note 3Com/USR VSAs should be used for any device that uses these VSAs, not just the HiperARC cards.
Once you add the RADIUS (3COMUSR) to the Network Configuration section, it becomes available to the User Setup and Group Setup sections of the ACS web interface. These VSAs will also be available to the RADIUS accounting log. Use the Interface Configuration section to configure RADIUS (3COMUSR). For information on adding a network device, refer to the User Guide for Cisco Secure ACS 4.1.
MAC and MAB Functionality Issues
Cisco recommends that you apply patch 4.1.3.12.1 to ensure:
•ACS 4.1 functionality for MAB.
•ACS 4.0 functionality for MAC authentication.
After you apply the patch, if
• Service-Type(6) = 10 and NAP is present, MAB is invoked.
•Service-Type(6) = 10 and NAP is non-existent, MAC authentication is invoked.
This specification retains ACS 4.1 functionality for MAB and ACS 4.0 functionality for MAC authentication.
Support for User-Defined Vendors Extended VSA ID
In previous versions of ACS the vendor-specific attribute (VSA) ID length was restricted to one byte, the default value, and the VSA ID value could not be greater than 255. ACS 4.1.3 supports VSA ID lengths of 1, 2 or 4 bytes. In addition, customers can specify whether the VSA has an internal length field or not.
You can use CSUtil or RDBMS synchronization to install dictionary components for vendors that require extended VSA ID length.
Use the CSUtil.ini file to Install User-Defined Vendor or VSA Data
Use the CSUtil -addUDV option with the vendor .ini file to install VSA data for vendors that require extended VSA ID length. Table 1 contains two additional codes and definitions in the vendor .ini file used to modify the vendor configuration.
Table 1 CSUtil.ini file Options and Definitions for Vendor Configuration
Option
|
Value
|
Description
|
Need Internal Length
|
TRUE or FALSE
|
Sets the presence of Internal Length field in VSA. If not used, then the default is TRUE.
|
ID Length
|
1, 2 or 4 bytes.
|
Sets the Vendor-Specific Attribute (VSA) Type length in bytes. If not used, then the default is 1 byte.
|
Note ACS 4.1.3 supports hex-numbering for the VSA ID feature. Values starting with 0x are assumed to be hex values.
Use the following sample format of the vendor .ini file for setting the ID Length and VSA values. In this example,
•Need Internal Length value is TRUE.
•ID Length is two bytes
•vendor VSA ID values are 264 and 0x109.
[User Defined Vendor]
Name=vendor-name
IETF Code=vendor-IETF-code
Need Internal Length = TRUE
ID Length=2
VSA 264=Ascend-Max-RTP-Delay
VSA 0x109= Ascend-RTP-Port-Range
[Ascend-Max-RTP-Delay]
Type=INTEGER
Profile=OUT
[Ascend-RTP-Port-Range]
Type=STRING
Profile=OUT
Use the RDBMS Synchronization Action Codes to Install User-Defined Vendor or VSA Data
Use the RDBMS Synchronization action codes to install VSA data for vendors that require extended VSA ID length. Table 2 contains two additional codes and definitions for modifying the vendor configuration.
Table 2 RDBMS Account Action Codes and Definition for Vendor Configuration
Action Code
|
Name
|
Required
|
Description
|
356
|
SET_VSA_ID_LEN
|
V1, V2
|
Sets the Vendor-Specific Attribute (VSA) Type length in bytes.
•V1 contains the vendor IETF code.
•V2 contains VSA-Type Length, which takes the values 1, 2 or 4.
|
357
|
SET_VSA_INTERNAL_LEN
|
V1, V2
|
Sets the presence of Internal Length field in VSA.
•V1 contains the vendor IETF code.
•V2 contains BOOL value.
•1-(TRUE) if VSA requires the Internal Length field.
•0-(FALSE) if the Internal Length field is not required.
|
Configuring the Workstation Name For Windows Authentications
You use ACS to define a custom workstation name when authenticating against Active Directory (AD). In previous versions of ACS, a workstation name of CISCO was used for authentications to AD. This enhancement allows multiple ACS deployments using a single AD tree.
The Windows External Database section of the ACS web interface now contains a new configuration section. You use the new configuration section to customize the workstation name.
To configure a workstation name:
Step 1 In the navigation bar, click External User Databases.
The External User Database page appears.
Step 2 Click Database Configuration.
The External User Database Configuration page appears.
Step 3 Click Windows Database.
The Windows Authentication Configuration page appears.
Step 4 Click Configure.
a. If you are running ACS for Windows, the Windows Authentication Configuration page appears.
b. If you are running the Solution Engine, click Windows Authentication Configuration. The Windows Authentication Configuration page appears
Step 5 Choose one of the options to configure a workstation name:
a. CISCO—Configures CISCO as the workstation name. This is the default.
b. Local—Configures the local machine name as the workstation name. By default, ACS displays the local host name.
c. User defined workstation name—Specifies a name for the workstation. (Limit: 15 characters).
Note Ensure that all user accounts have login permission to the workstation.
Windows Authentication Configuration Error Messages
Table 3 lists the Windows Authentication Error Messages.
Table 3
Error Number
|
Description
|
1
|
Workstation name contains invalid characters. alpha-numerics are the only valid characters,
|
Windows Authentication Configuration Errors
Addition of the cisco-AVPair Attribute to the VOIP Accounting Report
ACS has added the cisco-AVPair attribute to the VoIP Accounting Report.
To configure the VoIP Accounting Report:
Step 1 In the navigation bar, click System Configuration.
The System Configuration page appears.
Step 2 Click VoIP Accounting Configuration.
The VoIP Accounting Configuration page appears.
Step 3 Configure the log.
Step 4 Click Submit.
Step 5 Restart ACS in System Configuration > Service Control to adopt the new settings.
Step 6 In the navigation bar, click System Configuration > Logging.
The Logging Configuration page appears.
Step 7 Click Configure next to the VoIP Accounting Column.
Step 8 Choose the cisco-AVPair attribute and move it to the Logged Attributes list.
Step 9 Click Submit.
The Logging Configuration page reappears.
Step 10 In the navigation bar, click Reports and Activity.
The Reports and Activity page appears.
Step 11 Click VoIP Accounting.
The VoIP Accounting report appears and displays the cisco-AVPair attribute.
Note Multiple Cisco-AVPair attributes values are concatenated in the VOIP Accounting report with a semi-colon.
Configuring the ACS RADIUS Server to Reject or Discard Requests to an External ODBC Database
You use ACS RADIUS server to send an access reject reply or discard the access-request. In some deployments, the ACS server might send an access reject or discards an access request. For example, in the event of an external ODBC database failure, ACS can deny the authentication (access reject), or not respond at all. Conversely, if ACS discards an access request the network access device that can fail over to another ACS server. A drawback to this approach is that discards can cause excessive network traffic and load on the network access devices as requests continue to travel from network access devices to the ACS servers.
To configure a RADIUS server:
Step 1 In the navigation bar, click External User Databases.
The External User Databases page appears.
Step 2 Click Database Configuration.
The External User Database Configuration page appears.
Step 3 Click External ODBC Database.
The CiscoSecure ODBC Authentication Configuration page appears.
Step 4 In the RADIUS behavior in the event of database failure section select one of the RADIUS server options, shown in Table 4.
Step 5 Click Submit.
Table 4
Option
|
Description
|
Send an access reject (your devices will stay with this RADIUS server).
|
The network access devices will retry the same RADIUS server and not fail over to another RADIUS server.
|
Discard the access request (your devices may try a different RADIUS server).
|
The network access devices will use the available RADIUS servers.
|
RADIUS Server Reject and Discard Request Options
Addition of Session IDs to the CSAuth Diagnostic Log
ACS supports a session ID parameter for the CSAuth diagnostic log. You can use a unique session ID to differentiate log threads in the CSAuth diagnostic logs.
Example 1 shows the session ID 1000 is processed by two different threads (2560, 2548) in the network model thread. You can filter the logs by session ID to restrict the output for each session.
Example 1 CSAuth Diagnostic Log with session ID
AUTH 09/08/2006 18:29:57 I 5081 2560 1000 Start RQ1040, client 1 (127.0.0.1)
AUTH 09/08/2006 18:30:13 I 5094 2548 Worker 1 processing message 17.
AUTH 09/08/2006 18:30:14 I 0991 2368 0000 pvNASMonitorThreadMain: start NM
AUTH 09/08/2006 18:30:14 I 1006 2368 0000 pvNASMonitorThreadMain: commit NM
AUTH 09/08/2006 18:30:14 I 5081 2560 1000 Done RQ1040, client 1, status 0
AUTH 09/08/2006 18:30:14 I 1011 2368 0000 pvNASMonitorThreadMain: succeeded
AUTH 09/08/2006 18:30:28 I 5081 2548 1000 Start RQ1012, client 2 (127.0.0.1)
AUTH 09/08/2006 18:30:28 I 5081 2548 1000 Done RQ1012, client 2, status 0
Note The additional session ID field in the ACS diagnostic log involves minimal overhead: eight bytes per line for each authentication session.
Description of Error Codes in the CSAuth Diagnostic Log
The ACS 4.1.3 CSAuth diagnostic logs now display a description of client requests and responses. Previous versions of ACS used a numeric code for client requests and responses. The description is useful for locating client requests and responses in the CSAuth diagnostic logs.
Figure 1 contains two CSAuth diagnostic log examples. The first example represents an entry from previous versions of the CSAuth diagnostic log. The second example represents how this entry appears in the CSAuth 4.1.3 diagnostic log.
Example 2 shows that in the CSAuth diagnostic log:
•UDB_AUTHENTICATE_USER replaces the RQ1026 request code shown in the first example.
•UDB_CHALLENGE_REQUIRED replaces the 2046 status code shown in the first example.
Figure 1 CSAuth Diagnostic Log Entry
Example 1
AUTH 09/11/2006 09:55:27 I 5081 2512 Done RQ1026, client 50, status -2046
Example 2 (with Descriptive text)
AUTH 09/11/2006 09:55:27 I 5081 2512 Done UDB_AUTHENTICATE_USER, client 50, status
Table 5 and Table 6 list the descriptive text for requests and status that appear in the 4.1.3 CSAuth diagnostic logs.
Descriptive Request Text in the CSAuth Diagnostic Logs
Table 5 lists the descriptive text in the CSAuth diagnostic logs and the corresponding request code.
Table 5 Descriptive Request Text and Request Code
Request Text
|
Request Code
|
UDB_BASE_CMD
|
1000
|
UDB_HAIL
|
1001
|
UDB_OPEN
|
1002
|
UDB_CLOSE
|
1003
|
UDB_GOODBYE
|
1004
|
UDB_PING
|
1005
|
UDB_REFRESH
|
1006
|
UDB_REFRESH_EX
|
1007
|
UDB_RESET_HOST_CACHE
|
1008
|
UDB_USER_ADD
|
1010
|
UDB_USER_REMOVE
|
1011
|
UDB_VALID_USER
|
1012
|
UDB_USER_ENUM_BY_GROUP
|
1013
|
UDB_CHANGE_PASSWORD
|
1014
|
UDB_SET_PASS_STATUS
|
1015
|
UDB_GET_PASS_STATUS
|
1016
|
UDB_USER_ENUM
|
1017
|
UDB_USER_GET_INFO
|
1018
|
UDB_USER_PAP_CHECK
|
1019
|
UDB_USER_PROF_ASSIGN
|
1020
|
UDB_USER_PROF_COUNT
|
1021
|
UDB_USER_PROF_GET
|
1022
|
UDB_USER_CHAP_CHECK
|
1023
|
UDB_USER_CHECK_EXPIRY
|
1024
|
UDB_USER_SET_INFO
|
1025
|
UDB_AUTHENTICATE_USER
|
1026
|
UDB_SEND_RESPONSE
|
1027
|
UDB_SET_PASSWORD
|
1028
|
UDB_USER_LOCN_CHECK
|
1029
|
UDB_SET_VALUE
|
1030
|
UDB_GET_VALUE
|
1031
|
UDB_GET_NEXT_VALUE
|
1032
|
UDB_DEL_VALUE
|
1033
|
UDB_FIND_VALUE
|
1034
|
UDB_GET_VALUE_BY_NAME
|
1035
|
UDB_LOG
|
1040
|
UDB_SET_APPDATA
|
1041
|
UDB_GET_APPDATA
|
1042
|
UDB_DEL_DB
|
1043
|
UDB_AVERT_LOG
|
1044
|
UDB_DIR_CREATE
|
1050
|
UDB_FILE_CREATE
|
1051
|
UDB_FILE_WRITE
|
1052
|
UDB_FILE_READ
|
1053
|
UDB_FILE_CLOSE
|
1054
|
UDB_FILE_EXISTS
|
1055
|
UDB_FILE_APPEND
|
1056
|
UDB_FILE_SET_PTR
|
1057
|
UDB_USER_LIST_ADD
|
1070
|
UDB_USER_LIST_DEL
|
1071
|
UDB_USER_LIST_GET
|
1072
|
UDB_USER_LIST_COUNT
|
1073
|
UDB_USER_LIST_UPDATE
|
1074
|
UDB_USER_ALIAS_SET
|
1080
|
UDB_USER_ALIAS_DEL
|
1081
|
UDB_USER_ALIAS_VALID
|
1082
|
UDB_START_TRANSACTION
|
1090
|
UDB_END_TRANSACTION
|
1091
|
UDB_KICK_SYNC_TX
|
1092
|
UDB_KICK_SYNC_RX
|
1093
|
UDB_EXCHANGE_SYNC_INFO
|
1094
|
UDB_AQUIRE_IP_ADDRESS
|
1095
|
UDB_VALIDATE_PASSWORD
|
1096
|
UDB_EXTRACT_AGING_DATA
|
1097
|
UDB_AUTH_FAILED
|
1098
|
UDB_RESET_USER_PASSWORD_AGING_DATA
|
1099
|
UDB_GET_AGING_INFO
|
1100
|
UDB_DO_BACKUP_NOW
|
1101
|
UDB_AQUIRE_CALLBACK
|
1102
|
UDB_GET_AGING_LIMIT
|
1103
|
UDB_PURGE_NAS
|
1104
|
UDB_SEND_FAKE_STOPS
|
1105
|
UDB_SERVICE_CONTROL
|
1106
|
UDB_RESET_GROUP
|
1107
|
UDB_SET_ENABLE_PASS_STATUS
|
1108
|
UDB_UPDATE_AGING_POLICY
|
1109
|
UDB_ADD_HOST
|
1110
|
UDB_DEL_HOST
|
1111
|
UDB_GET_HOST
|
1112
|
UDB_UPDATE_HOST
|
1113
|
UDB_ADD_PROXY
|
1114
|
UDB_DEL_PROXY
|
1115
|
UDB_ADD_PROXY_TARGET
|
1116
|
UDB_ADD_NDG
|
1117
|
UDB_DEL_NDG
|
1118
|
UDB_GET_NDG_ID
|
1119
|
UDB_SET_USER_FEATURE_FLAG
|
1120
|
UDB_GET_USER_COUNTER
|
1121
|
UDB_RESET_USER_COUNTER
|
1122
|
UDB_RESET_GROUP_USERS_COUNTER
|
1123
|
UDB_GET_FIRST_QUOTA_TYPE
|
1124
|
UDB_GET_NEXT_QUOTA_TYPE
|
1125
|
UDB_SET_QUOTA
|
1126
|
UDB_HAS_USER_QUOTA_EXHAUSTED
|
1127
|
UDB_SHARED_PROFILE
|
1128
|
UDB_ADD_UDV
|
1140
|
UDB_DEL_UDV
|
1141
|
UDB_GET_VID_FROM_IETF
|
1142
|
UDB_ADD_UDV_VSA
|
1143
|
UDB_ADD_UDV_VSA_ENUM
|
1144
|
UDB_ADD_UDV_VSA_PROFILE
|
1145
|
UDB_SET_REP_DIRTY_FLAG
|
1150
|
UDB_USER_COMMIT_NOW
|
1151
|
UDB_POLICY_CREATE_CONTEXT
|
1152
|
UDB_USER_REMOVE_DYNAMIC
|
1153
|
Table 6 lists the descriptive text in the CSAuth diagnostic logs and the corresponding status code.
Table 6 Descriptive Status Text and Request Code
Status Description
|
Status Code
|
UDB_BASE_ERR
|
1000
|
UDB_DB_NOT_OPEN
|
1001
|
UDB_INVALID_ENTRY
|
1002
|
UDB_CANT_CREATE_MAP
|
1003
|
UDB_CANT_CREATE_VIEW
|
1004
|
UDB_CANT_OPEN_INDEX
|
1005
|
UDB_DB_IS_OPEN
|
1006
|
UDB_SIZE_MISMATCH
|
1007
|
UDB_CANT_OPEN_FILE
|
1008
|
UDB_CRC_FAILED
|
1009
|
UDB_CANT_INIT_INDEX
|
1010
|
UDB_INVALID_DATA
|
2011
|
UDB_CANT_GROW_FILE
|
1012
|
UDB_USER_INVALID
|
2013
|
UDB_DUPLICATE_NAME
|
1014
|
UDB_INVALID_PASSWORD
|
2015
|
UDB_IPC_DATA_INVALID
|
1016
|
UDB_FEATURE_NOT_READY
|
1017
|
UDB_SERVER_BUSY
|
1018
|
UDB_REGISTRY_READ_FAIL
|
1019
|
UDB_UNKNOWN_VARIABLE
|
2020
|
UDB_NO_FILE_HANDLES
|
1021
|
UDB_DIR_CREATE_FAILED
|
1022
|
UDB_FILE_WRITE_FAILED
|
1023
|
UDB_FILE_READ_FAILED
|
1024
|
UDB_INVALID_DIR_NAME
|
1025
|
UDB_INVALID_FILE_NAME
|
1026
|
UDB_MALLOC_FAIL
|
1027
|
UDB_INVALID_HANDLE
|
1028
|
UDB_USER_NOT_OWNER
|
1029
|
UDB_CANT_REBUILD_INDEX
|
1030
|
UDB_CANT_REMOVE_OLD_DB
|
1031
|
UDB_USER_REMOVED
|
2032
|
UDB_NO_VARIABLE
|
1033
|
UDB_PASSWORD_DISABLED
|
2034
|
UDB_FILE_SET_PTR_FAILED
|
1035
|
UDB_USER_LICENCE_LIMIT
|
1036
|
UDB_APP_NOT_LICENSED
|
1037
|
UDB_BAD_SECRET
|
1038
|
UDB_DB_VERSION_MISMATCH
|
1039
|
UDB_DIR_REMOVE_FAILED
|
1040
|
UDB_CANT_ASSIGN_PROFILE
|
1041
|
UDB_LOGGER_OFFLINE
|
1042
|
UDB_CANT_ACCESS_USERLIST
|
1043
|
UDB_SESSION_COUNT_EXCEEDED
|
2044
|
UDB_PASSWORD_REQUIRED
|
2045
|
UDB_CHALLENGE_REQUIRED
|
2046
|
UDB_NO_SESSION
|
1047
|
UDB_INTERNAL_ERROR
|
1048
|
UDB_BAD_TODDOW
|
2049
|
UDB_CANT_LOCK_RECORD
|
1050
|
UDB_NT_DIALIN_REQUIRED
|
2051
|
UDB_NT_PW_WRONG
|
2052
|
UDB_NT_AC_RESTRICTED
|
2053
|
UDB_NT_TOD_DOW
|
2054
|
UDB_NT_PW_EXPIRED
|
2055
|
UDB_NT_AC_DISABLED
|
2056
|
UDB_NT_BAD_WORKSTATION
|
2057
|
UDB_NT_UNKNOWN_ERR
|
1058
|
UDB_NT_PASS_CHANGE
|
2059
|
UDB_NT_NO_DOMAIN
|
2060
|
UDB_NT_AC_LOCKED
|
2061
|
UDB_NT_NO_BROWSER
|
2062
|
UDB_INVALID_CHAP_PW
|
2063
|
UDB_INVALID_ARAP_PW
|
2064
|
UDB_INVALID_TOKEN_PW
|
2065
|
UDB_INVALID_UNIX_PW
|
2066
|
UDB_TOKEN_SERVER_DOWN
|
1067
|
UDB_USER_CLI_FILTERED
|
2068
|
UDB_NO_SENDAUTH_PW
|
1069
|
UDB_NO_TOKENSRV
|
1070
|
UDB_NT_NO_LOGON_NOT_GRANTED
|
2071
|
UDB_CANT_START_TRANSACTION
|
1072
|
UDB_VARDB_NOT_OPEN
|
1073
|
UDB_NOT_IN_CACHE
|
1074
|
UDB_CANT_OPEN_ODBC_DB
|
1075
|
UDB_DLL_MISMATCH
|
1076
|
UDB_NOT_INSTALLED
|
1077
|
UDB_CHAP_ENFORCED
|
2078
|
UDB_ACCESS_DENIED
|
2079
|
UDB_REPLICATION_DENIED
|
1080
|
UDB_FAILED_TO_AQUIRE_IP_ADDR
|
1081
|
UDB_PASSWORD_DEAD
|
2082
|
UDB_PASSWORD_STATE_NOT_ACCESSIBLE
|
1083
|
UDB_PASSWORD_AGE_CHECK_FAILED
|
1084
|
UDB_NEW_PASSWORD_NOT_GOOD
|
2085
|
UDB_FAILED_TO_EXTRACT_DATA
|
1086
|
UDB_EXTERN_DB_ERROR
|
2087
|
UDB_BACKUP_FAILED_TO_START
|
1088
|
UDB_FAILED_TO_AQUIRE_CALLBACK
|
1089
|
UDB_FAILED_TO_PERFORM_SERVICE_OP
|
1090
|
UDB_TIME_OUT_WAITING_TO_START_AUTH
|
1091
|
UDB_AUTH_NOT_SUPPORTED_BY_EXT_DB
|
2092
|
UDB_CACHED_TOKEN_REJECTED
|
2093
|
UDB_TOKEN_PIN_CHANGED
|
2094
|
UDB_INVALID_MSCHAP_PW
|
2095
|
UDB_INVALID_EXT_CHAP_PW
|
2096
|
UDB_INVALID_EXT_ARAP_PW
|
2097
|
UDB_INVALID_EXT_MSCHAP_PW
|
2098
|
UDB_INVALID_EXT_USER
|
2099
|
UDB_NT_AC_EXPIRED
|
2100
|
UDB_AUTH_DENIED_DUE_TO_VOIP
|
2101
|
UDB_MALFORMED_USERNAME
|
2102
|
UDB_CANT_OPEN_HOST_DB
|
1103
|
UDB_CANT_OPEN_PROXY_DB
|
1104
|
UDB_CANT_OPEN_NDG_DB
|
1105
|
UDB_HOST_DB_FAILURE
|
1106
|
UDB_PROXY_DB_FAILURE
|
1107
|
UDB_NDG_DB_FAILURE
|
1108
|
UDB_INVALID_COUNTER_TYPE
|
1109
|
UDB_EXTERN_DB_TRANSIENT_ERROR
|
1110
|
UDB_INVALID_QUOTA_INDEX
|
1111
|
UDB_USAGE_QUOTA_EXCEEDED
|
2112
|
UDB_NT_CHANGE_PASS_FAILED
|
2113
|
UDB_CANT_LOAD_DLL
|
1114
|
UDB_EXTN_DLL_REJECTED
|
2115
|
UDB_INVALID_EXT_EAP_PW
|
2116
|
UDB_EAP_METHOD_NOT_SUPPORTED
|
2117
|
UDB_EAP_TLS_PASS_HS_USER_NOT_FOUND
|
2118
|
UDB_EAP_NO_MATCH_NAME_IN_CERT
|
2119
|
UDB_EAP_TLS_HANDSHAKE_FAILED
|
2120
|
UDB_EAP_IGNORE
|
2121
|
UDB_SUPPLIER_NOT_CONFIGURED
|
2122
|
UDB_UDV_CONFIG_ERROR
|
1123
|
UDB_USER_FOUND
|
2124
|
UDB_USER_NOT_FOUND
|
2125
|
UDB_EAP_FAILED
|
1126
|
UDB_MISSING_MPPE_DATA
|
2127
|
UDB_EAP_MACHINE_AUTH_DISABLED
|
2128
|
UDB_NT_NO_REMOTE_AGENT
|
2129
|
UDB_EAP_FAST_PAC_PROVISIONING
|
2130
|
UDB_EAP_FAST_USER_AND_IID_NOT_MATCH
|
2131
|
UDB_EAP_FAST_PAC_INVALID
|
2132
|
UDB_EAP_FAST_INBAND_NOT_ALLOWED
|
2133
|
UDB_EAP_FAST_INVALID_MASTER_KEY
|
2134
|
UDB_GROUP_DISABLED
|
2135
|
UDB_AVERT_NO_MAPPING
|
2136
|
UDB_EAP_PASSWORD_CHANGE_DISABLED
|
2137
|
UDB_AVERT_PROCEED_TO_UUP
|
2138
|
UDB_AVERT_LOCAL_POLICY_FAILED
|
2139
|
UDB_AVERT_EX_POLICY_FAILED
|
2140
|
UDB_AVERT_GENERAL_FAILURE
|
2141
|
UDB_ACCESS_DENIED_FAST_REC_NO_USER
|
2142
|
UDB_ACCESS_DENIED_MAR_RESTRICTION
|
2143
|
UDB_AVERT_UNKNOWN_ATTRIBUTE
|
2144
|
UDB_AUTH_PROTOCOL_NOT_ALLOWED
|
2145
|
UDB_EAP_FAST_ANON_INBAND_NOT_ALLOWED
|
2146
|
UDB_AUDIT_BAD_RESPONSE
|
2147
|
UDB_AUDIT_TOO_MANY_ROUND_TRIPS
|
2148
|
UDB_POSTURE_VALIDATION_FAILED
|
2149
|
UDB_MAC_AUTH_BYPASS_NOT_ALLOWED
|
2150
|
UDB_ACCESS_DENIED_NO_SERVICE
|
2151
|
UDB_AUTHORIZATION_REJECT
|
2152
|
UDB_PV_FAILED_NO_SERVICE
|
2153
|
UDB_LOCAL_USER_HAS_EXT_DB_AUTH
|
2154
|
UDB_SERVICE_EXT_DB_NOT_ALLOWED
|
2155
|
UDB_NT_LOGON_FAILURE
|
2156
|
UDB_MAC_AUTH_BYPASS_GROUP_DISABLE
|
2157
|
UDB_BADLY_FORMED_DACL_RQ
|
2158
|
UDB_INTERNAL_DACL_ERROR
|
2159
|
UDB_DACL_ASSIGN_ERROR
|
2160
|
UDB_INTERNAL_RAC_ERROR
|
2161
|
UDB_RAC_MISSING_ERROR
|
2162
|
UDB_AUDIT_RECIEVED_ERROR
|
2163
|
UDB_AUDIT_SERVER_UNREACHEABLE
|
2164
|
UDB_AUDIT_PARSE_ERROR
|
2165
|
UDB_EXT_POLICY_VER_ERROR
|
2166
|
UDB_EXT_POLICY_CONN_ERROR
|
2167
|
UDB_EXT_POLICY_AUTH_ERROR
|
2168
|
UDB_EXT_POLICY_TIMEOUT_ERROR
|
2169
|
UDB_ERR_PROFILE_TOO_BIG
|
1170
|
UDB_EXT_POLICY_CONN_ERROR_CA_UNKNOWN
|
2171
|
UDB_BASE_WARN
|
1000
|
UDB_ALREADY_OPEN
|
1001
|
UDB_PASSWORD_EXPIRED
|
1002
|
UDB_UNKNOWN_PASS_STATUS
|
1003
|
UDB_UDB_VALUE_OVERWRITE
|
1004
|
UDB_BUFFER_TOO_SMALL
|
1005
|
UDB_SIZE_SMALLER
|
1006
|
UDB_USER_NOT_ALIAS
|
1007
|
UDB_NO_MORE_QUOTA_TYPES
|
1008
|
Line Numbers in Diagnostic Logs
All ACS diagnostic log files now contain the correct line number of the source code that generated the error. In previous versions of ACS, the dzlog function contained the hard-coded source code line number which was populated to the ACS diagnostic log.
Improved EAP Code Debug Messages
All EAP debug messages are now reported to the CSAuth diagnostic log.
Product Documentation
Table 7 lists the product documentation for ACS 4.1.3.
Known Caveats in ACS for Windows and the Solution Engine 4.1.3
Table 8 contains known caveats in ACS for Windows and the Solution Engine 4.1. 3.
Table 8 Known Caveats in ACS Windows and the Solution Engine 4.1.3
Bug ID
|
Summary
|
Explanation
|
CSCdv86708
|
DEL/HTTP Port Allocation is not replicated.
|
Symptom Changes to HTTP Port Allocation settings do not
appear to replicate. After the HTTP Port Allocation settings are
changed on the Access Policy Setup page in the Administration
Control section on the primary Cisco Secure ACS server and
replication succeeds, the secondary Cisco Secure ACS server
does not display the changes to the HTTP Port Allocation
settings in the HTML interface.
Workaround .The changes to the HTTP Port Allocation settings do replicate successfully; however, to see the changes on the secondary Cisco Secure ACS server, restart the CSAdmin service.
|
CSCeg52536
|
Failed PEAP authentication not shown up in ACS logs.
|
Symptom PEAP-MS-CHAPv2 with Machine authentication.
ACS does not show any failure in the logs nor sending a radius
reject if a client machines which does not belong to the AD
domain at all tries to authenticate. Looking in the auth.log, it
shows correctly that windows authentication fails.
Workaround None.
|
CSCeh52700
|
AD expired-user passed EAP-TLS authentication; should be rejected.
|
Symptom EAP-TLS authentication will still pass for users in
Active Directory even if their account has expired - no error is
given from ACS.
Conditions EAP-TLS authentication of users in Active Directory running in Windows 2000 environment.
Workaround None.
|
CSCeh86479
|
CSUtil import -85 errors to be changed to info msg-not error.
|
Symptom The CSutil utility with the options -n, -g, and -u may
print an ODBC error message similar to the following:
ODBC Error. Message=[Sybase][ODBC Driver][Adaptive
Server Anywhere]Communication error, SqlState=08S01,
NativeError=-85
Workaround None. This would only happen when running csutil from Remote Services. This is really an informational message, and can be ignored.
|
CSCse25423
|
Bypass Info & extBDinfo fields in the passed\failed reports are empty.
|
Symptom Bypass Info & extBDinfo fields in the passed
authentication \failed attempts page in reports and activity are
Conditions
1. Select the Bypass Info & extBDinfo attributes in logging page under system configuration page for both passed authentication \failed attempts.
2. Submit
3. Perform MAB request.
Workaround None.
|
CSCsf11087
|
Cisco:PA: attributes not showing in Passed Auth rpt for Linux client.
|
Symptom Cisco:PA attributes are not showing up in the Passed
Authentication Report for a Linux client with CTA 2.1.0.10
installed. The attributes are showing up in the AUTH.log file
and are showing up for a Win XP client on the same network.
Conditions
1. In System Configuration > Logging > Passed Authentication select Cisco:PA attributes.
2. Click Submit.
3. Perform authentication using Linux client with CTA. 2.1.0.10
4. Check pass authentication log in reports and activity page.
Workaround None.
|
CSCsf16737
|
CSAuth, CSAdmin, CSRadius, CSTacacs are not started up after reboot.
|
Symptom After a system reboot, the following Services are not
started up when Windows service, Windows Firewall/Internet
Connection Sharing (ICS) is started:
•CSAuth
•CSRadius
•CSTacacs
•CSAdmin
Workaround Disable Windows Service Windows Firewall/Internet Connection Sharing (ICS). To do so, Start > Run. Enter services.msc and press OK. In the Services dialog box, scroll to Windows Service Windows Firewall/Internet Connection Sharing (ICS). Right click, and select Properties. In the Startup type: box change Automatic to Disabled.
Note You can also manually start each service.
|
CSCsg02005
|
CSMon utilizes 100% CPU - while trying to communicate with SMTP Server.
|
Symptom ACS hits 100% CPU load on CSMon.
Conditions ACS or ACS-SE running 3.3.3.11 with e-mail notification on.
Workaround Turn off e-mail notification.
|
CSCsg26367
|
Replication error on ACS 4.0. Slave does not apply changes.
|
Symptom ACS 4.0.1(27) master is sending the changed files on
the slave, only the skipped files are shown.
Logs confirm the reception of the files (RQ1051, RQ1052, RQ1054). CSMon kicks in after the configured replication timeout value (5 minute default), as configured, restarting the CSAuth service. So Slave is not showing the files that master says it has sent, then more or less hangs until restarted by CSMON. Master is not recovering from the loss of communication with slave:
AUTH 09/14/2006 00:22:48 E 1017 4268 Comms
lib:Tcp_Connect: Failed to
connect to 172.29.128.133, sock error 10061 AUTH
09/14/2006 00:22:48 E
1017 4268 Comms lib:Transport connect failed AUTH
09/14/2006 00:22:48 E
1017 4268 Comms lib:Bad endpoint address
V:\ismg_israel_acs\Acs\EndPoint\Core\endpoint.c:1788
Conditions Replications over a WAN connection.
Workaround None. Logs show that when the replication is retried, it is usually successful.
|
CSCsg71852
|
ACS ignoring RADIUS request, may not be fixed.
|
Symptom 3750 Switch with NAC-802.1x authentications
re-uses the same Radius ID for different users when ACS takes
more time to reply for the original radius request.
Conditions &# |
