Table Of Contents
Release Notes for Cisco Secure ACS 4.2
Contents
Introduction
New and Changed Information
New Features
Using ACS 4.2 in a FIPS 140-2-Compliant Mode
RADIUS Key Wrap Extended to All EAP Protocols
Installation Notes
Installation Notes for ACS 4.2 for Windows
Upgrade Path for ACS 4.2 for Windows
System Requirements for ACS 4.2 for Windows
Installation Notes for ACS 4.2 Solution Engine
Upgrade Path for ACS 4.2 Solution Engine
System Requirements for ACS 4.2 Solution Engine
Miscellaneous Issues
Known Caveats
Resolved Caveats
Documentation Updates
Updates
Cisco Secure Authentication Agent
Regulatory Compliance and Safety Information
Windows and Active Directory 2008 Supported Scenarios
Types of SAN Supported
Errors
Omissions
Product Documentation
Notices
OpenSSL/Open SSL Project
License Issues
Obtaining Documentation and Submitting a Service Request
Release Notes for Cisco Secure ACS 4.2
Revised: December 2008, OL-14490-03
These release notes pertain to the Cisco Secure Access Control Server, hereafter referred to as ACS version 4.2. These release notes contain information for the Windows and Solution Engine (SE) platforms. Where necessary, the appropriate platform is clearly identified.
Cisco Secure ACS 4.2 is Federal Information Processing Standards (FIPS) 140-2-certified for Cisco Secure ACS FIPS module version 1.1—a software cryptographic library that provides cryptographic services to Cisco Secure ACS release 4.2.
Note
The ACS release numbering system for software includes major release, minor release, maintenance build, and interim build number in the MMM.mmm.###.BBB format. For this release, the versioning information is Cisco Secure ACS 4.2.0.xxx. Elsewhere in this document where 4.2 is used, we are referring to 4.2.0. ACS major release numbering starts at 4.2.0. Please use this information when working with your customer service representative.
Contents
This document contains:
•
Introduction
•
New and Changed Information
•
Installation Notes
•
Known Caveats
•
Resolved Caveats
•
Documentation Updates
•
Product Documentation
•
Notices
•
Obtaining Documentation and Submitting a Service Request
Introduction
ACS is the policy-control and integration point for access to or through Cisco devices or solutions. ACS is the dominant enterprise network-access control platform, and it is the administrative access-control system for Cisco devices and applications.
ACS 4.2 is a minor release in the ACS 4.x line that adds customer-requested enhancements and bug fixes and includes the FIPS module. ACS 4.2 includes the new functionality and features described in this document and in the User Guide for ACS 4.2.
New and Changed Information
ACS 4.2 contains the following new and changed information:
•
New Features
•
Using ACS 4.2 in a FIPS 140-2-Compliant Mode
•
RADIUS Key Wrap Extended to All EAP Protocols
New Features
ACS 4.2 provides the following new features that protect networked business systems:
•
Transition to the Windows 2003 Operating System for the ACS SE
•
Turning ICMP ping on/off (ACS SE)—On the ACS SE, you can turn the ICMP ping response on or off. In some cases, another network device must receive a valid ICMP ping response before sending an authentication request.
•
Native RSA (ACS SE)—Support of RSA proprietary interface on the ACS SE.
•
Programmatic interface enhancements for RDBMS Synchronization— RDBMS synchronization has added capabilities for dACLs. You can create, update, and delete user-level and group-level downloadable ACLs through RDBMS synchronization.
•
Enabling Secure Shell (SSH) client remote invocation for RDBMS Synchronization for the ACS SE—A command-line interface through which you can change the ACS configuration from remote systems. The ACS SE now runs an SSH server; you can connect to it from any SSH client and run the CSDBSync command to perform database synchronization.
•
Enabling CLI RDBMS Synchronization invocation for ACS for Windows.
•
NetBIOS disabling—In ACS for Windows, you can now disable NetBIOS on the server on which it is running.
•
Logging enhancements—Enhanced Comma Separated Values (CSV)-generated log messages. Passed and failed authentication reports now include Response Time, Session-ID, and Framed-IP-Address attributes.
•
Upgrade features—You use these features to preserve an ACS 4.1 backup configuration and restore it into ACS 4.2, so that an existing ACS 4.1 configuration carries over to ACS 4.2 without being recreated.
•
Group filtering at NAP level when using LDAP—When using LDAP to query an external user database, you can perform group filtering at the Network Access Profile level. Depending on the user's external database group membership, ACS can reject or accept access to the network, based on the group filtering settings.
•
RSA authentication with LDAP group mapping—ACS can authenticate with RSA and simultaneously perform group mapping with LDAP. Administrators can now use this option to control authorization based on a user's LDAP group membership.
•
EAP_FAST options:
–
EAP-FAST enhancement for anonymous TLS renegotiation—An anonymous TLS handshake occurs between the end-user client and ACS. EAP-MSCHAP is the only inner method in Phase 0 of EAP-FAST.
–
EAP-FAST enhancement for an invalid PAC—ACS can now run EAP-FAST without issuing or accepting any tunnel or machine PACs when it receives an invalid PAC. All PAC requests are ignored: ACS takes no action on them and instead responds with a Success-TLV, even though no valid PAC is present. All the relevant PAC options are disabled when you choose this option.
–
EAP-TLS PAC-less, no Active Directory processing—ACS supports EAP-FAST tunnel establishment without PACs or client-certificate lookup.
•
Option of disabling caching of dynamic users—Administrators can determine whether they want to disable the creation of dynamic users while using an external database for authentication. Minimal performance disruption occurs when disabling caching of dynamic users.
•
Active Directory multi-forest support—ACS supports authentication in a multi-forest environment. Active Directory authentication succeeds as long as an appropriate trust relationship exists between the primary ACS forest and the requested domain's forest.
•
Time configuration—You can set the ACS SE to the local or GMT time zone. Log viewing and syslog can receive local or GMT time zone stamps.
•
Temporary Elevated User Privileges—ACS supports the granting of administrator privileges temporarily to another user.
•
Object Identifier (OID) Check for EAP-TLS Authentication—ACS checks the OID against the Enhanced Key Usage (EKU) field in the user's certificate.
•
Layer 2 Audit for Network Access Control—ACS supports auditing of agentless hosts connected to a Layer 2 Network Access Device (NAD).
•
ACS for Windows now includes the GUI based CSSupport utility.
•
UTF-8 Support—ACS supports the use of UTF-8 (the 8-bit Universal Coded Character Set (UCS)/Unicode Transformation Format) for the username and password only when authenticating with Active Directory.
•
Adding devices through CSUtil—ACS now supports using the CSUtil import.txt file for adding and editing authentication, authorization, and accounting (AAA) devices.
•
ACS now supports 3COMUSR VSAs.
•
User-defined vendors extended VSA ID— You can use CSUtil or RDBMS synchronization to install dictionary components for vendors that require extended VSA ID length.
•
Customizing a Workstation Name for Windows Authentication—ACS now supports multiple ACS deployments that use a single Active Directory tree.
•
Configuring the ACS RADIUS Server to reject or discard requests to an external ODBC Database.
•
Improved Diagnostic Logs—Diagnostic log files now contain the line number of the source code that generated the error. The CSAuth diagnostic log now includes Session IDs.
•
Improved EAP Code Debug Messages—All EAP debug messages are now reported to the CSAuth diagnostic log.
•
RADIUS Key Wrap is now extended to all EAP protocols.
Using ACS 4.2 in a FIPS 140-2-Compliant Mode
This section describes how to use Cisco Secure ACS 4.2 in a FIPS 140-2-compliant mode:
•
Follow the guidelines described in FIPS 140-2 Level 1 Security Policy for Cisco Secure ACS FIPS Module Version 1.1, at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp948.pdf to operate your ACS in a FIPS-compliant mode.
•
Use only FIPS 140-2-validated AAA clients, operated in their approved FIPS mode. Refer to each client's own FIPS 140-2 Security Policy for its configuration guidelines; the Security Policy for the ACS module is at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp948.pdf.
•
Enable ACS logging; the default setting (Low) is acceptable. Refer to the User Guide for Cisco Secure ACS 4.2 for more information.
•
Enable RADIUS Key Wrap in ACS; refer to RADIUS Key Wrap Extended to All EAP Protocols.
•
AAA clients must use only EAP-TLS, EAP-FAST, or PEAP protocols for authentication, with key wrap.
Note
ACS 4.2 conforms to FIPS 140-2 only when you use the allowed FIPS 140-2-compliant protocols. It is the network administrator's (the FIPS 140-2 Crypto Officer's) responsibility to enforce this policy; ACS does not block you from using any other protocol.
Note
In EAP-FAST, do not use the out-of-band protected access credentials (PAC) provisioning.
AAA clients must support Authenticated Diffie-Hellman with SHA1 and AES, or RSA with SHA1 and AES for TLS negotiation.
Note
The EAP-FAST enhancement for anonymous TLS renegotiation, the EAP-FAST enhancement for an invalid PAC, and the EAP-TLS PAC-less, no Active Directory processing feature are not FIPS compliant.
RADIUS Key Wrap Extended to All EAP Protocols
RADIUS Key Wrap is extended to all EAP protocols; previously, RADIUS key wrap was available only for EAP-TLS.
In previous ACS releases, the Allow RADIUS Key Wrap check box resided in the EAP-TLS section of the Network Access Profiles > Protocols page.
ACS 4.2 moves the Allow RADIUS Key Wrap check box to the top of the EAP Configuration section, in the new Key-Wrap area. You must enable this option for EAP-TLS, EAP-FAST, and PEAP authentication when operating ACS in a FIPS 140-2-compliant mode.
Installation Notes
This section contains installation information for ACS 4.2.
Installation Notes for ACS 4.2 for Windows
This section contains:
•
Upgrade Path for ACS 4.2 for Windows
•
System Requirements for ACS 4.2 for Windows
Upgrade Path for ACS 4.2 for Windows
For more information on ACS 4.2 upgrade paths, see the Installation Guide for Cisco Secure ACS for Windows 4.2.
System Requirements for ACS 4.2 for Windows
For information on supported operating systems and web browsers, see the Installation Guide for Cisco Secure ACS for Windows 4.2.
Installation Notes for ACS 4.2 Solution Engine
This section contains:
•
Upgrade Path for ACS 4.2 Solution Engine
•
System Requirements for ACS 4.2 Solution Engine
Upgrade Path for ACS 4.2 Solution Engine
For ACS 4.2 upgrade paths, see the Installation Guide for Cisco Secure ACS Solution Engine 4.2.
System Requirements for ACS 4.2 Solution Engine
For information on the system requirements for the Solution Engine, see the Installation Guide for Cisco Secure ACS Solution Engine 4.2.
Miscellaneous Issues
This section refers to bug CSCea91690, which describes the Event Viewer errors that appear on startup and shutdown of Windows Server 2003.
When Windows Server 2003 boots or shuts down, false errors indicating that a Cisco Secure ACS service has failed are generated. At startup, a dialog box appears indicating that a service, such as CSLog, encountered a problem and needs to close. The same error is logged to the Event Viewer as:
Reporting queued error: faulting application CSLog.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
The problem occurs because the Windows Service Manager queries the status of the Cisco Secure ACS services during startup and shutdown, when the ACS services may not yet have started or may already have stopped. Although this is normal behavior for the ACS services, Windows treats it as an error and logs it to the Event Viewer. When Windows Server 2003 boots and the user logs in, the Event Viewer displays all errors from the previous session.
This behavior occurs only on Windows Server 2003. To confirm that the error is spurious, verify in Control Panel that the ACS services are running.
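The Event Viewer entry quoted above has a recognizable shape: an ACS service executable, application version 0.0.0.0, faulting module unknown, and fault address 0x00000000. The following Python script is an added example, not part of these release notes or of the ACS product. It parses lines of that format and separates entries matching the spurious startup/shutdown pattern from ACS faults that name a real module and address and therefore deserve investigation. The list of ACS service executables and all sample log lines except the first are assumptions constructed for the example, and the classification rule is a triage heuristic derived from the description above, not an official Cisco signature.

```python
import re

# ACS 4.x Windows service executables, lowercase for case-insensitive matching.
# Assumed list; adjust to the services present on your ACS host.
ACS_SERVICES = {"csadmin", "csauth", "csdbsync", "cslog", "csmon", "csradius", "cstacacs"}

# Shape of the Event Viewer text quoted in the release notes.
_FAULT_RE = re.compile(
    r"faulting application (?P<app>[\w.\-]+), version (?P<app_ver>[\d.]+), "
    r"faulting module (?P<mod>[\w.\-]+), version (?P<mod_ver>[\d.]+), "
    r"fault address 0x(?P<addr>[0-9a-fA-F]+)"
)


def parse_fault(line):
    """Return a dict of app, app_ver, mod, mod_ver, addr for a fault line, else None."""
    m = _FAULT_RE.search(line)
    return m.groupdict() if m else None


def is_acs_service(exe):
    """True if the faulting executable is one of the ACS services."""
    name = exe.lower()
    if name.endswith(".exe"):
        name = name[:-4]
    return name in ACS_SERVICES


def classify(line):
    """Classify one Event Viewer line.

    "ignore"      - not a fault-report line at all
    "other"       - a fault report for a non-ACS application
    "benign"      - the spurious ACS startup/shutdown pattern (CSCea91690):
                    app version 0.0.0.0, module unknown, module version
                    0.0.0.0, fault address 0x00000000 (heuristic)
    "investigate" - an ACS service fault carrying real module/address data
    """
    f = parse_fault(line)
    if f is None:
        return "ignore"
    if not is_acs_service(f["app"]):
        return "other"
    spurious = (
        f["app_ver"] == "0.0.0.0"
        and f["mod"].lower() == "unknown"
        and f["mod_ver"] == "0.0.0.0"
        and int(f["addr"], 16) == 0
    )
    return "benign" if spurious else "investigate"


def triage(lines):
    """Bucket fault-report lines by verdict; non-fault lines are dropped."""
    buckets = {"benign": [], "investigate": [], "other": []}
    for line in lines:
        verdict = classify(line)
        if verdict != "ignore":
            buckets[verdict].append(line)
    return buckets


# Constructed sample log: the first entry is the text from the release notes,
# the others are made up to exercise the remaining branches.
SAMPLE_EVENTS = [
    "Reporting queued error: faulting application CSLog.exe, version 0.0.0.0, "
    "faulting module unknown, version 0.0.0.0, fault address 0x00000000.",
    "Reporting queued error: faulting application CSAuth.exe, version 4.2.0.1, "
    "faulting module ntdll.dll, version 5.2.3790.1830, fault address 0x0001bd02.",
    "Reporting queued error: faulting application notepad.exe, version 5.2.3790.0, "
    "faulting module unknown, version 0.0.0.0, fault address 0x00000000.",
    "The Cisco Secure ACS CSAuth service entered the running state.",
]

if __name__ == "__main__":
    for verdict, entries in triage(SAMPLE_EVENTS).items():
        print(f"{verdict}: {len(entries)}")
        for entry in entries:
            print("   ", entry)
```

Run it over an exported Event Viewer text log. Anything in the investigate bucket names a real faulting module or address and is not the CSCea91690 noise, so treat it as a genuine service crash.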
Known Caveats
Table 1 contains known caveats in ACS for Windows and Solution Engine 4.2. You can also use the Bug Toolkit on Cisco.com to find any open bugs that might not appear here.
Table 1 Known Caveats in ACS Windows and Solution Engine 4.2
Bug ID
|
Summary
|
Explanation
|
CSCsb74346
|
Authorization of disabled user succeeded.
|
Symptom When you disable a user account in the ACS Internal
Database, it does not influence TACACS+ authorization requests to
the user. TACACS+ authorization requests succeed, if they match
the user's TACACS+ settings, although the user's account is
disabled. TACACS+ authentication requests fail for such users.
Workaround None.
|
CSCsb95897
|
ACS cannot display a long list of disabled accounts correctly.
|
Symptom The ACS web interface cannot display several pages of
disabled accounts list as the Previous button can be clicked only
once.
Workaround None.
|
CSCse26754
|
ACS/ACSE Administration performs limited session validation.
|
Symptom After successful login, ACS performs only limited session
validation by matching the IP alone. This is due to a weakness in the
default configuration of ACS. Cisco is investigating this issue and
further details will be added to the Cisco Security Response as it
becomes available.
Workaround For details, see Cisco.com.
|
CSCse93831
|
In 4.0, the number of IP addresses per AAA client is limited.
|
Symptom Data is missing from certain Network Device Groups even
after the ACS upgrade process completes normally.
Conditions This was observed while upgrading from ACS 3.3.3(11) to 4.0(1). After the upgrade, two Network Device Groups containing AAA clients with a large number of subnets (over 240) had been truncated to 94 subnets.
Workaround No workaround is available at this time.
|
CSCsf11087
|
Cisco PA attributes not being displayed in the Passed Authentication Report for a Linux client.
|
Symptom Cisco:PA attributes are not being displayed in the Passed
Authentication Report for a Linux client with CTA 2.1.0.10
installed. The attributes are being displayed in the auth.log file and
on a Win XP client on the same network.
Workaround In System Configuration > Logging > Passed Authentication, select the Cisco:PA attributes and click Submit. Then perform the authentication from the Linux client with CTA 2.1.0.10 and check the Passed Authentication log on the Reports and Activity page.
|
CSCsg24486
|
Two New Tacacs Services with similar names have issues with data.
|
Symptom In Interface Configuration > TACACS (Cisco IOS), create
two new services with similar names. When you enter data in one
service and save the changes, the same data will be copied to
both services.
Conditions The new service names contain spaces.
Workaround Do not use spaces in service names.
|
CSCsg37180
|
ACS LDAP query size limit is 50000.
|
Symptom When you use LDAP as an external user database and try
to edit the ACS group to LDAP group mapping; for example, when
you click Add Group, the web interface will display the error
message "LDAP disconnected".
Conditions Your LDAP group list query response contains more than 50000 results.
Workaround Keep the number of LDAP groups returned by the query below 50000.
|
CSCsg71976
|
ACS hangs with invalid LDAP/SSL authentications with referrals.
|
Symptom When you use ACS, with LDAP/SSL configured as an
external user database, if one login attempt fails due to an invalid
username or password, then all subsequent login attempts will fail,
even if login details are valid. You must reboot to refresh the
authentications, but if an invalid username or password is entered
again, then all further authentication attempts will fail.
Conditions The Use Secure Authentication checkbox must be checked to enable LDAP/SSL in the LDAP external user database. The LDAP server must respond with referrals to other servers.
Workaround Unencrypted LDAP works. If you use LDAP/SSL, configure the LDAP database to reply without referrals. Otherwise you must reboot to clear the failed state, and authentication then works only until the next invalid username or password is entered.
|
CSCsh89581
|
ACS Administration does not respond under heavy load.
|
Symptom When the ACS Administration GUI does not respond after
a period of time, the service has to be restarted to allow
administration access to ACS. However, this does not affect user
authentication to the ACS.
Conditions When LMS 2.6 is authenticating to an ACS appliance on 4.0.1.44 code, a patch is applied to the LMS server to ensure that sessions created by auto-refresh are also logged out. When this issue occurred, the CSAdmin logs stopped sending any further information until the services are restarted. In the environment in which this issue occurred, within 5 minutes the LMS servers established over 6000 administrative connections to CSAdmin (and logged out again). There is a high probability that this issue is related to load.
Workaround Restart the ACS (for an ACS Solution Engine) or the CSAdmin process (for ACS installed on Windows) to allow administration access to ACS GUI.
|
CSCsi55085
|
ACS services do not start on a dual CPU machine after it is replicated or rebooted.
|
Symptom ACS services do not start when the Secondary ACS
machine is rebooted within 30 minutes after database replication.
Conditions After the database replication between a primary ACS and a secondary ACS machine with dual processors, this issue occurs when the secondary ACS machine is rebooted within 30 minutes.
Workaround Do not reboot the secondary ACS machine within 30 minutes of database replication.
|
CSCsj14508
|
Some special characters in the FTP password are wrong.
|
Symptom Backup attempts to the FTP server fail as if an incorrect password had been used.
Conditions This occurs when the FTP password contains special characters such as #, %, or @. This may be present in ACS 4.1.3 and other ACS versions.
Workaround Use a password containing only letters and digits.
|
CSCsj60407
|
ACS Backup filename is changed to uppercase letters.
|
Symptom The FTP filename created for backups must contain the hostname of the appliance, but the hostname randomly changes between uppercase and lowercase letters.
Conditions ACS for Windows and ACS Solution Engine on 4.1(1) Build 23.
Workaround None.
|
CSCsk25159
|
ACS Upgrade: Dictionary Corruption CiscoACS\Dictionaries\005
|
Symptom After upgrading to 4.1.1.23 or 4.1.1.24 from 4.0.1.27,
service does not start.
The RDS.log displays the error:
RDS 28/08/2007 09:29:33 P 0202 0700 Dictionary Config Error:
Ignoring unrecognized value 'Type' in key
CiscoACS\Dictionaries\005
RDS 28/08/2007 09:29:33 P 0202 0700 Dictionary Memory Error:
dict_DictionaryInitCallback cannot parse dictionary configuration
Conditions Run ACS 4.0.1.27 and then upgrade to 4.1.1.23 or 4.1.1.24. This occurs in rare cases.
Workaround Call TAC and send in your database backup. The dictionary can be repaired.
|
CSCsk27193
|
Can't use <cr> when entering multiple MAC addresses.
|
Symptom When defining authentication configuration for
NetworkAccess Profiles Access Policies, if you press "return" after
each MAC address and submit the changes, error messages
are displayed.
Conditions This occurs in ACS 4.1.1(23) when using Internet Explorer 6.0 and JRE 1.5.
Workaround Separate MAC addresses with a comma (,), and do not press "return" after the last MAC address has been entered.
|
CSCsk93795
|
ACS 4.1 sends invalid MS-CHAP-MPPE-Keys to PPTP client.
|
Symptom A PPTP client that connects to an IOS router with Radius
authentication, fails if "Require encryption" is selected. Radius
attributes are configured at the user level.
Conditions The error "Invalid MPPE key length (11)" is reported; the MS-CHAP-MPPE-Keys attribute should be 34 bytes. The 11 bytes ACS sends are 0c (vendor-type 12), 0b (vendor-length = 11), and 41 75 74 6f 6d 61 74 69 63 (the word "Automatic"). ACS sends the wrong key length; IOS accepts only a vendor-length of 34.
Workaround Use local authentication or optional encryption.
|
CSCsk94878
|
Cannot change the windows password when the PDC Emulator is down.
|
Symptom The user cannot change the windows password when the
PDC Emulator is down.
Conditions This symptom occurs even if another Domain Controller for the same domain is up and all DCs are running in Native mode (W2K3 mode or W2K mode). User authentication can succeed against the other DC even when the PDC Emulator is down.
Workaround Do not attempt to change the windows password when the PDC Emulator is down.
|
CSCsl46350
|
Authentication complete message not displayed.
|
Symptom When an invalid username is entered, ACS does not reply.
Conditions
1. Use EOU with EAP-FAST.
2. Select "Prompt automatically for username and Password" in the EAP-FAST "User Credentials" setup, and enter an invalid username.
Workaround None.
|
CSCsl50122
|
ACS SE needs configurable RA timeout value.
|
Symptom This is a request to add a timer to the ACS Appliance. This
timer can be configured to monitor how long the ACS SE waits
before timing out the Remote Agent during group mapping.
Conditions ACS SE running 4.1.1.23 or higher.
Workaround If group mapping times out, manual mappings can be used.
|
CSCsl70457
|
Some ACS 1113 Appliances ship with BIOS password.
|
Symptom Some ACS 1113 appliances that ship from RMA depots,
come with a bootup password of 'acs1113'.
Conditions Appliance comes with a BIOS Password.
Workaround On boot, enter the BIOS password of 'acs1113'.
|
CSCsl88008
|
ACS GUI does not prevent the dynamic allocation of port 2002.
|
Symptom ACS does not prevent the dynamic allocation of port 2002 when a user logs in or when LMS is used.
Workaround Login to ACS, change the Administration Control, Access Policy, and HTTP Port Allocation to:
Restrict Administration Sessions to the following port range From Port 2003 to Port 65535.
|
CSCsl99170
|
Logged in Users not functional in Proxy Scenario.
|
Symptom Logged in users are not being updated in the proxy ACS.
This error occurs only in real time (using a switch with a dot1x configuration) and does not occur in simulators.
Conditions
1. Configure two ACS servers as ACS 2 & ACS 3.
2. Configure ACS 2 as the Primary ACS server.
3. When a request is received in UPN format (user@nmtg.com), ACS 2 directs the request to ACS 3 (@nmtg.com, suffix, strip) (Acct - local/remote).
4. ACS 3 processes the request and authenticates the user.
5. Logged in users are not updated in ACS 3.
Workaround None.
|
CSCsm36747
|
Increasing memory consumption in the CSAdmin during import process.
|
Symptom CSAdmin consumes memory and does not get released.
Conditions During the import process of AAA clients from the CLI, using the CSUtil tool.
Workaround Restart all services.
|
CSCsm45861
|
Windows Database Group Mapping fails when the username is in UPN format.
|
Symptom Unable to find user name even though it is present in the
local group.
Conditions When ACS is configured to use the old API.
Workaround You must use a plain username without the UPN format (without domain suffix).
|
CSCsm60215
|
ACS Appliance has authorization issues with extended attributes.
|
Symptom After upgrading to 4.1.1, third-party devices that use extended attributes fail to authorize with ACS and send an RST to the authorization session.
Conditions Using 4.x code on an appliance that uses extended attributes.
Workaround None.
|
CSCsm64286
|
Request from NAS fails when default NAS is defined under NDG.
|
Symptom Authentication fails, when a request is sent from the
"other" NAS.
Conditions A NAR is configured to deny the request from the defined NAS, while the "others" default TACACS+ NAS is defined under an NDG.
Workaround None.
|
CSCsm64931
|
NAR does not filter users when "Apply password change rule" is selected.
|
Symptom All the devices are TACACS+ devices.
1. Define per group NAR with two NDGs (GA, GB) and configure it to permit access (Permit).
2. Define the device named 'others' with IP address *.*.*.*.
3. Do not include 'others' in the NAR.
4. In the group setting, check the checkbox "Apply password change rule".
5. Change the password for one of the users in that group.
6. Authenticate (telnet) to a TACACS+ device which is not explicitly defined in any group.
Result: You are prompted to change the password and subsequently access the device. But in the next authentication, you are denied access to the device.
Conditions This error occurs when NAR is applied.
Workaround None.
|
CSCsm66268
|
If there is no NAP, Group Mapping fails with Ext DB when service type is 10.
|
Symptom Group mapping fails when service type is 10 and when no
Network Access Profile is configured in ACS.
Conditions Perform MAC authentication with service-type 10 against the LDAP database while no NAP is configured in ACS; group mapping fails.
Workaround Configure NAP and enable "Allow Agentless Request Processing" or do not send the request with service-type as 10.
|
CSCsm68921
|
No console access during System Recovery.
|
Symptom When performing system recovery with the recovery CD,
the console output freezes after the "Press <SpaceBar> to update
BIOS" message appears.
Conditions The problem can occur with any version of the recovery CD.
Workaround None.
|
CSCsm69491
|
Disabled users accounts and groups still check external databases.
|
Symptom ACS checks the external database for password
verification before checking if the user account is disabled.
Conditions Observed with a RADIUS external database; may also be present with other external databases.
Workaround This is an enhancement request. This is a request to change the flow, so that ACS first checks if the account is disabled before checking the external database for password verification.
|
CSCsm70790
|
Default BIOS configuration is changed.
|
Symptom In some of the new appliances the BIOS settings differ from the existing ones. Because of this, the appliance cannot be imaged with the recovery CD.
Conditions This error occurs in some of the new appliances.
Workaround None.
|
CSCsi82254
|
FAST1a When Posture PA is large - Auth is failed.
|
Symptom Authorization using FAST1a with big PA message fails.
Conditions It occurs in ACS 4.1.2.11 on Windows 2003.
Workaround Provide a short PA.
|
CSCsj23646
|
Performing a stress test on GAME during audit server outage, causes an internal error.
|
Symptom An internal error occurs, when testing GAME on an audit
server that is down.
Conditions When performing a stress test using GAME.
Workaround The Audit server must be up and running.
|
CSCsj87562
|
Remote Logging Reports shows wrong information.
|
Symptom The remote logging report displays wrong information for
the column "Logged Remotely".
Conditions Configure Remote Logging and do an authentication check for the Remote Logging Reports (passed Authentication or Failed Attempts). The Column "Logged Remotely" displays "No" when it should be "Yes". This occurs in ACS 4.1.
Workaround None.
|
CSCsj99992
|
RDS logs show Merge Control attribute missing from PDE policy output.
|
Symptom RDS logs show the Merge Control attribute missing from
the policy agent. This is a warning message as a result of the client
packet and can be ignored.
Conditions It occurs in ACS 4.2.
Workaround None.
|
CSCsk09761
|
Called Station ID value is not logged in passed or failed attempts reports.
|
Symptom Called-Station-ID is not logged in the Passed or Failed
attempts report.
Conditions While performing any authentication with Called-Station-ID attribute.
Workaround None.
|
CSCsk17182
|
Extend maximum allowed characters for absolute filepath - DBSync via CSV.
|
Symptom The warning message "[Microsoft][ODBC Text Driver]String data right truncated on column number 6 (ValueName)" appears in the RDBMS Synchronization reports.
Conditions The absolute file path specified for account action codes (for example, 385) is more than 49 characters long.
Workaround Specify an absolute file path of less than 49 characters.
|
CSCsk29412
|
ACS fails to use correct credentials to authenticate users.
|
Symptom Failure to authenticate user in anonymous in-band
PAC provisioning.
Conditions In ACS EAP-FAST, when anonymous in-band PAC provisioning is configured and the client's user identity is the outer identity, PAC provisioning fails to authenticate the user when incorrect credentials are provided. Authentication then fails even when correct credentials are provided, because ACS continues to use the invalid credentials when attempting to authenticate the user. This condition occurs in all versions of ACS 4.x.
Workaround Use an anonymous identity as the outer identity.
|
CSCsk32262
|
Count increases in group when the same user is authenticated by PKI auth Bypass.
|
Symptom The function "List All Users" under "User Setup"
increases for the same user.
Conditions This occurs when you configure EAP-FAST with PAC-less when the Client Certificate Lookup and Comparison is disabled.
Workaround None.
|
CSCsk53325
|
Windows Authentication must fail when duplicate NetBIOS names exist in forest.
|
Symptom Creates ambiguity when searching for a user in AD.
Conditions This occurs when more than one domain is configured and the NETBIOS name of two domains are identical.
Workaround Windows does not allow you to create two domains with identical NETBIOS names.
|
CSCsk53454
|
ACS should allow you to retry in case of password change failure.
|
Symptom ACS does not allow password retry for the error code 709
- "Password Change failed".
Conditions Change the password through EAP-FAST/GTC (or any other methods that support password change) with the new password which does not meet password complexity.
Workaround Enter a new password that meets the password complexity rule.
|
CSCsk59988
|
EAP-FAST [ TLS ] does not work for Cross forest user authentication.
|
Symptom Occurs when doing EAP-FAST authentication with the
CSSC client.
Conditions The client sends the inner identity without domain markup.
Workaround This is not a bug since CSSC can be customized to send inner-identity in UPN format.
|
CSCsk60007
|
Inconsistent message when deleting the CA certificate in CTL.
|
Symptom An uninformative message appears when you delete a CA certificate in the CTL.
Conditions When you delete the CA certificate in the CTL, the deletion fails but the message does not explain the reason for the failure. This condition occurs in ACS 4.2.
Workaround None.
|
CSCsk62859
|
EAP-FAST: Second phase represented as None during machine authentications.
|
Symptom EAP-FAST Inner methods appear as None in machine
authentication. This error occurs for all inner methods for
EAP-FAST.
Conditions Occurs in ACS 4.2 for all EAP-FAST inner methods.
Workaround None.
|
CSCsk68870
|
Work Station Restriction not functioning with EAP-TLS authentication.
|
Symptom While doing EAP-TLS authentication, the workstation restriction on the user account is not enforced.
Conditions While doing EAP-TLS authentication.
Workaround This is not a bug: EAP-TLS authentication only looks up the user in the respective domain, and the workstation attribute is checked only when the user authenticates with a password.
|
CSCsk92498
|
CS-Log fails to start after Replicating the Secondary machine.
|
Symptom CS-Log fails to start after Replication in the
secondary machine.
Conditions This error occurs when you replicate a huge database from Primary Windows 2000 ACS to Secondary Windows 2003 Standard Edition ACS.
Workaround None.
|
CSCsl02590
|
CS-Auth restarts & authentication fails during EAP-TLS.
|
Symptom CSAuth restarts and the authentication fails during
EAP-TLS.
Conditions When a stress test of 1000 users x 100 cycles with 1 worker per client is run from one machine against ACS 4.2.0 build 111 on Windows 2003.
Workaround None.
|
CSCsl10248 | Log files become unusable after downloading using Firefox and Netscape.
Symptom Log files downloaded using the Firefox or Netscape browsers are not usable.
Conditions This occurs when the download is done using Firefox or Netscape.
Workaround Use Internet Explorer.
|
CSCsl16871 | CSUtil strips username while creating PAC.
Symptom While creating a PAC, CSUtil strips the domain information from the username.
Conditions When manual PAC provisioning is used.
Workaround Use automatic PAC provisioning, or a username without domain markup.
|
CSCsl79863 | ACS Certificate Installation
Symptom When installing a new certificate in ACS Windows from the System Configuration > Install ACS Certificate page, the old certificate is deleted even before the new certificate is uploaded.
Conditions Occurs in all 4.x releases of ACS.
Workaround None.
|
CSCsl96222 | Appliance RDBMS Sync: Failed to connect to FTP server.
Symptom While syncing, the FTP connection fails.
Conditions While downloading files from FTP, the connection is not established.
Workaround Setting an FTP password that does not contain '/' can solve this issue.
|
CSCsm07762 | Drop-down menu not functioning for posture token - do not audit groups.
Symptom The drop-down menu for selecting the Posture Token for the hosts that will not be audited is not functioning.
Conditions The user does not want to audit the members of some ACS user groups and needs to select a Posture Token for the hosts that will not be audited.
Workaround There is an option to audit based on Host IP Addresses and Ranges or Host MAC Addresses. Select the option "do not audit these hosts". This enables the drop-down menu for selecting the Posture Token for the hosts that will not be audited, and you can then select the required posture token.
|
CSCsm36481 | PEAP TLS machine authentication with account disabled generates internal error.
Symptom PEAP TLS machine authentication with the account disabled logs the following message in the Auth log: "Authentication fails with Internal error", instead of "Authentication fails with External DB account disabled".
Conditions This error message appears if you:
• Configure PEAP TLS machine authentication.
• Disable the machine account in AD.
• Perform authentication.
Workaround None.
|
CSCsm36518 | Machine authentication with group mapping configuration set to <No Access> is not logged in Failed Attempts.
Symptom Machine authentication with the group mapping configuration set to <No Access> is not logged in the Failed Attempts log.
Conditions Occurs in ACS 4.1 and 4.2 with the following ACS configuration:
• Configure PEAP TLS machine authentication.
• Configure External DB group mapping to be <No Access>.
• Perform machine authentication.
Workaround None.
|
CSCsm37778 | ACS needs to normalize MAC addresses for Attribute [1].
Symptom ACS does not normalize the MAC addresses for Attribute [1].
Conditions MAB from a switch sends the following attributes:
• Attribute [1] (Username) - MAC address of the client that requires network access for MAB.
• Attribute [30] (Called-Station-ID) - MAC address of the ingress interface of the switch or authenticator.
• Attribute [31] (Calling-Station-ID) - MAC address of the client that requires network access for MAB.
Attributes [30] and [31] are sent in the format XX-XX-XX-XX-XX-XX for all switches. This has recently been updated in the switch code base to ensure compatibility with legacy switch code and also compliance with RFC 3580. 802.1X requests operate the same way. Neither of these attributes is expected to provide the authentication service provided by MAB.
Authentication and authorization are provided from RADIUS Attribute [1] (username) and RADIUS Attribute [2] (password). For IOS-based switches and recent versions of CatOS, the format for the username and password attributes is simply hhhhhhhhhhhh. This is an all lower-case version of hhhh.hhhh.hhhh with the punctuation stripped out.
ACS normalizes a MAC address for Attribute [31] only. When an LDAP query is performed after a NAP is matched, three separate queries are generated in the form:
• macAddress=00-11-22-33-44-55
• macAddress=00:11:22:33:44:55
• macAddress=0011.2233.4455
ACS must be able to do this for Attribute [1] as well, to support legacy MAB environments whose back-end databases may not store the MAC address in the "hhhhhhhhhhhh" format.
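The normalization this caveat asks for, as an added example (not ACS code): it accepts the four MAC address forms named above, derives the lower-case hhhhhhhhhhhh value carried in Attribute [1], and builds the three macAddress query strings ACS generates for Attribute [31]; the helper names and the sample values are constructed for illustration.

```python
import re

# One regex for the four forms named in the caveat (constructed example, not ACS code):
#   hhhhhhhhhhhh, hhhh.hhhh.hhhh, XX-XX-XX-XX-XX-XX and XX:XX:XX:XX:XX:XX.
# The backreference forces a single separator style within one address.
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{12}"                                   # RADIUS Attribute [1] form
    r"|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"               # Cisco IOS dotted form
    r"|[0-9a-f]{2}([-:])[0-9a-f]{2}(?:\1[0-9a-f]{2}){4})$",  # Attribute [30]/[31] form
    re.IGNORECASE,
)


def canonical_mac(value: str) -> str:
    """Return the 12 lower-case hex digits (the Attribute [1] form) or raise ValueError."""
    value = value.strip()
    if not _MAC_RE.match(value):
        raise ValueError(f"not a MAC address: {value!r}")
    return re.sub(r"[-:.]", "", value).lower()


def ldap_mac_queries(value: str, attr: str = "macAddress") -> list[str]:
    """Build the three query strings listed in the caveat, from any accepted input form."""
    h = canonical_mac(value)
    pairs = [h[i:i + 2] for i in range(0, 12, 2)]
    return [
        f"{attr}={'-'.join(pairs)}",                  # macAddress=00-11-22-33-44-55
        f"{attr}={':'.join(pairs)}",                  # macAddress=00:11:22:33:44:55
        f"{attr}={h[0:4]}.{h[4:8]}.{h[8:12]}",        # macAddress=0011.2233.4455
    ]


def mab_username_matches(username: str, stored: str) -> bool:
    """True when an Attribute [1] username and a back-end value denote the same MAC,
    regardless of which of the four formats each side uses; non-MAC input never matches."""
    try:
        return canonical_mac(username) == canonical_mac(stored)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: the username a switch sends versus a legacy directory entry.
    print(ldap_mac_queries("001122334455"))
    print(mab_username_matches("001122334455", "00:11:22:33:44:55"))
```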
|
CSCsm37851 | RADIUS Accounting logs are false.
Symptom RADIUS Accounting logs are false.
Conditions When MAB authenticates on a port and the following is set on the RADIUS Access-Accept:
• Attribute [27] = 60
• Attribute [29] = RADIUS-Request
Every 60 seconds the device should re-authenticate and an interim update should also be logged in RADIUS Accounting. However, before the Accounting entry for any interim update occurs, a false entry appears in the accounting log, which displays "NAS-Port re-used" and reports an incorrect session time.
Workaround None.
|
CSCsm43674 | Fields edited for an upgraded user display wrong information in Administration Audit.
Symptom Fields edited for an upgraded user give wrong information in the Administration Audit.
Conditions It occurs in ACS 4.2 with the following configuration:
• In ACS 4.1, add users with a Network Access Restriction.
• Take a backup of ACS 4.1.
• Restore the dump in ACS 4.2 using "Restore from 4.1 backup file to ACS 4.2".
• Edit the ACS 4.1 user and check the logs in Administration Audit. The Administration Audit contains information for the field that was not edited.
Workaround None.
|
CSCsm52514 | ACS Java causes Firefox and JRE 1.6.0_04 to hang on Japanese Windows.
Symptom Sun Java hangs and prevents login when accessing ACS.
Conditions
• Japanese Windows XP/2003: Japanese Firefox 2.0.0.11 + JRE 1.6.0_04 => hangs
• Japanese Windows XP/2003: Japanese Firefox 2.0.0.11 + JRE 1.6.0_03 => OK
• Japanese Windows XP/2003: Japanese Internet Explorer 6.0 SP2 + JRE 1.6.0_04 => OK
• US-English Windows XP/2003: US-English Firefox 2.0.0.11 + JRE 1.6.0_03 => OK
Workaround Use IE, or open the Java Console first (Firefox menu -> Tools -> Java Console) and then access ACS.
|
CSCsm57518 | ODBC configuration fails after upgrading from 4.1.
Symptom Occurs when upgrading from 4.1 to 4.2.
Conditions The ODBC configuration is missing after upgrading to 4.2.
Workaround After upgrading, configure ODBC once more to solve the issue.
|
CSCsm57566 | Windows user fails when ODBC is placed above it in the Unknown User Policy.
Symptom When performing authentication with the Windows database and ODBC, if ODBC is placed at the top of the Unknown User Policy, authentication fails.
Conditions While doing authentication with the Windows database and ODBC.
Workaround Place the Windows database at the top of the Unknown User Policy when the user is authenticating to the Windows database.
|
Resolved Caveats
Table 2 contains the resolved caveats for ACS 4.2. Check the Bug Toolkit on Cisco.com for any resolved bugs that might not appear here.
Table 2 Resolved Caveats in ACS Windows and Solution Engine 4.2
Bug ID | Description
CSCee89510 | Syslog: dates are always logged in GMT; need to be configurable.
CSCsb24849 | ACS does not purge the AAA Client user information after Accounting On.
CSCsc77154 | Proxy authentications fail when no DHCP is present at installation.
CSCsc84543 | CSMon doesn't restart services when CSTacacs hangs.
CSCsc90467 | After Install from Recovery CD, no CLI access.
CSCsd18172 | After installing the Appliance, the default Windows IP remains in the AAA server.
CSCsd25239 | ACS does not detect a change to its IP address.
CSCsd40204 | Document that dynamic ACL is not applicable for DDR/aggregation.
CSCsd52663 | Cross-forest user/machine authentication does not work.
CSCsd88833 | Manual setup of IP configuration failed; CLI is not foolproof enough.
CSCse69819 | Custom UDV, Replication don't replicate. Failure to create on secondary.
CSCsf15057 | Can't ping the ACS appliance if the CSA agent is turned on.
CSCsf17112 | SSL Handshake error message too general.
CSCsg40727 | ACS 4.0: RDBMS fails account action 220 250 with Synchronization Partners.
CSCsi39730 | ACS Solution Engine 4.1 Rec CD Install Wrong Device Name and IP address.
CSCsi53074 | ACS Account permissions sometimes need Log on as a batch job.
CSCsi77061 | The called-station-id attr is not included in passed/failed reports.
CSCsj01813 | BIOS settings on the ACS SE for action on power up.
CSCsj08738 | Optional Posture Validation in ACS not functional.
CSCsj09748 | csmon logs filled with Message: Could not generate valid Password.
CSCsj32256 | Permit/Denied for others TACACS+ default NAS is inverse in NARs.
CSCsj36562 | Replication fails under condition of stress between WAN geographies.
CSCsj58199 | CSAuth crashes: Exception trapped on UDB_SEND_RESPONSE.
CSCsj61652 | ACS does not update the version number in registry after upgrade.
CSCsj70952 | ASA 8.0: ACS 3076/11 attribute needs new enumeration for SVC protocol.
CSCsj71204 | Need to post ACS 4.1.x and 4.0.x patches for ASA 8.0 attributes deltas.
CSCsj86746 | Unable to add attributes for logging.
CSCsj87434 | ACS does not bind ACS group and Domain after config replication.
CSCsk02317 | Misleading error messages in Auth.log after replication.
CSCsk12033 | Replication might take a long time to finish due to EventNotifier deadlock.
CSCsk15339 | To allow no AD processing when PACLESS is enabled.
CSCsk15412 | Action codes 224 and 225 for Update and Read AAA client.
CSCsk20823 | CSTacacs memory leak.
CSCsk23467 | Remote agent installation guide doesn't contain updated info.
CSCsk44072 | MS-PEAP authentication failure not shown in ACS logs.
CSCsk44292 | After ACS SE and switch reboot, all authentications are failing.
CSCsk50267 | CSAuth crashes when EAP-FAST user and initiator IDs are different.
CSCsk53707 | Exception trapped and CSAuth restarts with NAR configured.
CSCsk62604 | CAA fails to prompt for password change in ACS 4.1.3 code.
CSCsk64715 | Group mapping (NAP) replication fails with a timed replication.
CSCsk67139 | ACS SE patch certificate expired, throwing warning message.
CSCsk71372 | Make 4.1.4 replication updates configurable.
CSCsk76343 | 'others' NAS is processed inversely by NAR when in an NDG.
CSCsk76533 | ACS will not be restarted by CSMon when catching an exception.
CSCsk88667 | Provide option for both implicit AND and implicit OR for OID comparison.
CSCsl09917 | CSAuth restarts when machine auth user name is without domain info.
CSCsl11777 | dbserv9 start up parameters and command line should be hidden.
CSCsl41548 | ACS using EAP-FAST authentication (inner EAP type GTC) reprompts 3 times.
CSCsl49180 | Cisco Secure ACS User-Changeable Password Buffer Overflows.
CSCsl49205 | Cisco Secure ACS User-Changeable Password XSS Vulnerability.
CSCsl51500 | Failed to get GC Server for trust when DC and GC are different machines.
CSCsl62845 | ACS Remote Agent logging date format is not as specified on Appliance.
CSCsm23558 | Problem while logging TACACS+ command accounting.
CSCsm52554 | Doc: EAP-TLS machine authentication not allowed for SAN and CN outer identity.
CSCsm55253 | Others TACACS+ adopt permit/denied from defined NAR.
CSCsm71037 | CSAgent doesn't start after bootup.
Table 3 contains the resolved caveats for ACS Windows and Solution Engine 4.1.3. Check the Bug Toolkit on Cisco.com for any resolved bugs that might not appear here.
Table 3 Resolved Caveats in ACS Windows and Solution Engine 4.1.3
Bug ID | Description
CSCeb43948 | Could not generate valid Password with password length => 9.
CSCed45731 | ACS logs should indicate level of logging.
CSCee65661 |
CSCeh42116 |
CSCeg52536 | Failed PEAP authentication not shown in ACS logs.
CSCeh42116 | EAP-TLS Machine Authentication fails when AD PDC emulator is down.
CSCsd12551 | IP pools disappear occasionally from Group Setup/Edit Settings.
CSCsd20149 | After initial config from Recovery CD, no GUI access.
CSCsd63894 | ACS does not respond with the same IP address for RADIUS.
CSCsd95346 | VSA definition for Total Control HiperARC card accounting attributes.
CSCsd98589 | Authentications fail when NIC reconnected after reboot.
CSCse49827 | ACS Remote Agent fails users with too many groups.
CSCsf28775 | Expired accounts are incorrectly reported.
CSCsf98129 | Client host name in ACS cannot be deleted.
CSCsg24465 | Update OS to support Daylight Saving Time for the 2007 energy bill.
CSCsg32883 | Feature: Authentications from ACS not hardcoded to workstation CISCO.
CSCsg37381 | ACS authentication stops intermittently with Unknown error code: -1018.
CSCsg62459 | Unable to delete CA Cert from CA list.
CSCsg87232 | Enhancement: Add Cisco-AvPair to VoIP accounting records.
CSCsg89656 | CSAuth does not shut down cleanly in some ACS 4.0 installs.
CSCsg96534 | ACS support for Windows 2003 R2 needs clarification.
CSCsg97429 | TACACS+ Command Accounting does not work in ACS 4.1(1) Build 23.
CSCsh05964 | ACS 4.1: Separate enable password fails when Unix password type used.
CSCsh18742 | ACS should silently discard packet when external ODBC DB not available.
CSCsh24710 | Shell Command Authorization Set: only part of the commands are effective.
CSCsh32888 | Separate enable password does not work after ACS upgrade to 4.1.
CSCsh39305 | Administrative access policy does not take effect after replication.
CSCsh42893 | ACS GUI hangs and times out when service is restarted during stress.
CSCsh43814 | No users at IP x.x.x.x.
CSCsh62641 | MAC authentication causes internal errors.
CSCsh65197 | CSAuth crashes when username has a comma.
CSCsh69160 | EAP FFAST1: ACS does not provide the supplicant with reason of rejection.
CSCsh74140 | Loss of ext. database breaks NAD AAA redundancy concept.
CSCsh77651 | Anti Virus is locking DB file.
CSCsh77806 | EAP-TLS will fail authentication if name contains forward slash /.
CSCsh84447 | Limited administrator sees first page empty if trying to list all users.
CSCsh87466 | Authentication failure on first login after remote agent restart.
CSCsh89335 | ACS EAP-FAST Replication fails generating server not responding error.
CSCsh90602 | MAB no longer functional after installing cumulative patch 4.1.1.23.3.
CSCsh91209 | ACS 4.X will fail to upgrade if DASL is greater than 32K.
CSCsh91761 | ACS: XSS vulnerability via search facility in online help.
CSCsh99260 | Feature: need to support Solaris 9 & 10 for ACS remote logging agent.
CS |