
Cisco Secure Access Control Server Solution Engine

Release Notes for Cisco Secure ACS Solution Engine 3.3.3

Table Of Contents

Release Notes for Cisco Secure ACS Solution Engine 3.3.3

New Features

Supplemental License Agreement for Cisco Systems Network Management Software Running on the Cisco 11XX Hardware Platform

Product Documentation

Related Documentation

Installation Notes

Upgrading to Cisco Secure ACS

Upgrading to Cisco Secure ACS 3.3.3 from 3.3

Upgrading to Cisco Secure ACS 3.3.3 with SNMP Support

Upgrading to Cisco Secure ACS 3.3.3 without SNMP Support

Upgrading to Cisco Secure ACS 3.3.3 from 3.2

Upgrading to Cisco Secure ACS 3.3.3 with SNMP Support

Upgrading to Cisco Secure ACS 3.3.3 without SNMP Support

Recovering Cisco Secure ACS 3.3

Security Patch Process

Security Advisory

Limitations and Restrictions

Important Known Problems with Network Admission Control

Supported Migration Versions

Supported Web Browsers

Supported Operating Systems for Remote Agent

Windows Support for Remote Agent

Solaris Support for Remote Agent

Supported Platforms for CiscoSecure Authentication Agent

Other Supported Devices and Software

Documentation Updates

Configuring SNMP Support

Using the CRL Issuer Page

Installation Guide Chassis Figures Updated

LDAP Multi-Threading

Unknown NAS Authentication Failure

Known Problems

Cisco AAA Client Problems

Known Microsoft Problems

Known Problems in Cisco Secure ACS 3.3

Resolved Problems

Obtaining Documentation

Cisco.com

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco Technical Support Website

Definitions of Service Request Severity

Submitting a Service Request

Obtaining Additional Publications and Information


Release Notes for Cisco Secure ACS Solution Engine 3.3.3


October 2005
Full Build Number: 3.3.3.11

These release notes pertain to Cisco Secure Access Control Server Solution Engine (Cisco Secure ACS) version 3.3.3.


Note The release numbering system used by Cisco Secure ACS software includes major release, minor release, maintenance build, and interim build number in the MMM.mmm.###.BBB format. For this release, the versioning information is Cisco Secure ACS 3.3.3.11, Appliance Management Software 3.3.3.5, and Appliance Base Image (1111 - 3.3.1.4 and 1112 - 3.3.1.8). Elsewhere in this document where 3.3.3 is used, it refers to 3.3.3.11. Cisco Secure ACS major release numbering starts at 3.3.1, not 3.3.0. Use this information when working with your customer service representative.


These release notes provide:

New Features, which covers the features added from 3.3.1 through 3.3.3

Supplemental License Agreement for Cisco Systems Network Management Software Running on the Cisco 11XX Hardware Platform

Product Documentation

Related Documentation

Installation Notes

Upgrading to Cisco Secure ACS 3.3.3 from 3.2

Recovering Cisco Secure ACS 3.3

Security Patch Process

Limitations and Restrictions

Important Known Problems with Network Admission Control

Supported Migration Versions

Supported Web Browsers

Supported Operating Systems for Remote Agent

Supported Platforms for CiscoSecure Authentication Agent

Other Supported Devices and Software

Documentation Updates

Known Problems

Resolved Problems

Obtaining Documentation

Documentation Feedback

Obtaining Technical Assistance

Obtaining Additional Publications and Information

New Features

Cisco Secure ACS 3.3 contains the following new features and enhancements:

SNMP Support—Cisco Secure ACS provides Simple Network Management Protocol (SNMP) support for the appliance only. The SNMP agent provides read-only SNMP v1 and SNMP v2c support. The supported MIBs include:

Structure and Identification of Management Information for TCP/IP-based Internets (RFC 1155)

SNMP (RFC 1157)

Management Information Base for Network Management of TCP/IP-based internets: MIB-II (RFC 1213)

MIB-II and LAN Manager MIB-II for Windows

Host Resources MIB (RFC 1514/2790)

The SNMP agent is configurable on the appliance configuration page. Because SNMP v1 and v2c authenticate requests with nothing more than a community string sent in cleartext, use a non-default community string, keep the agent read-only, and restrict network access to the agent to your management stations.

Network admission control (NAC)—Cisco Secure ACS acts as a policy decision point in NAC deployments. Using policies that you configure, it evaluates the credentials sent to it by the Cisco Trust Agent, determines the state of the host, and sends the AAA client the ACLs that are appropriate to the host state. By evaluating the host credentials, many specific policies can be enforced, such as operating system patch level and antivirus DAT file version. Cisco Secure ACS records the results of policy evaluation for use with your monitoring system. Policies can be evaluated locally by Cisco Secure ACS or by an external policy server to which Cisco Secure ACS forwards credentials. For example, credentials that are specific to an antivirus vendor can be forwarded to that vendor's antivirus policy server.

Cisco Security Agent (CSA) integration—Cisco Secure ACS Solution Engine ships with a preinstalled, standalone CSA. This integration in the base appliance image helps to protect Cisco Secure ACS Solution Engine from day-zero attacks. The behavior-based technology in CSA protects Cisco Secure ACS Solution Engine against the constantly changing threats that viruses and worms pose.

EAP Flexible Authentication via Secured Tunnel (EAP-FAST) support—Cisco Secure ACS supports the EAP-FAST protocol, a new publicly accessible IEEE 802.1X EAP type developed by Cisco Systems that protects authentication in a TLS tunnel but, unlike PEAP, does not require the use of certificates. Cisco developed EAP-FAST to support customers who cannot enforce a strong password policy and wish to deploy an 802.1X EAP type that:

does not require digital certificates

supports a variety of user and password database types

supports password expiration and change

is flexible, easy to deploy, and easy to manage

For example, a customer who uses Cisco LEAP can migrate to EAP-FAST for protection from dictionary attacks. Cisco Secure ACS supports EAP-FAST supplicants that are available on Cisco-compatible client devices and Cisco Aironet 802.11a/b/g PCI and CardBus WLAN client adapters.

Machine Access Restrictions (MARs)—Cisco Secure ACS includes MARs as an enhancement of Windows machine authentication. When Windows machine authentication is enabled, you can use MARs to control authorization of EAP-TLS and Microsoft PEAP users who authenticate with a Windows external user database. Users who access the network with a computer that has not passed machine authentication within a configurable length of time are given the authorizations of a user group that you specify and that you can configure to limit authorization as needed. Alternatively, you can deny network access altogether.

Network Access Filters (NAFs)—Cisco Secure ACS includes NAFs as a new type of Shared Profile Component. NAFs provide a flexible way of applying network-access restrictions and downloadable ACLs by AAA client name, network device group, or AAA client IP address. NAFs defined by IP address can use IP address ranges and wildcards. This feature introduces granular application of network-access restrictions and downloadable ACLs, both of which previously could only apply the same restrictions or ACLs to all devices. NAFs allow much more flexible network-device restriction policies to be defined, a requirement common in large environments.

Downloadable ACL enhancements—Cisco Secure ACS version 3.3 extends per-user ACL support to any layer-three network device that supports this feature. This support includes Cisco PIX firewalls, Cisco VPN solutions, and Cisco IOS routers. You can define sets of ACLs that can be applied per user or per group. This feature complements NAC support by enabling the enforcement of the correct ACL policy. When used in conjunction with NAFs, downloadable ACLs can be applied differently per AAA client, enabling you to tailor ACLs uniquely per user and per access device.

Configurable replication timeout—An enhancement to CiscoSecure Database Replication which allows you to specify how long a replication event is permitted to continue before Cisco Secure ACS ends the replication attempt and restarts the affected services. This feature improves your ability to configure replication when network connections between replication partners are slow.
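The SNMP support described above accepts only SNMP v1 and v2c, whose sole authentication is the community string. The following Python is an added example, not part of Cisco's release notes or of the appliance software: it builds an SNMPv2c GetRequest for sysDescr.0 (MIB-II, RFC 1213) with a hand-written BER encoder and then decodes the datagram the way a passive observer on the path would, recovering the community string in cleartext. The community string "public", the request ID and the OIDs are constructed values for this example.

```python
# Added example (not Cisco code): encode an SNMPv2c GetRequest for sysDescr.0
# and decode it as an on-path observer would. Community "public", request ID 1
# and the OIDs below are constructed values for this demonstration.

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response", 0xA3: "SetRequest"}


def ber_length(n: int) -> bytes:
    """BER length field: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(payload)) + payload


def encode_int(value: int) -> bytes:
    """ASN.1 INTEGER for non-negative values, minimal length, leading 0x00 if the high bit is set."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return tlv(0x02, body)


def encode_oid(oid: str) -> bytes:
    """ASN.1 OBJECT IDENTIFIER: first two arcs packed as 40*a+b, then base-128 arcs."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def snmp_v2c_get(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv2c message: SEQUENCE { version INTEGER(1), community OCTET STRING, GetRequest-PDU }."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))  # OID with NULL value
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, varbind))
    return tlv(0x30, encode_int(1) + tlv(0x04, community.encode("ascii")) + pdu)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def sniff_snmp(packet: bytes) -> dict:
    """Everything a passive observer learns from one SNMP v1/v2c datagram, community string included."""
    _, msg, _ = read_tlv(packet, 0)
    _, version, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, req_id, pos = read_tlv(pdu, 0)
    _, _, pos = read_tlv(pdu, pos)  # error-status
    _, _, pos = read_tlv(pdu, pos)  # error-index
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)
        _, oid_body, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid_body))
    return {
        "version": "v2c" if int.from_bytes(version, "big") == 1 else "v1",
        "community": community.decode("ascii", "replace"),
        "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
        "request_id": int.from_bytes(req_id, "big"),
        "oids": oids,
    }


if __name__ == "__main__":
    pkt = snmp_v2c_get("public", "1.3.6.1.2.1.1.1.0")
    print(pkt.hex())
    print(sniff_snmp(pkt))
```

Feeding the encoded datagram to sniff_snmp returns the community string verbatim, which is why the community string on the appliance must be treated as a shared secret and the agent reachable only from trusted management stations.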
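To make the Network Access Filters and downloadable ACL enhancements concrete, here is an added Python example (not Cisco code) that models a NAF matching a AAA client by name, network device group, or IP pattern, and a downloadable ACL whose contents are keyed by NAF so that the same user receives a different ACL depending on the access device. The IP pattern syntax (a "*" wildcard for an octet and an "a-b" range within an octet), first-match evaluation in list order, and the trailing default entry for all AAA clients are assumptions made for this example, as are the sample clients, NAFs and ACL lines.

```python
# Added example (not Cisco code): NAF matching and NAF-keyed downloadable ACL
# selection. Pattern syntax, first-match ordering and the "all AAA clients"
# default entry are assumptions; all clients, NAFs and ACL text are constructed.
from dataclasses import dataclass
from typing import Optional


def octet_matches(pattern: str, value: int) -> bool:
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = (int(x) for x in pattern.split("-", 1))
        return lo <= value <= hi
    return int(pattern) == value


def ip_matches(pattern: str, ip: str) -> bool:
    """Match a dotted-quad address against a pattern such as 10.20.*.* or 10.21.1.1-100."""
    pats, octs = pattern.split("."), ip.split(".")
    if len(pats) != 4 or len(octs) != 4:
        raise ValueError(f"bad IPv4 pattern or address: {pattern!r} / {ip!r}")
    values = [int(o) for o in octs]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError(f"bad IPv4 address: {ip!r}")
    return all(octet_matches(p, v) for p, v in zip(pats, values))


@dataclass(frozen=True)
class AAAClient:
    name: str
    ip: str
    ndg: str  # network device group


@dataclass
class NetworkAccessFilter:
    name: str
    client_names: frozenset = frozenset()
    ndgs: frozenset = frozenset()
    ip_patterns: tuple = ()

    def matches(self, client: AAAClient) -> bool:
        return (client.name in self.client_names
                or client.ndg in self.ndgs
                or any(ip_matches(p, client.ip) for p in self.ip_patterns))


@dataclass
class DownloadableACL:
    """Ordered (NAF name, ACL text) pairs; a NAF name of None means all AAA clients."""
    name: str
    contents: list

    def select(self, nafs: dict, client: AAAClient) -> Optional[str]:
        """First entry whose NAF matches the AAA client wins."""
        for naf_name, acl in self.contents:
            if naf_name is None or nafs[naf_name].matches(client):
                return acl
        return None


# Constructed sample policy: two NAFs and one dACL with per-NAF contents.
NAFS = {
    "Datacenter-PIX": NetworkAccessFilter("Datacenter-PIX", client_names=frozenset({"pix-dc1"})),
    "Branch-Routers": NetworkAccessFilter("Branch-Routers", ndgs=frozenset({"Branch"}),
                                          ip_patterns=("10.20.*.*", "10.21.1.1-100")),
}

CONTRACTOR_ACL = DownloadableACL("Contractor", [
    ("Datacenter-PIX", "permit tcp any host 10.1.1.5 eq 443\ndeny ip any any"),
    ("Branch-Routers", "permit ip any 10.20.0.0 0.0.255.255\ndeny ip any any"),
    (None, "deny ip any any"),
])


def acl_for(client: AAAClient) -> Optional[str]:
    """ACL the Contractor group's user would be sent when authenticating through this AAA client."""
    return CONTRACTOR_ACL.select(NAFS, client)


if __name__ == "__main__":
    for c in (AAAClient("pix-dc1", "10.1.1.1", "Datacenter"),
              AAAClient("rtr-branch7", "10.20.7.1", "Branch"),
              AAAClient("vpn-hq", "172.16.0.9", "HQ")):
        print(c.name, "->", acl_for(c).splitlines()[0])
```

The point the example makes is the one the two feature descriptions make: the user or group carries one downloadable ACL object, but the ACL text actually pushed to the device is chosen by which NAF the AAA client falls into, so ACL lines can be written in terms each device can enforce.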

Supplemental License Agreement for Cisco Systems Network Management Software Running on the Cisco 11XX Hardware Platform

IMPORTANT - READ CAREFULLY: This Supplemental License Agreement (SLA) contains additional limitations on the license to the Software provided to Customer under the Software License Agreement between Customer and Cisco. Capitalized terms used in this SLA and not otherwise defined herein shall have the meanings assigned to them in the Software License Agreement. To the extent that there is a conflict among any of these terms and conditions applicable to the Software, the terms and conditions in this SLA shall take precedence.

By installing, downloading, accessing or otherwise using the Software, Customer agrees to be bound by the terms of this SLA. If Customer does not agree to the terms of this SLA, Customer may not install, download or otherwise use the Software.

1. ADDITIONAL LICENSE RESTRICTIONS.

Installation and Use. The Cisco Secure Access Control Server Software component of the Cisco 11XX Hardware Platform is preinstalled. CDs containing tools to restore this Software to the 11XX hardware are provided to Customer for reinstallation purposes only. Customer may only run the supported Cisco Secure Access Control Server Software on the Cisco 11XX Hardware Platform designed for its use. No unsupported Software product or component may be installed on the Cisco 11XX Hardware Platform.

Software Upgrades, Major and Minor Releases. Cisco may provide Cisco Secure Access Control Server Software updates and new version releases for the 11XX Hardware Platform. If the Software update and new version releases can be purchased through Cisco or a recognized partner or reseller, the Customer should purchase one Software update for each Cisco 11XX Hardware Platform. If the Customer is eligible to receive the Software update or new version release through a Cisco extended service program, the Customer should request to receive only one Software update or new version release per valid service contract.

Reproduction and Distribution. Customer may not reproduce or distribute the Software.

2. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS.

Please refer to the Cisco Systems, Inc., Software License Agreement.

Product Documentation


Note Cisco sometimes updates the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.


Table 1 describes the product documentation that is available.

Table 1 Product Documentation 

Document Title
Available Formats

Release Notes for Cisco Secure ACS Solution Engine

On Cisco.com.

Installation and Setup Guide for Cisco Secure ACS Solution Engine

PDF on the product CD-ROM.

On Cisco.com.

Printed document available by order (part number DOC-7816532).1

User Guide for Cisco Secure ACS Solution Engine

PDF on the product CD-ROM.

On Cisco.com.

Printed document available by order (part number DOC-7816534=).1

Installation and User Guide for Cisco Secure ACS User-Changeable Passwords

PDF on the product CD-ROM.

On Cisco.com.

Regulatory Compliance and Safety Information for Cisco Secure ACS Solution Engine

Printed document that was included with the product.

PDF on the product CD-ROM.

On Cisco.com.

Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Solution Engine

On Cisco.com.

Recommended Resources for the Cisco Secure ACS User

On Cisco.com.

Online Documentation

In the Cisco Secure ACS HTML interface, click Online Documentation.

1 See Obtaining Documentation.


Related Documentation


Note Cisco sometimes updates the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.


Table 2 describes a set of white papers about Cisco Secure ACS for Windows Server; however, much of the information contained in these papers is applicable to Cisco Secure ACS Solution Engine. All white papers are available on Cisco.com. To view them, go to the following URL:

http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/index.shtml

Table 2 Related Documentation 

Document Title
Description and Available Formats

Building a Scalable TACACS+ Device Management Framework

This document discusses the key benefits of and how to deploy Cisco Secure ACS Shell Authorization Command sets, which provide the facilities for constructing a scalable network device-management system by using familiar and efficient TCP/IP protocols and utilities that Cisco devices support.

Catalyst Switching and ACS Deployment Guide

This document presents planning, design, and implementation practices for deploying Cisco Secure ACS for Windows Server in support of Cisco Catalyst Switch networks. It discusses network topology regarding AAA, user database choices, password protocol choices, access requirements, and the capabilities of Cisco Secure ACS.

Deploying Cisco Secure ACS for Windows in a Cisco Aironet Environment

This paper discusses guidelines for wireless network design and deployment with Cisco Secure ACS.

EAP-TLS Deployment Guide for Wireless LAN Networks

This document discusses the Extensible Authentication Protocol Transport Layer Security (EAP-TLS) authentication protocol deployment in wireless networks. It introduces the EAP-TLS architecture and then discusses deployment issues.

Guidelines for Placing ACS in the Network

This document discusses planning, design, and implementation practices for deploying Cisco Secure ACS for Windows Server in an enterprise network. It discusses network topology, user database choices, access requirements, integration of external databases, and capabilities of Cisco Secure ACS.

Initializing MC Authorization on ACS 3.1

This application note explains how to initialize Management Center authorization on Cisco Secure ACS.


Installation Notes

For information about installing Cisco Secure ACS, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.3.

Upgrading to Cisco Secure ACS

Table 3 describes the upgrade procedures for the Cisco Secure ACS software based on the device that you are using, the upgrade path, and whether you want to install the SNMP support feature. Table 4 describes various installation use cases that may assist you in deciding the appropriate procedure to follow.


Caution Backup and restore are supported and tested only between the same version. For example, backing up on 3.3.3 and restoring on 3.3.3 is supported; backing up on 3.3.2 and restoring on 3.3.3 is not.

Table 3 Cisco Secure ACS Upgrade Paths

Cisco Device | From Version | Upgrade Procedure
Cisco 1111 | 3.3.x | Upgrading to Cisco Secure ACS 3.3.3 from 3.3
Cisco 1112 | 3.3.x | Upgrading to Cisco Secure ACS 3.3.3 from 3.3
Cisco 1111 | 3.2.x | Upgrading to Cisco Secure ACS 3.3.3 from 3.2



Tip If you failed to install Cisco Secure ACS on a previous upgrade to 3.3.1, you should do so now. Refer to the installation processes that are documented in the user guide and the installation guide.


Table 4 Installation Use Cases

From Version: 3.3.x or 3.2.x
Upgrade Procedure: Use the upgrade packages Upgrade Package Appliance Management Software ACS 3.3.3.X and Upgrade Package ACS Software 3.3.3.X for Appliance, and back up your data. Then use the Recovery CD1 to upgrade the appliance and restore the data. For 3.3.x, see Upgrading to Cisco Secure ACS 3.3.3 with SNMP Support. For 3.2.x, see Upgrading to Cisco Secure ACS 3.3.3 with SNMP Support.
Results: SNMP supported; Cisco Security Agent (CSA) installed; data restored.

From Version: 3.3.x or 3.2.x
Upgrade Procedure: Use the Recovery CD1 from Cisco Secure ACS 3.3.3 to upgrade the appliance. For 3.3.x, see Upgrading to Cisco Secure ACS 3.3.3 with SNMP Support. For 3.2.x, see Upgrading to Cisco Secure ACS 3.3.3 with SNMP Support.
Results: SNMP supported; Cisco Security Agent (CSA) installed; blank database.

From Version: 3.3.x or 3.2.x2
Upgrade Procedure: Use the Upgrade Package Appliance Management Software ACS 3.3.3.X and Upgrade Package ACS Software 3.3.3.X for Appliance. For 3.3.x, see Upgrading to Cisco Secure ACS 3.3.3 without SNMP Support. For 3.2.x, see Upgrading to Cisco Secure ACS 3.3.3 without SNMP Support.
Results: No SNMP; no Cisco Security Agent (CSA); data restored.

1 Ensure that you are using the proper recovery files for your specific hardware (Cisco 1111 or 1112).

2 If required, you can install the CSA patch available on Cisco.com.


Upgrading to Cisco Secure ACS 3.3.3 from 3.3

The two options to choose from when upgrading are:

Upgrading to Cisco Secure ACS 3.3.3 with SNMP Support

Upgrading to Cisco Secure ACS 3.3.3 without SNMP Support

Upgrading to Cisco Secure ACS 3.3.3 with SNMP Support

To upgrade to 3.3.3 with the SNMP support feature, you will need to upgrade your software to 3.3.3 by using the upgrade packages, back up your configuration, reinstall ACS 3.3.3, and then restore your data.

This procedure upgrades the Cisco Secure ACS software to version 3.3.3 on a Cisco 1111 or a Cisco 1112 device.

To reinstall a Cisco 1111 or 1112 device from Cisco Secure ACS Solution Engine 3.3.1 or 3.3.2, follow these steps:


Step 1 If the Cisco Secure ACS Solution Engine is running Cisco Security Agent, you must disable the CSAgent service before upgrading. You can do so at the console or in the HTML interface:

Using the console, enter show. If the CSAgent service is running, enter stop csagent.

Using the HTML interface, select System Configuration > Appliance Configuration and verify that the CSA Enabled check box is not selected. If it is selected, clear the CSA Enabled check box and click Submit.

Step 2 Apply the Upgrade Package Appliance Management Software, which is available on the Cisco Secure ACS 3.3 upgrade CD.

Step 3 Apply the Upgrade Package ACS Software 3.3.3.11 for Appliance, which is available on the Cisco Secure ACS 3.3 upgrade CD.

For details on using the HTML interface to upgrade, see the User Guide for Cisco Secure ACS Solution Engine 3.3. For details on using the command line to upgrade, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.3.

Step 4 To save and restore your existing data, you must perform the following steps. If you do not want to save your data, go to Step 4b.

a. Back up Cisco Secure ACS data and configuration. To do so, use one of the two following features:

ACS Backup, which is available in the System Configuration section of the HTML interface. For more information, see the User Guide for Cisco Secure ACS Solution Engine 3.3.

The backup command, which is available on the serial console. For more information, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.3.

b. Use the Recovery CD from Cisco Secure ACS 3.3 to upgrade the appliance to 3.3.3. The upgrade destroys all data and installs a new image. Ensure that you have the correct version for your hardware.

For more information about reimaging the hard drive, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.3.

c. Perform an initial configuration of the Cisco Secure ACS Appliance. For more information, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.3.

d. Restore the appliance data and configuration. To do so, use one of the two following features. If you did not back up your data, go to Step 5.

ACS Restore, which is available in the System Configuration section of the HTML interface. For more information, see the User Guide for Cisco Secure ACS Solution Engine 3.3.

The restore command, which is available on the serial console. For more information, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.3.

You can apply upgrades by using the HTML interface or the console. For assistance with applying the upgrade by using the HTML interface, see the User Guide for Cisco Secure ACS Solution Engine 3.3. For assistance with applying the upgrade by using the console, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.3.

Step 5 Verify that Cisco Security Agent is enabled. You can do so at the console or in the HTML interface:

Using the console, enter show. If the CSAgent service is not running, enter start csagent.

Using the HTML interface, select System Configuration > Appliance Configuration and verify that the CSA Enabled check box is selected. If not, select it and click Submit.

Step 6 To see the results of this upgrade procedure, view the Appliance Upgrade page. To do so, log in to the HTML interface and select System Configuration > Appliance Upgrade Status.

When you complete this procedure, the Application Versions table on the Appliance Upgrade page appears as follows:

Application Versions
Cisco Secure ACS: 3.3.3.11
Appliance Management Software: 3.3.3.5
Appliance Base Image: Cisco 1111 - 3.3.1.4; Cisco 1112 - 3.3.1.8



Upgrading to Cisco Secure ACS 3.3.3 without SNMP Support

If you do not want SNMP support, you will need to upgrade your Appliance Management Software and Cisco Secure ACS upgrade packages on top of the existing image as specified in the procedure below.

This procedure upgrades the Cisco Secure ACS software to version 3.3.3 on either a Cisco 1111 device or a Cisco 1112 device.

To upgrade Cisco Secure ACS Solution Engine from 3.3.1 or 3.3.2 without SNMP support, follow these steps:


Step 1 If Cisco Secure ACS Solution Engine is running Cisco Security Agent, you must disable the CSAgent service before upgrading. You can do so at the console or in the HTML interface:

Using the console, enter show. If the CSAgent service is running, enter stop csagent.

Using the HTML interface, select System Configuration > Appliance Configuration and verify that the CSA Enabled check box is not selected. If it is selected, clear the CSA Enabled check box and click Submit.

Step 2 Apply the Upgrade Package Appliance Management Software ACS 3.3.3.5, which is available on the Cisco Secure ACS 3.3 upgrade CD.

Step 3 Apply the Upgrade Package ACS Software 3.3.3.11 for Appliance, which is available on the Cisco Secure ACS 3.3 upgrade CD.

For details on using the HTML interface to upgrade, see the User Guide for Cisco Secure ACS Solution Engine 3.3. For details on using the command line to upgrade, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.3.

Step 4 To save and restore your existing data, you must perform the following steps. If you do not want to save your data, go to Step 5.

a. Back up Cisco Secure ACS data and configuration. To do so, use one of the two following features:

ACS Backup, which is available in the System Configuration section of the HTML interface. For more information, see the User Guide for Cisco Secure ACS Solution Engine 3.3.

The backup command, which is available on the serial console. For more information, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.3.

b. Restore the appliance data and configuration. To do so, use one of the two following features. If you did not back up your data, go to Step 5.

ACS Restore, which is available in the System Configuration section of the HTML interface. For more information, see the User Guide for Cisco Secure ACS Solution Engine 3.3.

The restore command, which is available on the serial console. For more information, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.3.

You can apply upgrades by using the HTML interface or the console. For assistance with applying the upgrade using the HTML interface, see the User Guide for Cisco Secure ACS Solution Engine 3.3. For assistance with applying the upgrade using the console, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.3.

Step 5 Verify that Cisco Security Agent is enabled. You can do so at the console or in the HTML interface:

Using the console, enter show. If the CSAgent service is not running, enter start csagent.

Using the HTML interface, select System Configuration > Appliance Configuration and verify that the CSA Enabled check box is selected. If not, select it and click Submit.

Step 6 To see the results of this upgrade procedure, view the Appliance Upgrade page. To do so, log in to the HTML interface and select System Configuration > Appliance Upgrade Status.

When you complete this procedure, the Application Versions table on the Appliance Upgrade page appears as follows:

Application Versions
Cisco Secure ACS: 3.3.3.11
Appliance Management Software: 3.3.3.5
Appliance Base Image: Cisco 1111 - 3.3.1.4; Cisco 1112 - 3.3.1.8



Upgrading to Cisco Secure ACS 3.3.3 from 3.2

This procedure upgrades the Cisco Secure ACS software on a Cisco 1111 device to Cisco Secure ACS Solution Engine 3.3.3 from any of the following versions:

Cisco Secure ACS Solution Engine 3.2.3

Cisco Secure ACS Solution Engine 3.2.2

Cisco Secure ACS Solution Engine 3.2.1


Note Cisco 1112 devices do not support versions of Cisco Secure ACS before version 3.3; therefore, this section does not apply to Cisco 1112 devices.


Please read this procedure carefully before proceeding. Upgrading from Cisco Secure ACS 3.2.x requires additional steps that must be taken to preserve Cisco Secure ACS data and configuration.

The two options to choose from when upgrading from 3.2 are:

Upgrading to Cisco Secure ACS 3.3.3 with SNMP Support

Upgrading to Cisco Secure ACS 3.3.3 without SNMP Support

Upgrading to Cisco Secure ACS 3.3.3 with SNMP Support

To upgrade to 3.3.3 with the SNMP support feature, you will need to upgrade your software to 3.3.3 by using the upgrade packages, back up your configuration, and reinstall ACS 3.3.3. To keep the database, you must back it up before reimaging and restore it afterward.

To upgrade a Cisco 1111 device from Cisco Secure ACS Solution Engine 3.2.3, 3.2.2, or 3.2.1, follow these steps:


Step 1 If the Cisco 1111 is running Cisco Security Agent, you must disable the CSAgent service before upgrading. You can do so at the console or in the HTML interface:

Using the console, enter show. If the CSAgent service is running, enter stop csagent.

Using the HTML interface, select System Configuration > Appliance Configuration and verify that the CSA Enabled check box is not selected. If it is selected, clear the CSA Enabled check box and click Submit.

Step 2 Determine what versions of the following software the Cisco 1111 is running:

Cisco Secure ACS

Appliance Management Software

Patches

To do so, log in to the HTML interface, select System Configuration > Appliance Upgrade Status, and view the version information that appears.

Step 3 Apply the Upgrade Package Appliance Management Software, which is available on the Cisco Secure ACS 3.3 upgrade CD.

Step 4 Apply the Upgrade Package ACS Software 3.3.3.11 for Appliance, which is available on the Cisco Secure ACS 3.3 upgrade CD.

For details on using the HTML interface to upgrade, see the User Guide for Cisco Secure ACS Solution Engine 3.3. For details on using the command line to upgrade, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.3.

Step 5 If the Cisco 1111 that you are upgrading is running Cisco Secure ACS 3.2.1, 3.2.2, or 3.2.3 and you want to keep your database, you must perform the following steps. If you do not want to keep the database, perform the backup but skip the restore step (Step 5d).

a. Back up Cisco Secure ACS data and configuration. To do so, use one of the following features:

ACS Backup, which is available in the System Configuration section of the HTML interface. For more information, see the User Guide for Cisco Secure ACS Solution Engine 3.3.

The backup command, which is available on the serial console. For more information, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.3.

b. Use the Recovery CD from Cisco Secure ACS 3.3.3 to upgrade the appliance to 3.3.3. This upgrade will destroy all data and install a new image.

For more information about reimaging the hard drive, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.3.

For assistance with applying the upgrade, use the upgrade procedure in the User Guide for Cisco Secure ACS Solution Engine.

c. Perform the initial configuration of the Cisco Secure ACS Appliance. For more information, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.3.

d. Restore the appliance data and configuration. To do so, use one of the following features:

ACS Restore, which is available in the System Configuration section of the HTML interface. For more information, see the User Guide for Cisco Secure ACS Solution Engine 3.3.

The restore command, which is available on the serial console. For more information, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.3.

Step 6 If either of the following conditions is true:

In Step 5 you reimaged the Cisco 1111 with Cisco Secure ACS 3.2.3.

The Cisco 1111 is running Appliance Management Software version 3.2.3.11

you must apply the "Upgrade Package Appliance Management Software ACS 3.2.3.12", available on the Cisco Secure ACS 3.3 upgrade CD. You can apply upgrades by using the HTML interface or the console. For assistance with applying the upgrade by using the HTML interface, see the User Guide for Cisco Secure ACS Solution Engine 3.3. For assistance with applying the upgrade by using the console, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.3.

Step 7 If either of the following conditions is true:

In Step 5 you reimaged the Cisco 1111 with Cisco Secure ACS version 3.2.3

The Cisco 1111 does not have the patch named "Microsoft Security Bulletin MS04-011 and MS04-012" applied

you must apply the "MS Security hotfix MS04-011 for ACS Appliance 3.2.3" patch, available on the Cisco Secure ACS 3.3 upgrade CD.

Step 8 Verify that Cisco Security Agent is enabled. You can do so at the console or in the HTML interface:

Using the console, enter show. If the CSAgent service is not running, enter start csagent.

Using the HTML interface, select System Configuration > Appliance Configuration and verify that the CSA Enabled check box is selected. If not, select it and click Submit.

Step 9 To see the results of this upgrade procedure, view the Appliance Upgrade page. To do so, log in to the HTML interface and select System Configuration > Appliance Upgrade Status.

When you complete this procedure, the Application Versions table on the Appliance Upgrade page appears as follows:

Application Versions
Cisco Secure ACS: 3.3.3.11
Appliance Management Software: 3.3.3.5
Appliance Base Image: Cisco 1111 - 3.3.1.4


Upgrading to Cisco Secure ACS 3.3.3 without SNMP Support

If you do not want SNMP support, you will need to use the management and ACS upgrade packages as specified in the procedure below.

To upgrade a Cisco 1111 device from Cisco Secure ACS Solution Engine 3.2.3, 3.2.2, or 3.2.1, follow these steps:


Step 1 If the Cisco 1111 is running Cisco Security Agent, you must disable the CSAgent service before upgrading. You can do so at the console or in the HTML interface:

Using the console, enter show. If the CSAgent service is running, enter stop csagent.

Using the HTML interface, select System Configuration > Appliance Configuration and verify that the CSA Enabled check box is not selected. If it is selected, clear the CSA Enabled check box and click Submit.

Step 2 Determine what versions of the following software the Cisco 1111 is running:

Cisco Secure ACS

Appliance Management Software

To do so, log in to the HTML interface, select System Configuration > Appliance Upgrade Status, and view the version information that appears.

Step 3 Apply the Upgrade Package Appliance Management Software ACS 3.3.3.5, which is available on the Cisco Secure ACS version 3.3 upgrade CD.

Step 4 Apply the Upgrade Package ACS Software 3.3.3.11 for Appliance, which is available on the Cisco Secure ACS 3.3.3 upgrade CD.

For assistance with applying the upgrade, use the upgrade procedure in the User Guide for Cisco Secure ACS Solution Engine.

Step 5 To save and restore your existing data, you must perform the following steps. If you do not want to save your data, skip to Step 6.

a. Back up Cisco Secure ACS data and configuration. To do so, use one of the following features:

ACS Backup, which is available in the System Configuration section of the HTML interface. For more information, see the User Guide for Cisco Secure ACS Solution Engine 3.3.

The backup command, which is available on the serial console. For more information, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.3.

b. To restore the appliance data and configuration after the upgrade, use one of the following features. If you do not want to save your data, skip to Step 6.

ACS Restore, which is available in the System Configuration section of the HTML interface. For more information, see the User Guide for Cisco Secure ACS Solution Engine 3.3.

restore command, which is available on the serial console. For more information, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.3.

You can apply upgrades by using the HTML interface or the console. For assistance with applying the upgrade using the HTML interface, see the User Guide for Cisco Secure ACS Solution Engine 3.3. For assistance with applying the upgrade using the console, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.3.

Step 6 If you do not want to save your data, perform the following steps:

a. Use the Recovery CD from Cisco Secure ACS 3.3 to upgrade the appliance to 3.3.3. This upgrade will destroy all data and install a new image.

For more information about reimaging the hard drive, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.2.

b. Perform the initial configuration of the Cisco Secure ACS Appliance. For more information, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.3.

Step 7 If either of the following conditions is true:

In Step 6 you reimaged the Cisco 1111 with Cisco Secure ACS 3.2.3.

The Cisco 1111 is running Appliance Management Software version 3.2.3.11

you must apply the "Upgrade Package Appliance Management Software ACS 3.2.3.12", available on the Cisco Secure ACS 3.3 upgrade CD. You can apply upgrades by using the HTML interface or the console. For assistance with applying the upgrade by using the HTML interface, see the User Guide for Cisco Secure ACS Solution Engine 3.3. For assistance with applying the upgrade by using the console, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.3.

Step 8 If either of the following conditions is true:

In Step 6 you reimaged the Cisco 1111 with Cisco Secure ACS version 3.2.3

The Cisco 1111 does not have the patch named "Microsoft Security Bulletin MS04-011 and MS04-012" applied

you must apply the "MS Security hotfix MS04-011 for ACS Appliance 3.2.3" patch, available on the Cisco Secure ACS 3.3 upgrade CD.

Step 9 Verify that Cisco Security Agent is enabled. You can do so at the console or in the HTML interface:

Using the console, enter show. If the CSAgent service is not running, enter start csagent.

Using the HTML interface, select System Configuration > Appliance Configuration and verify that the CSA Enabled check box is selected. If not, select it and click Submit.

Step 10 To see the results of this upgrade procedure, view the Appliance Upgrade page. To do so, log in to the HTML interface and select System Configuration > Appliance Upgrade Status.

When you complete this procedure, the Application Versions table on the Appliance Upgrade page will appear as follows:

Application Versions

Cisco Secure ACS: 3.3.3.11

Appliance Management Software: 3.3.3.5

Appliance Base Image: Cisco 1111 - 3.3.1.3



Recovering Cisco Secure ACS 3.3

You can recover Cisco Secure ACS 3.3 on a Cisco 1111 or Cisco 1112 device. The recovery process for Cisco Secure ACS Solution Engine 3.3 is documented in the Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.3.


Caution Be sure you use the correct recovery CD for your Cisco Secure ACS Solution Engine device. Do not use the recovery CD for Cisco 1111 devices on a Cisco 1112 device; likewise, do not use the recovery CD for Cisco 1112 devices on a Cisco 1111 device.

Security Patch Process

Cisco Systems officially supports and encourages the installation of all Microsoft security patches for Windows 2000 Server and Windows Server 2003 as used for Cisco Secure ACS for Windows.

Past experience has shown that these patches do not cause any problems with the operation of Cisco Secure ACS for Windows. If the installation of one of these security patches does cause a problem with Cisco Secure ACS, please contact Cisco TAC and Cisco will resolve the problem as quickly as possible.

For information about our process for evaluating and releasing Microsoft security patches for Cisco Secure ACS Solution Engine, see the Cisco Secure ACS Solution Engine Q & A document, which is available in the Product Literature area for Cisco Secure ACS Solution Engine on Cisco.com.

For information on tested security patches, see Tested Windows Security Patches.

Security Advisory

Cisco issues a security advisory when security issues directly impact its products and require action to repair. For the list of security advisories for Cisco Secure ACS on Cisco.com, including the Cisco Security Advisory: Multiple Vulnerabilities in Cisco Secure Access Control Server, see

http://www.cisco.com/en/US/products/products_security_advisories_listing.html

Limitations and Restrictions

The following limitations and restrictions apply to Cisco Secure ACS 3.3.

Important Known Problems with Network Admission Control

The following known problems are related to Network Admission Control. Cisco recommends that you review them.

CSCee88908 CSLog crash if a logged attribute is deleted due to replication

CSCee87826 A deleted policy is being reassign when created with the same name

CSCee87899 Replication of NAC policies should be updated in the doc

Supported Migration Versions

Cisco supports migrating to Cisco Secure ACS Solution Engine version 3.3.3 from many versions of Cisco Secure ACS for Windows Server; however, migration requires upgrading Cisco Secure ACS for Windows Server to version 3.3.3.

For detailed steps for performing a migration from Cisco Secure ACS for Windows Server to Cisco Secure ACS Solution Engine, see one of the following documents:

Installation Guide for Cisco Secure ACS for Windows Server 3.3

Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.3

Supported Web Browsers

To administer all features included in the HTML interface of Cisco Secure ACS 3.3, use an English-language version of one of the following tested and supported web browsers:

Microsoft Internet Explorer for Microsoft Windows

Version 6.0

Service Pack 1

Sun Java Plug-in 1.4.2_04 or Microsoft Java Virtual Machine (JVM)


Note Microsoft does not include its JVM in Windows Server 2003. Instead, use the Sun Java Plug-in listed above. For more information about Microsoft plans regarding its JVM, see http://www.microsoft.com/mscorp/java/


Netscape Communicator for Microsoft Windows

Version 7.1

Sun Java Plug-in 1.4.2_04

Netscape Communicator for Solaris 2.8

Version 7.0

Mozilla 5.0

Sun Java Plug-in 1.4.0_01


Note Several known problems are related to using Netscape Communicator with Cisco Secure ACS. For more information, see Table 5.

Cisco does not recommend using a slow network connection for remote access to the Cisco Secure ACS HTML interface. Some features that use Java applets, such as the HTML pages for configuring Network Access Restrictions and Network Admission Control, do not operate optimally over a slow connection.


Cisco does not support other versions of the browsers listed above or other Java virtual machines with these browsers, nor does Cisco test web browsers from other manufacturers.


Note To use a web browser to access the Cisco Secure ACS HTML interface, configure your web browser as follows:

Use an English-language version of a supported browser.

Enable Java (see the supported browser list above for JVM details).

Enable JavaScript.

Disable HTTP proxy.


Supported Operating Systems for Remote Agent

Cisco Secure ACS 3.3 supports Cisco Secure ACS Remote Agent on Microsoft Windows 2000 and Solaris operating systems, as specified in the following two sections.

Windows Support for Remote Agent

Solaris Support for Remote Agent

Windows Support for Remote Agent

The computer that runs Cisco Secure ACS Remote Agent for Windows must use an English-language version of one of the following operating systems:

Windows 2000 Server, with Service Pack 4 installed

Windows 2000 Advanced Server, with the following conditions:

with Service Pack 4 installed

without features specific to Windows 2000 Advanced Server enabled

Windows Server 2003, Enterprise Edition with Service Pack 1 installed

Windows Server 2003, Standard Edition with Service Pack 1 installed


Note The following restrictions apply to support for Microsoft Windows operating systems:

Cisco Secure ACS Remote Agent for Windows is not designed to use the multiprocessor feature of any supported operating system; however, we did test the remote agent on dual-processor computers.

Cisco cannot support Microsoft clustering service on any supported operating system.

Windows 2000 Datacenter Server is not a supported operating system.


Tested Windows Security Patches

Cisco Secure ACS Remote Agent for Windows has been tested with the Windows Server 2003 patches documented in the following Microsoft Knowledge Base Articles:

819696

823182

823559

824105

824141

824146

825119

828028

828035

828741

832894

835732

837001

837009

839643

840374

Cisco Secure ACS Remote Agent for Windows has been tested with the Windows 2000 Server patches documented in the following Microsoft Knowledge Base Articles:

329115

823182

823559

823980

824105

824141

824146

825119

826232

828035

828741

828749

835732

837001

839643

Solaris Support for Remote Agent

The computer that runs Cisco Secure ACS Remote Agent for Solaris must use Solaris 2.8 or 2.9.

You cannot back up, restore, replicate information, or use remote logging between different versions of Cisco Secure ACS. For example:

You cannot restore from dump files produced by using the backup process on a different version number of Cisco Secure ACS.

You must not perform replication between different version numbers of Cisco Secure ACS.

You must not use remote logging between different version numbers of Cisco Secure ACS.

You must not use remote logging on Cisco Secure ACS for Windows Server software between different version numbers of Cisco Secure ACS.

The following operations are supported and have been tested between Cisco Secure ACS components that have identical version and build numbers:

Replication

Backup/restore processes

Remote logging software to remote ACS

Remote logging of Windows authentication to the Cisco Secure ACS Solution Engine.

Other combinations of authentication and remote logging agents may work together; however, they have not been tested and are not supported.
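The version-matching rule above, together with the expected Application Versions table shown at the end of each upgrade procedure, lends itself to a small pre-flight check. The following script is an added example and is not Cisco's code: it parses the MMM.mmm.###.BBB version strings described in these release notes, refuses replication, backup/restore or remote logging unless both ends report an identical version and build number, and compares the components reported on the Appliance Upgrade Status page against the values the release notes list for a Cisco 1111. The component labels, the function names and all sample version strings are constructed for the example.

```python
"""Pre-flight checks for cross-version operations between Cisco Secure ACS nodes.

Added example, not Cisco's code. Version strings follow the MMM.mmm.###.BBB
format described in the release notes (major.minor.maintenance.build).
All sample values below are constructed for illustration.
"""
from dataclasses import dataclass
import re

# Accept an optional platform prefix such as "Cisco 1111 - 3.3.1.3" and
# capture the four numeric fields at the end of the string.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


@dataclass(frozen=True, order=True)
class AcsVersion:
    major: int
    minor: int
    maintenance: int
    build: int

    @classmethod
    def parse(cls, text: str) -> "AcsVersion":
        """Parse a version string; raise ValueError if it lacks all four fields."""
        match = _VERSION_RE.search(text)
        if match is None:
            raise ValueError(f"not a MMM.mmm.###.BBB version string: {text!r}")
        return cls(*(int(field) for field in match.groups()))

    def release(self) -> tuple:
        """The version without the interim build number (e.g. 3.3.3)."""
        return (self.major, self.minor, self.maintenance)

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}.{self.maintenance}.{self.build}"


# Operations the release notes support only between identical version/build numbers.
CROSS_NODE_OPERATIONS = ("replication", "backup/restore", "remote logging")


def check_cross_node_operation(operation: str, local: str, peer: str):
    """Return (ok, reason). ok is True only when every field, including the
    interim build number, matches on both nodes."""
    if operation not in CROSS_NODE_OPERATIONS:
        raise ValueError(f"unknown operation {operation!r}")
    local_v, peer_v = AcsVersion.parse(local), AcsVersion.parse(peer)
    if local_v == peer_v:
        return True, f"{operation}: both nodes run {local_v}"
    # Same release but a different build is still unsupported: the notes
    # require identical version *and* build numbers.
    field = "build" if local_v.release() == peer_v.release() else "version"
    return False, f"{operation}: {field} mismatch ({local_v} vs {peer_v}); unsupported"


# Application Versions the release notes expect after upgrading a Cisco 1111.
# The dict keys are the component labels used on the Appliance Upgrade page
# (assumed here to be usable as lookup keys).
EXPECTED_AFTER_UPGRADE = {
    "Cisco Secure ACS": "3.3.3.11",
    "Appliance Management Software": "3.3.3.5",
    "Appliance Base Image": "Cisco 1111 - 3.3.1.3",
}


def verify_upgrade_status(reported: dict) -> list:
    """Compare component -> version strings read from the Appliance Upgrade
    Status page against the expected table. Returns a list of discrepancies;
    an empty list means the upgrade produced the expected versions."""
    problems = []
    for component, expected in EXPECTED_AFTER_UPGRADE.items():
        got = reported.get(component)
        if got is None:
            problems.append(f"{component}: missing from status page")
            continue
        if AcsVersion.parse(got) != AcsVersion.parse(expected):
            problems.append(f"{component}: expected {expected}, found {got}")
    return problems


if __name__ == "__main__":
    # Constructed sample values: one matching pair, one build mismatch.
    print(check_cross_node_operation("replication", "3.3.3.11", "3.3.3.11"))
    print(check_cross_node_operation("backup/restore", "3.3.3.11", "3.3.3.5"))
    print(verify_upgrade_status({
        "Cisco Secure ACS": "3.3.3.11",
        "Appliance Management Software": "3.3.3.5",
        "Appliance Base Image": "Cisco 1111 - 3.3.1.3",
    }))
```

The check deliberately treats a build-number difference within the same release (for example 3.3.3.11 against 3.3.3.5) as a failure rather than a warning, because the release notes require identical version and build numbers for all three operations.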

Supported Platforms for CiscoSecure Authentication Agent

For use with Cisco Secure ACS 3.3, Cisco tested CiscoSecure Authentication Agent on Windows XP with Service Pack 1. Cisco supports the use of CiscoSecure Authentication Agent with Cisco Secure ACS 3.3 when CiscoSecure Authentication Agent runs on one of the following client platform operating systems:

Windows XP

Windows 2000 Professional

Windows 98

Other Supported Devices and Software

For information about supported Cisco devices, external user databases, and other software, see the Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Solution Engine Version 3.3. To see this document, go to the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp

Documentation Updates

This section describes new or changed documentation for this release.

Configuring SNMP Support

To configure the SNMP Agent, select System Configuration > Appliance Configuration from the navigation bar. For more details, see the online help.

Using the CRL Issuer Page

The CRL Issuers Page has been revised. You can no longer add a CRL by using this page. A CRL is automatically added to the CRL Issuers page after you select a CA in the Certificate Trust List. The CRL Issuers list contains an entry for every trusted CA in the Certificate Trust List.

Installation Guide Chassis Figures Updated

The front and back panel figures in the Installation and Setup Guide for Cisco Secure ACS Solution Engine 3.3 have been updated.

LDAP Multi-Threading

Cisco Secure ACS 3.3.3 now processes multiple LDAP authentication requests in parallel as opposed to the sequential processing mechanism in versions earlier than 3.2.

Unknown NAS Authentication Failure

Documentation on unknown NAS authentication failure can be found in the Troubleshooting section of the User Guide for Cisco Secure ACS Solution Engine.

Known Problems

This section contains information about the following topics:

Cisco AAA Client Problems

Known Microsoft Problems

Known Problems in Cisco Secure ACS 3.3

Cisco AAA Client Problems

Refer to the appropriate release notes for information about Cisco AAA client problems that might affect the operation of Cisco Secure ACS. You can access these release notes online at the following URLs.

Cisco Aironet Access Point

http://www.cisco.com/univercd/cc/td/doc/product/wireless/

Cisco BBSM

http://www.cisco.com/univercd/cc/td/doc/product/aggr/bbsm/

Cisco Catalyst Switches

http://www.cisco.com/univercd/cc/td/doc/product/lan/

Cisco IOS

http://www.cisco.com/univercd/cc/td/doc/product/software/

Cisco Secure PIX Firewall

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/

Cisco VPN 3000 Concentrator

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3002/

Cisco VPN 5000 Concentrator

http://www.cisco.com/univercd/cc/td/doc/product/aggr/vpn5000/

Known Microsoft Problems

Due to a defect in the Microsoft PEAP supplicant provided in Windows XP Service Pack 2, the PEAP supplicant cannot reauthenticate successfully with Cisco Secure ACS. Microsoft case SRX040922603052 has been opened on this issue. Customers affected by this problem should open a case with Microsoft and reference this case ID. Microsoft has prepared hotfix KB885453, which resolves the issue. You can download the hotfix at http://www.microsoft.com. A workaround is to disable Fast Reconnect.

Known Problems in Cisco Secure ACS 3.3

Table 5 describes problems known to exist in version 3.3.


Note A "—" in the Explanation column indicates that no information was available at the time of publication. You should check the Cisco Software Bug Toolkit for current information. To access the Cisco Software Bug Toolkit, go to http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl. (You will be prompted to log in to Cisco.com.)

Bug summaries and explanations in Table 5 are printed word-for-word as they appear in our bug-tracking system.


Table 5 Known Problems in Cisco Secure ACS Solution Engine 3.3

Bug ID: CSCdv86708

Summary: HTTP Port Allocation is not replicated

Explanation: Changes to HTTP Port Allocation settings do not appear to replicate. After the HTTP Port Allocation settings are changed on the Access Policy Setup page in the Administration Control section on the primary Cisco Secure ACS server and replication succeeds, the secondary Cisco Secure ACS server does not display the changes to the HTTP Port Allocation settings in the HTML interface.

Workaround/Solution: The changes to the HTTP Port Allocation settings do replicate successfully; however, to see the changes on the secondary Cisco Secure ACS, restart the CSAdmin service.
