Cisco Secure Access Control Server for Windows

Release Notes for Cisco Secure ACS 4.1

Table Of Contents

Release Notes for Cisco Secure ACS 4.1

Contents

ACS New Features

Product Documentation

Security Advisory

Known Problems in ACS for Windows and the Solution Engine 4.1

Cisco AAA Client Problems

Known Microsoft Problems

Upgrade from the Trial version of ACS 4.1 to the ACS 4.1 First Customer Ship (FCS) version fails

Replication with Different Send and Receive Configurations

Problem with Accounting Records in the TACACS+ Administration Log

Known CLI Administrator Problem

Verifying the ACS Solution Engine CD Recovery Process

Known Caveats in ACS for Windows and the Solution Engine 4.1

Resolved Caveats in ACS for Windows and the Solution Engine 4.1

Known Caveats with ACS Solution Engine 4.1

Resolved Caveats in the ACS Solution Engine 4.1

ACS for Windows 4.1

System Requirements

Software Compatibility

Upgrading to a New Software Release

Installation Notes

Upgrade Paths

Supported Upgrades for ACS for Windows

Supported Migration Path for ACS for Windows

Unsupported Migration Path to ACS 4.1

Post-Upgrade Configuration

Upgrading From Version 3.3

Limitations and Restrictions

Interoperability Testing

ACS Solution Engine 4.1

New and Changed Information for the ACS Solution Engine 4.1

New Hotfixes in ACS SE 4.1

ACS Remote Agent for Windows

Installation Notes for the Solution Engine 4.1

Installing from ACS SE 1111 (HP) Recovery CD

Software Compatibility

Supported Upgrades for ACS SE

Supported Migrations for ACS SE

Tested Windows Security Patches for ACS Remote Agent and ACS for Windows

Documentation Updates

Changes

Obtaining Documentation

Cisco.com

Product Documentation DVD

Ordering Documentation

Documentation Feedback

Cisco Product Security Overview

Reporting Security Problems in Cisco Products

Product Alerts and Field Notices

Obtaining Technical Assistance

Cisco Technical Support & Documentation Website

Submitting a Service Request

Definitions of Service Request Severity

Obtaining Additional Publications and Information


Release Notes for Cisco Secure ACS 4.1


March 2007
Full Build Number: 4.1.1.23

These release notes pertain to Cisco Secure Access Control Server version 4.1, hereafter referred to as ACS. They contain information for both the Windows and the Solution Engine platforms; where necessary, the applicable platform is clearly identified.


Note The ACS release numbering system for software includes major release, minor release, maintenance build, and interim build number in the MMM.mmm.###.BBB format. For this release, the versioning information is Cisco Secure ACS 4.1.1.23. Elsewhere in this document where 4.1 is used, we are referring to 4.1.1. ACS major release numbering starts at 4.1.1, not 4.1.0. Use this information when working with your customer service representative.


Contents

These release notes provide information about:

ACS New Features

Product Documentation

Known Problems in ACS for Windows and the Solution Engine 4.1

Known Caveats in ACS for Windows and the Solution Engine 4.1

Resolved Caveats in ACS for Windows and the Solution Engine 4.1

Known Caveats with ACS Solution Engine 4.1

Resolved Caveats in the ACS Solution Engine 4.1

ACS for Windows 4.1

Limitations and Restrictions

ACS Solution Engine 4.1

New and Changed Information for the ACS Solution Engine 4.1

Installation Notes for the Solution Engine 4.1

Documentation Updates

Obtaining Documentation

Documentation Feedback

Cisco Product Security Overview

Product Alerts and Field Notices

Obtaining Additional Publications and Information

ACS New Features

ACS contains the following new and changed features:

Improved Compliance Support—This release contains new ACS administrator permissions to improve password management and audit reports for regulatory compliance; for example, Sarbanes-Oxley (SOX). ACS includes the following capabilities for:

Authentication:

Forcing periodic change of administrator's password.

Applying password structure policy.

Forcing administrator's password change for inactive account.

Preventing the reuse of old password (password history).

Disabling administrator accounts for inactivity.

Disabling administrator accounts after failed logins.

Allowing ACS administrators to change their own passwords.

Audit and Reporting:

Logging all administrative actions via system logging (syslog), in addition to existing logging targets.

Controlling administrators' access to log file configuration to prevent specific audit logging from being disabled.

Adding new reports for administrator privileges.

Authorization: Providing a read-only privilege for users and groups.

External database support for MAC Authentication Bypass—The ability to maintain MAC address lists in an external LDAP server and map MAC addresses to user groups.

Improved diagnostics and error messages—Improved diagnostic information about certificate mismatches with HCAP and GAME servers. The raw dump of GAME and HCAP messages is in a readable format and the authentication failure codes are now more intuitive.

PEAP/EAP-TLS Support—ACS now implements the server side of PEAP with EAP-TLS as the phase-two inner method. Certificate-based authentication therefore takes place inside the PEAP TLS tunnel, so the identity information and the client certificate that EAP-TLS would otherwise send in the clear are encrypted.

Logging and Reporting Extensions—New internal mechanisms for logging now create consistent log levels and improved performance. ACS now supports syslog and the capability to log ACS messages to remote servers that support the syslog standard.

Multiple concurrent logging destinations—You can send log data to multiple destinations simultaneously.

Enhanced remote agent support for logging—Reports that were previously available only locally, including files from previous versions, can now be exposed externally; for example, audit reports can be sent to a remote agent on an appliance.

RADIUS AES Key Wrap Functionality—This feature supports a secure, certified mode of operation, notably in a Federal Information Processing Standard (FIPS)-compliant wireless solution. RADIUS Key Wrap support with EAP-TLS authentication in ACS is another step toward satisfying the set of security requirements in practical, deployable, and interoperable secure solutions from Cisco Systems. AES Key Wrap replaces the MD5-based hiding that standard RADIUS applies to keying material such as the MS-MPPE keys.

Cisco NAC Support—ACS 4.1 acts as a policy decision point in NAC deployments. By using configurable policies, it evaluates and validates the credentials that it receives from the Cisco Trust Agent (posture), determines the state of the host, and sends a per-user authorization to the network access device: ACLs, a policy-based access control list, or a private VLAN assignment. Evaluation of the host credentials can enforce many specific policies, such as OS patch level and antivirus DAT file version. ACS records the policy evaluation result for use with monitoring systems. Before granting network access, ACS 4.1 also allows third-party audit vendors to audit hosts that lack the appropriate agent technology. ACS policies can be extended with external policy servers to which ACS forwards posture credentials; for example, credentials specific to an antivirus vendor can be forwarded to that vendor's antivirus policy server, and audit policy requests can be forwarded to third-party audit products.

GAME Group Feedback—This feature provides the ability to authorize a host based on checking the device-type categorization returned from authentication as a user-group against an audit server.

Expanded agentless support—This feature adds support for auditing agentless hosts connected to a Layer 2 Network Access Device (NAD). The agentless host is admitted to a quarantined network where it can receive an IP address and only then instantiate the audit. When instantiated, the audit will continue as with a regular Layer 3 host.

Extended replication components—Improved and enhanced replication components are now available. Administrators can now replicate:

Posture validation settings.

Additional logging attributes.

Audit support for MAC Authentication Bypass—Audit processing has been enhanced to include MAC Authentication Bypass (MAB). MAB enables double-checking an audit request against both a MAC authentication policy and an audit policy, and combines the evaluation of the two.

Audit Verification of MAC Exceptions — You can apply MAC exceptions to Network Admission Control (NAC) audit requests. Dual verification of endpoints is then possible. You can check whether the user group (which signifies the device type) that the agentless request processing returns matches the device type that the audit server returns, and you can define a policy for handling mismatches.

Japanese Microsoft Windows Support—Support for the Japanese version of Microsoft Windows 2003, at the service pack level, is now available. The ACS web interface can run on browsers running the Japanese version of the Windows operating system, and the ACS for Windows software can run on a server running the Japanese version of Windows.


Note We do not support distributed ACS deployments in a Network Address Translation (NAT) environment.


Product Documentation

The following product documentation is available for ACS 4.1:

Table 1 Product Documentation  

Document Title
Description

Documentation Guide for Cisco Secure ACS 4.1

Printed document with the product.

PDF on the product CD-ROM.

On Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/ps5338/prod_release_notes_list.html

Orderable; see Obtaining Documentation.

Release Notes for Cisco Secure ACS 4.1

New features, documentation updates, and resolved problems. Available on Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_notes_list.html

Product online help

Help topics for all pages in the ACS web interface. Select an option from the ACS menu; the help appears in the right pane.

User Guide for Cisco Secure ACS 4.1

ACS functionality and procedures for using the ACS features. Available in the following formats:

By clicking Online Documentation in the ACS navigation menu. The user guide PDF is available on this page by clicking View PDF.

PDF on the ACS Recovery CD-ROM.

On Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_list.html

Supported and Interoperable Devices and Software Tables for Cisco Secure ACS 4.1

Supported devices and firmware versions for all ACS features. Available on Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_device_support_tables_list.html

Installation and User Guide for User Changeable Passwords 4.1

Installation and user guide for the user-changeable password add-on. Available on Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_installation_guides_list.html

Configuration Guide for Cisco Secure ACS 4.1

Step-by-step instructions on how to configure and deploy ACS.

Available on Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_installation_and_configuration_guides_list.html

Installation Guide for Cisco Secure ACS 4.1 Windows

Details on installation and upgrade of ACS software and post-installation tasks. Available in the following formats:

PDF on the ACS Recovery CD-ROM.

On Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_installation_guides_list.html

Installation Guide for Cisco Secure ACS Solution Engine 4.1

Details on ACS SE 1112 and ACS SE 1113 hardware and hardware installation, and initial software configuration.

PDF on the ACS Recovery CD-ROM.

Available on Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps5338/prod_installation_guides_list.html

Regulatory Compliance and Safety Information for Cisco Secure ACS Solution Engine 4.1

Translated safety warnings and compliance information.

Printed document with the product.

PDF on the ACS Recovery CD-ROM.

On Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/ps5338/prod_installation_guides_list.html

Orderable; see Obtaining Documentation.

Installation and Configuration Guide for Cisco Secure ACS Remote Agents

Installation and configuration guide for ACS remote agents for remote logging.

PDF on the ACS Recovery CD-ROM.

Available on Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_installation_and_configuration_guides_list.html



Note Some of the preceding documents are in PDF format. You need the Adobe Acrobat Reader to open these files.


Security Advisory

Cisco issues a security advisory when security issues directly affect its products and require action to repair. The security advisories for Cisco Secure ACS, including Cisco Security Advisory: Multiple Vulnerabilities in Cisco Secure Access Control Server, are listed on Cisco.com at:

http://www.cisco.com/en/US/products/products_security_advisories_listing.html

Known Problems in ACS for Windows and the Solution Engine 4.1

The problems in this release are:

Cisco AAA Client Problems

Known Microsoft Problems

Upgrade from the Trial version of ACS 4.1 to the ACS 4.1 First Customer Ship (FCS) version fails

Replication with Different Send and Receive Configurations

Problem with Accounting Records in the TACACS+ Administration Log

Known CLI Administrator Problem

Verifying the ACS Solution Engine CD Recovery Process

Cisco AAA Client Problems

Refer to the appropriate release notes for information about Cisco AAA client problems that might affect the operation of ACS. You can access these release notes online at Cisco.com. For NAC-specific client problems, go to http://www.cisco.com/go/NAC.

Known Microsoft Problems

Due to a defect in the Microsoft PEAP supplicant provided in the Windows XP Service Pack 2, the PEAP supplicant cannot reauthenticate successfully with ACS. Cisco has opened case SRX040922603052 with Microsoft on this issue. Customers who are affected by this problem should open a case with Microsoft and reference the Cisco case ID. Microsoft has prepared hotfix KB885453, which resolves the issue. The hotfix is available on the Microsoft website.


Note ACS for Windows only. When ACS runs on a domain controller and you need to authenticate users with a Windows user database, you must take additional configuration steps; see the Installation Guide for Cisco Secure ACS 4.1 Windows for post-installation steps regarding Windows NT LAN Manager (NTLM). A Microsoft hotfix may be required, depending on your configuration.


Upgrade from the Trial version of ACS 4.1 to the ACS 4.1 First Customer Ship (FCS) version fails

The upgrade from the trial version of ACS 4.1 to the ACS 4.1 FCS version fails after the evaluation period has expired. To prevent this:

1. Perform a system backup on the expired ACS trial version.

2. Retain the system backup dump file. The backup functionality in CSAuth remains operational.

3. Uninstall the trial version.

4. Install the unrestricted FCS version.

5. Restore the system backup dump file on the installed FCS version.


Note The upgrade problem applies only to the software evaluation version of ACS 4.1.


Replication with Different Send and Receive Configurations

The user guide states that the primary ACS compares the list of database components that it is configured to send with the list of database components that the secondary ACS is configured to receive. If the secondary ACS is not configured to receive any of the components that the primary ACS is configured to send, the database replication fails.

This information is not correct (bug CSCsg93907).

The primary ACS first synchronizes with the secondary ACS, and sends only the components that the secondary ACS is configured to receive. The primary ACS does not send components that the secondary ACS is not configured to receive, even if you configure the primary ACS to send those components. Thus, database replication does not fail when different send and receive configurations exist on the primary and secondary ACS.

Problem with Accounting Records in the TACACS+ Administration Log

After upgrading to ACS 4.1, TACACS+ command accounting no longer works: no accounting records appear in the TACACS+ Administration log (bug CSCsg97429).

Command accounting is configured on the network access server (NAS), but no records appear in the TACACS+ Administration log after commands are entered on the NAS. Debugs on the NAS show the records being sent, and they do arrive at the ACS server, but the log file is not updated.

The following patch resolves this issue.

Click this link if you are using ACS for Windows: http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-win-3des?psrtdcat20e2 and download:

ACS-4.1.1.23-CSTacacs-SW-CSCsg97429.zip

ACS-4.1.1.23-CSTacacs-SW-CSCsg97429-Readme.txt

Click this link if you are using ACS Solution Engine: http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-soleng-3des?psrtdcat20e2 and download:

applAcs_4.1.1.23_ACS-4.1-CSTacacs-CSCsg97429.zip

Known CLI Administrator Problem

If you do not set up a GUI account for the CLI administrator by using the add-guiadmin command, then the CLI administrator will be unable to access the SE by using a web browser over the serial connection.

To add a GUI account that the CLI administrator can use, use the add-guiadmin command.

add-guiadmin [admin] [password]

Verifying the ACS Solution Engine CD Recovery Process

After you remove the recovery CD from the drive and press Enter, the system reboots and displays system version information. The ACS Solution Engine recovery process is complete, and the Solution Engine is operational, when the following information appears on your console:

Cisco Secure ACS: 4.1.1.16
Appliance Management Software: 4.1.1.16
Appliance Base Image: 4.1.1.4
CSA build 4.0.1.543.2:  (Patch: 4_0_1_543)
Status: Appliance is functioning properly

Note If only the login prompt appears, you must reboot the Solution Engine.


For detailed information on the Solution Engine CD recovery process, see the Installation Guide for Cisco Secure ACS Solution Engine 4.1.

Known Caveats in ACS for Windows and the Solution Engine 4.1

Table 2 contains known caveats in ACS for Windows and the Solution Engine 4.1.

Table 2 Known Caveats in ACS Windows and the Solution Engine 4.1 

Bug ID
Summary
Explanation

CSCsc49673

UPGRADE:Add Filter aaa:service=ip_admission to Upgrade-Profile NAP.

Symptom    After upgrading from an ACS 3.3 installation that included a NAC database, a profile is created with the authorization method PEAP - posture only. This profile has no filter, which causes all incoming authentications except PEAP posture requests to fail.

Workaround   Add a filter of Cisco-av-pair aaa:service=ip_admission to the Upgrade-Profile. Requests without posture are then authenticated against the global settings configuration (check the Grant access using global configuration, when no profile matches option in the created profile).

CSCsc43577

CSAdmin stalls and has a memory leak.

Symptom    CSAdmin consumes a large amount of memory (351 MB) when updating EAP-FAST inner method GTC to MSCHAPv2 by using the Network Access Profile page.

Workaround   Restart the CSAdmin service.

CSCsc41638

ACS does not check whether the Certificate Authority (CA) certificate that issued a user's certificate is still in the certificate trust list (CTL).

Symptom    A user who presents a certificate in EAP-TLS or EAP-FAST/EAP-TLS may be authenticated even though the ACS machine no longer trusts the certificate issuer.

Workaround   Uncheck the CA certificate in the ACS web interface before removing the CA certificate from the machine certificate store.

CSCsc32154

Upgrading from ACS 3.3 removed APT, SPT, and Reason from Logged Attributes.

If one or more of the APT, SPT, and Reason attributes were selected to be logged in the Failed or Passed reports in ACS 3.3, they will not appear in the Logged Attributes column after upgrading to ACS 4.1.

CSCsb95897

ACS cannot correctly display a list containing several pages of disabled accounts.

Symptom    The ACS web interface has problems displaying disabled-account lists that span several pages. Next works as expected, but Previous is available only once.

Workaround   None.

CSCeh79954

EAP-TLS time-of-day restriction in Active Directory (AD) does not fail user; authentication succeeds.

Symptom    EAP-TLS authentication of users in Windows Active Directory will still pass when a user's time-of-day setting (located in AD) is outside the hours they are allowed. ACS does not generate an error.

Conditions   EAP-TLS authentication of users in Active Directory running in Windows 2000 or 2003 environment.

Workaround   None.

CSCeh68821

LDAP authentication passes after modifying the subtree node because of Distinguished Name (DN) caching.

Symptom    If you change the User Directory Subtree in the Common LDAP Configuration, users who already authenticated by using this Generic LDAP instance (External User Database) are not affected and continue to pass authentication, even if they are no longer under the new User Directory Subtree. ACS does not perform a new search for these users because their Distinguished Name is cached.

Workaround   If you want to enforce a new search on the User Directory Subtree, delete the users from the ACS internal database.

CSCeh60564

An Active Directory locked-out user passed EAP-TLS authentication; should be rejected.

Symptom    EAP-TLS authentication still passes for users in Active Directory even if their account is locked out. ACS does not generate an error message.

Conditions   EAP-TLS authentication of users in Active Directory running in Windows 2000 environment.

Workaround   None. Windows 2003 has introduced some new attributes that should help resolve this issue in the future.

CSCeh52700

An Active Directory expired-user passed EAP-TLS authentication; should be rejected.

Symptom    EAP-TLS authentication still passes for users in Active Directory even if their account has expired. ACS does not generate an error message.

Workaround   If you want to use Active Directory to authenticate users with EAP-TLS when ACS runs on a member server, additional configuration is required. For more information, including steps for the additional configuration, see the Installation Guide for Cisco Secure ACS 4.1 Windows, Release 4.1 or the Installation Guide for Cisco Secure ACS Solution Engine 4.1.

CSCeh00074

GUI LDAP group mapping submission failure.

Symptom    When adding LDAP groups to be mapped to ACS groups, the Submit operation sometimes fails and an Empty list error message appears.

Conditions   This failure might occur when working on the ACS web interface from a remote machine (for example, with Terminal Services) or from other group mapping pages.

Workaround   Move to another window from the Group Mapping page, before you click Submit, or click on another frame in the ACS web interface.

CSCeg50237

Overinstall causes the added AVP Attributes to disappear.

Symptom    Adding AVP attributes and then performing an overinstall causes those attributes to disappear from the Log Attribute field.

Workaround   None.

CSCef96208

ACS reports incorrect privilege level.

Symptom    ACS may report users with the incorrect authorized privilege level. In particular, when using TACACS+, users who are correctly authenticated with a privilege level of 15 are reported with a level of 1.

Workaround   The error is cosmetic; there is no workaround.

CSCef85310

Group discretionary access control list (DACL) is downloaded if user's DACL content is empty.

Symptom    It is possible to define a downloadable ACL with empty content. When a user whose DACL is empty belongs to a group that has a non-empty DACL, the group's DACL is downloaded to the device instead of the user's. (When the user's DACL is not empty, it is downloaded to the device, as expected.)

Workaround   Do not define an empty downloadable ACL.

CSCef55730

ACS authorization passes even for a disabled user.

Symptom    The default administrative user account defined within the CiscoWorks local (user) database (and replicated within ACS TACACS+ user database) is granted access to all installed Management Center applications; even if the user account is disabled within ACS.

CSCef12461

ACS administrators are not restored, when on a large database, you restore a dump file on Windows 2000.

Symptom    When ACS contains a big database with 500 or more administrators, after restoring the dump file on Windows 2000, the ACS administrators are not restored.

Workaround   Manually create administrators after restore.

CSCee64596

During stress tests, ACS does not reduce the size of the CSAdmin file based on the Service Control settings.

Symptom    Intensive use of the Logged-In Users report may lead to significant memory utilization (140 MB) by the CSAdmin service.

Workaround   Restart the CSAdmin service.

CSCsb15116

The Apply and Restart button in the Network Access Profiles (NAP) page does not release the Network Access Filter (NAF) policy.

Symptom    Deleting a Network Access Filter that is still referenced in a Network Access Profile may cause unexpected behavior (the NAP fails) and authentication fails.

Workaround   Perform one of the following:

Before deleting a Network Access Filter, remove it from the relevant Network Access Profiles.

After deleting a Network Access Filter, click Submit (without making changes) in the Profile Setup page of each relevant Network Access Profile.

CSCsc57975

The database order inside a Network Access Profile may cause authentication to fail and an error message appears.

Symptom    When a user account in Windows Active Directory has expired, the user may still be authenticated against another external database that is configured after the Windows database in the authentication settings of the matched NAP. If the user exists in that database, authentication succeeds. If the user does not exist in another database, the error message CS user unknown (instead of Database account expired) appears.

Workaround   None.

CSCse03681

Entering a community string that begins or ends with a space does not result in an error message.

Symptom    Entering a community string that begins or ends with a space does not result in an error message. Instead, the ACS system deletes the space without informing the user.

Workaround   None.

CSCse01194

After system migration from ACS for Windows to the Solution Engine version on the ACS SE 1113, the existing HTTP configuration is not retained.

Symptom    If the master ACS system (ACS for Windows 4.0.1.27) is configured for certain HTTP settings (the port ranges are changed to 60000-60005) and the system is replicated to the ACS SE 1113 version (4.0.1.44), the specified HTTP configuration settings are not retained on the ACS SE 1113 installation.

Workaround   None.

CSCsc41860

CSAuth fails when you use CSUtil to delete more than 10,000 AAA clients concurrently.

Symptom    A large number (35,000) of AAA clients was imported into an ACS server, and CSUtil import was then used to delete the 35,000 devices. After deleting the AAA clients, CSAuth failed.

Conditions   This defect can occur on a clean installation.

Workaround   When deleting a large number of AAA clients, you can use CSUtil to delete them in batches of up to 10,000 AAA clients concurrently.

CSCsb48683

Log and accounting file locking causes problems with backup software.

Symptom    ACS diagnostic and accounting log-file locking results in service problems when the directories are backed up by certain software applications (in the reported case, Veritas software was used).

Workaround   Upgrade your backup software.

CSCec72911

Issue with Windows 2003 password-aging page.

Symptom    ACS is installed on Windows 2003 Server and the password-aging feature is enabled. Only the generate greetings for successful logins option in Password Aging settings is checked. After clicking Submit or Submit + Restart, ACS for the first time displays the valid error message: Error: Generation of greetings on successful logins requires at least one password aging rule to be configured. But, when you click one of these buttons a second time, the errors active canceled or the page cannot be displayed appear.

Conditions   Occurs after installing and as long as no changes are performed. Occurs when managing ACS only on the local machine by using Internet Explorer 6.0.

Workaround   Restart ACS.

CSCea91690

Event Viewer errors on startup and shutdown in .NET

Symptom    On Windows .NET Server 2003 or Windows Server 2003 Enterprise Edition shutdown and startup, you may see errors that falsely indicate that an ACS service has failed. At startup, you may see a dialog box indicating that a service, such as CSLog, encountered a problem and will close. The same error is logged to the Event Viewer, as in:

Reporting queued error: faulting application 
CSLog.exe, version 0.0.0.0, faulting module 
unknown, version 0.0.0.0, fault address 0x00000000. 

In Windows Server 2003, the Service Manager queries the status of the ACS services during startup and shutdown, but the ACS services might not have started yet or might have stopped already. Although this is normal behavior for the ACS services, Windows perceives an error and logs it to the Event Viewer.

On startup, the user sees all errors from the Event Viewer, which is why users who log in to Windows right after startup see errors from the previous session.

This behavior is observed on Windows Server 2003 only.

Workaround   Verify that ACS services are running by using the Control Panel.

CSCsf13603

Cisco PEAP authentication against the RSA server with NEW PIN Mode fails.

Symptom    When RSA is the external user database and the RSA server forces the personal identification number (PIN) mode to change, the supplicant is required to enter a new PIN. When the supplicant sends the new PIN, ACS does not receive it, and the authentication fails.

CSCsg37711

CSAuth terminated: EAPFAST (all inner) Authentication and Posture

Symptom    The same IP address and user are processed simultaneously on 2 separate sessions.

CSCsg12943

CSAuth crashes, and the network access devices (NADs) show RADIUS_DEAD and are unable to authenticate any more ports.

Symptom    During stress testing, CSAuth crashes, and the network access devices (NADs), also known as AAA clients, show RADIUS_DEAD and are unable to authenticate any more ports.

Conditions   This is caused by clientless stress.

Workaround   None.

CSCsg44214

ACS is not sending external Posture Validation Servers (PVSs) to the Username server, causing no posture return.

The OfficeScan policy server requires a local account authentication before allowing access to PostureRequest.dll. The ACS server times out.

Workaround   None.

CSCsg40727

RDBMS fails account action 220 250 with synchronization partners.

Symptom    Network device groups (NDGs) are not getting added to synchronization partners, but an additional (duplicated) entry is getting added to primary. The AAA-Client cannot be deleted.

Workaround   Prevent the attempt to synchronize remote targets for specific device-type actions.

CSCsg56677

Reauthentication fails for an EAP-FAST user after you upgrade with User Principal Name (UPN) or Windows Security Account Manager (SAM) formats.

Symptom    When you attempt to upgrade ACS 4.0 to build 4.0.1.49 or to ACS 4.1, re-authentication fails with the error message:

Access denied:fast-reconnect was successful but user was not found in cache.

Workaround   There are two cases to review:

Case 1: Customers using Manual Protected Access Credentials (PAC) provisioning.

In this case you reprovision PACs with correct usernames (usernames containing domains).

Case 2: Customers using Automatic PAC provisioning.

In this case you set the values for the EAP-FAST settings on the EAP-FAST Configuration page:

Active master key TTL  = 1 hours
Retired master key TTL = 2 hours
Tunnel PAC TTL         = 30 minutes
Authorization PAC TTL  = 10 minutes

Note that the Active master and Retired master key times to live (TTLs) are changed to force invalidation of PACs issued by ACS 4.0 (4.0.1.27, 4.0.1.42/43/44).

Tunnel PAC and Authorization PAC TTLs are changed because of a limitation that their values must be less than the Active master and Retired master key TTLs.

Note When the customer's environment contains several ACS servers, this change must be applied on ALL ACS servers configured as an EAP-FAST master server. This change should be replicated to the corresponding slave ACS servers. This change will lead to reprovisioning of ALL PACs.

You can change the EAP-FAST settings back a day after these changes are applied and replicated to all ACS servers in the customer's environment. The default values are:

Active master key TTL  = 1 months
Retired master key TTL = 3 months
Tunnel PAC TTL         = 1 weeks
Authorization PAC TTL  = 1 hours

CSCsg74699

When you upgrade, the AAA client and server configuration might be dropped due to a DNS failure.

Symptom    ACS allows customers to enter an AAA client or server by host name. ACS stores the host name and resolves the IP address at startup.

Conditions   During an upgrade, if the DNS resolution of a host name fails, that host's configuration data is ignored. Following the upgrade, the AAA client and server configuration is missing for the host names that failed the DNS lookup.

Workaround   None.

CSCsg19044

ACS syslog and ODBC configuration is missing in the listing for Trend, McAfee, and Qualys.

Symptom    When you select System Configuration > Logging, configuration information is missing (failed attempts or passed attempts) for syslog and ODBC. The attributes for Trend, Qualys, and McAfee are not listed in either column, but are listed under the CSV configuration.

Workaround   None.

CSCsg16875

ACS sends an internal error when CSA is disabled and enabled.

Symptom    ACS 4.1 sends an internal error in the failed authorization logs when the CSA security level is changed from Medium to Off and then back to Medium.

Conditions   This defect occurred in an environment with CTA 2.1.18.0, the CTA 802.1x Wired Client, CSA 5.0.0.181, and ACS 4.1.

Workaround   Restart the ACS CSAuth service manually or wait for ACS to do it automatically.

CSCsb93223

An internal posture validation policy is created even though a template profile cannot be configured.

Symptom    An internal posture validation policy is created by using the NAC 802.1x template.

Conditions   All conditions. Occurs any time when using the NAC 802.1x template and you cannot create a profile (for example, Global Authentication Setup is not configured properly).

Workaround   None.

CSCsg24439

Required credentials are inconsistent for logging and behavior internally and externally.

Symptom    Credentials for Cisco:Host and Cisco:PA that are not selected as required credentials are still requested from CTA and are still evaluated.

Conditions   All conditions.

Workaround   None.

CSCsg39294

On the internal Posture Validation page, the policy details should be left-justified.

Symptom    The policy details column of the internal posture validation setup is centered so that you have to scroll over to see the column headings and action buttons. This text should be justified left to make it easier to view.

Workaround   Left-justify the text.

CSCsf28775

Expired accounts are incorrectly reported.

Symptom    After upgrading ACS from 3.3.3 to 4.0, accounts which have expired due to their user expiry configuration are not reported in the Disabled Accounts report.

Conditions   This problem has been observed on ACS 4.0 after an upgrade from 3.3.3. Upgrades from other versions might be affected as well.

Workaround   None.

CSCsf25057

ACS support for TACACS+ single-connection.

Symptom    ACS does not support the TACACS+ single-connect flag.

Conditions   ACS support for TACACS+ single-connection was intentionally removed to work with IOS, which does not correctly support the feature.

Workaround   None.

CSCsg24408

ACS syslog facility needs to be configurable for localX, not fixed AUTH.

Symptom    To determine which logging facility was being used you need to trace the traffic coming from ACS that was destined for the syslog server on port 514.

Workaround   Set up syslog to accept AUTH and not a localX facility. For example, auth.debug.

CSCsf16737

CSAuth, CSAdmin, CSRadius, CSTacacs are not started up after reboot.

Symptom    After a system reboot, the following services do not start when the Windows Firewall/Internet Connection Sharing (ICS) service is started:

CSAuth

CSRadius

CSTacacs

CSAdmin

Workaround   Disable the Windows Firewall/Internet Connection Sharing (ICS) service. To do so, choose Start > Run, enter services.msc, and click OK. In the Services dialog box, scroll to Windows Firewall/Internet Connection Sharing (ICS). Right-click it and choose Properties. In the Startup type box, change Automatic to Disabled.

Note You can also manually start each service.
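The same workaround scripted for an ACS for Windows host, as an added example that is not part of the Cisco release notes. It assumes the ICS/Windows Firewall service is registered under its usual short service name, SharedAccess (confirm with Get-Service before running), and it reports the final state of the four ACS services that the symptom names.

```powershell
# Added example (not Cisco's code): automate the CSCsf16737 workaround and
# verify that the ACS services named in the symptom are running afterwards.
# Assumption: the Windows Firewall/ICS service short name is 'SharedAccess'.
$icsServiceName = 'SharedAccess'
$acsServices    = 'CSAuth', 'CSRadius', 'CSTacacs', 'CSAdmin'

# Step 1: set the ICS service to Disabled so it no longer starts at boot.
$ics = Get-Service -Name $icsServiceName -ErrorAction SilentlyContinue
if ($ics) {
    Set-Service -Name $icsServiceName -StartupType Disabled
    if ($ics.Status -eq 'Running') {
        # Stopping it now avoids waiting for the next reboot to take effect.
        Stop-Service -Name $icsServiceName -Force
    }
    Write-Host "$icsServiceName startup type set to Disabled"
} else {
    Write-Warning "$icsServiceName not found; check the service name on this host"
}

# Step 2: start any ACS service that did not come up, then report status.
foreach ($name in $acsServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "$name is not installed on this host"
        continue
    }
    if ($svc.Status -ne 'Running') {
        Start-Service -Name $name
        # Give CSAuth and friends up to a minute to reach Running.
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    }
    '{0,-10} {1}' -f $name, (Get-Service -Name $name).Status
}
```

Run from an elevated PowerShell session on the ACS host; any service still not reporting Running after this script points at a cause other than the ICS dependency described in this caveat.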


Resolved Caveats in ACS for Windows and the Solution Engine 4.1

Table 3 contains the resolved caveats for the ACS 4.1 release. Check the Bug Navigator on Cisco.com for any resolved bugs that might not appear here.

Table 3 Resolved Caveats in ACS Windows and the Solution Engine 4.1 

Bug ID
Summary
Explanation

CSCsc43287

Replication: Administration Control > Access Policy. Port allocation not replicated.

The port allocation settings now enable replication. For detailed information see the User Guide for Cisco Secure ACS 4.1.

CSCsc41129

CSAuth experiences exceptions during EAP-TLS stress testing against an LDAP external database over secure sockets layer (SSL) connections.

CSAuth no longer experiences exceptions or failures after stress testing EAP-TLS authentications against an LDAP external database with LDAP connections over SSL.

CSCsc39979

Updating a NAP deletes the external user from the Logged All Users report.

External users related to the NAP are no longer deleted from the Logged All Users report.

CSCef85314

Group DACL is downloaded if user's content NAF is not suitable.

The ACL and NAF features work as desired, as documented in the User Guide for Cisco Secure ACS 4.1.

CSCsc06942

Script interface fails the 1,000-byte limit at the Layer 2 level.

This issue is relevant only for nonfragmented messages in tunneled protocols (Microsoft PEAP, Cisco PEAP, and EAP-FAST). Unfragmented tunneled EAP messages must not exceed a total length of 1,002 bytes.

CSCsc00788

Password change is not supported in Generic Token Card (GTC) against a Windows database.

Password change is supported in EAP-GTC against a Windows database. You must perform the following steps to enable the password change:

1. Mark the password in Windows as must change password at the next logon.

2. Run EAP-FAST with GTC as the inner method and ensure that the changed password works.

CSCsb25151

When a AAA client has multiple IP addresses, NAF for downloadable ACLs fail.

NAF for downloadable ACLs no longer fails for AAA clients.

CSCsa79327

Authentications fail for users whose passwords contain the euro symbol (€).

Authentication no longer fails for users who use the euro symbol (€) in their password.

CSCeh24979

Users fail to authenticate when upgrading and attempting to access an obsolete (no longer used) database.

Users now authenticate when upgrading and attempting to access an obsolete database.

CSCeh10491

Authentication errors on timeout waiting for local logging.

Authentication errors due to timeout no longer occur.

CSCeb78551

When handling an LEAP RADIUS proxy between a front-end ACS server and a back-end ACS server, problems arise if the configuration is not correct.

You must incorporate the required configuration settings to successfully use this feature.

For detailed information, see the User Guide for Cisco Secure ACS 4.1:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_list.html

CSCsc69976

Local logging file size and days do not appear after change in GUI.

Local logging file size and days appear after a change in the GUI.

CSCsc27168

User authentication succeeds even though a database is not selected.

Before deleting the external database configuration, ensure that it is not used in any NAP.

CSCsb72286

ACS RADIUS proxy uses RADIUS port 1645, not the current port 1812.

ACS is now able to work with different ports. ACS can now use its proxy capability for other AAA servers.

CSCeh37907

Duplicate IP addresses are assigned due to reordered Accounting Stop packets.

Duplicate IP addresses are no longer assigned.

CSCsc41673

CSAuth fails after importing an Airespace NAS.

This problem has been fixed in the most recent version of ACS.

CSCeh35121

Local logging stopped working after ODBC logging removed.

Local logging is successful after ODBC logging is removed.

CSCsc95237

ACS Services do not start after upgrading from 3.x to 4.1.1

A trailing space was found in the IP address for a particular network device. This caused the database conversion process to fail, which prevented ACS services from starting after the upgrade. Use the registry editor to remove the trailing space and ACS services will start after the upgrade.

CSCsc72958

ACS documentation does not indicate that IP NAR requires attribute 31.

The User Guide for Cisco Secure ACS 4.1 has been updated with the correct information:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_list.html

CSCsf11031

Upgrading to ACS 4.1 from a patched ACS will not implement the Critical Logger.

You do not need the patch. The critical logging function is introduced in ACS 4.1. When you upgrade from ACS 4.0 to 4.1, the patch is canceled and the critical logger is enabled.

CSCeh54670

EAP-TLS Strip Domain Name check box has been removed in the 4.1 GUI.

This feature controlled whether ACS removes the domain name from a username that is derived from the Subject Alternative Name (SAN) field in an end-user certificate.

The Windows EAP Setting, EAP-TLS Strip Domain Name check box, has been removed from the version 4.1 GUI. In version 4.1, the Active Directory (AD) search functionality enables you to authenticate a username.

CSCsc77190

The <no access> group does not prevent EAP-TLS user from accessing the network.

This problem has been fixed in the most recent version of ACS.

CSCsg02005

CSMon utilizes 100% of the CPU while trying to communicate with the SMTP Server.

This problem has been fixed in the most recent version of ACS.

CSCsb38899

Upgrade to 5.1(0.7) resets all tuned signatures to default settings.

This problem has been fixed in the most recent version of ACS.

CSCsc27158

A memory leak occurred during stress tests of PAP authentications with LDAP server (OpenLDAP) and legacy SSL enabled (cert7.db). For example, memory usage reached 100MB after ~1.5 million authentications.

This problem has been fixed in the most recent version of ACS.

CSCsc06942

Script interface fails the 1K limit at the Layer 2 level.

This problem has been fixed in the most recent version of ACS.


Known Caveats with ACS Solution Engine 4.1

Table 4 contains the known caveats for ACS Solution Engine 4.1. Check the Bug Navigator on Cisco.com for any known bugs that might not appear here.

Table 4 Known Caveats in ACS SE 4.1 

Bug ID
Summary
Explanation

CSCse01363

The appliance configuration page is not replicated when the system is migrated from the ACS SE 1112 device to the ACS SE 1113 device.

Symptom    Under certain conditions, the appliance configuration is not replicated when the system is migrated from the ACS SE 1112 to the ACS SE 1113.

Conditions   This occurs when a user:

1. On the Master ACS (Quanta 4.0.1.42), accesses the Appliance Configuration page from System Configuration.

2. Enables NTP Synchronization and adds an IP address to the NTP Server.

3. Enables the Cisco Security Agent.

4. Ensures that the SNMP Agent is enabled and changes the SNMP default Community and port, and then adds SNMP Agent Contact and Location.

5. Checks Accept SNMP packets from selected hosts and adds a host address.

6. Submits changes.

7. The ACS SE 1112 is replicated to the ACS SE 1113.

CSCse04125

SNMP ports on the ACS SE 1113 can be assigned incorrect values.

Symptom    On the ACS SE 1113, no error message appears if you:

Delete the default SNMP port value.

Add characters instead of numbers to the SNMP port value.

Add a port number greater than 65536.

Add an SNMP port that the device is already using.

In the previous release (ACS 3.3.3), the error message The port number is in use or invalid appears.

Workaround   Enter a correct SNMP port number that the device is not already using.

CSCse08310

System performance is degraded when no dynamic users exist.

Symptom    If the ACS internal database is empty (contains no users) and the system is configured to use Remote Agent for AD authentication, it takes a long time for the system to stabilize. This system instability is more prevalent when more complicated authentication protocols are used, for example, MS-PEAP, EAP-TLS, or PAP.

CSCsd98589

When the Network Interface Card (NIC) is disconnected, authentication cannot be performed.

Symptom    Authentication fails if the NIC is disconnected from a previously configured and functioning appliance, the system is rebooted and restarted, and the NIC is reconnected.

Error messages similar to the following appear:

04/17/2006 22:01:52 Unknown NAS .. .10.56.60.115 
quanta-new-5 .. No .. .. (Unknown) 

Workaround   Restart CSAuth. Then choose System Configuration > Service Control and click the Restart button to restart CSLog, RADIUS, and TACACS+.

CSCsd94022

Setting the system clock forward disrupts a scheduled backup process.

Symptom    If the system clock is set forward, for example, from 16:00 to 16:58, and a scheduled backup is configured to run during a later time period, for example, from 17:00 to 18:00, the scheduled backup might take a long time to complete or might not occur. This condition can occur when the system time is changed because of the switch to Daylight Saving Time.

CSCsd92719

The NTP configuration is not restored after a system backup.

Symptom    When the ACS SE 1113 appliance is backed up, the NTP configuration is not retained.

CSCsd91218

Under certain conditions, when IP filtering is set during initial configuration, the specified IP filtering does not work.

Symptom    If, during an initial configuration, IP filtering is set and the specified IP addresses are incorrect or are used by another ACS SE 1113 device, and the ACS SE 1113 is rebooted, the specified devices do not work, even if they are set manually by using the set ip command.

CSCsd88833

Manual setup of IP configuration on the ACS SE 1113 appears to fail.

Symptom    On a newly installed ACS SE 1113 device, if you configure the IP settings manually by using the set ip command, the output from the command does not show the specified configuration. For example, if you enter a valid IP address by using the set ip command, a message similar to the following appears:

Use Static IP Address [Yes]:
IP Address [0.0.0.0]: 10.56.60.114

However, entering a show ip command displays the correct IP address.

CSCsd20149

After initial configuration from the Recovery CD, there is no GUI access.

Symptom    This problem occurs on the ACS SE 1111 (HP) when you perform a full upgrade, including the appliance base image. After you install from the ACS SE 1111 (HP) Recovery CD and the initial configuration ends, you cannot access the web interface.


When you log in to CLI, the appliance status indicates that pfipmon not running.

Conditions   On the ACS SE 1111 (HP), after installing from the Recovery CD when performing a full upgrade, including the appliance base image.

Note If you are not upgrading the appliance base image, you do not need to install from the Recovery CD.

Workaround   Use the CLI command reboot to restart the appliance.

CSCsc63854

ODBC Mapping exists after restoring image created on software.

Symptom    After restoring the appliance image from the software version of ACS 4.0.1, the ODBC configuration still remains in Unknown User Policy and in NAP/Authentication.

Workaround   None.

CSCsc52381

ACS SE console access might not work if NTP synchronization is enabled.

Symptom    The login prompt might not appear on the CLI console after rebooting through the CLI or through the GUI when NTP synchronization is enabled, even if the NTP server address is set correctly.

Workaround   Disable NTP synchronization.

CSCsc03778

ACS SE replicated changes under Administration Control not enforced unless the user reboots.

Symptom    If you make a change in the Access Policy under Administration Control and then replicate the change to another appliance, the changes are not enforced on the receiving appliance.

Workaround   On the receiving (secondary) appliance:

Click Submit on the Access Policy page.

Reboot the secondary appliance.

CSCsb27597

Limitation on the custom attributes (of 31,000 as CSAdmin indicates).

Symptom    In the T+ Settings per User Group Configuration page, which is accessed from the Interface Configuration page, if you add the 1201st entry in the custom attribute field, the browser crashes.

The custom attribute field is currently limited to 31KB (approximately 1,200 attributes).

Workaround   None.
