Release Notes for Cisco Secure Access Control Server for Windows Server Version 3.1.2

These release notes pertain to Cisco Secure Access Control Server for Windows Server (Cisco Secure ACS) version 3.1.2.

Introduction

Cisco Secure ACS provides authentication, authorization, and accounting (AAA—pronounced "triple A") services to network devices that function as AAA clients, such as a network access server, PIX Firewall, or router. A AAA client is any such device that provides AAA client functionality and uses one of the AAA protocols supported by Cisco Secure ACS. For a general description of Cisco Secure ACS and its features, see User Guide for Cisco Secure ACS for Windows Server.

Documentation Roadmap

With the exception of online documentation, all Cisco Secure ACS documentation is available in PDF format on the product CD. The documentation directory on the CD also contains a white paper about Cisco Secure ACS and related products and technologies.

Installation Guide for Cisco Secure ACS for Windows Server (DOC-7814713=)—Contains information and procedures required for installing Cisco Secure ACS.
User Guide for Cisco Secure ACS for Windows Server (DOC=7814696=)—Contains concepts about Cisco Secure ACS and procedures for using all Cisco Secure ACS features.
Installation and User Guide for Cisco Secure ACS User-Changeable Passwords—Contains procedures for installing and using the User-Changeable Password utility for Cisco Secure ACS.
Online Documentation—In addition to the abbreviated help that appears adjacent to every page in the Cisco Secure ACS HTML interface, the online documentation contains the same information as User Guide for Cisco Secure ACS for Windows Server.

You can also access Cisco Secure ACS documentation on Cisco.com at the following URL:

You can find other product literature, including white papers, data sheets, and product bulletins, at the following URL:

New and Changed Features in 3.1.1

PEAP Support—PEAP provides stronger security, greater extensibility, and support for one-time token authentication and password aging. The goal of our PEAP implementation is to replace LEAP client/server user authentication services with the standards-based, non-proprietary PEAP protocol for wireless user authentication. PEAP provides enhanced security and richer extensibility of end-user databases than can be provided with LEAP.
SSL Support for Administrative Access—Administrative access to the Cisco Secure ACS HTML interface can be secured with SSL. This security enhancement provides both certificate-based server authentication and encrypted tunnel support so that administrative access is encrypted with SSL.
CHPASS Improvements—Cisco Secure ACS allows you to control whether network administrators can change passwords during Telnet sessions hosted by TACACS+ AAA clients.
Improved IP Pool Addressing—Cisco Secure ACS uses the IETF RADIUS Class attribute as an additional index for user sessions. This reduces the possibility of allocating an IP address that is already in use but incorrectly reported to Cisco Secure ACS as released.
Network Device Search—You can search for a configured network device based on the device name, IP address, type (AAA client or AAA server), and network device group. This feature is particularly useful if you are managing several network devices.
Improved PKI Support—During EAP-TLS authentication, Cisco Secure ACS can perform binary comparison of the certificate received from an end-user client to user certificates stored in LDAP directories.
EAP Proxy Enhancements—Cisco Secure ACS supports LEAP and EAP-TLS proxy to other RADIUS or external databases using EAP over standard RADIUS. Previous versions of Cisco Secure ACS relied on LEAP proxy using MSCHAP over RADIUS proxy, making it more difficult to scale over an extended range of external user databases.
Cisco Management Center Application Support—Cisco Secure ACS provides a consolidated administrative TACACS+ control framework for many Cisco security management tools, such as CiscoWorks VPN/Security Management Solution (VMS) and CiscoWorks Management Centers.

Changed Features in 3.1.2

New CSMon test for the internal database—CSMon periodically tests the internal database to determine if database reads function properly. If not, CSMon restarts CSAuth automatically.
Updated Cisco VPN 3000 RADIUS dictionary—The Cisco VPN 3000 RADIUS vendor-specific attributes (VSAs) in Table 1 have been changed.

Table 1 Changed Cisco VPN 3000 Concentrator RADIUS VSAs

Attribute	Change	Number	Type of Value	Inbound/Outbound	Multiple
CVPN3000-IPSec- Authentication	Added an enumeration: "Kerberos- Active- Directory"	13	integer	Outbound	No
CVPN3000-DHCP- Network-Scope	New VSA	61	ipaddr (maximum length 15 characters)	Outbound	No
CVPN3000- Authorization-Type	New VSA	65	integer	Outbound	No
CVPN3000- Authorization-Required	New VSA	66	integer	Outbound	No
CVPN3000-DN-Field	New VSA	67	string (maximum length 247 characters)	Outbound	No
CVPN3000- Confidence-Interval	New VSA	68	integer	Outbound	No
CVPN3000-Cisco- LEAP-Bypass	New VSA	75	integer	Outbound	No

Installation Notes

For information about installing Cisco Secure ACS, see Installation Guide for Cisco Secure ACS for Windows Server, version 3.1.

Changes to Token Server Support

With the exception of RSA SecurID token servers, Cisco Secure ACS supports token servers using RADIUS. This is a change from earlier versions, which used vendor-proprietary interfaces for token servers. Beginning with Cisco Secure ACS 3.0.1, we supported CRYPTOCard token servers using a standard RADIUS interface. Cisco Secure ACS 3.1 extends the use of RADIUS to all token servers except RSA SecurID. For RSA SecurID, the vendor-proprietary interface is used.

If you upgrade to Cisco Secure ACS 3.1, the installation program may prompt you for information about token servers, depending on the version of Cisco Secure ACS you are upgrading from and the token server databases detected by the upgrade process.

If you are upgrading from Cisco Secure ACS 3.0, the installation program prompts you for information if you have one of these token servers:

SafeWord
PassGo (formerly Axent)

If you are upgrading from Cisco Secure ACS 2.6, the installation program prompts you for information if you have one of these token servers:

CRYPTOCard
SafeWord
PassGo

With this information, the installation program replaces the older token server configuration with a new one that uses the RADIUS interface of the token server. For more information about RADIUS support by your token server, see the applicable token server documentation.

Changes to CiscoSecure Database Replication

We enhanced the CiscoSecure Database Replication feature to require a handshake between primary and secondary Cisco Secure ACSes. The handshake is based upon the shared secret of the primary Cisco Secure ACS.

Each Cisco Secure ACS has a AAA Servers table that lists itself and the other Cisco Secure ACSes that it is configured to communicate with. Each entry in the AAA Servers table records a shared secret for the Cisco Secure ACS that the list entry represents. The shared secret for the primary Cisco Secure ACS is defined in the AAA Servers table entry that the primary Cisco Secure ACS has for itself.

Each secondary Cisco Secure ACS must have a AAA Servers table entry for the primary Cisco Secure ACS. The shared secret in that entry must be identical to the shared secret in the AAA Servers table entry that the primary Cisco Secure ACS has for itself. When this is true, replication succeeds.

If a secondary Cisco Secure ACS has a AAA Servers table entry for the primary Cisco Secure ACS and the shared secret in that entry does not match the shared secret that the primary Cisco Secure ACS records for itself, replication fails.

Changes to Inter-Cisco Secure ACS Communication

We enhanced communications between Cisco Secure ACSes to use 128-bit encryption. This change has the following effects:

Remote logging with Cisco Secure ACS 3.1 can only occur with other Cisco Secure ACSes that run version 3.1.
The only version of the web-based User-Changeable Passwords (UCP) application that works with Cisco Secure ACS 3.1 is the version of UCP distributed with Cisco Secure ACS 3.1. If you are upgrading to Cisco Secure ACS 3.1 and you use UCP, you must upgrade UCP, too.

Evaluation Version

The evaluation version of Cisco Secure ACS 3.1 provides full functionality for 90 days after the date of installation. This allows you to use all features of Cisco Secure ACS 3.1 while determining if it suits your needs. The evaluation version of Cisco Secure ACS 3.1 will be available within 30 days after the release of the commercial version of Cisco Secure ACS 3.1.

The evaluation version of Cisco Secure ACS 3.1 can be distinguished from the commercial version in the following ways:

The word "trial" appears in the title of the installation routine.
The Windows Control Panel Add/Remove applet indicates that the Cisco Secure ACS installation is a trial version.
In the administrative interface of Cisco Secure ACS, the word "trial" appears on the title of the initial screen.

When the evaluation period has elapsed, the CSRadius and CSTacacs services fail to start. You will receive a message upon accessing the HTML Cisco Secure ACS HTML interface notifying you that your evaluation period has elapsed.

Purchasing the Commercial Version

Please contact your Cisco Sales Representative(s) to inquire about purchasing the commercial version of Cisco Secure ACS. To purchase the commercial version of Cisco Secure ACS 3.1 online, use Part Number CSACS-3.1-WIN-K9 at the following URL:

Upgrading to the Commercial Version

After purchasing a commercial version of Cisco Secure ACS 3.1, you can upgrade your Cisco Secure ACS server from the evaluation version to the commercial version by installing the commercial version over the evaluation version. For information on installing Cisco Secure ACS 3.1, follow the instructions in Installation Guide for Cisco Secure ACS for Windows Server, version 3.1.

Limitations and Restrictions

Downloadable ACLs

The next release of Cisco Secure ACS 3.2 includes expanded support for downloadable ACLs. With Cisco Secure ACS 3.2, you can use downloadable ACLs with Cisco VPN 3000-series concentrators that use version 4.0 or greater of the VPN 3000 operating system.

Cisco Secure ACS 3.1.1 supports downloadable ACLs only with Cisco PIX devices using a version of the PIX operating system capable of supporting downloadable ACLs. With Cisco Secure ACS 3.1.2, the Downloadable PIX ACLs feature remains limited to PIX devices.

Interoperability Testing

Cisco Secure ACS has not been interoperability tested with other Cisco software. Other than for the software and operating system versions listed in this document, we performed no interoperability testing. Using untested software with Cisco Secure ACS may cause undesired results. For the best performance of Cisco Secure ACS, we recommend that you use the versions of software and operating systems listed in this document.

Supported Upgrade Versions

We tested upgrading to Cisco Secure ACS 3.1.2 from the following previous versions:

Cisco Secure ACS 3.1.1.
Cisco Secure ACS 3.0.3.
Cisco Secure ACS 2.6.4.

Supported Operating System

The only supported operating system for Cisco Secure ACS for Windows Servers 3.1, is Windows 2000 Server. Both the operating system and the service pack must be English-language versions.

We tested Cisco Secure ACS 3.1.2 with the English-language version of Windows 2000 Service Pack 4 and with Microsoft patch MS03-026 applied.

Upgrading from Windows NT 4.0

Cisco Secure ACS 3.1 runs only on Windows 2000 Server (for operating system requirements, see Installation Guide for Cisco Secure ACS for Windows Server. If you are upgrading from a previous version of Cisco Secure ACS that is running on Windows NT 4.0, you cannot upgrade the operating system to Windows 2000 Server. This is because the setup program for previous versions of Cisco Secure ACS detected which Windows operating system the computer used and customized Cisco Secure ACS for that operating system. As a result, upgrading the operating system to Windows 2000 Server without taking the necessary steps causes Cisco Secure ACS to fail.

For information about how to upgrade from Cisco Secure ACS on Windows NT 4.0, see Installation Guide for Cisco Secure ACS for Windows Server.

PEAP Limitations

External Databases Only—PEAP only supports external user databases. The CiscoSecure user database cannot support PEAP authentication; therefore, only users who have an account in a supported external user database can authenticate with PEAP.
Unknown User Processing—Enabling unknown user processing is strictly required to support PEAP authentication. Cisco Secure ACS uses unknown user processing during phase 1 of PEAP authentication, when the username is not known to Cisco Secure ACS. For more information about the Unknown User Policy, see User Guide for Cisco Secure ACS for Windows Server.

EAP-TLS Authentication with Active Directory

To perform EAP-TLS authentication using Active Directory as the external user database, Cisco Secure ACS must run on a domain controller. EAP-TLS authentication using Active Directory fails when Cisco Secure ACS runs on a member server.

Tested EAP-TLS Dialup with IOS

We tested Cisco Secure ACS 3.1.2 for EAP-TLS authentication with a dialup connection using Cisco IOS 12.3(1).

Tested Certificate Servers

Supported Web Browser Versions

We tested the HTML interface of Cisco Secure ACS 3.1.2 using an Microsoft Internet Explorer version 6.0. For administration of Cisco Secure ACS 3.1.2, we support only this browser, with the following additional restrictions:

English-language version only.
Microsoft Windows only.
Service Pack 1 for Internet Explorer 6.0 applied (also English-language only).

Note We did not test other versions of these browsers, nor did we test web browsers by other manufacturers.

To use a web browser to access the Cisco Secure ACS HTML interface, you must configure the browser as follows:

Enable Java
Enable JavaScript
Disable proxy server

For more information about accessing the Cisco Secure ACS HTML interface, see User Guide for Cisco Secure ACS for Windows Server, version 3.1.

Tested Token Server Versions

We tested Cisco Secure ACS 3.1.2 with RSA ACE/Server version 5.0 and ACE/Client version 5.5 for Windows 2000

Tested LDAP Server

We used Novell NDS v8.6 on Novell Netware 6.0 to test standard LDAP database support.

Tested Novell NDS and Novell Clients

We used Netware 6.0 to test Novell NDS v8.6 external user databases. We tested Cisco Secure ACS 3.1.2 with the Novell Requestor software found in Novell Client version 4.8.3 SP2 for Windows 2000. If you want to authenticate users with a Novell NDS external user database, you must install the Novell Requestor software on the computer that runs Cisco Secure ACS.

Tested Windows User Databases

We used Windows 2000 with Service Pack 4 and Windows NT 4.0 with Service Pack 6 to test Cisco Secure ACS 3.1.2 for Windows authentication.

Tested Platforms for CiscoSecure Authentication Agent

We have not tested CiscoSecure Authentication Agent specifically with Cisco Secure ACS 3.1.2; however, with Cisco Secure ACS 3.1.1, we tested CiscoSecure Authentication Agent on the following client platform operating systems:

Windows 98
Windows 2000

Caveats

Platform Caveats

Refer to the appropriate release notes for information about hardware caveats that might affect Cisco Secure ACS. You can access these release notes online at the following URLs.

Cisco Aironet Access Point

Cisco BBSM

Cisco Catalyst Switches

Cisco IOS

Cisco Secure PIX Firewall

Cisco VPN 3000 Concentrator

Cisco VPN 5000 Concentrator

Resolved Caveats—Version 3.1.2

CSCdx66485: discrepancies with Logged-in users report for Aironet users
CSCdx81108: LDAP registry error
CSCdy39914: wireless client cannot EAP login when max session limit is 1
CSCdz48094: CSRadius preventing wlan APs failing over
CSCdz90720: Replicated password changes do not work on the slave
CSCea00643: eap-tls with dialup to IOS failing
CSCea01192: SPC crash on open
CSCea14558: call back fails when callback string is specified in active directory
CSCea19930: Leak in CSAuth when using IP based NARs
CSCea35303: Change of NDG for NAS isnt applied until CSAuth is restarted manual
CSCea44596: Need to reboot ACS server before modified user detail are recognised
CSCea54293: CSMon can crash when processing logging messages from other services
CSCea65978: EAP compliance issues with ACS v3.1
CSCea67792: Change of NDG for NAS isnt applied until CSAuth is restarted manual
CSCea75293: Leak in CSAuth when using IP based NARs
CSCea75308: Need to reboot ACS server before modified user detail are recognised
CSCea87470: Unknown user policy with ACE has returned inconsistent group inform
CSCeb11686: restarting the services does not unlock locked object
CSCeb11691: SPC names are limited to 31 characters in size
CSCeb34958: ACS CPU utilization 100% causes no authen after all
CSCeb47081: Using VOIP accounting with CID as user names cause to problem
CSCeb48341: duplicate selections from pull down menu of downloadable acl
CSCeb63027: duplicate selections from pull down menu of downloadable acl
CSCeb63031: SPC names are limited to 31 characters in size
CSCeb63035: restarting the services does not unlock locked object
CSCeb64302: Network Model within ACS Registry grows in accounting
CSCeb64317: Network Model within ACS Registry grows in accounting
CSCeb77357: ACS strips off CN from DN for GroupObjectType
CSCec04053: CSAdmin and CSAuth could not start with DrWatson
CSCec19050: Incorrect behavior under stress of EndPoint.dll

Resolved Caveats—Version 3.1.1

CSCdy65014: CSauth lockup during replication
CSCdy50199: Restart condition for CSMon
CSCdy50140: ACS backup routine does not erase all temporary created files
CSCdy32890: Can not define multiple instances of cisco-ssg-control-info
CSCdy19385: Whitespace only entries in Groupmap javacontol hang browser
CSCdy18833: Auth. fails when ACS/NT 3.0 is auth. to Windows Active Directory
CSCdy16496: T+ Hang when Varsdb breaks
CSCdy16493: NDS does not auth FQ usernames if they begin with . [dot]
CSCdy15215: Character in hostname crashes ACS
CSCdy14582: Minimum account rights needed to start/stop CiscoSecure services
CSCdy11858: When passwords are limited to alphanumeric, all CSMon tests fail
CSCdy11740: Database replication partner order not saved
CSCdy11718: Unable to add renamed user-defined attributes ito Radius accounting
CSCdy02582: user CLID gets truncated after exporting into 3.0
CSCdx92037: Configuring CSNT to use port 2002 only results in gui lockout
CSCdx91072: ODBC Authentication with CHAP/MSCHAP1/2
CSCdx62520: When passwords are limited to alphanumeric, all CSMon tests fail
CSCdx29451: DB updates via RDBMS Sync do not cause replication
CSCdx29446: unauthorized disclosure of data can be achieved using crafted URL
CSCdx29403: CSRadius fails to restart properly on Submit & Restart
CSCdx29400: CSRadius fails to restart properly on Submit & Restart
CSCdx29389: NAR doesn't match with wildcards in NAS definition
CSCdx29383: ODBC Authentication with CHAP/MSCHAP1/2
CSCdx29378: Distribution table and test accounts
CSCdx29377: GlobalAuthenticationConfiguration should be added as per adm privilege
CSCdx29374: sending crafted URL can cause CSADMIN to crash or exec user code
CSCdx29372: Radius Proxy of accounting packets kill CSRadius
CSCdx29370: T+ crashes under load
CSCdx29368: ACS 3.0 crash with Dr Watson Accounting request has no status type
CSCdx21407: Allow anonymous administrator username and password for LDAP
CSCdx19053: User guide wrongly states that reboot.bat exists
CSCdx16701: CSNT variable lengths (groups, NASs restrictions, etc.) undocumented
CSCdw86405: ResetCounters and Quota assignment Action codes are swapped
CSCdw64726: Embedded Documentation on Replication Configuration vague
CSCdw51174: Replication log message shows error on successful completion
CSCdw48049: Docs need clarification regarding Windows authentication
CSCdw45665: Docs inaccurate and incomplete regarding max number of AAA clients
CSCdw27571: GlobalAuthenticationConfiguration should be added as per adm privele
CSCdw19605: ACS 2.6(3) stops authenticating under heavy load - NDS
CSCdw09587: acs with external database DB2,not send foreign IP
CSCdw07015: Class attribute missing from Radius Accounting section
CSCdv62731: Docs wrong about Domain List effect on failed Win DB logins
CSCdv47186: Unable to add renamed user-defined attribute ito Radius accounting
CSCdu39662: ERROR_EXPORT_DISK_TOO_LOW error when upgrading to CSNT 2.6
CSCdp40874: CSNT refuse/allow new behavior undocumented

Open Caveats—Version 3.1.2

CSCdu33140: PPTP Tunnel with VPN3000 and MS-CHAP V2 method

A PPTP tunnel using a Cisco VPN 3000-series concentrator and MS-CHAP version 2 fails. The VPN concentrator indicates that authentication passed; however, tunnel establishment fails. When using the MS-CHAP version 1 method with the same configuration, tunnel establishment succeeds. When using the concentrator's internal user database with MS-CHAP version 2, tunnel establishment succeeds.

Workaround/Solution: There are few steps which needs to be filled when configuring Cisco Secure ACS to support PPTP Tunnel in MS-CHAP version 2 (and version 1) authentication methods:

Setup two users at least on Cisco Secure ACS, one as a tunnel user and the others as the authenticated users. The tunnel user and its password should be the same as the tunnel group name on the concentrator and its password.

The authenticated users must include the following settings in Cisco Secure ACS, as well:

In "IETF RADIUS Attributes" check the "[025] Class" attribute and the following value should be entered in the text box: "ou=groupname;" where groupname is the name of the tunnel user name previously configured.
In "Microsoft RADIUS Attributes", select the "[311\012] MS-CHAP-MPPE-Keys" check box.
Add a group name similar to the tunnel users name, and in the "Cisco VPN 3000 Concentrator RADIUS Attributes" select the [3076\011] CVPN3000-Tunneling-Protocols check box and the [3076\020] CVPN3000-PPTP-Encryption check box.
Select the [3076\011] CVPN3000-Tunneling-Protocols check box, then select PPTP from the corresponding list.
Select the [3076\020] CVPN3000-PPTP-Encryption check box, then select 128-bit or lower from the corresponding list, according to the client encryption capability

Use the Windows 2000 PPTP client and establish the PPTP tunnel via MS-CHAP V2 authentication method.

CSCdu48120: CSNT error occurred during the move data process

Workaround/Solution: Delete pdh.dll from the Windows system32 directory, then restart the installation.

CSCdv35872: Insufficient length for NDS context entry

When a Novell NDS database configuration in Cisco Secure ACS has a context list greater than 4095 characters long, editing the NDS configuration page results in incorrect HTMLin the browser interface.

CSCdv86707: User Data Field name is not replicated

Changes to user-defined fields in user records do not appear to replicate. After the user-defined fields are changed in the Interface Configuration section on the primary Cisco Secure ACS server and replication succeeds, the secondary Cisco Secure ACS server does not display the changes to the user-defined fields in the HTML interface.

Workaround/Solution: The changes to the user-defined fields do replicate successfully; however, to see the changes on the secondary Cisco Secure ACS server, restart the CSAdmin service.

CSCdv86708: HTTP Port Allocation is not replicated

Changes to HTTP Port Allocation settings do not appear to replicate. After the HTTP Port Allocation settings are changed on the Access Policy Setup page in the Administration Control section on the primary Cisco Secure ACS server and replication succeeds, the secondary Cisco Secure ACS server does not display the changes to the HTTP Port Allocation settings in the HTML interface.

Workaround/Solution: The changes to the HTTP Port Allocation settings do replicate successfully; however, to see the changes on the secondary Cisco Secure ACS server, restart the CSAdmin service.

CSCdv89331: VOIP Accounting Configuration - no upgrade, no backup & restore

In the System Configuration section, settings made on the VoIP Account Configuration page are not restored from backup. Neither are these settings preserved during reinstallation of Cisco Secure ACS 3.0 or upgrading to a later build of Cisco Secure ACS 3.0.

CSCdx56300: Certificates cant be found in OS storage

When using the "Use certificate from storage" option on the ACS Certificate Setup page in System Configuration, the error message "Cannot find certificate with specified common name in the ACS storage" occurs even though the server certificate was installed in the operating system local machine storage.

Workaround/Solution: To install a server certificate in local machine storage so that Cisco Secure ACS can find it, follow the instructions in "Extensible Authentication Protocol Transport Layer Security Deployment Guide for Wireless LAN Networks", available at:

CSCdx79277: Netscape - no left hand splash buttons with https connectivity

If you use implement HTTPS transport for access to the Cisco Secure ACS HTML interface and you use Netscape Communicator version 6.2.3 running on Windows 2000 Professional with Windows Service Pack 2, Cisco Secure ACS does not present the Navigation Bar that usually displays the section buttons on the left side of the page.

Workaround/Solution: The problem is caused by Netscape. If you implement HTTPS, use Microsoft Internet Explorer for Windows, version 5.5 or 6.0, to access the Cisco Secure ACS HTML interface.

CSCdx81906: Unable to replicate to more than 20 partners

Customer has run into a limitation on replication partners of 20. You can configure more, but the 21st partner in the list but it will not work - the master will say that it's not responding.

Workaround/Solution: If you delete one of the servers higher up in the list, thus moving the problem server into slot number 20, replication works.

CSCdy11747: deleted SPC remain configured in user/ group profiles

If a shared profile component is deleted, user and group profiles previously configured to use the deleted component still reference it, causing authorization failures.

Workaround/Solution: When you delete a shared profile component, such as a network access restriction, command authorization set, or downloadable PIX ACL, be sure that no user or group profiles reference the component you want to delete.

CSCdy14259: T+ ascii login doesn't work correctly with cryptocard

Users authenticating with CryptoCard incorrectly receive a password prompt in addition to the username, challenge, and response prompts.

Workaround/Solution: Users can enter any string at the password prompt and press Enter, then continue CryptoCard authentication normally.\

CSCdy30639: ACSNT rename of network device group problem with command set

Each time that you rename a "Network Device Group", the system is unable to keep track and to update the association that there is between the renamed group and the command set that is applied on that devices.

Workaround/Solution: You must manually delete the association between the old-named device group and the command set and add manually a new association with the renamed device group and the same command set.

CSCdy38832: List All Users/Group column value is 0 after restore/install wit

The group list in Group Setup has inaccurate numbers of users if you reload the internal user database using CSUtil.exe. This can also occur after upgrading if you preserve the existing configuration during the upgrade process.

CSCdy44938: Activcard auth misbehavior via T+

The problem occurs for TACACS+ with ActivCard token server as an external user database. If the asynchronous (challenge/response) OTP authentication mode is used, and users enter a wrong response, they cannot authenticate for the next 2-3 minutes. Authentication requests are denied even if the correct credentials are entered.

Workaround/Solution: After several minutes users can authenticate with the right credentials.

CSCdy44940: OTP Password is echoed on T+ NAS

When using TACACS+ login and a static shell password prompt defined on "TACACS+ Shell configuration" for RADIUS OTP external databases the user OTP password (fixed or dynamic) is always echoed on TACACS+ AAA client input.

CSCdy46284: Vasco auth misbehavior via T+

The problem occurs for TACACS+ with Vasco token server as an external user database. If the asynchronous (challenge/response) OTP authentication mode is used, and users enter a wrong response, they cannot authenticate for the next 2-3 minutes. Authentication requests are denied even if the correct credentials are entered.

Workaround/Solution: After several minutes users can authenticate with the right credentials.

CSCdy51214: fail to delete aaa server when its in sync table/aaa server side

table in Network Configuration if the Synchronize"= list under Synchronization Partners on the RDBMS Synchronization Setup page is empty. An error message "x.x.x.x can not be deleted since it is an synchronization partner" appears.

Workaround/Solution: Move any other AAA server to the Synchronize list, then delete the AAA server.

CSCdy59706: CAA messaging wont work with ppp callback and callin authentication

When having ppp callback and only callin is authenticated (ppp authentication pap chap callin), then messaging to the CAA client will fail with all aging rules selected in ACS.

Workaround/Solution: Either remove the "callin" keyword to enable authentication for callin and callout (callback in this scenario), or disable callback altogether.

CSCdy64935: After editing CTL, restart message is not displayed

After administrator has changed the Certificate Trust List (CTL), the services must be restarted in order to adopt new settings. The standard ACS restart message must be displayed.

Workaround/Solution: After modifying the CTL, go to the Service Control page in System Configuration and click Restart.

CSCdz30261: ACS doc does not have examples with product setups

CSCdz61875: Configured Default Proxy Distribution Entry is not restored

If you configure the (Default) of "Proxy Distribution Table" in "Network Configuration" after backed up. Previously settings before backup are not restored. Example...

Change the configuration of "Send Accounting Information" in "Proxy Distribution Table" to "Local/Remote" from "Local".
Backup ACS Server
Change that value to "Local" from "Local/Remote".
Restore the ACS Server using backup data of 1:.
That value is restored as "Local" not "Local/Remote".

CSCea25090: Logged In User not showing after going into enable mode on router

With AAA Accounting for exec sessions configured on a NAS, a user shows up in the Logged-In User report on ACS. With Accounting also configured for going into enable mode, the user no longer appears in the Logged-In User report after authenticating successfully.

CSCea67901: UCP has trouble with dots in usernames

When using the User changeable passwords utility to change the passwords for the usernames which contain dot (".") character, after clicking on one of the links on the top, the links at the top in the subsequent screen contain only the part of the username before the dot.

Workaround/Solution: edit the passwd.htm and result.htm files in the cgi-bin directory to comment out the table with the links - so that the users would not be able to get confused.

CSCea91947: ACS will not authen Win2k users when NTLMv2 is enabled on network

Customer using NTLMv2 on their network for security will not allow Win2k users to authenticate through ACS. If customer changes the NTLMv2 to NTLM then authentication works fine

CSCeb00416: token caching with radius token server based ext db fail with tacacs

CSCeb02010: CiscoSecure ACS Group NAR not working

I have Group-Level Shared NAR and Group-Level NAR enabled. The Group display shows Per-User NAR which doesnt work when tried. This looks like a bug in the display of the Edit Group function.

CSCeb02660: acs windows CSNTERRORSTRING isnt logged with chap authentications

CSNTERRORSTRING included in the return field from the ext ODB isnt logged with chap authentications. It is logged with pap authentications in auth.log

CSCeb36221: Unable to add ACL with special character - or /

Customer is cannot add ACL with special character like "-" or "/" in Shared profile components --> Downloadable PIX ACL

CSCeb43302: WaitForMultipleObjects returned [-1] feeds up HDD, then system down

The size of "CSDBSync.log" became large(60GByte) and it caused a system down, but the customer was not using RDBMS Sync. "WaitForMultipleObjects returned [-1]" fed up CSDBSync.log file.

CSCeb45832: Cisco VSA cannot be added to the CSV VoIP Accounting logging

On the "CSV VoIP Accounting File Configuration" cisco radius VSA are not appear on the attribute text area.

Workaround/Solution: The workaround that done for ITXS is a special registry file that add those missing VSA to the attribute list on this page.

CSCeb51393: multi-admin needs to be able to add/edit/delete downloadable ACLs

With multi-administrator tries to add/edit/delete downloadable acl under the shared profile components, after the first admin submitted any changes, the other administrator's ACS session got locked up.

Workaround/Solution: There is no workaround. Administrators must inform each other when he/she is working on the downloadable ACLs.

Obtaining Documentation

Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription.

Registered Cisco.com users can order a single Documentation CD-ROM (product number DOC-CONDOCCD=) through the Cisco Ordering tool:

All users can order annual or quarterly subscriptions through the online Subscription Store:

Ordering Documentation

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance.

Cisco TAC Website

The Cisco TAC website (http://www.cisco.com/tac ) provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year.

Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:

Opening a TAC Case

The online TAC Case Open Tool (http://www.cisco.com/tac/caseopen ) is the fastest way to open P3 and P4 cases. (Your network is minimally impaired or you require product information). After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using these recommendations, your case will be assigned to a Cisco TAC engineer.

For P1 or P2 cases (your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

TAC Case Priority Definitions

To ensure that all cases are reported in a standard format, Cisco has established case priority definitions.

Priority 1 (P1)—Your network is "down" or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:

Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:

iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:

This document is to be used in conjunction with the documents listed in the "Obtaining Documentation" section.

Table of Contents