|
Table Of Contents
Release Notes for Cisco Secure ACS for Windows Server Version 3.2
HTTPS Support Change and Management Center Applications
Changes to Token Server Support
Purchasing the Commercial Version
Upgrading to the Commercial Version
Supported Platforms for CiscoSecure Authentication Agent
Other Supported Devices and Software
Known Problems in Cisco Secure ACS Version 3.2.1
Resolved Problems in Cisco Secure ACS Version 3.2.1
Obtaining Technical Assistance
Obtaining Additional Publications and Information
Release Notes for Cisco Secure ACS for Windows Server Version 3.2
These release notes pertain to Cisco Secure Access Control Server for Windows Server (Cisco Secure ACS) version 3.2.1.
These release notes provide:
• HTTPS Support Change and Management Center Applications
• Changes to Token Server Support
• Limitations and Restrictions
– Supported Platforms for CiscoSecure Authentication Agent
– Other Supported Devices and Software
• Obtaining Technical Assistance
• Obtaining Additional Publications and Information
New Features
Cisco Secure ACS version 3.2 contains the following new features:
•PEAP support for Microsoft Windows clients—Cisco Secure ACS 3.2 adds support for Microsoft PEAP supplicants available today for Windows 98, NT, 2000, and XP. The Microsoft PEAP supplicant supports client authentication by only MS-CHAPv2 compared to Cisco PEAP supplicant (available through Cisco Aironet wireless adapters) which supports client authentication by logon passwords or one-time passwords (OTPs). Unlike Microsoft PEAP supplicant, Cisco PEAP supplicant provides support for one-time token authentication and powerful extensibility of non-MSCHAP end-user databases such as LDAP, NDS, and ODBC. Cisco Secure ACS 3.2 allows selection of Microsoft PEAP and/or Cisco PEAP from its EAP Configuration page. PEAP is an Internet draft standard in the IETF PPP working group.
•LDAP Multithreading—Cisco Secure ACS 3.2 can process multiple LDAP authentication requests in parallel as opposed to the sequential processing mechanism employed in pre-3.2 versions. This feature greatly improves Cisco Secure ACS performance in "Task-hungry" configurations such as in Wireless deployments.
•EAP-TLS Enhancements—EAP-TLS enhancements in Cisco Secure ACS 3.2 further extend Cisco Secure ACS PKI capabilities. EAP-TLS authentication against ODBC user databases, and EAP-TLS silent session-resume support are among the newly added capabilities. Similarly to the PEAP silent session resume, EAP-TLS silent session resume prevents users from re-authenticating during a RADIUS session timeout. This is particularly advantageous in wireless applications where users are continually moving. The duration of the EAP-TLS silent session timeout is configurable from Cisco Secure ACS GUI.
•Machine authentication support—Cisco Secure ACS 3.2 adds 802.1X machine authentication option using either PEAP with MSCHAPv2 implementation (PEAP-EAP-MSCHAPv2) or EAP-TLS. Machine authentication is used at boot time to authenticate and communicate with Windows Domain Controllers when connecting to 802.1X secure ports. Machine authentication allows pulling down machine group policies from Windows Active Directory independently of a subsequent interactive user authentication session.
•EAP mixed configurations—Cisco Secure ACS 3.2 supports the following EAP types:
–PEAP(EAP-GTC), which is Cisco PEAP
–PEAP(EAP-MSCHAPv2), which is Microsoft PEAP
–EAP-TLS
–EAP-MD5
–Cisco EAP Wireless, which is LEAP
Cisco Secure ACS 3.2 allows flexible EAP settings—one or several EAP types can be selected concurrently—enabling Cisco Secure ACS to intelligently process EAP authentications depending on the 802.1X supplicant.
•Accounting support for Aironet—Cisco Secure ACS 3.2 supports user-based accounting from Cisco Aironet wireless Access Points when Cisco Secure ACS is configured to recognize them as RADIUS (Cisco Aironet) AAA clients.
•Downloadable access control lists for VPN users—Cisco Secure ACS 3.2 extends per-user access control list support to Cisco VPN solutions (in addition to the current support for PIX Firewall solutions). With this option, administrators can define access control lists, for users of groups of users within the Cisco Secure ACS HTML interface.
Tip An easy way to distinguish whether a version of Cisco Secure ACS supports only Cisco PIX devices with downloadable ACLs is to determine the name of the downloadable ACL feature in the Shared Profile Components section of the Cisco Secure ACS HTML interface. In Cisco Secure ACS 3.0 and 3.1, that feature is named "Downloadable PIX ACLs", indicating the limitation of support to PIX devices. In Cisco Secure ACS 3.2, the corresponding feature is named "Downloadable IP ACLs", reflecting the expanded support.
Supplemental License Agreement for Cisco Systems Network Management: Cisco Secure Access Control Server Software
IMPORTANT—READ CAREFULLY: This Supplemental License Agreement ("SLA") contains additional limitations on the license to the Software provided to Customer under the Software License Agreement between Customer and Cisco. Capitalized terms used in this SLA and not otherwise defined herein shall have the meanings assigned to them in the Software License Agreement. To the extent that there is a conflict among any of these terms and conditions applicable to the Software, the terms and conditions in this SLA shall take precedence.
By installing, downloading, accessing or otherwise using the Software, Customer agrees to be bound by the terms of this SLA. If Customer does not agree to the terms of this SLA, Customer may not install, download or otherwise use the Software.
1. ADDITIONAL LICENSE RESTRICTIONS.
•Installation and Use. The Software components are provided to Customer solely to install, update, supplement, or replace existing functionality of the applicable Network Management Software product. Customer may install and use following Software component:
–Access Control Server (ACS): May be installed on one (1) server in Customer's network management environment.
•Reproduction and Distribution. Customer may not reproduce nor distribute software.
2. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS.
Please refer to the Cisco Systems, Inc. Software License Agreement.
Product Documentation
Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.
Table 1 describes the product documentation that is available.
Table 1 Product Documentation
Document Title Available FormatsRelease Notes for Cisco Secure ACS for Windows Server
•Printed document that was included with the product.
•PDF on the product CD-ROM.
•On Cisco.com:
a. Log into Cisco.com.
b. Select Products & Services > Security and VPN Software > Cisco Secure Access Control Server for Windows > Technical Documentation > Release Notes .
Installation Guide for Cisco Secure ACS for Windows Server
•PDF on the product CD-ROM.
•On Cisco.com:
a. Log into Cisco.com.
b. Select Products & Services > Security and VPN Software > Cisco Secure Access Control Server for Windows > Technical Documentation > Installation Guides .
•Printed document available by order (part number DOC-7815570=).1
User Guide for Cisco Secure ACS for Windows Server
•PDF on the product CD-ROM.
•On Cisco.com:
a. Log into Cisco.com.
b. Select Products & Services > Security and VPN Software > Cisco Secure Access Control Server for Windows > Technical Documentation > User Guides.
•Printed document available by order (part number DOC-7815571=). 1
Installation and User Guide for Cisco Secure ACS User-Changeable Passwords
•PDF on the product CD-ROM.
•On Cisco.com:
a. Log into Cisco.com.
b. Select Products & Services > Security and VPN Software > Cisco Secure Access Control Server for Windows > Technical Documentation > Installation Guides.
Supported and Interoperable Devices and Software Tables for Cisco Secure ACS for Windows Server
1. Log into Cisco.com.
2. Select Products & Services > Security and VPN Software > Cisco Secure Access Control Server for Windows > Technical Documentation > Device Support Tables.
Recommended Resources for the Cisco Secure ACS User
1. Log into Cisco.com.
2. Select Products & Services > Security and VPN Software > Cisco Secure Access Control Server for Windows > Technical Documentation > Technical References.
Online Documentation
In the Cisco Secure ACS HTML interface, click Online Documentation.
Online Help
In the Cisco Secure ACS HTML interface, online help appears in the right-hand frame when you are configuring a feature.
1 See the "Obtaining Documentation" section.
Related Documentation
Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.
Table 2 describes a set of white papers about Cisco Secure ACS. All white papers are available on Cisco.com. To view them:
1. Log into Cisco.com.
2. Select Products & Services > Security and VPN Software > Cisco Secure Access Control Server for Windows > Product Literature > White Papers.
Installation Notes
For information about installing Cisco Secure ACS, see Installation Guide for Cisco Secure ACS for Windows Server, version 3.2.
HTTPS Support Change and Management Center Applications
Cisco Secure ACS version 3.1 introduced support for HTTPS to protect administrative access to the HTML interface. In response to a problem discovered in Cisco Secure ACS 3.1 (see bug ID CSCea40150 in Table 4), Cisco Secure ACS does not allow HTTP and HTTPS to function simultaneously.
Multi-device management applications, such as Management Center for Firewalls, can be configured to use Cisco Secure ACS for authentication of administrators and authorization of their actions. Communication between early versions of multi-device management applications and Cisco Secure ACS requires HTTP. If you enable HTTPS in Cisco Secure ACS 3.2, communication between multi-device management applications and Cisco Secure ACS fails.
If you use Cisco Secure ACS with a multi-device management application that is not yet capable of HTTPS for communicating with Cisco Secure ACS, you must disable HTTPS in Cisco Secure ACS; otherwise, integration with Cisco Secure ACS fails.
Note Beginning with version 2.2 with Service Pack 2, CiscoWorks supports HTTPS; therefore, multi-device management applications using CiscoWorks 2.2 with Service Pack 2 or later are designed to communicate with Cisco Secure ACS using HTTPS.
Changes to Token Server Support
Token server support in Cisco Secure ACS 3.2 is identical to that in Cisco Secure ACS 3.1; however, if you upgrade from Cisco Secure ACS 2.6.4 or Cisco Secure ACS 3.0.2 and you use token server databases, you should understand the changes to token server support that we began with Cisco Secure ACS 3.0 and completed in Cisco Secure ACS 3.1.
Beginning with Cisco Secure ACS 3.0.1, we supported CRYPTOCard token servers using a standard RADIUS interface. Cisco Secure ACS 3.1.1 extended the use of RADIUS to all token servers except RSA SecurID. For RSA SecurID, the vendor-proprietary interface is used.
If you upgrade to Cisco Secure ACS 3.2, the installation program may prompt you for information about token servers, depending on the version of Cisco Secure ACS you are upgrading from and the token server databases detected by the upgrade process.
•If you are upgrading from Cisco Secure ACS 3.0, the installation program prompts you for information if you have one of these token servers:
–SafeWord
–PassGo (formerly Axent)
•If you are upgrading from Cisco Secure ACS 2.6, the installation program prompts you for information if you have one of these token servers:
–CRYPTOCard
–SafeWord
–PassGo
With this information, the installation program replaces the older token server configuration with a new one that uses the RADIUS interface of the token server. For more information about RADIUS support by your token server, see the applicable token server documentation.
Note If a RADIUS-based token server, such as CRYPTOCard, runs on the same computer as Cisco Secure ACS, make sure that the token server uses UDP ports different from the ports used by Cisco Secure ACS to receive RADIUS requests. For information about RADIUS ports used by Cisco Secure ACS, see User Guide for Cisco Secure ACS for Windows Server. For information about RADIUS ports used by a token server, see the applicable token server documentation.
Evaluation Version
The evaluation version of Cisco Secure ACS 3.2 provides full functionality for 90 days after the date of installation. This allows you to use all features of Cisco Secure ACS 3.2 while determining if it suits your needs. The evaluation version of Cisco Secure ACS 3.2 will be available within 30 days after the release of the commercial version of Cisco Secure ACS 3.2.
The evaluation version of Cisco Secure ACS 3.2 can be distinguished from the commercial version in the following ways:
•The word "trial" appears in the title of the installation routine.
•The Windows Control Panel Add/Remove applet indicates that the Cisco Secure ACS installation is a trial version.
•In the administrative interface of Cisco Secure ACS, the word "trial" appears on the title of the initial screen.
When the evaluation period has elapsed, the CSRadius and CSTacacs services fail to start. You will receive a message upon accessing the Cisco Secure ACS HTML interface notifying you that your evaluation period has elapsed.
Purchasing the Commercial Version
Please contact your Cisco Sales Representative(s) to inquire about purchasing the commercial version of Cisco Secure ACS. To purchase the commercial version of Cisco Secure ACS 3.2 online, use the following URL:
http://www.cisco.com/pcgi-bin/cm/welcome.pl
Upgrading to the Commercial Version
Note To avoid the issue documented in CSCeb34179, we recommend upgrading to the commercial version before the 90-day evaluation period has passed. For more information about CSCeb34179, see Table 3.
After purchasing a commercial version of Cisco Secure ACS 3.2, you can upgrade your Cisco Secure ACS server from the evaluation version to the commercial version by installing the commercial version over the evaluation version. For information on installing Cisco Secure ACS 3.2, follow the instructions in Installation Guide for Cisco Secure ACS for Windows Server, version 3.2.
Limitations and Restrictions
The following limitations and restrictions apply to Cisco Secure ACS 3.2.1.
Interoperability Testing
Cisco Secure ACS has not been interoperability tested with other Cisco software. Other than for the software and operating system versions listed in this document, we performed no interoperability testing. Using untested software with Cisco Secure ACS may cause undesired results. For the best performance of Cisco Secure ACS, we recommend that you use the versions of software and operating systems listed in this document.
Supported Upgrade Versions
We tested upgrading to Cisco Secure ACS 3.2.1 from the following previous versions:
•Cisco Secure ACS 3.1.1.28
•Cisco Secure ACS 3.0.2.5
•Cisco Secure ACS 2.6.4.4
Supported Operating System
Cisco Secure ACS for Windows Servers 3.2.1 only supports two versions of the Windows 2000 operating system, as listed below. Both the operating system and the service pack must be English-language versions.
•Windows 2000 Server, with Service Pack 3 or Service Pack 4 installed
•Windows 2000 Advanced Server, with the following conditions:
–with Service Pack 3 or Service Pack 4 installed
–without Microsoft clustering service installed
–without other features specific to Windows 2000 Advanced Server enabled
Note The following two limitations apply to support for Windows 2000:
•We have not tested and cannot support the multi-processor feature of Windows 2000 Advanced Server.
•Windows 2000 Datacenter Server is not a supported operating system.
Upgrading from Windows NT 4.0
If you are upgrading from a previous version of Cisco Secure ACS that is running on Windows NT 4.0, you cannot upgrade the operating system to Windows 2000 Server. This is because the setup program for previous versions of Cisco Secure ACS detected which Windows operating system the computer used and customized Cisco Secure ACS for that operating system. As a result, upgrading the operating system to Windows 2000 Server without taking the necessary steps causes Cisco Secure ACS to fail.
We last published information about how to upgrade the operating system of the computer running Cisco Secure ACS to Windows 2000 in the documentation for Cisco Secure ACS 3.1. For more information, log in to Cisco.com and select Products & Services > Security and VPN Software > Cisco Secure Access Control Server for Windows > Technical Documentation > Installation Guides > Installation Guide for Cisco Secure ACS for Windows Server > Installation Guide for Cisco Secure ACS for Windows Server 3.1.
Supported Web Browsers
To administer all features included in Cisco Secure ACS 3.2, use an English-language version of one of the following tested and supported web browsers:
•Microsoft Internet Explorer version 6.0 with Service Pack 1 for Microsoft Windows
•Netscape Communicator version 7.0 for Microsoft Windows
•Netscape Communicator version 7.0 for Solaris 2.7
We do not support other versions of these browsers, nor do we test web browsers by other manufacturers.
Note To use a web browser to access the Cisco Secure ACS HTML interface, configure your web browser as follows:
•Use an English-language version of a supported browser.
•Enable Java.
•Enable JavaScript.
•Disable HTTP proxy.
Supported Platforms for CiscoSecure Authentication Agent
For use of CiscoSecure Authentication Agent with Cisco Secure ACS 3.2.1, we support CiscoSecure Authentication Agent on the following client platform operating systems:
•Windows XP with Service Pack 1
•Windows 2000 Professional with Service Pack 3
On the following client platform operating systems, we do not support the use of CiscoSecure Authentication Agent with Cisco Secure ACS 3.2.1:
•Windows 98
•Windows 95
•Windows NT 4.0
Other Supported Devices and Software
For information about supported Cisco devices, external user databases, and other software, see Supported and Interoperable Devices and Software Tables for Cisco Secure ACS for Windows Server Version 3.2. To see this document, log in to Cisco.com and select Products & Services > Security and VPN Software > Cisco Secure Access Control Server for Windows > Technical Documentation > Device Support Tables.
Known and Resolved Problems
This section contains information about the following topics:
• Known Problems in Cisco Secure ACS Version 3.2.1
• Resolved Problems in Cisco Secure ACS Version 3.2.1
Cisco AAA Client Problems
Refer to the appropriate release notes for information about Cisco AAA client problems that might affect the operation of Cisco Secure ACS. You can access these release notes online at the following URLs.
Cisco Aironet Access Point
http://www.cisco.com/univercd/cc/td/doc/product/wireless/
Cisco BBSM
http://www.cisco.com/univercd/cc/td/doc/product/aggr/bbsm/
Cisco Catalyst Switches
http://www.cisco.com/univercd/cc/td/doc/product/lan/
Cisco IOS
http://www.cisco.com/univercd/cc/td/doc/product/software/
Cisco Secure PIX Firewall
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/
Cisco VPN 3000 Concentrator
http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/
http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3002/
Cisco VPN 5000 Concentrator
http://www.cisco.com/univercd/cc/td/doc/product/aggr/vpn5000/
Known Problems in Cisco Secure ACS Version 3.2.1
Table 3 describes problems known to exist in this release.
Note To obtain more information about known problems, access the Cisco Software Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl. (You will be prompted to log in to Cisco.com.)
Resolved Problems in Cisco Secure ACS Version 3.2.1
Table 4 describes problems resolved since the last release of Cisco Secure ACS for Windows Server.
Obtaining Documentation
Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation on the World Wide Web at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
International Cisco websites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription.
Registered Cisco.com users can order a single Documentation CD-ROM (product number DOC-CONDOCCD=) through the Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_tool_launch.html
All users can order annual or quarterly subscriptions through the online Subscription Store:
http://www.cisco.com/go/subscription
Click Subscriptions & Promotional Materials in the left navigation bar.
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
•Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:
http://www.cisco.com/en/US/partner/ordering/index.shtml
•Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).
Documentation Feedback
You can submit e-mail comments about technical documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883We appreciate your comments.
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour-a-day, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance. If you do not hold a valid Cisco service contract, please contact your reseller.
Cisco TAC Website
The Cisco TAC website ( http://www.cisco.com/tac) provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year.
Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:
http://tools.cisco.com/RPF/register/register.do
Opening a TAC Case
Using the online TAC Case Open Tool ( http://www.cisco.com/tac/caseopen) is the fastest way to open P3 and P4 cases. (P3 and P4 cases are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using the recommended resources, your case will be assigned to a Cisco TAC engineer.
For P1 or P2 cases (P1 and P2 cases are those in which your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.
To open a case by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447For a complete listing of Cisco TAC contacts, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
TAC Case Priority Definitions
To ensure that all cases are reported in a standard format, Cisco has established case priority definitions.
Priority 1 (P1)—Your network is "down" or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
•The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:
http://www.cisco.com/en/US/products/products_catalog_links_launch.html
•Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press online at this URL:
•Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:
•iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
•Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html
•Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:
http://www.cisco.com/en/US/learning/index.html
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Copyright © 2003 Cisco Systems, Inc. All rights reserved.
Posted: Thu Mar 18 12:26:23 PST 2004
All contents are Copyright © 1992--2004 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.