These release notes contain important information regarding CiscoSecure ACS 2.4 for Windows NT Server (CiscoSecure ACS). For complete documentation on this product, refer to the following documents:
CiscoSecure ACS 2.4 for Windows NT Server User Guide
Quick Installation Card: CiscoSecure ACS 2.4 for Windows NT Server
Read Me First: CiscoSecure ACS 2.4 for Windows NT Server Getting Started
Quick Reference Card: Web Server Installation for CiscoSecure ACS for Windows NT User-Changeable Passwords
Release Notes for CiscoSecure ACS 2.4(1) for Windows NT Server
Caution
Always back up your data before you install CiscoSecure ACS 2.4 for Windows NT. Read the included PDF files for installation instructions and information for CiscoSecure ACS.
CSCdm92865
During installation, if you click Back, the data you just configured is lost. The workaround is to re-enter the data manually.
CSCdm91495
If you are upgrading from CiscoSecure ACS 2.3 to CiscoSecure ACS 2.4, a message displays asking if you want to remove the PSAPI.DLL file. If you answer yes, installation fails. The workaround is to answer No to the prompt. If you accidentally answered yes, follow these steps:
Step 1 Copy PSAPI.DLL from another system.
Step 2 Run CLEAN.EXE.
Step 3 Run SETUP.EXE again. You might need to reload the data from backup.
CSCdp00197
After upgrading, the administrator cannot edit user and group profiles through the web-based interface. The workaround is to click Administration Control > Session Policy > Allow automatic local login.
CSCdm48134
A Dr. Watson error might appear when you are upgrading over an earlier version of CiscoSecure ACS. The workaround is to run CLEAN.EXE and re-run SETUP.EXE as described in the README.TXT file.
After you change the date format, CiscoSecure ACS does not create a .CSV file for the existing logs with the new date format. The workaround is to import the .CSV file to a spreadsheet application and manually change the dates.
ODBC Authentication does not work against an Oracle data source name (DSN). ODBC Authentication expects the called SQL procedures to return data in a record set, also known as Select procedures. Oracle returns data via procedure output parameters and does not work with the current dynamic link library (DLL). The workaround is to create a new external database, "ODBC Authentication for Oracle," that is the same as the existing DLL except that the results are collected from output parameters instead of row data.
To use the Grant Dialin Permission to User feature, a two-way trust relationship must be established between the remote Windows NT domain and the CiscoSecure ACS for Windows NT server. This is a Windows NT issue. There is no workaround.
When using Netscape Communicator 4.6 with CiscoSecure ACS for Windows NT, if a remote administrator clicks logout, Netscape's Smart Download window pops up and attempts to download a file. The administration session is never terminated. The workaround is to disable Smart Download or use IE or a different version of Netscape.
CSCdm72261
Editing user/group profiles while using Netscape Navigator 4.08 or Netscape Communicator 4.61 produces a Dr. Watson for Netscape error. The workaround is to use Internet Explorer (IE) or a different version of Netscape.
CSCdp02113
When using Internet Explorer (IE), after you click Submit in the User window, the window on the right displays a blank screen or an error message stating that the server is unreachable, because IE closes the connection to the server before the server can respond. The workaround is to click any of the main navigation buttons within 60 seconds. The window will be blank, but the user data will have been submitted successfully. Additionally, when using Windows NT 5.0 and Internet Explorer 5.x, the message The page you want is not available displays. The workaround is to click Try again.
Some special characters, such as the umlaut, that should be valid cannot be used in usernames. This means that some external users may have user accounts created during authentication that cannot be edited using the web-based interface. The workaround is to not allow these characters in usernames.
The Advanced TACACS+ Settings section always displays for cached unknown users even though the interface configuration is set to disable these displays. There is no workaround.
When you add a new RDBMS Synchronization configuration and you click Synchronize now, the message No AAA server selected displays. The workaround is to click Submit before you click Synchronize now. The same issue applies to Database Replication and Unknown User Policy configuration.
If tunnel attributes are selected in the ODBC RADIUS accounting log, the Show Create Table option does not create the type names. The workaround is to use a script similar to the following to create the type names:
When the SafeWord Token Server is restarted, CiscoSecure ACS does not automatically reconnect to the SafeWord server for authentication. The Failed Attempts report displays the message External DB reports error condition. The workaround is to restart the CSAuth and CSTacacs services.
When Max Sessions are configured at the user level, users cannot log in in enable mode when the session limit is reached. Because the administrator logging in to the NAS usually telnets into it and then goes into the enable mode, the administrator might not be able to log in. The workaround is to configure Max Sessions at the group level instead of at the user level.
The web-based administration server enters a state that causes the service to be unresponsive for certain functions and then hangs the web-admin service for the functions that previously worked. The workaround is to re-enter the address http://127.0.0.1:2002 or click the logout button (X) at the top right of the display. This will reset the browser.
Releases of Cisco IOS software prior to Release 12.02 do not support the IP pooling feature of CiscoSecure ACS 2.4 for Windows NT with VPDN tunnels. As a result, duplicate IP addresses might be allocated. The workaround is to use Cisco IOS Release 12.02 or later or to use the IP pooling feature of the NAS if you are using VPDN.
Changes to passwords made on the SQL server do not take effect immediately. This is an SQL issue that might cause security problems, because users can continue to log in using their old passwords until CSAuth is restarted. The workaround is to restart CSAuth after changing passwords on the SQL server.
After a user account is disabled, Internet Explorer displays the user account status as disabled in the User Setup window but still shows it as enabled in the Group Setup window. The workaround is to restart Internet Explorer.
CiscoSecure ACS 2.4 for Windows NT supports only a single connection per user when authenticating on a PIX firewall. This is an issue only for MaxSessions and the Reports and Activity: Logged-In Users window. The accounting logs correctly record the PIX accounting packets; the workaround is to use the accounting logs to track concurrent logins.
User-defined field names do not appear in the Interface Configuration window of the replicated CiscoSecure ACS 2.4 for Windows NT immediately. The workaround is to restart CSAdmin after replication.
If a user authenticates successfully but fails authorization, the NAS port name is blank in the Failed Attempts Log. There is no workaround at this time.
Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information,productdocumentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
Modem: From North America, 408 526-8070; from Europe, 33 1 64 46 40 82. Use the following terminal settings: VT100 emulation; databits: 8; parity: none; stop bits: 1; and connection rates up to 28.8 kbps.
For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.
Note If you are a network administrator and need personal technical assistance with a Cisco product that is under warranty or covered by a maintenance contract, contact Cisco's Technical Assistance Center (TAC) at 800 553-2447, 408 526-7209, or tac@cisco.com. To obtain general information about Cisco Systems, Cisco products, or upgrades, contact 800 553-6387, 408 526-7208, or cs-rep@cisco.com.
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more current than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.
