These release notes pertain to Cisco Secure Access Control Server for Windows 2000/NT Servers (Cisco Secure ACS) version 2.6.2.
Cisco Secure ACS is network security software that helps you authenticate users by controlling dial-in access to a network access server (NAS) device, such as an access server, PIX Firewall, or router.
Cisco Secure ACS operates as a Windows NT or Windows 2000 service and controls the authentication, authorization, and accounting (AAA) of users accessing networks. Cisco Secure ACS operates with Windows NT Server version 4.0 and Windows 2000 Server. Provided that Microsoft Clustering Services are not installed, Cisco Secure ACS operates on Windows 2000 Advanced Server and Windows 2000 Datacenter Server.
Cisco Secure ACS helps centralize access control and accounting for dial-up access servers and firewalls as well as management of access to routers and switches. With Cisco Secure ACS, service providers can quickly administer accounts and globally change levels of service offerings for entire groups of users. The tight integration of Cisco Secure ACS with the Windows NT and Windows 2000 operating systems enables companies to use the working knowledge gained from and the investment already made in building their Windows NT and Windows 2000 networks.
Chapter 1, "Overview of Cisco Secure Access Control Server for Windows NT/2000 Servers," in Cisco Secure Access Control Server for Windows 2000/NT Servers User Guide provides information about the following subjects:
The Cisco Secure Access Control Server for Windows 2000/NT Servers User Guide also provides detailed information about configuring and using Cisco Secure ACS. This guide is available from Cisco.com or on the product CD-ROM.
For information about installing Cisco Secure ACS, see the Installing Cisco Secure ACS 2.6 for Windows 2000/NT Servers quick reference card.
Information regarding messages or warnings that may arise during installation can be found in the readme file, located on the CD-ROM.
The evaluation version of Cisco Secure ACS 2.6 provides full functionality for 90 days after the date of installation. This allows you to use all the features of Cisco Secure ACS 2.6 while determining if it suits your needs.
The evaluation version of Cisco Secure ACS 2.6 can be distinguished from the commercial version in the following ways:
When the evaluation period has elapsed, the CSRadius and CSTacacs services fail to start. You will receive a message upon accessing the administrative interface notifying you that your evaluation period has elapsed.
Please contact your Cisco Sales Representative(s) to inquire about purchasing the commercial version of Cisco Secure ACS. To purchase the full, retail version of Cisco Secure ACS 2.6 online, use Part Number CSNT-2.6 at the following URL:
http://www.cisco.com/pcgi-bin/cm/welcome.pl
After purchasing a commercial version of Cisco Secure ACS 2.6, you can upgrade your Cisco Secure ACS server from the evaluation version to the commercial version by installing the commercial version over the evaluation version. For information on installing Cisco Secure ACS 2.6, follow the instructions in the Installing Cisco Secure ACS 2.6 for Windows 2000/NT Servers quick reference card.
The following topics are limitations and restrictions that apply to Cisco Secure ACS 2.6.2.
To administer all features included in Cisco Secure ACS 2.6.2, you must use a supported web browser. Cisco Systems tested Cisco Secure ACS 2.6.2 using Microsoft Internet Explorer versions 5.0.x and 5.5, and Netscape Communicator versions 4.75 and 4.76. Other versions of these browsers and web browsers by other manufacturers are not supported.
We tested Cisco Secure ACS 2.6 with the following versions of the supported token-card servers.
Note This version of Secure Computing SafeWord runs only on Windows NT 4.0. For more information about the operating systems supported by SafeWord, please refer to SafeWord documentation.
If you are using a Novell NDS database as an external user database, the Novell Requestor software must be installed on the Cisco Secure ACS server. We tested Cisco Secure ACS 2.6 with the Novell Requestor software found in the following versions of the Novell Client:
Cisco Secure ACS 2.6 supports Windows 2000 Server, Advanced Server, and Datacenter (without Microsoft Clustering Services installed) only with Service Pack 1 for Windows 2000 installed.
The Cisco Secure ACS CiscoSecure Authentication Agent is supported only on the following client platform operating systems:
Cisco Systems has not tested the CiscoSecure Authentication Agent on the following client platform operating systems:
If users connect to your network with the Microsoft Dial-Up Network client and establish a Virtual Private Network (VPN) tunnel using Point-to-Point Tunneling Protocol with Microsoft Point-to-Point Encryption, the NAS through which users connect to the network must be one of three types:
Both the NAS and the Microsoft Dial-Up Network client must have 128-bit encryption installed. For the Microsoft Dial-Up Network client, this requires the High Encryption pack. For users on Microsoft Windows 95/98/NT 4.0, install the 128-bit encryption package included with Internet Explorer 5.5. Internet Explorer is available at the following address:
http://www.microsoft.com/windows/ie/download/ie55.htm
For users on Microsoft Windows 2000, download the High Encryption pack for Windows 2000. The High Encryption pack is available at the following address:
http://www.microsoft.com/windows2000/downloads/recommended/encryption/
Cisco Secure ACS 2.6 supports Microsoft Point-to-Point Encryption (MPPE) and Microsoft Point-to-Point Compression (MPPC) for users accessing your network through a Cisco VPN 3000 Concentrator. The essential configuration details are in the following sections:
For an overview of this authentication process, see the "Authentication Process Overview" section.
To enable authentication using the Cisco Secure ACS server, follow these steps:
Step 2 In Configuration: System: User Management: Groups, create an external group. Assign the group a descriptive name, such as "VPN3000TunnelGroup". Be sure the group type is set to External.
Note For more information about configuring your Cisco VPN 3000 Concentrator, see the concentrator documentation.
Configuring Cisco Secure ACS to authenticate users accessing your network via the Cisco VPN 3000 Concentrator and to enable MPPE and MPPC for the VPN tunnels used by those users requires that Cisco Secure ACS authenticate both the tunnel group and the individual users. The following steps create a Cisco Secure ACS user that corresponds to the Cisco VPN 3000 Concentrator tunnel group and a Cisco Secure ACS user for a network user accessing your network via the Cisco VPN 3000 Concentrator.
To configure Cisco Secure ACS to authenticate Cisco VPN 3000 users and enable MPPE and MPPC for the user tunnels, follow these steps:
a. Rename the group so that it is easily identifiable. For example, "VPN3000TunnelGroup".
b. Under Cisco VPN 3000 Concentrator RADIUS Attributes, click to select [3076\020] CVPN3000-PPTP-Encryption and select Stateless Required from the corresponding list.
Note If the required RADIUS attributes do not appear, you must enable them in Interface Configuration.
c. Under Cisco VPN 3000 Concentrator RADIUS Attributes, click to select [3076\037] CVPN3000-PPTP-MPPC-Compression and set the corresponding list to True.
Step 2 Add a user for authentication of the VPN 3000 Concentrator group you created:
a. The user name must be identical to the VPN 3000 group that you created in the "Cisco VPN 3000 Configuration" section. For example, "VPN3000TunnelGroup".
b. The password must be identical to the password assigned to the VPN 3000 group that you created in the "Cisco VPN 3000 Configuration" section.
c. Assign the user to the Cisco Secure ACS group you set up in Step 1.
Step 3 Edit the Cisco Secure ACS user account for each user that is to access your network via a VPN 3000 concentrator tunnel with MPPE and MPPC:
a. Make sure the user is assigned to a different Cisco Secure ACS group than the group you set up in Step 1.
b. Under IETF RADIUS Attributes, click to select [025] Class and in the corresponding text box type:
where tunnelgroup matches the VPN 3000 Concentrator group you created in the "Cisco VPN 3000 Configuration" section. Be sure to include the semicolon (;) after tunnelgroup.
Note If the required RADIUS attributes do not appear, you must enable them in Interface Configuration.
When a user attempts to access your network and the Cisco VPN 3000 Concentrator and Cisco Secure ACS are configured as described above, the authentication process occurs as follows:
1. The VPN 3000 Concentrator sends an authentication request to Cisco Secure ACS for the user.
2. Cisco Secure ACS authenticates the user and returns to the concentrator the RADIUS attribute [311\012] MS-CHAP-MPPE-Keys with a generated value and a RADIUS attribute [025] Class attribute with a value of "ou=tunnelgroup;".
3. The concentrator recognizes the [025] Class attribute value as a VPN 3000 Concentrator group name and sends an authentication request to Cisco Secure ACS for a user with the name tunnelgroup.
4. Cisco Secure ACS authenticates the user, which corresponds to the VPN 3000 Concentrator group, and returns to the concentrator the RADIUS attribute [3076\037] CVPN3000-PPTP-MPPC-Compression with a value of "True" and the RADIUS attribute [3076\020] CVPN3000-PPTP-Encryption with the encryption type value you selected in "Cisco Secure ACS Configuration" section.
5. The VPN 3000 Concentrator has the information needed to establish the user connection using MPPE and MPPC.
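The five-step exchange above can be modelled end to end. The following Python script is an added example, not code from the release notes or from Cisco: it keeps a constructed, in-memory copy of the ACS accounts (the tunnel-group pseudo-user from Step 2 and one ordinary user from Step 3), answers each request with the RADIUS attributes named in the list, and plays the concentrator's role of reading the [025] Class value and issuing the second request. Account names, passwords and the MS-CHAP-MPPE-Keys value are placeholders; no RADIUS packets are sent.

```python
"""Simulation of the two-stage VPN 3000 / Cisco Secure ACS authentication
exchange.  Constructed example: the ACS database and the concentrator are
modelled in memory; attribute names follow the release notes, and the
MS-CHAP-MPPE-Keys value is a placeholder, not real key material."""

from dataclasses import dataclass, field


@dataclass
class AcsGroup:
    name: str
    attributes: dict = field(default_factory=dict)  # RADIUS attributes for the group


@dataclass
class AcsUser:
    name: str
    password: str
    group: AcsGroup
    attributes: dict = field(default_factory=dict)  # per-user attributes, e.g. Class


TUNNEL_GROUP = "VPN3000TunnelGroup"  # group name used in the release notes

# Step 1: the ACS group that carries the encryption and compression attributes
tunnel_group = AcsGroup(TUNNEL_GROUP, {
    "CVPN3000-PPTP-Encryption": "Stateless Required",  # [3076\020]
    "CVPN3000-PPTP-MPPC-Compression": "True",          # [3076\037]
})
user_group = AcsGroup("DialupUsers")  # a different group, as Step 3a requires

# Constructed accounts: Step 2 pseudo-user (name == tunnel group) and a Step 3 user
ACS_USERS = {
    TUNNEL_GROUP: AcsUser(TUNNEL_GROUP, "group-secret-placeholder", tunnel_group),
    "alice": AcsUser("alice", "alice-pw-placeholder", user_group,
                     {"Class": f"ou={TUNNEL_GROUP};"}),  # [025] Class, semicolon included
}


def acs_authenticate(username, password):
    """ACS side: attributes for an Access-Accept, or None for Access-Reject.
    Group attributes are merged with the user's own attributes."""
    user = ACS_USERS.get(username)
    if user is None or user.password != password:
        return None
    reply = dict(user.group.attributes)
    reply.update(user.attributes)
    reply["MS-CHAP-MPPE-Keys"] = "<generated>"  # [311\012], placeholder value
    return reply


def parse_class_group(class_value):
    """Concentrator side: recognise 'ou=<group>;' in the Class attribute.
    Returns the group name, or None if the value is not in that exact form."""
    if not class_value.startswith("ou=") or not class_value.endswith(";"):
        return None
    return class_value[len("ou="):-1] or None


def concentrator_login(username, password, group_passwords):
    """Concentrator side: the two requests of the numbered list.
    group_passwords maps each configured VPN 3000 group to its password.
    Returns the tunnel parameters, or None if either stage fails."""
    user_reply = acs_authenticate(username, password)          # steps 1-2
    if user_reply is None:
        return None
    group = parse_class_group(user_reply.get("Class", ""))     # step 3
    if group is None or group not in group_passwords:
        return None
    group_reply = acs_authenticate(group, group_passwords[group])  # step 4
    if group_reply is None:
        return None
    return {                                                   # step 5
        "user": username,
        "tunnel_group": group,
        "encryption": group_reply.get("CVPN3000-PPTP-Encryption"),
        "compression": group_reply.get("CVPN3000-PPTP-MPPC-Compression"),
        "mppe_keys": user_reply["MS-CHAP-MPPE-Keys"],
    }


if __name__ == "__main__":
    print(concentrator_login("alice", "alice-pw-placeholder",
                             {TUNNEL_GROUP: "group-secret-placeholder"}))
```

Two failure modes worth noticing in the model: a Class value without the trailing semicolon is not recognised as a group name, so the second request never happens, and a tunnel-group password that differs between the concentrator and the ACS pseudo-user fails at stage 4 even though the user's own credentials were accepted.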
This section identifies caveats and issues for Cisco Secure ACS.
Refer to the appropriate release notes for information about hardware caveats that might affect Cisco Secure ACS. You can access these release notes online at the following addresses:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120cavs/index.htm
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121relnt/121cavs/index.htm
This section identifies the caveats resolved in Cisco Secure ACS 2.6.2.
This section identifies known caveats and issues with Cisco Secure ACS 2.6.2.
If Cisco Secure VPN Client version 1.1 is installed on the Windows NT 4.0 server on which you are installing Cisco Secure ACS, Cisco Secure ACS fails to install, with an error message about the following file:
This file is necessary for the VPN Client to work properly.
Workaround/Solution: Exit the Cisco Secure ACS installation, uninstall Cisco Secure VPN Client from the server, install Cisco Secure ACS 2.6, and then reinstall Cisco Secure VPN Client.
On the Before You Begin dialog box of the Cisco Secure ACS installation, the following three check box items could be misunderstood.
Workaround/Solution: The three check box items are clarified below.
When you are configuring a Cisco IOS router to enable the AAA paradigm, there is always a slight risk that the administrative Telnet or console session may be lost. If an administrative Telnet or console session is lost while enabling the AAA paradigm on a Cisco IOS router, the administrator is locked out of the router.
Workaround/Solution: Enabling the AAA paradigm with the command aaa new-model on a Cisco IOS router has important ramifications that a user must be aware of when configuring these devices for the first time. At a minimum the following commands should be entered in the order shown:
[global configuration]
aaa new-model
username username password password
aaa authentication login default local group [security protocol]
where username is the username for the new local account and password is the password for the new local account.
Specifying the "local" method enables users to re-establish their Telnet or console session and use the locally defined authentication list to access the router once more. If the local method is not specified, physical access to the router (a console session) is required, and at a minimum a password recovery sequence must be performed. At worst, the entire configuration saved in NVRAM can be lost.
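A pre-flight check of the planned configuration catches the lockout condition before aaa new-model is typed. The Python script below is an added example, not a Cisco tool: it scans an IOS configuration given as text and reports whether the three minimum lines from the workaround are present (aaa new-model, a local username/password account, and a default login method list that includes local). Parsing is line-based and assumes standard IOS syntax; the two sample configurations are constructed.

```python
"""Constructed pre-flight check for the AAA lockout risk: verifies that a
planned Cisco IOS configuration contains the minimum lockout-prevention
lines before 'aaa new-model' is applied.  Added example, not a Cisco tool."""

import re

# 'username NAME [privilege N] password|secret ...'
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+(?:privilege\s+\d+\s+)?(?:password|secret)\b")
# 'aaa authentication login LIST METHOD [METHOD ...]'
LOGIN_RE = re.compile(r"^aaa authentication login (\S+)\s+(.+)$")


def check_aaa_config(config_text):
    """Return findings for the supplied configuration text.
    'safe' is True only when every lockout-prevention condition holds."""
    lines = [l.strip() for l in config_text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]  # drop blanks and comments

    has_new_model = "aaa new-model" in lines
    local_users = [m.group(1) for l in lines if (m := USERNAME_RE.match(l))]
    default_methods = None
    for l in lines:
        m = LOGIN_RE.match(l)
        if m and m.group(1) == "default":
            # e.g. "local group tacacs+" -> ["local", "group", "tacacs+"]
            default_methods = m.group(2).split()

    problems = []
    if not has_new_model:
        problems.append("aaa new-model is absent: AAA is not enabled")
    if not local_users:
        problems.append("no local 'username ... password ...' account defined")
    if default_methods is None:
        problems.append("no 'aaa authentication login default ...' method list")
    elif "local" not in default_methods:
        problems.append("default login method list does not include 'local'; "
                        "a lost session cannot be re-established without console access")

    return {
        "safe": not problems,
        "local_users": local_users,
        "default_methods": default_methods,
        "problems": problems,
    }


# Constructed sample configurations (not taken from any real router)
SAFE_CONFIG = """
aaa new-model
username rescue password 0 <placeholder>
aaa authentication login default local group tacacs+
"""

UNSAFE_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+
"""

if __name__ == "__main__":
    for name, cfg in (("safe", SAFE_CONFIG), ("unsafe", UNSAFE_CONFIG)):
        print(name, check_aaa_config(cfg))
```

Run it against the exact lines you intend to paste into the router; the unsafe sample shows the case the caveat warns about, where AAA is enabled against a remote server with no local fallback account.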
After an administrator adds a CRYPTOCard database in External User Databases: Database Configuration, the CRYPTOCard database appears in the Selected Databases list in Unknown User Policy.
Workaround/Solution: This occurs when a configuration for an external user database of any type is added to Cisco Secure ACS and a configuration for a database of that type was deleted before that database was removed from the Selected Databases list in Unknown User Policy. When the database is configured again, Cisco Secure ACS recalls that the database was in the Selected Databases list and adds it again.
To prevent this behavior, be sure to remove a database from the Selected Databases list in Unknown User Policy prior to deleting its external user database configuration.
RDBMS Synchronization fails to provide an error message if it encounters a value of zero in the Action field of the accountActions table. Cisco Secure ACS does not perform the desired action.
Workaround/Solution: Change the value in the Action field to a valid value other than the default value of zero. For more information about action codes, see Chapter 7, "Database Information Management," in the Cisco Secure Access Control Server for Windows NT/2000 Servers Version 2.6 User Guide.
Cisco Secure ACS pauses for several seconds before replying to a Cisco Aironet Access Point authentication request. This results in the Access Point resending its authentication request.
Workaround/Solution: None. Authentications for valid requests succeed after the delay.
The user interface does not allow an administrator to change the default RADIUS authentication (1645) and accounting (1646) ports. Routers using Cisco IOS versions later than 12.1 have changed their default behavior to reflect the new ports of 1812 for authentication and 1813 for accounting.
Workaround/Solution: Cisco Secure ACS now supports both pairs of ports for RADIUS authentication and accounting. Ports 1645 and 1812 are used for RADIUS authentication; ports 1646 and 1813, for RADIUS accounting.
If you need to use ports other than those supported by Cisco Secure ACS, you can change the ports used for RADIUS authentication and accounting by editing attribute values of the proper key in the Windows Registry. The ports are the AccountingPort and AuthenticationPort attributes of the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\CISCO\CiscoAAAv2.5\CSRadius
After changing the port attribute values, restart the Cisco Secure ACS server.
If the active Primary Domain Controller (PDC) for a Windows NT domain is unavailable, you cannot use the Cisco Secure ACS administrative user interface to configure group mappings for this domain.
Workaround/Solution: If the configuration changes are not vital, wait until the PDC becomes available again. Otherwise, promote a suitable Backup Domain Controller to the role of PDC.
Windows 2000 allows users to enter their user names as username@domain-name. For example, fred@domain.com. This format is equivalent to entering the Windows NT 4.0 user name of DOMAIN/fred.
Workaround/Solution: Cisco Secure ACS does not support this style of user name when authenticating against an external Windows 2000 server. Continue to prefix account names with the NT 4.0-style domain name.
A few of the NASes supported by Cisco Secure ACS either do not support "new PIN mode" functionality or support it only in a limited fashion. In new PIN mode, token-card users can be required to enter new PINs at login.
The following two types of NASes do not support new PIN mode functionality:
Additionally, Cisco IOS routers can support new PIN mode functionality with specific configuration.
Workaround/Solution: There is no workaround if the NAS is a Cisco Secure VPN 3000 Concentrator or a Cisco Secure PIX Firewall.
For Cisco IOS routers, new PIN mode functionality is supported if the routers are configured as described here. The Microsoft DUN for token-card users must be configured to enable Bring up a terminal window after dialing. The Cisco IOS router through which users are accessing the network must be configured as follows:
Users would be presented with a terminal window in which they would change their PINs. After the PIN was reset, users could start a PPP session manually or a script could be configured to start PPP automatically.
The Sample Configurations chapter of the user guide has errors in the examples depicted. In NAS Configuration under the "Password Aging and User-Changeable Passwords Using CiscoSecure ACS with CAA" section, the example is written with the assumption that IP address assignment for a dial-up user is handled by the NAS itself, yet it does not give sufficient configuration for IP address assignment to be handled by the NAS.
The chapter also references Cisco IOS Release 11.5T, which does not exist.
Workaround/Solution: To depict accurately a configuration where the NAS handles IP address assignment, the NAS configuration example should have the following line in its global configuration section:
where xxx.xxx.xxx.xxx is the starting IP address of the IP address range and yyy.yyy.yyy.yyy is the ending IP address of the IP address range. The IP address range defined should be a part of a subnet belonging to a routeable interface connected to the corporate network.
References to Cisco IOS Release 11.5T should refer to Cisco IOS Release 12.0.
The Online Documentation describes the behavior of CSUtil.exe incorrectly and has some errors in the examples provided.
The following changes should be made to the Online Documentation:
Under the heading Database Import Utility, in an example provided for a user to be authenticated by Windows NT, the example reads:
"ADD:user02:EXT_NT::PROFILE:2"
"ADD:mary:EXT_NT:CHAP:achappassword"
which suggests that the CiscoSecure database retains the Windows NT password. This is incorrect. The example should read:
A third example contains a typographical error:
"ADD:fobar:ZXT_LDAP::PROFILE:10"
"ADD:fobar:EXT_LDAP::PROFILE:10"
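Both documentation errors above (a local password carried by an externally authenticated user, and a mistyped authentication type) are the kind of thing a quick lint of an import file catches before CSUtil.exe is run. The Python script below is an added example and not part of CSUtil. Its field layout is an assumption inferred from the examples on this page: ACTION:username:auth-type:password[:KEYWORD:value ...], where the password field is empty for users authenticated by an external database (EXT_*) and PROFILE:n assigns the user to ACS group n. CSDB as the name of the internal database is also assumed; only the ADD action shown on the page is handled, and the sample file is constructed from the page's examples.

```python
"""Constructed linter for CSUtil.exe import lines.  Added example, not part
of CSUtil.  Assumed layout: ACTION:username:auth-type:password[:KEYWORD:value ...]
with an empty password for EXT_* users and PROFILE:n for the group number."""

KNOWN_AUTH_TYPES = {"CSDB", "EXT_NT", "EXT_LDAP"}  # CSDB assumed; EXT_* from the page


def lint_import_line(line):
    """Return a list of problems for one import line (empty list = looks fine)."""
    problems = []
    fields = line.strip().split(":")
    if len(fields) < 4:
        return ["expected at least ACTION:username:auth-type:password"]
    action, username, auth_type, password = fields[:4]
    extras = fields[4:]

    if action != "ADD":
        problems.append(f"unsupported action {action!r} (only ADD is handled here)")
    if not username:
        problems.append("empty username")
    if auth_type not in KNOWN_AUTH_TYPES:
        problems.append(f"unknown auth type {auth_type!r} (typo? e.g. ZXT_LDAP vs EXT_LDAP)")
    if auth_type.startswith("EXT_") and password:
        # the external database holds the credential; ACS must not retain a copy
        problems.append("external-database user carries a local password")
    if auth_type == "CSDB" and not password:
        problems.append("CSDB user has no password")

    if len(extras) % 2:
        problems.append("trailing keyword without a value")
    for kw, val in zip(extras[::2], extras[1::2]):
        if kw == "PROFILE":
            if not val.isdigit():
                problems.append(f"PROFILE value {val!r} is not a group number")
        elif kw == "CHAP":
            if auth_type.startswith("EXT_"):
                problems.append("CHAP password stored for an external-database user")
        else:
            problems.append(f"unknown keyword {kw!r}")
    return problems


def lint_import_file(text):
    """Lint every non-empty line; returns {line_number: problems} for bad lines only."""
    report = {}
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.strip():
            probs = lint_import_line(raw)
            if probs:
                report[n] = probs
    return report


# Constructed sample file built from the page's examples (quotation marks removed)
SAMPLE = """ADD:user02:EXT_NT::PROFILE:2
ADD:mary:EXT_NT:CHAP:achappassword
ADD:fobar:ZXT_LDAP::PROFILE:10
ADD:fobar:EXT_LDAP::PROFILE:10
"""

if __name__ == "__main__":
    for n, probs in lint_import_file(SAMPLE).items():
        print(n, probs)
```

On the sample, line 2 (the mary example the page calls incorrect) and line 3 (the ZXT_LDAP typo) are reported; the two well-formed EXT_ lines pass. The page does not reproduce the corrected mary line, so the linter only flags it rather than rewriting it.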
Under the heading CSUtils Backup, the following information about the output of executing "CSUtil.exe -b filename" is incorrect:
"This creates the following files in Utils\SysBackups\directory\:
-- A compressed backup file named with the current date and time in the format yyyymmddhhmm.zip. This file is written to the Cisco Secure ACS\utils\dbcheckpoint directory. Each backup creates a file that does not overwrite existing files. The data is stored in compressed format and, therefore, takes up little space. The system administrator must still perform the necessary file management to maintain adequate disk space."
Executing "CSUtil.exe -b filename" creates a single file named filename in the current directory. No other output is generated.
If you use Internet Explorer 5.5 or Netscape 4.7 and refresh or reload the frame when viewing Interface Configuration: TACACS+(Cisco IOS), you receive the following error message:
Vendor Config Edit Failed
-------------------------
Failed to Edit TACACS+ (Cisco IOS)
configuration
because -=+None+=-
Click Interface Configuration: TACACS+(Cisco IOS) and continue editing the TACACS+ settings.
Cisco Secure ACS for Windows 2000/NT uses port 2000 for its replication feature. This conflicts with Cisco CallManager, which uses the same port.
The port used by Cisco Secure ACS for replication is not configurable. If the replication feature must be used, install Cisco Secure ACS and Cisco CallManager on different servers.
If a user responds to a Safeword token challenge after ACS has timed out the session, the CSAuth service attempts to process the request although the session has already timed out. The Safeword authenticator returns an exception and the user is not authenticated.
The following sections describe updates to the published documentation for Cisco Secure ACS 2.6.2.
In the "Overview of Cisco Secure Access Control Server for Windows NT/2000 Servers" chapter within the Online Documentation section of Cisco Secure ACS 2.6.2, the first note under "Software Requirements" now reads as follows:
Note Cisco Secure ACS 2.6 operates with Windows NT Server version 4.0 or Windows 2000. As a Windows NT 4.0 Server, Cisco Secure ACS can be a Primary Domain Controller, a Backup Domain Controller, or a Member Server. If Cisco Secure ACS 2.6 is installed on a Member Server, the Member Server must be a member of its domain.
In the "User Databases" chapter of the Online Documentation section of Cisco Secure ACS 2.6, within the first paragraph after Figure 3-1, the word "exponentially" has been replaced with the word "logarithmically."
In Chapter 1, "Overview of Cisco Secure Access Control Server for Windows NT/2000 Servers," the first note on page 1-4 now reads as follows:
Note Cisco Secure ACS 2.6 operates with Windows NT Server version 4.0 or Windows 2000. As a Windows NT 4.0 Server, Cisco Secure ACS can be a Primary Domain Controller, a Backup Domain Controller, or a Member Server. If Cisco Secure ACS 2.6 is installed on a Member Server, the Member Server must be a member of its domain.
In Chapter 3, "User Databases," on page 3-2, the word "exponentially" has been replaced with the word "logarithmically."
The second paragraph under "Product Summary" on page 1 now reads as follows:
Cisco Secure ACS 2.6 operates with Windows NT Server version 4.0 or Windows 2000. As a Windows NT 4.0 Server, Cisco Secure ACS can be a Primary Domain Controller, a Backup Domain Controller, or a Member Server. If Cisco Secure ACS 2.6 is installed on a Member Server, the Member Server must be a member of its domain.
The following documents directly support Cisco Secure ACS:
In addition to these documents, online documentation is provided within the Cisco Secure ACS user interface. The entire Cisco Secure ACS documentation set is also available from the following address:
http://www.cisco.com/warp/public/cc/pd/sqsw/sq/
The following sections provide sources for obtaining documentation from Cisco Systems.
You can access the most current Cisco documentation on the World Wide Web at the following sites:
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.
Cisco documentation is available in the following ways:
http://www.cisco.com/cgi-bin/order/order_root.pl
http://www.cisco.com/go/subscription
If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.
You can e-mail your comments to bug-doc@cisco.com.
To submit your comments by mail, for your convenience many documents contain a response card behind the front cover. Otherwise, you can mail your comments to the following address:
Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.
Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.
To access Cisco.com, go to the following website:
The Cisco TAC website is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.
If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC website:
P3 and P4 level problems are defined as follows:
In each of the above cases, use the Cisco TAC website to quickly find answers to your questions.
To register for Cisco.com, go to the following website:
http://www.cisco.com/register/
If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following website:
http://www.cisco.com/tac/caseopen
If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following website:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
P1 and P2 level problems are defined as follows:
This document is to be used in conjunction with the "Related Documentation" section.
AccessPath, AtmDirector, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, CiscoLink, the Cisco NetWorks logo, the Cisco Powered Network logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, Fast Step, Follow Me Browsing, FormShare, FrameShare, GigaStack, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, MGX, the Networkers logo, Packet, RateMUX, ScriptBuilder, ScriptShare, SlideCast, SMARTnet, TransPath, Unity, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That's Possible, and Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, IOS, IP/TV, LightStream, MICA, Network Registrar, PIX, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other brands, names, or trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0104R)
Copyright © 1999-2001, Cisco Systems, Inc.
All rights reserved.
Posted: Tue Apr 8 11:35:46 PDT 2003