Release Notes for Cisco Secure Access Control Server for Windows 2000/NT Servers Version 2.6.4

These release notes pertain to Cisco Secure Access Control Server for Windows 2000/NT Servers (Cisco Secure ACS) version 2.6.4.

Introduction

Cisco Secure ACS is network security software that helps you authenticate users by controlling dial-in access to a network access server (NAS) device, such as an access server, PIX Firewall, or router.

Cisco Secure ACS operates as a Windows NT or Windows 2000 service and controls the authentication, authorization, and accounting (AAA) of users accessing networks. Cisco Secure ACS operates with Windows NT Server version 4.0 and Windows 2000 Server. Provided that Microsoft Clustering Services are not installed, Cisco Secure ACS operates on Windows 2000 Advanced Server and Windows 2000 Datacenter Server.

Cisco Secure ACS helps centralize access control and accounting for dial-up access servers and firewalls as well as management of access to routers and switches. With Cisco Secure ACS, service providers can quickly administer accounts and globally change levels of service offerings for entire groups of users. The tight integration of Cisco Secure ACS with the Windows NT and Windows 2000 operating systems enables companies to use the working knowledge gained from and the investment already made in building their Windows NT and Windows 2000 networks.

Chapter 1, "Overview of Cisco Secure Access Control Server for Windows NT/2000 Servers," in Cisco Secure Access Control Server for Windows 2000/NT Servers User Guide provides information about the following:

New features
Changed features
System requirements
Network requirements

The Cisco Secure Access Control Server for Windows 2000/NT Servers User Guide also provides detailed information about configuring and using Cisco Secure ACS. This guide is available from Cisco.com or on the product CD-ROM.

Installation Notes

For information about installing Cisco Secure ACS, see the Installing Cisco Secure ACS 2.6 for Windows 2000/NT Servers quick reference card.

Information regarding messages or warnings that may arise during installation can be found in the readme file, located on the CD-ROM.

Evaluation Version

The evaluation version of Cisco Secure ACS 2.6 provides full functionality for 90 days after the date of installation. This allows you to use all the features of Cisco Secure ACS 2.6 while determining if it suits your needs.

The evaluation version of Cisco Secure ACS 2.6 can be distinguished from the commercial version in the following ways:

The word "trial" appears in the title of the installation routine.
The Windows Control Panel Add/Remove applet indicates that the Cisco Secure ACS installation is a trial version.
In the administrative interface of Cisco Secure ACS, the word "trial" appears on the title of the initial screen.

When the evaluation period has elapsed, the CSRadius and CSTacacs services fail to start. You will receive a message upon accessing the administrative interface notifying you that your evaluation period has elapsed.

Purchasing the Commerical Version

Please contact your Cisco Sales Representative(s) to inquire about purchasing the commercial version of Cisco Secure ACS. To purchase the full, retail version of Cisco Secure ACS 2.6 online, use Part Number CSNT-2.6 at the following URL:

Upgrading to the Commercial Version

After purchasing a commercial version of Cisco Secure ACS 2.6, you can upgrade your Cisco Secure ACS server from the evaluation version to the commercial version by installing the commercial version over the evaluation version. For information on installing Cisco Secure ACS 2.6, follow the instructions in the Installing Cisco Secure ACS 2.6 for Windows 2000/NT Servers quick reference card.

Limitations and Restrictions

The following topics are limitations and restrictions that apply to Cisco Secure ACS 2.6.4.

Interoperability Testing

Cisco Secure ACS has not been interoperability tested with other Cisco software. Other than the software and operating system versions listed in this document, no other interoperability testing was performed. Using untested software with Cisco Secure ACS may cause undesired results. For the best performance of Cisco Secure ACS, we recommend that you use only the versions of software and operating systems listed in this document.

Tested Web Browser Versions

To administer all features included in Cisco Secure ACS 2.6.4, you must use a tested web browser. Cisco Systems tested Cisco Secure ACS 2.6.4 using Microsoft Internet Explorer versions 5.0.x and 5.5, and Netscape Communicator versions 4.75 and 4.76. We did not test other versions of these browsers and web browsers by other manufacturers.

Tested Token Server Versions

We tested Cisco Secure ACS 2.6.4 with the following versions of supported token servers.

AXENT Defender version 4.1.
Secure Computing SafeWord version 5.2.
RSA ACE/Server version 5.0 and ACE/Client version 1.1.2 for Windows 2000

Tested Novell Clients

If you are using a Novell NDS database as an external user database, the Novell Requestor software must be installed on the Cisco Secure ACS server. We tested Cisco Secure ACS 2.6.4 with the Novell Requestor software found in Novell Client versions 4.8 and 4.8.1 for Windows NT 4.0 and Windows 2000.

Windows Operating Systems and Service Packs

Your Cisco Secure ACS server must have the English-language version of one of the following Microsoft Windows operating systems installed:

Windows 2000 Server with Service Pack 1 or Service Pack 2 installed
Windows 2000 Advanced Server, with these additional requirements:

without Microsoft Clustering Services installed
with Service Pack 1 or Service Pack 2 installed

Windows 2000 Datacenter Server, with these additional requirements:

without Microsoft Clustering Services installed
with Service Pack 1 or Service Pack 2 installed

Windows NT Server 4.0 with Service Pack 6a installed.

We tested Cisco Secure ACS 2.6.4 on Windows 2000 with Service Pack 2 installed and on Windows NT Server 4.0 with Service Pack 6a installed.

Windows Service Packs can be applied either before or after installing Cisco Secure ACS. If you do not install a required Service Pack before installing Cisco Secure ACS, the Cisco Secure ACS installation program warns you that the required Service Pack is not present on your server. If you receive a Service Pack message, continue the installation, and then install the required Service Pack before starting user authentication with Cisco Secure ACS.

Supported Platforms for CiscoSecure Authentication Agent

The Cisco Secure ACS CiscoSecure Authentication Agent is supported only on the following client platform operating systems:

Windows 95 OSR1
Windows NT 4.0 Workstation with Service Pack 6a
Windows 98 Special Edition
Windows 2000 Server and Advanced Server
Windows Millennium Edition

Cisco Systems has not tested the CiscoSecure Authentication Agent on the following client platform operating systems:

Windows 95 OSR2
Windows 98 (non-Special Edition)
Windows 2000 Professional
Windows 2000 Datacenter

128-bit Encryption with Microsoft Dial-Up Networking

If users connect to your network with the Microsoft Dial-Up Network client and establish a Virtual Private Network (VPN) tunnel using Point-to-Point Tunneling Protocol with Microsoft Point-to-Point Encryption, the NAS through which users connect to the network must be one of three types:

Cisco Secure PIX Firewall
Cisco Secure VPN 3000 Concentrator
Cisco IOS router, 7100 or 7200 series only

Both the NAS and the Microsoft Dial-Up Network client must have 128-bit encryption installed. For the Microsoft Dial-Up Network client, this requires the High Encryption pack. For users on Microsoft Windows 95/98/NT 4.0, install the 128-bit encryption package included with Internet Explorer 5.5. Internet Explorer is available at the following URL:

For users on Microsoft Windows 2000, download the High Encryption pack for Windows 2000. The High Encryption pack is available at the following URL:

Enabling MPPE and MPPC for Cisco VPN 3000 Concentrator Users

Cisco Secure ACS 2.6 supports Microsoft Point-to-Point Encryption (MPPE) and Microsoft Point-to-Point Compression (MPPC) for users accessing your network through a Cisco VPN 3000 Concentrator. The essential configuration details are in the following sections:

Cisco VPN 3000 Configuration

Step 2 In Configuration: System: User Management: Groups, create an external group. Assign the group a descriptive name, such as "VPN3000TunnelGroup". Be sure the group type is set to External.

Cisco Secure ACS Configuration

Configuring Cisco Secure ACS to authenticate users accessing your network via the Cisco VPN 3000 Concentrator and to enable MPPE and MPPC for the VPN tunnels used by those users requires that Cisco Secure ACS authenticate both the tunnel group and the individual users. The following steps create a Cisco Secure ACS user that corresponds to the Cisco VPN 3000 Concentrator tunnel group and a Cisco Secure ACS user for a network user accessing your network via the Cisco VPN 3000 Concentrator.

To configure Cisco Secure ACS to authenticate Cisco VPN 3000 users and enable MPPE and MPPC for the user tunnels, follow these steps:

Step 2 Add a user for authentication of the VPN 3000 Concentrator group you created:

Step 3 Edit the Cisco Secure ACS user account for each user that is to access your network via a VPN 3000 concentrator tunnel with MPPE and MPPC:

where tunnelgroup matches the VPN 3000 Concentrator group you created in the "Cisco VPN 3000 Configuration" section. Be sure to include the semicolon (;) after tunnelgroup.

Authentication Process Overview

When a user attempts to access your network and the Cisco VPN 3000 Concentrator and Cisco Secure ACS are configured as described above, the authentication process occurs as follows:

1. The VPN 3000 Concentrator sends an authentication request to Cisco Secure ACS for the user.

2. Cisco Secure ACS authenticates the user and returns to the concentrator the RADIUS attribute [311\012] MS-CHAP-MPPE-Keys with a generated value and a RADIUS attribute [025] Class attribute with a value of "ou=tunnelgroup;".

3. The concentrator recognizes the [025] Class attribute value as a VPN 3000 Concentrator group name and sends an authentication request to Cisco Secure ACS for a user with the name tunnelgroup.

4. Cisco Secure ACS authenticates the user, which corresponds to the VPN 3000 Concentrator group, and returns to the concentrator the RADIUS attribute [3076\037] CVPN3000-PPTP-MPPC-Compression with a value of "True" and the RADIUS attribute [3076\020] CVPN3000-PPTP-Encryption with the encryption type value you selected in "Cisco Secure ACS Configuration" section.

5. The VPN 3000 Concentrator has the information needed to establish the user connection using MPPE and MPPC.

Caveats

Platform Caveats

Refer to the appropriate release notes for information about hardware caveats that might affect Cisco Secure ACS. You can access these release notes online at the following addresses.

Cisco Secure PIX Firewall

Cisco IOS Releases 12.0 and 12.1

Closed Caveats—Version 2.6.4

CSCds52298: Domain still listed in LHP after being assinged into RHP
CSCdt91325: Delayed response to Safeword challenge crashes CSAuth
CSCdu20868: Aironet LEAP packet format problem
CSCdu44252: Groups not Read for user authed into root context (.)
CSCdu87549: MAR DEL Timeouts required for LDAP searches
CSCdv08759: Remove Ldap Ext DB config causes Ext Auth Config Error
CSCdv21395: Radius packet dumping doesnt work
CSCdv25235: Replication occurs every other time regardless on need
CSCdv42366: Documentation wrong about admin failed attempts feature
CSCdv63442: ODBC logging, Fractional truncation errors, not dropping connections
CSCdv75358: Add system info to CSSUpport
CSCdw04627: NULL response to AXENT challenge crashes CSAuth
CSCdw07015: Class attribute missing from Radius Accounting section
CSCdw11365: NULL password to Safeword crashes CSAuth
CSCdw19541: LEAP reporting fix
CSCdw19543: Radius accounting requests not validated fully as per RFC
CSCdw19550: MARLEAP dll doesn't work correctly with EAP-TLS clients
CSCdw19565: Memory leak in CSAdmin
CSCdw19571: Group mapping for local groups is ignored
CSCdw31100: NULL response to AXENT challenge crashes CSAuth
CSCdw31101: NULL password to Safeword crashes CSAuth
CSCdw31105: Replication occurs every other time regardless on need
CSCdw31107: Class attribute missing from Radius Accounting section
CSCdw31110: Radius packet dumping doesnt work
CSCdw31114: ODBC logging, Fractional truncation errors, not dropping connections
CSCdw37579: Memory Leak in CSAdmin
CSCdw46924: ACS authenticates NDS expired/disabled users

Open Caveats—Version 2.6.4

CSCds14916: ACS fails to list Windows NT groups when PDC is down

If the active Primary Domain Controller (PDC) for a Windows NT domain is unavailable, you cannot use the Cisco Secure ACS administrative user interface to configure group mappings for this domain.

Workaround/Solution: If the configuration changes are not vital, wait until the PDC becomes available again. Otherwise, promote a suitable Backup Domain Controller to the role of PDC.

CSCds15692: Installer replaces Cisco Secure VPN Client (1.1) DLL

If Cisco Secure VPN Client version 1.1 is installed on the Windows NT 4.0 server on which you are installing Cisco Secure ACS, Cisco Secure ACS fails to install, with an error message about the following file:

Workaround/Solution: Exit the Cisco Secure ACS installation, uninstall Cisco Secure VPN Client from the server, install Cisco Secure ACS 2.6, and then reinstall Cisco Secure VPN Client.

CSCds22861: GUI does not allow user to change RADIUS auth/acct ports

The user interface does not allow an administrator to change the default RADIUS authentication (1645) and accounting (1646) ports. Routers using Cisco IOS versions later than 12.1 have changed their default behavior to reflect the new ports of 1812 for authentication and 1813 for accounting.

Workaround/Solution: Cisco Secure ACS now supports both pairs of ports for RADIUS authentication and accounting. Ports 1645 and 1812 are used for RADIUS authentication; ports 1646 and 1813, for RADIUS accounting.

If you need to use ports other than those supported by Cisco Secure ACS, you can change the ports used for RADIUS authentication and accounting by editing attribute values of the proper key in the Windows Registry. The ports are the AccountingPort and AuthenticationPort attributes of the following key:

CSCds33765: When configuring NAS (IOS router), add local username and method

When you are configuring a Cisco IOS router to enable the AAA paradigm, there is always a slight risk that the administrative Telnet or console session may be lost. If an administrative Telnet or console session is lost while enabling the AAA paradigm on a Cisco IOS router, the administrator is locked out of the router.

Workaround/Solution: Enabling the AAA paradigm with the command aaa new-model on a Cisco IOS router has important ramifications that a user must be aware of when configuring these devices for the first time. At a minimum the following commands should be entered in the order shown:

[global configuration]
aaa new-model
username username password password
aaa authentication login default local group [security protocol]

where username is the username for the new local account and password is the password for the new local account.

Specifying the "local" method enables users to re-establish their Telnet or console session and use the locally defined authentication list to access the router once more. If not, physical access to the router is required (console session), with a minimum of having to perform a password recovery sequence. At worst, the entire configuration saved in NVRAM can be lost.

CSCds44804: Windows 2000-style user@domain authentication not supported

Windows 2000 allows users to enter their user names as username@domain-name. For example, fred@domain.com. This format is equivalent to entering the Windows NT 4.0 user name of DOMAIN/fred.

Workaround/Solution: Cisco Secure ACS does not support this style of user name when authenticating against an external Windows 2000 server. Continue to prefix account names with the NT 4.0-style domain name.

CSCds48020: Installation GUI Before You Begin check boxes are unclear

On the Before You Begin dialog box of the Cisco Secure ACS installation, the following three check box items could be misunderstood.

A dial-up client can successfully dial in to the network access server.
The network access server is running Cisco IOS release 11.1 or later.
Microsoft Internet Explorer v5.0 (or later) or Netscape Communicator v4.7 (or later) is installed on this Windows 2000/NT Server

Dial-up clients only need to be able to connect to your network if you intend to support dial-up access. If not, this is not a requirement for installing Cisco Secure ACS.
Only Cisco IOS devices need to be running Cisco IOS release 11.1 or later. Other devices, such as supported versions of the Cisco Aironet Access Point, do not need to be running Cisco IOS.
The supported web browsers must also have a Java virtual machine installed in order to support the Cisco Secure ACS administration interface.

CSCds67703: New PIN mode not supported for some NASes

A few of the NASes supported by Cisco Secure ACS either do not support "new PIN mode" functionality or support it in a limited fashion. New PIN mode is when token-card users can be required to enter new PINs at login.

Cisco Secure VPN 3000 Concentrator
Cisco Secure PIX Firewall

Additionally, Cisco IOS routers can support new PIN mode functionality with specific configuration.

Workaround/Solution: There is no workaround if the NAS is a Cisco Secure VPN 3000 Concentrator or a Cisco Secure PIX Firewall.

For Cisco IOS routers, new PIN mode functionality is supported if the routers are configured as described here. The Microsoft DUN for token-card users must be configured to enable Bring up a terminal window after dialing. The Cisco IOS router through which users are accessing the network must be configured as follows:

Users would be presented with a terminal window in which they would change their PINs. After the PIN was reset, users could start a PPP session manually or a script could be configured to start PPP automatically.

CSCds68316: Sample Configuration chapter has incorrect examples depicted

The Sample Configurations chapter of the user guide has errors in examples depicted. In NAS Configuration under the "Password Aging and User-Changeable Passwords Using CiscoSecure ACS with CAA" section, the example is written with the assumption that IP address assignment for a dial-up user is assigned by the NAS itself, yet it does not give sufficient configuration for IP address assignment to be handled by the NAS.

Workaround/Solution: To depict accurately a configuration where the NAS handles IP address assignment, the NAS configuration example should have the following line in its global configuration section:

where xxx.xxx.xxx.xxx is the starting IP address of the IP address range and yyy.yyy.yyy.yyy is the ending IP address of the IP address range. The IP address range defined should be a part of a subnet belonging to a routeable interface connected to the corporate network.

CSCds88673: Timeout issue for Aironet client causing authentication problem

Cisco Secure ACS pauses for several seconds before replying to a Cisco Aironet Access Point authentication request. This results in the Access Point resending its authentication request.

Workaround/Solution: None. Authentications for valid requests succeed after the delay.

CSCds90043: Default action value for CSDBSync does not cause an error

RDBMS Synchronization fails to provide an error message if it encounters a value of zero in the Action field of the accountActions table. Cisco Secure ACS does not perform the desired action.

Workaround/Solution: Change the value in the Action field to a valid value other than the default value of zero. For more information about action codes, see Chapter 7, "Database Information Management," in the Cisco Secure Access Control Server for Windows NT/2000 Servers Version 2.6 User Guide.

CSCds90678: Failed to Edit TACACS+ (Cisco IOS) configuration

If you use Internet Explorer 5.5 or Netscape 4.7 and refresh or reload the frame when viewing Interface Configuration: TACACS+(Cisco IOS), you receive the following error message:

Vendor Config Edit Failed
-------------------------
Failed to Edit TACACS+ (Cisco IOS)
configuration
because -=+None+=-

Workaround/Solution: Click Interface Configuration: TACACS+(Cisco IOS) and continue editing the TACACS+ settings.

CSCds92312: CRYPTOCard Token Server inserts itself into Unknown User Policy

After an administrator adds a CRYPTOCard database in External User Databases: Database Configuration, the CRYPTOCard database appears in the Selected Databases list in Unknown User Policy.

Workaround/Solution: This occurs when a configuration for an external user database of any type is added to Cisco Secure ACS and a configuration for a database of that type was deleted before that database was removed from the Selected Databases list in Unknown User Policy. When the database is configured again, Cisco Secure ACS recalls that the database was in the Selected Databases list and adds it again.

To prevent this behavior, be sure to remove a database from the Selected Databases list in Unknown User Policy prior to deleting its external user database configuration.

CSCdt63400: CSNT port 2000 conflict with CCM

Cisco Secure ACS for Windows 2000/NT uses port 2000 for its replication feature. This conflicts with Cisco CallManager, which uses the same port.

Workaround/Solution: The port used by Cisco Secure ACS for replication is not configurable. If the replication feature must be used, install Cisco Secure ACS and Cisco CallManager on different servers.

CSCdt75695: When upgrading from 2.4 to 2.6 it does not update safeword token dll

After upgrading from Cisco Secure ACS 2.4 to 2.6, users cannot authenticate using a Safeword token-card server. Upon editing the Safeword external user database configuration, you receive the message:

An error has occurred while processing the External Database Configuration Page because the external database DLL could not be loaded, because this DLL is missing or other dependant DLLs could not be located.

Workaround/Solution: After installation, do not start the CiscoSecure ACS services. Instead, use regedit to change the name of the safeword DLL to the correct name. For the registry key:

CSCdu01636: CSUtil.exe behavior incorrectly documented

The Online Documentation describes the behavior of CSUtil.exe incorrectly and has some errors in the examples provided.

Workaround/Solution: The following changes should be made to the Online Documentation:

Under the heading Database Import Utility, in an example provided for a user to be authenticated by Windows NT, the example reads:

which suggests that the CiscoSecure database retains the Windows NT password. This is incorrect. The example should read:

Under the heading CSUtils Backup, the following information about the output of executing "CSUtil.exe -b filename" is incorrect:

-- A compressed backup file named with the current date and time in the format yyyymmddhhmm.zip. This file is written to the Cisco Secure ACS\utils\dbcheckpoint directory. Each backup creates a file that does not overwrite existing files. The data is stored in compressed format and, therefore, takes up little space. The system administrator must still perform the necessary file management to maintain adequate disk space."

Executing "CSUtil.exe -b filename" creates a single file named filename in the current directory. No other output is generated.

CSCdu20672: CSNT cant see admin groups after upgrade from 2.3 to 2.6

After a Cisco Secure ACS 2.3 database dump file is imported into Cisco Secure ACS 2.6, administrators who previously could manage all groups can only manage 17 groups.

Workaround/Solution: In Cisco Secure ACS 2.6, use the Cisco Secure ACS HTML interface to edit the administrator accounts so that the administrators can manage all the groups that are required.

CSCdu36350: Documentation bug: LDAP and CHAP are not supported together

CHAP is not supported when using LDAP server as external database. The mistake in the documentation is in the following location:

Workaround/Solution: LDAP external user databases do not support CHAP authentication. The documentation will be amended in future releases.

CSCdu39662: ERROR_EXPORT_DISK_TOO_LOW error when upgrading to CSNT 2.6

When upgrading from 2.x to 2.6 release of Cisco Secure ACS for NT/2000, you may get an error "ERROR_EXPORT_DISK_TOO_LOW - entry not found in the string table", leading you to believe that disk space is low; however, there is enough disk space and this error message is misleading.

Workaround/Solution: Use CSUtil.exe to dump the existing users to a dump file, uninstall existing Cisco Secure ACS, install new version, and then load the database using the dump.txt file.

CSCdu40827: Passwords submitted with Netscape on Solaris dont work

Workaround/Solution: Use a Windows version of the web browsers used to test Cisco Secure ACS 2.6.

CSCdu48120: CSNT error occurred during the move data process

Workaround/Solution: Delete pdh.dll from the Windows system32 directory, then restart the installation.

CSCdu61901: Cant add userID in lowercase after adding it in uppercase

A user ID is created in uppercase (for example, JSMITH), and then the user ID is deleted and re-added in lowercase ("jsmith").

The new user appears in uppercase letters rather than lowercase ("JSMITH" not "jsmith").

Workaround/Solution: After deleting the uppercase user ID, use CSUtil.exe to dump, reinitialize, and reload the user database. You can then add the user ID in lowercase letters.

CSCdu63916: Corrupt ip pool data breaks import during upgrade

Prior to Cisco Secure ACS 2.6.3, if IP Pools are enabled, any user who does not have an IP Pool assigned at the user level will result in the ACS Pool list for that user being corrupt. This has no operational effect; it only becomes a problem at upgrade because, if the corrupt string contains an EOF character, the upgrade process stops processing the dump file.

Because the corruption is random, the dump.txt file may or may not include erroneous EOF characters.

Workaround/Solution: This issue has been resolved, both in CSAdmin and in CSUtil.exe; however, because the problem was not consistently reproducible, the DDTS entry remains in the Unreproducible state.

CSCdu65095: add Usage Quota w/ Netscape in Interface Config removes options

In Cisco Secure ACS 2.6.X, when the Usage Quota feature is enabled in Interface Configuration using a Netscape browser, this causes options VOIP, Default TOD, Callback, Max sessions, and NAS restrictions to disappear in the group settings.

Workaround/Solution: Use a tested version of the Microsoft Internet Explorer web browser to make the changes.

CSCdu65230: Cross version replication error not in docs

The Cisco Secure ACS 2.6 User Guide does not clearly state that replication between installations of Cisco Secure ACS requires that the Cisco Secure ACS servers involved run the same release of Cisco Secure ACS, including patch level.

Workaround/Solution: None at this time. CiscoSecure Database Replication requires that all Cisco Secure ACS servers involved in the replication run the same release and patch level of Cisco Secure ACS.

CSCdu65240: Inter version replication failure error not logged

If an administrator attempts to use the CiscoSecure Database Replication feature between Cisco Secure ACS servers that are not running the same release and patch level, replication fails and no error message is generated.

Workaround/Solution: While no error message is generated, in the event of a failed replication due to release and patch level mismatch between the master Cisco Secure ACS server and one of its replication partners, the CSAuth service log on the master Cisco Secure ACS server records the following message:

CSCdu72474: Group Enable option for define max priv. on a per NDG basis

The "Define max Privilege on a per network device group basis" option of the Enable Options feature in Group Setup does not work if this option has not first been configured once in User Setup.

Workaround/Solution: Configure this feature for users first (rather than for a group). Then, reconfigure this feature for a group. After doing so, this feature works on a group level. All failed attempts are registered in the failed attempts log as "T+ enable privilege too low."

CSCdu76831: 255 IP address fails on installation

During installation, if you use an IP address of 10.0.10.255 with a 23-bit subnet mask (255.254.0.0), the installation fails with an error message indicating that you cannot use a broadcast IP address.

Workaround/Solution: During installation, enter any IP address not ending in 255. After installation, use the Cisco Secure ACS HTML interface to correct the IP address.

CSCdw07015: Class attribute missing from Radius Accounting section

Under the System Configuration - Logging - Radius Accounting section, the Class (IETF Radius attr. 25) attribute is missing from the list of available attributes.

Workaround/Solution: Edit the Registry key: HKEYLOCALMACHINE/SOFTWARE/Cisco/CiscoAAAvM.m/Dictionaries/002/025

Change value "Profile" from "MULTI OUT" to "MULTI IN OUT". Restart ALL services (i.e. needs manual re-start of admin from the Control Panel).

Documentation Updates

The following sections describe updates to the published documentation for Cisco Secure ACS 2.6.4.

Changes to Online Documentation

In the "Overview of Cisco Secure Access Control Server for Windows NT/2000 Servers" chapter within the Online Documentation section of Cisco Secure ACS 2.6.4, the first note under "Software Requirements" now reads as follows:

Note Cisco Secure ACS 2.6 operates with Windows NT Server version 4.0 or Windows 2000. As a Windows NT 4.0 Server, Cisco Secure ACS can be a Primary Domain Controller, a Backup Domain Controller, or a Member Server. If Cisco Secure ACS 2.6 is installed on a Member Server, the Member Server must be a member of its domain.

In the "User Databases" chapter of the Online Documentation section of Cisco Secure ACS 2.6, within the first paragraph after Figure 3-1, the word "exponentially" has been replaced with the word "logarithmically."

Changes to the Cisco Secure ACS 2.6 for Windows 2000/NT Servers User Guide

In Chapter 1, "Overview of Cisco Secure Access Control Server for Windows NT/2000 Servers," the first note on page 1-4 now reads as follows:

In Chapter 3, "User Databases," on page 3-2, the word "exponentially" has been replaced with the word "logarithmically."

Changes to Read Me First: Cisco Secure ACS 2.6 for Windows 2000/NT Server Getting Started

Cisco Secure ACS 2.6 operates with Windows NT Server version 4.0 or Windows 2000. As a Windows NT 4.0 Server, Cisco Secure ACS can be a Primary Domain Controller, a Backup Domain Controller, or a Member Server. If Cisco Secure ACS 2.6 is installed on a Member Server, the Member Server must be a member of its domain.

Table of Contents