|
Table Of Contents
Release Notes for Cisco Secure ACS Appliance Version 3.2.3
Upgrading to Cisco Secure ACS version 3.2.3
Upgrading from Cisco Secure ACS version 3.2.2
Upgrading from Cisco Secure ACS version 3.2.1
HTTPS Support and Management Center Applications
Supported Operating Systems for Remote Agent
Supported Platforms for CiscoSecure Authentication Agent
Other Supported Devices and Software
Known Problems in Cisco Secure ACS Version 3.2.3
Resolved Problems in Cisco Secure ACS Version 3.2.3
Resolved Problems in Cisco Secure ACS Version 3.2.2
Resolved Problems in Cisco Secure ACS Version 3.2.1
Obtaining Technical Assistance
Obtaining Additional Publications and Information
Release Notes for Cisco Secure ACS Appliance Version 3.2.3
December 2004
These release notes pertain to Cisco Secure Access Control Server Appliance (Cisco Secure ACS) version 3.2.3.
Note Cisco Secure ACS Appliance is also known as Cisco Secure ACS Solution Engine.
These release notes provide:
• Upgrading to Cisco Secure ACS version 3.2.3
• HTTPS Support and Management Center Applications
• Limitations and Restrictions
– Supported Migration Versions
– Supported Operating Systems for Remote Agent
– Supported Platforms for CiscoSecure Authentication Agent
– Other Supported Devices and Software
• Obtaining Technical Assistance
• Obtaining Additional Publications and Information
New Features
Cisco Secure ACS version 3.2.3 contains the following new features:
•EAP Flexible Authentication via Secured Tunnel (EAP-FAST) authentication support—Cisco Secure ACS 3.2.3 supports the EAP-FAST protocol, a new authentication protocol that protects authentication in a TLS tunnel but does not require use of certificates, unlike PEAP.
•Windows Server 2003 Enterprise Edition—You can install and operate Cisco Secure ACS Remote Agent for Windows Server version 3.2.3 on Windows Server 2003 Enterprise Edition.
Note When running Cisco Secure ACS Remote Agent on Windows Server 2003, you may encounter event messages that falsely indicate that Cisco Secure ACS Remote Agent services have failed. This is issue is documented in bug CSCea91690. For more information about CSCea91690, see Table 3.
•Machine Access Restrictions (MARs)—Cisco Secure ACS 3.2.3 includes MARs as an enhancement of Windows machine authentication. When Windows machine authentication is enabled, you can use MARs to control authorization of EAP-TLS and Microsoft PEAP users who authenticate with a Windows external user database. Users who access the network with a computer that has not passed machine authentication within a configurable length of time are given the authorizations of a user group that you specify and which you can configure to limit authorization as needed. Alternatively, you can deny network access altogether.
•Cisco Aironet AP EAP Request Timeout—Cisco Secure ACS 3.2.3 adds the ability to specify a timeout value that IOS-based Cisco Aironet Access Points use during EAP transactions with Cisco Secure ACS. This value applies only during the EAP transaction. This option is available on the Global Authentication Setup page in the System Configuration section of the HTML interface.
Supplemental License Agreement for Cisco Systems Network Management Software Running on the Cisco 11XX Hardware Platform
IMPORTANT—READ CAREFULLY: This Supplemental License Agreement ("SLA") contains additional limitations on the license to the Software provided to Customer under the Software License Agreement between Customer and Cisco. Capitalized terms used in this SLA and not otherwise defined herein shall have the meanings assigned to them in the Software License Agreement. To the extent that there is a conflict among any of these terms and conditions applicable to the Software, the terms and conditions in this SLA shall take precedence.
By installing, downloading, accessing or otherwise using the Software, Customer agrees to be bound by the terms of this SLA. If Customer does not agree to the terms of this SLA, Customer may not install, download or otherwise use the Software.
1. ADDITIONAL LICENSE RESTRICTIONS.
•Installation and Use. The Cisco Secure Access Control Server Software component of the Cisco 11XX Hardware Platform is pre-installed. CD's containing tools to restore this Software to the 11XX hardware are provided to Customer for reinstallation purposes only. Customer may only run the supported Cisco Secure Access Control Server Software on the Cisco 11XX Hardware Platform designed for its use. No unsupported Software product or component may be installed on the Cisco 11XX Hardware Platform.
•Software Upgrades, Major and Minor Releases. Cisco may provide Cisco Secure Access Control Server Software updates and new version releases for the 11XX Hardware Platform. If the Software update and new version releases can be purchased through Cisco or a recognized partner or reseller, the Customer should purchase one Software update for each Cisco 11XX Hardware Platform. If the Customer is eligible to receive the Software update or new version release through a Cisco extended service program, the Customer should request to receive only one Software update or new version release per valid service contract.
•Reproduction and Distribution. Customer may not reproduce nor distribute software.
2. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS.
Please refer to the Cisco Systems, Inc. Software License Agreement.
Product Documentation
Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.
Table 1 describes the product documentation that is available.
Table 1 Product Documentation
Document Title Available FormatsRelease Notes for Cisco Secure ACS Appliance
•Printed document that was included with the product.
•PDF on the product CD-ROM.
•On Cisco.com at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/access/
acs_soft/csacsapp/csapp32Installation and Setup Guide for Cisco Secure ACS Appliance
•PDF on the product CD-ROM.
•On Cisco.com at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/access/
acs_soft/csacsapp/csapp32/install•Printed document available by order (part number DOC-7814573=).1
User Guide for
Cisco Secure ACS Appliance•PDF on the product CD-ROM.
•On Cisco.com at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/access/
acs_soft/csacsapp/csapp32/user/index.htm•Printed document available by order (part number DOC-7814698=). 1
Installation and User Guide for Cisco Secure ACS User-Changeable Passwords
•PDF on the product CD-ROM.
•On Cisco.com at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/access/
acs_soft/csacsapp/csapp32/ucp.htmRegulatory Compliance and Safety Information for Cisco Secure ACS Appliance
•Printed document that was included with the product.
•PDF on the product CD-ROM.
•On Cisco.com at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/access/
acs_soft/csacsapp/csapp32/32rcsi.htmSupported and Interoperable Devices and Software Tables for Cisco Secure ACS Appliance
On Cisco.com at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/access/
acs_soft/csacsapp/csapp32/2ap32sdt.htmRecommended Resources for the Cisco Secure ACS User
On Cisco.com at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/access/
acs_soft/csacs4nt/acs32/linksw32.htmOnline Documentation
In the Cisco Secure ACS HTML interface, click Online Documentation.
1 See the "Obtaining Documentation" section.
Related Documentation
Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.
Table 2 describes a set of white papers about Cisco Secure ACS for Windows Server; however, much of the information contained in these papers is applicable to Cisco Secure ACS Appliance. All white papers are available on Cisco.com. To view them, go to the following URL:
http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/index.shtml
Installation Notes
For information about installing Cisco Secure ACS, see Installation and Setup Guide for Cisco Secure ACS Appliance, version 3.2.
Note For additional information about rack mounting, see CSCed23602.
Upgrading to Cisco Secure ACS version 3.2.3
We tested upgrading to Cisco Secure ACS version 3.2.3 from versions 3.2.1 and 3.2.2. Depending upon the version of Cisco Secure ACS you are upgrading from, the upgrade process differs.
Upgrading your Cisco Secure ACS Appliance to version 3.2.3 requires using the backup and restore features. Changes to the appliance management software in version 3.2.3 require the upgrade method described in this procedure.
Upgrading from Cisco Secure ACS version 3.2.2
To upgrade a Cisco Secure ACS Appliance from version 3.2.2 to version 3.2.3, follow these steps:
Step 1 Back up the appliance data and configuration. To do so, use one of the two following features:
•ACS Backup, available in the System Configuration section of the HTML interface. For more information, see User Guide for Cisco Secure ACS Appliance.
•backup command, available on the serial console. For more information, see Installation and Setup Guide for Cisco Secure ACS Appliance.
Step 2 Apply CiscoSecure ACS Solution Engine Hotfix KB828028 to the Cisco Secure ACS Appliance. Use the upgrade procedure in User Guide for Cisco Secure ACS Appliance.
You can download the patch from the following URL:
http://www.cisco.com/cgi-bin/tablebuild.pl/solution_engine
Tip The upgrade procedure is available at:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/
csapp32/user/sba.htm#wp911322Step 3 Upgrade the Cisco Secure ACS Appliance to version 3.2.3. Use the upgrade procedure in User Guide for Cisco Secure ACS Appliance.
Tip The upgrade procedure is available at:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/
csapp32/user/sba.htm#wp911322Step 4 Restore the appliance data and configuration. To do so, use one of the two following features:
•ACS Restore, available in the System Configuration section of the HTML interface. For more information, see User Guide for Cisco Secure ACS Appliance.
•restore command, available on the serial console. For more information, see Installation and Setup Guide for Cisco Secure ACS Appliance.
Result: The appliance is upgraded to Cisco Secure ACS Appliance version 3.2.3, with the data and configuration preserved by the backup and restore features.
Upgrading from Cisco Secure ACS version 3.2.1
Note You cannot upgrade from version 3.2.1 to version 3.2.3 by using the Appliance Upgrade Status page in the HTML interface or the download and upgrade commands at the console. Do not use the appliance upgrade procedures in User Guide for Cisco Secure ACS Appliance and Installation and Setup Guide for Cisco Secure ACS Appliance.
To upgrade a Cisco Secure ACS Appliance from version 3.2.1 to version 3.2.3, follow these steps:
Step 1 Back up the appliance data and configuration. To do so, use one of the two following features:
•ACS Backup, available in the System Configuration section of the HTML interface. For more information, see User Guide for Cisco Secure ACS Appliance.
•backup command, available on the serial console. For more information, see Installation and Setup Guide for Cisco Secure ACS Appliance.
Step 2 Record appliance IP and time configuration. To do so, use the show command to display appliance configuration with the system console.
Result: You have a record of appliance network and time configuration. When you perform Step 3, network and time configuration are lost.
Step 3 Use the Recovery CD for version 3.2.3 to upgrade the appliance to version 3.2.3. This will destroy all data and install a new image.
To upgrade the Cisco Secure ACS Appliance, follow these steps:
Caution Performing this procedure destroys all data stored on the Cisco Secure ACS Appliance. Be sure you have successfully backed up Cisco Secure ACS before proceeding.
a. Put the Recovery CD in the Cisco Secure ACS Appliance CD-ROM drive.
b. Power on the Cisco Secure ACS Appliance or, if the appliance is already running, use the reboot command to reboot it.
Result: The Cisco Secure ACS Appliance displays the following message on the console:
ACS Appliance Recovery Options [1] Reset administrator account [2] Restore hard disk image from CD [3] Exit and reboot Enter menu item number: [ ]
c. Type 2, and then press Enter.
Result: The Cisco Secure ACS Appliance displays the following message on the console:
This operation will completely erase the hard drive. Press `Y' to confirm, any other key to cancel: __
Caution The next step erases the Cisco Secure ACS Appliance hard drive. You will permanently lose all system data that you have not backed up.
d. Type Y.
Result: The Cisco Secure ACS Appliance processes the new image (this may take more than 2 minutes) while displaying random characters and then displays the following message on the console:
The system has been reimaged successfully. Please remove this recovery CD from the drive, then hit RETURN to restart the system:
e. Remove the Recovery CD from the Cisco Secure ACS Appliance.
f. Press Enter to restart the Cisco Secure ACS Appliance.
Result: The Cisco Secure ACS Appliance reboots, performs some configurations, and reboots again. The configurations that occur after the first reboot take a significant amount of time, during which there is no feedback; this is normal system behavior.
Step 4 Perform initial configuration of the Cisco Secure ACS Appliance. For more information, see Installation and Setup Guide for Cisco Secure ACS Appliance.
Tip Initial appliance configuration procedures are available at:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/
csapp32/install/instalap.htm#wp1049782Step 5 Restore the appliance data and configuration. To do so, use one of the two following features:
•ACS Restore, available in the System Configuration section of the HTML interface. For more information, see User Guide for Cisco Secure ACS Appliance.
•restore command, available on the serial console. For more information, see Installation and Setup Guide for Cisco Secure ACS Appliance.
Result: The appliance is upgraded to Cisco Secure ACS Appliance version 3.2.3, with the data and configuration preserved by the backup and restore features.
Cisco Security Notices
The following two Cisco Security Notices are relevant to the Cisco Secure ACS Appliance:
• http://www.cisco.com/en/US/products/sw/voicesw/ps556/
products_tech_note09186a00801aedd6.shtml• http://www.cisco.com/en/US/products/sw/voicesw/ps556/
products_tech_note09186a00801b143a.shtmlWe produced a patch for the Cisco Secure ACS Appliance that resolves the issues described in both Cisco Security Notices. The patch is available at the following site:
http://www.cisco.com/pcgi-bin/tablebuild.pl/solution_engine
HTTPS Support and Management Center Applications
Cisco Secure ACS 3.2 does not allow HTTP and HTTPS to function simultaneously. Multi-device management applications, such as Management Center for Firewalls, can be configured to use Cisco Secure ACS for authentication of administrators and authorization of their actions. Communication between early versions of multi-device management applications and Cisco Secure ACS requires HTTP. If you enable HTTPS in Cisco Secure ACS 3.2, communication between multi-device management applications and Cisco Secure ACS fails.
If you use Cisco Secure ACS with a multi-device management application that is not yet capable of HTTPS for communicating with Cisco Secure ACS, you must disable HTTPS in Cisco Secure ACS; otherwise, integration with Cisco Secure ACS fails.
Note Beginning with version 2.2 with Service Pack 2, CiscoWorks supports HTTPS; therefore, multi-device management applications using CiscoWorks 2.2 with Service Pack 2 or later can communicate with Cisco Secure ACS using HTTPS.
Limitations and Restrictions
The following limitations and restrictions apply to Cisco Secure ACS 3.2.3.
Supported Migration Versions
We support migrating from Cisco Secure ACS for Windows Server version 3.2 to Cisco Secure ACS Appliance 3.2.3. We do not support migration from other versions of Cisco Secure ACS for Windows Server.
Steps for performing a migration from Cisco Secure ACS for Windows Server to Cisco Secure ACS Appliance are documented in Installation Guide for Cisco Secure ACS for Windows Server, available at the following location:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/
acs32/win32sig.htm#10598Supported Web Browsers
To administer all features included in Cisco Secure ACS 3.2, use an English-language version of one of the following tested and supported web browsers:
•Microsoft Internet Explorer version 6.0 with Service Pack 1 for Microsoft Windows
•Netscape Communicator version 7.0 for Microsoft Windows
•Netscape Communicator version 7.0 for Solaris 2.7
We do not support other versions of these browsers, nor do we test web browsers by other manufacturers.
Note To use a web browser to access the Cisco Secure ACS HTML interface, configure your web browser as follows:
•Use an English-language version of a supported browser.
•Enable Java.
•Enable JavaScript.
•Disable HTTP proxy.
Supported Operating Systems for Remote Agent
Cisco Secure ACS 3.2 supports Cisco Secure ACS Remote Agent on Microsoft Windows 2000 and Solaris operating systems, as specified in the following two sections.
• Windows Support for Remote Agent
• Solaris Support for Remote Agent
Windows Support for Remote Agent
The computer running Cisco Secure ACS Remote Agent for Windows must use an English-language version of one of the following operating systems:
•Windows 2000 Server, with Service Pack 3 or Service Pack 4 installed
•Windows 2000 Advanced Server, with the following conditions:
–with Service Pack 3 or Service Pack 4 installed
–without Microsoft clustering service installed
–without other features specific to Windows 2000 Advanced Server enabled
Note We have not tested and cannot support the multi-processor feature of Windows 2000 Advanced Server. Windows 2000 Datacenter Server is not a supported operating system.
•Windows Server 2003, Enterprise Edition
Note When running Cisco Secure ACS Remote Agent on Windows Server 2003, you may encounter event messages that falsely indicate that Cisco Secure ACS Remote Agent services have failed. This is issue is documented in bug CSCea91690. For more information about CSCea91690, see Table 3.
Tested Windows Security Patches
During testing of Cisco Secure ACS version 3.2.3, we tested Cisco Secure ACS Remote Agent for Windows Server with the following Microsoft security patches installed:
• MS03-026
• MS03-039
• MS03-041
• MS03-042
• MS03-043
• MS03-044
• MS03-045
Solaris Support for Remote Agent
The computer running Cisco Secure ACS Remote Agent for Solaris must use Solaris 2.8.
Supported Platforms for CiscoSecure Authentication Agent
For use of CiscoSecure Authentication Agent with Cisco Secure ACS 3.2, we support CiscoSecure Authentication Agent on the following client platform operating systems:
•Windows XP with Service Pack 1
•Windows 2000 Professional with Service Pack 3
On the following client platform operating systems, we do not support the use of CiscoSecure Authentication Agent with Cisco Secure ACS 3.2:
•Windows 98
•Windows 95
•Windows NT 4.0
Other Supported Devices and Software
For information about supported Cisco devices, external user databases, and other software, see Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Appliance Version 3.2. To see this document, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/
csapp32/2ap32sdt.htmKnown and Resolved Problems
This section contains information about the following topics:
• Known Problems in Cisco Secure ACS Version 3.2.3
• Resolved Problems in Cisco Secure ACS Version 3.2.3
• Resolved Problems in Cisco Secure ACS Version 3.2.2
• Resolved Problems in Cisco Secure ACS Version 3.2.1
Cisco AAA Client Problems
Refer to the appropriate release notes for information about Cisco AAA client problems that might affect the operation of Cisco Secure ACS. You can access these release notes online at the following URLs.
Cisco Aironet Access Point
http://www.cisco.com/univercd/cc/td/doc/product/wireless/
Cisco BBSM
http://www.cisco.com/univercd/cc/td/doc/product/aggr/bbsm/
Cisco Catalyst Switches
http://www.cisco.com/univercd/cc/td/doc/product/lan/
Cisco IOS
http://www.cisco.com/univercd/cc/td/doc/product/software/
Cisco Secure PIX Firewall
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/
Cisco VPN 3000 Concentrator
http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/
http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3002/
Cisco VPN 5000 Concentrator
http://www.cisco.com/univercd/cc/td/doc/product/aggr/vpn5000/
Known Problems in Cisco Secure ACS Version 3.2.3
Table 3 describes problems known to exist in this release.
Note•A "—" in the Explanation column indicates that no information was available at the time of publication. You should check the Cisco Software Bug Toolkit for current information. To access the Cisco Software Bug Toolkit, go to http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl. (You will be prompted to log into Cisco.com.)
•Bug summaries and explanations in Table 3 are printed word-for-word as they appear in our bug tracking system.
Table 3 Known Problems in Cisco Secure ACS Appliance, Version 3.2.3
Bug ID Summary ExplanationCSCef61117
ACS on 2003 huge performance impact when writing to registry
Cisco Secure ACS 3.2.3 or 3.3 running on Windows 2003 Standard and Enterprise edition may cause huge delay when writing to the registry.
Therefore when more than six operations write to the Microsoft registry, a failure may occur. Refer to the field notices on Cisco.com for more details.
CSCdv35872
Insufficient length for NDS context entry
When a Novell NDS database configuration in Cisco Secure ACS has a context list greater than 4095 characters long, editing the NDS configuration page results in incorrect HTML in the browser interface.
Workaround/Solution: Use a context list no longer than 4096 characters.
CSCdv86708
HTTP Port Allocation is not replicated
Changes to HTTP Port Allocation settings do not appear to replicate. After the HTTP Port Allocation settings are changed on the Access Policy Setup page in the Administration Control section on the primary Cisco Secure ACS server and replication succeeds, the secondary Cisco Secure ACS server does not display the changes to the HTTP Port Allocation settings in the HTML interface.
Workaround/Solution: The changes to the HTTP Port Allocation settings do replicate successfully; however, to see the changes on the secondary Cisco Secure ACS, restart the CSAdmin service.
CSCdy51214
fail to delete aaa server when its in sync table/aaa server side
A AAA server cannot be deleted from the "(Not Assigned) AAA Servers" table in Network Configuration if the Synchronize"= list under Synchronization Partners on the RDBMS Synchronization Setup page is empty. An error message "x.x.x.x can not be deleted since it is an synchronization partner" appears.
Workaround/Solution: Move any other AAA server to the Synchronize list, then delete the AAA server.
CSCdy59706
CAA messaging wont work with ppp callback and callin authentication
When having ppp callback and only callin is authenticated (ppp authentication pap chap callin), then messaging to the CAA client will fail with all aging rules selected in ACS.
This is a documentation bug, the above won't work without changes.
Workaround/Solution: Either remove the "callin" keyword to enable authentication for callin and callout (callback in this scenario), or disable callback altogether.
CSCdx19854
Memory check for certificates in https transport is required
When you select the "Use HTTPS Transport for Administration Access" check box on the Access Policy page and more than two HTTPS sessions are active, the following error is presented:
Can't initialize HTTPS transport: too many active HTTPS sessions
SSL Admin design does not enforce a restriction that prevents the modification of Cisco Secure ACS certificates so that there are not more than two certificates in memory at once.
Instead Cisco Secure ACS prevents the initialization of HTTPS when more than two HTTPS sessions are in use.
Workaround/Solution: Reduce the number of concurrent administrative sessions to two or one before attempting to enable HTTPS using the new certificate.
CSCdz06719
Support cmd allows illegal values
On the Cisco Secure ACS Appliance command-line interface, the support command accepts illegal values at various prompts. For example, the "Enter FTP Server Hostname or IP Address" prompt accepts IP addresses that are not valid.
Workaround/Solution: Be careful to respond to prompts with valid responses. For guidance with the use of the support command and its prompts, see the "Obtaining Support Logs via the Serial Console" procedure in Installation and Setup Guide for Cisco Secure ACS Appliance.
CSCdz61454
FTP Restore button is not working on Solaris
When the administrative browser is Netscape 7.0 on Solaris 8.0, clicking the Restore button in the Cisco Secure ACS HTML interface has no effect.
Workaround/Solution: Use a supported Windows browser or, if you are using Cisco Secure ACS Appliance, use the restore command on the system console for the appliance.
CSCdz61464
Solaris Netscape 7.0 - Minor Features Failure
When the administrative browser is Netscape 7.0 on Solaris 8.0, some menus in the HTML interface for Cisco Secure ACS do not work properly.
Workaround/Solution: Use a supported Windows browser.
CSCdz61529
Netscape hangs on several times during login session on Solaris
When you use Netscape 7.0 to access the HTML interface of Cisco Secure ACS, the browser stops responding after you access the User Setup page or while trying to add a shared profile component.
Workaround/Solution: Use a supported Windows browser.
CSCdz61875
Configured Default Proxy Distribution Entry is not restored
If you configure the (Default) of "Proxy Distribution Table" in "Network Configuration" after backed up. Previously settings before backup are not restored. Example...
•Change the configuration of "Send Accounting Information" in "Proxy Distribution Table" to "Local/Remote" from "Local".
•Backup ACS Server
•Change that value to "Local" from "Local/Remote".
•Restore the ACS Server using backup data of 1:.
•That value is restored as "Local" not "Local/Remote".
Workaround: There is no workaround.
CSCdz73781
Netscape browser on WinNT pointing ACSAppliance is not stable
When you use Netscape 7.0 on Windows to access the HTML interface of Cisco Secure ACS, the browser may stop responding, often while using 99% of CPU time.
Workaround/Solution: Use Task Manager to stop Netscape. Use a supported Internet Explorer browser to access the HTML interface.
CSCdz74860
Cannot delete if Radius and AAA have same self IP
If you add a AAA server entry that is defined as a RADIUS server that has the same IP address as the AAA server entry that represents the Cisco Secure ACS itself, you cannot delete the new RADIUS server entry. Cisco Secure ACS appears to identify this second entry as its self-entry though it is not.
Workaround/Solution: None at this time.
CSCdz86955
Cannot remove shell authorization from groups display
Shell command authorization remains in the User Setup and Group Setup sections of the HTML interface, even after shell command authorization is disabled in Interface Configuration and the feature is not in use.
Workaround/Solution: None at this time.
CSCea00431
Appliance AAA Server entry does not exist after install
After using the recovery CD to restore the appliance harddrive to the original image, Cisco Secure ACS does not have a AAA server table entry for itself in the Network Configuration section.
Workaround: Create a AAA server entry that corresponds to the appliance. The AAA server name may appear as "Self" rather than the name you specify.
CSCea24309
RADIUS (Ascend) page is empty
In the Interface Configuration section of the HTML interface, the page for RADIUS (Ascend) may not display any Ascend RADIUS attributes even though a AAA client entry in Network Configuration is configured to use RADIUS (Ascend).
Workaround: Restart the CSAdmin service.
CSCea25090
Logged In User not showing after going into enable mode on router
With AAA Accounting for exec sessions configured on a NAS, a user shows up in the Logged-In User report on Cisco Secure ACS. With Accounting also configured for going into enable mode, the user no longer appears in the Logged-In User report after authenticating successfully.
Cisco Secure ACS tracks user sessions by IP address and port number. When enable authentication succeeds, Cisco Secure ACS sees that the IP address and port number combination for the existing session have been reused and assumes that the accounting stop packet was not sent or was lost; therefore, the user session is removed from the Logged-In User report even though the session continues in enable mode.
Because the NAS cannot be configured to send new accounting start packets when the enable mode is entered, the Logged-In User report cannot correctly report the user session as ongoing.
Workaround: None.
CSCea28562
Restore deleted Self AAA Server
When you restore the system database for Cisco Secure ACS Appliance, the AAA Servers table entry that represents the appliance itself is deleted.
Workaround/Solution: Recreate the self entry manually after performing a system restoration.
CSCea50039
T+ authentication errors when stressing TACACS func.
Under heavy TACACS+ authentication load, Cisco Secure ACS incorrectly fails authentication for a very small number of TACACS+ authentication requests. In testing, less than one hundredth of one percent of TACACS+ authentication requests were incorrectly failed.
Workaround/Solution: If you have more than one Cisco Secure ACS server available for TACACS+ authentication, distribute TACACS+ authentication load as evenly as possible to all Cisco Secure ACS servers.
CSCea55457
Radius Attributes do not appear in user/group profile page
After you enable RADIUS attributes in the Interface Configuration section of the Cisco Secure ACS HTML interface, they do not appear or appear only partially in Group Setup or User Setup, as applicable.
Workaround/Solution: Restart the CSAdmin service.
CSCea60497
no msg in rdbms log on the sync partner about the sync operation
When a Cisco Secure ACS Appliance receives RDBMS Synchronization data from a primary ACS, the RDBMS Synchronization log on the secondary ACS does not record the synchronization event, regardless of success or failure.
Workaround/Solution: None at this time. You may be able to deduce when synchronization occurred and whether it succeeded by reading the synchronization logs and reviewing the RDBMS Synchronization configuration on the primary ACS.
CSCea62226
CSAgent (solaris) - appliance present the RA as running while is not
The HTML interface of a Cisco Secure ACS Appliance indicates that the logging service of a Solaris remote agent is available even though it is not. For Solaris remote agents, the service status displayed for the remote agent in Network Configuration is not reliable.
Workaround/Solution: Log into the computer running the Solaris remote agent to determine if the CSLogAgent process is running.
CSCea66355
Login prompt displayed too early when upgrade via CLI
When you apply an upgrade to a Cisco Secure ACS appliance using the upgrade command at the serial console command prompt, you erroneously receive a Login prompt just before the appliance reboots itself.
Workaround/Solution: None. The appliance reboots after the Login prompt. After the reboot is complete, you can login normally.
CSCea67901
UCP has trouble with dots in usernames
When using the User changeable passwords utility to change the passwords for the usernames which contain dot (".") character, after clicking on one of the links on the top, the links at the top in the subsequent screen contain only the part of the username before the dot.
Workaround: Edit the passwd.htm and result.htm files in the cgi-bin directory to comment out the table with the links - so that the users would not be able to get confused.
CSCea71759
Headline of UCP application stating Cisco Secure ACS
The web pages of the User-Changeable Passwords (UCP) utility have titles and headings that suggest that the user is logging into Cisco Secure ACS for an administrative session. This is not possible from UCP and the headings and titles are erroneous.
Workaround/Solution: Educate users about the function of UCP or modify the HTML file contents to change the misleading titles and headings.
CSCea74269
CSAdmin issue when downloading upgrade via GUI and https is in use
If HTTPS is enabled for administrative access to the HTML interface, you cannot transfer an upgrade package to a Cisco Secure ACS appliance. The transfer fails with an "Action canceled" message.
Workaround/Solution: Temporarily disable HTTPS before transferring the upgrade package.
CSCea74289
cascade replication due to user pass change-dont work
Cascading replication does not occur when the replication trigger is user password change and the primary Cisco Secure ACS is configured to perform replication manually.
Workaround/Solution: Use scheduled replication on the primary Cisco Secure ACS.
CSCea87748
Downloadable ACLs deleted and downsized after backup via CLI
If your Cisco Secure ACS Appliance has downloadable ACLs defined that have more than approximately 31 kilobytes of text in them and you use the system console to backup and restore the database, the downloadable ACLs are truncated to approximately 31 kilobytes or are deleted entirely.
Workaround/Solution: Do not create downloadable ACLs that contain more than 30 kilobytes of data; or, if this is unavoidable, keep text file records of the ACLs so that, if a restoration performed from the system console is necessary, you can recreate the downloadable ACLs.
CSCea91690
Event Viewer errors on startup/shutdown in .NET
On Windows .Net Server 2003 shutdown and startup you may see errors that falsely indicate that Cisco Secure ACS service have failed. At startup, you may see a dialog box indicating that a service, such as CSLog, encountered a problem and needs to close. The same error logged to Event Viewer, as in the following example:
Reporting queued error: faulting application CSLog.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
The problem is that in Windows Server 2003, the Service Manager queries the Cisco Secure ACS services status during startup and shutdown, but Cisco Secure ACS services may not have started yet or may have stopped already. Even though this is normal behavior for Cisco Secure ACS services, Windows perceives this as an error and logs it to the Event Viewer.
On startup, all errors from event viewer displayed to user, which is why, when users logs into Windows right after startup, they see errors from the previous login session.
This behaviour observed on Windows Server 2003 only.
Workaround: You can verify that Cisco Secure ACS services are running by using Control Panel.
CSCea91947
ACS will not authen Win2k users when NTLMv2 is enabled on network
Customer using NTLMv2 on their network for security will not allow Win2k users to authenticate through ACS.
If customer changes the NTLMv2 to NTLM then authentication works fine
CSCeb00443
ODBC logging settings appear after restore/replication from SW
After replicating from Cisco Secure ACS for Windows Server to a Cisco Secure ACS appliance or after using a backup file from the Windows version to restore the appliance version, ODBC logging settings may appear on the Logging page of the System Configuration section of the appliance HTML interface. This is erroneous because the appliance version does not support ODBC logging.
Workaround/Solution: None at this time.
CSCeb11207
rdbms sync dont get the first line in action file
RDBMS Synchronization fails when accountactions.csv has data on its first line.
Workaround/Solution: The first line of accountactions.csv should either be blank or contain column titles.
CSCeb11691
SPC names are limited to 31 characters in size
SPC names are limited to 31 characters in size not 32 as the doc below specifies.
http://www.cisco.com/en/US/products/sw/secursw/
ps2086/products_user_guide_chapter09186a00800
d9e6b.htmlCSCeb14972
appliance ip is 0.0.0.0 after recovery & upgrade
After you apply an upgrade to a Cisco Secure ACS appliance, a AAA client entry may appear in Network Configuration that has the same name as the appliance but has the IP address 0.0.0.0.
Workaround/Solution: Delete the AAA client entry erroneously created by the upgrade process.
CSCeb15110
appliance name doesn't appear in dist table, rdbms sync table
After you upgrade a Cisco Secure ACS appliance, the Proxy Distribution Table in Network Configuration may be missing the entry that represents the appliance itself. You may also notice that the appliance entry is missing from the Synchronization Partners table on the RDBMS Sychronization page.
Workaround/Solution: None at this time.
CSCeb15219
Couldnt add NAS filter by CSDdsync
When you attempt to add a network access restriction using RDBMS Synchronization, action code 122 "ADD_NAS_ACCESS_FILTER" doesn't work. When you use the UN variable, the error message "The named user variable cannot be found" is logged even though the user exists in the CiscoSecure user database.
Workaround/Solution: Synchronization with action code 122 succeeds after you manually select the "Define IP based access restrictions" option in user profile.
CSCeb16968
ACS shared profile components disappear after ACS upgrade
After you upgrade Cisco Secure ACS, authorization support for Management Center (MC) applications, such as Management Center for Firewalls, fails. In the Shared Profile Components section of the Cisco Secure ACS HTML interface, each MC that has registered with Cisco Secure ACS has a set of pages for configuring authorization components. If you access a page for editing or adding authorization components, you see an error message about a missing XML file.
Workaround/Solution: You must use CiscoWorks to re-register all MCs with Cisco Secure ACS.
Log into the CiscoWorks desktop with admin privileges.
Go to Server Configuration > Setup > Security > Select Login Module. Configure CiscoWorks to use the CiscoWorks Local module, and then configure CiscoWorks to use the TACACS+ module.
Go to VPN Security Management Solution > Administration > Common Services > Configuration > AAA Servers. Unregister all MCs and then re-register all MCs.
Log out of CiscoWorks.
CSCeb21037
Windows Remote Agent un-install issue
Uninstalling Cisco Secure Remote Agent for Windows does not remove some subdirectories, such as those that contain log files.
Workaround/Solution: Manually delete the directories left by the uninstallation process.
CSCeb21053
rdbms sync on add nas-err on log while nas are been added
When you add a AAA client or AAA server to a Cisco Secure ACS appliance using RDBMS Synchronization, you may an error in the RDBMS Synchronization log that says the AAA client/Server was not added when in was added to the AAA client or AAA server tables in Network Configuration.
Workaround/Solution: None. You can confirm the addition of the AAA client or AAA server by viewing the AAA client and AAA server tables in the Network Configuration section of the HTML interface.
CSCeb21358
CSLogAgent could not be started when certain acct attr is selected
When an "unknown" attribute is added to the logging configuration on the
"Remote Logging Agent CSV RADIUS Accounting File Configuration" page in a Cisco Secure ACS appliance, remote agents that use the appliance as a configuration provider have difficulties starting CSLogAgent.
Workaround/Solution: Remove any "unknown" attributes from the RADIUS Accounting log configuration in the Cisco Secure ACS HTML interface.
CSCeb23766
Inconsistency with ACS response if username contains invalid chars
Radius usernames entered with invalid characters results in the ACS server not sending any response at all. This can cause the NAS to fail over to the configured secondary authentication method which may not be desirable.
Workaround: At the present time, TACACS authentication does not appear to have this same problem.
CSCeb36966
large number Windows groups causes ACS GUI timeout
When there is a large number of Windows groups (this was observed with 25000), the ACS http GUI connection times out.
Workaround/Solution: Force the Windows server that Cisco Secure ACS uses to retrieve the groups to cache the groups locally. Go into Active Directory Users and Groups on the computer running Cisco Secure ACS for Windows Server. If you are using Cisco Secure ACS Solution Engine, go into Active Directory Users and Groups on the computer running the Cisco Secure Remote Agent for Windows. In Active Directory, view all the groups. In Cisco Secure ACS, configure the mappings. This works because the server has cached the information.
CSCeb43948
Could not generate valid Password with password length => 9
If, in System Configuration > Local Password Management, you configure Cisco Secure ACS to require user passwords to be nine or more characters in length, Cisco Secure ACS generates "Could not generate valid Password" messages in the logs for the CSMon service. The message appears on the schedule you define for CSMon to test services. This has been verified as a problem on 3.1 and 3.2. Earlier versions were not tested, but likely have the problem.
Workaround: None.
CSCeb45624
NAR does not work comma separated source address
The documentation and the short help pages in the browser indicate that you can specify multiple IP addresses separated by commas for a source IP in the IP-based NAR section. This is not true. Any attempt to actually do so will result in Cisco Secure ACS ignoring the NAR config for the telnet connections to a router. This has been verified in ACS 3.2 and ACS 3.1.
Workaround: Do not use commas to separate multiple IP addresses in NARs.
CSCeb51393
multi-admin needs to be able to add/edit/delete downloadable ACLs
With multi-administrator tries to add/edit/delete downloadable acl under the shared profile components, after the first admin submitted any changes, the other administrator's ACS session got locked up.
Workaround: There is no workaround. Administrators must inform each other when he/she is working on the downloadable ACLs.
CSCeb58107
cisco-nas-port attribute should be included in VoIP accounting log
The cisco-nas-port attribute should be available in the VoIP accounting log.
CSCeb63032
SPC names are limited to 31 characters in size
SPC names are limited to 31 characters in size not 32 as the doc below specifies Section from the following link below : Note The name of a PIX ACL may contain up to 32 characters. The name may contain spaces; but it may not contain leading, trailing, or multiple spaces, or the following characters: - [ ] / - http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a00800d9e6b.html
CSCeb62898
Group mapping ordering applet is not properly ordered
In a newly created Windows group mapping configuration, group mappings list in the wrong order.
Workaround: On the page for ordering group mappings, order the group mappings and click Submit. As additional mappings are added, they appear properly at the end of the list of mappings.
CSCeb63188
database define with special chars permitted but unusable later
Symptom: ACS allows definition of a database with special characters in the name, like "Windows (test)" but on trying to actually use the database in the 'Selected Databases' column with 3.0.3 & 3.2, the error message is 'The selected DB search list is empty'. The software should not allow naming of a database when the name cannot be used.
Workaround: Do not use special characters in a database name.
CSCeb82133
PEAP re-keying type not logged to Failed log
—
CSCeb82136
ACL size 35K cannot be edited - The page cannot be displayed
If you create a downloadable ACL that is larger than 32KB (roughly 32,000 characters, including name and description), when you try to edit it later, the browser shows a "page cannot be displayed" error.
Workaround: Do not add or edit a downloadable ACL so that it is larger than 32KB.
CSCec00789
Calling-Station-ID attribute description inaccurate
In the user guide for Cisco Secure ACS, RADIUS IETF attribute 31, Called-Station-ID is inaccurately documented as only being supported for ISDN and modem calls for AS5200s. This is not true.
Cisco Secure ACS supports this attribute regardless of what type of AAA client sends it.
CSCec06340
acs is miscalculating the user-password when proxying
Symptom: in such a topology:
nas---> acs1 proxy ----> radius b
and when using the proxy distribution table to do the proxy.
when acs 3.1 and up is being used as a proxy server, when it re-calculates the user-password attribute in order to forward it to the end radius server, it miscalculates the user-password attribute. if the same pre-shared key is being used between acs1 and radius b, then in principal the same user-password should be calculated, but it's not and usually that user-password attribute gets same values as first couple of bytes of the original user-password while the rest are zeros.
This problem has been observed in acs 3.1 and 3.2 released versions. it also might be in 3.0.
This problem doesn't happen when proxying between 2 acs servers. it only happens between an acs server and some 3rd party server due to the way the password is calculated.
Workaround: instead of using proxy distribution table to do the proxy in acs 1, configure radius b as a "radius token server" in external databases, and configure unknown user policy on acs1 to check radius b. of course in that case on radius b you should configure acs 1 as a network device and give it the correct pre-shared secret configured in radius token server on acs1.
CSCec18522
PIX downloadable ACLs do not allow -; no pix object groups
The Cisco Secure ACS downloadable ACL feature does not allow hyphens, "-", in ACL definitions; however, the PIX Firewall access-list command has a "object-group" keyword. You cannot configure downloadable ACLs in Cisco Secure ACS using the object-group keyword.
Workaround: None at this time.
CSCec18573
Replication of VMS configurations requires restart of CSAdmin
VMS-specific attributes replicated to secondary Cisco Secure ACS are not available. This also prevents a CiscoWorks administrator from registering an application with the secondary Cisco Secure ACS.
Workaround: Restart the CSAdmin service. After this service is restarted, registration from CiscoWorks succeeds and the VMS configuration data replicated to the secondary Cisco Secure ACS is available in the HTML interface.
CSCec39523
Proxy ACS changes upper case letters to lower in username RADIUS att
Topology: NAS--proxy RADIUS ACS--authenticating RADIUS server
Symptom: If the NAS is sending a username (IETF attribute 1) in a RADIUS acces-request packet, which contains upper- and lower-case letters, the proxy ACS RADIUS will forward this access-request packet to the authenticating RADIUS server with all upper-case letters changed to lower-case letters
Conditions: This is observed only when prefix stripping is configured on the proxy RADIUS ACS and the username contains the prefix to be stripped by the proxy RADIUS ACS.
This is not observed when suffix stripping or no stripping takes place.
Workaround: Do not use upper-case letters in the username attribute, when performing prefix stripping
CSCec46370
Group mapping misbehavior
When an external RADIUS database attempts to specify a user's group using Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair, and the group number specified is "500", Cisco Secure ACS fails the user authentication and logs a seemingly unrelated error related to Group 100 and network access restrictions (even if no NARs are applied to the user). Specifying a group number larger than 500, such as 501, functions as expected, with the user assigned to the Default group.
RADIUS group specification requires that the assignment in the cisco-av-pairattribute use the following format:
ACS:CiscoSecure-Group-Id = N
where N is the Cisco Secure ACS group number (0 through 499) to which Cisco Secure ACS should assign the user.
Workaround: Ensure that the external RADIUS server database only specifies a group number between 0 and 499.
CSCec61110
authentications on secondary acs may fail after replication
Symptom: In environment where primary and secondary Cisco Secure ACS primary and secondary servers are kept in synch using the replication feature, user authentication may fail for users defined in an external database users and the Failed Attempts log will contain an "external DB not configured" error.
Conditions: This happens with certain external database types such as LDAP, NDS, and the various token server types. It can't happen with the Windows external DB. By configuring external databases in a different order on the primary and secondary Cisco Secure ACS servers, authentication fails on the secondary server for users defined in the databases configured in a different order. If external databases are configured in same order on primary and secondary servers, this does not happen. For example, if you configure two instances of LDAP external user databases on primary and secondary servers but configure them in different orders, after users are replicated, LDAP authentication attempts fail on the secondary server.
Workaround: For each database type involved in the problem, delete the external databases on all secondary servers and reconfigure them in the same order that they are defined on the primary server. If this fails, delete the affected external databases on the primary and secondary servers and reconfigure them.
CSCec63624
ACS 3.2 admin gui locks and displays action canceled message
If the Shell (exec) service is disabled in Interface Configuration > TACACS+ (Cisco IOS) and you attempt to access a group other than the default group, the Cisco Secure ACS HTML interface ends the administrative session.
Workaround: To start a new session, close the browser window, open a new browser window, and access the HTML interface again.
To permit access to groups other than the default group, enable the group-level Shell (exec) service in Interface Configuration > TACACS+ (Cisco IOS).
CSCec64143
Uninstalling Win Remote Agent when un-install terminates unexpected
When Windows Remote Agent uninstallation process terminates unexpectedly and the uninstallation process could not be completed, registry keys remain for the remote agent. Further attempts to install the remote agent will fail due to these registry keys.
Workaround: Use regedit to delete all Cisco Remote Agent entries. In the registry, search for "csagent" and "acs agent". Delete all matching entries. If they cannot be deleted, ignore them.
CSCec72911
2003-password aging page display issue
—
CSCec86357
Upgrade via GUI is effected when using CLI for certain operations
With Cisco Secure ACS Solution Engine, applying a patch or an upgrade using the HTML interface while also performing commands on the console can cause problems. For example, changing the hostname while applying a patch can cause the solution engine to fail.
Workaround: Be sure that no one is performing console commands while applying a patch or an upgrade using the HTML interface.
CSCec89440
Unable to edit some of the disabled accounts
The Disabled Accounts report in the Reports and Activity section of the Cisco Secure ACS HTML interface can behave oddly when you access it using an administrator account that doesn't have access to all groups.
If a page of the Disabled Accounts report has users belonging to groups that the administrator cannot access, the report doesn't allow the administrator to move to the next page of the report.
If a user account is configured to be assigned a group by the group mapping feature, the user account appears on the Disabled Accounts report even though the administrator only has access to specific groups.
Workaround: Access the Disabled Accounts report with an administrative account that has permission to access all groups.
CSCed01640
Memory leak in CSAuth caused with Leap-Proxy scenario
When you use LEAP proxy with Cisco Secure ACS under stress, the CSAuth service uses additional system memory and does not release the memory when the stress is removed from the system.
Workaround: Restart the CSAuth service.
CSCed08009
Directory / file management doesn't enforce exact number of files
When changing parameters in Log File Management on Appliance (config provider) Directory / file management doesn't enforce exact number of files:
Steps to reconstruct:
Set the size to greater than 100KB & Keep only the last 3 files.
Checked files are created every 100K & are limited to 3 files.
Change the upper limit of file number to 5, you should see that number of log files is not enforced as it did in the first step.
After running authentications you should get more than 5 log files to see that the new settings are not applied.
It happened on Passed Authentications & Failed Attempts.
It goes for other remote logging services as well.
CSCed12218
User Usage Quotas -limit user x hours of online time
—
CSCed23602
Docs unclear about rack mounting parts and procedure
The Installation and Setup Guide for Cisco Secure ACS Appliance provides inadequate details about how to assemble the rack mounting kit. Terminology used to refer to the cable support bracket and the cable tray clamp should be clarified. The procedure needs to be revised to more clearly express how the cable support bracket and cable tray clamp should be attached to the appliance, the rails, and each other.
Workaround: For clarification, refer to the following information.
The rack mount kit has four parts. These include two rails, a cable support bracket, and a cable tray clamp. In the product packaging, the cable support bracket may be separated from the other three rack mounting kit parts; however, the cable support bracket is essential for proper rack mounting.
The cable support bracket is C-shaped and has a screw on one end and a metal tab on the other. The cable tray clamp has a black plastic clamp that slides open and closed.
As you face the appliance from the rear, the cable support bracket should be attached to the left side of the appliance. Its tab must be inserted in the slot in the upper left corner of the rear of the appliance. To do so, you MUST remove the appliance cover, taking the appropriate safety precautions outlined in the documentation. The right side of the of the cable support bracket screws into the appliance. The screw hole is located at the bottom edge of the appliance rear panel.
Do not attach the cable tray clamp directly to the appliance. Instead, attach it to the right, rear corner of the cable support bracket and to the rail on the right, using the screws built into the cable tray clamp. Again, directions are relative to facing the rear of the appliance.
Note If you attempt to attach the cable tray clamp directly to the appliance, the ports on the rear of the appliance may be partially blocked or more difficult to access.
CSCed30876
radius proxy does not return ietf attr when using ios radius
—
CSCed39208
VU: Unable to auto provision with long username
—
CSCed40111
Session ends before Session timeout value
—
CSCed42437
RADIUS Proxy with Cisco PEAP operates only with RADIUS Aironet
—
CSCed42439
Active Directory via LDAP - Group Mappings skip first group
When Active Directory is configured as Generic LDAP and group mappings are configured, the first group in the LDAP directory is skipped.
CSCed59826
CSAdmin stops responding when editing java using netscape
—
CSCed61135
DOC - Certificate Signing Request for public CA
The Certificate Signing Request screen within ACS does not have fields required by public Certificate Authorities, but you can still obtain a proper CSR by using the following subject format:
CN=server.domain.com,c=US,S=State,L=City,o=Company, ou=Department
CSCed71133
All Other Combinations mapping ignored when group fetch fails
If the NT group fetch fails, ACS 3.2 will map a user to group 0 regardless of the setting of the All Other Combinations mapping.
Workaround: Fix the Microsoft permission problems that are causing the group fetch to fail. The user that runs the ACS services must have full read permission on any domain that ACS will be using for authentication.
CSCed77992
Action Code 211 doesnt return group settings to factory defaults
Action Code 211 doesn't work as documented.
Document states, this code "Resets a Group User record back to its original factory defaults". However some settings are not reset to factory defaults like Shell (exec) and No escape check boxes.
CSCed82937
Password attribute malformed to external RADIUS token database
When ACS receives a blank password from a user in an external RADIUS token database, it sends a malformed password attribute to the token RADIUS server - the attribute length is 2, but RFC 2865 dictates that the length will be between 18 to 130 characters, in multiples of 16.
CSCed92815
ACS Main page shows wrong copyright message - year 2003
Cisco Secure ACS Main 3.2.3 page shows a wrong Copyright message :
Copyright @2003 Cisco Systems, Inc.
The correct copyright statement for Cisco Secure ACS 3.2.3
Copyright @2004 Cisco Systems, Inc
CSCin45582
VMS2.2-BT:Shared Profile components are not overwritten
If you re-register a Management Center application with Cisco Secure ACS, Cisco Secure ACS retains the authorization settings from the previous registration rather than replacing them with default authorization settings.
Workaround: None.
Resolved Problems in Cisco Secure ACS Version 3.2.3
Table 5 describes problems resolved in Cisco Secure ACS Appliance, version 3.2.3.
Note Bug summaries in Table 5 are printed word-for-word as they appear in our bug tracking system.
Resolved Problems in Cisco Secure ACS Version 3.2.2
Table 5 describes problems resolved in Cisco Secure ACS Appliance, version 3.2.2.
Note Bug summaries in Table 5 are printed word-for-word as they appear in our bug tracking system.
Resolved Problems in Cisco Secure ACS Version 3.2.1
Table 6 describes problems resolved since the Beta release of Cisco Secure ACS Appliance, version 3.2.
Note Bug summaries in Table 6 are printed word-for-word as they appear in our bug tracking system.
Obtaining Documentation
Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation on the World Wide Web at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
International Cisco websites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription.
Registered Cisco.com users can order a single Documentation CD-ROM (product number DOC-CONDOCCD=) through the Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_tool_launch.html
All users can order annual or quarterly subscriptions through the online Subscription Store:
http://www.cisco.com/go/subscription
Click Subscriptions & Promotional Materials in the left navigation bar.
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
•Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:
http://www.cisco.com/en/US/partner/ordering/index.shtml
•Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).
Documentation Feedback
You can submit e-mail comments about technical documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883We appreciate your comments.
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour-a-day, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance. If you do not hold a valid Cisco service contract, please contact your reseller.
Cisco TAC Website
The Cisco TAC website ( http://www.cisco.com/tac) provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year.
Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:
http://tools.cisco.com/RPF/register/register.do
Opening a TAC Case
Using the online TAC Case Open Tool ( http://www.cisco.com/tac/caseopen) is the fastest way to open P3 and P4 cases. (P3 and P4 cases are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using the recommended resources, your case will be assigned to a Cisco TAC engineer.
For P1 or P2 cases (P1 and P2 cases are those in which your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.
To open a case by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447For a complete listing of Cisco TAC contacts, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
TAC Case Priority Definitions
To ensure that all cases are reported in a standard format, Cisco has established case priority definitions.
Priority 1 (P1)—Your network is "down" or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
•The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:
http://www.cisco.com/en/US/products/products_catalog_links_launch.html
•Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press online at this URL:
•Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:
•iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
•Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html
•Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:
http://www.cisco.com/en/US/learning/index.html
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Copyright © 2004 Cisco Systems, Inc. All rights reserved.
Posted: Wed Jul 13 00:20:14 PDT 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.