Table Of Contents
Release Notes for Cisco Secure ACS 4.1
Known Problems in ACS for Windows and the Solution Engine 4.1
Upgrade from the Trial version of ACS 4.1 to the ACS 4.1 First Customer Ship (FCS) version fails
Replication with Different Send and Receive Configurations
Problem with Accounting Records in the TACACS+ Administration Log
Known CLI Administrator Problem
Verifying the ACS Solution Engine CD Recovery Process
Known Caveats in ACS for Windows and the Solution Engine 4.1
Resolved Caveats in ACS for Windows and the Solution Engine 4.1
Known Caveats with ACS Solution Engine 4.1
Resolved Caveats in the ACS Solution Engine 4.1
Upgrading to a New Software Release
Supported Upgrades for ACS for Windows
Supported Migration Path for ACS for Windows
Unsupported Migration Path to ACS 4.1
New and Changed Information for the ACS Solution Engine 4.1
Installation Notes for the Solution Engine 4.1
Installing from ACS SE 1111 (HP) Recovery CD
Supported Migrations for ACS SE
Tested Windows Security Patches for ACS Remote Agent and ACS for Windows
Cisco Product Security Overview
Reporting Security Problems in Cisco Products
Product Alerts and Field Notices
Obtaining Technical Assistance
Cisco Technical Support & Documentation Website
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Release Notes for Cisco Secure ACS 4.1
March 2007
Full Build Number: 4.1.1.23
These release notes pertain to Cisco Secure Access Control Server, hereafter referred to as ACS version 4.1. These release notes contain information for the Windows and Solution Engine platforms. Where necessary, the appropriate platform is clearly identified.
Note The ACS release numbering system for software includes major release, minor release, maintenance build, and interim build number in the MMM.mmm.###.BBB format. For this release, the versioning information is Cisco Secure ACS 4.1.1.23. Elsewhere in this document where 4.1 is used, we are referring to 4.1.1. ACS major release numbering starts at 4.1.1, not 4.1.0. Use this information when working with your customer service representative.
Contents
These release notes provide information about:
•Known Problems in ACS for Windows and the Solution Engine 4.1
•Known Caveats in ACS for Windows and the Solution Engine 4.1
•Resolved Caveats in ACS for Windows and the Solution Engine 4.1
•Known Caveats with ACS Solution Engine 4.1
•Resolved Caveats in the ACS Solution Engine 4.1
•New and Changed Information for the ACS Solution Engine 4.1
•Installation Notes for the Solution Engine 4.1
•Cisco Product Security Overview
•Product Alerts and Field Notices
•Obtaining Additional Publications and Information
ACS New Features
ACS contains the following new and changed features:
•Improved Compliance Support—This release contains new ACS administrator permissions to improve password management and audit reports for regulatory compliance; for example, Sarbanes-Oxley (SOX). ACS includes the following capabilities for:
Authentication:
–Forcing periodic change of administrator's password.
–Applying password structure policy.
–Forcing administrator's password change for inactive account.
–Preventing the reuse of old password (password history).
–Disabling administrator accounts for inactivity.
–Disabling administrator accounts after failed logins.
–Allowing ACS administrators to change their own passwords.
Audit and Reporting:
–Logging all administrative actions via system logging (syslog), in addition to existing logging targets.
–Controlling administrators' access to log file configuration to prevent specific audit logging from being disabled.
–Adding new reports for administrators privileges.
Authorization: Providing a read-only privilege for users and groups.
•External database support for MAC Authentication Bypass—The ability to maintain MAC address lists in an external LDAP server and map MAC addresses to user groups.
•Improved diagnostics and error messages—Improved diagnostic information about certificate mismatches with HCAP and GAME servers. The raw dump of GAME and HCAP messages is in a readable format and the authentication failure codes are now more intuitive.
•PEAP/EAP-TLS Support—The authenticator side of PEAP/EAP-TLS as a protocol enhancement is now included. ACS can now authenticate clients with PEAP by using EAP-TLS as the phase-two inner method, and enables certificate-based authentication to occur within a secure tunnel, encrypting identity information. Since EAP-TLS normally relies on client-side certificates for authentication, the PEAP tunnel will protect the client's certificate content.
•Logging and Reporting Extensions—New internal mechanisms for logging now create consistent log levels and improved performance. ACS now supports syslog and the capability to log ACS messages to remote servers that support the syslog standard.
•Multiple concurrent logging destinations—You can send Log data to multiple destinations simultaneously.
•Enhanced remote agent support for logging—Reports that were previously available only locally, including log files from previous versions, can now be exposed externally; for example, audit reports can be sent to a remote agent from an appliance.
•RADIUS AES Key Wrap Functionality—This feature supports a secure, certified mode of operation, notably in a Federal Information Processing Standard (FIPS)-compliant wireless solution. RADIUS Key Wrap support with EAP-TLS authentication in ACS is another step toward satisfying the set of security requirements in practical, deployable, and interoperable secure solutions from Cisco Systems. In this mode, AES key wrap replaces the MD5-based key hiding of standard RADIUS.
•Cisco NAC support—ACS 4.1 acts as a policy decision point in NAC deployments. By using configurable policies, it evaluates and validates the credentials that it receives from the Cisco Trust Agent (posture), determines the state of the host, and sends a per-user authorization to the network-access device: ACLs, a policy based access control list, or a private VLAN assignment. Evaluation of the host credentials can enforce many specific policies, such as OS patch level and antivirus DAT file version. ACS records the policy evaluation result for use with monitoring systems. Before granting network access, ACS 4.1 also allows third-party Audit Vendors to audit hosts without the appropriate agent technology. ACS policies can be extended with external policy servers to which ACS forwards posture credentials. For example, credentials specific to an antivirus vendor can be forwarded to the vendor's antivirus policy server, and audit policy requests can be forwarded to third-party audit products.
–GAME Group Feedback—This feature provides the ability to authorize a host based on checking the device-type categorization returned from authentication as a user-group against an audit server.
–Expanded agentless support—This feature adds support for auditing agentless hosts connected to a Layer 2 Network Access Device (NAD). The agentless host is admitted to a quarantined network where it can receive an IP address and only then instantiate the audit. When instantiated, the audit will continue as with a regular Layer 3 host.
•Extended replication components—Improved and enhanced replication components are now available. Administrators now can replicate:
–Posture validation settings.
–Additional logging attributes.
•Audit support for MAC Authentication Bypass —Audit processing has been enhanced to include MAC Authentication Bypass (MAB). MAB enables double-checking an audit request against a MAC authentication policy and an Audit Policy, and combines the evaluation of these two policies.
•Audit Verification of MAC Exceptions — You can apply MAC exceptions to Network Admission Control (NAC) audit requests. Dual verification of endpoints is then possible. You can check whether the user group (which signifies the device type) that the agentless request processing returns matches the device type that the audit server returns, and you can define a policy for handling mismatches.
•Japanese Microsoft Windows Support—New support for the Japanese version of Microsoft Windows 2003 at the service pack level is available. The ACS web interface can run on browsers running the Japanese version of the Windows operating system. In addition, the ACS for Windows software can run on a Windows server running the Japanese version of the Windows operating system.
Note We do not support distributed ACS deployments in a Network Address Translation (NAT) environment.
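The syslog and multiple-destination logging features above make ACS records consumable by external detection tooling. The following is an added example, not code from Cisco or from these release notes: a small Python parser that reassembles multi-segment syslog records, counts failed authentications per user and NAS, and flags administrative actions that touch logging configuration (the audit-tampering case the administrator log-configuration control is meant to catch). The line layout (tag, message id, segment total and segment number, then comma-separated key=value pairs) and all tag and field names are assumptions modeled on the ACS 4.x remote syslog format; the sample lines are constructed.

```python
"""Reassemble and triage ACS-style syslog records (added example; format assumed)."""
import re
from collections import defaultdict

# Constructed sample lines. The shape (tag, message id, segment total, segment
# number, comma-separated key=value pairs) is an assumption modeled on the
# ACS 4.x remote syslog format; tags and field names are not from the notes.
SAMPLE_LINES = [
    "Mar 12 10:01:05 acs01 CisACS_02_FailedAuth 1a2b3c01 1 0 Message-Type=Authen failed,User-Name=bob,NAS-IP-Address=10.0.0.5,Authen-Failure-Code=Wrong password",
    "Mar 12 10:01:07 acs01 CisACS_02_FailedAuth 1a2b3c02 1 0 Message-Type=Authen failed,User-Name=bob,NAS-IP-Address=10.0.0.5,Authen-Failure-Code=Wrong password",
    "Mar 12 10:01:09 acs01 CisACS_02_FailedAuth 1a2b3c03 1 0 Message-Type=Authen failed,User-Name=bob,NAS-IP-Address=10.0.0.5,Authen-Failure-Code=Wrong password",
    "Mar 12 10:01:11 acs01 CisACS_01_PassedAuth 1a2b3c04 1 0 Message-Type=Authen OK,User-Name=alice,NAS-IP-Address=10.0.0.6",
    # A long administrative-audit record split across two syslog segments.
    "Mar 12 10:02:00 acs01 CisACS_05_Administ 1a2b3c05 2 0 Message-Type=Admin action,Administrator-Name=admin,Action=Disable logging,",
    "Mar 12 10:02:00 acs01 CisACS_05_Administ 1a2b3c05 2 1 Target=TACACS+ Administration,Result=OK",
]

HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+(?P<tag>CisACS_\S+)\s+"
    r"(?P<msgid>[0-9a-f]+)\s+(?P<total>\d+)\s+(?P<seq>\d+)\s+(?P<body>.*)$"
)


def reassemble(lines):
    """Join multi-segment records by message id; return a list of (tag, fields)."""
    segments = defaultdict(dict)   # msgid -> {segment number: body}
    meta = {}                      # msgid -> (tag, segment total), insertion ordered
    for line in lines:
        m = HEADER.match(line)
        if not m:
            continue
        msgid = m["msgid"]
        segments[msgid][int(m["seq"])] = m["body"]
        meta[msgid] = (m["tag"], int(m["total"]))
    records = []
    for msgid, (tag, total) in meta.items():
        parts = segments[msgid]
        if len(parts) != total:
            continue  # incomplete record: do not guess at the missing fields
        body = "".join(parts[i] for i in range(total))
        fields = {}
        for kv in filter(None, body.split(",")):
            key, _, value = kv.partition("=")
            fields[key.strip()] = value.strip()
        records.append((tag, fields))
    return records


def failed_auth_counts(records):
    """Count failed authentications per (user, NAS) pair."""
    counts = defaultdict(int)
    for tag, fields in records:
        if tag == "CisACS_02_FailedAuth":
            counts[(fields.get("User-Name"), fields.get("NAS-IP-Address"))] += 1
    return dict(counts)


def audit_log_tampering(records):
    """Return administrative actions whose Action field mentions logging."""
    return [fields for tag, fields in records
            if tag == "CisACS_05_Administ" and "logging" in fields.get("Action", "").lower()]


if __name__ == "__main__":
    recs = reassemble(SAMPLE_LINES)
    print(failed_auth_counts(recs))
    print(audit_log_tampering(recs))
```

Incomplete multi-segment records are dropped rather than parsed partially, so a detection rule never fires on half a record; in production you would keep them pending until the remaining segments arrive.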
Product Documentation
The following product documentation is available for ACS 4.1:
Table 1 Product Documentation
Documentation Guide for Cisco Secure ACS 4.1
•Printed document with the product.
•PDF on the product CD-ROM.
•On Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps5338/prod_release_notes_list.html
•Orderable; see Obtaining Documentation.

Release Notes for Cisco Secure ACS 4.1
New features, documentation updates, and resolved problems. Available on Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_notes_list.html

Product online help
Help topics for all pages in the ACS web interface. Select an option from the ACS menu; the help appears in the right pane.

User Guide for Cisco Secure ACS 4.1
ACS functionality and procedures for using the ACS features. Available in the following formats:
•By clicking Online Documentation in the ACS navigation menu. The user guide PDF is available on this page by clicking View PDF.
•PDF on the ACS Recovery CD-ROM.
•On Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_list.html

Supported and Interoperable Devices and Software Tables for Cisco Secure ACS 4.1
Supported devices and firmware versions for all ACS features. Available on Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_device_support_tables_list.html

Installation and User Guide for User Changeable Passwords 4.1
Installation and user guide for the user-changeable password add-on. Available on Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_installation_guides_list.html

Configuration Guide for Cisco Secure ACS 4.1
Provides step-by-step instructions on how to configure and deploy ACS. Available on Cisco.com:

Installation Guide for Cisco Secure ACS 4.1 Windows
Details on installation and upgrade of ACS software and post-installation tasks. Available in the following formats:
•PDF on the ACS Recovery CD-ROM.
•On Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_installation_guides_list.html

Installation Guide for Cisco Secure ACS Solution Engine 4.1
Details on ACS SE 1112 and ACS SE 1113 hardware and hardware installation, and initial software configuration.
•PDF on the ACS Recovery CD-ROM.
•On Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps5338/prod_installation_guides_list.html

Regulatory Compliance and Safety Information for Cisco Secure ACS Solution Engine 4.1
Translated safety warnings and compliance information.
•Printed document with the product.
•PDF on the ACS Recovery CD-ROM.
•On Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps5338/prod_installation_guides_list.html
•Orderable; see Obtaining Documentation.

Installation and Configuration Guide for Cisco Secure ACS Remote Agents
Installation and configuration guide for ACS remote agents for remote logging.
•PDF on the ACS Recovery CD-ROM.
•Available on Cisco.com:
Note Some of the preceding documents are in PDF format. You need the Adobe Acrobat Reader to open these files.
Security Advisory
Cisco issues a security advisory when security issues directly impact its products and require action to repair. For the security advisories that apply to Cisco Secure ACS, including the Cisco Security Advisory: Multiple Vulnerabilities in Cisco Secure Access Control Server, see:
http://www.cisco.com/en/US/products/products_security_advisories_listing.html
Known Problems in ACS for Windows and the Solution Engine 4.1
The problems in this release are:
•Upgrade from the Trial version of ACS 4.1 to the ACS 4.1 First Customer Ship (FCS) version fails
•Replication with Different Send and Receive Configurations
•Problem with Accounting Records in the TACACS+ Administration Log
•Known CLI Administrator Problem
•Verifying the ACS Solution Engine CD Recovery Process
Cisco AAA Client Problems
Refer to the appropriate release notes for information about Cisco AAA client problems that might affect the operation of ACS. You can access these release notes online at Cisco.com. For NAC-specific client problems, go to http://www.cisco.com/go/nac.
Known Microsoft Problems
Due to a defect in the Microsoft PEAP supplicant provided in the Windows XP Service Pack 2, the PEAP supplicant cannot reauthenticate successfully with ACS. Cisco has opened case SRX040922603052 with Microsoft on this issue. Customers who are affected by this problem should open a case with Microsoft and reference the Cisco case ID. Microsoft has prepared hotfix KB885453, which resolves the issue. The hotfix is available on the Microsoft website.
Note ACS for Windows only. When ACS runs on a domain controller and you need to authenticate users with a Windows user database, you must take additional configuration steps; see the Installation Guide for Cisco Secure ACS 4.1 Windows for post-installation steps regarding Windows NT LAN Manager (NTLM). A Microsoft hotfix may be required, depending on your configuration.
Upgrade from the Trial version of ACS 4.1 to the ACS 4.1 First Customer Ship (FCS) version fails
The upgrade from the trial version of ACS 4.1 to the ACS 4.1 FCS version fails after the evaluation period has expired. To work around this:
1. Perform a system backup on the expired ACS trial version. The backup functionality in CSAuth remains operational after the evaluation period expires.
2. Retain the system backup dump file.
3. Uninstall the trial version.
4. Install the unrestricted FCS version.
5. Restore the system backup dump file on the installed FCS version.
Note The upgrade problem applies only to the software evaluation version of ACS 4.1.
Replication with Different Send and Receive Configurations
The user guide states that the primary ACS compares the list of database components that it is configured to send with the list of database components that the secondary ACS is configured to receive. If the secondary ACS is not configured to receive any of the components that the primary ACS is configured to send, the database replication fails.
This information is not correct (bug CSCsg93907).
The primary ACS first synchronizes with the secondary ACS, and sends only the components that the secondary ACS is configured to receive. The primary ACS does not send components that the secondary ACS is not configured to receive, even if you configure the primary ACS to send those components. Thus, database replication does not fail when different send and receive configurations exist on the primary and secondary ACS.
Problem with Accounting Records in the TACACS+ Administration Log
After upgrading to ACS 4.1, TACACS+ Command Accounting no longer works. No accounting records are visible in the TACACS+ Administration log (bug CSCsg97429).
Command accounting is configured on the Network Access Server (NAS). No records are visible in the TACACS+ Administration log file after entering commands on the NAS. Debugs on the NAS show the records being sent, and they do arrive at the ACS server; but, the appropriate log file is not updated.
The following patch resolves this issue.
Click this link if you are using ACS for Windows: http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-win-3des?psrtdcat20e2 and download:
•ACS-4.1.1.23-CSTacacs-SW-CSCsg97429.zip
•ACS-4.1.1.23-CSTacacs-SW-CSCsg97429-Readme.txt
Click this link if you are using ACS Solution Engine: http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-soleng-3des?psrtdcat20e2 and download:
applAcs_4.1.1.23_ACS-4.1-CSTacacs-CSCsg97429.zip
Known CLI Administrator Problem
The CLI administrator account that you use over the serial connection has no web interface login of its own. If you do not set up a GUI account for the CLI administrator by using the add-guiadmin command, the CLI administrator cannot access the SE web interface from a browser.
To add a GUI account that the CLI administrator can use, enter the add-guiadmin command at the CLI:
add-guiadmin [admin] [password]
Verifying the ACS Solution Engine CD Recovery Process
After you remove the recovery CD from the drive, and press Enter, the system reboots, and displays system version information. The ACS Solution Engine recovery process is complete and the Solution Engine is operational when the following information appears on your console.
Cisco Secure ACS: 4.1.1.16
Appliance Management Software: 4.1.1.16
Appliance Base Image: 4.1.1.4
CSA build 4.0.1.543.2: (Patch: 4_0_1_543)
Status: Appliance is functioning properly
Note If only the login prompt appears you must reboot the Solution Engine.
For detailed information on the Solution Engine CD recovery process, see the Installation Guide for Cisco Secure ACS Solution Engine 4.1.
Known Caveats in ACS for Windows and the Solution Engine 4.1
Table 2 contains known caveats in ACS for Windows and the Solution Engine 4.1.
Resolved Caveats in ACS for Windows and the Solution Engine 4.1
Table 3 contains the resolved caveats for the ACS 4.1 release. Check the Bug Navigator on Cisco.com for any resolved bugs that might not appear here.
Table 3 Resolved Caveats in ACS Windows and the Solution Engine 4.1
CSCsc43287
Summary: Replication: Administration Control > Access Policy. Port allocation not replicated.
Explanation: The port allocation settings are now replicated. For detailed information, see the User Guide for Cisco Secure ACS 4.1.

CSCsc41129
Summary: CSAuth experiences exceptions during EAP-TLS stress testing against an LDAP external database over secure sockets layer (SSL) connections.
Explanation: CSAuth no longer experiences exceptions or failures after stress testing EAP-TLS authentications with an LDAP external database over SSL connections.

CSCsc39979
Summary: Updating a NAP deletes the external user from the Logged All Users report.
Explanation: External users related to the NAP are no longer deleted from the Logged All Users report.

CSCef85314
Summary: Group DACL is downloaded even though the user's NAF does not match.
Explanation: The ACL and NAF features now work as documented in the User Guide for Cisco Secure ACS 4.1.

CSCsc06942
Summary: Script interface fails the 1,000-byte limit at the Layer 2 level.
Explanation: This issue is relevant only for unfragmented messages in tunneled protocols (Microsoft PEAP, Cisco PEAP, and EAP-FAST). Unfragmented tunneled EAP messages must not exceed a total length of 1,002 bytes.

CSCsc00788
Summary: Password change is not supported in Generic Token Card (GTC) against a Windows database.
Explanation: Password change is supported in EAP-GTC against a Windows database. To enable the password change, perform the following steps:
1. Mark the password in Windows as must change password at the next logon.
2. Run EAP-FAST with GTC as the inner method and ensure that the changed password works.

CSCsb25151
Summary: When a AAA client has multiple IP addresses, NAF for downloadable ACLs fails.
Explanation: NAF for downloadable ACLs no longer fails for AAA clients with multiple IP addresses.

CSCsa79327
Summary: Authentications fail for users whose passwords contain the Euro symbol (€).
Explanation: Authentication no longer fails for users whose passwords contain the Euro symbol.

CSCeh24979
Summary: Users fail to authenticate after an upgrade when attempting to access an obsolete (no longer used) database.
Explanation: Users now authenticate after an upgrade, even when attempting to access an obsolete database.

CSCeh10491
Summary: Authentication errors on timeout waiting for local logging.
Explanation: Authentication errors due to logging timeouts no longer occur.

CSCeb78551
Summary: When handling a LEAP RADIUS proxy between a front-end ACS server and a back-end ACS server, problems arise if the configuration is not correct.
Explanation: You must incorporate the required configuration settings to use this feature successfully. For detailed information, see the User Guide for Cisco Secure ACS 4.1: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_list.html

CSCsc69976
Summary: Local logging file size and days do not appear after a change in the GUI.
Explanation: Local logging file size and days now appear after a change in the GUI.

CSCsc27168
Summary: User authentication succeeds even though a database is not selected.
Explanation: Before deleting an external database configuration, ensure that it is not used in any NAP.

CSCsb72286
Summary: ACS RADIUS proxy uses the legacy RADIUS port 1645, not the current standard port 1812.
Explanation: ACS can now proxy to other AAA servers that listen on different ports.

CSCeh37907
Summary: Duplicate IP addresses are assigned due to reordered Accounting Stop packets.
Explanation: Duplicate IP addresses are no longer assigned.

CSCsc41673
Summary: CSAuth fails after importing an Airespace NAS.
Explanation: This problem has been fixed in the most recent version of ACS.

CSCeh35121
Summary: Local logging stopped working after ODBC logging was removed.
Explanation: Local logging continues to work after ODBC logging is removed.

CSCsc95237
Summary: ACS services do not start after upgrading from 3.x to 4.1.1.
Explanation: A trailing space was found in the IP address of a network device. This caused the database conversion process to fail, which prevented ACS services from starting after the upgrade. Use the registry editor to remove the trailing space; ACS services will then start after the upgrade.

CSCsc72958
Summary: ACS documentation does not indicate that IP NAR requires attribute 31 (RADIUS Calling-Station-Id).
Explanation: The User Guide for Cisco Secure ACS 4.1 has been updated with the correct information: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_list.html

CSCsf11031
Summary: Upgrading to ACS 4.1 from a patched ACS does not implement the Critical Logger.
Explanation: You do not need the patch. The critical logging function is introduced in ACS 4.1. When you upgrade from ACS 4.0 to 4.1, the patch is canceled and the critical logger is enabled.

CSCeh54670
Summary: The EAP-TLS Strip Domain Name check box has been removed from the 4.1 GUI.
Explanation: This feature controlled whether ACS removes the domain name from a username that is derived from the Subject Alternative Name (SAN) field in an end-user certificate. The Windows EAP Settings option, EAP-TLS Strip Domain Name check box, has been removed from the version 4.1 GUI. In version 4.1, the Active Directory (AD) search functionality enables you to authenticate the username.

CSCsc77190
Summary: The <no access> group does not prevent an EAP-TLS user from accessing the network.
Explanation: This problem has been fixed in the most recent version of ACS.

CSCsg02005
Summary: CSMon uses 100% of the CPU while trying to communicate with the SMTP server.
Explanation: This problem has been fixed in the most recent version of ACS.

CSCsb38899
Summary: Upgrade to 5.1(0.7) resets all tuned signatures to default settings.
Explanation: This problem has been fixed in the most recent version of ACS.

CSCsc27158
Summary: A memory leak occurred during stress tests of PAP authentications with an LDAP server (OpenLDAP) and legacy SSL enabled (cert7.db). For example, memory usage reached 100 MB after about 1.5 million authentications.
Explanation: This problem has been fixed in the most recent version of ACS.

CSCsc06942
Summary: Script interface fails the 1K limit at the Layer 2 level.
Explanation: This problem has been fixed in the most recent version of ACS.
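For CSCsc06942 above, a practitioner who wants to know whether a tunneled EAP exchange is close to the 1,002-byte unfragmented limit has to reassemble the EAP payload from the EAP-Message attributes (RADIUS attribute 79) of the Access-Request or Access-Challenge, because each attribute carries at most 253 bytes of it. The following Python code is an added example, not from Cisco or from these release notes: it builds a RADIUS packet around an EAP message, reassembles the EAP payload in attribute order as RFC 3579 requires, validates the EAP header length field against what was reassembled, and reports whether the message exceeds the limit. The EAP payloads are constructed, and the Message-Authenticator attribute is zeroed because no shared secret is involved.

```python
"""Reassemble EAP-Message attributes from a RADIUS packet and check the
unfragmented tunneled-EAP size limit noted for CSCsc06942 (added example)."""
import os
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_TYPE_PEAP = 25
MAX_UNFRAGMENTED_EAP = 1002   # limit stated in the release notes for PEAP and EAP-FAST
MAX_ATTR_VALUE = 253          # RADIUS attribute value limit (255-byte TLV, RFC 2865)


def build_eap_packet(code, identifier, eap_type, payload):
    """EAP header: Code(1) Identifier(1) Length(2) Type(1), then Type-Data."""
    length = 5 + len(payload)
    return struct.pack("!BBHB", code, identifier, length, eap_type) + payload


def build_radius_with_eap(identifier, eap, authenticator=None):
    """Carry `eap` in as many 253-byte EAP-Message attributes as needed."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for offset in range(0, len(eap), MAX_ATTR_VALUE):
        chunk = eap[offset:offset + MAX_ATTR_VALUE]
        attrs += struct.pack("!BB", ATTR_EAP_MESSAGE, 2 + len(chunk)) + chunk
    # RFC 3579 requires Message-Authenticator alongside EAP-Message. It is
    # zeroed here because this constructed packet uses no shared secret.
    attrs += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    length = 20 + len(attrs)
    return struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, length) + authenticator + attrs


def count_eap_message_attrs(radius_packet):
    """Number of EAP-Message attributes in the packet (fragments on the wire)."""
    return sum(1 for atype, _ in _iter_attrs(radius_packet) if atype == ATTR_EAP_MESSAGE)


def _iter_attrs(radius_packet):
    """Yield (type, value) for each attribute, checking lengths as we go."""
    length = struct.unpack("!H", radius_packet[2:4])[0]
    if length != len(radius_packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    pos = 20
    while pos < length:
        atype, alen = radius_packet[pos], radius_packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, radius_packet[pos + 2:pos + alen]
        pos += alen


def extract_eap(radius_packet):
    """Concatenate EAP-Message attribute values in order (RFC 3579 section 3.1)."""
    return b"".join(value for atype, value in _iter_attrs(radius_packet)
                    if atype == ATTR_EAP_MESSAGE)


def check_eap_size(eap):
    """Return (declared_length, within_limit) using the EAP header's Length field."""
    if len(eap) < 4:
        raise ValueError("EAP message too short")
    declared = struct.unpack("!H", eap[2:4])[0]
    if declared != len(eap):
        raise ValueError("EAP length field %d != reassembled %d" % (declared, len(eap)))
    return declared, declared <= MAX_UNFRAGMENTED_EAP


if __name__ == "__main__":
    # Constructed: a 1,100-byte PEAP Type-Data, larger than the limit.
    big = build_eap_packet(2, 2, EAP_TYPE_PEAP, b"B" * 1100)
    pkt = build_radius_with_eap(8, big)
    print(count_eap_message_attrs(pkt), check_eap_size(extract_eap(pkt)))
```

The length check uses the EAP header's own Length field rather than the attribute count, so a packet whose EAP-Message attributes were truncated or reordered fails loudly instead of being reported as within the limit.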
Known Caveats with ACS Solution Engine 4.1
Table 4 contains the known caveats for ACS Solution Engine 4.1.
Resolved Caveats in the ACS Solution Engine 4.1
Table 5 contains the resolved caveats for ACS Solution Engine 4.1. Check the Bug Navigator on Cisco.com for any resolved bugs that might not appear here.
ACS for Windows 4.1
The following sections contain information specific to ACS for Windows 4.1.
System Requirements
System requirements are documented in the Installation Guide for Cisco Secure ACS 4.1 Windows. The following updates have been made to the ACS system requirements. ACS 4.1 supports:
•Pentium dual-core processors. This support is with Intel but not Advanced Micro Devices (AMD).
•VMware. ACS 4.1 was tested on the following VMWare platform:
–VMWare ESX server 3.0.0
–Processor—AMD Opteron Dual core
–# of Virtual machines—4
–Guest operating system—Windows 2003 Standard Edition
–RAM for each guest operation system—3 GB
Note The Microsoft JVM is no longer supported. ACS 4.1 supports the Sun Java Run-time Environment (JRE) 1.4.2_04. This is an ACS for Windows web client requirement.
Note ACS is supported on Windows Server 2003 R2.
Software Compatibility
See the Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Release 4.1 on Cisco.com.
Note The SafeWord Premier Access token servers version 3.1 and 3.2 are supported and have been tested. For additional information see the Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Release 4.1 on Cisco.com.
Upgrading to a New Software Release
For detailed instructions see Installation Guide for Cisco Secure ACS 4.1 Windows on Cisco.com. For upgrade paths, see Upgrade Paths.
Installation Notes
The following installation notes are important:
•ACS will not install properly if a Sybase server is installed on the same machine.
•Remote installations performed by using Windows Terminal Services have not been tested and are not supported. We recommend that you disable Terminal Services while performing any installation or upgrade. Virtual Network Computing (VNC) has been tested successfully.
•Tested Windows Security Patches for ACS Remote Agent and ACS for Windows.
See the Installation Guide for Cisco Secure ACS 4.1 Windows for installation, upgrade, and uninstall instructions, as well as post-installation tasks. For post-installation tasks, see Post-Upgrade Configuration.
Upgrade Paths
This section describes the following ACS 4.1 upgrade and migration topics:
•Supported Upgrades for ACS for Windows
•Supported Migration Path for ACS for Windows
•Unsupported Migration Path to ACS 4.1
Supported Upgrades for ACS for Windows
We tested upgrades to ACS for Windows Server 4.1 directly from releases 4.0.1, 3.3.4, and 3.3.3, and by way of an intermediate release from 3.3.2**, 3.3.1**, 3.2.3**, 3.2.2*, 3.2.1*, 3.1.2*, and 3.0.4*.
* You should first upgrade to Cisco Secure ACS for Windows Server, release 3.3.3 or 3.3.4.
** You should first upgrade to Cisco Secure ACS for Windows Server, release 3.3.3, 3.3.4, or 4.0.1.
After you upgrade to ACS release 3.3.3, 3.3.4, or 4.0.1, you can then upgrade to release 4.1.
Note If you are upgrading to ACS 3.3.3 and do not have access to that software, review the README text for details on the upgrade procedure.
Supported Migration Path for ACS for Windows
ACS has tested and supports the migration path from:
•ACS 3.2.3 to ACS 3.3.3 to ACS 4.1.
•ACS 3.3.3 to ACS 4.1.
Note ACS has also tested and supports the migration path from ACS 3.3.3 to ACS 4.0 to ACS 4.1.
Unsupported Migration Path to ACS 4.1
ACS does not support migration paths from releases prior to ACS 3.2.3. This includes versions:
•ACS 3.2.1
•ACS 3.2.2
Note ACS does not support direct migration paths from ACS 3.3.1 and 3.3.2.
Post-Upgrade Configuration
The following section contains information about post-upgrade configuration:
•After upgrading to ACS 4.1, you might need to perform additional configuration steps to successfully use ACS and Network Access Profiles (NAP). If you used NAC in ACS 3.3, ACS will not operate in an identical manner in ACS 4.1. For example, you must create a new set of authorization rules for Network Access Profiles that are created during the upgrade process.
•If you used ACS 3.x ODBC logging and upgraded to ACS 4.1, preserving your data, you must update the ODBC tables so that the SQL tables continue to work.
For details on how to complete post-installation tasks, see the Installation Guide for Cisco Secure ACS 4.1 Windows.
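CSCsc95237 in the resolved caveats above (a trailing space in one network device IP address broke the database conversion and kept ACS services from starting) suggests checking AAA client address entries before an upgrade rather than after. The following Python code is an added example, not from Cisco or from these release notes: it validates a set of AAA client addresses for stray whitespace and for malformed values, accepting plain IPv4 addresses plus the octet wildcard (*) and last-octet range (a-b) forms. The sample entries are constructed; where the entries are read from (the ACS registry keys or an export) is not stated in the notes, and the wildcard and range syntax is an assumption.

```python
"""Pre-upgrade check of AAA client address entries (added example)."""
import ipaddress
import re

# Constructed sample of AAA client entries, name -> address string. The source
# of these entries (ACS registry keys or an export) is not stated in the notes.
SAMPLE_CLIENTS = {
    "core-sw1": "10.1.1.1",
    "edge-rtr2": "10.1.2.1 ",     # trailing space: the CSCsc95237 trigger
    "wlc-floor3": "10.3.0.*",     # ACS wildcard form (assumed syntax)
    "dist-sw": "10.4.4.1-20",     # ACS last-octet range form (assumed syntax)
    "bad": "10.1.1.300",
}

OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
WILDCARD = re.compile(rf"^(?:{OCTET}|\*)(?:\.(?:{OCTET}|\*)){{3}}$")
RANGE = re.compile(rf"^{OCTET}(?:\.{OCTET}){{2}}\.({OCTET})-({OCTET})$")


def check_address(raw):
    """Return None if the entry is acceptable, otherwise a reason string."""
    if raw != raw.strip():
        return "leading/trailing whitespace"
    if not raw:
        return "empty"
    try:
        ipaddress.IPv4Address(raw)
        return None
    except ValueError:
        pass
    if WILDCARD.match(raw):
        return None
    m = RANGE.match(raw)
    if m:
        low, high = int(m.group(1)), int(m.group(2))
        return None if low < high else "range low >= high"
    return "not a valid IPv4 address, wildcard, or range"


def find_problem_clients(clients):
    """Map each offending client name to the reason its address was rejected."""
    problems = {}
    for name, addr in clients.items():
        reason = check_address(addr)
        if reason is not None:
            problems[name] = reason
    return problems


if __name__ == "__main__":
    for name, reason in find_problem_clients(SAMPLE_CLIENTS).items():
        print(f"{name}: {reason}")
```

The whitespace test runs before any parsing on purpose: ipaddress.IPv4Address would reject "10.1.2.1 " anyway, but reporting the actual cause tells the administrator which registry value to fix.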
Upgrading From Version 3.3
When you upgrade from ACS 3.3 to ACS 4.1:
1. Local and external posture policies are automatically transformed.
2. A single Network Access Profile (configured for NAC only) is created as part of the upgrade.
3. Each instance of the selected ACS 4.0 Network Posture Validation Database is automatically transformed into a posture validation rule. All the rules are associated with the NAP that was created in step 2. All PA messages and URL redirects are mapped correspondingly.
4. A RADIUS Authorization Component will be created for each mapped group. ACS populates the RAC with all attributes that were configured in the user or group setup menus, except for the posture-token Cisco-av-pair. Since ACS dynamically generates the posture-token Cisco-av-pair attribute at runtime, manual configuration is unnecessary.
5. If you manually added posture validation attributes in ACS 4.0, they are added to the ACS version 4.1 posture dictionary during the upgrade.
Limitations and Restrictions
The following limitations and restrictions apply to ACS 4.1.
•User/Machine Out-of-Band PAC Provisioning for EAP-FAST version 1a has not been tested. The Out-of-band provisioning feature was not tested since the MDC (Meetinghouse) supplicant does not support it. (CSCsb46242)
•The TACACS+ and LEAP protocols for Network Access Profiles are not supported in ACS version 4.1.
•ACS supports up to 35,000 network devices.
•CSAuth can experience exceptions or failures when both of the following apply:
–EAP-TLS authentications are being stress tested.
–One of the external databases is a Generic LDAP database using the legacy (cert7.db) secure socket layer (SSL) connection mode.
This problem does not occur if you use the new SSL option (Trusted Root CA) instead of the legacy option (cert7.db) on the Generic LDAP Configuration Options page in ACS. We strongly recommend that you do not use the legacy option; use only the new SSL option.
Interoperability Testing
ACS has not been tested for interoperability with other Cisco software. Other than for the software and operating system versions listed in this document, Cisco performed no interoperability testing. Using untested software with ACS may cause problems. For the best performance of ACS, Cisco recommends that you use the versions of software and operating systems in the Supported and Interoperable Devices and Software Tables for Cisco Secure ACS for Windows on Cisco.com.
ACS Solution Engine 4.1
The following sections contain information specific to the ACS Solution Engine 4.1
New and Changed Information for the ACS Solution Engine 4.1
This section contains:
•Installation Notes for the Solution Engine 4.1
New Hotfixes in ACS SE 4.1
The ACS SE base image contains the following Microsoft hotfixes:
•KB822831—BUG: Driver installation program does not install device drivers.
•KB823980—MS03-026: Buffer Overrun in RPC May Allow Code Execution.
•KB824105—MS03-034: Flaw in NetBIOS could lead to information disclosure.
•KB824146—MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs.
•KB828028—MS04-007: An ASN.1 vulnerability could allow code execution.
•KB828741—MS04-012: Cumulative Update for Microsoft RPC/DCOM.
•KB835732—MS04-011: Security Update for Microsoft Windows.
•KB893066—MS05-019: Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service.
For more information about these hotfixes, see the Microsoft website.
ACS Remote Agent for Windows
Japanese Windows 2000 and Japanese Windows 2003 are supported on ACS Remote Agent for Windows.
Installation Notes for the Solution Engine 4.1
This section provides information about installing and upgrading ACS SE and ACS Remote Agents:
•Installing from ACS SE 1111 (HP) Recovery CD
•Supported Upgrades for ACS SE
•Supported Migrations for ACS SE
•Tested Windows Security Patches for ACS Remote Agent and ACS for Windows
Note You should only view ACS SE through a console by using a serial port. We do not recommend using a monitor via VGA port. If you use a monitor via VGA port, you will see Windows error messages when starting ACS SE. You can ignore these messages; rebooting is unnecessary.
Installing from ACS SE 1111 (HP) Recovery CD
When installing from the Recovery CD for ACS SE 1111 (HP), after installation ends:
•The ACS SE reboots, performs some configurations, and reboots again. The configurations that occur after the first reboot take a significant amount of time, during which no feedback appears, which is normal system behavior. If, after about an hour, the CLI Initial Configuration screen does not appear, switch off the appliance, and switch it on again. Refer to CSCsc90467.
•If you cannot access the web interface, use the CLI command, reboot, to restart the appliance. Refer to CSCsd20149.
Note The two previous problems occur only on ACS SE 1111 (HP), after installing from the Recovery CD, when performing a full upgrade, including the appliance base image. If you are not upgrading the appliance base image, you do not need to install from the Recovery CD.
Software Compatibility
See the Supported and Interoperable Devices and Software Tables for Cisco Secure ACS 4.1 on Cisco.com.
Supported Upgrades for ACS SE
We tested upgrades for the ACS Solution Engine from release 3.3.3 to releases 4.0.1 and 4.1, and from release 3.3.4 to release 4.1. To upgrade the Solution Engine from an earlier release (3.2.1, 3.2.2, 3.2.3, 3.3.1, or 3.3.2), you must first upgrade to release 3.3.3 and then upgrade to release 4.0.1 or 4.1, or first upgrade to release 3.3.4 and then upgrade to release 4.1. For more information, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine.
Supported Migrations for ACS SE
We support direct migration from ACS for Windows releases 3.3.3, 3.3.4, and 4.0.1 to release 4.1 of the ACS Solution Engine. To migrate from an earlier release of ACS for Windows (3.3.2, 3.3.1, 3.2.3, 3.2.2, 3.2.1, 3.1.2, or 3.0.4), you must first upgrade to release 3.3.3 and then upgrade to release 4.0.1 or 4.1, or first upgrade to release 3.3.4 and then upgrade to release 4.1. For more information, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine.
Solaris Support for the Remote Agent
The Cisco Secure ACS Remote Agent for Solaris runs on Solaris 2.8.
Note The Solaris Remote Agent requires the libstdc++.so library (C++ runtime). Without this library, the Remote Agent is not operational. By default, the library is located through the directories listed in the LD_LIBRARY_PATH environment variable and the directory /router/lib.
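A pre-flight check for the requirement above, added here as an example and not part of Cisco's documentation or software: it looks for libstdc++.so in /router/lib and in every directory listed in LD_LIBRARY_PATH, so an operator can confirm the C++ runtime is reachable before starting the Remote Agent. The function name and the optional extra-directory arguments are this example's own.

```shell
# Added example (not Cisco's code): verify that the C++ runtime required by
# the Solaris Remote Agent can be found. Searches /router/lib (the default
# directory named in the release notes) and each entry of LD_LIBRARY_PATH.
# Usage: find_libstdcxx [extra_dir ...]  -> prints the first match, returns 1 if none.
find_libstdcxx() {
    # Start with the default directory, then append LD_LIBRARY_PATH entries.
    dirs="/router/lib"
    saved_ifs=$IFS
    IFS=:
    for d in $LD_LIBRARY_PATH; do
        # An empty entry would mean "." to the loader; skip it deliberately.
        if [ -n "$d" ]; then
            dirs="$dirs:$d"
        fi
    done
    # Extra directories passed as arguments (hypothetical, for testing) are checked too.
    for extra in "$@"; do
        dirs="$dirs:$extra"
    done
    for d in $dirs; do
        # Accept the unversioned name or a versioned one such as libstdc++.so.6.
        for f in "$d"/libstdc++.so "$d"/libstdc++.so.*; do
            if [ -f "$f" ]; then
                IFS=$saved_ifs
                printf '%s\n' "$f"
                return 0
            fi
        done
    done
    IFS=$saved_ifs
    echo "libstdc++.so not found in /router/lib or LD_LIBRARY_PATH; the Remote Agent will not start" >&2
    return 1
}
```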
Post-Upgrade Configuration
After upgrading to ACS 4.1, you might need to perform additional configuration steps to successfully use ACS and Network Access Profiles (NAP). If you used NAC in ACS 3.3, NAC does not operate in an identical manner in ACS 4.0. For example, you must create a new set of authorization rules for the Network Access Profiles that are created during the upgrade process.
Tested Windows Security Patches for ACS Remote Agent and ACS for Windows
Cisco Systems officially supports and encourages the installation of all Microsoft security patches for Windows 2000 Server and Windows Server 2003 as used for ACS Remote Agent for Windows and ACS for Windows.
Cisco's experience has shown that these patches do not cause any problems with the operation of ACS Remote Agent for Windows and ACS for Windows. If the installation of one of these security patches does cause a problem with ACS, contact Cisco TAC and Cisco will resolve the problem as quickly as possible.
We tested the ACS Remote Agent for Windows and ACS for Windows with the Windows Server 2003 patches documented in the following Microsoft Knowledge Base Articles:
•819696
•823182
•823559
•824105
•824141
•824146
•825119
•828028
•828035
•828741
•832894
•835732
•837001
•837009
•839643
•840374
We tested ACS with the Windows 2000 Server patches documented in the following Microsoft Knowledge Base Articles:
•329115
•823182
•823559
•823980
•824105
•824141
•824146
•825119
•826232
•828035
•828741
•828749
•835732
•837001
•839643
Documentation Updates
This section provides documentation updates.
Changes
Regulatory Compliance and Safety Information
In the printed and online version of the Regulatory Compliance and Safety Information for Cisco Secure ACS Solution Engine 4.1, Statement 191—VCCI Class A Warning for Japan has been updated.
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. This section explains the product documentation resources that Cisco offers.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/techsupport
You can access the Cisco website at this URL:
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Product Documentation DVD
The Product Documentation DVD is created monthly and is released in the middle of the month. DVDs are available singly or by subscription. Registered Cisco.com users can order a Product Documentation DVD (product number DOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco Marketplace at the Product Documentation Store at this URL:
http://www.cisco.com/go/marketplace/docstore
Ordering Documentation
You must be a registered Cisco.com user to access Cisco Marketplace. Registered users may order Cisco documentation at the Product Documentation Store at this URL:
http://www.cisco.com/go/marketplace/docstore
If you do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Documentation Feedback
You can provide feedback about Cisco technical documentation on the Cisco Technical Support & Documentation site area by entering your comments in the feedback form available in every online document.
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you will find information about how to do the following:
•Report security vulnerabilities in Cisco products
•Obtain assistance with security incidents that involve Cisco products
•Register to receive security information from Cisco
A current list of security advisories, security notices, and security responses for Cisco products is available at this URL:
To see security advisories, security notices, and security responses as they are updated in real time, you can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you have identified a vulnerability in a Cisco product, contact PSIRT:
•For emergencies only — security-alert@cisco.com
An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.
•For nonemergencies — psirt@cisco.com
In an emergency, you can also reach PSIRT by telephone:
•1 877 228-7302
•1 408 525-6532
Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x.
Never use a revoked encryption key or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
The link on this page has the current PGP key ID in use.
If you do not have or use PGP, contact PSIRT to find other means of encrypting the data before sending any sensitive material.
Product Alerts and Field Notices
Modifications to or updates about Cisco products are announced in Cisco Product Alerts and Cisco Field Notices. You can receive Cisco Product Alerts and Cisco Field Notices by using the Product Alert Tool on Cisco.com. This tool enables you to create a profile and choose those products for which you want to receive information.
To access the Product Alert Tool, you must be a registered Cisco.com user. (To register as a Cisco.com user, go to this URL: http://tools.cisco.com/RPF/register/register.do) Registered users can access the tool at this URL: https://www.cisco.com/web/siteassets/account/index.html
Obtaining Technical Assistance
Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.
Cisco Technical Support & Documentation Website
The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note Use the Cisco Product Identification Tool to locate your product serial number before submitting a request for service online or by phone. You can access this tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link, clicking the All Tools (A-Z) tab, and then choosing Cisco Product Identification Tool from the alphabetical list. This tool offers three search options: by product ID or model name; by tree view; or, for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.
Tip Displaying and Searching on Cisco.com
If you suspect that the browser is not refreshing a web page, force the browser to update the web page by holding down the Ctrl key while pressing F5.
To find technical information, narrow your search to look in technical documentation, not the entire Cisco.com website. On the Cisco.com home page, click the Advanced Search link under the Search box and then click the Technical Support & Documentation radio button.
To provide feedback about the Cisco.com website or a particular technical document, click Contacts & Feedback at the top of any Cisco.com web page.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411
Australia: 1 800 805 227
EMEA: +32 2 704 55 55
USA: 1 800 553 2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—An existing network is "down" or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operations are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of the network is impaired while most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
•The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco channel product offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL:
•Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
•Cisco Press publishes a wide range of general networking, training, and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:
•Packet magazine is the magazine for Cisco networking professionals. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can subscribe to Packet magazine at this URL:
•Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
•Networking products offered by Cisco Systems, as well as customer support services, can be obtained at this URL:
http://www.cisco.com/en/US/products/index.html
•Networking Professionals Connection is an interactive website where networking professionals share questions, suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this URL: