Cisco Acs 5 1 Evaluation Essay

Device-Specific Mitigation and Identification

Caution: The effectiveness of any mitigation technique depends on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.

Specific information about mitigation and identification is available for these devices:

Cisco IOS Routers and Switches

Mitigation: Transit Access Control Lists

To protect the network from traffic that enters the network at ingress access points, which may include Internet connection points, partner and supplier connection points, or VPN connection points, administrators are advised to deploy transit access control lists (tACLs) to perform policy enforcement. Administrators can construct a tACL by explicitly permitting only authorized traffic to enter the network at ingress access points or permitting authorized traffic to transit the network in accordance with existing security policies and configurations. A tACL workaround cannot provide complete protection against these vulnerabilities when the attack originates from a trusted source address.

The tACL policy denies unauthorized IPv4 packets on TCP ports 2020 and 2030 that are sent to affected devices. In the following example, 192.168.60.0/24 represents the IP address space that is used by the affected ACS devices, and the host at 192.168.100.1 is also considered a trusted Cisco Secure ACS server that requires access to the affected devices. Care should be taken to allow required traffic for routing and administrative access prior to denying all unauthorized traffic.

Additional information about tACLs is in Transit Access Control Lists: Filtering at Your Edge and Identifying the Effectiveness of Security Mitigations Using Cisco IOS Software.

!
!-- Include explicit permit statements for trusted sources that
!-- require access on the vulnerable TCP ports
!
access-list 150 permit tcp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 2020
access-list 150 permit tcp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 2030
!
!-- The following vulnerability-specific access control entries
!-- (ACEs) can aid in identification of attacks
!
access-list 150 deny tcp any 192.168.60.0 0.0.0.255 eq 2020
access-list 150 deny tcp any 192.168.60.0 0.0.0.255 eq 2030
!
!-- Permit or deny all other Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations
!
!-- Explicit deny for all other IP traffic
!
access-list 150 deny ip any any
!
!-- Apply tACL to interface in the ingress direction
!
interface GigabitEthernet0/0
 ip access-group 150 in

Cisco ASA, Cisco ASASM, and Cisco FWSM Firewalls

Mitigation: Transit Access Control Lists

To protect the network from traffic that enters the network at ingress access points, which may include Internet connection points, partner and supplier connection points, or VPN connection points, administrators are advised to deploy transit access control lists (tACLs) to perform policy enforcement. Administrators can construct a tACL by explicitly permitting only authorized traffic to enter the network at ingress access points or permitting authorized traffic to transit the network in accordance with existing security policies and configurations. A tACL workaround cannot provide complete protection against these vulnerabilities when the attack originates from a trusted source address.

The tACL policy denies unauthorized IPv4 packets on TCP ports 2020 and 2030 that are sent to affected devices. In the following example, 192.168.60.0/24 represents the IP address space that is used by the affected Cisco Secure ACS devices, and the host at 192.168.100.1 is also considered a trusted Cisco Secure ACS server that requires access to the affected devices. Care should be taken to allow the required traffic for routing and administrative access prior to denying all unauthorized traffic.

For information about using the Cisco firewall command-line interface to gauge the effectiveness of tACLs, see the Cisco Security white paper Identification of Security Exploits with Cisco ASA, Cisco ASASM, and Cisco FWSM Firewalls.

!
!-- Include explicit permit statements for trusted sources
!-- that require access on the vulnerable TCP ports
!
!-- Note: ASA/ASASM/FWSM extended ACLs take a subnet mask, not an
!-- IOS-style wildcard mask, so 192.168.60.0/24 is written 255.255.255.0
!
access-list tACL-Policy extended permit tcp host 192.168.100.1 192.168.60.0 255.255.255.0 eq 2020
access-list tACL-Policy extended permit tcp host 192.168.100.1 192.168.60.0 255.255.255.0 eq 2030
!
!-- The following vulnerability-specific access control entries
!-- (ACEs) can aid in identification of attacks
!
access-list tACL-Policy extended deny tcp any 192.168.60.0 255.255.255.0 eq 2020
access-list tACL-Policy extended deny tcp any 192.168.60.0 255.255.255.0 eq 2030
!
!-- Permit or deny all other Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations
!
!-- Explicit deny for all other IP traffic
!
access-list tACL-Policy extended deny ip any 192.168.60.0 255.255.255.0
!
!-- Apply tACL to interfaces in the ingress direction
!
access-group tACL-Policy in interface outside
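The two tACL sections above (IOS and ASA) describe the same policy: permit the trusted ACS peer, deny everyone else on TCP 2020 and 2030, and use the per-ACE hit counts of the deny entries to identify attempts. The following is an added example, not code from the Cisco bulletin: a small first-match evaluator for the IOS-style ACEs on this page, run against a few constructed flows (203.0.113.5 and the 192.168.60.10 target are constructed addresses). It shows which ACE each flow hits, the hit counters a defender would read with show access-list, and the caveat the text states: a flow that carries the trusted source address is still permitted, so the tACL is no protection against that case.

```python
"""Added example: simulate the bulletin's tACL against sample flows (not Cisco code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# ACEs copied from the IOS section of the page; comment lines and the
# interface commands are omitted because only ACEs are evaluated here.
TACL_150 = """
access-list 150 permit tcp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 2020
access-list 150 permit tcp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 2030
access-list 150 deny tcp any 192.168.60.0 0.0.0.255 eq 2020
access-list 150 deny tcp any 192.168.60.0 0.0.0.255 eq 2030
access-list 150 deny ip any any
"""


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp" or "ip" ("ip" matches every protocol)
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None means any destination port
    text: str              # the original ACE line, for reporting
    hits: int = 0          # per-ACE counter, like the hitcnt in "show access-list"


def _parse_addr(tok: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return IPv4Network(tok[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS wildcard (host mask) after the slash;
    # a non-contiguous wildcard raises ValueError, which is acceptable here.
    return IPv4Network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_tacl(config: str) -> List[Ace]:
    """Parse numbered IOS ACEs of the form 'access-list N action proto src dst [eq port]'."""
    aces: List[Ace] = []
    for line in config.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        aces.append(Ace(action, proto, src, dst, dport, line))
    return aces


def evaluate(aces: List[Ace], src: str, dst: str, proto: str = "tcp",
             dport: Optional[int] = None) -> Tuple[str, str]:
    """First-match evaluation, ending with the implicit deny every IOS ACL has."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        ace.hits += 1
        return ace.action, ace.text
    return "deny", "implicit deny"


# Constructed sample flows (not traffic captured from any real network).
SAMPLE_FLOWS = [
    ("192.168.100.1", "192.168.60.10", "tcp", 2020),  # trusted ACS peer: permitted
    ("203.0.113.5",   "192.168.60.10", "tcp", 2020),  # untrusted source: identification ACE
    ("203.0.113.5",   "192.168.60.10", "tcp", 443),   # other traffic: final explicit deny
    ("192.168.100.1", "192.168.60.10", "tcp", 2030),  # trusted source address: still permitted
]


def run_demo(config: str = TACL_150, flows=SAMPLE_FLOWS):
    """Evaluate every flow and return the parsed ACEs (with hit counts) and the decisions."""
    aces = parse_tacl(config)
    results = [evaluate(aces, *flow) for flow in flows]
    return aces, results


if __name__ == "__main__":
    aces, results = run_demo()
    for flow, (action, text) in zip(SAMPLE_FLOWS, results):
        print(f"{flow[0]:>15} -> {flow[1]}:{flow[3]:<5} {action:<6} via {text}")
    print("\nper-ACE hit counts (the deny ACEs count attempts against the ACS ports):")
    for ace in aces:
        print(f"{ace.hits:4}  {ace.text}")
```

The last sample flow is the point of the caveat in the text: the evaluator cannot tell a genuine trusted server from a packet that merely carries its address, so anti-spoofing at the edge and host-level controls on the ACS servers are still needed. The ASA variant of the policy behaves the same way; only its mask syntax differs, which is why this parser reads the IOS form.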

Table Of Contents

Release Notes for Cisco Secure ACS for Windows Server 3.3.3

New Features

Supplemental License Agreement for Cisco Systems Network Management: Cisco Secure Access Control Server Software

Product Documentation

Related Documentation

Installation Notes

Evaluation Version

Purchasing the Commercial Version

Upgrading to the Commercial Version

Security Advisory

Limitations and Restrictions

Important Known Problems with NAC

Interoperability Testing

Supported Upgrade Versions

Supported Operating System

Tested Windows Security Patches

Upgrading from Windows NT 4.0

Supported Web Browsers

Supported Platforms for CiscoSecure Authentication Agent

Other Supported Devices and Software

Documentation Updates

Interoperability and Version Requirements

LDAP Multithreading

Unknown NAS Authentication Failure

Using the Certificate Revocation Lists Issuer Page

Known Problems

Cisco AAA Client Problems

Known Microsoft Problems

Known Problems in Cisco Secure ACS 3.3

Resolved Problems

Obtaining Documentation

Cisco.com

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco Technical Support Website

Definitions of Service Request Severity

Submitting a Service Request

Obtaining Additional Publications and Information


Release Notes for Cisco Secure ACS for Windows Server 3.3.3


October 2005
Full Build Number: 3.3.3.11

These release notes pertain to Cisco Secure Access Control Server for Windows Server (Cisco Secure ACS) version 3.3.3.


Note The release numbering system used by Cisco Secure ACS software includes major release, minor release, maintenance build, and interim build number in the MMM.mmm.###.BBB format. For this release, the versioning information is Cisco Secure ACS 3.3.3.11. Elsewhere in this document where 3.3.3 is used, it refers to 3.3.3.11. Cisco Secure ACS major release numbering starts at 3.3.1, not 3.3.0. Use this information when working with your customer service representative.


These release notes provide:

New Features

Supplemental License Agreement for Cisco Systems Network Management: Cisco Secure Access Control Server Software

Product Documentation

Related Documentation

Installation Notes

Evaluation Version

Limitations and Restrictions

Important Known Problems with NAC

Interoperability Testing

Supported Upgrade Versions

Supported Operating System

Supported Web Browsers

Supported Platforms for CiscoSecure Authentication Agent

Other Supported Devices and Software

Documentation Updates

Known Problems

Resolved Problems

Obtaining Documentation

Documentation Feedback

Obtaining Technical Assistance

Obtaining Additional Publications and Information

New Features

Cisco Secure ACS 3.3 contains the following new features and enhancements:

Network admission control (NAC)—Cisco Secure ACS acts as a policy decision point in NAC deployments. Using policies you configure, it evaluates the credentials sent to it by Cisco Trust Agent, determines the state of the host, and sends the AAA client ACLs that are appropriate to the host state. Evaluation of the host credentials can enforce many specific policies, such as operating system patch level and antivirus DAT file version. Cisco Secure ACS records the results of policy evaluation for use with your monitoring system. Policies can be evaluated locally by Cisco Secure ACS or can be the result returned from an external policy server to which Cisco Secure ACS forwards credentials. For example, credentials that are specific to an antivirus vendor can be forwarded to the vendor antivirus policy server.

EAP Flexible Authentication via Secured Tunnel (EAP-FAST) support—Cisco Secure ACS supports the EAP-FAST protocol, a new publicly accessible IEEE 802.1X EAP type developed by Cisco Systems that protects authentication in a TLS tunnel but does not require use of certificates, unlike PEAP. Cisco developed EAP-FAST to support customers who cannot enforce a strong password policy and wish to deploy an 802.1X EAP type that:

does not require digital certificates

supports a variety of user and password database types

supports password expiration and change

is flexible, easy to deploy, and easy to manage

For example, a customer who uses Cisco LEAP can migrate to EAP-FAST for protection from dictionary attacks. Cisco Secure ACS supports EAP-FAST supplicants that are available on Cisco-compatible client devices and Cisco Aironet 802.11a/b/g PCI and CardBus WLAN client adapters.

Machine Access Restrictions (MARs)—Cisco Secure ACS includes MARs as an enhancement of Windows machine authentication. When Windows machine authentication is enabled, you can use MARs to control authorization of EAP-TLS and Microsoft PEAP users who authenticate with a Windows external user database. Users who access the network with a computer that has not passed machine authentication within a configurable length of time are given the authorizations of a user group that you specify and that you can configure to limit authorization as needed. Alternatively, you can deny network access altogether.
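The MAR rule above has three parts: it applies only to EAP-TLS and Microsoft PEAP users authenticated against the Windows database, it checks whether the user's computer passed machine authentication within a configurable window, and it either maps the user to a restricted group or rejects the request. The following is an added example that models that decision, not code from Cisco Secure ACS; the group names, host names, timestamps and the aging window are constructed.

```python
"""Added example: model of a Machine Access Restriction (MAR) decision (not ACS code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple


@dataclass
class MarPolicy:
    aging: timedelta                 # the "configurable length of time"
    fallback_group: Optional[str]    # group assigned when machine auth is stale or absent
    deny_instead: bool = False       # or deny network access altogether


@dataclass
class AuthRequest:
    user: str
    user_group: str     # group the user would normally get
    host: str           # computer the user is connecting from
    protocol: str       # "EAP-TLS", "PEAP", "LEAP", ...
    user_db: str        # "Windows", "LDAP", ...


def mar_decision(req: AuthRequest, machine_auth_times: Dict[str, datetime],
                 policy: MarPolicy, now: datetime) -> Tuple[str, Optional[str], str]:
    """Return (access, group, reason) for one user authentication."""
    # MARs only act on EAP-TLS and Microsoft PEAP users from the Windows database.
    if req.protocol not in ("EAP-TLS", "PEAP") or req.user_db != "Windows":
        return "ACCEPT", req.user_group, "MAR not applicable"
    last = machine_auth_times.get(req.host)
    if last is not None and now - last <= policy.aging:
        return "ACCEPT", req.user_group, f"machine authentication {now - last} ago"
    if policy.deny_instead:
        return "REJECT", None, "no recent machine authentication"
    return "ACCEPT", policy.fallback_group, "no recent machine authentication; restricted group"


# Constructed data: when each computer last passed machine authentication.
NOW = datetime(2005, 10, 3, 9, 0)
MACHINE_AUTH_TIMES = {
    "WS-ALICE": NOW - timedelta(hours=2),
    "WS-BOB": NOW - timedelta(days=3),
}
POLICY = MarPolicy(aging=timedelta(hours=12), fallback_group="Machine-Unauth-Users")

REQUESTS = [
    AuthRequest("alice", "Engineering", "WS-ALICE", "PEAP", "Windows"),     # recent machine auth
    AuthRequest("bob", "Engineering", "WS-BOB", "EAP-TLS", "Windows"),      # machine auth too old
    AuthRequest("carol", "Engineering", "WS-CAROL", "PEAP", "Windows"),     # host never machine-authenticated
    AuthRequest("dave", "Engineering", "WS-DAVE", "LEAP", "Windows"),       # MAR does not apply
]


def run_demo(policy: MarPolicy = POLICY):
    """Evaluate the constructed requests under the given policy."""
    return [mar_decision(r, MACHINE_AUTH_TIMES, policy, NOW) for r in REQUESTS]


if __name__ == "__main__":
    for req, (access, group, reason) in zip(REQUESTS, run_demo()):
        print(f"{req.user:<6} {req.protocol:<7} {access:<7} group={group!s:<22} {reason}")
```

Both outcomes the text describes are covered: with a fallback group configured, bob and carol are accepted into the restricted group; with deny_instead set, the same requests are rejected.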

Network Access Filters (NAFs)—Cisco Secure ACS includes NAFs as a new type of Shared Profile Component. NAFs provide a flexible way of applying network-access restrictions and downloadable ACLs by AAA client name, network device group, or the IP addresses of AAA clients. NAFs applied by IP address can use IP address ranges and wildcards. This feature introduces granular application of network-access restrictions and downloadable ACLs, both of which previously only supported applying the same access restrictions or ACLs to all devices. NAFs allow much more flexible network-device restriction policies to be defined, a requirement common in large environments.

Downloadable ACL enhancements—Cisco Secure ACS 3.3 extends per-user ACL support to any layer-three network device that supports this feature. This support includes Cisco PIX firewalls, Cisco VPN solutions, and Cisco IOS routers. You can define sets of ACLs that can be applied per user or per group. This feature complements NAC support by enabling the enforcement of the correct ACL policy. When used in conjunction with NAFs, downloadable ACLs can be applied differently per AAA client, enabling you to tailor ACLs uniquely per user, per access device.

Configurable replication timeout—An enhancement to CiscoSecure Database Replication which allows you to specify how long a replication event is permitted to continue before Cisco Secure ACS ends the replication attempt and restarts the affected services. This feature improves your ability to configure replication when network connections between replication partners are slow.

Supplemental License Agreement for Cisco Systems Network Management: Cisco Secure Access Control Server Software

IMPORTANT, READ CAREFULLY: This Supplemental License Agreement (SLA) contains additional limitations on the license to the Software provided to Customer under the Software License Agreement between Customer and Cisco. Capitalized terms used in this SLA and not otherwise defined herein shall have the meanings assigned to them in the Software License Agreement. To the extent that there is a conflict among any of these terms and conditions applicable to the Software, the terms and conditions in this SLA shall take precedence.

By installing, downloading, accessing or otherwise using the Software, Customer agrees to be bound by the terms of this SLA. If Customer does not agree to the terms of this SLA, Customer may not install, download or otherwise use the Software.

1. ADDITIONAL LICENSE RESTRICTIONS.

Installation and Use. The Software components are provided to Customer solely to install, update, supplement, or replace existing functionality of the applicable Network Management Software product. Customer may install and use the following Software component: Access Control Server (ACS): May be installed on one (1) server in Customer's network management environment.

Reproduction and Distribution. Customer may not reproduce nor distribute software.

2. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS.

Please refer to the Cisco Systems, Inc., Software License Agreement.

Product Documentation


Note Cisco sometimes updates the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.


Table 1 describes the product documentation that is available.

Document Title / Available Formats

Release Notes for Cisco Secure ACS for Windows Server: on Cisco.com.

Installation Guide for Cisco Secure ACS for Windows Server: PDF on the product CD-ROM; on Cisco.com; printed document available by order (part number DOC-7816529=).

User Guide for Cisco Secure ACS for Windows Server: PDF on the product CD-ROM; on Cisco.com; printed document available by order (part number DOC-7816592=).

Installation and User Guide for Cisco Secure ACS User-Changeable Passwords: PDF on the product CD-ROM; on Cisco.com.

Supported and Interoperable Devices and Software Tables for Cisco Secure ACS for Windows Server: on Cisco.com.

Recommended Resources for the Cisco Secure ACS User: on Cisco.com.

Online Documentation: in the Cisco Secure ACS HTML interface, click Online Documentation.

Online Help: in the Cisco Secure ACS HTML interface, online help appears in the right-hand pane when you are configuring a feature.


Related Documentation


Note Cisco sometimes updates the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.


Table 2 describes a set of white papers about Cisco Secure ACS. All white papers are available on Cisco.com. To view them, go to the following URL:

http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/index.shtml

Document Title

Description and Available Formats

Building a Scalable TACACS+ Device Management Framework

This document discusses the key benefits of Cisco Secure ACS Shell Authorization Command sets and how to deploy them. They provide the facilities for constructing a scalable network device-management system by using the familiar and efficient TCP/IP protocols and utilities that Cisco devices support.

Catalyst Switching and ACS Deployment Guide

This document presents planning, design, and implementation practices for deploying Cisco Secure ACS for Windows Server in support of Cisco Catalyst Switch networks. It discusses network topology regarding AAA, user database choices, password protocol choices, access requirements, and the capabilities of Cisco Secure ACS.

Cisco Secure ACS for Windows vs. Cisco Secure ACS for UNIX

This bulletin compares the overall feature sets of Cisco Secure ACS for Windows and CiscoSecure ACS for UNIX. It also examines the advantages and disadvantages of both platforms and discusses issues related to migrating from the UNIX-based product to the Windows version.

Configuring LDAP

This document outlines deployment concepts for Cisco Secure ACS when authenticating users of a Lightweight Directory Access Protocol (LDAP) directory server, and describes how to use these concepts to configure Cisco Secure ACS.

Deploying Cisco Secure ACS for Windows in a Cisco Aironet Environment

This paper discusses guidelines for wireless network design and deployment with Cisco Secure ACS.

EAP-TLS Deployment Guide for Wireless LAN Networks

This document discusses the Extensible Authentication Protocol Transport Layer Security (EAP-TLS) authentication protocol deployment in wireless networks. It introduces the EAP-TLS architecture and then discusses deployment issues.

External ODBC Authentication

This paper presents concepts and configuration issues in deploying Cisco Secure ACS for Windows Server to authenticate users against an external open database connectivity (ODBC) database. This paper also describes configuring, testing, and troubleshooting a relational database management system (RDBMS) with ODBC and Cisco Secure ACS, and provides sample Structured Query Language (SQL) procedures.

Guidelines for Placing ACS in the Network

This document discusses planning, design, and implementation practices for deploying Cisco Secure ACS for Windows Server in an enterprise network. It discusses network topology, user database choices, access requirements, integration of external databases, and capabilities of Cisco Secure ACS.

Initializing MC Authorization on ACS 3.1

This application note explains how to initialize Management Center authorization on Cisco Secure ACS.

Securing ACS Running on Microsoft Windows Platforms

This paper describes how the Cisco Secure ACS can be protected against the vulnerabilities of the Windows 2000 operating system and explains how to improve security on the computer that runs Cisco Secure ACS. It discusses making the system dedicated to Cisco Secure ACS, removing all unnecessary services, and other measures. It also discusses how to improve administrative security for Cisco Secure ACS through such methods as stronger passwords and controlled administrative access. This paper concludes with considerations of physical security for Cisco Secure ACS and its host.


Installation Notes

For information about installing Cisco Secure ACS, see the Installation Guide for Cisco Secure ACS for Windows Server 3.3. To see all Cisco Secure ACS documentation, go to the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/

Evaluation Version

The evaluation version of Cisco Secure ACS 3.3 provides full functionality for 90 days after the date of installation. This evaluation period allows you to use all features of Cisco Secure ACS 3.3 while determining if it suits your needs. The evaluation version of Cisco Secure ACS 3.3 will be available within 30 days after the release of the commercial version of Cisco Secure ACS 3.3.

The evaluation version of Cisco Secure ACS 3.3 can be distinguished from the commercial version in the following ways:

The word "trial" appears in the title of the installation routine.

The Windows Control Panel Add/Remove applet indicates that the Cisco Secure ACS installation is a trial version.

In the administrative interface of Cisco Secure ACS, the word "trial" appears on the title of the initial screen.

When the evaluation period has elapsed, the CSRadius and CSTacacs services fail to start. You will receive a message when you access the Cisco Secure ACS HTML interface that notifies you that your evaluation period has elapsed.

Purchasing the Commercial Version

Please contact your Cisco Sales Representative(s) to inquire about purchasing the commercial version of Cisco Secure ACS. To purchase the commercial version of Cisco Secure ACS 3.3 online, use the following URL:

http://www.cisco.com/pcgi-bin/cm/welcome.pl

Upgrading to the Commercial Version

After purchasing a commercial version of Cisco Secure ACS 3.3, you can upgrade your Cisco Secure ACS server from the evaluation version to the commercial version by installing the commercial version over the evaluation version. For information on installing Cisco Secure ACS 3.3, follow the instructions in the Installation Guide for Cisco Secure ACS for Windows Server 3.3.

Security Advisory

Cisco issues a security advisory when security issues directly impact its products and require action to repair. For the list of security advisories for Cisco Secure on Cisco.com, see the Cisco Security Advisory: Multiple Vulnerabilities in Cisco Secure Access Control Server at

http://www.cisco.com/en/US/products/products_security_advisories_listing.html

Limitations and Restrictions

The following limitations and restrictions apply to Cisco Secure ACS 3.3.

Important Known Problems with NAC

The following known problems are related to Network Admission Control. Cisco recommends that you review them.

CSCee88908—CSLog crash if a logged attribute is deleted due to replication

CSCee87826—A deleted policy is being reassign when created with the same name

CSCee87899—Replication of NAC policies should be updated in the doc

Interoperability Testing

Cisco Secure ACS has not been interoperability tested with other Cisco software. Other than for the software and operating system versions listed in this document, Cisco performed no interoperability testing. Using untested software with Cisco Secure ACS may cause problems. For the best performance of Cisco Secure ACS, Cisco recommends that you use the versions of software and operating systems listed in this document.

Supported Upgrade Versions

We support upgrading to Cisco Secure ACS for Windows Server 3.3.3, from the following versions:

Cisco Secure ACS for Windows Server 3.3.2

Cisco Secure ACS for Windows Server 3.3.1

Cisco Secure ACS for Windows Server 3.2.3

Cisco Secure ACS for Windows Server 3.2.2

Cisco Secure ACS for Windows Server 3.2.1

Cisco Secure ACS for Windows Server 3.1.2

Cisco Secure ACS for Windows Server 3.0.4


Note To upgrade to version 3.3 from a version earlier than 3.0.4, first upgrade to one of the supported upgrade versions listed above, and then upgrade to Cisco Secure ACS 3.3.


Supported Operating System

Cisco Secure ACS for Windows Server 3.3 supports the Windows operating systems listed below. The operating system and the service pack must be English-language versions.

Windows 2000 Server, with Service Pack 4 installed

Windows 2000 Advanced Server

with Service Pack 4 installed

without features specific to Windows 2000 Advanced Server enabled

Windows Server 2003, Enterprise Edition with Service Pack 1 installed

Windows Server 2003, Standard Edition with Service Pack 1 installed


Note The following restrictions apply to support for Microsoft Windows operating systems:

Cisco Secure ACS for Windows Server is not designed to use the multiprocessor feature of any supported operating system; however, we did test Cisco Secure ACS using dual-processor computers.

We cannot support Microsoft clustering service on any supported operating system.

Windows 2000 Datacenter Server is not a supported operating system.

When running Cisco Secure ACS on Windows Server 2003, you may encounter event messages that falsely indicate that Cisco Secure ACS services have failed. This issue is documented in bug CSCea91690.


Tested Windows Security Patches

Cisco Systems officially supports and encourages the installation of all Microsoft security patches for Windows 2000 Server and Windows Server 2003 as used for Cisco Secure ACS for Windows.

Cisco experience has shown that these patches do not cause any problems with the operation of Cisco Secure ACS for Windows. If the installation of one of these security patches does cause a problem with Cisco Secure ACS, please contact Cisco TAC and Cisco will resolve the problem as quickly as possible.

For information about our process for evaluating and releasing Microsoft security patches for Cisco Secure ACS Solution Engine, see the Cisco Secure ACS Solution Engine Q & A document, which is available in the Product Literature area for Cisco Secure ACS Solution Engine on Cisco.com.

Cisco Secure ACS for Windows Server has been tested with the Windows Server 2003 patches documented in the following Microsoft Knowledge Base Articles:

819696

823182

823559

824105

824141

824146

825119

828028

828035

828741

832894

835732

837001

837009

839643

840374

Cisco Secure ACS for Windows Server has been tested with the Windows 2000 Server patches documented in the following Microsoft Knowledge Base Articles:

329115

823182

823559

823980

824105

824141

824146

825119

826232

828035

828741

828749

835732

837001

839643

Upgrading from Windows NT 4.0

If you are upgrading from a previous version of Cisco Secure ACS that is running on Windows NT 4.0, you cannot upgrade the operating system to Windows 2000 Server. The setup program for previous versions of Cisco Secure ACS detects which Windows operating system the computer used and customizes Cisco Secure ACS for that operating system. As a result, upgrading the operating system to Windows 2000 Server without taking the necessary steps causes Cisco Secure ACS to fail.

We last published information about how to upgrade the operating system of the computer running Cisco Secure ACS to Windows 2000 in the documentation for Cisco Secure ACS 3.1. For more information, see the Installation Guide for Cisco Secure ACS for Windows Server 3.1, which is available at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs31/acsinst

Supported Web Browsers

To administer all features that are included in the HTML interface of Cisco Secure ACS 3.3, use an English-language version of one of the following tested and supported web browsers:

Microsoft Internet Explorer for Microsoft Windows

Version 6.0

Service Pack 1

Sun Java Plug-in 1.4.2_04 or Microsoft Java Virtual Machine (JVM)


Note Microsoft does not include its JVM in Windows Server 2003. Instead, use the Sun Java Plug-in listed above. For more information about Microsoft plans regarding its JVM, see http://www.microsoft.com/mscorp/java/


Netscape Communicator for Microsoft Windows

Version 7.1

Sun Java Plug-in 1.4.2_04


Note Several known problems are related to using Netscape Communicator with Cisco Secure ACS. For more information, please review Table 3.

We do not recommend using a slow network connection for remote access to the Cisco Secure ACS HTML interface. Some features that use Java applets do not operate optimally, such as the HTML pages for configuring Network Access Restrictions and Network Admission Control.


We do not support other versions of these browsers or other Java virtual machines with these browsers, nor do we test web browsers by other manufacturers.


Note To use a web browser to access the Cisco Secure ACS HTML interface, configure your web browser as follows:

Use an English-language version of a supported browser.

Enable Java (see the previous supported browser list for JVM details).

Enable JavaScript.

Disable HTTP proxy.


Supported Platforms for CiscoSecure Authentication Agent

For use with Cisco Secure ACS 3.3, Cisco tested CiscoSecure Authentication Agent on Windows XP with Service Pack 1. Cisco supports the use of CiscoSecure Authentication Agent with Cisco Secure ACS 3.3 when CiscoSecure Authentication Agent runs on one of the following client platform operating systems:

Windows XP

Windows 2000 Professional

Windows 98

Other Supported Devices and Software

For information about supported Cisco devices, external user databases, and other software, see the Supported and Interoperable Devices and Software Tables for Cisco Secure ACS for Windows Server Version 3.3. To see all Cisco Secure ACS documentation, go to the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/

Documentation Updates

This section describes new or changed documentation for this release.

Interoperability and Version Requirements

If your Cisco Secure ACS for Windows logs information to a remote ACS server, both ACS installations must have identical release and build numbers, or the logging may fail.

As with previous versions of Cisco Secure ACS, you must not perform backups, restores, or replication between different versions of Cisco Secure ACS.

LDAP Multithreading

Cisco Secure ACS 3.3.3 now processes multiple LDAP authentication requests in parallel as opposed to the sequential processing mechanism employed in versions earlier than 3.2.

Unknown NAS Authentication Failure

Documentation on unknown NAS authentication failure can be found in the "Troubleshooting" section of the User Guide for Cisco Secure ACS for Windows Server.

Using the Certificate Revocation Lists Issuer Page

The Certificate Revocation Lists (CRL) Issuers Page has been revised. You can no longer add a CRL by using this page. A CRL is automatically added to the CRL Issuers page after you select a Certificate Authority (CA) in the Certificate Trust List. The CRL Issuers list contains an entry for every trusted CA in the Certificate Trust List.

Known Problems

This section contains information about the following topics:

Cisco AAA Client Problems

Known Microsoft Problems

Known Problems in Cisco Secure ACS 3.3

Cisco AAA Client Problems

Refer to the appropriate release notes for information about Cisco AAA client problems that might affect the operation of Cisco Secure ACS. You can access these release notes online at the following URLs:

Cisco Aironet Access Point

http://www.cisco.com/univercd/cc/td/doc/product/wireless/

Cisco BBSM

http://www.cisco.com/univercd/cc/td/doc/product/aggr/bbsm/

Cisco Catalyst Switches

http://www.cisco.com/univercd/cc/td/doc/product/lan/

Cisco IOS

http://www.cisco.com/univercd/cc/td/doc/product/software/

Cisco Secure PIX Firewall

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/

Cisco VPN 3000 Concentrator

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3002/

Cisco VPN 5000 Concentrator

http://www.cisco.com/univercd/cc/td/doc/product/aggr/vpn5000/

Known Microsoft Problems

Due to a defect in the Microsoft PEAP supplicant provided in the Windows XP Service Pack 2, the PEAP supplicant cannot reauthenticate successfully with Cisco Secure ACS. Microsoft case SRX040922603052 has been opened on this issue. Customers who are affected by this problem should open a case with Microsoft and reference this case ID. Microsoft has prepared hotfix KB885453, which resolves the issue.

Known Problems in Cisco Secure ACS 3.3

Table 3 describes problems known to exist in version 3.3.


Note A "—" in the Explanation column indicates that no information was available at the time of publication. You should check the Cisco Software Bug Toolkit for current information. To access the Cisco Software Bug Toolkit, go to http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl. (You will be prompted to log in to Cisco.com.)

Bug summaries and explanations in Table 3 are printed word-for-word as they appear in our bug-tracking system.


Bug ID

Summary

Explanation

CSCdv35872

Insufficient length for NDS context entry

When a Novell NDS database configuration in Cisco Secure ACS has a context list longer than 4095 characters, editing the NDS configuration page results in incorrect HTML in the browser interface.

Workaround/Solution: Use a context list no longer than 4096 characters.

CSCdv86708

HTTP Port Allocation is not replicated

Changes to HTTP Port Allocation settings do not appear to replicate. After the HTTP Port Allocation settings are changed on the Access Policy Setup page in the Administration Control section on the primary Cisco Secure ACS server and replication succeeds, the secondary Cisco Secure ACS server does not display the changes to the HTTP Port Allocation settings in the HTML interface.

Workaround/Solution: The changes to the HTTP Port Allocation settings do replicate successfully; however, to see the changes on the secondary Cisco Secure ACS server, restart the CSAdmin service.

CSCdz61464

Solaris Netscape 7.0 - Minor Features Failure

When the administrative browser is Netscape 7.0 on Solaris 8.0, some menus in the HTML interface for Cisco Secure ACS do not work properly.

Workaround/Solution: Use a supported Windows browser.

CSCea25090

Logged In User not showing after going into enable mode on router

With AAA Accounting for exec sessions configured on a NAS, a user shows up in the Logged-In User report on Cisco Secure ACS. With Accounting also configured for going into enable mode, the user no longer appears in the Logged-In User report after authenticating successfully.

Cisco Secure ACS tracks user sessions by IP address and port number. When enable authentication succeeds, Cisco Secure ACS sees that the IP address and port number combination for the existing session have been reused and assumes that the accounting stop packet was not sent or was lost; therefore, the user session is removed from the Logged-In User report even though the session continues in enable mode.

Because you cannot configure the NAS to send a new accounting start packet when enable mode is entered, the Logged-In User report cannot correctly report the user session as ongoing.

Workaround: None.
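The session-tracking behavior described for CSCea25090 is easier to see when replayed against a concrete event sequence. The following is an added example, not Cisco code: Cisco Secure ACS does not expose this logic, so the class, method and event names are assumptions, and the events replayed are constructed. It keys sessions on (NAS IP address, NAS port), as the explanation above says ACS does, and shows why the enable authentication drops the user from the report.

```python
"""Model of how the Logged-In User report tracks sessions, as the
explanation for CSCea25090 describes it. Added example, not Cisco code:
the class and event names are assumptions; the events are constructed."""

from dataclasses import dataclass, field


@dataclass
class LoggedInTracker:
    # Live sessions keyed by (NAS IP address, NAS port) -> username.
    sessions: dict = field(default_factory=dict)
    # Human-readable trace of why a session was dropped.
    trace: list = field(default_factory=list)

    def authentication_success(self, nas_ip, port, user):
        """A successful authentication on a key that is already tracked (the
        enable authentication case) is taken as proof that the earlier
        session ended and its accounting stop record was lost."""
        key = (nas_ip, port)
        if key in self.sessions:
            self.trace.append(
                f"{key} reused by {user}: dropping {self.sessions[key]} from report"
            )
            del self.sessions[key]

    def accounting_start(self, nas_ip, port, user):
        """An accounting start record for an exec session adds the user."""
        self.sessions[(nas_ip, port)] = user

    def accounting_stop(self, nas_ip, port):
        """An accounting stop record removes the session, if still tracked."""
        self.sessions.pop((nas_ip, port), None)

    def report(self):
        """Usernames currently shown in the Logged-In User report."""
        return sorted(self.sessions.values())


def replay(events):
    """Apply events in order and return the report after each one."""
    tracker = LoggedInTracker()
    snapshots = []
    for kind, *args in events:
        getattr(tracker, kind)(*args)
        snapshots.append(tracker.report())
    return snapshots


# Constructed event sequence: alice logs in to an exec session on tty1,
# bob starts a session on tty2, alice enters enable mode, bob logs out.
EVENTS = [
    ("authentication_success", "10.0.0.1", "tty1", "alice"),  # exec login
    ("accounting_start", "10.0.0.1", "tty1", "alice"),
    ("accounting_start", "10.0.0.1", "tty2", "bob"),
    ("authentication_success", "10.0.0.1", "tty1", "alice"),  # enable auth
    ("accounting_stop", "10.0.0.1", "tty2"),
]

if __name__ == "__main__":
    for (kind, *_), shown in zip(EVENTS, replay(EVENTS)):
        print(f"{kind:24} -> {shown}")
```

After the enable authentication the report lists only bob, although alice's exec session is still open; no later accounting record ever adds her back, which is the report gap the bug describes.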

CSCea55457

Radius Attributes do not appear in user/group profile page

After you enable RADIUS attributes in the Interface Configuration section of the Cisco Secure ACS HTML interface, they do not appear or appear only partially in Group Setup or User Setup, as applicable.

Workaround/Solution: Restart the CSAdmin service.

CSCea74289

cascade replication due to user pass change-dont work

Cascading replication does not occur when the replication trigger is a user password change and the primary Cisco Secure ACS is configured to perform replication manually.

Workaround/Solution: Use scheduled replication on the primary Cisco Secure ACS.

CSCea91690

Event Viewer errors on startup/shutdown in .NET

On Windows .NET Server 2003 shutdown and startup, you may see errors that falsely indicate that Cisco Secure ACS services have failed. At startup, you may see a dialog box that indicates that a service, such as CSLog, encountered a problem and will close. The same error is logged to Event Viewer, as in the following example:

Reporting queued error: faulting application CSLog.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

The problem is that, in Windows Server 2003, the Service Manager queries the Cisco Secure ACS services status during startup and shutdown, but Cisco Secure ACS services may not have started yet or may have stopped already. Even though this is normal behavior for Cisco Secure ACS services, Windows perceives this as an error and logs it to the Event Viewer.

On startup, the user sees all errors from the Event Viewer, which is why, when users log into Windows right after startup, they see errors from the previous login session.

This behavior is observed on Windows Server 2003 only.

Workaround: You can verify that Cisco Secure ACS services are running by using the Control Panel.

CSCeb16968

ACS shared profile components disappear with XML error messages

After you upgrade Cisco Secure ACS, authorization support for Management Center (MC) applications, such as Management Center for Firewalls, fails. In the Shared Profile Components section of the Cisco Secure ACS HTML interface, each MC that has registered with Cisco Secure ACS has a set of pages for configuring authorization components. If you access a page for editing or adding authorization components, you see an error message about a missing XML file.

Workaround/Solution: You must use CiscoWorks to reregister all MCs with Cisco Secure ACS.

1. Log into the CiscoWorks desktop with admin privileges.

2. Go to Server Configuration > Setup > Security > Select Login Module. Configure CiscoWorks to use the CiscoWorks Local module, and then configure CiscoWorks to use the TACACS+ module.

3. Go to VPN Security Management Solution > Administration > Common Services > Configuration > AAA Servers. Unregister all MCs and then reregister all MCs.

4. Log out of CiscoWorks.

CSCeb51393

multi-admin needs to be able to add/edit/delete downloadable ACLs

When multiple administrators try to add/edit/delete downloadable ACLs under the shared profile components, there is a conflict. After the first admin submits changes, the other administrator's ACS sessions get locked up.

Workaround: There is no workaround. Administrators must inform each other when they are working on the downloadable ACLs.

CSCeb62898

Group mapping ordering applet is not properly ordered

In a newly created Windows group mapping configuration, group mappings list in the wrong order.

Workaround: On the page for ordering group mappings, order the group mappings and click Submit. As additional mappings are added, they appear properly at the end of the list of mappings.

CSCec61110

authentications on secondary acs may fail after replication

Symptom: In environments where primary and secondary Cisco Secure ACS servers are kept in sync by using the replication feature, user authentication may fail for users who are defined in an external database, and the Failed Attempts log will contain an "external DB not configured" error.

Conditions: This problem happens with certain external database types such as LDAP, NDS, and the various token server types. This problem does not happen with the Windows external DB. By configuring external databases in a different order on the primary and secondary Cisco Secure ACS servers, authentication fails on the secondary server for users who are defined in the databases that are configured in a different order. If external databases are configured in the same order on primary and secondary servers, this problem does not happen. For example, if you configure two instances of LDAP external user databases on primary and secondary servers, but configure them in different orders after users are replicated, LDAP authentication attempts fail on the secondary server.

Workaround: For each database type involved in the problem, delete the external databases on all secondary servers and reconfigure them in the same order that they are defined on the primary server. If this solution fails, delete the affected external databases on the primary and secondary servers and reconfigure them.
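The condition for CSCec61110 is an ordering difference between two server configurations, which is easy to miss by eye when several instances of one database type exist. The following is an added example, not Cisco code: ACS 3.3 has no export of this ordering, so the (name, type) list form and the type labels are assumptions, and the two sample configurations are constructed. It reports which order-sensitive types differ and produces the delete-and-re-add sequence the workaround calls for.

```python
"""Compare the order of order-sensitive external databases on a primary and
a secondary Cisco Secure ACS (the CSCec61110 condition). Added example, not
Cisco code: the list form and type labels are assumptions; data is constructed."""

# Types the bug explanation names as order-sensitive. The Windows external
# database is explicitly not affected, so it is not listed.
ORDER_SENSITIVE_TYPES = ("LDAP", "NDS", "Token Server")


def ordering_mismatches(primary, secondary):
    """Return (type, primary_order, secondary_order) for each order-sensitive
    type whose instances are not in the same order on both servers."""
    mismatches = []
    for db_type in ORDER_SENSITIVE_TYPES:
        on_primary = [name for name, t in primary if t == db_type]
        on_secondary = [name for name, t in secondary if t == db_type]
        if on_primary != on_secondary:
            mismatches.append((db_type, on_primary, on_secondary))
    return mismatches


def rebuild_plan(primary, secondary):
    """Per the workaround: for each mismatched type, delete that type's
    databases on the secondary and re-add them in the primary's order."""
    return {
        db_type: {"delete": sorted(on_secondary), "re_add_in_order": on_primary}
        for db_type, on_primary, on_secondary in ordering_mismatches(primary, secondary)
    }


# Constructed configurations: the two LDAP instances were added in the
# opposite order on the secondary; the NDS and Windows entries match.
PRIMARY = [
    ("corp-ldap", "LDAP"),
    ("partner-ldap", "LDAP"),
    ("hq-nds", "NDS"),
    ("ad-domain", "Windows"),
]
SECONDARY = [
    ("partner-ldap", "LDAP"),
    ("corp-ldap", "LDAP"),
    ("hq-nds", "NDS"),
    ("ad-domain", "Windows"),
]

if __name__ == "__main__":
    for db_type, p, s in ordering_mismatches(PRIMARY, SECONDARY):
        print(f"{db_type}: primary {p} vs secondary {s}")
    print(rebuild_plan(PRIMARY, SECONDARY))
```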

CSCec72911

2003-password aging page display issue

CSCec89440

Unable to edit some of the disabled accounts

The Disabled Accounts report in the Reports and Activity section of the Cisco Secure ACS HTML interface cannot be edited when you access it by using an administrator account that doesn't have access to all groups.

If a page of the Disabled Accounts report has users who belong to groups that the administrator cannot access, the report doesn't allow the administrator to move to the next page of the report.

If the group mapping feature is used to assign a user account to a group, the user account appears on the Disabled Accounts report, even though the administrator only has access to specific groups.

Workaround: Access the Disabled Accounts report with an administrative account that has permission to access all groups.

CSCed42439

Active Directory via LDAP - Group Mappings skip first group

When Active Directory is configured as Generic LDAP and group mappings are configured, the first group in the LDAP directory is skipped.

CSCed59826

CSAdmin stops responding when editing java using netscape

CSCed62260

Remote Agents entries are being deleted after restore

When a dump file that was created on the Cisco Secure ACS software version is restored on the Appliance, Remote Agent entries (inside Network Configuration) are deleted.

Take this behavior into consideration, because ACS on the Appliance behaves as it does on the software version and the restore runs over the existing data and settings.

CSCed77992

Action Code 211 does not return group settings to factory defaults

Action Code 211 doesn't work as documented.

The document states that this code "Resets a Group User record back to its original factory defaults". However, some settings, such as the Shell (exec) and No escape check boxes, are not reset to factory defaults.

CSCed83628

Replication displays error when nothing to be replicated

In a scheduled replication scheme, a secondary server incorrectly records an error in the replication log when scheduled replication does not occur because no changes have occurred on the primary server. For example, this error can occur when the primary and secondary servers are configured to replicate only the user database and network configuration, and then a change is made to Network Configuration on the primary server but no change is made in the user database. At the next scheduled replication, the primary server correctly sends only the network configuration, but the secondary logs an error message that the user database was not received. Disregard this error message.

Workaround: None.

CSCed83648

Renaming of NDG removes it from Selected Items of NAF UI

When an NDG that is in the Selected Items window of the NAF UI is renamed on the Network Devices page, it is removed from the Selected Items of the NAF back to the source NDG window, where it is known by its new name.

CSCed93251

Fail to locate ACL for updating when ACL uses the same name as NAF

Procedure to reproduce the problem:

1. Configure one Network Access Filtering (For example, Healthy)

2. Configure one Downloadable IP ACL with the same name as that of NAF (For example, Healthy)

Then the following error message appears:

"Failed to locate the ACL for updating".

Workaround: Give the ACL a different name from any name used by a NAF.

CSCed90144

When deleting a NAF it should be deleted from the assigned dACLs

Deleting a NAF removes it from Cisco Secure ACS; however, the NAF is still referenced by any downloadable ACLs that referenced it before the NAF was deleted. This problem causes the downloadable ACLs to fail to download and, as a result, the user to whom the ACLs were to be applied fails to authenticate.

Workaround: When you delete a NAF, examine all downloadable ACL configurations and ensure that the NAF is not referenced by any of them.
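Both CSCed93251 (a dACL that shares a NAF's name cannot be updated) and CSCed90144 (a dACL that still references a deleted NAF fails to download, so the user fails authentication) are configuration-consistency problems that can be checked before a change is submitted. The following is an added example, not Cisco code: ACS 3.3 does not expose NAF and dACL configuration in this form, so the data structures and the "(Default)" entry name are assumptions, and the sample configuration is constructed.

```python
"""Consistency checks for Network Access Filters (NAFs) and downloadable IP
ACLs covering the CSCed93251 and CSCed90144 failure modes. Added example,
not Cisco code: the structures are assumptions; the data is constructed."""

from dataclasses import dataclass, field

DEFAULT_NAF = "(Default)"  # assumed name of the fallback entry a dACL carries


@dataclass
class DownloadableACL:
    name: str
    # ACL contents keyed by the NAF they apply to.
    contents: dict = field(default_factory=dict)


def name_collisions(naf_names, dacls):
    """CSCed93251: a dACL whose name equals a NAF name cannot be updated
    ("Failed to locate the ACL for updating")."""
    return sorted(d.name for d in dacls if d.name in set(naf_names))


def dangling_naf_references(naf_names, dacls):
    """CSCed90144: a dACL entry that references a NAF which no longer exists
    makes the dACL fail to download, and the user fails authentication."""
    known = set(naf_names) | {DEFAULT_NAF}
    return sorted(
        (d.name, naf) for d in dacls for naf in d.contents if naf not in known
    )


def dacls_to_edit_before_deleting(naf, dacls):
    """Run this before deleting a NAF: every dACL listed here must have the
    NAF removed from its contents first, or it becomes a dangling reference."""
    return sorted(d.name for d in dacls if naf in d.contents)


# Constructed configuration. "Healthy" is both a NAF and a dACL name, and
# "Restricted" still references a NAF ("Old-Lab") that was already deleted.
NAFS = ["Healthy", "Quarantine", "Branch-Offices"]
DACLS = [
    DownloadableACL("Healthy", {"Healthy": "permit ip any any"}),
    DownloadableACL(
        "Restricted",
        {
            "Quarantine": "permit tcp any host 10.1.1.5 eq 80\ndeny ip any any",
            "Old-Lab": "permit ip any 10.9.0.0 0.0.255.255",
            DEFAULT_NAF: "deny ip any any",
        },
    ),
]

if __name__ == "__main__":
    print("name collisions:", name_collisions(NAFS, DACLS))
    print("dangling references:", dangling_naf_references(NAFS, DACLS))
    print("edit before deleting Quarantine:",
          dacls_to_edit_before_deleting("Quarantine", DACLS))
```

The third function is the pre-delete check the workaround above asks for: run it with the NAF you intend to remove, edit every dACL it returns, and only then delete the NAF.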

CSCee13658

Failed attempts report statement is not clear enough

When user validation fails for any reason (external server down, wrong SSL certificate, or key mismatch with the NAS), the CSV Failed Attempts report states that the authentication failure code is 'external db account restriction' or 'CS password invalid'.

Workaround: This problem is cosmetic. No workaround.

CSCee38482

Admin account can see all users who are dynamically mapped

Local admin can see dynamic mapped users.

Workaround: The view is read-only. No other workaround at this time until the bug is fixed.

CSCee58593

CSAdmin restart during Replication between two ACS SW in slow link

During replication between two Cisco Secure ACSs over a slow link (128k), the services of the primary ACS restart after the timeout that is configured on the CiscoSecure Database Replication page expires and replication has not completed. The services that restart are:

CSAdmin

CSAuth

CSTacacs

CSRadius

CSCee65671

Need to be able to roll back previously installed older patches

Once you use the CLI on the Appliance, you cannot go back to a previously installed older patch.

CSCee68644

SPC type created by EMBU DLL returns errors in Name field

In the case of an SPC component that was created by MC-based applications, the "Name" field is not limited to the desired 31 characters and allows entering many more, and then returns an error message to the user. The following pattern of errors is received:

If the name is less than 28 characters, the name is accepted.

If the name is between 28 and 34 characters, the "Internal Error, Failed to locate or create record for update" message appears.

If the name is more than 34 characters, the "Name is invalid or contains illegal characters" message appears.

The maximum length of the name should be limited in the UI.

CSCee73004

CSLog handles reach more than 11,000 after failed ODBC connections

A message queue was added to CSAuth for message storage, with a dedicated thread that actually logs the messages from the queue. The default number of messages in the queue is 20K, but it can be managed by the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.3\CSAuth\MaxMsgInLogQueue

CSCee77099

navigation bar(buttons) disappear after exit from Global Auth page

The navigation bar (button bar on the left) in the HTML interface may disappear after the following sequence:

1. Click System Configuration > ACS Certificate Setup > Certificate Revocation Lists.

2. Click an "Issuer Friendly Name".

3. Click Cancel three times, which returns you to the System Configuration page.

4. Click Global Authenticate Setup.

5. Click Cancel.

6. The navigation bar disappears.

Workaround: Log out of the HTML interface and log in again.

CSCee81070

ACS install fails if installing on machine with running Remote Agent

If Cisco Secure ACS Remote Agent is already installed on a computer on which you later attempt to install Cisco Secure ACS for Windows Server, the installation of Cisco Secure ACS for Windows Server fails.

Workaround: Stop the remote agent service (CSAgent) before beginning the installation of Cisco Secure ACS for Windows Server.

CSCee81203

DataType in SQL of int is different than int displayed in ACS

ACS shows an example SQL query to create the table. The integer field in that example might not be enough, depending on the particular SQL server, because of different integer interpretations (such as unsigned or signed int).

So before you use the table creation example, check how this particular SQL server interprets the integer field and modify the query accordingly.

CSCee83677

NAC attrs type change can cause NAC GUI error

When an administrator changes the type of an existing NAC attribute by using the CSUtil (or because of backup/restore) and this attribute is used in NAC policies, the Local Policy Configuration page does not appear and error message "An error has occurred while processing the Authen DLL Configure Page because an error occurred in the DLL processing this request" appears.

For example, the attribute Trend:Software-Name is used in one of the rules and then its type was changed to integer. The bug can occur in the following situations:

1. Attribute was deleted and then added with different type by using the CSUtil.

2. Because policies are stored in VarsDB (user database) and dictionaries in registry, administrator can get the different attribute types in dictionary and in policy by doing the restore only on one of the components: user database or configuration.

3. Attribute type was modified due to CSCee83667

Workaround: On the NAC GUI page of the supplier configuration, an administrator can remove the problematic policy from the local policies list, after which the policy page appears without any problems. Go to the supplier config page, click the "Local policies" button, remove the problematic policy from the selected list, and submit this change.

CSCee83687

Wrong application name is being displayed

When more than one network admission control (NAC) attribute (also known as a credential) has the same application type ID, but the application names are different, Cisco Secure ACS always displays the application name associated with the lowest vendor ID.

For example, if there are two credential types, VENDOR:AV (3000:03) and Cisco:Example (9:3), on the mandatory credentials list for configuring a NAC database, where "VENDOR:AV" should appear, Cisco Secure ACS will display "VENDOR:Example".

This problem is not obvious at first because the default attributes in Cisco Secure ACS that have the same application ID but different vendor IDs coincidentally use the same application name. The problem arises when you add attributes that use a different application name with an application ID that is used by other attributes.

Workaround: Avoid adding NAC attributes whose application name is different from the application name that is used by other NAC attributes with the same application ID.

CSCee83875

Restoring to ACS Win from ACS Sol. Engine lost Interface Cfg. data
