Network Admission Control, Release 2.0 (NAC 2.0) is a set of technologies and solutions that uses the network infrastructure to enforce security policy compliance on devices that try to access network computing resources, thereby limiting the damage from security threats.
Customers implementing NAC can allow network access only to compliant and trusted endpoint devices (PCs, servers, and PDAs, for example) and can restrict the access of noncompliant devices.
This document lists which Cisco components are NAC 2.0 compatible and what limitations these components have.
For information about installation methods, system requirements, and changes from release to release of an individual component, see that component's release notes and documentation in the Technical Support & Documentation area of the Cisco Systems website.
Cisco Component Versions That Support NAC
Supported Cisco Switches
These devices support either the NAC L2 IP method, which uses Extensible Authentication Protocol over User Datagram Protocol (EAP over UDP), or the NAC L2 802.1X (EAP over IEEE 802.1X) method. These are NAC Release 2.0 devices.
Supported Cisco Routers
These routers support the NAC L3 IP method (EAP over UDP) and are considered NAC Release 1.0 devices.
Table 2 Cisco Supported Routers
Supported Cisco Router Series | Supported Models | Operating System Image
Cisco 800 Series Routers | 831, 836, 837, and 870 Series | Cisco IOS 12.3(8)T or later
Cisco 1700 Series Routers | 1701, 1711, 1712, 1721, 1751, 1751-V, 1760 | Cisco IOS 12.3(8)T or later
Cisco 1800 Series Routers | 1841 | Cisco IOS 12.3(8)T or later
Cisco 2600 Series Routers | 2600XM, 2691 | Cisco IOS 12.3(8)T or later
Cisco 2800 Series Routers | 2801, 2811, 2821, 2851 | Cisco IOS 12.3(8)T or later
Cisco 3600 Series Routers | 3640/3640A, 3660-ENT Series | Cisco IOS 12.3(8)T or later
Cisco 3700 Series | 3725, 3745 | Cisco IOS 12.3(8)T or later
Cisco 3800 Series | 3825, 3845 | Cisco IOS 12.3(8)T or later
Cisco 7200 Series | All | Cisco IOS 12.3(8)T or later
Cisco 7500 Series | All | Cisco IOS 12.3(8)T or later
Cisco 7600 Series | All | Cisco IOS 12.3(8)T or later
Supported Cisco Wireless Access Points
The Cisco Wireless Access Points support the NAC L2 802.1X method.
Table 3 Supported Cisco Wireless Access Points
Cisco Wireless Access Points | Supported Models | Operating System Image
350 series | All | 12.3(7)JA1 or later
1100 series | All | 12.3(7)JA1 or later
1130 AG series | All | 12.3(7)JA1 or later
1200 series | All | 12.3(7)JA1 or later
1230 AG series | All | 12.3(7)JA1 or later
1240 AG series | All | 12.3(7)JA1 or later
Supported Cisco Wireless LAN Controllers
The Cisco Wireless LAN Controllers support the NAC L2 802.1X method.
Table 4 Supported Airespace Appliance Devices
Wireless LAN Controller Models | Cisco Unified Wireless Network Software
Cisco 2000 | Release 3.1 or later
Cisco 4100 | Release 3.1 or later
Cisco 4400 | Release 3.1 or later
Wireless Services Module (WiSM) | Release 3.1 or later
Wireless LAN Services Module (WLSM) | Release 3.1 or later
Wireless LAN Controller Module for Integrated Services Routers | Release 3.1 or later
Supported Cisco Trust Agent Release
Cisco Trust Agent (CTA) 2.0.0.30.
Supported Cisco Secure Access Control Server Release
•Cisco Secure Access Control Server (ACS) 4.0.1.27 for Windows
•Cisco Secure Access Control Server (ACS) Solution Engine
–Build 4.0.1.42 for Quanta (1112)
–Build 4.0.1.43 for HP (1111)
Supported Cisco Security Agent Releases
•Cisco Security Agent (CSA) 4.5.1.639
•Cisco Security Agent (CSA) 5.0.0.176 or later.
Supported Cisco VPN Concentrator Release
Table 5 Supported Cisco VPN Concentrator Release
Cisco VPN Concentrator | Supported Models | Operating System Version
3000 series | 3005 to 3080 | Version 4.7 or later
Known Component Problems
This section describes problems known to exist in Network Admission Control, Release 2.0.
Note A "—" in the Explanation column means that no information was available at the time of publication. You should check the Cisco Software Bug Toolkit for current information. To access the Cisco Software Bug Toolkit, go to http://www.cisco.com/pcgi-bin/Support/Bugtool/home.pl. (You will be prompted to log in to Cisco.com.)
Known Cisco Switch Problems
Known Catalyst 2000 and 3000 Switch Problems
Unless otherwise stated, these open caveats apply to Catalyst 3750, 3560, 3550, 2970, and 2960 switches running Cisco IOS Release 12.2(25)SED or later, and Catalyst 3550, 2955, 2950, and 2940 switches running Cisco IOS Release 12.1(22)EA6 or later.
These caveats address specific behaviors of the switch that affect a NAC implementation. For a complete list of the features and caveats for a particular switch, see that device's product release notes available at http://www.cisco.com.
References to a "supplicant" in these caveats refer to any IEEE 802.1X supplicant.
Table 6 Known Problems in Cisco 2000 and 3000 Series Switches
Bug ID | Headline | Explanation
CSCei03545
NAC L2 IP 0.0.0.0 shows up in eou table as a client for 1538M HUB.
Note This caveat applies to Catalyst 3750, 3560, and 3550 switches running Cisco IOS Release 12.2(25)SED or later.
Symptom If NAC L2 IP validation is configured on a port that is attached to a Cisco 1538M Micro Hub, the Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) table in the show eou all privileged EXEC command output might have an invalid entry with the IP address 0.0.0.0.
Workaround There is no workaround. This does not affect the switch functionality.
CSCei05652
HRPC dot1x request handler traceback from unqueue failure.
Symptom On Catalyst 3750 switches, NAC L2 802.1X validation repeatedly occurs on many IEEE 802.1X-enabled ports. During validation a message such as this might appear:
May 26 17:57:03.204: %SYS-2-NOTQ: unqueue didn't find 3DECB98 in queue 1F266A4 (l3a3-3)
Workaround There is no workaround. This problem does not affect the switch functionality.
CSCei08901
NAC L2 IP:stack master reloaded under stress.
Note This caveat applies to Catalyst 3750, 3560, and 3550 switches running Cisco IOS Release 12.2(25)SED or later.
Symptom If the Extensible Authentication Protocol over User Datagram Protocol (EoU) table has many host entries and you enter the clear eou all privileged EXEC command, messages such as this might appear:
4d01h: %SM-4-BADEVENT: Event 'eouHold' is invalid for the current state 'eou_abort': eou_auth 8.0.7.170
-Traceback= 6DB0E4 158F74 419B4 41D58 448B4 44AF0 3F27C0 3ECA14
After the message appears, the switch might unconditionally force a software reload.
Workaround Use the clear eou ip privileged EXEC command to remove specific IP hosts from the EoU table instead of clearing the whole table.
CSCei31359
SU05:DAI w/IP address validation discards NAC:NAC L2 IP ARP probes.
Note This caveat applies to Catalyst 3750, 3560, and 3550 switches running Cisco IOS Release 12.2(25)SED or later.
Symptom If dynamic Address Resolution Protocol (ARP) inspection is enabled on the access VLAN for the NAC host and the IP address validation option is configured, the Extensible Authentication Protocol over User Datagram Protocol (EoU) session for NAC ends 2 minutes after validation occurs.
Workaround Use one of these workarounds:
•Disable the IP address validation option.
•Use an ARP access control list (ACL) to allow the IP address 0.0.0.0 but to block the IP address 255.255.255.255.
The ARP ACL must include this access control entry:
permit response ip any host 0.0.0.0 mac any any
CSCei49149
Trace/TCAM msg after cl eou all(48x8 hosts from EST).
Note This caveat applies to Catalyst 3750, 3560, and 3550 switches running Cisco IOS Release 12.2(25)SED or later.
Symptom After the posture of a large number of hosts has been validated, if you clear the EAPoUDP table by using the clear eou all privileged EXEC command, this message about the system running low on TCAM resources might appear:
%QATM-4-TCAM_LOW: TCAM resource running low for table Input ACL, resource type TCAM masks, on TCAM number 1.
Workaround There is no workaround.
CSCei77557
NAC L2 IP:EoU Process trace/bogus ACS msg after cl eou all as 75 NRH.
Symptom If 75 nonresponsive clients are connected to a Catalyst 3750 or 3560 switch and you enter the clear eou all privileged EXEC command, a traceback appears.
Workaround There is no workaround. You can ignore the traceback.
CSCsb76707
Port still part of VLAN even after unconfiguring auth-fail VLAN.
Note This caveat applies to Catalyst 3750, 3560, 3550, 2970, and 2960 switches running Cisco IOS Release 12.2(25)SED or later.
Symptom If an IEEE 802.1X-enabled port is authorized in the restricted VLAN, the port might remain in that VLAN even after you enter the no dot1x auth-fail vlan interface configuration command to disable the restricted VLAN on the port.
Workaround The workaround is to shut down the IEEE 802.1X-enabled port by entering the shutdown interface configuration command before you remove the restricted VLAN configuration.
CSCsb79198
dot1x:port fail to authenticate if download acl >= 20
Symptom An IEEE 802.1X supplicant might fail to complete authentication if the per-user ACL is too large. During IEEE 802.1X authentication, the RADIUS server might download a per-user IP or MAC ACL to be applied to an interface as part of the Access-Accept message. If the ACL is too large, the switch might not be able to apply it, and the authentication fails and restarts. Depending upon the specific access control entries (ACEs) in the ACL, the maximum ACL size is about 20 ACEs in a Catalyst 3750 switch.
Workaround The workaround is to reduce the size of the per-user ACLs that are downloaded as part of IEEE 802.1X authentication.
CSCsb99249
IEEE 802.1X configured port failed to ping after host mode change.
Symptom On an IEEE 802.1X-enabled port that has the IEEE 802.1X control direction set to in (unidirectional port control), if you use the dot1x port-control interface configuration command to change the port mode configuration or the dot1x host-mode interface configuration command to change the host configuration, the host attached to the port might get authenticated but might not be able to access the network.
Workaround On an IEEE 802.1X-enabled port, before you change the port mode or the host mode configuration, either shut down the port (by using the shutdown interface configuration command) or change the port control to bidirectional by entering the no dot1x control-direction in or the dot1x control-direction both interface configuration command.
CSCsc16152
Client with dot1x cannot get DHCP address.
Symptom When a client is connected to a Catalyst 3750 member switch through an interface that is configured for IEEE 802.1X and DHCP snooping, if the client uses one MAC address for IEEE 802.1X authentication and a different MAC address for the DHCP request, the client does not receive an IP address from the DHCP server. This problem does not occur when the client is connected to a Catalyst 3750 master switch or when the client uses the same MAC address for IEEE 802.1X and DHCP requests.
Workaround The workaround is to connect the client to the master switch in the Catalyst 3750 switch stack, or to disable DHCP snooping.
CSCsc26248
SYS-2-BADSHARE: Bad refcount in mem_lock during disabling ports.
Symptom If a Catalyst 3750 switch configured as the master switch in a stack has a large number of IEEE 802.1X-enabled ports, a series of rapid link changes on the switch (for example, when you remove cables from these ports) might cause this message to appear and the switch to reload:
Oct 21 12:31:07.446: -Traceback= F8E218 2F376C 2EA71C 2EB674 18C48C 2EAD94 2E9D88 86B7E8 865A2C
Oct 21 12:31:07.446: %SYS-2-BADSHARE: Bad refcount in mem_lock, ptr=38AAC10, count=0
Workaround There is no workaround available.
Known Catalyst 6500 Series Switch Problems
These limitations are found on Catalyst 6500 series switches running the CatOS 8.5 JAC operating system.
These caveats address specific behaviors of the switch that affect a NAC implementation. For a complete list of the features and caveats for a particular switch, see that device's product release notes at http://www.cisco.com.
Table 7 Known Problems in Catalyst 6500 Series Switches
Bug ID | Headline | Explanation
CSCei90699
ACL mgr stuck in 99% while posture validating 110 hosts.
Symptom With NAC L2 IP, when a host's posture is being validated, you will see high CPU utilization by the ACL manager process. This is a transient condition and is expected.
Workaround There is no workaround.
CSCei15212
Posture validation not happening on PCs having multiple NIC
Symptom With NAC L2 IP, if a PC connected to the switch has more than one NIC, only one of the NICs is posture validated.
Workaround There is no workaround.
Known Cisco Secure Access Control Server Problems
There are NAC 2.0 features in both the Cisco Secure Access Control Server for Windows and the Cisco Secure Access Control Server Solution Engine.
Table 8 contains problems known to exist only in Cisco Secure Access Control Server Solution Engine. Table 9 contains problems known to exist in both the Cisco Secure Access Control Server Solution Engine and the Cisco Secure Access Control Server for Windows. Both versions of Cisco Secure Access Control Server are referred to as ACS.
These caveats address specific behaviors of ACS that affect a NAC implementation. For a complete list of the features as well as caveats for ACS, refer to ACS's product release notes available at http://www.cisco.com.
Table 8 Known Problems in ACS Solution Engine (ACS SE) 4.0.1
Bug ID | Summary | Explanation
CSCsd20149
After initial config from Recovery CD, no GUI access.
Symptom This problem occurs on ACS SE 1111 (HP) when performing a full upgrade including the appliance base image. After installing from the ACS SE 1111 (HP) Recovery CD and completing the initial configuration, you cannot access the web interface. When you log in to the CLI, the appliance status indicates that pfipmon is not running.
Conditions On ACS SE 1111 (HP), after installing from the Recovery CD, when performing a full upgrade, including the appliance base image.
Note If you are not upgrading the appliance base image, you do not need to install from the Recovery CD.
Workaround Use the CLI command reboot to restart the appliance.
CSCsc90467
After Install from Recovery CD, no CLI access.
Symptom This problem occurs on ACS SE 1111 (HP) when performing a full upgrade including the appliance base image. When installing from the ACS SE 1111 (HP) Recovery CD, after installation completes, the ACS SE reboots, performs some configuration, and reboots again. The configuration that occurs after the first reboot takes a significant amount of time, during which there is no feedback; this is normal system behavior. After this time, the CLI Initial Configuration screen should appear, but does not.
Conditions On ACS SE 1111 (HP), when installing from the Recovery CD, when performing a full upgrade, including the appliance base image.
Note If you are not upgrading the appliance base image, you do not need to install from the Recovery CD.
Workaround Switch off the appliance, and switch it on again.
CSCsc81981
CSAdmin crashed when edit the RA field after replication
Symptom After replication, if you edit the Remote Agent field in the Network Configuration page on the slave machine, ACS displays the error message "Action canceled."
Workaround None.
CSCsc80481
Proxy distribution table prevents SNMP from working.
Symptom If you configure ACS SE for SNMP and enable "Accept SNMP packets from selected hosts", and then add an entry to the Proxy Distribution Table like:
@cisco.com -> local ACS -> strip -> local (Default) -> local ACS -> no strip -> local
SNMP stops working and there are no more responses from ACS.
Workaround Uncheck "Accept SNMP packets from selected hosts."
CSCsc77508
Stress with EAP-TLS crashes CSAuth
Symptom During overnight EAP-TLS stress against CSDB with NAP and RAC, and CRL (30% of all certificates are revoked), CSAuth crashed a number of times.
Workaround None.
CSCsc77228
RSA Token is displayed in the external User DB after Upgrade from 3.2.3
Symptom If, in a previous version of ACS, you added RSA SecurID Token Server to the External User Database, mapped it to a group, and selected this database in the "Unknown User Policy", then, after upgrading to ACS 4.0, the RSA SecurID Token Server is still displayed, even though it should be deleted from everywhere inside the External User Database and not just from the Database Configuration.
Moreover, the configuration in the RSA SecurID Token Server should be placed in the RADIUS Token Server after the upgrade to 4.0.
Workaround None.
CSCsc69997
Machine authentication failed on 2003 DC with binary comparison on
Symptom EAP-TLS machine authentication fails if only binary comparison is selected and a Windows 2003 domain controller is used as the external database. There are no problems with user authentication.
Workaround None.
CSCsc63854
ODBC Mapping exists after restoring image created on software
Symptom After restoring the appliance image from the software version of ACS 4.0.1, there is still ODBC configuration in Unknown User Policy and in NAP/Authentication.
Workaround None.
CSCsc52381
ACS SE: console access may not work if NTP synchronization is enabled
Symptom The login prompt might not appear on the CLI console after rebooting through the CLI or through the GUI when NTP synchronization is enabled, even if the NTP server address is set correctly.
Workaround Disable NTP synchronization.
CSCsc03778
ACS SE replicated changes under Admin Control not enforced unless reboot
Symptom If you make a change in the Access Policy under Administration Control and then replicate the change to another appliance, the changes are not enforced on the receiving appliance.
Workaround On the receiving (secondary) appliance, do one of the following:
•Click Submit on the Access Policy page.
•Reboot the secondary appliance.
CSCsc02553
GUI logging change does not affect csadmin until server restarted
Symptom When you change the logging level for an ACS Appliance via the GUI and click the button to restart, the csadmin service is not restarted, so the csadmin logging level does not change until the csadmin service is manually restarted.
Workaround Restart the csadmin service manually.
CSCsb83399
ACS SE should save the FTP settings during software upgrade
Symptom The ACS appliance does not save the defined FTP settings during a software upgrade, although the defined backup schedule is saved. Scheduled backups therefore fail after a software upgrade until the FTP settings are restored.
Workaround Reenter the FTP information manually after an upgrade.
CSCsb27597
Limitation on the custom attributes (of 31k as CSAdmin indicates)
Symptom In the T+ Settings per User/Group Configuration page, which is accessed from the Interface Configuration page, if you add a 1201st entry in the custom attribute field, the browser crashes. The custom attribute field is currently limited to 31 KB (which is around 1200 attributes).
Workaround None.
CSCsb19051
TCP checksum error from Cisco Secure ACS Solution Engine 1111
Symptom A Cisco Secure Access Control Server Solution Engine (ACS SE) 1111 (CSACSE-1111-UP-K9) may generate transient TCP checksum errors which may cause error logging on other devices in the network. In particular, Cisco switches would generate the following error message:
%IP-3-TCP_BADCKSUM:TCP bad checksum.
The cause of the error is the NIC software driver. Not every packet being transmitted will be affected. Given that TCP will retransmit any unacknowledged packet, the system will recover. Excessive logging of the error message within the network might occur. The problem only affects TCP packets; therefore, TACACS+ may be affected, while RADIUS (which uses UDP) will not.
This problem might also occur on an ACS SE 1112 (Quanta).
Workaround A temporary workaround is to reload the server; but, because the problem is transient, it will likely return within days or weeks.
A patch is available from TAC, which will help to reduce the number of errors; however, since this is a network configuration problem, it cannot resolve the problem completely. Contact your TAC representative for the appropriate TCP_checksum patch for your platform.
CSCsb13998
ACS dialin authorization fails against Win2K active directory
Symptom When ACS is configured to obtain dialin authorization from a Microsoft Active Directory user database, authorization sometimes fails with the error: "User does not have dialin permission (needed)."
This defect was found in an environment where Active Directory was being replicated from an NT domain. The same errors occurred when the remote agent was installed on a Member Server or a Domain Controller.
Workaround The problem is caused because replication does not synchronize the userParameters and msNPAllowDialin attributes. See Microsoft KB article 252398 for a possible workaround (run a script to synchronize the attributes).
CSCeh17104
ACS Appliance: Certain Hostname/Admin name cause losing access
Symptom If the administrator name is the same as the hostname, there is no GUI access or CLI access.
Workaround Ensure that the administrator name is different from the hostname.
CSCeh04327
SNMP get and get-next requests for host.hrSystemNumUsers return error
Symptom SNMP 'get' and 'get-next' requests for host.hrSystemNumUsers return 'Generic error'.
Workaround None.
CSCee89510
Dates are logged in local time instead of GMT
Symptom NAC attributes that are in date format are in the GMT time zone. When ACS logs these attributes, it converts them to the ACS local time zone (the time zone of the ACS server).
Workaround Configure ACS to use the GMT time zone.
Table 9 Known Problems in both ACS 4.0.1 for Windows and ACS SE 4.0.1
Bug ID | Headline | Explanation
CSCea91690
Event Viewer errors on startup/shutdown in .NET.
Symptom On Windows .Net Server 2003 or Windows 2003 Enterprise Edition shutdown and startup, you might see errors that falsely indicate that ACS services have failed. At startup, you might see a dialog box that indicates that a service, such as CSLog, encountered a problem and will close. The same error is logged to Event Viewer, as in this example:
Reporting queued error: faulting application CSLog.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
In Windows Server 2003, the Service Manager queries the ACS services status during startup and shutdown, but ACS services might not have started yet or might have already stopped. Even though this is normal behavior for ACS services, Windows perceives this as an error and logs it to the Event Viewer.
On startup, the user sees all errors from the Event Viewer. Therefore, when users log into Windows right after startup, they see errors from the previous login session.
Conditions This behavior is observed on Windows Server 2003 only.
Workaround Verify that ACS services are running by using the Control Panel.
CSCeb78551
When doing LEAP RADIUS proxy between a front-end ACS server and a back end ACS server, problems arise if the configuration is not correct.
Symptom The LEAP Server (back end ACS Server) must contain an AAA Client entry for the LEAP Proxy Server (front end ACS Server), and it must be set to use RADIUS (Cisco IOS/PIX).
The LEAP Server (the back end ACS Server) also must be set to use the RADIUS (Microsoft) [026/311/012] MS-CHAP-MPPE-Keys attribute in Interface Configuration and in Group or User Settings (depending on the profile used).
This setting is required to communicate the MS MPPE keys, which LEAP uses, between the LEAP Proxy Server (front end ACS Server) and the LEAP Server (back end ACS Server).
This communication is encapsulated in a Cisco VSA, which is why the AAA Client must be RADIUS (Cisco IOS/PIX).
Workaround There is no workaround.
CSCec72911
Windows 2003 password aging page display issue.
Symptom ACS is installed on Windows 2003 Server, and the password aging feature is enabled. Only the "generate greetings for successful logins" option in Password Aging settings is checked. After pressing Submit or Submit + Restart for the first time, ACS displays this valid error message:
Error: Generation of greetings on successful logins requires at least one password aging rule to be configured.
However, on the second pressing of one of these buttons, one of these errors appears:
Active canceled
The page cannot be displayed
Conditions Occurs after installation and as long as no changes are made. Occurs only when managing ACS on the local machine by using IE 6.0.
Workaround Restart ACS.
CSCee64596
During stress tests, ACS does not reduce the size of the CsAdmin file based on the Service Control settings.
Symptom Intensive use of the Logged-In Users report might lead to significant memory utilization by the CSAdmin service.
Workaround Restart the CSAdmin service.
CSCef12461
Restoring many administrators on Windows 2000 does not restore them.
Symptom On Windows 2000, if you attempt to restore a database of over 500 administrators, the ACS administrators are not restored.
Workaround Manually recreate administrators after the restoration.
CSCef12605
Replication with many administrators does not replicate them.
Symptom When ACS attempts to replicate with 500 or more administrators, administrators are not replicated even though ACS reports a successful replication.
Workaround There is no workaround.
CSCef55730
ACS authorization passes even for a disabled user.
Symptom The default administrative user account defined within the CiscoWorks local (user) database (and replicated within the Cisco Secure ACS TACACS+ user database) is granted access to all installed Management Center applications, even if the user account is disabled within ACS.
Workaround There is no workaround.
CSCef85310
Group dACL is downloaded if Users dACL content is empty.
Symptom It is possible to define a downloadable ACL (dACL) with empty content. Because of this defect, if a user with an empty dACL belongs to a group on which a non-empty dACL is defined, then when the user authenticates, the group's dACL is downloaded to the device instead of the user's. (When the user's dACL content is not empty, it is downloaded to the device, as it should be.)
Workaround Do not define an empty downloadable ACL.
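Two of the dACL caveats in this document are catchable before a policy reaches the switch: CSCsb79198 (a per-user ACL of roughly 20 or more ACEs can fail to apply on a Catalyst 3750, so authentication loops) and CSCef85310 (an empty user dACL makes ACS push the group dACL instead). The following linter is an added example, not Cisco code: it takes dACL text as an operator would paste it into ACS, counts ACEs while ignoring remarks and comments, and flags both conditions. The 20-ACE threshold is taken from the caveat text as an approximate limit, and the sample dACLs are constructed for this example.

```python
"""Lint ACS downloadable ACLs (dACLs) before they are pushed to switches."""
from dataclasses import dataclass, field

# Approximate limit quoted in the CSCsb79198 caveat text (assumption: treat it as a hard ceiling).
CATALYST_3750_ACE_LIMIT = 20


@dataclass
class DaclReport:
    name: str
    ace_count: int
    problems: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def count_aces(dacl_text: str) -> int:
    """Count access control entries; blank lines, 'remark' lines and '!' comments are skipped."""
    count = 0
    for raw in dacl_text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("remark") or line.startswith("!"):
            continue
        if line.split()[0].lower() in ("permit", "deny"):
            count += 1
    return count


def lint_dacl(name: str, dacl_text: str,
              ace_limit: int = CATALYST_3750_ACE_LIMIT) -> DaclReport:
    """Return a report naming every caveat the dACL would trigger."""
    report = DaclReport(name=name, ace_count=count_aces(dacl_text))
    if report.ace_count == 0:
        # CSCef85310: an empty user dACL causes the group dACL to be downloaded instead.
        report.problems.append("empty dACL: the group dACL would be applied instead of this one")
    if report.ace_count >= ace_limit:
        # CSCsb79198: the switch may fail to apply a large per-user ACL; auth fails and restarts.
        report.problems.append(
            f"{report.ace_count} ACEs >= limit of {ace_limit}: "
            "Catalyst 3750 may fail to apply it and authentication will loop")
    return report


# Constructed sample dACLs (not taken from the original page).
SAMPLE_DACLS = {
    "healthy": "permit udp any any eq domain\npermit tcp any host 10.0.0.5 eq 443\ndeny ip any any\n",
    "empty": "remark placeholder only\n",
    "too-big": "".join(f"permit tcp any host 10.0.1.{i} eq 443\n" for i in range(25)),
}


def lint_all(dacls: dict = SAMPLE_DACLS) -> dict[str, DaclReport]:
    return {name: lint_dacl(name, text) for name, text in dacls.items()}


if __name__ == "__main__":
    for name, rep in lint_all().items():
        status = "OK " if rep.ok else "BAD"
        print(f"{status} {name}: {rep.ace_count} ACEs; {'; '.join(rep.problems)}")
```

Run it against an export of the dACLs defined under Shared Profile Components before a switch code upgrade; a dACL that trips the size check should be split or moved from the user to a shorter group policy rather than left to fail at authentication time.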
CSCef85314
Group dACL is downloaded if Users content NAF is not suitable.
Symptom If a user attempts authentication to a device that is not part of the NAF specified on the user's dACL content, the ACL of the group to which the user belongs is downloaded to the device, instead of the request being rejected.
Workaround There is no workaround.
CSCef96208
ACS reports incorrect privilege level
Symptom ACS might report users with the incorrect authorized privilege level. In particular, when using TACACS+, users who are correctly authenticated with a privilege level of 15 are reported with a level of 1.
Workaround None; the error is cosmetic.
CSCeg40355
Authentication failures when remote logging fails.
Symptom If an ACS server configured for remote logging does not successfully transmit an accounting log to the remote server, authentication attempts to this ACS server during this time might fail. The authentication failure might not be reported at all, or it might be reported incorrectly (as being successful).
The auth.log file might have output similar to this during an authentication failure:
AUTH 10/13/2005 10:29:55 E 0552 19568 Timeout waiting for ack from CSlog [logger name]
AUTH 10/13/2005 10:29:55 E 0559 19568 Closing CSlog connection to [logger name]
AUTH 10/13/2005 10:29:55 E 0574 19568 Re-sending packet to CSLog [logger name]
AUTH 10/13/2005 10:29:55 E 0546 19568 -ve ack from CSLog [logger name]
AUTH 10/13/2005 10:29:55 E 0499 19568 Failed to log accounting packet to logger [logger name]
Workaround Disable the remote logging functionality, or correct the cause of the logging failure.
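Because CSCeg40355 can make a failed authentication look successful in the Passed Authentications report, the reliable signal is the auth.log itself. The following detector is an added example, not ACS code: it parses auth.log lines into fields, keeps only severity E entries whose text matches the three failure markers quoted above, and counts them per remote logger so an operator can alert on a logger that has started timing out. The field layout (service, date, time, severity letter, message code, thread id, text) is inferred from the excerpt on this page and is an assumption; the sample lines are constructed from that excerpt with a made-up logger name "remote-acs" in place of the "[logger name]" placeholder.

```python
"""Flag ACS remote-logging failures in auth.log that can cause silent auth failures (CSCeg40355)."""
import re
from datetime import datetime
from typing import Iterable, NamedTuple, Optional

# Assumed layout inferred from the caveat excerpt:
#   <service> <MM/DD/YYYY> <HH:MM:SS> <severity> <code> <thread> <message>
LINE_RE = re.compile(
    r"^(?P<service>\w+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<sev>[A-Z])\s+(?P<code>\d{4})\s+(?P<thread>\d+)\s+(?P<msg>.*)$")

# Message fragments quoted in the caveat that indicate the CSLog path is failing.
LOGGING_FAILURE_MARKERS = (
    "Timeout waiting for ack from CSlog",
    "-ve ack from CSLog",
    "Failed to log accounting packet to logger",
)


class AuthLogEntry(NamedTuple):
    ts: datetime
    service: str
    severity: str
    code: str
    thread: str
    msg: str


def parse_line(line: str) -> Optional[AuthLogEntry]:
    """Parse one auth.log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
    return AuthLogEntry(ts, m["service"], m["sev"], m["code"], m["thread"], m["msg"])


def find_logging_failures(lines: Iterable[str]) -> list[AuthLogEntry]:
    """Return severity-E entries whose text carries one of the failure markers."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and e.severity == "E" and any(k in e.msg for k in LOGGING_FAILURE_MARKERS):
            hits.append(e)
    return hits


def loggers_in_trouble(lines: Iterable[str]) -> dict[str, int]:
    """Count failure indications per logger; the logger name is the trailing '[...]' token."""
    counts: dict[str, int] = {}
    for e in find_logging_failures(lines):
        m = re.search(r"\[([^\]]+)\]\s*$", e.msg)
        name = m.group(1) if m else "<unknown>"
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample: the caveat excerpt split into entries, plus one benign informational line.
SAMPLE_AUTH_LOG = """\
AUTH 10/13/2005 10:29:50 I 0100 19568 Received RADIUS Access-Request from 10.1.1.1
AUTH 10/13/2005 10:29:55 E 0552 19568 Timeout waiting for ack from CSlog [remote-acs]
AUTH 10/13/2005 10:29:55 E 0559 19568 Closing CSlog connection to [remote-acs]
AUTH 10/13/2005 10:29:55 E 0574 19568 Re-sending packet to CSLog [remote-acs]
AUTH 10/13/2005 10:29:55 E 0546 19568 -ve ack from CSLog [remote-acs]
AUTH 10/13/2005 10:29:55 E 0499 19568 Failed to log accounting packet to logger [remote-acs]
""".splitlines()

if __name__ == "__main__":
    for logger, n in loggers_in_trouble(SAMPLE_AUTH_LOG).items():
        print(f"remote logger {logger}: {n} failure indications; "
              "authentications in this window may have failed or been misreported")
```

A burst of these entries for one logger is the point at which the workaround applies: either restore the remote logger or disable remote logging, since until then the Passed Authentications report cannot be trusted.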
CSCeg47441
CRL not preserved when upgrading from 3.3.2 or below to 3.3.3 or later.
Symptom When upgrading from ACS version 3.3.1.16 to 3.3.2.2, the CRL entries are not transferred.
Workaround Create CRL entries manually.
CSCeg50237
Overinstall causes the added AVP Attributes to disappear.
Symptom Adding AVP attributes and then performing an Overinstall causes those attributes to disappear from the Log Attribute field.
Workaround Add the AVP attributes manually after the overinstall.
CSCeh00074
GUI/ LDAP group mapping submission failure.
Symptom When adding LDAP groups to be mapped to ACS groups, the Submit operation sometimes fails and an empty list error message appears. This might occur when working on the ACS UI from a remote machine (for example, with Terminal Services), and it might appear in other group mapping pages as well.
Workaround In the Group Mapping page, before you click Submit, move to another window, or click another frame in the ACS HTML interface.
CSCeh10491
Authentication errors on timeout waiting for local logging.
Symptom Authentication takes a long time when ACS is configured to log to a remote ACS or to ODBC and the remote server or ODBC data source is unreachable. When all worker threads are in use, ACS performs no more authentications.
Conditions The remote ACS or ODBC data source is unreachable.
Workaround Make the remote server or ODBC data source available for logging, or disable logging to it in the ACS configuration.
CSCeh24979
Users fail to authenticate when upgrading and attempting to access an obsolete database.
Symptom When upgrading from ACS version 3.1 or later to version 4.0 (these are two-step upgrades), if a user tries to authenticate to a database which was in use before the upgrade but not in use after the upgrade, the user fails to authenticate. This information is reported in the Failed Attempts log.
Workaround Select User Setup and then select Remove Dynamic Users after upgrading.
CSCeh35121
Local logging stopped working after ODBC logging removed.
Symptom ODBC logging is enabled for passed and failed attempts, and the ODBC data source is incorrect. After removing ODBC logging, only local logging remains, but no local logging is written.
Conditions The ODBC data source must be incorrect.
Workaround Specify the correct ODBC data source for logging, and restart ACS.
CSCeh37907
Duplicate IP assignment due to accounting packets reordering.
Symptom Address assignment from IP pools is based on Accounting Start/Stop records. A duplicate IP address might be assigned to a user if an Accounting Stop packet is received out of order, following a new access request by the same user.
If ACS receives a late Stop packet, it might erroneously mark an IP address as free even though it has just been assigned. That might lead to a duplicate address assignment during the next connection.
Such situations can happen in DSL environments where a router starts a new PPP connection less than 1 second after a previous disconnection.
Workaround There is no workaround.
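The CSCeh37907 race is easiest to see as a short sequence of pool operations. The following model is an added example, not ACS code, and its pool semantics are assumptions chosen to reproduce the described behaviour: a user's new Access-Request reuses the address the user still holds, and the most recently freed address is handed out first. NaivePool releases an address on any Accounting-Stop that names the right user and address, so the late Stop from the first PPP session frees an address the second session is using and the next user gets a duplicate. SessionAwarePool keys the release on Acct-Session-Id, so a Stop for a superseded session is ignored. The scenario data is constructed.

```python
"""Model the CSCeh37907 race: a late Accounting-Stop frees an address that was just reassigned."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AcctStop:
    user: str
    session_id: str   # RADIUS Acct-Session-Id of the session that ended
    framed_ip: str    # address that session was using


class NaivePool:
    """Assigns from a pool and frees on Accounting-Stop by (user, address) only.

    Simplified model of the behaviour the caveat describes; not ACS code."""

    def __init__(self, addresses):
        self.free = list(reversed(addresses))   # pop() hands out addresses in the given order
        self.lease_user = {}                     # ip -> user holding it
        self.lease_session = {}                  # ip -> session id of the current holder

    def allocate(self, user: str, session_id: str) -> str:
        # Assumption: a new request from a user whose previous session never sent a Stop
        # reuses the address that user already holds, now owned by the new session.
        for ip, holder in self.lease_user.items():
            if holder == user:
                self.lease_session[ip] = session_id
                return ip
        ip = self.free.pop()                     # LIFO: most recently freed address first
        self.lease_user[ip] = user
        self.lease_session[ip] = session_id
        return ip

    def release(self, ip: str) -> None:
        del self.lease_user[ip]
        del self.lease_session[ip]
        self.free.append(ip)

    def handle_stop(self, stop: AcctStop) -> bool:
        """Free the address if user and address match. Returns True if freed."""
        if self.lease_user.get(stop.framed_ip) == stop.user:
            self.release(stop.framed_ip)         # defect: frees it even if a newer session holds it
            return True
        return False


class SessionAwarePool(NaivePool):
    """Frees the address only if the Stop belongs to the session that currently holds it."""

    def handle_stop(self, stop: AcctStop) -> bool:
        if self.lease_session.get(stop.framed_ip) == stop.session_id:
            self.release(stop.framed_ip)
            return True
        return False                             # late Stop for a superseded session: ignored


def run_reconnect_scenario(pool_cls) -> tuple:
    """Constructed DSL-style sequence: alice's router redials before the Stop for her first
    session arrives, then bob connects. Returns (alice's second address, bob's address)."""
    pool = pool_cls(["10.0.0.1", "10.0.0.2"])
    first = pool.allocate("alice", "s1")                 # PPP session 1, Access-Accept
    second = pool.allocate("alice", "s2")                # redial within 1 s, Access-Accept
    pool.handle_stop(AcctStop("alice", "s1", first))     # Accounting-Stop for s1 arrives late
    bob = pool.allocate("bob", "s3")
    return second, bob


def duplicate_assigned(pool_cls) -> bool:
    """True if the scenario hands the same address to two live sessions."""
    second, bob = run_reconnect_scenario(pool_cls)
    return second == bob


if __name__ == "__main__":
    for cls in (NaivePool, SessionAwarePool):
        print(f"{cls.__name__}: duplicate address handed out = {duplicate_assigned(cls)}")
```

The practical point for operators on this release is diagnostic rather than corrective: with no workaround in ACS, correlate Accounting-Stop timestamps against the Access-Accept for the same user when a duplicate address is reported, and look for the sub-second redial pattern the caveat describes.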
CSCeh52700
AD expired-user passed EAP-TLS authentication; should be rejected.
Symptom EAP-TLS authentication still passes for users in Active Directory even if their accounts have expired. No error is given from ACS.
Conditions EAP-TLS authentication of users in Active Directory running in a Windows 2000 environment.
Workaround There is no workaround. Windows 2003 has introduced some new attributes that should help resolve this issue in future.
CSCeh60564
AD locked-out User passed EAP-TLS authentication, should be rejected.
Symptom EAP-TLS authentication still passes for users in Active Directory even if their account is locked out. There is no error indication from ACS.
Conditions EAP-TLS authentication of users in Active Directory running in a Windows 2000 environment.
Workaround There is no workaround. Windows 2003 has introduced some new attributes that should help resolve this issue in future.
CSCeh64162
Supplicant attempts to authenticate using UPN format and failure.
Symptom If a supplicant authenticates with EAP-FAST and supplies the username in UPN format (user@domain.com), and the part before the at sign (@) differs from the user's pre-Windows 2000 logon name, ACS might not be able to locate the user in Active Directory.
Conditions ACS installed in a Windows 2000/2003 Active Directory environment; authentication with EAP-FAST and UPN usernames.
Workaround Rename the user so that the UPN prefix is the same as the pre-Windows 2000 logon name.
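The lookup problem above, as an added example that is not Cisco code: a constructed directory with a user whose UPN prefix differs from the pre-Windows 2000 logon name (sAMAccountName), the prefix-only resolution that fails for that user, a resolution that matches userPrincipalName when a UPN is supplied, and the LDAP filter such a lookup would send, escaped per RFC 4515 so the supplied name cannot alter the query. The account names and domain are constructed.

```python
"""Resolving a UPN or pre-Windows 2000 logon name in Active Directory (constructed data)."""

# Constructed directory: the first user's UPN prefix is not the sAMAccountName.
DIRECTORY = [
    {"sAMAccountName": "jsmith", "userPrincipalName": "john.smith@example.com"},
    {"sAMAccountName": "adoe", "userPrincipalName": "adoe@example.com"},
]


def ldap_escape(value):
    """Escape the characters RFC 4515 reserves inside a filter assertion value."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def user_filter(identity):
    """LDAP filter for the user: by userPrincipalName when an @ is present, else by sAMAccountName."""
    attr = "userPrincipalName" if "@" in identity else "sAMAccountName"
    return "(&(objectClass=user)(%s=%s))" % (attr, ldap_escape(identity))


def resolve_by_prefix(identity, directory):
    """The lookup described in CSCeh64162: strip the domain and match sAMAccountName only."""
    prefix = identity.split("@", 1)[0].lower()
    return next((r for r in directory if r["sAMAccountName"].lower() == prefix), None)


def resolve_user(identity, directory):
    """Match the UPN itself when one is supplied; fall back to sAMAccountName for bare names."""
    attr = "userPrincipalName" if "@" in identity else "sAMAccountName"
    wanted = identity.lower()
    return next((r for r in directory if r[attr].lower() == wanted), None)


if __name__ == "__main__":
    for ident in ("john.smith@example.com", "adoe@example.com", "jsmith"):
        print(ident, "->", user_filter(ident))
        print("  prefix lookup: ", resolve_by_prefix(ident, DIRECTORY))
        print("  UPN/sAM lookup:", resolve_user(ident, DIRECTORY))
```

The prefix lookup only works by coincidence when the two names happen to agree (adoe); john.smith@example.com is found only when the UPN attribute itself is searched.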
CSCeh68821
LDAP authentication pass after modify subtree node due to DN caching.
Symptom If you change the User Directory Subtree in the Common LDAP Configuration, users who have already authenticated through this Generic LDAP instance (External User Database) are not affected and continue to pass authentication, even if they are no longer under the new User Directory Subtree. ACS does not perform a new search for these users because it has cached their Distinguished Names.
Workaround To force a new search of the User Directory Subtree, delete the affected users from the Cisco Secure internal database.
CSCeh79954
EAP-TLS time of day restriction in AD does not fail user - authentication succeeds.
Symptom EAP-TLS authentication of Windows Active Directory users still passes when the user's time-of-day (Logon Hours) setting in AD places the attempt outside the permitted hours. ACS gives no error.
Conditions EAP-TLS authentication of Active Directory users in a Windows 2000 or 2003 environment.
Workaround There is no workaround.
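The three EAP-TLS caveats above (CSCeh52700, CSCeh60564, CSCeh79954) share one root: a valid client certificate proves possession of a key, but whether the account behind it may log on right now is a separate decision. The following is an added example, not Cisco code, of the account-state checks that should follow the TLS handshake for an Active Directory user: expiry, lockout, the disabled flag and Logon Hours. The records are constructed dictionaries of AD attributes. Assumptions: accountExpires and lockoutTime are FILETIME values (100 ns units since 1601-01-01 UTC), the domain lockout duration is passed in by the caller (in AD it lives on the domain object), and the Logon Hours bitmap is read as 168 bits starting at Sunday 00:00 UTC with bit 0 in the low-order bit of byte 0.

```python
"""Account-state checks after a successful EAP-TLS handshake (constructed AD records)."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)   # both mean "no expiry" in accountExpires
UF_ACCOUNTDISABLE = 0x0002                 # userAccountControl flag


def to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def logon_hours(allowed):
    """Build a Logon Hours bitmap from (day, hour) pairs; Sunday = 0, hours in UTC (assumed layout)."""
    bits = bytearray(21)
    for day, hour in allowed:
        n = day * 24 + hour
        bits[n // 8] |= 1 << (n % 8)
    return bytes(bits)


def hour_allowed(bitmap, now):
    day = (now.weekday() + 1) % 7          # Python Monday=0 -> AD Sunday=0
    n = day * 24 + now.hour
    return bool((bitmap[n // 8] >> (n % 8)) & 1)


def check_account(rec, now, lockout_duration=timedelta(minutes=30)):
    """Return the reasons this account must be rejected; an empty list means allow."""
    reasons = []
    if rec.get("userAccountControl", 0) & UF_ACCOUNTDISABLE:
        reasons.append("account disabled")
    expires = rec.get("accountExpires", 0)
    if expires not in NEVER_EXPIRES and from_filetime(expires) <= now:
        reasons.append("account expired")
    locked_at = rec.get("lockoutTime", 0)
    # lockoutTime is what decides lockout; the UF_LOCKOUT bit in userAccountControl is not
    # reliably maintained. lockout_duration=None models "locked until an administrator unlocks".
    if locked_at and (lockout_duration is None or from_filetime(locked_at) + lockout_duration > now):
        reasons.append("account locked out")
    hours = rec.get("logonHours")
    if hours is not None and not hour_allowed(hours, now):
        reasons.append("outside permitted logon hours")
    return reasons


def eap_tls_authorize(upn, directory, now):
    """Decision after the handshake: map the certificate's UPN to an account and check its state."""
    rec = directory.get(upn)
    if rec is None:
        return False, ["no account for certificate identity"]
    reasons = check_account(rec, now)
    return not reasons, reasons


NOW = datetime(2006, 1, 8, 3, 0, tzinfo=timezone.utc)   # a Sunday, 03:00 UTC (constructed)
BUSINESS_HOURS = logon_hours((d, h) for d in range(1, 6) for h in range(9, 17))
DIRECTORY = {   # constructed AD records keyed by userPrincipalName
    "alice@example.com": {"accountExpires": 0, "lockoutTime": 0, "logonHours": b"\xff" * 21},
    "bob@example.com":   {"accountExpires": to_filetime(NOW - timedelta(days=1))},
    "carol@example.com": {"lockoutTime": to_filetime(NOW - timedelta(minutes=5))},
    "dave@example.com":  {"logonHours": BUSINESS_HOURS},
    "erin@example.com":  {"userAccountControl": 0x0200 | UF_ACCOUNTDISABLE},
}

if __name__ == "__main__":
    for upn in DIRECTORY:
        print(upn, eap_tls_authorize(upn, DIRECTORY, NOW))
```

Only alice passes at the constructed time; each of the others is rejected for exactly the condition the corresponding caveat says ACS 4.0 lets through.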
CSCsa79327
Authentications fail for users with the euro symbol in their passwords.
Symptom Authentication fails for users whose password contains the euro symbol.
Workaround Change the user's password to one that does not contain the euro symbol.
CSCsb13998
ACS dial-in authorization fails against Windows 2000 active directory.
Symptom When ACS is configured to obtain dial-in authorization from a Microsoft Active Directory user database, authorization sometimes fails for the user with the message: User does not have dial-in permission (needed).
Conditions This defect was found in an environment where Active Directory was being replicated from an NT domain. The same errors occurred whether the remote agent was installed on a Member Server or on a Domain Controller.
Workaround The problem occurs because replication does not synchronize the userParameters and msNPAllowDialin attributes in Active Directory. See Microsoft KB article 252398 for a possible workaround: run a script to synchronize the attributes.
CSCsb15116
Apply and Restart button in NAP page does not release the NAF policy.
Symptom When you delete a Network Access Filter that is in use on a Network Access Profile setup page, unexpected behavior occurs and authentications fail.
Workaround Perform one of the following:
1. Before deleting a Network Access Filter, remove it from the relevant Network Access Profiles.
or
2. After deleting a Network Access Filter, for each relevant Network Access Profile click Submit (without making changes) on the profile setup page.
CSCsb25151
When AAA client has multiple IP addresses, NAF for DACLs fails.
Symptom When a single AAA client is configured with a range or list of IP addresses in the ACS Solution Engine, the Network Access Filter (NAF) under Shared Profile Components cannot correctly determine the IP address of either the Network Device Group (NDG) or the AAA client.
Conditions Network Access Filtering must be defined, and multiple IP addresses must be listed in the AAA client configuration (under Network Setup) for the AAA client that is supposed to receive the downloadable ACL.
Workaround Perform one of the following:
•Remove all but the correct IP address from the AAA client configuration for the NAS/NAD.
or
•Configure ip radius source-interface on the AAA client so that RADIUS traffic is sourced from the correct IP address.
CSCsb48683
Log and accounting file locking causes problems with backup software.
Symptom ACS diagnostic and accounting log file locking results in service problems when the log directories are backed up by certain software applications (in one reported case, Veritas software was used).
Workaround Upgrade your backup software.
CSCsb72286
ACS RADIUS proxy uses RADIUS 1645, not current 1812.
Symptom Cisco Secure ACS for Windows uses port 1645 when proxying RADIUS authentication and authorization to another RADIUS server. Some AAA servers might accept connections only on port 1812 (the port assigned to RADIUS authentication in RFC 2865).
Workaround There is no workaround.
CSCsb93223
An internal posture validation policy is created even though a template profile cannot be configured.
Symptom If for any reason you cannot create a profile using the NAC 802.1X template (for example, because Global Authentication Setup is not configured properly), an internal posture validation policy is created anyway.
Workaround There is no workaround.
CSCsb95897
ACS cannot display long list of Disabled accounts correctly.
Symptom The ACS 3.3 HTML interface has problems displaying the Disabled Accounts list when it spans several pages. Next works as expected, but Previous is available only once.
Workaround There is no workaround.
CSCsc00788
Password change is not supported in GTC against Windows DB.
Symptom Password change is not supported in EAP-GTC against the Windows database.
Conditions EAP-GTC authentication of a user in the Windows database whose account password has expired or must be changed.
Workaround There is no workaround.
CSCsc06942
Failure when EAP-FAST/PEAP credentials or posture data size is greater than 1 KB.
Symptom Authentication fails when the EAP-FAST/PEAP credentials or posture data exceed 1 KB.
Conditions This applies only to tunneled protocols that use fragmentation (MS-PEAP, CISCO-PEAP, and EAP-FAST). It happens only when the supplicant uses the tunneled-protocol fragmentation option and only if a fragment of the EAP tunnel is larger than 1002 bytes. The fragmentation threshold is usually derived from the detected MTU size (1500 bytes for Ethernet).
Workaround Set the supplicant's fragmentation threshold below 1002 bytes. If the threshold cannot be configured directly, set the MTU size from which it is derived.
CSCsc27158
Memory leak during LDAP stress-PAP authentication with legacy LDAP SSL connections.
Symptom A memory leak was found during stress tests of PAP authentications against an LDAP server (OpenLDAP) with legacy SSL enabled (cert7.db file). For example, memory usage reached 100 MB after about 1.5 million authentications. Memory is freed when the ACS services are restarted. No memory leak is found when the configuration is changed to use the new SSL mechanism (select Trusted Root CA).
Workaround In the Generic LDAP configuration in ACS, use the new SSL option (Trusted Root CA) instead of the old option (cert7.db file).
CSCsc27168
User authentication succeeds even though the database was not selected.
Symptom If the external database list in the Network Access Profile (NAP) authentication settings is empty, access requests that match the NAP are authenticated against the ACS internal database.
Workaround Before deleting an external database configuration, make sure that it is not used in any NAP.
CSCsc32154
Upgrade from 3.3 removed APT,SPT, and Reason from Logged Attributes.
Symptom If one or more of the APT, SPT, and Reason attributes were selected for logging in the Failed Attempts or Passed Authentications reports in ACS 3.3, they do not appear in the Logged Attributes column after upgrading to 4.0.
Workaround Add the APT, SPT, and Reason attributes manually to the Logged Attributes column after upgrading to ACS 4.0.
CSCsc37464
Updates to external database causes dynamic users to be removed.
Symptom Any update to an external database configuration causes the dynamic users linked to that database to be removed from the user list.
Workaround There is no workaround. This is a usability bug.
CSCsc39979
An update to NAP deletes the external user in "Logged all users" report.
Symptom When a NAP is updated, all dynamic users related to that NAP are deleted from the logged-in user list. Internally defined users are not deleted.
Workaround There is no workaround.
CSCsc40001
Session resume in EAP-FAST-TLS does not work.
Symptom EAP-TLS inside EAP-FAST always assumes that the user is authenticating for the first time, so ACS goes to the external database (if one is configured) to get the user credentials instead of letting the user resume a previously established TLS session.
Conditions EAP-TLS as the inner method in EAP-FAST.
Workaround There is no workaround.
CSCsc41129
CSAuth exceptions during EAP-TLS stress vs LDAP external db with SSL connections.
Symptom After a heavy load of EAP-TLS authentications for a few hours against an LDAP external database with LDAP connections over SSL (Trusted Root CA option), CSAuth might experience exceptions and fail.
Symptom For several report types, Reset Columns on the ACS HTML interface Logging configuration page sets the selected attributes to log (columns) to a different set of Logged Attributes than the default attributes initially set on a fresh ACS installation.
Conditions In ACS, when you configure the logged information through the ACS HTML interface by clicking System Configuration > Logging and choosing one of the listed reports, Reset Columns sets the selected attributes in the Selected Attributes list box to an incorrect set of attributes.
This occurs on the following reports:
•CSV Failed Attempts
•CSV Passed Authentications
•CSV VoIP Accounting
Workaround Manually select and deselect attributes in the Logged Attributes list from the provided Attributes list, as follows:
•CSV Failed Attempts: remove the Filter Information attribute.
•CSV Passed Authentications: add the cisco-av-pair attribute.
•CSV VoIP Accounting:
–Add the Call Leg Setup Time attribute.
–Add the Gateway Identifier attribute.
–Add the Connection Id attribute.
–Add the Call Leg Direction attribute.
–Add the Call Leg Type attribute.
–Add the Call Leg Connect Time attribute.
–Add the Call Leg Disconnected Time attribute.
–Add the Call Leg Disconnected Cause attribute.
–Add the Remote Gateway IP Address attribute.
CSCsc41638
ACS does not check if the CA certificate that was issued to a user exists in CTL.
Symptom A user who presents a certificate in EAP-TLS or EAP-FAST/EAP-TLS might be authenticated even though the certificate issuer is no longer trusted by the ACS machine.
Workaround Uncheck the CA certificate in question in the ACS HTML interface (Certificate Trust List) before removing the CA certificate from the machine's certificate store.
CSCsc41673
CSAuth fails after importing Airespace NAS.
Symptom The CSAuth service occasionally fails after being restarted if CSUtil was running immediately beforehand, for example when running csutil -i.
Conditions Starting CSAuth immediately after CSUtil has run an import causes an exception in CSAuth due to a race condition in