COMMAND

    Cisco Secure ACS fails to apply restrictions set via Novell's NDS

SYSTEMS AFFECTED

    Cisco Secure ACS version 3.0.1, configured for NDS

PROBLEM

    In Cisco Security Advisory [Cisco Bug ID CSCdw46931]:

    [http://www.cisco.com/warp/public/707/ciscosecure-acs-nds-authentication-vuln-pub.shtml]

    --snip--

    Specific versions of Cisco Secure Authentication Control Server (ACS)
    allow authentication of users that have been explicitly disabled or
    expired in the Novell Directory Services (NDS).

    --snap--

    Users who are marked as "expired" or "disabled" on the NDS database
    will still authenticate if their credentials are otherwise correct.
    The file "NDSAuth.DLL" is a module which allows ACS authentication to
    be handled by an external NDS server. Versions of this file with the
    date 2001-Dec-15 ignore the "Disabled" or "Expired" state of these
    users on NDS. Authentication attempts by users with a Disabled or
    Expired status on the NDS server should be refused, but are permitted
    due to this vulnerability.

    --snip--

SOLUTION

    The patch for this vulnerability can be downloaded from the following
    location if you are logged in with a valid CCO user account:

    http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-acs-win
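
To find logins that were accepted while this flaw was present, passed authentications can be cross-checked against account state exported from NDS. The script below is an added example, not code from Cisco or from the advisory; the CSV layouts, column names and sample records are constructed assumptions, not the real ACS log or NDS export formats.

```python
import csv
import io
from datetime import datetime

# Constructed sample data. Column names and layouts are assumptions for this
# example, not the real NDS export or Cisco Secure ACS log formats.
NDS_EXPORT = """user,login_disabled,expires
alice,false,
bob,true,
carol,false,2002-01-31T00:00:00
dave,false,2003-01-01T00:00:00
"""
PASSED_AUTH_LOG = """timestamp,user,nas
2002-02-10T08:15:00,alice,192.0.2.1
2002-02-10T09:00:00,bob,192.0.2.1
2002-01-15T12:00:00,carol,192.0.2.2
2002-02-11T07:30:00,carol,192.0.2.2
2002-02-12T10:00:00,dave,192.0.2.1
2002-02-12T11:00:00,erin,192.0.2.1
"""

def load_accounts(export_text):
    """Map lowercase user name -> (disabled flag, expiry datetime or None)."""
    accounts = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        expires = datetime.fromisoformat(row["expires"]) if row["expires"] else None
        disabled = row["login_disabled"].strip().lower() == "true"
        accounts[row["user"].strip().lower()] = (disabled, expires)
    return accounts

def refused_by_policy(accounts, log_text):
    """Return (timestamp, user, reason) for passed logins NDS should refuse."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user = row["user"].strip().lower()
        if user not in accounts:
            # Not an NDS account in this export: report it for manual review.
            findings.append((row["timestamp"], user, "not-in-export"))
            continue
        disabled, expires = accounts[user]
        when = datetime.fromisoformat(row["timestamp"])
        if disabled:
            # The flag is current state; confirm when the account was disabled.
            findings.append((row["timestamp"], user, "disabled"))
        elif expires is not None and when >= expires:
            findings.append((row["timestamp"], user, "expired"))
    return findings

if __name__ == "__main__":
    for finding in refused_by_policy(load_accounts(NDS_EXPORT), PASSED_AUTH_LOG):
        print(*finding)
```

Logins that predate an account's expiry (carol on 2002-01-15 in the sample) are not reported, so the output is limited to authentications the directory state says should have been refused.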