This document provides answers to the most frequently asked questions
(FAQ) related to Cisco Secure Access Control System (ACS) 5.x and later.
Authentication Related Issues
Can a few users/groups of the ACS 5.x internal database be excluded from
the user password policy (System Administration > Users > Authentication
A. By default, every internal database user must comply with the user
password policy. Currently, no users/groups of the ACS 5.x internal database
can be excluded.
Can a few GUI administrators of ACS 5.x be excluded from the
administrative user password policy (System Administration > Administrators
> Settings > Authentication)?
A. By default, every GUI administrative user must comply with the
administrative user password policy. Currently, no administrative user of ACS
5.x can be excluded.
Does ACS 5.x provide support for VMWare tools?
A. No. Currently, the VMWare tools are not supported with ACS version 5.x.
Refer to Cisco bug ID (registered customers only) for more information.
What are the supported EAP authentication protocols for ACS 5.x when LDAP
is configured as the identity store?
A. When LDAP is used as the identity store, ACS 5.2 supports PEAP-GTC,
EAP-FAST-GTC, and EAP-TLS protocols only. It does not support EAP-FAST
MSCHAPv2, PEAP EAP-MSCHAPv2, and EAP-MD5. For more information, refer to
Protocol and User Database Compatibility.
Why did authentication for WLC with the use of RADIUS on ACS fail, and why
did ACS not show any failed attempts?
A. An issue exists with ACS 5.0 and WLC interoperability
before patch 4. Download patch 8, and apply the patch on the CLI. Do not use
TFTP in order to fix this issue.
Why am I unable to restore tar.gz files that were backed up with the
backup-log command in ACS
A. You cannot restore log files that are backed up with the
backup-log command. You can restore only those files
backed up for the ACS configuration and ADE-OS. Refer to the
commands in the
Reference Guide for the Cisco Secure Access Control System 5.1 for more
Can I limit the number of unsuccessful password attempts on ACS
A. No. This feature is not available on ACS 5.2, but it is expected to be
integrated in ACS 5.3. Refer to the
Not Supported section of the
Notes for the Cisco Secure Access Control System 5.2 for more
I am unable to use the option to change the password at next login for
internal users in ACS 5.0. How do I resolve this
A. The option to change the password at next login is not supported in ACS
5.0. Support for this feature is available in ACS 5.1 and later
What does this alarm on ACS mean?
Cisco Secure ACS - Alarm Notification
Alarm Name delete 20000 sessions
Cause/Trigger active sessions are over limit
Alarm Details session is over 250000
A. This alarm means that the ACS View database, which stores all previous
authentication sessions, has reached its limit of 250,000 sessions. When that
limit is reached, ACS raises an alarm to clear the cache and delete 20,000
sessions.
How do I resolve this error message: Authentication failed: 24407 User
authentication against Active Directory failed since user is required to
change his password?
A. This error message appears when there is a problem with password
management during SDI authentication. ACS 5.x is used as a RADIUS proxy and the
users must be authenticated by an RSA server. The RADIUS proxy to RSA works
only without password management. The reason is that the OTP value must be
recoverable by the RADIUS server in order to proxy the password value to the
RSA server. When password management is enabled in the tunnel group, the RADIUS
request is sent with MS-CHAPv2 attributes. RSA does not support MS-CHAPv2;
it supports only PAP.
In order to resolve this issue, disable password management. For more
information, refer to Cisco bug ID (registered customers only).
Is it possible to restrict ACS admin to manage only certain devices
within ACS 5.1?
A. No, it is not possible to restrict ACS admin to manage only certain
devices within ACS 5.1.
Does ACS support QoS in authentication so that RADIUS can be prioritized
A. No, ACS does not support QoS in authentication. ACS will not prioritize
RADIUS authentication requests over TACACS or TACACS requests over
Can ACS 5.x proxy TACACS and RADIUS authentications to other TACACS or
A. Yes, all the ACS 5.x versions can proxy the RADIUS authentications to
other RADIUS servers. ACS 5.3 and later can proxy the TACACS authentications to
other TACACS servers.
Can ACS 5.x check the dial-in attributes of an Active Directory user in
order to grant access?
A. Yes, in ACS 5.3 and later you can allow, deny, and control access of
the dial-in permissions of a user. The permissions are checked during
authentications or queries from Active Directory. It is set on the Active
Directory dedicated dictionary.
Does ACS 5.x support CHAP or MSCHAP authentication types for
A. Yes, TACACS+ CHAP and MSCHAP authentication types are supported in ACS
versions 5.3 and later.
Can I set the password type of an ACS internal user to any external
A. Yes, in ACS 5.3 and later you can set the password type of an ACS
internal user. This feature was available in ACS 4.x.
Can I pass/fail an authentication based on the time at which the user was
created in the ACS Internal Identity Store?
A. Yes, in ACS 5.3 and later you can use the Number of Hours Since
User Creation attribute in order to create your policies. This
attribute contains the number of hours since the user was created in the
Internal Identity Store to the time of the current authentication
Can I use wildcards in order to add a new host entry in the ACS internal
A. Yes, ACS 5.3 and later allows you to use wildcards when you add new
hosts into the Internal Identity Store. It also allows you to enter wildcards
(after you enter the first three octets) in order to specify all devices from
the identified manufacturer.
Can I configure IP address pools on the ACS 5.x and assign them from
A. No, it is not currently possible to create IP address pools on the ACS
Can I see the IP address of the AAA client from which the request came in the
FAILED AUTHENTICATION report?
A. No, it is not possible to see the IP address of the AAA client from which
the request came.
What is View Log Message Recovery in ACS 5.3?
A. ACS 5.3 provides a new feature to recover any logs that are missed when
the view is down. ACS collects these missed logs and stores them in its
database. Using this feature, you can retrieve the missed logs from the ACS
database to the view database after the view is back up. In order to use this
feature, you must set the Log Message Recovery Configuration to
on. For more details on configuring the View Log Message
Recovery, refer to
& Report Viewer System Operations.
Can I compress the ACS 5.x database by issuing the
database-compress command from the Solution Engine
CLI? This feature was available in ACS 4.x.
A. Yes, in ACS 5.3 and later, the
database-compress command reduces the ACS database
size, with an option to delete the ACS Transaction table. ACS administrators can
issue this command in order to reduce the database size, which also reduces
the time taken for backups and for the full synchronization that is needed
for maintenance.
Can I search an AAA client entry based on its IP
A. Yes, ACS 5.3 and later allows you to search a network device using its
IP address. You can also use wildcards and the range in order to search a
specific set of network devices.
Can I create a condition based on the time at which the user was created
in the ACS Internal Identity Store?
A. Yes, in ACS 5.3 and later you can use the Number of Hours Since
User Creation attribute which enables you to configure the policy rule
conditions, based on the time at which the user was created in ACS Internal
Identity Store. For example: IF
reject. This attribute contains the number of hours since the user was created
in Internal Identity Store to the time of the current authentication
Can I check in which Identity Store the User was authenticated in the
Authorization section of a Service Policy?
A. Yes, in ACS 5.3 and later you can use the Authentication
Identity Store attribute, which enables you to configure the policy
rule conditions based on the Authentication Identity Store. For example: IF
AuthenticationIdentityStore=LDAP_NY then reject. This
attribute contains the name of the Identity Store used and it is updated with
the relevant Identity Store name after successful authentication.
When does the ACS go to the next Identity Store defined in the Identity
A. The ACS goes to the next Identity Store defined in the Identity Store
Sequence in these scenarios:
What is the Account Disablement policy in ACS
A. The Account Disablement Policy allows you to disable users of the
Internal Identity Store when the configured date is beyond the permitted date,
the configured number of days is beyond the permitted number of days, or the
number of consecutive unsuccessful login attempts exceeds the threshold. The
default value for date exceeds is 30 days from the current date. The default
value for days should not be more than 60 days from the current day. The
default value for failed attempts is 5.
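The three disablement checks described above, modelled as a small evaluator with the page's default thresholds. This is an added illustration, not Cisco's code; it assumes the "days" counter is measured from the user's creation date (the page does not say what it is measured from) and that "exceeds" means strictly greater than the threshold.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Defaults as stated on the page for ACS 5.3 and later.
DEFAULT_DATE_EXCEEDS = timedelta(days=30)  # expiry date: 30 days from "now"
DEFAULT_DAYS_EXCEED = 60                   # days counter limit
DEFAULT_FAILED_ATTEMPTS = 5                # consecutive failed logins


@dataclass
class DisablementPolicy:
    """Thresholds for the three checks; None means the check is not enforced."""
    disable_date: Optional[datetime] = None
    max_days: Optional[int] = DEFAULT_DAYS_EXCEED
    max_failed: Optional[int] = DEFAULT_FAILED_ATTEMPTS


@dataclass
class InternalUser:
    """Minimal model of an Internal Identity Store user (constructed for the example)."""
    name: str
    created: datetime
    consecutive_failures: int = 0


def default_policy(now: datetime) -> DisablementPolicy:
    """Policy with the page's defaults: the expiry date is 30 days from 'now'."""
    return DisablementPolicy(disable_date=now + DEFAULT_DATE_EXCEEDS)


def disablement_reasons(policy: DisablementPolicy, user: InternalUser,
                        now: datetime) -> List[str]:
    """Return every check that would disable the account; empty list = still enabled."""
    reasons = []
    if policy.disable_date is not None and now > policy.disable_date:
        reasons.append("date exceeded")
    # Assumption: the days counter runs from the creation date of the user.
    if policy.max_days is not None and (now - user.created).days > policy.max_days:
        reasons.append("days exceeded")
    # Assumption: "exceeds the threshold" means strictly more than max_failed.
    if policy.max_failed is not None and user.consecutive_failures > policy.max_failed:
        reasons.append("failed attempts")
    return reasons


def is_disabled(policy: DisablementPolicy, user: InternalUser, now: datetime) -> bool:
    return bool(disablement_reasons(policy, user, now))
```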
Can I change the password of an internal database user of ACS over
A. Yes, you are allowed to change the password of an internal database
user using TACACS+ over telnet. You need to select Enable TELNET Change
Password under Password Change Control on ACS
Does the primary ACS 5.x instance automatically update the backup
instances periodically, or should it only happen when a configuration has
A. ACS 5.x replicates to the Secondary ACS immediately whenever you make
changes on the Primary ACS. In addition, if you do not make any changes to the
Primary ACS, it performs a forced replication every 15 minutes. At this point,
there is no option to control the timer so that ACS replicates the information
after a specific interval.
Can I view/export a report on ACS 5.x of all the users that are currently
logged in and authenticated from ACS on different NAS
A. Yes, it is possible. There are two separate reports for RADIUS and
TACACS+. You can find them under Monitoring & Reports >
Reports > Catalog > Session
Directory > RADIUS Active Sessions and
TACACS Active Sessions. Both reports are based on the
accounting information from the NAS clients, which allows you to track when
the user connects and logs out. Session history also allows you to get
information from the start and stop messages during a specific day.