This document provides answers to the most frequently asked questions (FAQ) related to Cisco Secure Access Control System (ACS) 5.x and later.
Authentication Related Issues
Q. Can a few users/groups of the ACS 5.x internal database be excluded from the user password policy (System Administration > Users > Authentication Settings)?
A. By default, every internal database user must comply with the user password policy. Currently, no users/groups of the ACS 5.x internal database can be excluded.
Q. Can a few GUI administrators of ACS 5.x be excluded from the administrative user password policy (System Administration > Administrators > Settings > Authentication)?
A. By default, every GUI administrative user must comply with the administrative user password policy. Currently, no administrative user of ACS 5.x can be excluded.
Q. Does ACS 5.x provide support for VMWare tools?
A. No. Currently, the VMWare tools are not supported with ACS version 5.x. Refer to Cisco bug ID CSCtg50048 (registered customers only) for more information.
Q. What are the supported EAP authentication protocols for ACS 5.x when LDAP is configured as the identity store?
A. When LDAP is used as the identity store, ACS 5.2 supports PEAP-GTC, EAP-FAST-GTC, and EAP-TLS protocols only. It does not support EAP-FAST MSCHAPv2, PEAP EAP-MSCHAPv2, and EAP-MD5. For more information, refer to Authentication Protocol and User Database Compatibility.
Q. Why did authentication for a WLC that uses RADIUS against ACS fail, and why did ACS not show any failed attempts?
A. An issue exists with ACS 5.0 and WLC interoperability before patch 4. Download patch 8, and apply the patch on the CLI. Do not use TFTP in order to fix this issue.
Q. Why am I unable to restore tar.gz files that were backed up with the backup-log command in ACS 5.2?
A. You cannot restore log files that are backed up with the backup-log command. You can restore only those files backed up for the ACS configuration and ADE-OS. Refer to the backup and backup-logs commands in the CLI Reference Guide for the Cisco Secure Access Control System 5.1 for more information.
Q. Can I limit the number of unsuccessful password attempts on ACS 5.2?
A. No. This feature is not available on ACS 5.2, but it is expected to be integrated in ACS 5.3. Refer to the Features Not Supported section of the Release Notes for the Cisco Secure Access Control System 5.2 for more information.
Q. I am unable to use the option to change the password at next login for internal users in ACS 5.0. How do I resolve this issue?
A. The option to change the password at next login is not supported in ACS 5.0. Support for this feature is available in ACS 5.1 and later versions.
Q. What does this alarm on ACS mean?
Cisco Secure ACS - Alarm Notification
Alarm Name delete 20000 sessions
Cause/Trigger active sessions are over limit
Alarm Details session is over 250000
A. This alarm means that when the ACS View reaches a limit of 250,000 sessions, it raises an alarm to delete 20,000 sessions. The ACS View database stores all previous authentication sessions, and when it reaches 250,000, it raises an alarm to clear the cache and delete 20,000 sessions.
Q. How do I resolve this error message: Authentication failed : 24407 User authentication against Active Directory failed since user is required to change his password?
A. This error message appears when there is a problem with password management during SDI authentication. ACS 5.x is used as a RADIUS proxy, and the users must be authenticated by an RSA server. The RADIUS proxy to RSA works only without password management, because the OTP value must be recoverable by the RADIUS server in order to proxy the password value to the RSA server. When password management is enabled in the tunnel group, the RADIUS request is sent with MS-CHAPv2 attributes. RSA does not support MS-CHAPv2; it supports only PAP.
In order to resolve this issue, disable password management. For more information, refer to Cisco bug ID CSCsx47423 (registered customers only).
Q. Is it possible to restrict ACS admin to manage only certain devices within ACS 5.1?
A. No, it is not possible to restrict ACS admin to manage only certain devices within ACS 5.1.
Q. Does ACS support QoS in authentication so that RADIUS can be prioritized over TACACS?
A. No, ACS does not support QoS in authentication. ACS will not prioritize RADIUS authentication requests over TACACS or TACACS requests over RADIUS.
Q. Can ACS 5.x proxy TACACS and RADIUS authentications to other TACACS or RADIUS servers?
A. Yes, all the ACS 5.x versions can proxy the RADIUS authentications to other RADIUS servers. ACS 5.3 and later can proxy the TACACS authentications to other TACACS servers.
Q. Can ACS 5.x check the dial-in attributes of an Active Directory user in order to grant access?
A. Yes, in ACS 5.3 and later you can allow, deny, and control access of the dial-in permissions of a user. The permissions are checked during authentications or queries from Active Directory. It is set on the Active Directory dedicated dictionary.
Q. Does ACS 5.x support CHAP or MSCHAP authentication types for TACACS+?
A. Yes, TACACS+ CHAP and MSCHAP authentication types are supported in ACS versions 5.3 and later.
Q. Can I set the password type of an ACS internal user to any external database?
A. Yes, in ACS 5.3 and later you can set the password type of an ACS internal user. This feature was available in ACS 4.x.
Q. Can I pass/fail an authentication based on the time at which the user was created in the ACS Internal Identity Store?
A. Yes, in ACS 5.3 and later you can use the Number of Hours Since User Creation attribute in order to create your policies. This attribute contains the number of hours since the user was created in the Internal Identity Store to the time of the current authentication request.
Q. Can I use wildcards in order to add a new host entry in the ACS internal database?
A. Yes, ACS 5.3 and later allows you to use wildcards when you add new hosts into the Internal Identity Store. It also allows you to enter wildcards (after you enter the first three octets) in order to specify all devices from the identified manufacturer.
Q. Can I configure IP address pools on the ACS 5.x and assign them from ACS?
A. No, it is not currently possible to create IP address pools on the ACS 5.x.
Q. Can I see the IP address of the AAA client where the request came in the FAILED AUTHENTICATION report?
A. No, it is not possible to see the AAA client's IP address from where the request came in.
Q. What is View Log Message Recovery in ACS 5.3?
A. ACS 5.3 provides a new feature to recover any logs that are missed when the view is down. ACS collects these missed logs and stores them in its database. Using this feature, you can retrieve the missed logs from the ACS database to the view database after the view is back up. In order to use this feature, you must set the Log Message Recovery Configuration to on. For more details on configuring the View Log Message Recovery, refer to Monitoring & Report Viewer System Operations.
Q. Can I compress the ACS 5.x database by issuing the database-compress command from the Solution Engine CLI? This feature was available in ACS 4.x.
A. Yes, in ACS 5.3 and later, the database-compress command reduces the ACS database size, with an option to delete the ACS Transaction table. ACS administrators can issue this command in order to reduce the database size. This helps to reduce the database size and the time taken for backups and the full synchronization that is needed for maintenance.
Q. Can I search an AAA client entry based on its IP address?
A. Yes, ACS 5.3 and later allows you to search a network device using its IP address. You can also use wildcards and the range in order to search a specific set of network devices.
Q. Can I create a condition based on the time at which the user was created in the ACS Internal Identity Store?
A. Yes, in ACS 5.3 and later you can use the Number of Hours Since User Creation attribute which enables you to configure the policy rule conditions, based on the time at which the user was created in ACS Internal Identity Store. For example: IF group=HelpDesk&NumberofHoursSinceUserCreation>48 then reject. This attribute contains the number of hours since the user was created in Internal Identity Store to the time of the current authentication request.
Q. Can I check in which Identity Store the User was authenticated in the Authorization section of a Service Policy?
A. Yes, in ACS 5.3 and later you can use the Authentication Identity Store attribute, which enables you to configure the policy rule conditions based on the Authentication Identity Store. For example: IF AuthenticationIdentityStore=LDAP_NY then reject. This attribute contains the name of the Identity Store used and it is updated with the relevant Identity Store name after successful authentication.
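The two rule conditions quoted above (Number of Hours Since User Creation and Authentication Identity Store) as a small first-match policy evaluator. This is an added illustration, not ACS code or ACS policy syntax; the user record, timestamps and the fall-through "permit" result are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data: creation time of one Internal Identity Store user.
# Attribute names mirror the ACS attributes the FAQ mentions; the rule list
# format is this example's own, not ACS's policy syntax.
USER_CREATED = {"helpdesk01": "2024-05-01T09:00:00"}

def hours_since_user_creation(username, now_iso):
    """Number of Hours Since User Creation: whole hours between the user's
    creation time in the Internal Identity Store and the current request."""
    created = datetime.fromisoformat(USER_CREATED[username])
    delta = datetime.fromisoformat(now_iso) - created
    return int(delta.total_seconds() // 3600)

def evaluate_rules(rules, attrs):
    """Walk the ordered rule list; the first rule whose conditions all hold
    decides the result. No match falls through to 'permit' (assumed default)."""
    for conditions, result in rules:
        if all(cond(attrs) for cond in conditions):
            return result
    return "permit"

# IF group=HelpDesk & NumberofHoursSinceUserCreation>48 THEN reject
# IF AuthenticationIdentityStore=LDAP_NY THEN reject
RULES = [
    ([lambda a: a["group"] == "HelpDesk",
      lambda a: a["NumberofHoursSinceUserCreation"] > 48], "reject"),
    ([lambda a: a["AuthenticationIdentityStore"] == "LDAP_NY"], "reject"),
]

def authorize(username, group, identity_store, now_iso):
    """Build the request's attribute set and run it through the rules."""
    attrs = {
        "group": group,
        "NumberofHoursSinceUserCreation": hours_since_user_creation(username, now_iso),
        "AuthenticationIdentityStore": identity_store,
    }
    return evaluate_rules(RULES, attrs)

if __name__ == "__main__":
    # 51 hours after creation: the HelpDesk rule fires and rejects the request.
    print(authorize("helpdesk01", "HelpDesk", "Internal Users", "2024-05-03T12:00:00"))
    # 24 hours after creation, same user: no rule matches, so the request is permitted.
    print(authorize("helpdesk01", "HelpDesk", "Internal Users", "2024-05-02T09:00:00"))
```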
Q. When does the ACS go to the next Identity Store defined in the Identity Store Sequence?
A. The ACS goes to the next Identity Store defined in the Identity Store Sequence in these scenarios:
Q. What is the Account Disablement policy in ACS 5.3?
A. The Account Disablement Policy allows you to disable users of the Internal Identity Store when the configured date has passed, the configured number of days has been exceeded, or the number of consecutive unsuccessful login attempts exceeds the threshold. The default value for the date is 30 days from the current date. The default value for days is no more than 60 days from the current day. The default value for failed attempts is 5.
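The three disablement conditions and their stated defaults, worked through as a check over constructed user records. This is an added example, not ACS code; the record fields, the policy dictionary, and the choice that reaching the failed-attempt count (rather than passing it) disables the account are assumptions.

```python
from datetime import date, timedelta

# Default thresholds as stated in the FAQ for the ACS 5.3 Account Disablement Policy.
DEFAULT_DATE_EXCEEDS_DAYS = 30   # "date exceeds" field defaults to today + 30 days
DEFAULT_DAYS_EXCEED = 60         # disable when the account is older than 60 days
DEFAULT_FAILED_ATTEMPTS = 5      # disable on consecutive unsuccessful logins

def default_policy(today_iso):
    """Policy with the FAQ's defaults, anchored on the day it is configured."""
    today = date.fromisoformat(today_iso)
    return {
        "date_exceeds": today + timedelta(days=DEFAULT_DATE_EXCEEDS_DAYS),
        "days_exceed": DEFAULT_DAYS_EXCEED,
        "failed_attempts": DEFAULT_FAILED_ATTEMPTS,
    }

def disablement_reasons(user, policy, today_iso):
    """Return the policy conditions that disable this user (constructed record
    with 'created' as an ISO date and 'consecutive_failures' as an int).
    An empty list means the account stays enabled."""
    today = date.fromisoformat(today_iso)
    created = date.fromisoformat(user["created"])
    reasons = []
    if today > policy["date_exceeds"]:
        reasons.append("date exceeds")
    if (today - created).days > policy["days_exceed"]:
        reasons.append("days exceed")
    # Assumption: reaching the configured count is enough to disable.
    if user["consecutive_failures"] >= policy["failed_attempts"]:
        reasons.append("failed attempts")
    return reasons

def is_disabled(user, policy, today_iso):
    return bool(disablement_reasons(user, policy, today_iso))

if __name__ == "__main__":
    policy = default_policy("2024-06-01")
    # Constructed users: a recent account, an old one, and one under password guessing.
    users = {
        "fresh": {"created": "2024-05-20", "consecutive_failures": 0},
        "stale": {"created": "2024-03-01", "consecutive_failures": 0},
        "locked": {"created": "2024-05-20", "consecutive_failures": 5},
    }
    for name, record in users.items():
        print(name, disablement_reasons(record, policy, "2024-06-01"))
```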
Q. Can I change the password of an internal database user of ACS over telnet?
A. Yes, you are allowed to change the password of an internal database user using TACACS+ over telnet. You need to select Enable TELNET Change Password under Password Change Control on ACS 5.x.
Q. Does the primary ACS 5.x instance automatically update the backup instances periodically, or should it only happen when a configuration has changed?
A. ACS 5.x replicates to the Secondary ACS immediately whenever you make changes on the Primary ACS. In addition, if you do not make any changes on the Primary ACS, it still performs a forced replication every 15 minutes. At this point, there is no option to control this timer so that ACS replicates the information after a specific interval.
Q. Can I view/export a report on ACS 5.x of all the users that are currently logged in and authenticated from ACS on different NAS clients?
A. Yes, it is possible. There are two separate reports for RADIUS and TACACS+. You can find them under Monitoring & Reports > Reports > Catalog > Session Directory > RADIUS Active Sessions and TACACS Active Sessions. Both reports are based on the accounting information from the NAS clients, which allows you to track when a user connects and logs out. Session history also lets you retrieve information from the start and stop messages for a specific day.