Release Notes for the Cisco Secure Access Control System 5.1

Revised: July 18, 2013 OL-18997-01

These release notes pertain to the Cisco Secure Access Control System (ACS), release 5.1, hereafter referred to as ACS 5.1. These release notes provide information on the features, related documentation, resolved issues, and known issues for functionality in this release.

This document contains:

Introduction

New and Changed Features

Features Not Supported

Installation and Upgrade Notes

Known Client Issues

Resolved ACS Issues

Resolved Issues in Cumulative Patch ACS 5.1.0.44.1

Resolved Issues in Cumulative Patch ACS 5.1.0.44.2

Resolved Issues in Cumulative Patch ACS 5.1.0.44.3

Resolved Issues in Cumulative Patch ACS 5.1.0.44.4

Resolved Issues in Cumulative Patch ACS 5.1.0.44.5

Resolved Issues in Cumulative Patch ACS 5.1.0.44.6

Known ACS Issues

Documentation Updates

Product Documentation

Notices

Supplemental License Agreement

Obtaining Documentation and Submitting a Service Request

Introduction

ACS is a policy-driven access control system and an integration point for network access control and identity management.

The ACS 5.1 software runs either on a dedicated Cisco 1121 Secure Access Control System (CSACS-1121) appliance, or on a VMware server. However, ACS 5.1 continues to support CSACS-1120 appliances that you have used for ACS 5.0 and that you would like to upgrade to ACS 5.1.

This release of ACS provides new and enhanced functionality on a standard Cisco Linux-based appliance.

Throughout this documentation, CSACS-1121 refers to the appliance hardware, and ACS Server refers to the ACS software.

New and Changed Features

This release of ACS provides improved parity with 4.x. The following sections briefly describe the new and changed features in the 5.1 release:

TACACS+ Enhancements

Identity Store Enhancements

Support for Additional Protocols

Administrator Access Feature Enhancements

Policy Condition Enhancements

Monitoring and Troubleshooting Enhancements

Other Feature Enhancements

TACACS+ Enhancements

The TACACS+ enhancements include:

TACACS+ Change Password—You can now change user passwords over TACACS+ protocol.

Custom Attributes—You can define additional custom attributes that can be used in authorization responses.

Custom Services—TACACS+ now supports nonshell services.

Identity Store Enhancements

The identity store enhancements include:

Support for RSA SecurID servers—ACS can now authenticate users against RSA SecurID servers. You can also manage configuration-related files on the RSA SecurID server.

Support for RADIUS identity servers—Authentication can be performed against external RADIUS servers using One Time Passwords (OTPs). Apart from authentication, you can use the RADIUS server attributes in policies or authorization profiles or both.

Internal identity store enhancements include support for:

Enumerated attributes.

Password expiry.

Password history—Prevents users from setting a password that was recently used.

External web services that allow users to change their passwords in the internal identity stores. This process is known as User Change Password (UCP).

Support for Additional Protocols

ACS 5.1 supports the following additional protocols:

EAP-FAST with GTC inner method

PEAP with GTC inner method

LEAP

RADIUS/CHAP

RADIUS/MS-CHAPv1

RADIUS/MS-CHAPv2

Administrator Access Feature Enhancements

The Administrator Access feature is enhanced to provide additional security. You can now:

Configure password expiry and disable administrator accounts based on inactivity or failed login attempts.

Configure a list of IP addresses from which administrators can access your resources.

Configure a server certificate for HTTPS (web interface).

Assign new roles that allow administrators to reset passwords, for either internal users or administrators.

Policy Condition Enhancements

The policy condition enhancements include:

Support for defining network conditions in policies that include a set of endpoints, network devices, network device ports, and device and port combinations. The network conditions provide the same functionality as that of Network Access Restrictions (NARs) in ACS 4.x.

Support for a default device definition that can be used for new devices that connect through ACS.

Monitoring and Troubleshooting Enhancements

The Monitoring and Report Viewer enhancements include the following:

Dashboard—An enhanced dashboard that you can customize to suit your needs. The dashboard provides the five most recent alarms, authentication trends, health status of ACS, and your favorite reports. The dashboard tabs now consist of small windows, called portlets, to which you can add your favorite and most frequently accessed monitoring and reporting applications.

Syslog Event Notification—An option to configure syslog targets for event notification in the form of syslog messages.

Expert Troubleshooter—A new, powerful diagnostic engine for advanced troubleshooting.

Additional Catalog Reports—Several new reports have been added to the catalog, including:

Administrator Entitlement Report—Provides a list of ACS administrators and the access privileges that each of them is entitled to.

TrustSec Reports—ACS 5.1 introduces the following new TrustSec Reports: SGACL Drop Summary, SGT Assignment Summary, Top N SGACL Drops by Destination, Top N SGACL Drops by User, and Top N SGT Assignments.

RADIUS Active Sessions Report—Introduces the Change of Authorization (CoA) feature through the RADIUS Active Sessions Report, which allows you to dynamically control active RADIUS sessions.

Configuration Change Reports—Provides a list of configuration changes done by ACS administrators, for a specific period.

User Change Password Audit Report—Provides a list of all changes made to internal user passwords through any of the interfaces.

ACS Administrator Logins Report—This report is enhanced to include information about administrators whose accounts are disabled.

ACS Operations Audit Report—Provides a list of operations performed on ACS, either done by administrators or done internally by ACS.

Exporting the Monitoring and Report Viewer Data—Provides you an option to export the monitoring and troubleshooting data to a remote database that can support external custom reporting applications.

Incremental Backup and Restore—Provides you an option to perform a full database backup the first time and later, to back up only the updates that are made to the database. However, when you restore data from an incremental backup, ACS restores data from all the backup files starting from the full backup and continuing until the latest one.

Configuring NADs to Send Syslog Messages—You can configure the network access devices (NADs) in your network to send syslog messages to the Monitoring & Report Viewer. To do this, you must configure the logging port on the NAD to UDP 20514. For example, to enable a NAD in your network to send syslog messages to the Monitoring & Report Viewer, you must enter the following commands in the same sequence on the NAD through the CLI configuration mode:

logging monitor informational

logging origin-id ip

logging host ip transport udp port 20514—where ip is the IP address of the Log Collector in your network.

epm logging

The following types of syslog messages are supported by ACS Monitoring and Reports Viewer:

AUTHMGR-5-START

AUTHMGR-5-SUCCESS

AUTHMGR-5-FAIL

AUTHMGR-5-SECURITY_VIOLATION

AUTHMGR-7-FAILOVER

AUTHMGR-7-NOMOREMETHODS

AUTHMGR-7-RESULT

DOT1X-5-SUCCESS

DOT1X-5-FAIL

MAB-5-SUCCESS

MAB-5-FAIL

RADIUS-4-RADIUS_DEAD

RADIUS-4-RADIUS_ALIVE

EPM-6-POLICY_APP_SUCCESS

EPM-4-POLICY_APP_FAILURE

AUTHMGR-SP-5-VLANASSIGN

AUTHMGR-5-VLANASSIGN

DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND
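As an added example (not from the release notes or from Cisco), the following Python script parses syslog lines of the types listed above as a Log Collector would receive them on UDP 20514, flags message types that the Monitoring and Report Viewer does not support, reports lines from NADs that are missing the origin-id prefix, and escalates the failure types a defender would watch. The sample lines, the 10.0.0.5 switch and the ALERT_MNEMONICS subset are constructed assumptions.

```python
import re
from collections import Counter

# Syslog message types the release notes list as supported by the ACS
# Monitoring and Report Viewer (the list directly above).
SUPPORTED_MNEMONICS = {
    "AUTHMGR-5-START", "AUTHMGR-5-SUCCESS", "AUTHMGR-5-FAIL",
    "AUTHMGR-5-SECURITY_VIOLATION", "AUTHMGR-7-FAILOVER",
    "AUTHMGR-7-NOMOREMETHODS", "AUTHMGR-7-RESULT",
    "DOT1X-5-SUCCESS", "DOT1X-5-FAIL", "MAB-5-SUCCESS", "MAB-5-FAIL",
    "RADIUS-4-RADIUS_DEAD", "RADIUS-4-RADIUS_ALIVE",
    "EPM-6-POLICY_APP_SUCCESS", "EPM-4-POLICY_APP_FAILURE",
    "AUTHMGR-SP-5-VLANASSIGN", "AUTHMGR-5-VLANASSIGN",
    "DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND",
}

# Types to escalate rather than only count: a constructed choice, not from the page.
ALERT_MNEMONICS = {
    "AUTHMGR-5-SECURITY_VIOLATION", "RADIUS-4-RADIUS_DEAD",
    "EPM-4-POLICY_APP_FAILURE", "DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND",
}

# IOS syslog line as a NAD sends it after "logging origin-id ip":
#   <PRI>seq: origin-ip: timestamp: %FACILITY-SEVERITY-MNEMONIC: text
# Each prefix part is optional, so a line from a NAD that lacks
# "logging origin-id ip" still parses and can be reported as such.
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<seq>\d+): )?"
    r"(?:(?P<origin>\d{1,3}(?:\.\d{1,3}){3}): )?"
    r"(?:(?P<ts>[^%]*?): )?"
    r"%(?P<mnemonic>[A-Z][A-Z0-9_-]*-\d-[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)


def parse_line(line):
    """Split one syslog line into its parts; None if it is not an IOS system message."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    mnemonic = m.group("mnemonic")
    return {
        "origin": m.group("origin"),
        "mnemonic": mnemonic,
        "supported": mnemonic in SUPPORTED_MNEMONICS,
        "alert": mnemonic in ALERT_MNEMONICS,
        "text": m.group("text"),
    }


def summarize(lines):
    """Count message types and flag what the collector cannot use or should escalate."""
    counts = Counter()
    unsupported, alerts = [], []
    missing_origin = unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        counts[rec["mnemonic"]] += 1
        if rec["origin"] is None:      # sender is missing "logging origin-id ip"
            missing_origin += 1
        if not rec["supported"]:       # ACS will not turn this type into a report row
            unsupported.append(rec["mnemonic"])
        if rec["alert"]:
            alerts.append((rec["origin"], rec["mnemonic"], rec["text"]))
    return {"counts": counts, "unsupported": unsupported, "alerts": alerts,
            "missing_origin": missing_origin, "unparsed": unparsed}


# Constructed sample: switch 10.0.0.5 failing dot1x for one client, falling over
# to MAB, then hitting a policy failure and a security violation; the last two
# lines are a message without origin-id and a non-syslog line.
SAMPLE_LINES = [
    "<189>101: 10.0.0.5: *Jul 18 09:15:01.120: %AUTHMGR-5-START: Starting 'dot1x' for client (0011.2233.4455) on Interface Gi1/0/7",
    "<189>102: 10.0.0.5: *Jul 18 09:15:02.450: %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Gi1/0/7",
    "<191>103: 10.0.0.5: *Jul 18 09:15:02.460: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0011.2233.4455) on Interface Gi1/0/7",
    "<189>104: 10.0.0.5: *Jul 18 09:15:02.900: %MAB-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/7",
    "<188>105: 10.0.0.5: *Jul 18 09:15:03.010: %EPM-4-POLICY_APP_FAILURE: Policy Application Failed for Client [0011.2233.4455] on Interface Gi1/0/7",
    "<189>106: 10.0.0.5: *Jul 18 09:15:03.020: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Gi1/0/7, new MAC address (aabb.ccdd.eeff) is seen",
    "<189>107: 10.0.0.5: *Jul 18 09:15:04.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "<189>7: *Jul 18 09:15:05.000: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (aabb.ccdd.eeff) on Interface Gi1/0/8",
    "some unrelated text that is not a syslog message",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    for mnemonic, n in sorted(s["counts"].items()):
        flag = "" if mnemonic in SUPPORTED_MNEMONICS else "  (not parsed by ACS)"
        print(f"{n:3d}  {mnemonic}{flag}")
    print("alerts:", len(s["alerts"]), " missing origin-id:", s["missing_origin"],
          " unparsed:", s["unparsed"])
```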

Other Feature Enhancements

Other miscellaneous feature enhancements include:

EAP-TLS—Supports comparison against certificates retrieved from Microsoft Active Directory (AD).

RADIUS Vendor Specific Attributes (VSAs)—Supports configuration of additional RADIUS VSAs.

Browser—Supports Mozilla Firefox 3.

Backup—Supports backup operations from the ACS web interface. You can either schedule the backup or create an immediate request for a backup.

Import and Export—Supports a new scripting interface that allows you to perform Create, Read, Update, and Delete (CRUD) operations on ACS objects.

Web Services—Supports a new web services interface that allows you to:

Create web-based applications using the Python Script downloaded from the ACS web interface to allow users in your organization to change their passwords.


Note You can deploy the sample UCP.war script on any Java servlet container, such as Tomcat or JBoss.



Note The Cisco Technical Assistance Center (TAC) supports only the default Python Script for UCP web services. TAC does not offer any support for modified scripts.


Create custom scripts using the Monitoring and Report Viewer APIs that help you troubleshoot authentication problems in ACS.

Features Not Supported

The following features are not supported in ACS 5.1:

Integration with SQL DB via ODBC, for external authentication and identity information.

TACACS+ Proxy.

Application access control for CiscoWorks applications.

Network access restriction to users whose Windows accounts have Windows dial-in permission.

IP Pools Server feature.

Support for defining the maximum number of simultaneous sessions for a user or user group.

LM hash is not supported for CHAP/MS-CHAP authentications.

Expiry of any user (admin or internal) after a certain number of days is not supported.

Support for multiple Network Interface Cards (NICs).

Remote Database with cluster setup is not supported.

Installation and Upgrade Notes

This section provides information on the installation tasks and configuration process for ACS 5.1. This section contains:

Installing the CSACS 1121

Running the Setup Program

Licensing in ACS 5.1

Upgrading to ACS 5.1

Applying Upgrade Patches

Installing the CSACS 1121

This section describes how to install the CSACS 1121 Series appliance. The CSACS 1121 Series appliance comes preinstalled with the software.

To set up and configure the CSACS 1121:


Step 1 Open the box containing the CSACS 1121 Series appliance and verify that it includes:

The CSACS 1121 Series appliance

Power cord

Rack-mount kit

Cisco Information Packet

Warranty card

Regulatory Compliance and Safety Information for the Cisco 1121 Secure Access Control System 5.1

Step 2 Go through the specifications of the CSACS 1121 Series appliance. For more details, refer to Installation and Upgrade Guide for the Cisco Secure Access Control System 5.1.

Step 3 Read the general precautions and safety instructions that you must follow before installing the CSACS 1121 Series appliance. For more details, refer to Installation and Upgrade Guide for the Cisco Secure Access Control System 5.1 and pay special attention to all the safety warnings.

Step 4 Install the appliance in the 4-post rack, and complete the rest of the hardware installation. For more details on installing the CSACS 1121 Series appliance, refer to Installation and Upgrade Guide for the Cisco Secure Access Control System 5.1.

Step 5 Connect the CSACS 1121 Series appliance to the network and connect either a USB keyboard and Video Graphics Array (VGA) monitor or a serial console to the serial port. Figure 1 shows the back panel of the CSACS 1121 Series appliance and the various cable connectors.


Note For the initial setup, you must have either a USB keyboard and VGA monitor or a serial console running terminal-emulation software.


For more details, refer to Installation and Upgrade Guide for the Cisco Secure Access Control System 5.1.

For information on installing ACS 5.1 on VMware, refer to Installing ACS in a VMware Virtual Machine chapter in the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.1.

Figure 1 CSACS 1121 Series Appliance Rear View

The following table describes the callouts in Figure 1.

1 AC power receptacle

2 (Blocked) Gigabit Ethernet

3 Serial connector

4 Video connector

5 (Blocked) Gigabit Ethernet 1

6 (In Use) Gigabit Ethernet 0

7 USB 3 connector

8 USB 4 connector


Step 6 After completing the hardware installation, power up the appliance.

The first time you power up the appliance, you must run the setup program to configure the appliance. For more information, see Running the Setup Program.


Running the Setup Program

This section describes the setup process that configures the ACS Server.

The setup program launches an interactive CLI that prompts you for the required parameters. An administrator can use the console or a dumb terminal to configure the initial network settings and provide the initial administrator credentials for the ACS 5.1 server using the setup program. The setup process is a one-time configuration task.

To configure the ACS Server:


Step 1 Power up the appliance.

The setup prompt appears:

Please type `setup' to configure the appliance 
localhost login:

Step 2 At the login prompt, enter setup and press Enter.

The console displays a set of parameters. You must enter the parameters as described in Table 1.


Note You can interrupt the setup process at any time by typing Ctrl-C before the last setup value is entered.


Table 1 Network Configuration Prompts

Prompt: Hostname
Default: <localhost>
Conditions: The first character must be an ASCII letter. Length must be >2 but <20 characters. Valid characters are alphanumeric (A-Z, a-z, 0-9) and hyphen (-).
Description: Enter the hostname.

Prompt: IPv4 IP Address
Default: None, network specific
Conditions: Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.
Description: Enter the IP address.

Prompt: IPv4 Netmask
Default: None, network specific
Conditions: Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.
Description: Enter a valid netmask.

Prompt: IPv4 Gateway
Default: None, network specific
Conditions: Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.
Description: Enter a valid default gateway.

Prompt: Domain Name
Default: None, network specific
Conditions: Cannot be an IP address. Valid characters are ASCII letters, digits, hyphen (-), and period (.).
Description: Enter the domain name.

Prompt: IPv4 Primary Name Server Address
Default: None, network specific
Conditions: Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.
Description: Enter a valid name server address.

Prompt: Add/Edit another nameserver
Default: None, network specific
Conditions: Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.
Description: To configure multiple name servers, enter Y.

Prompt: Username
Default: admin
Conditions: The name of the first administrative user. You can accept the default or enter a new username. Must be >2 and <9 characters, and must be alphanumeric.
Description: Enter the username.

Prompt: Admin Password
Default: None
Conditions: No default password. The password must be at least six characters in length and have at least one lowercase letter, one uppercase letter, and one digit. In addition, save the username and password that you set up for initial configuration. Remember and protect these credentials because they allow complete administrative control of the ACS hardware, the CLI, and the application. If you lose your administrative credentials, you can reset your password by using the ACS 5.1 installation CD.
Description: Enter the password.


After you enter the parameters, the console displays:

localhost login: setup
Enter hostname[]: acs-server-1
Enter IP address[]: 209.165.200.225
Enter IP default netmask[]: 255.255.255.0
Enter IP default gateway[]: 209.165.200.1
Enter default DNS domain[]: mycompany.com
Enter Primary nameserver[]: 209.165.200.254
Add/Edit another nameserver? Y/N : n
Enter username [admin]: admin
Enter password:
Enter password again:
Pinging the gateway...
Pinging the primary nameserver...
Do not use `Ctrl-C' from this point on...
Appliance is configured
Installing applications...
Installing acs...
Generating configuration...
Rebooting...

After the ACS server is installed, the system reboots automatically. Now, you can log in to ACS with the CLI username and password that was configured during the setup process.


Note You can use this username and password to log in to ACS via the CLI only. To log in to the GUI, you must use the predefined username ACSAdmin and password default. When you access the GUI for the first time, you will be prompted to change the predefined password for the administrator. You can also define access privileges for other administrators who will access the GUI application.
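An added Python example (not part of the release notes) that checks a set of setup answers against the constraints in Table 1 before you type them at the console. The sample values are taken from the transcript above, the password is constructed, and the gateway-in-subnet check is an extra assumption of mine rather than a Table 1 rule.

```python
import ipaddress
import re


def validate_hostname(value):
    """Table 1: first character an ASCII letter, >2 and <20 characters, letters, digits, hyphen."""
    errors = []
    if not 2 < len(value) < 20:
        errors.append("hostname must be longer than 2 and shorter than 20 characters")
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", value):
        errors.append("hostname must start with a letter and use only A-Z, a-z, 0-9 and hyphen")
    return errors


def validate_ipv4(value, field):
    """Table 1: a valid IPv4 address between 0.0.0.0 and 255.255.255.255."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return [f"{field} must be a valid IPv4 address"]
    return []


def validate_domain(value):
    """Table 1: not an IP address; ASCII letters, digits, hyphen and period only."""
    errors = []
    try:
        ipaddress.ip_address(value)
        errors.append("domain name cannot be an IP address")
    except ValueError:
        pass
    if not re.fullmatch(r"[A-Za-z0-9.-]+", value):
        errors.append("domain name may contain only letters, digits, hyphen and period")
    return errors


def validate_username(value):
    """Table 1: >2 and <9 characters, alphanumeric."""
    errors = []
    if not 2 < len(value) < 9:
        errors.append("username must be longer than 2 and shorter than 9 characters")
    if not re.fullmatch(r"[A-Za-z0-9]+", value):
        errors.append("username must be alphanumeric")
    return errors


def validate_password(value):
    """Table 1: at least six characters, with a lowercase letter, an uppercase letter and a digit."""
    errors = []
    if len(value) < 6:
        errors.append("password must be at least six characters")
    for pattern, need in ((r"[a-z]", "a lowercase letter"),
                          (r"[A-Z]", "an uppercase letter"), (r"\d", "a digit")):
        if not re.search(pattern, value):
            errors.append(f"password must contain {need}")
    return errors


def validate_setup(p):
    """Check one complete set of setup answers; returns {field: [errors]} for failing fields only."""
    results = {
        "hostname": validate_hostname(p["hostname"]),
        "ip": validate_ipv4(p["ip"], "IP address"),
        "netmask": validate_ipv4(p["netmask"], "netmask"),
        "gateway": validate_ipv4(p["gateway"], "gateway"),
        "domain": validate_domain(p["domain"]),
        "nameserver": validate_ipv4(p["nameserver"], "name server"),
        "username": validate_username(p["username"]),
        "password": validate_password(p["password"]),
    }
    # Extra check that is my assumption, not a Table 1 rule: the gateway should lie in
    # the appliance's own subnet, or the "Pinging the gateway..." step cannot succeed.
    if not (results["ip"] or results["netmask"] or results["gateway"]):
        try:
            subnet = ipaddress.ip_interface(f"{p['ip']}/{p['netmask']}").network
        except ValueError:
            results["netmask"].append("netmask is not a contiguous mask")
        else:
            if ipaddress.ip_address(p["gateway"]) not in subnet:
                results["gateway"].append(f"gateway is not inside {subnet}")
    return {field: errs for field, errs in results.items() if errs}


# Values from the console transcript above; the password is constructed.
SAMPLE_SETUP = {
    "hostname": "acs-server-1", "ip": "209.165.200.225", "netmask": "255.255.255.0",
    "gateway": "209.165.200.1", "domain": "mycompany.com",
    "nameserver": "209.165.200.254", "username": "admin", "password": "Acs5setup",
}
```

Run validate_setup(SAMPLE_SETUP) before starting the setup program; an empty dict means every answer satisfies Table 1.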



Licensing in ACS 5.1

To operate ACS, you must install a valid license. ACS prompts you to install a valid license when you first access the web interface.


Note Each ACS instance (primary or secondary) in a distributed deployment requires a unique base license.


This section contains:

Types of Licenses

Auto-Installation of Evaluation License

Types of Licenses

Table 2 lists the types of licenses available in ACS 5.1.

Table 2 ACS License Support 

License
Description

Base License

The base license is required for all software instances deployed, as well as for all appliances. The base license enables you to use all the ACS functionality except license controlled features, and it enables standard centralized reporting features.

Required for each ACS instance, primary and secondary.

Required for all appliances.

Supports deployments with up to 500 managed devices.

The following are the types of base license:

Permanent—This license does not have an expiration date. Supports deployments with up to 500 managed devices.

Evaluation—Expires 90 days from the time the license is issued. Supports deployments with up to 50 managed devices.

Note The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses, and hence the number of devices is 256.

Add-On Licenses

Add-on licenses can only be installed on an ACS server with a permanent base license. A large deployment requires the installation of a permanent base license.
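To make the device-counting rule in the note above concrete, here is an added Python example (not Cisco's code) that computes how many licensed devices a set of network device definitions consumes by counting unique IP addresses, collapsing overlapping definitions so each address counts once, and compares the total with the 50 and 500 limits from Table 2. The sample device list is constructed from documentation address ranges.

```python
import ipaddress

# Managed-device limits from Table 2: permanent base license 500, evaluation 50.
DEVICE_LIMITS = {"permanent": 500, "evaluation": 50}


def address_cost(definition):
    """Unique IP addresses that one network device definition consumes.

    A definition is 'ip' (one device), 'ip/prefix' or 'ip/netmask'. Per the
    note in Table 2, a mask such as 255.255.255.0 counts as 256 addresses,
    not as one device.
    """
    return ipaddress.ip_network(definition, strict=False).num_addresses


def licensed_device_count(definitions):
    """Total unique addresses across all definitions.

    Overlapping definitions (a host already inside a subnet definition, or
    two adjacent /32s) are collapsed first so each address is counted once,
    which is how the note defines the device count.
    """
    nets = [ipaddress.ip_network(d, strict=False) for d in definitions]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


def check_license(definitions, license_type):
    """Report whether the definitions fit the chosen base license type."""
    count = licensed_device_count(definitions)
    limit = DEVICE_LIMITS[license_type]
    # Largest single consumers first, so an over-limit deployment is easy to trim.
    largest = sorted(definitions, key=address_cost, reverse=True)[:3]
    return {"license": license_type, "devices": count, "limit": limit,
            "fits": count <= limit, "headroom": limit - count, "largest": largest}


# Constructed sample deployment using documentation address ranges.
SAMPLE_DEVICES = [
    "192.0.2.10",                   # one switch, counts as 1
    "192.0.2.11/32",                # another switch, counts as 1
    "198.51.100.0/255.255.255.0",   # whole branch subnet: 256 addresses
    "198.51.100.7",                 # inside the /24 above, so adds nothing
    "203.0.113.0/26",               # 64 addresses
]

if __name__ == "__main__":
    for lic in DEVICE_LIMITS:
        r = check_license(SAMPLE_DEVICES, lic)
        print(f"{lic:10s} devices={r['devices']:3d} limit={r['limit']:3d} fits={r['fits']}")
```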


Auto-Installation of Evaluation License

If you are using a virtual machine (VM) for ACS with disk space between 60 GB and 512 GB, ACS automatically installs the evaluation license. However, you can also get the evaluation license and install it manually on the ACS server.


Note If you use an ACS server with less than 500 GB hard disk space, Cisco does not provide support for scalability, performance, and disk space-related issues.


For more information on installing ACS 5.1 on VMware, refer to Installing ACS in a VMware Virtual Machine chapter in the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.1.

Upgrading to ACS 5.1


Warning You might lose syslog records during the upgrade process. To maintain the monitoring and troubleshooting data integrity after upgrade, we recommend that you back up the database before you click the Switch Database button. For more information, see CSCtd10767 listed under the Known ACS Issues.

If you have a large database and would like to reduce the upgrade time, see CSCtc12382 listed under the Resolved Issues in Cumulative Patch ACS 5.1.0.44.2.

For step-by-step instructions on how to upgrade from ACS 5.0 to ACS 5.1, refer to the Upgrading the Cisco Secure Access Control System section of the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.1.

Applying Upgrade Patches

You can download ACS 5.1 cumulative patches from the following location: http://www.cisco.com/public/sw-center/index.shtml

To download and apply the patches:


Step 1 Log in to Cisco.com and navigate to Network Management > Security and Identity Management > Cisco Secure Access Control Server Products > Cisco Secure Access Control System > Cisco Secure Access Control System 5.1.

Step 2 Download the patch.

Step 3 Install the ACS 5.1 cumulative patch:

Issue the following acs patch command in the EXEC mode to install the ACS patch:

acs patch install patch-name.tar.gpg repository repository-name

ACS displays the following confirmation message:

Installing an ACS patch requires a restart of ACS services.
Would you like to continue? yes/no

Step 4 Enter yes.


Known Client Issues

This section lists some of the known issues with the Cisco Secure Services Client (CSSC).

Table 3 lists the client issues that might impact your ACS 5.1 experience.

Table 3 Known Client Issues

Bug ID: CSCsz77425, CSCtc34974
Client Name and Version: CSSC 5.1
Protocols: EAP-FAST-GTC, PEAP-GTC
Description of the Problem: This issue occurs when you use the RSA SecurID server as an external identity store. If your first authentication fails and does not display a new PIN dialog box, the client keeps resending the same one-time PIN during the course of a single session.
Comments: The RSA SecurID server locks out the user or changes the user status to next token. This behavior is not consistent.

Bug ID: CSCsz20850
Client Name and Version: CSSC 5.1
Protocols: EAP-FAST-GTC
Description of the Problem: This issue occurs during EAP-FAST authenticated provisioning. The client does not request PAC v1A after it receives PAC v1 from ACS.
Comments: PAC v1A is more protected (the PAC-opaque encryption method is used), so this could be a security issue.
Note This issue is not seen in CSSC 5.1 on Windows Vista.

Bug ID: CSCsz20866
Client Name and Version: CSSC 5.1
Protocols: EAP-FAST-MS-CHAP
Description of the Problem: This issue occurs in EAP-FAST MS-CHAP v2 authentication. You cannot select anonymous-only provisioning.
Comments: You cannot request the type of provisioning that you need from the client side.
Note This issue is not seen in Windows Vista SDK and CSSC 5.1.0.56 for Vista.

Bug ID: CSCsq24766
Client Name and Version: CSSC 5.1.1.10 on Windows XP
Protocols: EAP-FAST, PEAP
Description of the Problem: This issue occurs when you inadvertently supply an incorrect old password while changing your password at login.
Comments: You cannot provide correct credentials in the same session if you have provided an incorrect password during your first attempt.

Bug ID: CSCsx53104
Client Name and Version: CSSC 5.1 on Windows XP
Protocols: EAP-FAST
Description of the Problem: This issue occurs at times in machine authentication. The client requests a user PAC instead of a machine PAC.
Comments: Tunneling PAC should not be used for machine authentication.
Note This issue is also seen in the Intel client. This issue is not seen in CSSC 5.1 on Windows Vista.

Bug ID: CSCsz48360
Client Name and Version: CSSC 5.1
Protocols: EAP-FAST, PEAP
Description of the Problem: This issue occurs when the client performs EAP-FAST authentication using stateless session resume. The client sends PEAP-MS-CHAPv2 error packets on session timeout.
Comments: This issue consumes resources and processes.
Note This issue is seen in the Intel client as well.

Bug ID: CSCta26007
Client Name and Version: CSSC 5.1 on Windows Vista
Protocols: EAP-FAST-GTC
Description of the Problem: This issue occurs in the fallback flow. There are two fallback flows for the expired PAC. The first fallback flow stops after ACS sends the last server Hello message to the client. After that, a second fallback flow begins and completes successfully. After two minutes, ACS displays an EAP timeout message for the first fallback.
Comments: The client and ACS perform two fallback flows, consuming time and resources.
Note This issue is not seen in CSSC 5.1 on Windows XP.

Bug ID: CSCtc75371
Client Name and Version: CSSC 5.1 on Windows Vista
Protocols: EAP-GTC
Description of the Problem: Machine authentication fails with EAP-GTC. CSSC Vista attempts to use an inner method of MSCHAPv2 even though it is not configured on CSSC or ACS.
Comments: EAP-GTC machine authentication works for ACS with CSSC 5.1 on Windows XP.
Note This issue is not seen with other clients.


Resolved ACS Issues

This section lists the issues that are resolved in the ACS 5.1 release.

Table 4 lists the resolved issues in ACS 5.1.

Table 4 Resolved Issues in ACS 5.1 

Bug ID
Description

CSCsu88426

In ACS 5.0, the SSL web interface certificate used for administrative access via HTTPS is self-signed during installation and cannot be replaced with a customer certificate. ACS 5.1 supports replacing the self-signed certificate with a customer-signed certificate.

CSCsv90055

ACS 5.1 supports network device names of up to 64 characters.

CSCsw18800

When a specific identity sequence is selected, authentications fail and replications stop.

CSCsw21781

The web interface of a secondary ACS server displays the following error:

Required container of HierarchyLabel is empty.

CSCsw45207

An ACS server makes use of only one CPU, even if two CPUs are available.

CSCsw49239

An ACS server gets deleted from the AD when the server is restarted.

CSCsw80396

Installation of Certificate Authority (CA) fails if Certificate Revocation List (CRL) cannot be parsed.

CSCsw92788

When an ACS node is deregistered and registered again, the configuration for each instance of log category is lost.

CSCsw95667

If you create a Certificate Authentication Profile (CAP) and use it in a policy, the CAP cannot be deleted.

CSCsx17179

ACS 5.0 overrides the class attribute configured to return after successful authentication.

CSCsx40242

Duplication of Access Service causes the following error:

Required container of HierarchyLabel is empty.

CSCsx54752

Concurrency is violated when updating Posture Server or Custom Condition.

CSCsx54785

Replication stops working after updating the Session Authorization Profile.

CSCsx94072

ACS server displays the following error when authenticating AD users:

Internal error in the ACS Active Directory.

CSCsy03478

Stateless Session Resume does not work.

CSCsy17858

ACS does not work with WLC 4400 and WiSM. All packets that are sent by these devices to ACS get dropped.

CSCsy46036

When ACS attempts to authenticate a PC equipped with Intel AMT client v2.6.6, PEAP/MSCHAPv2 and EAP-FAST/MSCHAPv2 802.1x, the authentication fails with the following error messages:

Invalid EAP payload dropped.

Invalid inner-EAP payload dropped.

CSCsy52084

When ACS receives RADIUS Access Request message with tunnel-tagged RADIUS attributes and tag=0, the request gets dropped.

CSCsy69217

Tunnel-Password attribute breaks the RADIUS packet when it is in the middle of the packet.

CSCsy71768

When the authen_type argument in a TACACS accounting packet is equal to None or 0, ACS 5.0 fails the accounting packet with the following error message:

Possible mismatched shared secrets.

CSCsy90822

Avaya IP phones fail to authenticate to ACS 5.0 with 802.1x, even though a success message is passed back from ACS.

CSCsz02855

ACS stops servicing TACACS requests under the circumstances of high load of TACACS authentication and authorization requests.

CSCsz20682

In a distributed environment, when replication stops, authentications using the affected service still succeed, but ACS displays the following error message in the authentication details:

Incorrect database configuration.

CSCsz24126

ACS throws a runtime exception when an access request is sent with Tunnel-Assignment-ID attribute and tag=0.

CSCsz39114

ACS 5.0 displays the following error message when a CSSC user inserts a wrong password and does not respond to the retry message:

Invalid inner-EAP payload dropped.

CSCsz39174

ACS logs empty message when an EAP message times out.

CSCsz54916

Installation of license fails when the company name includes an ampersand (&) character with it.

CSCsz54975

ACS 5.0 displays the following error message when a user performs PEAP-MS-CHAP user authentication in a Windows XP native client with blank Username and Password:

Invalid EAP payload dropped.

CSCsz63227

When a super admin defines or deletes an attribute, ACS throws an exception. This problem is noticed when a super admin tries to create a secure LDAP connection that requires a reference to a certificate. As a result, an invalid configuration is created that the runtime does not accept, which causes the runtime to go offline.

CSCsz79818

The Recent Alarms in ACS Monitoring and Report Viewer displays the following errors:

Failed to insert session : Radius Authentication Event

Failed to insert Radius Accounting Event to Database.

CSCsz81514

dACL with VPN3K works only if there is a single ACL line. If dACL contains more than one ACL line, the dACL is not downloadable to the device.

CSCsz82564

ACS reports "Invalid EAP payload" error under EAP FAST in the following scenarios:

LDAP identity store.

EAP-FAST authentication with expired Authorization PAC with CSSC 5.1.

CSCsz84976

Invalid EAP payload errors on EAP-FAST idle authentication process.

CSCsz85344

cisco-av-pair details are not displayed in ACS Monitoring and Report Viewer.

CSCta00680

ACS displays the following error when performing EAP-FAST-GTC provisioning against Intel client, where an ACS server is not trusted on the client side:

Invalid EAP Payload.

CSCta05129

Some EAP authentications get dropped due to ACS internal errors and some get rejected when the packets are unexpected or malformed.

CSCta08841

The network device admin is not allowed to read, update, or delete the network device groups.

CSCta26102

PEAP-MS-CHAP authorization stops after numerous EAP session timeouts.

CSCta29941

ACS reaches "hit space limit" on multiple session EAP timeouts.

CSCta29960

ACS does not reject Odyssey request for anonymous provisioning.

CSCta37611

The audit report does not log any configuration changes.

CSCta59109

When performing group selection while searching child domains that are configured with the root or forest admin credential, ACS returns neither data nor an error message, even if trusts exist.

CSCta73912

EAP-TLS fails with CRL checking in tiered CA environment.

CSCta75089

Adds an option for manually adding AD groups on the AD page of the ACS web interface.

CSCta89652

ACS does not populate class attribute to syslog.

CSCta95740

User authentications from ACS to AD fail and display the following error message when the case of the username does not match:

Mschap user name doesn't match eap identity.

CSCtb83296

ACS with shared-secret key should reject unencrypted TACACS+.


Resolved Issues in Cumulative Patch ACS 5.1.0.44.1

Table 5 lists the issues that are resolved in the ACS 5.1.0.44.1 cumulative patch.

You can download the ACS 5.1.0.44.1 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to "Applying Upgrade Patches" section for instructions on how to apply the patch to your system.

Table 5 Resolved Issues in Cumulative Patch ACS 5.1.0.44.1

Bug ID
Description

CSCtc41730

ACS resets SYN packets if Maximum Segment Size (MSS) is not set.

CSCtc20671

On ACS 5.0 deployments on VMware ESX, the ACS file system shows errors or is mounted as read-only.

CSCtd16825

CLI "copy" command is broken when working with "disk."


Resolved Issues in Cumulative Patch ACS 5.1.0.44.2

Table 6 lists the issues that are resolved in the ACS 5.1.0.44.2 cumulative patch.

You can download the ACS 5.1.0.44.2 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to the "Applying Upgrade Patches" section for instructions on how to apply the patch to your system.

Table 6 Resolved Issues in Cumulative Patch ACS 5.1.0.44.2 

Bug ID
Description

CSCtd24949

TACACS+ authorization failure when authen_type is 0.

CSCte16911

ACS 5.1 shows an error when a TACACS authentication is set to PPP service type.

CSCtd99822

AD users with expired passwords fail authentication attempts even after the password is reset.

CSCte70900

ACS 5.1 rejects an access point joining a WDS domain with "LEAP packet validation failed".

CSCte79051

ACS runtime process crashes when it receives and handles several T+ session authorization requests simultaneously.

CSCte81150

ACS reports key mismatch for accounting packets that contain unknown authentication method.

CSCtd57980

EPM Syslogs are not parsed as expected in ACS View collector.

CSCtd69364

AD client fails to start.

CSCtd00585

ACS 5.1 AD client rebuilds the domain info map from scratch each time.

CSCtc12382

ACS View upgrade fails on scale configuration.

Follow these instructions if you have a large database and would like to reduce the upgrade time.

Note The following instructions are not applicable if you have already upgraded to ACS 5.1.

1. Perform a full backup of the ACS 5.0 database.

2. Reimage the machine by installing ACS 5.1.

3. Install the ACS 5.1.0.44.2 upgrade patch.

4. Restore the ACS 5.0 database on the ACS 5.1.0.44.2 server. The upgrade will start automatically.

CSCtd37384

ACS View does not display "Remote Address".


Resolved Issues in Cumulative Patch ACS 5.1.0.44.3

Table 7 lists the issues that are resolved in the ACS 5.1.0.44.3 cumulative patch.

You can download the ACS 5.1.0.44.3 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to the "Applying Upgrade Patches" section for instructions on how to apply the patch to your system.

Table 7 Resolved Issues in Cumulative Patch ACS 5.1.0.44.3 

Bug ID
Description

CSCte88357

ACS 5.1 TACACS accounting report is missing a few attributes due to a NULL character.

CSCtb94187

Limitation on the characters ` _ or a space during the migration of users.

CSCtd48173

After upgrade, cannot create or edit a VSA attribute.

CSCtf06311

All internal users are disabled automatically after a single user logs in.

CSCte72751

ACS 5.1 drops authentication with empty password.

CSCsy54062

ACS does not verify SubjectKeyID or AuthorityKeyID in Certificate Chain building.

CSCtf85659

ACS 5 does not distinguish between unique certificates.

CSCtf60490

Windows Mobile 5.0 clients fail LEAP authentication on ACS 5.1.

CSCtf65179

Discovery of the host account domain is done several times.

CSCtf62721

Translation of Group SID to Group name is very inefficient.

CSCtf39158

Cannot retrieve AD groups in a single forest with multiple trees.

CSCtd00477

Cannot retrieve AD groups if the forest's name is a single word.

CSCtf30684

Password change using web service does not work.

CSCtf75806

ACS 5.1 does not log accounting details for some AAA clients.


Resolved Issues in Cumulative Patch ACS 5.1.0.44.4

Table 8 lists the issues that are resolved in the ACS 5.1.0.44.4 cumulative patch.

You can download the ACS 5.1.0.44.4 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to the "Applying Upgrade Patches" section for instructions on how to apply the patch to your system.

Table 8 Resolved Issues in Cumulative Patch ACS 5.1.0.44.4 

Bug ID
Description

CSCtf72641

ACS 5.x does not allow LEAP-first authentication.

CSCtf08567

ACS 5.1 permits command without arguments where it should deny it.

CSCtg15941

ACS 5.1 high memory usage. More than 90% memory is used when idle or with less load.

CSCtd46884

ACS 5.x AD save changes fail if admin password contains a space.

CSCtg38950

EAP-GTC always uses the hardcoded password prompt 'password:'.

CSCtg52633

ADClient fixed to handle duplicate CLDAP on UDP port 329.

CSCtf78048

Optimize discovery of host's account domain.

CSCtf23507

Support non-MS Kerberos (MIT).

CSCth59823

Replication is broken due to ActiveMQ exception.

CSCtg58234

EAP-FAST does not work if the username case differs between the PAC and the inner method.

CSCtg38987

Password/passcode is not configurable for RSA Identity Store.

CSCtg87278

ACS is not able to establish an SSL tunnel to an LDAP server with CRL verification.

CSCte95063

After "clock set", the View log processor goes to the 'not monitored' state.

CSCth82664

ACS database needs to be compressed as a maintenance operation.

Follow these steps to compress the ACS database:

1. Move all the secondary nodes to local mode.

2. On the primary node run the command:

acs-config database-compress [truncate_log]

This maintenance operation compresses the ACS database by rebuilding each table in the database and releasing unused space. The command also has the option to release the replication transaction table.

3. After the database compression is completed and all the services are up again, reconnect the secondary nodes one by one.

After reconnecting the secondaries, full-sync between the primary and the secondary will be initiated automatically.

CSCth77468

ACS 5.1 does not include 'C' and 'V' values in the MS-CHAP-v2 Failure Packet.

CSCth72626

MS-CHAPv2 responses with bad flag values are not dropped.

CSCth62273

ACS database can become large due to incomplete user password changes.

CSCth62139

ACS authentication rate decreases with internal user attributes.

CSCtf43054

Group assignment dialog does not allow "+" symbol in group name.

CSCtd14560

GUI session is logged out when Monitoring & Report Viewer is launched.

CSCtg78120

Monitoring & Report Viewer redirects to ACS view using the hostname only.

CSCth66146

Some failure reasons disappear in Failure Reasons Editor.

CSCtg60923

Apostrophe in password causes ACS 5 upgrade to fail.

CSCti93393

Accounts created to expire beyond 24 days are disabled.


Resolved Issues in Cumulative Patch ACS 5.1.0.44.5

Table 9 lists the issues that are resolved in the ACS 5.1.0.44.5 cumulative patch.

You can download the ACS 5.1.0.44.5 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to the "Applying Upgrade Patches" section for instructions on how to apply the patch to your system.

Table 9 Resolved Issues in Cumulative Patch ACS 5.1.0.44.5 

Bug ID
Description

CSCti98492

ACS 5 tries to connect only to 3 DCs.

CSCtj15764

ACS 5 does not accept two certificates with the same SKI.

CSCti22161

ACS 5.1 AD admin password length too short.

CSCsu69983

Restoring a configuration disconnects deployment and causes replication.

CSCti68031

ACS 5 sees DC= in the certificate subject as invalid DN.

CSCth78269

ACS transactions table is not cleaned properly during bulk operations.

CSCth57441

ACS 5.1 - HDD failure does not prevent RT from processing incoming requests.

CSCth59463

Replication fails when remote syslog is configured.

CSCtj31250

Windows 7 PEAP fast reconnect fails with ACS 5.

CSCtj32835

Group fetch does not work for 8 hours after joining a new domain.

CSCtj36382

Find AD global catalog may fail in a certain scenario.

CSCtf69063

ACS backup and ACS restore on distributed environment deletes license-seco.

CSCtj87187

5.1 p5 - Trust for client with EAP-TLS is not stored with the allow duplicate option.

CSCtj86607

ACS 5.1 HTTP 500 errors, requiring mgmt service restart.

CSCtk08342

ACS becomes disconnected from Active Directory when DNS replies are delayed.

CSCtk08423

ACS reconnects to different DCs if the AD namespace is disjoint.


Resolved Issues in Cumulative Patch ACS 5.1.0.44.6

Table 10 lists the issues that are resolved in the ACS 5.1.0.44.6 cumulative patch.

You can download the ACS 5.1.0.44.6 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to the "Applying Upgrade Patches" section for instructions on how to apply the patch to your system.

Table 10 Resolved Issues in Cumulative Patch ACS 5.1.0.44.6

Bug ID
Description

CSCtl77440

Able to arbitrarily change user account passwords.

CSCtl87993

Although the UCP service is disabled, the UCP Python example still works.

CSCtl71157

ACS runtime does not send system status and health.


Known ACS Issues

This section lists the known issues for the ACS 5.1 release.

Table 11 lists the known issues in ACS 5.1. You can also use the Bug Toolkit on Cisco.com to find any open bugs that do not appear here.

Table 11 Known Issues in ACS 5.1 

Bug ID
Description

CSCsi71974

When you click the Device Type option in the web interface, ACS displays an HTTP 404 error and a Tomcat error is printed to catalina.out.

Symptom: In the catalina.out (the Tomcat log file), sometimes an HTTP 404 error appears while you are looking for web resource such as images.

Conditions: This occurs when you navigate to the Device Type option in the ACS web interface.

Workaround: None.

CSCsl17897

The Service Selection Rules window may not display the Name column in the Rule-based result selection table.

Symptom: In the Rule-based result selection table of the Access Policies menu, the horizontal scrolling of the table might cause the Name column to not be visible.

Conditions: This may occur when you have a small screen with many conditions and result columns defined.

Workaround: Perform any of the following:

Increase the resolution of the screen

Collapse the left navigation panel

Organize the Rule-based result selection table to have fewer columns

CSCsm00425

ACS does not allow you to create an authorization profile with a maximum value greater than 2147483647 for the unsigned integers.

Symptom: An ACS 5.x administrator cannot create an authorization profile with a maximum value for the unsigned integers.

Conditions: This bug applies to all software releases of 5.x until ACS 5.1.

Workaround: Define maximum values in the range of 0 to 2147483647.

CSCso49849

Long-string attribute names and values are not displayed in the Network Access Profiles and RADIUS attribute pages.

Symptom: For authorization profiles, long-string attribute names and values are not displayed in their entirety.

Conditions: Authorization profiles allow values to be defined for selected RADIUS attributes to be sent in an ACCEPT response. If the value is a string with more than 50 characters, only the start of the string is displayed in the web interface, and the full string is sent in the response. Similarly, for long-string attribute names, the value gets truncated in the web interface.

Workaround: From the attribute list, select a definition that contains the long value and click Edit. The value for this entry is displayed in a text box. You can scroll within the text box to view the attribute name or value.

CSCsq93350

The DenyAccess and PermitAccess options can be enabled simultaneously.

Symptom: In addition to the DenyAccess profile, if you select authorization profiles as results, they are ignored.

Conditions: From the results of the Network Access Profiles, you can select multiple authorization profiles to determine the RADIUS attributes that are to be present in an ACCEPT response. If you simultaneously select the reserved profile DenyAccess, the contents of the other profiles are ignored.

Workaround: To deny access in an authorization, select only the DenyAccess profile.

CSCsr24674

Exporting a report to PDF generates formatting issues.

Symptom: When you click Print to export a report to PDF, you see some formatting issues that include the following:

The page length and width of the PDF report do not match the report as viewed in the browser.

The report parameters do not appear in the PDF report.

Conditions: Printing a report in PDF format causes some formatting issues.

Workaround: Select HTML as the export option, instead of PDF.

CSCsr74090

ADE-OS password recovery returns a 64-bit address space error.

Symptom: When you perform a password recovery using the DVD and type option 3 or 4, the following error appears:

PCI: Unable to handle 64-bit address space.

But the password recovery operation succeeds.

Conditions: This error occurs when you use the DVD for password recovery.

Workaround: None.

CSCsr81297

Catalina.out logs CSACS-1120-related errors when you select the Active Directory option.

Symptom: When you select the Active Directory option, a tail -f is used in the catalina.out log file that causes a large number of errors.

Conditions: The errors occur when you select Users and Identity Stores > External Identity Stores > Active Directory.

Workaround: None.

CSCsr83584

Two simultaneous promotions are permitted while the current primary server is down.

Symptom: Two secondary instances can be promoted to be a primary server.

Conditions: This occurs only when the current primary is offline and you try to simultaneously promote two secondary instances to be a primary. When the current primary server is online, it acts as an arbitrator and prevents two secondaries from being promoted at the same time. But when it is offline, this problem can occur.

Workaround: Avoid promoting two secondary instances simultaneously. However, if this problem occurs, you can use Hardware Replacement to connect the extra primary and any secondary instances to the other primary that was promoted.

CSCsr94065

Log messages cannot be viewed for monitored rules.

Symptom: Cannot view the log messages for monitored rules.

Conditions: Monitor rule logs are not generated even if the monitor-only option is selected.

Workaround: Set the log severity to INFO in the policy diagnostics scope.

CSCsu49059

Cannot stop support bundle processing by using Ctrl-C from the CLI.

Symptom: If you press Ctrl-C when using the CLI to run the acs support command, it may not stop the CLI operation. You must wait until the acs support command completes before you run any other commands, such as acs backup or acs restore.

Conditions: From the CLI, press Ctrl-C when running the acs support command.

Workaround: None. This is an intermittent issue that might not occur every time.

CSCsu69983

Restoring a configuration disconnects deployment and causes replication.

Symptom: After restoring a backup database to a primary database, the deployment is disconnected.

Conditions: When a backup database is restored, the database no longer contains the correct deployment information for the secondary instance that belonged to the previous database. To avoid sending replication updates to the wrong secondary instances, the underlying replication communication system is changed so that only reconnected or newly registered secondaries will receive replication updates.

Workaround: After a database restore, you must perform a hardware replacement for each secondary instance to reconnect to the primary instance.

CSCsv32027

Import progress popup issues with Internet Explorer 6.0.

Symptom: When you import using the Internet Explorer browser, you might see the import monitor popup in a flash window.

Conditions: Using Internet Explorer browser for import.

Workaround: None. This is just a cosmetic issue. However, if the progress popup does not appear, you can bring it to the front manually.

CSCsv39142

An active administrator SSH session closes when a malformed SSH load occurs.

Symptom: During a heavy load in the SSH interface, a working SSH session might be closed.

Conditions: This happens when there is a heavy load on ACS SSH ports. The applicable ACS versions are ACS 5.x, including 5.1.

Workaround: Block SSH load through other Cisco products or solutions (for instance, Cisco MARS) and then create a new SSH session.

CSCsv45016

An error is generated when special characters are used in report parameters.

Symptom: When specifying report parameters, if you enter special characters in one or more of the parameters, the report is not generated and an error message appears.

Conditions: When specifying special characters such as `~!@#$%^&*()/\{}[];:"' in one or more of the report parameters.

Workaround: None.

CSCsv55503

AD client DEBUG logs change back to INFO after AD rejoin.

Symptom: AD client DEBUG logs change back to INFO after AD rejoin.

Conditions: ACS AD client logs are enabled in DEBUG level [debug-adclient enable], then AD agent rejoins the AD domain (adleave & adjoin). AD agent logs are no longer in DEBUG.

Workaround: Log levels are defined in the /etc/syslog.conf file and default to:

user.debug -/opt/CSCOacs/logs/ACSADAgent.log

Perform the following steps:

1. To open full debug logs, modify the above line to the following:

*.debug -/opt/CSCOacs/logs/ACSADAgent.log

2. Start the syslog daemon: sudo pkill -1 syslogd

3. Start ACS.

4. Issue the following command in CLI:

$/opt/CSCOacs/runtime/adagent/bin/ACS_AD_Runner.sh addebug on

CSCsv65225

The health summary for the secondary ACS instance is not updated.

Symptom: In the health summary of a secondary ACS instance, the process status shows as running even if it is not running. When a process is down, it takes 10 minutes for the report to indicate the process status.

Conditions: This issue occurs when viewing the health summary of the ACS instance.

Workaround: None.

CSCsv65444

Monitoring and Report Viewer log section contains incorrect steps on Advance option.

Symptom: The Monitoring and Report Viewer log section says that ACS continues with Advance options even after the Reject or Drop options are selected. These steps are not correct.

Conditions: Configuring ACS by navigating through Access-services > Identity > Advance option to drop or reject the three drop-down options.

Workaround: None.

CSCsv88662

Reports are not displayed in ACS Monitoring and Reports.

Symptom: When the ACS Monitoring and Reports application is launched, the reports are not displayed in the reports catalog or in the default favorite reports.

Conditions: This issue occurs if the administrator name contains special characters such as !@#$%^&*()\/"'[]{}.

Workaround: Do not use special characters in administrator names.

CSCsv97503

Monitoring and Report Viewer does not change severity for log view based on ACS config.

Symptom: When configuring AAA diagnostic logs for a severity level that is different from the default level (WARN), the Monitoring and Report Viewer does not show these logs.

Conditions: Configuring ACS from System Administration and viewing the logs in the Monitoring and Report Viewer by navigating to Reports > Catalog > AAA Protocol.

Workaround: To avoid this issue, perform either of the following procedures:

Procedure 1:

1. Click the radio button next to the report that you need.

2. Click Run and then choose the option Query and Run.

3. From the Run Report window, choose the severity level.

4. Click Run.

Procedure 2:

1. Click the radio button next to the report that you need.

2. Click Add To Favorite.

3. Specify a name for the report.

4. From the drop-down list, choose the desired severity level.

5. Click Add To Favorite.

6. Navigate to Reports > Favorites to view the report.

CSCsw79961

Some records are missing when simultaneously inserting the records from multiple users.

Symptom: When multiple users simultaneously perform a lot of configurations, a small number of objects that are to be added to the ACS configuration are not added.

Conditions: This issue occurs when all of the following are done:

Users are using the automated stress tool.

Ten administrators simultaneously perform a lot of configuration activities.

Some of the administrators add network devices, MABs, and internal users.

Other users view pages or log in and log out of ACS.

Workaround: To avoid this issue:

Do not use automated tools via the web interface.

Perform all configurations manually.

CSCsw79994

If Auto Activation is disabled, the secondary server displays incorrect deployment status.

Symptom: When Auto Activation is disabled:

A registered secondary server becomes inactive.

The secondary server contains an odd state when it is viewed from the web interface of the secondary server.

Conditions: When Auto Activation is disabled, a registered secondary becomes inactive and stops receiving Full Replication updates from the primary server. The web interface of the secondary displays the deployment state of the secondary as it was before the registration. Once the secondary is active, this state is replaced with the configuration from the primary.

Workaround: From the web interface of the primary, activate the secondary to update it with the deployment configuration.

CSCsw82472

EAP timeout message is not printed to the local store.

Symptom: Sometimes an EAP timeout log message is not written in the local store.

Conditions: This happens when a timeout occurs for EAP conversations.

Workaround: You can view the EAP timeout messages in the Monitoring and Reports Viewer.

CSCsx06721

ACS web interface does not recognize that the internal database is down.

Symptom: When the database is shut down and does not go up automatically, the web interface displays a general error message, but does not state that the database is down.

Conditions: This occurs when the ACS database process is shut down explicitly through the CLI or killed by the OS.

Workaround: Issue show application status acs in the ACS CLI to verify if the status is "not monitored" or "failed." If it is either, restart the ACS server.

CSCsz30605

Submitting a NAR without filling in a name causes display problems on Internet Explorer 7.0.

Symptom: The End Station Filters tabs overlap with the text fields.

Conditions: This occurs when you perform the following steps:

1. Invoke ACS using the Internet Explorer 7.0.

2. Select Policy Elements > ... > Session Conditions > Network Conditions > End Station Filters.

3. Create a filter with a valid IP.

4. Leave the Name field blank and click Submit.

Workaround: Be sure to fill in the Name field before you click Submit.

CSCsz38686

A NAR end station exception is displayed.

Symptom: The End Station Filters page gets stuck.

Conditions: This occurs when you enter a string with special characters such as ~!@#$%^&*()_+| in the End Station Filters page.

Workaround: Do not use special characters.

CSCsz45821

Ampersand in network device group (NDG) selection breaks the policy property page.

Symptom: NDG selection in the rule table editor appears empty.

Conditions: This occurs when you perform the following steps:

1. Create an NDG with an ampersand (&) in the name.

2. Go to policy identity, and customize it to contain that NDG.

3. Create a new rule, check the NDG check box, and click Select.

Workaround: Do not use the ampersand when creating NDGs.

CSCsz63336

When the local ACS Bind CA Signed Certificate tries to use the same user-friendly name as an existing one for the local certificate, the web interface displays misleading error messages.

Symptom: The errors may appear when binding a certificate with a name that already exists.

Conditions: This occurs when you configure a certificate with the same name in ACS.

Workaround: None. However, it is impossible to insert two certificates with the same name.

CSCsz77025

An NDG with an ampersand (&) trims the log in the ACS local store.

Symptom: When a username attribute contains the ampersand, the log message is truncated.

Conditions: This error occurs when a logged attribute contains an ampersand.

Workaround: None.

CSCsz77412

HTTP 500 and an exception appears when accessing a deleted access service from another browser.

Symptom: A null pointer exception appears when you select an access service from the navigation bar.

Conditions: This error occurs when you access the same access service through two browser windows, delete the access service in one of the windows, try to access the Identity and Authorization submenus, and return to the main access service from the navigation bar on the other window.

Workaround: Do not use two browsers to work with the ACS application. If this error happens, you must collapse the Access Policies drawer and then expand it to reload the navigation bar.

CSCsz81061

Out-of-band provisioning does not support identity names in UTF-8 format.

Symptom: The Protected Access Credential (PAC) name that is generated in the Save As dialog box is not presented well when you use non-English fonts.

Conditions: Under System Administration > Configuration > Global System Options > EAP-FAST > Generate PAC, in the Identity field, fill in an identity in a non-English font. When you click Generate PAC, a Save As dialog box appears, prompting you to save the file. Junk characters appear in the filename.

Workaround: Do either of the following:

For identity attributes, use only English fonts.

If you use non-English fonts, change the filename manually in the Save As dialog box.

CSCta10658

CLI commands that require a restart do not have an audit log in the Monitoring and Report Viewer.

Symptom: CLI commands that require ACS restart do not have an audit log in Monitoring and Report Viewer.

Conditions: This error occurs when you issue CLI commands, such as IP address changes that require ACS to be restarted. The audit message does not appear in the Monitoring and Report Viewer because the Monitoring and Report Viewer Collector goes down when ACS restarts.

Workaround: None.

CSCta12956

When you change the ACS hostname, the server certificate still has the old hostname.

Symptom: After you change the ACS hostname through the CLI, the hostname in the server certificate (management interface certificate) is not changed and the server certificate might block access to the ACS web interface.

Conditions: This issue occurs when you change the ACS hostname.

Workaround: Do either of the following:

When you access the ACS web interface, accept the certificate exception and log in with the old certificate. When you log in, ACS resolves this issue by creating a new self-signed certificate or importing a certificate and associating it with the management interface.

Use the reset-management-interface-certificate command to remove the association between the old certificate and the management interface and create a new self-signed certificate and associate it to ACS. You can then log in to ACS and configure a permanent-signed certificate from the ACS web interface, from the local certificate administration page.

CSCta25997

User is not logged out after session timeout.

Symptom: Super Admin User is not logged out after session timeout.

Conditions: After logging in as a super admin user, configure the session timeout to n minutes. Launch the Monitoring and Report Viewer and wait for n minutes. After n minutes, the Monitoring and Report Viewer returns an error, but is functional. The My Account page in ACS is also active.

Workaround: None.

CSCta30608

Even though the ACS upgrade fails, the ACS CLI displays the following success message:

Application upgrade successful

Symptom: ACS services do not get started for many hours after the ACS upgrade.

Conditions: This occurs when the ACS database is in an unstable condition during the upgrade.

Workaround: If the ACS services have not started a couple of hours after the upgrade is complete, check the /opt/CSCOacs/logs/acsupgrade.log to verify that the application upgrade was successful.

CSCta33184

UTF-8 is not supported in the acs-config mode.

Symptom: UTF-8 characters are not supported in acs-config mode.

Conditions: When the administrator's username or password consists of UTF-8 characters and this administrator moves into the acs-config mode in the CLI, the authentication fails.

Workaround: Define an administrator username and password with no UTF-8 characters and use that to log in to acs-config mode in the CLI.

CSCta35416

Custom - Does not support UTF-8 characters.

Symptom: When you open the NDG selector from the Rule Edit dialog box, no entries are found even though several entries are defined.

Conditions: Define several NDGs with non-English names and go to the rule table. Ensure that the condition type of the relevant NDG is configured to be displayed, and click the Create, Edit or Duplicate button. Check the check box of the relevant NDG condition, and click the select button next to it. An empty selector appears even though there are several entries defined.

Workaround: Use English names for the NDGs.

CSCta35585

During ADE-OS installation, you can enter the shell as the root user (console only, not SSH).

Symptom: It is possible to enter the ACS appliance's root shell from the console.

Conditions: After you install ADE-OS from the console, pressing Ctrl+Alt+F2 allows you to enter the shell as a root user.

Workaround: None.

CSCta35595

Whenever ADE-OS is rebooted, the appliance is stuck on conntrack version.

Symptom: While rebooting, ACS suspends operations for four to five minutes.

Conditions: This error occurs when your ACS appliance is configured to run the log collector, and you have not defined the Domain Name System (DNS) or you have configured an incorrect DNS.

Workaround: None.

CSCta49062

HTTP is nonresponsive when ACS starts.

Symptom: When ACS starts up, the show application status acs command might display the management running (HTTP nonresponsive) status.

Conditions: This issue occurs when you start ACS. It also happens when you enter the acs start command and follow it up with the show application status acs command.

Workaround: Wait for ACS to start completely and then re-enter this command.

CSCta58436

After CLI replication, the user is logged out of the acs-config mode.

Symptom: When you use replication full sync from a secondary node in a distributed deployment, the acs-config session is closed with an error message.

Conditions: No special conditions.

Workaround: Wait for ACS to restart. You can use the show application status acs command. After ACS restarts, recreate the acs-config session.

CSCta62697

No prevention or warning message appears when you choose the backup or restore option while an upgrade is in progress.

Symptom: No prevention or warning message appears when you choose the backup or restore option while an upgrade is in progress.

Conditions: This issue occurs when you choose to back up or restore while an upgrade is in progress. This can cause the database to be corrupted.

Workaround: Do not begin a backup or restore operation while an upgrade is in progress.

CSCta68251

EGRESS Matrix Scalability— The Edit window is empty when there are 3000 Security Group Access Control Lists (SGACLs).

Symptom: Server error appears when you select the Egress Matrix page.

Conditions: Define 3000 security groups (SGs), where each SG holds 1000 SGACLs, and then open the matrix table (TrustSec).

Workaround: Define fewer SGs and SGACLs, or consider restructuring the SGs and SGACLs into different groupings.

CSCta75080

Microsoft Challenge Handshake Authentication Protocol (MSCHAP) authentication with UTF-8 SAM and NETBIOS does not work.

Symptom: MSCHAP authentication fails against AD when non-English characters are used in usernames.

Conditions: This error occurs when you attempt PEAP/EAP-MSCHAP or RADIUS/MSCHAP authentication against AD, and non-English characters are present in the username, and the username is in the SAM or NETBIOS format.

Workaround: You must perform authentication with the username in the UPN format.

CSCta84904

Authorization policy becomes deformed when the NDG has an ampersand (&) in its name or description.

Symptom: When you access the policy rule table, the page displays a deformed table and the customize button does not display any columns.

Conditions: This error occurs when you define an access service for an NDG with ampersand in its name or description. The access authorization policy in the defined access service is deformed (the create button is dimmed, the custom dialog box does not have any configuration, and so on).

Workaround: Do not configure an NDG with an ampersand in its name or description.

CSCta95615

The ACS web interface accepts creating an LDAP without entering all the mandatory fields.

Symptom: You can click Submit on the LDAP wizard without filling in all the mandatory fields.

Conditions: Choose Users and Identity Stores > External Identity Stores > LDAP. Click Create. Enter a valid name and click Next. Enter a valid hostname, IP address, and port and click Next. In the Directory Organization page, do not enter any values in the mandatory fields (Directory Structure, Subject Search Base, and Group Search Base). Click Finish.

Workaround: Fill in the Directory Structure, Subject Search Base, and Group Search Base fields.

CSCtb00427

EAP-MSCHAP or EAP-TLS host authentication fails with AD multiple forest environment.

Symptom: EAP-MSCHAP or EAP-TLS host authentication fails in a Microsoft AD multiple forest environment.

Conditions: When you attempt a PEAP/EAP-MSCHAP or EAP-FAST/EAP-MSCHAP or EAP-TLS host authentication against a Microsoft AD multiple forest environment, the host performs authentication with its service principal name (DNS). The host's DNS name is not aligned with the AD domain structure.

For example, a host with DNS name myhost.domainA.com is defined on the domainB.com Active Directory DC.

Workaround: Perform authentication with the host's NETBIOS name (for example, domainB\myhost$).

CSCtb00431

EAP-GTC with SPN in multiple forest does not work.

Symptom: EAP-GTC host authentication fails in a Microsoft AD multiple forest environment.

Conditions: When you attempt a PEAP/EAP-GTC or EAP-FAST/EAP-GTC host authentication against a Microsoft AD multiple forest environment, the host performs authentication with its service principal name (DNS name).

Workaround: Perform authentication with the host's NETBIOS name (for example, domain\hostname$).

CSCtb03182

ACS Monitoring and Report Viewer could take several minutes to run the ACS Instance Authentication Summary report, depending on the number of records in the database.

CSCtb05977

GUI framework—Broken listing page found when using the html tags.

Symptom: Listing pages are sometimes broken and have misaligned elements and fields.

Conditions: Go to any listing page. Click Create. Enter the required information. Click Submit. The listing page that appears is sometimes broken.

Workaround: None.

CSCtb18905

Logs are not complete if an administrator with a username that contains an ampersand (&) is edited.

Symptom: In the Monitoring and Reports Viewer, under Reports > Catalog > ACS Instance > ACS Configuration Audit, some fields, such as Administrator, Object Identifier, IP address, Modifications, and so on are empty.

Conditions: This issue occurs if the Administrator username contains an ampersand.

Workaround: Do not define a username with an ampersand.

CSCtb20586

A success message appears for acs backup and acs support CLI commands that have failed.

Symptom: Success message appears for acs backup and acs support commands that have failed. The command output includes both failure and success messages.

Conditions: No write permission is defined on a remote repository.

Workaround: Use a different repository or ensure that write permission is defined on the given repository.

CSCtb40466

There is no indication if two users try to change the password of an account at the same time.

Symptom: No error message appears when change password upon login fails.

Conditions: This error occurs when you access ACS from two browsers, and the administrator changes the password in one of the browsers and tries to log into the other browser with the old password.

Workaround: Work with a single browser per administrator login.

CSCtb49667

GUI page freezes after repeated errors.

Symptom: The Create or Edit Shell Profiles page under Policy Elements > Authorization and Permissions > Device Administration suspends operation.

Conditions: Go to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles and then click Create, or select a shell profile and click Edit. In the Common Tasks tab, for the Access Control List, choose Static and do not provide a value. Click Submit. An error similar to the following appears:

Value is required.

Select the Not in Use option for the Access Control List and then Static again. Click Submit. The page becomes inactive. You cannot move between the tabs or click Submit or Cancel.

Workaround: Enter the value in the Common Tasks tab before you click Submit.

CSCtb54190

ACS allows you to generate a self-signed certificate with XSS.

Symptom: The Local Certificates table is broken.

Conditions: XSS happens in the Certificate Authority page, and in a certificate where the subject is of the format <script>alert(`Hello')</script>.

Workaround: Do not use <> characters in the subject.

CSCtb62056

Error when trying to retrieve AD groups if AD configuration is cleared while groups are selected.

Symptom: An error appears when trying to retrieve AD groups if AD configuration is cleared while groups are selected.

Conditions: ACS is joined to AD. A policy is configured with AD as the identity store. From the Directory Groups tab, select a few groups and click Clear Configuration. An error message notifying you of references appears. Click OK and then try to retrieve the AD group.

Workaround: Remove AD and then define a new AD before you retrieve the AD group.

CSCtb66701

Login to secondary server takes a long time after the secondary server's status is updated.

Symptom: Login to secondary server takes a long time.

Conditions: This error occurs when you log in immediately after registration is complete and the secondary server's status is changed to UPDATED.

Workaround: Open a new browser and log in to the secondary server.

CSCtb70105

Removing Certificate Authority certificate from the ACS web interface produces null system error message in report.

Symptom: When you remove a CA certificate under Certificate Authority, ACS generates a null system error message in the report. The following message appears:

Encountered invalid or null system message.

Conditions: This issue occurs when you remove a CA certificate.

Workaround: None. Ignore this message.

CSCtb75010

Left column in the main page of ACS GUI is corrupted after some time.

Symptom: The left navigation panel becomes misaligned.

Conditions: Resizing the left navigation pane several times leads to a misaligned panel.

Workaround: Refresh the application.

CSCtb75556

When the connection is slow, group retrieval throws warning error.

Symptom: When connection is slow between ACS and AD, and AD group retrieval is requested, the browser throws a warning error.

Conditions: Connection is very slow between ACS and AD, and AD group retrieval is requested. The browser throws a warning error.

Workaround: Use a filter to query for the specific group. Only the relevant groups are returned, so much less data is exchanged with AD.

CSCtb82917

Removal of the ACS application shows the following error: *** glibc detected ***

Symptom: Removal of the ACS application shows the following message on the CLI:
*** glibc detected *** double free or corruption (out): 0x0807b428 ***

Conditions: This occurs inconsistently on entering the following command from the CLI:
application remove acs

Workaround: None.

CSCtb82970

With Internet Explorer 7, the software update page gets stuck if invalid text is entered.

Symptom: The Centralized Software Updates > Create page gets stuck when submitted.

Conditions: This error occurs if you use Internet Explorer 7 and do the following:

1. Navigate to System Administration > Operations > Centralized Software Updates > Create.

2. Select the Upload SW Update option.

3. Paste some text into the file uploader element.

Workaround: Use the Browse button to select a file instead of pasting the invalid text.

CSCtb95299

Cannot export more than one server certificate at a time.

Symptom: After exporting a certificate from the Local Certificate list, you cannot export another certificate.

Workaround: To export another server certificate:

1. Leave the Local Certificate page.

2. Return to the Local Certificate page.

3. Export a certificate.

CSCtb98071

Launching a shared report in the ACS 5.1 Monitoring and Report Viewer displays an iPortal error for a particular scenario.

Symptom: You will see the following iPortal error message when you launch a shared report:

iPortal generate report failed.

Conditions: This error occurs when you add a report to a group in the interactive viewer and save it as a shared report.

Workaround: Avoid using the option Add Group from the interactive viewer for hyperlinked column entries when you save the report as shared.

CSCtc02925

AD GUI page gets stuck when ACS tries to join AD.

Symptom: When you try to join ACS to AD, and DNS is configured incorrectly, the AD GUI page gets stuck for approximately 5 minutes.

Conditions: This happens when ACS is installed and the wrong DNS configuration is defined through the ADE-OS CLI.

Workaround: To avoid this issue, do the following:

1. Click Test Connection before joining AD to diagnose and indicate the DNS resolution error.

2. Fix the error.

3. Click Save Configuration to join ACS to AD.

CSCtc03004

When trying to join with two DNS servers, the connectivity status is disconnect.

Symptom: When ACS is configured with two DNS servers, ACS successfully joins the AD but the connectivity status is shown as disconnect.

Conditions: This error occurs when two DNS servers are configured, where the first is configured incorrectly and the second is configured correctly. After AD is configured, ACS successfully joins AD, but the connectivity status is shown as disconnect.

Workaround: Make sure that the DNS server is up and valid.

CSCtc09870

Groups are not listed from the LDAP page.

Symptom: If the Group Object class is set to the wrong object class in the LDAP configuration page and you click the Test Configuration button, the result shows Groups >100. This is incorrect.

Conditions: This error occurs when you set the wrong object class in the LDAP configuration page and click Test Configuration.

Workaround: If the object class is set incorrectly, the correct number of groups is 0. This is correctly displayed in the Directory Group tab.

CSCtc09973

CLI commands are missing after installing ACS 5.1 on the new ADE-OS machine.

Symptom: Not all ACS-related commands appear in CLI.

Conditions: The ACS CLI commands are missing after installing ACS 5.1 on the new ADE-OS machine, using the same login shell.

Workaround: Close the shell in which you installed ACS 5.1 and log in again. All commands appear in the new shell.

CSCtc14191

[AD agent] Authentication fails after UPN user name is edited in AD.

Symptom: Plain password authentication fails against the Windows Server AD.

Conditions: The authentication fails under the following conditions:

1. RADIUS/PAP or TACACS+ PAP/ASCII or EAP-GTC user authentication is attempted.

2. The authentication is attempted against Windows Server 2008 Active Directory.

3. The correct username and password are used during authentication.

4. The user login name has been changed without changing the user password.

Workaround: Change the user password.

CSCtc19231

Error message appears while creating ACS support bundle.

Symptom: While executing the following CLI command:

decrypt-support-bundle

the following error message appears:

gpg: can't open `/gnupg/options.skel': No such file or directory

Conditions: This message appears regardless of any condition.

Workaround: No workaround is needed, because the command completes successfully regardless of the error message.

CSCtc22063

ACS restore fails for large ACS database when using Windows File Transfer Protocol (FTP) server.

Symptom: When trying to restore the ACS configuration to a remote Windows FTP server, an ACS database error occurs, and ACS does not start properly.

Conditions: This error occurs in the following conditions:

1. Using Windows FTP server.

2. Backup scaled ACS configuration with more than 100,000 internal users.

3. ACS backup file size is larger than 4 GB.

4. Windows FTP server does not show the real size of the backup (tar.gpg) file.

Workaround: Choose either of the following two options:

Use a Linux FTP server.

If you use a Windows FTP server:

Ensure that you use a known user rather than an anonymous user.

Ensure that Windows shows the real physical size of the file. If the size is different, the restore will fail.

CSCtc24654

Expired users (Password Aging Rules) enabled after import.

Symptom: Users whose accounts expired in ACS 4.x are enabled in ACS 5.1 after migration.

Conditions: Users whose accounts have expired due to Password Aging Rules in ACS 4.x are enabled in ACS 5.1 after migration.

Workaround: Manually disable these users after migrating to ACS 5.1, or before migration in ACS 4.x.

CSCtc27869

Users are not imported if enable password is fewer than four characters.

Symptom: Users from ACS 4.x who have an enable password of less than four characters are not migrated.

Conditions: Internal users in ACS 4.x who have enable password of fewer than four characters are not migrated, and this is reported in the import report.

Workaround: Update the enable password and rerun the migration for such users.

CSCtc28096

ACS GUI page is not accessible; HTTP is not responsive.

Symptom: The ACS web interface is not accessible after the system has been in a stale connection for a while.

Conditions: ACS is in a stale mode for a long period.

Workaround: Restart ACS if it has not recovered after a short while.

CSCtc29082

Using an existing hostname in the deployment should display a warning.

Symptom: Deployment stops working correctly if the primary hostname is changed to be the same as the secondary hostname. The secondary with the same hostname stops working, while the primary does not show the real changed name.

Conditions: The primary hostname is changed by the ACS administrator to be the same as the secondary hostname.

Workaround: Rename the primary hostname to the former name, and then give it a new name that does not already exist in the deployment and, preferably, does not duplicate entries in the DNS server.

CSCtc34937

If ACS is not restarted after changing the DNS, ACS still works on the old DNS.

Symptom: When ACS is not restarted after changing the DNS, the ACS agent may still validate the old DNS name, and the authentication passes.

Conditions: This error occurs when ACS is not restarted after changing the DNS. The ACS agent may still validate the old DNS name, and the authentication passes.

Workaround: Restart ACS after changing the DNS.

CSCtc39922

Migration of 300,000 users takes more than 11 hours.

Symptom: The migration takes more than 11 hours.

Conditions: When the ACS 4.x database is large (300,000 users, 50,000 MABs, 45,000 devices), it takes about 11 hours to complete the import to ACS 5.1.

Workaround: Run migration on a standalone ACS 5.1 server using groups, migration of all users, migration of all devices, and so on.

CSCtc40582

If NFS staging URL is used, backup or restore job copies a set of files to the NFS staging location.

Symptom: ACS, Monitoring and Report Viewer, and ADE-OS-related files are available at the NFS staging location.

Conditions: This issue occurs if you use an NFS staging URL for a backup or restore job.

Workaround: Do not use an NFS staging URL for backup or restore jobs.

CSCtc41730

ACS resets SYN packets if Maximum Segment Size (MSS) is not set.

Symptom: TACACS+ authentication attempts from some devices fail with no response from ACS. Packet capture shows TCP reset being sent immediately by ACS.

Conditions: This issue occurs if the TCP SYN packet does not have the MSS option set.

Workaround: Configure the device to include the MSS option in the SYN packet.

CSCtc47793

During import process, ACS displays the NullPointerException and generates no audit messages.

Symptom: The import process completes and the relevant objects get added or updated to the database, but no audit messages are generated.

Conditions: This problem occurs when two attributes with the same name belonging to different dictionaries are in the database. For example, if you define an attribute called Description in both the user and host dictionaries.

Workaround: None.

CSCtc48245

Unable to open the second calendar when two date attributes are selected.

Symptom: When two date conditions are defined in the rule table and both are selected for configuration, the rule edit dialog box does not show the second date panel until the first date condition is activated.

Conditions: This error occurs under the following conditions:

1. Two date conditions are defined and visible in the rule table as part of the rule itself.

2. You have selected to create, edit, or duplicate a rule.

3. You have tried to display the date panel of the second condition while the first date condition is not selected.

Workaround: Do the following, in this order:

1. Select the first date condition.

2. Select and configure the second date condition.

3. Remove the activation of the first date condition.

CSCtc49185

Socket error in migration.log when you import 300,000 users.

Symptom: The migration log includes exceptions.

Conditions: When you migrate a large database of about 300,000 users, 50,000 MABs, 45,000 devices, and so on, you might encounter some connection errors with the ACS 5.1 server. These problems are exposed as SSL and connection timeout exceptions in the migration logs.

Workaround: Run the migration in groups and not all objects at once. For example, first run for users, then devices, and so on.

It is recommended to run the migration against the primary server, which is a standalone server and has no secondary connected to it.

CSCtc60425

Primary secondary MGMT GAP after migration.

Symptom: Migration from ACS 4.x is complete; however, secondary ACS appliances are in pending state.

Conditions: This issue occurs in a distributed deployment where there are more than three secondary servers that consist of CSACS-1120 and CSACS-1121. This happens when there are a large number of user, device, and MAB objects. Tested on 300000 users and 50000 devices.

Workaround: This happens because the secondary servers are processing the data while the primary server has completed data processing. Allow the secondary servers to continue processing the data and monitor their statuses from the primary distributed status page. If a secondary server's status moves to updated, it indicates that this secondary server has completed the processing. This activity might take an additional 2 to 5 hours depending on the size of your deployment.

CSCtc75332

Full binary comparison is performed in EAP-TLS at the time of session resume.

Symptom: ACS performs full binary comparison against LDAP at the time of session resume instead of performing only user lookup.

Conditions: This issue occurs when you use the EAP-TLS protocol, configure LDAP identity store for the service, and the client performs a successful TLS session resume.

Workaround: None.

CSCtc75375

No reports are available in Favorites list after upgrading with a specific database.

Symptom: Favorite reports do not appear in the ACS web interface.

Conditions: After you upgrade from ACS 5.0 to ACS 5.1, the favorite reports might not appear in the ACS web interface.

Workaround: Choose the Reset Reports option from any of the Catalog Reports to view your favorite reports again.

CSCtc78971

Proactive PAC update does not correctly generate PAC v1.

Symptom: Proactive PAC update sends an invalid Tunnel PAC to the client.

Conditions: This issue occurs if ACS receives a Tunnel PAC v1 that will expire soon (and therefore requires a proactive PAC update), and an Authorization PAC is received along with this Tunnel PAC v1.

Workaround: When invalid PAC is provided to the client, the client tries to authenticate it and ACS falls back to provisioning. If the client supports provisioning, a new PAC will be provided to the client. If not, the client might force start provisioning (on some clients, you must start provisioning manually).

CSCtc79113

UTF-8 for alarm syslog target displays an error for providing name in Japanese.

Symptom: The Monitoring & Reporting Viewer web interface displays an error when UTF-8 characters are used.

Conditions: This issue appears only when you use UTF-8 characters.

Workaround: None.

CSCtc79155

Promotion during import should be blocked.

Symptom: Replication stops between nodes in a deployment, and you cannot log in to the newly promoted secondary server.

Conditions: Start an import process of users, hosts, or devices. While the import is in progress, promote one of the secondary servers in your deployment to be the primary server. This issue will most likely occur in a long import process where you have a large number of objects.

Workaround: In general, promoting a server in a deployment should not be done while there are ongoing configuration activities. Specifically, you can determine if an import process is in progress using the following command from the ACS CLI:

import-export-status-all

If this issue occurs, promote the original server to be the primary server again in the deployment. Perform full replication for the secondary server that had been promoted earlier when the problem occurred.

CSCtc81452

RT core file created for large scale configuration after installing ADE-OS 1.2 patch.

Symptom: RT core file is created in /opt/CSCOacs/runtime directory after you install the ADE-OS upgrade patch 5-0-0-21-adeos-1_2_upgrade.tar.gpg and restart ACS.

Conditions: This issue occurs if you have ACS version 5.0.0.21, you have applied the following patches, and there is a large scale configuration:

ACS patch 5.0.0.21.9

ADE-OS patch 5.0.0.21.ADEOS_UPGRADE

Workaround: ACS Watchdog restarts RT daemon automatically. ACS functionality is not affected.

CSCtc81695

Permission not granted properly for administrators.

Symptom: Security administrators have read-only permission for the administrator access setting pages. Policy administrators do not have permission to add or delete LDAP databases. The administrator roles User, ChangeUserPassword, ChangeAdminPassword, and other roles that grant the privilege to change user passwords and administrator passwords have only read-only access permission for the administrator access setting pages.

Workaround: Use other administrator roles that have the privileges to configure administrator access settings.

CSCtc81704

Internet Explorer (IE) 6: Unable to create network conditions as policy admin.

Symptom: Cannot create network conditions in the ACS web interface.

Conditions: This issue occurs when you use IE 6 to configure a network condition.

Workaround: Use IE 7 or Firefox version 3.

CSCtc81929

Import and export processes are not functioning with IE 6 as expected.

Symptom: Cannot see the progress of import or export from the ACS web interface.

Conditions: This issue occurs when you use IE 6 for import and export operations through the ACS web interface.

Workaround: Even though the progress is not displayed in the ACS web interface, the import and export processes work. We recommend that you use Firefox version 3.

CSCtc84751

ACS 5.1 has an issue with incremental backup across multiple repositories.

Symptom: ACS does not display the recent incremental backups to restore in the Restore page under Monitoring Configuration > System Operations > Data Management.

Conditions: This error occurs when you use one repository for a full backup and a different one for the subsequent incremental backups.

Workaround: If you generate a full backup on one repository, you must continue to generate all the subsequent incremental backups on the same repository.

You can create a new full backup with incremental backups on a different repository, so long as all backups exist on the same repository.

CSCtc87079

Top N SGT Assignment report displays an error message for custom time range.

Symptom: Top N SGT Assignment report displays an error message for custom time range.

Conditions: This issue occurs only if you run the report for a custom time range.

Workaround: Use the predefined time ranges when you run this report. Do not choose the Query and Run option.

CSCtc89566

Authentication using alternative UPN suffix fails in AD multiforest.

Symptom: ACS does not support user authentication in AD when a username is supplied with an alternative UPN suffix configured in multiforest.

Conditions: This issue occurs when you:

1. Configure a trust between two AD domains. For example, oceania.acs.com and amer.acs.com.

2. Configure an alternative UPN suffix in one domain. For example, alternative.com in australia.oceania.acs.com.

3. Create a user with alternative suffix in the domain. For example, upn-test@alternative.com.

4. Configure ACS to join another domain. For example, rio.brazil.south.amer.acs.com.

5. Perform an authentication with the user given alternative UPN suffix. For example, upn-test@alternative.com.

This authentication fails.

Workaround: Configure ACS to join the forest or domain where an alternative UPN suffix is configured. Install different ACS instances to join different AD forests.

CSCtc90954

Support bundle download URL contains hostname only.

Symptom: When you choose to download the support bundle on ACS, the browser is referred to a URL that contains only the hostname instead of the fully qualified domain name. When SSL certificates are in use for the web interface, the browser displays a warning that the certificate subject name does not match the hostname in the URL.

Conditions: This issue occurs in ACS 5.0 and ACS 5.1.

Workaround: Choose to proceed past the warning that is displayed in the web interface.

CSCtd00477

Cannot retrieve AD groups if the forest's name is composed of a single word.

Symptom: Cannot retrieve AD groups from the AD group retrieval page.

Conditions: This issue occurs if the global catalog is located in the top domain. For example, if the domain is x.y and the global catalog is located in y, then this issue occurs.

Workaround: Add the AD groups manually instead of selecting them from the retrieval list.

CSCtd06227

SafeWord: No lookup with caching using special format.

Symptom: In SafeWord, fast reconnect in PEAP-GTC/stateless session resume in EAP-FAST-GTC fails for users with username in special format (username, password).

Conditions: This issue occurs in SafeWord user authentication when the username is in special format (username, password) and caching is enabled for SafeWord identity store (stores only the username and not the password), and this is followed by a fast reconnect in PEAP-GTC/stateless session resume in EAP-FAST-GTC with username in special format (username, password).

Workaround: None.

CSCtd06290

System failure error when submitting Change Password request with the enum attribute.

Symptom: Cannot perform change password operations for an internal user from the user's record. When such operations are performed, a system error appears.

Conditions: This issue occurs when an internal user has an enumerated identity attribute defined.

Workaround: None.

CSCtd07787

PEAP—Misleading EAP session timeout error message with identity sequence.

Symptom: Misleading error message for EAP session timeout.

Conditions: This issue occurs when you:

1. Configure an identity sequence in the following order: AD1, Internal User, and LDAP (password based).

2. Use this identity sequence as the identity source.

3. Configure session resume (timeout 180) and authenticate against an internal user.

4. Wait for session timeout. The following EAP session timeout message appears in the RADIUS Authentication report:

24008 User not found in LDAP Server

Workaround: Drill down to the details in this report to find the EAP session timeout message.

CSCtd09816

Sometimes onActivate is not called for notification extensions.

Symptom: EAP certificate updates are not applied correctly sometimes, especially when authentications happen concurrently.

Conditions: An EAP certificate update is not applied to ACS Runtime.

Workaround: Resubmit the certificate for update through the ACS web interface.

CSCtd10767

Syslog data loss during upgrade.

Symptom: When you perform an upgrade, it might take some time to upgrade the Monitoring and Report Viewer database. While this upgrade is in progress, ACS continues to receive syslog messages. However, the syslog data that is collected during upgrade might not be available in the database after upgrade.

Conditions: This problem occurs when you run the upgrade process.

Workaround: After upgrade is complete, before you click the Switch Database button, you must take a manual backup of the database. Apply the ACS 5.1.0.44.1 upgrade patch.

Following scenarios are tested:

Scenario 1

1. Back up the ACS View 5.0 database. If the ACS View database size is more than or equal to 100 GB, you need to run the backup and configure the destination repository as an external FTP, TFTP or NFS server.

2. Reimage the appliance with ACS 5.1.

3. Download the patch from the following download location and install it on your system: http://www.cisco.com/public/sw-center/index.shtml

Refer to Applying Upgrade Patches for instructions on how to apply the patch to your system.

4. Restore ACS View 5.0 database—Database upgrade happens automatically. If the ACS View database size is more than or equal to 100 GB, you need to run the backup and configure the destination repository as the external FTP, TFTP or NFS server.

5. Wait for the upgrade to complete. After the upgrade is complete the following message is displayed on the ACS View GUI:

Click the Switch Database button below to activate the converted database. You may need to scroll down to make it visible.

The ACS processes will restart in order to switch the database. It will be necessary to log back in after the restart has completed.

6. Click Switch Database.

Data from the temporary database is restored to the main database.

Expected results:

Upgrade takes less than 36 hours.

There is no significant data loss.

Scenario 2

1. Upgrade from ACS 5.0 to ACS 5.1.

2. Wait for the upgrade to complete. After the upgrade is complete the following message is displayed on the ACS View GUI:

Click the Switch Database button below to activate the converted database. You may need to scroll down to make it visible.

The ACS processes will restart in order to switch the database. It will be necessary to log back in after the restart has completed.


3. Download the patch from the following download location and install it on your system: http://www.cisco.com/public/sw-center/index.shtml

Refer to Applying Upgrade Patches for instructions on how to apply the patch to your system.

4. After the patch is installed, click Switch Database.

Data from the temporary database is restored to the main database.

Expected result:

There is no significant data loss.

Scenario 3

1. Upgrade from ACS 5.0 to ACS 5.1.

2. Wait for the upgrade to complete. After the upgrade is complete the following message is displayed on the screen:

Click the Switch Database button below to activate the converted database. You may need to scroll down to make it visible.

The ACS processes will restart in order to switch the database. It will be necessary to log back in after the restart has completed.

3. Back up the ACS View database (ACS backup).

4. After you back up the ACS View database, click Switch Database.

5. Download the patch from the following download location and install it on your system: http://www.cisco.com/public/sw-center/index.shtml

Refer to Applying Upgrade Patches for instructions on how to apply the patch to your system.

6. Go to the Monitoring Configuration > System Operations > Data Upgrade Status page and specify the location of the previous backup (a restart is required).

The backup is downloaded and the data from the backup file is restored to the main database.

Expected result:

Data that is collected during the upgrade process is restored without significant data loss.

For further links to information on the upgrade process, see Upgrading to ACS 5.1.

CSCtd14560

GUI session is logged out when launching the Monitoring & Report Viewer.

Symptom: GUI session logs out when you launch the Monitoring and Report Viewer.

Conditions: This issue occurs when you log in to ACS after a session timeout and immediately launch the Monitoring & Report Viewer; you must then log in to ACS again.

Workaround: None.

CSCtd16392

ACS uses AD agent user's group caching during authorization.

Symptom: When authenticating against AD, the user might be treated as a member of a group to which the user no longer belongs, which can affect policy and rule conditions.

Conditions: If a user is removed from certain groups on the AD server, and that user has authenticated through ACS against AD within the past 30 minutes, the changes made on the AD server are not reflected in the cache.

Workaround: Wait 30 minutes for the cache to refresh, or install the root patch and clear the cache with the help of support.
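The stale-authorization window this caveat describes, modelled as an added Python example (not ACS code): a per-user group cache with the 30-minute lifetime quoted above, a policy rule evaluated against the cached groups, and the "clear cache" workaround. The user name, group names and directory contents are constructed for illustration.

```python
"""Model of the group-membership caching behaviour described in CSCtd16392."""
import copy
from dataclasses import dataclass, field

# The 30-minute window quoted in the release note (constructed constant).
CACHE_TTL_SECONDS = 30 * 60


@dataclass
class GroupCache:
    """Per-user cache of directory groups, keyed by user name."""
    ttl: int = CACHE_TTL_SECONDS
    entries: dict = field(default_factory=dict)  # user -> (groups, cached_at)

    def lookup(self, user, directory, now):
        """Return the user's groups, reading `directory` only when the cached
        entry is missing or older than `ttl` seconds."""
        entry = self.entries.get(user)
        if entry is not None and now - entry[1] < self.ttl:
            return entry[0]
        groups = frozenset(directory.get(user, ()))
        self.entries[user] = (groups, now)
        return groups

    def clear(self, user=None):
        """The 'clear cache' workaround: drop one entry (or all of them) so the
        next lookup reads the directory again."""
        if user is None:
            self.entries.clear()
        else:
            self.entries.pop(user, None)


def authorize(cache, directory, user, required_group, now):
    """Simplified policy rule: permit only if the (cached) group set contains
    `required_group`. Returns "permit" or "deny"."""
    groups = cache.lookup(user, directory, now)
    return "permit" if required_group in groups else "deny"


def stale_window(cache, directory, user, required_group, removed_at, step=60):
    """Seconds after the directory-side removal during which the cached groups
    still produce a permit. Probes a copy so the real cache is left untouched."""
    probe = copy.deepcopy(cache)
    t = removed_at
    while authorize(probe, directory, user, required_group, t) == "permit":
        t += step
    return t - removed_at


def demo():
    """Walk through the scenario in the release note on constructed data."""
    # Constructed directory state: alice starts out in NetAdmins.
    directory = {"alice": {"NetAdmins", "Users"}}
    cache = GroupCache()
    first = authorize(cache, directory, "alice", "NetAdmins", now=0)  # fills cache
    # Five minutes later alice is removed from NetAdmins on the AD side.
    directory["alice"] = {"Users"}
    removed_at = 5 * 60
    still_permitted = authorize(cache, directory, "alice", "NetAdmins", removed_at)
    window = stale_window(cache, directory, "alice", "NetAdmins", removed_at)
    # Apply the workaround: clearing the entry makes the next request re-read AD.
    cache.clear("alice")
    after_clear = authorize(cache, directory, "alice", "NetAdmins", removed_at)
    return first, still_permitted, window, after_clear


if __name__ == "__main__":
    print(demo())  # ('permit', 'permit', 1500, 'deny')
```

The 1500-second result is the remainder of the 30-minute lifetime after a removal five minutes into it; a removal made just after an authentication leaves the full window open.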

CSCtd16825

CLI "copy" command is broken when working with "disk."

Symptom: The CLI command, copy disk: fails.

Conditions: This issue occurs when the CLI copy command contains the full path along with the filename. For example, copy file:/opt/SCSO/logs/acsRuntime.log ftp://a.b.c.d

Workaround: Use the command with the relative path instead of the full path.

CSCtd16850

Dropped reports do not appear in the Monitoring & Report Viewer when AD is disconnected.

Symptom: Dropped reports do not appear in the Monitoring & Report Viewer when AD is disconnected.

Conditions: This issue occurs when authenticating against an AD that is disconnected.

Workaround: None.

CSCtd24949

TACACS+ authorization failure when authen_type is 0.

Symptom: When you log in to a switch using Network Assistant, authentication succeeds but authorization fails with the following error:

13011 Invalid TACACS+ request packet - possibly mismatched Shared Secrets

Conditions: This issue occurs when you use Network Assistant on a switch.

Workaround: Use SSH or Telnet to access the switch.

CSCtd24978

UCP—When primary server is down, the secondary server will not update the primary server.

Symptom: Changes to an internal user password do not take effect on all servers in the deployment; they take effect only on the secondary server that processed the change.

Conditions: This issue occurs if you change an internal user password while the primary server is down.

Workaround: Do not change internal user passwords while the primary server is down. If you encounter this issue, manually change the password through the ACS web interface on the primary server.

CSCtd83913

After or during upgrading from ACS 5.0 to 5.1, SSH stops working if closed or disconnected.

Symptom: Cannot open SSH session after upgrading from ACS 5.0 to ACS 5.1.

Conditions: This issue occurs after you upgrade from ACS 5.0 to ACS 5.1 and restore the ACS 5.0 database. If the SSH connection is lost or times out, you cannot open another SSH session.

Workaround: Reboot the ACS appliance.

CSCtd52207

The Monitoring and Report Viewer does not send Alarms or e-mails when working in distribution mode.

Symptom: When working in distribution mode, Monitoring and Report Viewer does not send Alarms or e-mails.

Conditions: The Monitoring and Report Viewer does not send e-mails even when a rule exists to monitor the ACS process status on the primary ACS server and the log collector is on a secondary server.

Workaround: Monitor alerts from the Monitoring and Report Viewer GUI page.

CSCtd48969

Scheduled View database backup to local disk is not working.

Symptom: Scheduled Monitoring and Report Viewer database backup to local-disk is not working.

Conditions: Scheduled Monitoring and Report Viewer database backup to local-disk is not working even after submitting and successfully saving the settings.

Workaround: None.

CSCtd51443

Thresholds do not present Identity Store Sequences database.

Symptom: Thresholds do not show the Identity Store Sequences database.

Conditions: The issue occurs when:

1. You go to Monitoring and Reports Viewer.

2. Select Thresholds.

Identity Store Sequences data is not present in the list.

Workaround: None.

CSCte20853

View Troubleshooting traceroute does not show traceroute information.

Symptom: The Monitoring and Report Viewer traceroute does not show traceroute information.

Conditions: The issue occurs when:

1. You go to Monitoring and Report Viewer > Troubleshooting > Connectivity Tests.

2. Enter the IP address of a device and run traceroute.

The traceroute information is not displayed.

Workaround: Traceroute the device from the ACS CLI.

CSCte20871

View Troubleshooting ping device by DNS hostname does not work.

Symptom: Pinging device by DNS hostname is not working.

Conditions: The issue occurs when:

1. You go to Monitoring and Report Viewer > Troubleshooting > Connectivity Tests.

2. Enter the DNS host name of the device and run ping.

There is no response, even though the device and ACS use the same DNS.

Workaround: Ping the device from the ACS CLI.

CSCtd14560

GUI session is logged out when launching monitoring.

Symptom: When you launch the Monitoring and Report Viewer, the GUI session gets logged off.

Conditions: This issue occurs when you log in to the ACS server after a session timeout and immediately launch the Monitoring & Report Viewer.

Workaround: To overcome this issue:

1. Go to System Administration > Settings > Session > Session Idle Timeout.

2. Set the session timeout to a large number (in minutes).

CSCtd39360

Changing Identity from AD to Identity with wildcard, "System Failure" occurs.

Symptom: When trying to change Policy Identity Store to Identity Sequences, the following error appears:

This System Failure occurred: {0}. Your changes have not been saved. Click OK to return to the list page.

Conditions: This issue occurs when using Identity Sequences with wildcard.

Workaround: Create Identity Sequences without wildcard characters (such as & % , . ! + -).

CSCtj81255

Two MAC addresses detected on the neighboring switch of an ACS 1121 Appliance.

Symptom: Two MAC addresses are detected on the switch interface connected to an ACS 1121 Appliance, although only one interface (eth 0) is connected on the ACS 1121 server.

Conditions: Only one Ethernet interface, eth 0, is connected between ACS and the switch.

Workaround: Disable the BMC (Baseboard Management Controller) feature in the BIOS setup.


Caution To help prevent a potential network security threat, Cisco strongly recommends physically disconnecting from the Cisco ISE console management port when you are not using it. For more details, see http://seclists.org/fulldisclosure/2011/Apr/55, which applies to the Cisco ISE, Cisco NAC Appliance, and Cisco Secure ACS hardware platforms.

CSCua99537

The Network Time Protocol daemon (NTPD) running on ACS sometimes does not synchronize its clock with the Windows Time service.

Symptom: When an AD domain is used as the NTP server, the clock on ACS and AD does not synchronize with the Windows Time service.

Conditions: This problem occurs most often when ACS or AD is running as a virtual machine.

Workaround: None.


Documentation Updates

Table 12 lists the updates to Release Notes for the Cisco Secure Access Control System 5.1.

Table 12 Updates to Release Notes for the Cisco Secure Access Control System 5.1

| Date | Description |
|---|---|
| 08/24/2012 | Added known issue CSCua99537 to the Known ACS Issues section, and noted that multiple NICs are not supported in the Features Not Supported section. |
| 06/08/2011 | Added caveat CSCtj81255 to the "Known ACS Issues" section. |
| 04/25/2011 | Added the "Resolved Issues in Cumulative Patch ACS 5.1.0.44.6" section. |
| 01/27/2011 | Updated the "Features Not Supported" section. |
| 01/12/2011 | Added the "Resolved Issues in Cumulative Patch ACS 5.1.0.44.5" section. |
| 09/20/2010 | Added the "Resolved Issues in Cumulative Patch ACS 5.1.0.44.4" section. |
| 08/24/2010 | Updated the Features Not Supported and Monitoring and Troubleshooting Enhancements sections. |
| 06/08/2010 | Added the "Resolved Issues in Cumulative Patch ACS 5.1.0.44.3" section. |
| 05/21/2010 | Added CSCtd83913, CSCtd52207, CSCtd48969, CSCtd51443, CSCte20853, CSCte20871, CSCtd14560, and CSCtd39360 to the list of Known ACS Issues. |
| 04/12/2010 | Added the "Applying Upgrade Patches", "Resolved Issues in Cumulative Patch ACS 5.1.0.44.1", and "Resolved Issues in Cumulative Patch ACS 5.1.0.44.2" sections. Updated the "Upgrading to ACS 5.1" section. Updated the description of bug CSCtd10767. |
| 02/22/2010 | Added a note stating that no TAC support is available for modified Python scripts in the "Other Feature Enhancements" section. |
| 12/02/09 | Added CSCtd09816, CSCtd16825, and CSCtd16850 to the list of Known ACS Issues. |
| 11/30/09 | Added Configuring NADs to Send Syslog Messages to the list of Monitoring & Report Viewer feature enhancements. |
| 11/26/09 | Added the following to the list of Known ACS Issues: CSCtd14560, CSCtd00477, CSCtc81929, CSCtc81704, CSCtc81695, CSCtc60425, CSCtc41730, CSCtb00431, CSCtd24978, CSCtd06290, CSCtc79155, CSCtd24949, CSCtd06227, CSCtc78971, CSCtc75332, CSCtc75375, CSCtc79113, CSCtc87079, CSCtc90954, CSCtd07787, and CSCtc81452. |
| 11/11/2009 | Cisco Secure Access Control System Release 5.1. |


Product Documentation

Table 13 describes the product documentation that is available for ACS 5.1 on Cisco.com. To find end-user documentation for all products on Cisco.com, go to:

http://www.cisco.com/go/techdocs

Table 13 Product Documentation

| Document Title | Available Formats |
|---|---|
| License and Documentation Guide for the Cisco Secure Access Control System, Release 5.1 | http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/license_doc/guide/acs_51_lic_doc_gd.html |
| Regulatory Compliance and Safety Information for Cisco 1121 Secure Access Control System 5.1 and Cisco NAC Appliance 4.7 | http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/regulatory/compliance/csacsrcsi.html |
| User Guide for the Cisco Secure Access Control System 5.1 | http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/acsuserguide.html |
| Installation and Upgrade Guide for the Cisco 1121 Secure Access Control System 5.1 | http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/acs5_1_install_guide.html |
| Migration Guide for the Cisco Secure Access Control System 5.1 | http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/migration/guide/Migration_Book.html |
| CLI Reference Guide for the Cisco Secure Access Control System 5.1 | http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/acs5_1_cli.html |
| Supported and Interoperable Devices and Software Tables for the Cisco Secure Access Control System 5.1 | http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/device_support/sdt51.html |
| Release Notes for the Cisco Secure Access Control System 5.1 | http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/release/notes/acs_51_rn.html |


Notices

The following notices pertain to this software license.

OpenSSL/Open SSL Project

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

This product includes software written by Tim Hudson (tjh@cryptsoft.com).

License Issues

The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.

OpenSSL License:

Copyright © 1998-2007 The OpenSSL Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)".

4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.

5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment:

"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)".

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

Original SSLeay License:

Copyright © 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).

The implementation was written so as to conform with Netscapes SSL.

This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).

Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgement:

"This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)".

The word `cryptographic' can be left out if the routines from the library being used are not cryptography-related.

4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)".

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].

Supplemental License Agreement

END USER LICENSE AGREEMENT SUPPLEMENT FOR CISCO SYSTEMS ACCESS CONTROL SYSTEM SOFTWARE:

IMPORTANT: READ CAREFULLY

This End User License Agreement Supplement ("Supplement") contains additional terms and conditions for the Software Product licensed under the End User License Agreement ("EULA") between you and Cisco (collectively, the "Agreement"). Capitalized terms used in this Supplement but not defined will have the meanings assigned to them in the EULA. To the extent that there is a conflict between the terms and conditions of the EULA and this Supplement, the terms and conditions of this Supplement will take precedence.

In addition to the limitations set forth in the EULA on your access and use of the Software, you agree to comply at all times with the terms and conditions provided in this Supplement. DOWNLOADING, INSTALLING, OR USING THE SOFTWARE CONSTITUTES ACCEPTANCE OF THE AGREEMENT, AND YOU ARE BINDING YOURSELF AND THE BUSINESS ENTITY THAT YOU REPRESENT (COLLECTIVELY, "CUSTOMER") TO THE AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THE AGREEMENT, THEN CISCO IS UNWILLING TO LICENSE THE SOFTWARE TO YOU AND (A) YOU MAY NOT DOWNLOAD, INSTALL OR USE THE SOFTWARE, AND (B) YOU MAY RETURN THE SOFTWARE (INCLUDING ANY UNOPENED CD PACKAGE AND ANY WRITTEN MATERIALS) FOR A FULL REFUND, OR, IF THE SOFTWARE AND WRITTEN MATERIALS ARE SUPPLIED AS PART OF ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE PRODUCT FOR A FULL REFUND. YOUR RIGHT TO RETURN AND REFUND EXPIRES 30 DAYS AFTER PURCHASE FROM CISCO OR AN AUTHORIZED CISCO RESELLER, AND APPLIES ONLY IF YOU ARE THE ORIGINAL END USER PURCHASER.

1. Product Names

For purposes of this Supplement, the Product name(s) and the Product description(s) you may order as part of Access Control System Software are:

A. Advanced Reporting and Troubleshooting License

Enables custom reporting, alerting and other monitoring and troubleshooting features.

B. Large Deployment License

Allows deployment to support more than 500 network devices (AAA clients that are counted by configured IP addresses). That is, the Large Deployment license enables the ACS deployment to support an unlimited number of network devices in the enterprise.

C. Advanced Access License (not available for Access Control System Software 5.0, will be released with a future Access Control System Software release)

Enables TrustSec policy control functionality and other advanced access features.

2. ADDITIONAL LICENSE RESTRICTIONS

Installation and Use. The Cisco Secure Access Control System (ACS) Software component of the Cisco 1121 Hardware Platform is preinstalled. CDs containing tools to restore this Software to the 1121 hardware are provided to Customer for reinstallation purposes only. Customer may only run the supported Cisco Secure Access Control System Software Products on the Cisco 1121 Hardware Platform designed for its use. No unsupported Software product or component may be installed on the Cisco 1121 Hardware Platform.

Software Upgrades, Major and Minor Releases. Cisco may provide Cisco Secure Access Control System Software upgrades for the 1121 Hardware Platform as Major Upgrades or Minor Upgrades. If the Software Major Upgrades or Minor Upgrades can be purchased through Cisco or a recognized partner or reseller, the Customer should purchase one Major Upgrade or Minor Upgrade for each Cisco 1121 Hardware Platform. If the Customer is eligible to receive the Software release through a Cisco extended service program, the Customer should request to receive only one Software upgrade or new version release per valid service contract.

Reproduction and Distribution. Customer may not reproduce nor distribute software.

3. DEFINITIONS

Major Upgrade means a release of Software that provides additional software functions. Cisco designates Major Upgrades as a change in the ones digit of the Software version number [(x).x.x].

Minor Upgrade means an incremental release of Software that provides maintenance fixes and additional software functions. Cisco designates Minor Upgrades as a change in the tenths digit of the Software version number [x.(x).x].

4. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS

Please refer to the Cisco Systems, Inc., End User License Agreement.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.