Guest

Cisco Secure Access Control System

Release Notes for the Cisco Secure Access Control System 5.2

  • Viewing Options

  • PDF (511.6 KB)
  • Feedback
Release Notes for the Cisco Secure Access Control System 5.2

Table Of Contents

Release Notes for the Cisco Secure Access Control System 5.2

Introduction

New and Changed Features

Cryptographic Module

Support RADIUS KeyWrap

Machine Key Zeroization

SHA-2

CoA Port

SFTP Copy

Features Not Supported

Known Limitations in ACS 5.2

Installation and Upgrade Notes

Installing, Setting up and Configuring CSACS 1121

Running the Setup Program

Licensing in ACS 5.2

Types of Licenses

Auto-Installation of Evaluation License

Upgrading an ACS Server from 5.0 to 5.2

Applying Upgrade Patches

Resolved ACS Issues

Resolved Issues in Cumulative Patch ACS 5.2.0.26.1

Resolved Issues in Cumulative Patch ACS 5.2.0.26.2

Resolved Issues in Cumulative Patch ACS 5.2.0.26.3

Resolved Issues in Cumulative Patch ACS 5.2.0.26.4

Resolved Issues in Cumulative Patch ACS 5.2.0.26.5

Resolved Issues in Cumulative Patch ACS 5.2.0.26.6

Resolved Issues in Cumulative Patch ACS 5.2.0.26.7

Resolved Issues in Cumulative Patch ACS 5.2.0.26.8

Resolved Issues in Cumulative Patch ACS 5.2.0.26.9

Resolved Issues in Cumulative Patch ACS 5.2.0.26.10

Resolved Issues in Cumulative Patch ACS 5.2.0.26.11

Known ACS Issues

Documentation Updates

Product Documentation

Notices

OpenSSL/Open SSL Project

License Issues

Supplemental License Agreement

Obtaining Documentation and Submitting a Service Request


Release Notes for the Cisco Secure Access Control System 5.2


Revised: J uly 18, 2013 O L-21576-01

These release notes pertain to the Cisco Secure Access Control System (ACS), release 5.2, hereafter referred to as ACS 5.2. These release notes provide information on the features, related documentation, resolved issues, and known issues for functionality in this release.

This document contains:

Introduction

New and Changed Features

SFTP Copy

Features Not Supported

Known Limitations in ACS 5.2

Installation and Upgrade Notes

Resolved ACS Issues

Resolved Issues in Cumulative Patch ACS 5.2.0.26.1

Resolved Issues in Cumulative Patch ACS 5.2.0.26.2

Resolved Issues in Cumulative Patch ACS 5.2.0.26.3

Resolved Issues in Cumulative Patch ACS 5.2.0.26.4

Resolved Issues in Cumulative Patch ACS 5.2.0.26.5

Resolved Issues in Cumulative Patch ACS 5.2.0.26.6

Resolved Issues in Cumulative Patch ACS 5.2.0.26.7

Resolved Issues in Cumulative Patch ACS 5.2.0.26.8

Resolved Issues in Cumulative Patch ACS 5.2.0.26.9

Resolved Issues in Cumulative Patch ACS 5.2.0.26.10

Resolved Issues in Cumulative Patch ACS 5.2.0.26.11

Known ACS Issues

Documentation Updates

Product Documentation

Notices

Supplemental License Agreement

Obtaining Documentation and Submitting a Service Request

Introduction

ACS is a policy-driven access control system and an integration point for network access control and identity management.

The ACS 5.2 software runs either on a dedicated Cisco 1121 Secure Access Control System (CSACS-1121) appliance, or on a VMware server. However, ACS 5.2 continues to support CSACS-1120 appliances that you have used for ACS 5.0 and that you would like to upgrade to ACS 5.2.

This release of ACS provides new and enhanced functionality on a standard Cisco Linux-based appliance.

Throughout this documentation, CSACS-1121 refers to the appliance hardware, and ACS Server refers to the ACS software.

New and Changed Features

This release of ACS provides improved parity with 4.x. The following sections briefly describe the new and changed features in the 5.2 release:

Cryptographic Module

Support RADIUS KeyWrap

Machine Key Zeroization

SHA-2

CoA Port

Cryptographic Module

The cryptographic module enhancements include:

PKI Key Generation—The ACS 5.1 Public Key Infrastructure (PKI) credentials and the local certificates and outstanding certificates are restored in ACS 5.2 by reimporting the certificates.

RADIUS KeyWrap—ACS 5.2 supports configuration and usage of Key Encryption Key (KEK) and Message Authentication Code Key (MACK).

Key Zeroization—ACS 5.2 supports zeorization of all key as part of key zeroization.

Support RADIUS KeyWrap

The RADIUS KeyWrap feature enhancements include:

Shared Secrets

KEK—ACS 5.2 supports configuration and usage of Key Encryption Key (KEK). This is used for encryption of the Pairwise Master Key (PMK). In ASCII mode, enter a key length of exactly 16 characters; in hexadecimal mode, enter a key length of 32 characters.

MACK—ACS 5.2 supports configuration and usage of Message Authentication Code Key (MACK). It is used to calculate the keyed hashed message authentication code (HMAC) over the RADIUS message.

In ASCII mode, enter a key length with 20 characters. In hexadecimal mode, enter a key with 40 characters.

Cisco AV-Pair

The RADIUS KeyWrap feature in ACS 5.2 introduces the following three new AVPs for the Cisco AV-pair RADIUS Vendor-Specific-Attribute:

Random Nonce—ACS 5.2 supports Random Nonce, generated by the NAS. It is used for adding randomness to the key data encryption and authentication, and for linking between requests and response packets (prevent replay attacks).

Key—ACS 5.2 supports session key distribution, to replace the use of MS-MPPE-xxxx-KEY attributes [RFC2548].

Message Authenticator Code—ACS 5.2 supports the use of Message Authentication Code for ensuring the authenticity of the RADIUS message (including the EAP-Message and Key attributes).

When RADIUS KeyWrap is enabled, ACS 5.2 allows the use of these three RADIUS KeyWrap AVPs for message exchanges and key delivery. According to the KeyWrap attribute requirements, ACS will reject all RADIUS requests that contain both RADIUS KeyWrap AVPs and the standard RADIUS Message Authenticator attribute [RFC2869].

Configuration—ACS 5.2 supports enabling and disabling of RADIUS KeyWrap for AAA clients. Configuration of RADIUS KeyWrap shared keys for AAA clients and default network devices is also supported.

Migration—ACS 5.2 supports migration of KeyWrap network device configuration from ACS 4.x to 5.2.

Machine Key Zeroization

ACS 5.2 introduces a new CLI command acs zeroize-machine to trigger the zeroization. Zeroization deletes any key and sensitive files. It also deletes the running memory and the swap files.

This command securely deletes the partition on which ACS is installed. It also securely deletes the swap partition and restarts the machine to clear all information in the RAM. After the command has completed running, ACS will not function on the appliance. You have to re-install ACS on the appliance.

For more information on this command, see the CLI Reference Guide for the Cisco Secure Access Control System 5.2.

SHA-2

ACS 5.2 supports SHA-2 signatures as follows:

Supports importing of SHA-2 signed certificates.

Supports SHA-2 signed certificates in TLS protocols.

Supports SHA-2 in CSR generation. You have an option to choose SHA-2 signature.

Supports SHA-2 in Self-Signed certificate generation. You have an option to choose SHA-2 signature.

Only SHA2 256-bit certificate digest algorithm is supported by ACS 5.2.

CoA Port

ACS 5.2 allows you to configure Change of Authorization (CoA) port through the GUI. It is used to set up the RAIUS CoA port for session directory, for user authentication. You can launch this session directory from the Monitoring and Troubleshooting Viewer page. By default, the CoA port value is filled as 1700.

SFTP Copy

In ACS 5.2, SSH File Transfer Protocol (SFTP) is implemented by Secure Copy Protocol (SCP).

Features Not Supported

The following features are not supported in ACS 5.2:

ACS upgrade through GUI is not available in ACS 5.2. For more information, see the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.2.

Expiry of any user (admin or internal) after certain number of days is not supported.

Support for defining the maximum number of simultaneous sessions for a user or user group.

Wildcard certificate is not supported in ACS 5.2.

Multiple Network Interface Card (NIC) is not supported in ACS 5.2.

Remote Database with cluster setup is not supported.

Known Limitations in ACS 5.2

The following are the affected areas in ACS 5.2 as a result of FIPS certification:

SSH client

The SSH client should support the following FIPS compliant cipher suits:

Key exchange cipher: diffie-hellman-group14-sha1

Encryption ciphers: aes256-cbc, aes128-cbc, 3des-cbc

MAC: hmac-sha1


Note ACS 5.2 does not follow the given cipher suite if you upgrade using acs.tar.gz method. It is recommended to do the backup/re-image/restore method and it is necessary for FIPS compliance.


Browsers

ACS 5.2 supports the following Web Client/Browser Platforms in Windows XP Professional (Service Pack 2 and 3) and Windows Vista.

Internet Explorer version 6.x

Internet Explorer version 7.x

Internet Explorer version 8.x

Mozilla Firefox version 3.x

The above mentioned browsers are supported only with one of the following cipher suits:

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA

RSA_WITH_3DES_EDE_CBC_SHA

You should install Windows XP SP3 to use SHA2 256-bit certificates as management certificates.

Logs

ADE logs added the following repetitive log message because of FIPS requirements:

Crypto::notifyStateTransition

Installation and Upgrade Notes

This section provides information on the installation tasks and configuration process for ACS 5.2. This section contains:

Installing, Setting up and Configuring CSACS 1121

Running the Setup Program

Licensing in ACS 5.2

Upgrading an ACS Server from 5.0 to 5.2

Applying Upgrade Patches

Installing, Setting up and Configuring CSACS 1121

This section describes how to install, set up and configure the CSACS 1121 Series appliance. The CSACS 1121 Series appliance is preinstalled with the software.

To set up and configure the CSACS 1121:


Step 1 Open the box containing the CSACS 1121 Series appliance and verify that it includes:

The CSACS 1121 Series appliance

Power cord

Rack-mount kit

Cisco Information Packet

Warranty card

Regulatory Compliance and Safety Information for the Cisco 1121 Secure Access Control System 5.1

Step 2 Go through the specifications of the CSACS 1121 Series appliance.

For more details, see Installation and Upgrade Guide for the Cisco Secure Access Control System 5.2.

Step 3 Read the general precautions and safety instructions that you must follow before installing the CSACS 1121 Series appliance.

For more details, see Installation and Upgrade Guide for the Cisco Secure Access Control System 5.2 and pay special attention to all the safety warnings.

Step 4 Install the appliance in the 4-post rack, and complete the rest of the hardware installation.

For more details on installing the CSACS 1121 Series appliance, see Installation and Upgrade Guide for the Cisco Secure Access Control System 5.2.

Step 5 Connect the CSACS 1121 Series appliance to the network and connect either a USB keyboard and Video Graphics Array (VGA) monitor or a serial console to the serial port.

Figure 1 shows the back panel of the CSACS 1121 Series appliance and the various cable connectors.


Note For the initial setup, you must have either a USB keyboard and VGA monitor or a serial console running terminal-emulation software.


For more details, see Installation and Upgrade Guide for the Cisco Secure Access Control System 5.2.

For information on installing ACS 5.2 on VMware, see Installing ACS in a VMware Virtual Machine chapter in the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.2.

Figure 1 CSACS 1121 Series Appliance Rear View

The following table describes the callouts in Figure 1.

.

1

AC power receptacle

5

(Blocked) Gigabit Ethernet 1

2

(Blocked) Gigabit Ethernet

6

(In Use) Gigabit Ethernet 0

3

Serial connector

7

USB 3 connector

4

Video connector

8

USB 4 connector


Step 6 After completing the hardware installation, power up the appliance.

The first time you power up the appliance, you must run the setup program to configure the appliance. For more information, see Running the Setup Program.


Running the Setup Program

This section describes the setup process that configures the ACS Server.

The setup program launches an interactive CLI that prompts you for the required parameters. An administrator can use the console or a dumb terminal to configure the initial network settings and enter the initial administrator credentials for the ACS 5.2 server that is using the setup program. The setup process is a one-time configuration task.

To configure the ACS Server:


Step 1 Power up the appliance.

The setup prompt appears:

Please type `setup' to configure the appliance 
localhost login:
 
   

Step 2 At the login prompt, enter setup and press Enter.

The console displays a set of parameters. You must enter the parameters as described in Table 1.


Note You can interrupt the setup process at any time by typing Ctrl-C before the last setup value is entered.


Table 1 Network Configuration Prompts 

Prompt
Default
Conditions
Description

Hostname

localhost

First letter must be an ASCII character.

Length must be >2 but <20 characters.

Valid characters are alphanumeric (A-Z, a-z, 0-9), hyphen (-), and the first character must be a letter.

Enter the hostname.

IPv4 IP Address

None, network specific

Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.

Enter the IP address.

IPv4 Netmask

None, network specific

Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.

Enter a valid netmask.

IPv4 Gateway

None, network specific

Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.

Enter a valid default gateway.

Domain Name

None, network specific

Cannot be an IP address.

Valid characters are ASCII, any digit, hyphen (-), and period (.)

Enter the domain name.

IPv4 Primary Name Server Address

None, network specific

Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.

Enter a valid name server address.

Add/Edit another nameserver

None, network specific

Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.

To configure multiple name servers, enter Y.

Username

admin

The name of the first administrative user. You can accept the default or enter a new username.

Must be >2 and < 9 characters, and must be alphanumeric.

Enter the username.

Admin Password

None

No default password. Enter your password.

The password must be at least six characters in length and have at least one lower case letter, one upper case letter, and one digit.

In addition:

Save the user and password information for the account that you set up for initial configuration.

Remember and protect these credentials because they allow complete administrative control of the ACS hardware, the CLI, and the application.

If you lose your administrative credentials, you can reset your password by using the ACS 5.2 installation CD.

Enter the password.


After you enter the parameters, the console displays:

localhost login: setup
Enter hostname[]: acs-server-1
Enter IP address[]: 209.165.200.225
Enter IP default netmask[]: 255.255.255.0
Enter IP default gateway[]: 209.165.200.1
Enter default DNS domain[]: mycompany.com
Enter Primary nameserver[]: 209.165.200.254
Add/Edit another nameserver? Y/N : n
Enter username [admin]: admin
Enter password:
Enter password again:
Pinging the gateway...
Pinging the primary nameserver...
Do not use `Ctrl-C' from this point on...
Appliance is configured
Installing applications...
Installing acs...
Generating configuration...
Rebooting...
 
   

After the ACS server is installed, the system reboots automatically. Now, you can log in to ACS with the CLI username and password that was configured during the setup process.

You can use this username and password to log into ACS using only the CLI. To log into the GUI, you must use the predefined username ACSAdmin and password default.

When you access the GUI for the first time, you will be prompted to change the predefined password for the administrator. You can also define access privileges for other administrators who will access the GUI application.


Licensing in ACS 5.2

To operate ACS, you must install a valid license. ACS prompts you to install a valid license when you first access the web interface.

Each ACS instance (primary or secondary) in a distributed deployment requires a unique base license.

This section contains:

Types of Licenses

Auto-Installation of Evaluation License

Types of Licenses

Table 2 lists the types of licenses available in ACS 5.2.

Table 2 ACS License Support 

License
Description

Base License

The base license is required for all deployed software instances, as well as for all appliances. The base license enables you to use all ACS functions except license controlled features, and it enables standard centralized reporting features.

The base license:

Is required for all primary and secondary ACS instances.

Is required for all appliances.

Supports deployments that have a maximum of 500 managed devices.

The following are the types of base licenses:

Permanent—Does not have an expiration date. Supports deployments that have a maximum of 500 managed devices.

Evaluation—Expires 90 days from the time the license is issued. that have a maximum of 50 managed devices.

The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure.

For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses, and hence the number of devices is 256.

Add-On Licenses

Add-on licenses can only be installed on an ACS server with a permanent base license. A large deployment requires the installation of a permanent base license.

The TrustSec feature licenses are of two types: Permanent, Eval, and NFR. However, the permanent TrustSec feature license can be used only with a permanent base license.


Auto-Installation of Evaluation License

If you are using a virtual machine (VM) for ACS with disk space between 60 GB and 512 GB, ACS automatically installs the evaluation license. However, you can also get the evaluation license and install it manually on the ACS server.

If you use an ACS server with less than 500 GB hard disk space, Cisco does not provide support for scalability, performance, and disk space-related issues.

For more information on installing ACS 5.2 on VMware, see Installing ACS in a VMware Virtual Machine chapter in the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.2.

Upgrading an ACS Server from 5.0 to 5.2

To upgrade your ACS 5.0 server to ACS 5.2:


Step 1 Backup the ACS 5.0 database by entering the following backup command in the EXEC mode to perform a backup and place the backup in a repository.

backup backup-name repository repository-name


Note Ensure that you use a nonlocal repository for the ACS 5.0 data backup. Otherwise, you might lose the configuration data after you install 5.1.


Step 2 Install ACS 5.1 using the recovery DVD.

Step 3 Install the latest ACS 5.1 patch available on Cisco.com.

Step 4 Restore the ACS 5.0 database by entering the restore command in the EXEC mode to restore the backup taken earlier:

restore filename repository repository-name

ACS upgrades the 5.0 configuration data and Monitoring and Report Viewer data to the 5.1 format.

Step 5 Backup the ACS 5.1 database by entering the following backup command in the EXEC mode to perform a backup and place the backup in a repository.

backup backup-name repository repository-name


Note Ensure that you use a nonlocal repository for the ACS 5.1 data backup. Otherwise, you might lose the configuration data after you install 5.2.


Step 6 Install ACS 5.2 using the recovery DVD.

Step 7 Install the latest ACS 5.2 patch, if available.

Step 8 Restore the ACS 5.1 database by entering the restore command in the EXEC mode to restore the backup taken earlier:

restore filename repository repository-name

ACS upgrades the 5.1 configuration data and Monitoring and Report Viewer data to the 5.2 format.


Applying Upgrade Patches

You can download ACS 5.2 cumulative patches from the following location: http://www.cisco.com/cisco/web/download/index.html

To download and apply the patches:


Step 1 Login to Cisco.com and navigate to Network Management > Security and Identity Management > Cisco Secure Access Control Server Products > Cisco Secure Access Control System > Cisco Secure Access Control System 5.2.

Step 2 Download the patch.

Step 3 Install the ACS 5.2 cumulative patch. To do this:

Enter the following acs patch command in the EXEC mode to install the ACS patch:

acs patch install patch-name.tar.gpg repository repository-name

ACS displays the following confirmation message:

Installing an ACS patch requires a restart of ACS services.
Would you like to continue? yes/no
 
   

Step 4 Enter yes.


Resolved ACS Issues

Table 3 lists the issues that are resolved in ACS 5.2.

Table 3 Resolved issues in ACS 5.2 

Bug ID
Description

CSCtc12382

ACS View upgrade failed after scale configuration.

CSCtc89581

Legacy machine PAC did not refresh after migrating to ACS 5.1.

CSCtd48173

Post upgrade could not create or edit a VSA attribute.

CSCte75993

ACS sent the same server list name and gen-ID when NAD switched to ACS.

CSCte79051

ACS 5.1 crashed after concurrent TACACS+ session authorization requests.

CSCtf06311

All internal users were automatically disabled if you logged in as a single user.

CSCtf33152

Restoring corrupted backup file caused ACS to stop functioning.

CSCtf60490

Windows Mobile 5.0 Clients failed LEAP on ACS 5.1.

CSCtf62721

Translation of Group SID to Group name was very inefficient.

CSCtf85659

ACS 5 did not distinguish between unique certificates.

CSCtg58234

EAP-FAST did not work if different username cases were used in PAC and inner method.

CSCtg78076

ACS 5 replaced separator ';' in dACL .csv file import with CR-LF.

CSCth15868

ACS 5 migration tool truncated DACL name.

CSCth42292

There was a security problem in OpenSSL.

CSCtc20671

ACS 5 developed file system problems with SAN over fiber.

CSCtc41730

ACS reset SYN packets if MSS was not set.

CSCtc90954

Support bundle download URL contained only the host name.

CSCtd00477

Could not retrieve AD groups if forest's name was composed of a single word.

CSCtd14560

GUI session got logged out when tried to launch Monitoring and Reports Viewer.

CSCtd16825

CLI command copy disk: failed if full path to the file was provided.

CSCtd24949

TACACS authorization failed when authen_type=0.

CSCtd46884

ACS 5.x - AD save changes failed if admin password contained a space.

CSCtd52207

View did not send any alarms or mails if you were working in distribution mode.

CSCtd69364

ADClient did not restart.

CSCtd99822

AD users with expired passwords fail authentication.

CSCte16911

ACS 5 did not support the PPP TACACS service type for authentication.

CSCte70900

ACS 5.1 did not allow AP to join WDS domain. A message appeared, LEAP packet validation failed.

CSCte72751

ACS 5.1 dropped authentication requests if the password was blank.

CSCte81150

ACS 5.x reported key mismatch for unknown authentication method.

CSCte88357

ACS5.1 TACACS Accounting Report missed a few attributes caused by NULL characters.

CSCtf08567

ACS5.1 permitted commands without arguments, instead of denying them

CSCtf23507

ACS 5.1 authenticated AD users by querying attribute altSecurityIdentifier.

CSCtf30684

The system could not change the password by using the User-Change-Password web service through a python-based web page.

CSCtf33226

ACS EAP-MSCHAP sometimes failed and a message appeared, User has no dialing permissions.

CSCtf39158

Could not retrieve AD groups in single forest with multiple trees scenarios.

CSCtf43054

Group assignment dialog box did not allow "+" symbol in group name.

CSCtf46139

After deregistering or deleting, primary server still communicated with the deregistered box.

CSCtf65179

Discovery of host account domain was done several time.

CSCtf75806

ACS 5.1 did not log accounting details for some AAA clients.

CSCtf79183

Domain name was not appended when redirected to the primary server.

CSCtg15941

ACS 5 high memory usage - memory usage was more than 90% when idle or with less load.

CSCtg38950

EAP-GTC always used hardcoded password prompt 'password:'.

CSCtg38987

Password and passcode were not configurable for RSA Identity Store.

CSCtg52633

ADClient could not handle duplicate CLDAP on UDP port 329.

CSCtg60736

Exporting command sets on ACS 5 created an invalid file.

CSCtg77168

Page could not be displayed for support logs if the ACS name was not resolved.

CSCtg78120

Monitoring & Report Viewer could be redirected to ACS view using only the host name.

CSCth08243

Aggregation errors appeared after upgrading from ACS 5.0 to 5.1.

CSCth55074

The `put' method was enabled in ACS 5.x webserver.

CSCth62273

ACS database could become large because of incomplete user password changes.

CSCtd37384

ACSView 5.0 and 5.1 did not display "Remote Address".

CSCtg04259

ACS 5.1 took a long time to fetch group lists from AD.

CSCsy54062

ACS did not verify SubjectKeyID / AuthorityKeyID in CertChain building.

CSCtb94187

Migration of users - Apostrophe ('), space, or underscore (_) characters not supported.

CSCtc42936

Support bundle contents was encrypted.

CSCtc61819

The CoA port in ACS was not configurable and default port mismatch to SW.

CSCtf72641

ACS 5.x did not allow LEAP-first authentication.

CSCtg12399

ACS 5.1 did not support 2008 R2 Server for AD.

CSCtg67722

Users with apostrophes could not be edited.

CSCtd10767

Syslog data loss during upgrade.

CSCtc19231

Error message while creating ACS support bundle.

CSCte30267

ACSView: Authentication Fail (EAP timed out) entries did not contain client information.

CSCtd68974

ACS upgrade did not start.

CSCtd57980

EPM Syslogs were not parsed as expected in View collector.

CSCtd39360

Change Identity from AD to Identity with wildcard. System failure occurred.

CSCtd00725

Important TLS/SSL security update.

CSCsl45043

Upgrade OpenSSH.

CSCsk52006

Weak SSL ciphers supported, should be turned off.

CSCth95632

Browser crashed when left in Live Authentication screen for a long time.

CSCth66146

Some failure reasons disappeared in Failure Reasons Editor.

CSCth33629

802.1X VLAN not found. Interface info was populated along with session ID.


Resolved Issues in Cumulative Patch ACS 5.2.0.26.1

Table 4 lists the issues that are resolved in the ACS 5.2.0.26.1 cumulative patch.

You can download the ACS 5.2.0.26.1 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to "Applying Upgrade Patches" section for instructions on how to apply the patch to your system.

Table 4 Resolved Issues in Cumulative Patch ACS 5.2.0.26.1 

Bug ID
Description

CSCtg87278

ACS is not able to establish SSL tunnel with LDAP server with CRL verification.

This resolution allows to establish SSL tunnel with LDAP server with CRL verification.

CSCth82664

ACS DB needs to be compressed as a maintenance operation.

A new CLI command is introduced in the ACS config that should be used only on the primary node. The CLI command is:

acs-config database-compress [truncate_log]

This command compresses the ACS database by rebuilding each table in the database and releasing unused space.

The command also has the option to release the replication transaction table.

Before initiating the command, you should move all the secondary nodes to local mode. Then, initiate the command on the primary node.

When the DB compress is completed and all the services are up, you should reconnect the secondary nodes, one by one. On re-connecting the secondaries, full-sync between the primary and the secondary is initiate automatically.

CSCth78269

ACS transactions table is not cleaned properly during bulk operations.

The cleaning of the ACS transaction table (table which stores configuration change logs) is changed to be more intensive.

Only the last 2000 configuration transactions are stored.

CSCth62139

ACS authentication rate decreases with internal user attributes.

This resolution includes:

Read only attributes value on request from DB (without user information like UserName, Password, EnablePassword, LastLoginTime).

Check default attribute value without try-catch mechanism.

CSCti90973

Adding "User is in management hierarchy" flag to TACACS+ authorization policy.

In this resolution a hierarchical label is assigned to each device that represent the administrative location of this device within the organizations management hierarchy.

For example, "All:US:NY:MyMgmtCenter" denotes that the device is in "MyMgmtCenter", in NY, which is in the US.

Permissions are granted to the user based on their assigned level within the management hierarchy.

For example, if a user has an assigned level of "All:US:NY", that user is granted permission when accessing through any device with a hierarchy that starts with "All:US:NY".

CSCsu69983

Restoring a configuration disconnects deployment and causes replication.

In the distributed setup, when you restore the backup on CLI, it shows a warning message and you have to configure each secondary to reconnect with primary.


Resolved Issues in Cumulative Patch ACS 5.2.0.26.2

Table 5 lists the issues that are resolved in the ACS 5.2.0.26.2 cumulative patch.

You can download the ACS 5.2.0.26.2 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to "Applying Upgrade Patches" section for instructions on how to apply the patch to your system.

Table 5 Resolved Issues in Cumulative Patch ACS 5.2.0.26. 2

Bug ID
Description

CSCth57441

ACS 5.1: HDD Failure does not prevent RT to process incoming requests .

CSCtg49699

ACS 5 fails to join AD Domain.

CSCti22161

ACS 5.1 AD admin password length is too short.

CSCti98492

ACS 5 tries to connect only to three DCs.

CSCtj15764

ACS 5 does not accept two certificates with same SKI.

CSCtj32663

Most significant bit is not set on the MS MPPE Keys.

CSCtj31250

Windows 7 PEAP fast reconnect fails with ACS 5.

CSCtj32835

Group fetch does not work for eight hours after joining a new domain.

CSCtj36382

Find AD Global catalog may fail in certain scenario.

CSCtj87187

Trust for client with EAP-TLS not stored with allow DUP option.

CSCtj86607

ACS 5.1 HTTP 500 errors, requiring management service restart.

CSCtk08342

ACS gets disconnected from Active Directory when DNS reply is delayed.

CSCtk08423

ACS reconnects to different DCs if AD namespace is disjoined.

CSCtk32168

Add an option to change password when password expires (TACACS+ and RADIUS).

CSCtk32178

Add an option for password never expired for specific users.

CSCtk32664

ACS sends change-password request to a wrong ID store in the sequence.

CSCtk32683

Add option for checking user existence in internal before authenticate.

CSCtl12831

Superadmin role has no permissions for authentication settings.

CSCtj34574

Change and view speed/duplex settings via CLI in ACS.


Resolved Issues in Cumulative Patch ACS 5.2.0.26.3

Table 6 lists the issues that are resolved in the ACS 5.2.0.26.3 cumulative patch.

You can download the ACS 5.2.0.26.3 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to "Applying Upgrade Patches" section for instructions on how to apply the patch to your system.

Table 6 Resolved Issues in Cumulative Patch ACS 5.2.0.26. 3

Bug ID
Description

CSCti68031

ACS 5 sees `DC=' in the certificate subject as invalid DN.

With this resolution, `DC=' is allowed as part of the certificate subject when generating a certificate signing request.

CSCti42591

NDG Locations disappeared from GUI.

This resolution enables the NDG locations to appear on the NDG GUI even after adding an attribute with name "location" for internal users.

CSCth77468

ACS 5.1 not including `C' and `V' values in MS-CHAP-v2 Failure Packet.

CSCth72626

MS-CHAPv2 responses with bad flag values will not be dropped.

CSCtf78048

Discovery of host's account domain is very inefficient.

CSCtk32073

Network device groups are not evaluated properly in device filters.

Already created device filter using ACS 5.2, before installing patch 3 should be removed and created again.

CSCtj38410

ACS sends TLS SessionTicket which can break compatibility with LDAPs.

CSCtk31968

Getting exception while doing user attribute retrieval in AD.

CSCtj89705

ACS 5 import of internal user attribute fails for attribute with default.

CSCth68051

Network devices import/update does not work after migration.

CSCtl71157

ACS runtime does not send system status and health.

CSCtl84134

Network Device Authentication summary does not have any information about failed authentication. This bug is resolved in patch 6.

CSCtk34409

Node should be removed from secondary instance list after deregistration. This bug is resolved in patch 6.


Resolved Issues in Cumulative Patch ACS 5.2.0.26.4

Table 7 lists the issues that are resolved in the ACS 5.2.0.26.4 cumulative patch.

You can download the ACS 5.2.0.26.4 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to "Applying Upgrade Patches" section for instructions on how to apply the patch to your system.

Table 7 Resolved Issues in Cumulative Patch ACS 5.2.0.26. 4

Bug ID
Description

CSCth12406

ACS 5 does not have option to disable local account on failed attempts.

CSCtl75467

ACS 5.2 High CPU usage due to failure in startup of ADclient.

CSCsz74681

Distribution Management MGM replication execution failed.

CSCtk96981

Import process fails with FATAL error after importing high volume of devices.

CSCth66302

RADIUS authentication request rejected due to critical logging error.


Resolved Issues in Cumulative Patch ACS 5.2.0.26.5

Table 8 lists the issues that are resolved in the ACS 5.2.0.26.5 cumulative patch.

You can download the ACS 5.2.0.26.5 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to "Applying Upgrade Patches" section for instructions on how to apply the patch to your system.

Table 8 Resolved Issues in Cumulative Patch ACS 5.2.0.26. 5

Bug ID
Description

CSCtl97325

UserInManagementHierarchy should also be applied for internal hosts.

CSCto34685

Speed/duplex settings not persistent across reboots.

CSCtn97709

ACS 5.2 acs-config mode was hung.

CSCtn25264

acsLocalStore.logs are unexpectedly deleted when restarting services.

CSCto62144

ACS 5 import should support none strict .csv file header.

CSCtk16271

ACS5: CLI DNIS values switch columns when Submit is clicked.

CSCtc36013

ESX secondaries can not handle transactions gap during large users import.


Resolved Issues in Cumulative Patch ACS 5.2.0.26.6

Table 9 lists the issues that are resolved in the ACS 5.2.0.26.6 cumulative patch.

You can download the ACS 5.2.0.26.6 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to "Applying Upgrade Patches" section for instructions on how to apply the patch to your system.

Table 9 Resolved Issues in Cumulative Patch ACS 5.2.0.26. 6

Bug ID
Description

CSCth08274

ACS Monitoring not loading next page in IE if usernames contains character \u.

CSCtq38322

ACS does not retry LDAP connection after silent drop.

CSCto99380

ACS failing to retrieve non-local groups from AD while authenticating.

CSCtq26661

ACS 5 fails import certificate with serial number in subject.

CSCto15691

ACS runtime process restarts intermittently under heavy TACACS load.

CSCto76026

RT crash on PAP RSA stress.

CSCtq64670

Incorrect password prompt when using RSA authentication.

CSCtq59282

AD Perf impact 50% and more due to large amount of groups assigned to user.

CSCto47203

ACS 5 runs out of disk space.


Resolved Issues in Cumulative Patch ACS 5.2.0.26.7

Table 10 lists the issues that are resolved in the ACS 5.2.0.26.7 cumulative patch.

You can download the ACS 5.2.0.26.7 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to "Applying Upgrade Patches" section for instructions on how to apply the patch to your system.

Table 10 Resolved Issues in Cumulative Patch ACS 5.2.0.26. 7

Bug ID
Description

CSCtk83179

Exporting ACS 5 Monitoring to a remote SQL database is not working.

CSCtn25508

Administrative and Operational Audit logs becomes unrecorded.

CSCtk52607

In ACS 5.2, high memory usage is more than 90%.

CSCtq94551

The Port filter and Device name gets reversed after saving and submitting.

CSCtq93902

Port filters are not working properly in ACS 1121.

CSCtr95901

Remote DataBase SQL schema needs to be changed for export run failed.

CSCtq69032

Resubmitting remote database configuration creates an extra instance.

CSCts17763

ACS may crash when shell profile name contains special characters.

CSCtr32335

Secondary node fails to register to the primary with a large database.

CSCtr32511

Sybase transaction log file acsxxxx.log grows infinitely.

CSCts38010

ACS crashes during the runtime while processing of TACACS+ request.

CSCto11378

ACS 5.2 AD pre-authentication failures for AD with SAMAccountName format.

CSCtr01798

Unchanged records in Import updates causing transaction log growth.

CSCtr77850

ACS does not try next GC if LDAP service is not available.

CSCtr86413

ACS incremental configuration replication fails.

CSCtq76960

Can not modify internal user password after adding Enumerate-Type Attribute.

CSCtn06060

ACS 5 inefficiently handles packets when EAP state attribute is invalid.

CSCtq81172

Admin interface takes a long time to load large NDG tree.

CSCtr32120

Replication is not working for large amount of data.


Resolved Issues in Cumulative Patch ACS 5.2.0.26.8

Table 11 lists the issues that are resolved in the ACS 5.2.0.26.8 cumulative patch.

You can download the ACS 5.2.0.26.8 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to "Applying Upgrade Patches" section for instructions on how to apply the patch to your system.

Table 11 Resolved Issues in Cumulative Patch ACS 5.2.0.26. 8

Bug ID
Description

CSCts60512

A core file is generated under combined T+ and EAP-TLS authentications.

CSCtt04461

Updating the .csv file is not working in Device type and location under NDG.

CSCtt07904

Authorization success instead of failure under non-default configuration.


Resolved Issues in Cumulative Patch ACS 5.2.0.26.9

Table 12 lists the issues that are resolved in the ACS 5.2.0.26.9 cumulative patch.

You can download the ACS 5.2.0.26.9 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to "Applying Upgrade Patches" section for instructions on how to apply the patch to your system.

Table 12 Resolved Issues in Cumulative Patch ACS 5.2.0.26. 9

Bug ID
Description

CSCtr78192

Multiple vulnerabilities in the Cisco ACS 5.x web interface.

CSCts85741

Possible SQL Injection point in ACS 5.2.

CSCtr78143

Multiple cross-site request forgery and stored XSS in ACS 5.2.

CSCtu02752

ACS 5.2 patch 8 cannot display long lists of NDGs.

CSCtu04594

In ACS 5.2.0.26.7 only 50 NDGs are shown on the GUI while more than 100 are configured.

CSCtu06690

ACS network devices display broken filter broken.

CSCtu89783

ACS 5 password expiration policy triggered for token users.

CSCtg51846

Enum values are not shown in compound conditions in rule.

CSCtt14745

Can not add group to LDAP identity store.

CSCtt17019

ACS 5.x issue in retrieving additional AD groups when referenced in rules.

CSCtt21122

Can not import command sets with slash ( / ) in the argument.

CSCto95888

sh acs-logs details command does not display the localstore log file name.

CSCtw64212

view-logprocessor process gets stuck and shows as not monitored.

CSCte39351

ACS appliance SNMP agent process daemon stops.

CSCtu36357

ACS 5 cannot duplicate user account.

CSCtw56498

TACACS+ enable request is dropped on unknown authen_type.

CSCtw67208

Administrative and Operational Audit logs are not getting recorded in ACS.

CSCto88134

Temporary table was missing in 5.2 database after restoring 5.1 backup.

CSCtu21456

Password change is not working in secondary ACS 5, intermittenly.

CSCtx19470

ACS 5 runtime error while trying to login to GUI, but all other processes are running successfully.

CSCtx68133

In VA, some of the Secondary machines are going offline when the setup is idle.


Resolved Issues in Cumulative Patch ACS 5.2.0.26.10

Table 13 lists the issues that are resolved in the ACS 5.2.0.26.10 cumulative patch.

You can download the ACS 5.2.0.26.10 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to "Applying Upgrade Patches" section for instructions on how to apply the patch to your system.

Table 13 Resolved Issues in Cumulative Patch ACS 5.2.0.26.10

Bug ID
Description

CSCtx57296

Fails to open the view Logcollector with unresolvable hostname.

CSCtx72675

Repository user name with domain name support in ACS.

CSCtx55824

ACS5 SQL schema file for view DB export is incorrect.

CSCtx18638

Cannot add custom shell attribute with keyword alert.

CSCtx83260

NDG locations are not showing up on the web interface.

CSCtx39704

Information is missing in TACACS Accounting logs.

CSCtx32481

Description is shown as null while importing NDG without description.

CSCtz03943

ACS exposes the AD account username and password.


Resolved Issues in Cumulative Patch ACS 5.2.0.26.11

Table 14 lists the issues that are resolved in the ACS 5.2.0.26.11 cumulative patch.

You can download the ACS 5.2.0.26.11 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to "Applying Upgrade Patches" section for instructions on how to apply the patch to your system.

Table 14 Resolved Issues in Cumulative Patch ACS 5.2.0.26.11

Bug ID
Description

CSCuc65634

Password vulnerability occurs in ACS 5 while using external LDAP store and TACACS+ protocol.


Known ACS Issues

This section lists the known issues for the ACS 5.2 release.

Table 15 lists the known issues in ACS 5.2. You can also use the Bug Toolkit on Cisco.com to find any open bugs that do not appear here.

Table 15 Known Issues in ACS 5.2 

Bug ID
Description

CSCtf00575

Error occurs if you select a Boolean type, Migrated User attribute.

Symptom: An error appears if you choose the Migrated User attribute with Boolean type.

Condition: This problem occurs if you select any Migrated User attributes with Boolean type.

Workaround: None.

CSCtf11100

Null pointer exception while migrating NDG

Symptom: A Nullpointer exception occurs while migrating NDG, if there are any invalid characters in keywrap.

Condition: This problem occurs if invalid characters are used in ACS 4.x NDG and migrated. A Nullpointer exception appears.

Workaround: None.

CSCtf25265

Invalid user password ranges are not reported while migrating and the migration fails.

Symptom: Invalid user password range is not reported while migration.

Condition: This problem occurs if you migrate a user with more that 32 characters and authenticate with that user. The migration will fail.

Workaround: None.

CSCtg62673

Cannot load a feature license with ampersand (&) in the company name.

Symptom: You cannot load a feature license if it has an ampersand (&) in the name. An error message does not appear for this problem.

Conditions: This problem occurs on ACS 5.0 and ACS 5.1 if the company name in the license contains an ampersand (&) character.

Workaround: Re-issue the license without an ampersand (&) in the company name.

CSCtg49699

ACS 5 fails to join AD Domain.

Symptom: If ACS was configured with an AD domain, it will fail to rejoin the domain if there are any changes in the AD infrastructure, such as IP addresses of the AD servers.

Conditions: This problem occurs if you move the ACS from one domain to another domain without clearing the AD configuration page.

It also occurs when ACS is joined with a DC in the lab and then it is moved to the production environment on the same domain. ACS will not rejoin the live DC.

Workaround:

1. Clear the configuration of AD on ACS and the old DC should be reachable while clearing

2. Reconfigure the AD part and ACS will rejoin the domain.

3. Reset the ACS to factory defaults.

Make sure you still have the ACS license before doing that because after the reset, ACS will prompt you for the license.

CSCth08274

ACS 5: View does not load next page in IE if the username contains a "\u" character.

Symptom: While viewing a report an error is displayed in Internet Explorer and the navigation buttons for the report get disabled.

Conditions: The error Expected Hexadecimal Digit is displayed for users with a "\u" in the username or domain name. This happens because"\u" is a unicode escape character.

Workaround: This problem occurs only on Internet Explorer. Try using other browser like FireFox.

CSCth26298

Machine accounts with many ACE entries cause AD domain join to fail.

Symptom: ACS 5.1 cannot join a Windows AD domain.

Conditions: This problem occurs when the machine account used by ACS to join the domain contains a large number of Access Control Entries (ACE).

Workaround:

1. Ensure that there is no other account for the ACS from earlier failed attempts to join the domain.

2. Create a temporary container or OU with no ACEs.

3. Create an account for ACS.

4. Join the domain.

5. Move the ACS machine account to the normal/required container or OU if needed.

This symptom only affects the Join operation.

CSCth31525

Live authentication report does not show TACACS+ data.

Symptom: The TACACS+ live authentication report is missing data on some columns, including NAS and IP address.

Conditions: This problem occurs only on ACS 5.1.

Workaround: Use one of the other available reports to view this data.

CSCte57427

ACS 5.1 - SNMP location and contact information is not saved when you reboot the system.

Symptom: The following commands in ACS 5.1 may disappear from the config after you reboot the system:

snmp-server contact

snmp-server location

Conditions: This problem occurs in ACS 5.1 if you use spaces in the contact or location string.

For example:

snmp-server contact "my name"

Workaround: Remove any blank spaces from the configured string.

For example:

snmp-server contact my_name

CSCte98032

ACS 5 partitions are not properly aligned when installed on VMWare.

Symptom: VMWare tools report that ACS 5 partitions are not properly aligned.

Conditions: This problem occurs when you install ACS 5 on VMWare ESX 4.0.

Workaround: None.

CSCtf09891

Remote log targets does not accept classless IP format.

Symptom: You cannot set Remote Log Target using IP address 131.123.246.255 on ACS 5.1 appliance. The following error appears:

IP Address format violation.

Conditions: This problem occurs if a classless IP address is configured.

Workaround: Use classfull IP address.

CSCtf78048

[AD PERF] Discovery of host's account domain is very inefficient.

Symptom: Slow host authentications against Active Directory with host name format host/machine.domain.com.

Conditions: This problem occurs if ACS is configured to perform authentications against Active Directory and to fetch groups from Active Directory.

Workaround: Use domain machine$ host name format.

CSCtc61926

Active directory NetBIOS authentication passes when user is defined as UPN.

Symptom: User authentication passed with illegal username format.

Conditions: This problem occurs if the UPN name and the NetBIOS username are different. For example, NetBIOS username = somename and UPN = Some Name.

Workaround: Do not use the UPN form of username.

CSCtc70071

MSCHAP v2 & PEAP NetBIOS authentication fails if there are special characters in the username.

Symptom: MSCHAP v2 user authentication fails if the SAM name or NetBIOS name contains '@'.

Conditions: This problem occurs if you create a user in Active Directory and the SAM name contains '@' sign (with ADSI edit)

Workaround: Do not use '@' sign on SAM names or authenticate using the UPN name.

CSCtc36013

ESX secondaries cannot handle transactions gap during large users import.

Symptom: Secondary appliances are not updated even after the import process has completed on the primary appliances.

Conditions: Some secondary appliances are defined on VMWare ESX and the primary appliance is defined on ACS 5.1. The import is done from the primary appliance. In this case 300,000 users are imported into the primary node through the import/export utility.

Workaround: Do one of the following:

·Wait until the secondary nodes are updated with the information from the primary appliance. You can check the secondary nodes status in the Distributed System Management page.

·Wait until the primary appliance finished importing the 300,000 users and then issue a full sync request on each secondary node. By doing this you can make sure that the secondary nodes are updated.

CSCtf52072

MAB inconsistent username formats for access-request and access-accept.

Symptom: When authenticating a supplicant using MAC Authentication Bypass (MAB) the Authenticator and the Authentication Server (ACS), use different formats for the username within the RADIUS Access-Request and Access-Accept messages.

Conditions: This problem occurs under the following conditions:

The Authenticator sends a RADIUS Access-Request message with the MAC address as the username with no dashes and all lowercase alpha-numeric characters.

The Authentication server replies with a RADIUS Access-Accept message with the user's MAC address as the username but uses a different format.

The RADIUS Access-Accept packet has all uppercase alpha-numeric characters and dashes between each octet of the MAC address.

This anomaly should not have any negative impact while authenticating using MAB.

Workaround: None.

CSCte93628

An error message %AAA-3-DROPACCTFAIL: appears when you boot up a Switch.

Symptom: System accounting record is rejected by ACS with the following message on box:

"TPLUS: Received accounting response with status FAIL"

00:04:27: %AAA-3-DROPACCTFAIL: Accounting record dropped, send to server

failed: system

Conditions: This problem occurs during system accounting start after reload of the device.

Workaround: None.

CSCtf71065

If you set the debug-log to debug level, it enables debug-adclient even for unauthorized administrators.

Symptom: Unauthorized administrators can enable the debug-adclient log in CLI.

Conditions: This problem occurs if you change the debug-log command.

Workaround: None.

CSCtc34967

An incorrect message appears when ACS is configured with PEAP-GTC and the supplicant is configured with PEAP-MSCHAP.

Symptom: Authentication fails and shows an incorrect error message.

Conditions: This problem occurs when supplicant is configured as PEAP-GTP and ACS is configured to accept PEAP-MSCHAP only. Authentication fails and the following message is displayed:

Authentication failed : 12727

Workaround: None

CSCtc70023

Identity groups - display names are truncated after upgrade.

Symptom: If a database with 500 Identity groups is migrated from ACS 4.x and then upgraded from ACS 5.0 to 5.1, the names of the groups are truncated.

Conditions: This problem occurs only in Internet Explorer 6.0

Workaround: Use another browser such as Firefox 3.

CSCtc78550

During RADIUS authentication against AD, some messages are duplicated on the customer log.

Symptom: While running RADIUS authentication with AD as database, some messages' text is duplicated on customer log.

Conditions: Authorization message ID duplicated:

15016 Selected Authorization Profile - DenyAccess

15039 Selected Authorization Profile is DenyAccess

Workaround: None.

CSCtg70874

Connection times out while creating server certificates.

Symptom: An error message appears while creating server certificates.

Conditions: This problem occurs if you try to create a large certificate.

Workaround: Reduce the size of the certificate.

CSCtc83623

All groups are not shown in Directory Group in LDAP.

Symptom: The LDAP group selection page shows only a maximum of 100 groups.

Conditions: This problem occurs when you search for a group and there are more than 100 groups.

Workaround: Use search criteria to filter groups.

CSCtd53402

Policy Element RADIUS attribute editing does not work.

Symptom: Attribute value does not get saved correctly when creating a RADIUS attribute.

Conditions: This problem occurs when you:

1. Go to the Authorization Profiles page under Policy Elements > Authorization and Permissions > Network Access

2. Duplicate a group which has three entries, with a new tag

3. Highlight the first entry and click Edit

4. Modify the tag

5. Click Add

6. Do the same for the second and third entry

Three new entries are displayed.

7. Click Submit.

The fifth entry is wrong. The value is Decnet IV instead of 802.

Workaround: Create new profile, do not use duplicate.

CSCtg65300

User command set in users with apostrophe (') is not migrated successfully.

Symptom: ACS 4.x command sets on the user level are not migrated.

Conditions: This problem occurs when the username includes an apostrophe (').

Workaround: Manually migrate the user command set.

CSCtf19736

Not able to register to primary server with Host name.

Symptom: Cannot register to primary server.

Conditions: This problem occurs when you use the primary server host name.

Workaround: Use the primary server IP address.

CSCtd53435

Error occurs while editing a RADIUS Attribute.

Symptom: While editing a RADIUS attribute, the GUI displays the following error:

An unexpected error has occurred.

Conditions: This problem occurs when you:

1. Go to the Authorization Profiles page under Elements > Authorization and Permissions > Network Access

2. Select a VLAN name

3. Click Edit

4. Click Replace

5. Click Submit

Workaround: Reselect the option in the left navigation bar.

If you continue to receive the unexpected error message, close your browser and log in to ACS again.

If you still receive the unexpected error message, contact your system administrator or technical assistance.

CSCtf22214

Invalid characters appear in the migration tool and an error message is not displayed in the CLI if you enter an invalid value.

Symptom: No error message appears if you enter a wrong value for the CLI command acs config-web-interface migration.

For example,

acs config-web-interface migration asdf

It will not show that the interface is not enabled.

Conditions: This problem occurs if you use the CLI command acs config-web-interface migration, and enter a value other than [enable | disable].

Workaround: None.

CSCtg87278

ACS not able to establish SSL tunnel with LDAP server with CRL verification.

Symptom: When you use Secure LDAP and uncheck the Bypass CRL Verification if CRL is not Received check box, the authentications fail. This is because CS is not able to establish SSL tunnel.

The following errors appear:

Unknown CA - error unable to get issuer certificate locally

Unknown CA - Unable to get CRL

ACS is sending TLS Alert "Level: Fatal" and "Description: Unknown CA"

This happens even if all CA certificates are installed on ACS and the CRL URLs are properly configured.

Conditions: This problem occurs if you use Secure LDAP and uncheck Bypass CRL Verification if CRL is not Received.

Workaround: Select the check box Bypass CRL Verification if CRL is not Received.

CSCtc90865

Errors during PEAPv0 stress.

Symptom: When primary instance is set with Monitoring & Reports Viewer, there are no secondaries attached to it. After installation, restore a large database. The following two issues are shown during stress.

About 15% of the authentications resulted with error.

In Runtime.log, after every few thousand authentications, there is the following error:

ConfigNotificationFlow,02/11/2009,18:04:56:852,ERROR,3014974368,cntx=0000450988,ConfigNotificationFlow::onMBSendEventResponse: MB error, status=TIMEOUT, msg=, state=ListenSync,ConfigNotificationFlow.cpp:700

MessageBus,02/11/2009,18:04:56:880,ERROR,3016510368,A response arrived for a non related message id: 880cd6eb-61e9-460a-811c-2c98d5df42b0:0:0:146,MessageBusSender.cpp:303

Conditions: This problem occurs during PEAPv0 stress.

Workaround: Use two or more ACS instances.

CSCtf77292

Evaluation of domain local groups causes authentication delays.

Symptom: Slow authentications against Active Directory.

Conditions: This problem occurs if ACS is configured to perform authentications against Active Directory and to fetch groups from Active Directory.

Workaround: None.

CSCtd54069

The ACS UI does not allow you to edit the authorization rule in case of LDAP/AD.

Symptom: The Select button is grayed out if you select AD1 from the dictionary on the Authorization Rule page.

Conditions: This problem occurs when you:

1. Create authorization rule with LDAP and select a few groups in list

2. Select the authorization rule to edit the rule

3. Select AD1 in dictionary and external groups attributes

4. Try to add groups by using the Select button

Workaround: Create new authorization rule instead of editing an existing one.

CSCtf65218

Simultaneously promoting of two secondaries when primary is offline.

Symptom: Simultaneous promotion of secondaries when primary is offline causes unexpected behavior when primary is brought online again.

Condition: This problem occurs when the secondaries have been promoted while primary was offline.

Workaround: Primary must be online when promoting secondaries.

CSCtg51846

Enum values are not shown in compound conditions in rule.

Symptom: Enum values are not shown in compound conditions in rule.

Conditions: This problem occurs in compound conditions if you add an attribute with enum values The enum values are not displayed.

Workaround:

1. Create a Policy condition display name to the enum attribute.

2. Customize the GUI policy to use this name.

3. Use this name instead of using compound condition.

CSCtd49251

ADE 2120 fails AD test connection because of an NTP error.

Symptom: AD test connection fails.

Conditions: This problem occurs during normal operation when ACS and AD are up, running and the authentications are working.

If you:

1. Go to Users and Identity Stores > External Identity Stores > Active Directory.

2. Click the Test Connection button to ensure that the credentials are correct and Active Directory Domain is reachable.

3. Click the AD Test Connection button.

It displays the following error:

Connection test to 'ibns.com' failed. Further information on status: - Network Time Protocol status error.

Workaround: Ignore the failure since authentications are working and the clocks between the ACS and AD are the same.

CSCtf64833

Filtering in service selection rule do not filter the device filter.

Symptom: Filtering in service selection rule does not work.

Conditions: This issue occurs when you go to Access Policies > Access Services > Service Selection Rules. Filtering a rule based on device filter does not work.

Workaround: None.

CSCtf71535

Wrong connection status on ACS GUI when admin user is disabled in AD.

Symptom: Wrong connection status on ACS GUI when admin user is disabled in AD.

Conditions: This problem occurs if you disable the Administrator user (used for configuring AD on ACS GUI) is disabled in AD. The authentications against AD still succeed.

Workaround: None.

CSCtg29788

No failure reason if the value for attributes mismatch.

Symptom: No failure reason if the value for attributes do not match.

Conditions: This problem occurs if you enter a wrong attribute value during authentication. The log will not show any failure reason.

Workaround: None.

CSCtg36142

Node Secret set - indication of secureid file exists does not work properly.

Symptom: The GUI indication whether the secureid file exists, does not work properly.

Conditions: This problem occurs even if you set the node secret, many hours earlier and capture and the image. The status continues to display, Not Cached.

Workaround: None.

CSCtc79341

The acs reset-config command does not remove ACS Patches.

Symptom: The acs reset-config command does not remove the installed ACS patches.

Conditions: This problem occurs if the patch contain changes to ACS database. This may cause problems with the original ACS database.

Workaround: Uninstall all ACS patches manually after running the command acs reset-config and then install them again.

CSCte09557

Restore with different CARS admin username creates problems.

Symptom: You cannot perform a Restore operation with a different CARS admin username.

Conditions: This problem occurs if you try to perform a Restore operation with a username that is not the same as the username that you used for the backup.

Workaround: Restore with the same admin username.

CSCtf27416

Incorrect information displayed while importing .csv file with null values.

Symptom: Incorrect result displayed while importing .csv file with null values.

Conditions: This problem occurs when you install ACS with 5.2 and import the .csv file configured with null values for the mandatory fields. Incorrect information is displayed.

Workaround: Enter default values in the null fields.

CSCtg71016

Cannot add the same server certificate in primary and secondary servers.

Symptom: An error appears if you add the same server certificates in both primary and secondary servers.

Conditions: This problem occurs if you add the same server certificates in both primary and secondary servers.

Workaround: None

CSCth13070

If there is no space left on the device, backup file should not be created.

Symptom: Restoring configuration from backup file, fails.

Conditions: This problem occurs if the backup file is empty or invalid. This happens when ACS machine disk does not have enough space left for the system to create the backup file.

Workaround: None.

CSCth25903

CARS setup accepts invalid characters during installation.

Symptom: During ACS installation, when CARS is being set up, ACS accepts other letters besides Y (yes) or N (no) regarding the host name.

Conditions: This problem occurs during ACS installation, CARS setup in the hostname dialog.

Workaround: Make sure to respond only by typing Y or N.

CSCtd46841

Clock/TZ/NTP/nameserver changes can damage AD functionality.

Symptom: ACS AD functionality may be severely damaged and possibly there will be little evidence visible to the user.

Conditions: This problem occurs if you apply changes to system services that AD connectivity relies upon, such as TZ, NTP and DNS settings.

Workaround: Restart ACS services after applying changes to change the TZ, NTP & DNS settings.

CSCte39351

ACS appliance SNMP agent process daemon stops.

Symptom: ACS SNMP daemon stops.

Conditions: This problem occurs when you run the following command:

acs/admin#show port

!

Process : snmpd (2319)

udp: 0.0.0.0 (161)

Workaround:

1. Reboot the ACS appliance

2. Restart the ACS SNMP daemon

CSCtg32596

ACS server error while changing the log collector in a distributed deployment.

Symptom: Error in the ACS server.

Conditions: This problem occurs when you try to change the log collector in distributed deployment.

Workaround: Restart the ACS Monitoring & Reports Viewer processes.

CSCtg47711

TACACS authorization fails if the custom attribute value is more than 175.

Symptom: TACACS+ authorization fails if length for the customer attributes value exceed 175.

For example, if two custom attributes are configured and length of the value of the two custom attributes put together exceeds 175, the authorization will fail. This is also true for single custom attributes.

Conditions: This problem occurs if the length for the customer attributes value exceed 175.

Workaround: Make sure the length of value given for custom attributes does not exceed 175.

CSCtc64472

ACS Instance Health Summary - Data for details such as CPU figures are not updated.

Symptom: ACS Instance Health Summary report in ACS Monitoring & Reports Viewer does not get updated frequently.

Conditions: This problem occurs when you launch ACS Instance Health Summary report in ACS Monitoring & Reports Viewer.

Workaround: Check the status shown in tool tips for the ACS instance under ACS Health tab in the Dashboard.

CSCtc81268

Report links for authentication inactivity alarm authentication trend does not work.

Symptom: The link to Authentication Trend report given inside the alarm generated for Authentication inactivity does not work.

Conditions: This problem occurs with the link inside the alarm generated for Authentication inactivity.

Workaround: Launch the Authentication Trend report from Monitoring and Reports > Reports > Catalog > AAA Protocol > Authentication trend.

CSCtc86337

Favorite report launched from the dashboard displays an error.

Symptom: Favorite report cannot be launched from the dashboard.

Conditions: This problem may occur when you launch a favorite report that has special characters in the name from the dashboard.

Workaround: Launch the report from Monitoring and Reports > Reports > Favorites.

CSCtd36180

When you run CoA re-auth, accounting shows a stop record.

Symptom: For a given active session on ACS when CoA is run with the Re-Auth, ACS accounting records for the session display a "Stop" record followed by "Interim-Update".

Conditions: This problem occurs when the device is authenticated using MAB and then a CoA re-auth is run from the ACS Monitoring & Reports Viewer.

Workaround: None.

CSCtd44318

ACS Monitoring & Reports Viewer logs an error for non-existing service "NDAC_SGT_Service" with EAP-FAST.

Symptom: RADIUS authentication report for EAP-FAST has undefined Access Service type as "NDAC_SGT_Service".

Conditions: This problem occurs with RADIUS authentication report with EAP-FAST.

Workaround: None.

CSCtd46268

ACS Monitoring & Reports Viewer does not log records when changed from distributed to standalone.

Symptom: ACS instance that is changed in the distributed environment from a log collector to the stand alone mode, does not log any new authentication records.

Conditions: This problem occurs when you change an ACS instance from a log collector in a distributed environment to the stand alone mode.

Workaround: Restart the view processes.

CSCte20853

Traceroute information is not shown when you trace a device from Monitoring and Reports > Troubleshooting.

Symptom: Traceroute information is not shown from Monitoring and Reports > Troubleshooting.

Conditions: This problem occurs when you go to Monitoring and Reports > Troubleshooting and try to do a Traceroute for a device.

Workaround: Do the traceroute from ACS CLI.

CSCte20871

When you ping a device by DNS hostname from Monitoring and Reports > Troubleshooting, it does not work.

Symptom: When you try to ping a device by DNS hostname, it does not work.

Conditions: This problem occurs when you ping a device by DNS hostname from Monitoring and Reports > Troubleshooting. The DNS of the device and ACS are the same.

Workaround: Ping the device from ACS CLI.

CSCte84824

ACS Monitoring & Reports Viewer's Expert Troubleshooter does not compare assigned Device SGT.

Symptom: ACS Monitoring & Reports Viewer's Expert Troubleshooter does not compare Device SGT that is assigned to the device.

Conditions: This problem occurs with Device SGT.

Workaround: None.

CSCte94293

ACS Monitoring & Reports Viewer's Expert Troubleshooter does not compare IP user SGT.

Symptom: ACS Monitoring & Reports Viewer's Expert Troubleshooter does not compare IP user SGT.

Conditions: This problem occurs with IP user SGT.

Workaround: None.

CSCtf18322

Expert Troubleshooter tool's Egress Policy failed to compare the policies

Symptom: Expert Troubleshooter tool's Egress Policy does not compare the ACS policy and the policy that is on the switch.

Conditions: This problem occurs with Egress Policy.

Workaround: None.

CSCtc65305

ACS Monitoring & Reports Viewer displays ServSelect Rule # instead of Authorization Rule #.

Symptom: ACS Monitoring & Reports Viewer interchanges the service selection rule and authorization rule in the report.

Conditions: This problem occurs with service selection and authorization rule.

Workaround: None.

CSCth57441

ACS 5.1HDD failure does not prevent RT from processing incoming requests.

Symptom: A hardware failure that causes the ACS appliance's file system to be mounted in read-only, does not prevent the runtime component to load and start processing the incoming RADIUS requests.

However, if critical logging is enabled, the authentication attempts fail. The authentication attempts cannot be logged on the local hard-drive because it is mounted in read-only mode

Since the runtime process remains active but does not process the authentication requests, it prevents the AAA client from falling back to the secondary server.

Conditions: This problem occurs when ACS 5.1 appliance is running with a failed HDD and the critical logger is enabled.

Workaround: Manually shut down the failed ACS appliance until it is replaced.

CSCth62139

ACS authentication rate decreases with internal user attribute.

Symptom: ACS authentication rate decreases disproportionately to the with new internal user attributes.

Conditions: This problem occurs when you add many new attributes for users in the internal database. The sustainable authentications rate of ACS 5.1 decreases disproportionately.

For example, with 10 attributes and a single internal user, the sustainable rate can go up to 300-400 RADIUS PAP authentications per second.

By adding up to 96 attributes to that single internal user, the sustainable rate decreases to 30 RADIUS PAP authentications per second.

Workaround: None.

CSCth68051

Migrated devices cannot update the location through the import from CSV file.

Symptom: After migration from ACS 4.x the network devices cannot be updated using the File Operations update CSV.

Conditions: This problem occurs if you try to update the location or device-type. Update completes without errors, but nothing changes.

Workaround:

1. Export the migrated or all devices to a CSV file.

2. Remove all devices from ACS 5.x.

3. Import/add the devices again from the CSV file.

After the import you will be able to update the devices through import.

CSCth72626

MS-CHAPv2 responses with bad flag values are not dropped.

Symptom: If the NAS sends an MS-CHAP-v2 response with the flags field not set to '0' (0x00), ACS 5.1 drops RADIUS access requests for MS-CHAP-v2 with the following error message:

Flags in radius attribute MSCHAP2_Response MUST be zero, but now is - 1

Conditions: This problem occurs if the flags in the fourth byte of the MS-CHAP-v2 response is not 0x00 (the only mandatory value allowed by RFC 2548).

Workaround: None.

CSCth72779

ACS 5 sends EAP-failure message as a challenge rather than as an access-reject.

Symptom: When a supplicant sends a bad MSCHAP message inside a PEAP tunnel ACS 5.x server responds with an EAP-failure message encapsulated in a RADIUS-challenge packet.

Conditions: This problem occurs when you are running ACS 5.x with PEAP-MSChapV2.

Workaround: None.

CSCth77468

ACS 5.1 do not include 'C' and 'V' values in MS-CHAP-v2 failure packet.

Symptom: ACS 5.1 does not include 'C' and 'V' values in MS-CHAP-v2 failure packet.

Conditions: This problem occurs while sending a RADIUS access-reject for PPP MS-CHAP-v2 authentication. ACS 5.1 includes the following values in the MS-CHAP-v2 failure:

'E' = 691 to indicate the authentication failure

'R' = 0 to indicate that a retry is not allowed

The "cccccccccccccccccccccccccccccccc" is the ASCII representation of a hexadecimal challenge value. This field must be exactly 32 octets long

Because of this, some NASs, such as an ASA do not honor the RADIUS access-reject because of the missing values. This sends further RADIUS access-request retries.

Workaround: None.

CSCth68006

Process status not updated after restarting runtime in distributed environment.

Symptom: In distributed environment process, the status alert is generated continuously.

Conditions: This problem occurs when you:

1. Configure secondary server as Log collector.

2. Configure alarm threshold to monitor process status of primary.

3. Stop and start runtime in primary.

Workaround: Restart ACS.

CSCth66212

CLI command show tech-support displays an error message.

Symptom: The CLI command show tech-support displays the following error:

% Error: acs manifest has no TAC information.

Conditions: This problem occurs when you run the following commands in admin mode:

ACS52-227/admin# show tech-support file file1

% Error: acs manifest has no TAC information

ACS52-227/admin# show tech-support

******* support- Information***********

!

!

....

% Error: acs manifest has no TAC information.

At the end file1 is created in localdisk as file1.tar.gz.

Workaround: None

CSCth66302

RADIUS authentication request rejected because of a critical logging error.

Symptom: Running stress PEAP MS-CHAPV2 against primary ACS machine fails with the following error message:

Radius Authentication Request Rejected due to critical logging error

Conditions: This problem occurs when there is a large deployment setup with one primary connected to seven secondary machines.

Workaround: None.

CSCth42890

ID store names containing HTML control characters cause error while saving ID policy.

Symptom: ID store names containing HTML control characters cause error while saving ID policy changes. The following error appears:

This System Failure occurred: {0}. Your changes have not been saved. Click OK to return to the list page.

Conditions: This problem occurs when you:

1. Create an Identity Store Sequence like under Users and Identity Stores > Identity Store Sequences

2. Select the created Identity Store Sequence under Access Policies > Access Services > Default Network Access > Identity

3. Click Save Changes

4. Edit Identity Store Sequence

5. Click Save Changes

Workaround: Do not use HTML control character percentage (%) in names of ID stores.

CSCtg87211

Primary management process fails during large user import.

Symptom: Primary management process fails during large user import.

Conditions: The problem occurs when you import more than 50,000 users in a scaled ACS deployment (7 secondaries and more).

Workaround: The management process is restarted automatically by watchdog. Repeat the import procedure.

When importing a large number of users (more than 5000) in distributed deployment it is recommended to deregister all secondary nodes and perform the import to single primary. Then re-register the secondary nodes.

CSCtl01880

User password expiry reminder message is not shown for RADIUS authentication.

Symptom: No reminder is shown for RADIUS authentication.

Condition: No reminder is shown for RADIUS authentication even when the option for reminder is enabled, if the password is not changed in N number of days.

Workaround: None.

CSCtk02959

Cannot use a % in password on CLI.

Symptom: Get error if trying to add a % in the password on the CLI.

Conditions: On the CLI, create a user with a % any where in the password.

Workaround: Do not use % in password.

CSCtn17779

ACS 5 migration utility aborts with errors on Windows 2008 64 bit

Symptom: The ACS 5 migration utility aborts with errors.

Conditions: This is seen when the migration utility runs on Windows 2008 64 bit.

Workaround: Run the utility on Windows 2003.

CSCtj81255

Two MAC addresses detected on neighbooring switch of ACS 1121 Appliance.

Symptom: Two MAC addresses are detected on the switch interface connected to an ACS 1121 Appliance although only one interface is connected on the ACS 1121 Server eth 0.

Conditions: Only one Ethernet interface, eth 0 is connected between ACS and Switch.

Workaround: Assign a static IP address to disable the DHCP function of the BMC (Baseboard Management Controller) feature using BIOS setup.


Caution To help prevent a potential network security threat, Cisco strongly recommends physically disconnecting from the Cisco ISE console management port when you are not using it. For more details, see http://seclists.org/fulldisclosure/2011/Apr/55, which applies to the Cisco ISE, Cisco NAC Appliance, and Cisco Secure ACS hardware platforms.

CSCua99537

Network Time Protocol Daemon (NTPD) running with ACS, sometimes, does not synchronize its clock with the windows time service.

Symptom: When AD domain is used as a NTP server, the clcok on ACS and AD does not synchronize with the windows time service.

Conditions: This problem occurs often when ACS or AD is running as a virutal machine.

Workaround: None.


Documentation Updates

Table 16 lists the updates to Release Notes for the Cisco Secure Access Control System 5.2.

Table 16 Updates to Release Notes for the Cisco Secure Access Control System 5.2 

Date
Description

11/19/2012

Added "Resolved Issues in Cumulative Patch ACS 5.2.0.26.11" section

08/24/2012

Added a known issue CSCua99537 in the Known ACS Issues section and not supporting multiple NIC in Features Not Supported section.

04/10/2012

Added "Resolved Issues in Cumulative Patch ACS 5.2.0.26.10" section.

02/14/2012

Added "Resolved Issues in Cumulative Patch ACS 5.2.0.26.9" section.

10/12/2011

Added "Resolved Issues in Cumulative Patch ACS 5.2.0.26.8" section.

10/04/2011

Added "Resolved Issues in Cumulative Patch ACS 5.2.0.26.7" section.

09/22/2011

Added the two bugs CSCtl84134 and CSCtk34409 in"Resolved Issues in Cumulative Patch ACS 5.2.0.26.3" section.

08/10/2011

Added a line in "Features Not Supported" section to fix the bug CSCtr60378.

07/29/2011

Added "Resolved Issues in Cumulative Patch ACS 5.2.0.26.6" section.

06/07/2011

Added "Resolved Issues in Cumulative Patch ACS 5.2.0.26.5" section.

05/04/2011

Added "Resolved Issues in Cumulative Patch ACS 5.2.0.26.4" section.

04/26/2011

Added bug CSCtn17779 to the "Known ACS Issues" section.

03/03/2011

Added the following bugs to the "Known ACS Issues" section:

CSCtl01880

CSCtk02959

CSCtj81255

Updated "Features Not Supported" section.

02/15/2011

Added "Resolved Issues in Cumulative Patch ACS 5.2.0.26.3" section

01/20/2011

Added Expiry of Users under "Features Not Supported" section

01/12/2011

Added:

"Resolved Issues in Cumulative Patch ACS 5.2.0.26.1" section

"Resolved Issues in Cumulative Patch ACS 5.2.0.26.2" section.

11/09/2010

Added "SFTP Copy" section.

08/19/2010

Cisco Secure Access Control System, Release 5.2.


Product Documentation


Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.


Table 17 lists the product documentation that is available for ACS 5.2. To find end-user documentation for all the products on Cisco.com, go to: http://www.cisco.com/go/techdocs

Select Network Management > Security and Identity Management > Cisco Secure Access Control Server Products > Cisco Secure Access Control System.

Table 17 Product Documentation 

Document Title
Available Formats

License and Documentation Guide for the Cisco Secure Access Control System 5.2

http://www.cisco.com/en/US/products/ps9911/
products_documentation_roadmaps_list.html

Migration Guide for the Cisco Secure Access Control System 5.2

http://www.cisco.com/en/US/products/ps9911/
prod_installation_guides_list.html

User Guide for the Cisco Secure Access Control System 5.2

http://www.cisco.com/en/US/products/ps9911/
products_user_guide_list.html

CLI Reference Guide for the Cisco Secure Access Control System 5.2

http://www.cisco.com/en/US/products/ps9911/
prod_command_reference_list.html

Supported and Interoperable Devices and Softwares for the Cisco Secure Access Control System 5.2

http://www.cisco.com/en/US/products/ps9911/
products_device_support_tables_list.html

Installation and Upgrade Guide for the Cisco Secure Access Control System 5.2

http://www.cisco.com/en/US/products/ps9911/
prod_installation_guides_list.html

Software Developer's Guide for the Cisco Secure Access Control System 5.1

Note The ACS 5.1 Software Developer's Guide is applicable for ACS 5.2 as well.

http://www.cisco.com/en/US/products/ps9911/
products_programming_reference_guides_list.html

Regulatory Compliance and Safety Information for the Cisco 1121 Secure Access Control System 5.1

http://www.cisco.com/en/US/products/ps9911/
prod_installation_guides_list.html


Notices

The following notices pertain to this software license.

OpenSSL/Open SSL Project

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

This product includes software written by Tim Hudson (tjh@cryptsoft.com).

License Issues

The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.

OpenSSL License:

Copyright © 1998-2007 The OpenSSL Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)".

4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.

5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment:

"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)".

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS"' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

Original SSLeay License:

Copyright © 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).

The implementation was written so as to conform with Netscapes SSL.

This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).

Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgement:

"This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)".

The word `cryptographic' can be left out if the routines from the library being used are not cryptography-related.

4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)".

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].

Supplemental License Agreement

END USER LICENSE AGREEMENT SUPPLEMENT FOR CISCO SYSTEMS ACCESS CONTROL SYSTEM SOFTWARE:

IMPORTANT: READ CAREFULLY

This End User License Agreement Supplement ("Supplement") contains additional terms and conditions for the Software Product licensed under the End User License Agreement ("EULA") between you and Cisco (collectively, the "Agreement"). Capitalized terms used in this Supplement but not defined will have the meanings assigned to them in the EULA. To the extent that there is a conflict between the terms and conditions of the EULA and this Supplement, the terms and conditions of this Supplement will take precedence.

In addition to the limitations set forth in the EULA on your access and use of the Software, you agree to comply at all times with the terms and conditions provided in this Supplement. DOWNLOADING, INSTALLING, OR USING THE SOFTWARE CONSTITUTES ACCEPTANCE OF THE AGREEMENT, AND YOU ARE BINDING YOURSELF AND THE BUSINESS ENTITY THAT YOU REPRESENT (COLLECTIVELY, "CUSTOMER") TO THE AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THE AGREEMENT, THEN CISCO IS UNWILLING TO LICENSE THE SOFTWARE TO YOU AND (A) YOU MAY NOT DOWNLOAD, INSTALL OR USE THE SOFTWARE, AND (B) YOU MAY RETURN THE SOFTWARE (INCLUDING ANY UNOPENED CD PACKAGE AND ANY WRITTEN MATERIALS) FOR A FULL REFUND, OR, IF THE SOFTWARE AND WRITTEN MATERIALS ARE SUPPLIED AS PART OF ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE PRODUCT FOR A FULL REFUND. YOUR RIGHT TO RETURN AND REFUND EXPIRES 30 DAYS AFTER PURCHASE FROM CISCO OR AN AUTHORIZED CISCO RESELLER, AND APPLIES ONLY IF YOU ARE THE ORIGINAL END USER PURCHASER.

1. Product Names

For purposes of this Supplement, the Product name(s) and the Product description(s) you may order as part of Access Control System Software are:

A. Advanced Reporting and Troubleshooting License

Enables custom reporting, alerting and other monitoring and troubleshooting features.

B. Large Deployment License

Allows deployment to support more than 500 network devices (AAA clients that are counted by configured IP addresses). That is, the Large Deployment license enables the ACS deployment to support an unlimited number of network devices in the enterprise.

C. Advanced Access License (not available for Access Control System Software 5.0, will be released with a future Access Control System Software release)

Enables TrustSec policy control functionality and other advanced access features.

2. ADDITIONAL LICENSE RESTRICTIONS

Installation and Use. The Cisco Secure Access Control System (ACS) Software component of the Cisco 1121 Hardware Platform is preinstalled. CDs containing tools to restore this Software to the 1121 hardware are provided to Customer for reinstallation purposes only. Customer may only run the supported Cisco Secure Access Control System Software Products on the Cisco 1121 Hardware Platform designed for its use. No unsupported Software product or component may be installed on the Cisco 1121 Hardware Platform.

Software Upgrades, Major and Minor Releases. Cisco may provide Cisco Secure Access Control System Software upgrades for the 1121 Hardware Platform as Major Upgrades or Minor Upgrades. If the Software Major Upgrades or Minor Upgrades can be purchased through Cisco or a recognized partner or reseller, the Customer should purchase one Major Upgrade or Minor Upgrade for each Cisco 1121 Hardware Platform. If the Customer is eligible to receive the Software release through a Cisco extended service program, the Customer should request to receive only one Software upgrade or new version release per valid service contract.

Reproduction and Distribution. Customer may not reproduce nor distribute software.

3. DEFINITIONS

Major Upgrade means a release of Software that provides additional software functions. Cisco designates Major Upgrades as a change in the ones digit of the Software version number [(x).x.x].

Minor Upgrade means an incremental release of Software that provides maintenance fixes and additional software functions. Cisco designates Minor Upgrades as a change in the tenths digit of the Software version number [x.(x).x].

4. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS

Please refer to the Cisco Systems, Inc., End User License Agreement.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.