Release Notes for Cisco Secure Access Control System 5.3

Table of Contents

Release Notes for Cisco Secure Access Control System 5.3

Introduction

New and Changed Features

Dial-In Attribute Support

PEAP(EAP-TLS)

Policy and Identity Enhancements

New CLI Commands

View Log Message Recovery

Programmatic Interface Enhancements

SFTP Copy

Features Not Supported

Supported Virtual Environments

Supported Web Client/Browsers

Installation and Upgrade Notes

Installing, Setting up and Configuring CSACS 1121

Running the Setup Program

Licensing in ACS 5.3

Types of Licenses

Auto-Installation of Evaluation License

Upgrading an ACS Server

Applying Cumulative Patches

Resolved ACS Issues

Resolved Issues in Cumulative Patch ACS 5.3.0.40.1

Resolved Issues in Cumulative Patch ACS 5.3.0.40.2

Resolved Issues in Cumulative Patch ACS 5.3.0.40.3

Resolved Issues in Cumulative Patch ACS 5.3.0.40.4

Resolved Issues in Cumulative Patch ACS 5.3.0.40.5

Resolved Issues in Cumulative Patch ACS 5.3.0.40.6

Resolved Issues in Cumulative Patch ACS 5.3.0.40.7

Resolved Issues in Cumulative Patch ACS 5.3.0.40.8

Resolved Issues in Cumulative Patch ACS 5.3.0.40.9

Limitations in Different ACS Deployments

Known ACS Issues

Documentation Updates

Product Documentation

Notices

OpenSSL/Open SSL Project

License Issues

Supplemental License Agreement

Obtaining Documentation and Submitting a Service Request

Release Notes for Cisco Secure Access Control System 5.3

Revised: August 13, 2014 OL-24203-01

These release notes pertain to the Cisco Secure Access Control System (ACS), release 5.3, hereafter referred to as ACS 5.3. These release notes provide information on the features, related documentation, resolved issues, and known issues for functionality in this release.

This document contains:

Introduction

ACS is a policy-driven access control system and an integration point for network access control and identity management.

The ACS 5.3 software runs either on a dedicated Cisco 1121 Secure Access Control System (CSACS-1121) appliance or on a VMware server. ACS 5.3 also continues to support the CSACS-1120 appliances used with previous releases of ACS, which you can upgrade to ACS 5.3.

This release of ACS provides new and enhanced functionality. Throughout this documentation, CSACS-1121 refers to the appliance hardware, and ACS Server refers to the ACS software.


Note When you install ACS 5.3 or upgrade any older version of ACS to ACS 5.3, we strongly recommend that you install cumulative patch 5.3.0.40.4 or a later patch as part of the installation or upgrade process. This patch includes important fixes related to the upgrade process and to Active Directory operations. You must install this patch if you use Active Directory as an identity store in ACS.
You can upgrade ACS using two methods. For more information on upgrading ACS, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/installation/guide/csacs_upg.html#wp1194859.
If you use the Re-imaging and Upgrading ACS Server method, you must install cumulative patch 5.3.0.40.4 or a later patch before you restore the data backed up from ACS 5.1 or 5.2.
If you use the Upgrading an ACS Server Using Application Upgrade Bundle method, you must install cumulative patch 5.3.0.40.4 or a later patch after the upgrade completes successfully.
Note that when you upgrade ACS with the upgrade bundle method, some log-collection processes may not restart successfully. They are restarted when you install cumulative patch 5.3.0.40.4 or later. See Applying Cumulative Patches for the procedure to install a cumulative patch in ACS.



Note ACS 5.3 does not retrieve the domain local groups of users once patch 3 or a later patch is installed.



Note When you import or export a .csv file from ACS 5.x, you must turn off the browser's popup blocker.



Note Cisco runs a security scan on the ACS application during every major release. We do not recommend running vulnerability scans against ACS in a production environment, because such scans carry risks that could affect the ACS application. Run vulnerability scans in a preproduction environment instead.


New and Changed Features

This release of ACS provides improved parity with 4.x. The following sections briefly describe the new and changed features in the 5.3 release:

Dial-In Attribute Support

The Dial-In Attribute feature enhancement includes:

  • Dial-in permissions

You can allow or deny a user's dial-in permission and control access based on it. The permission is checked during authentication or during queries against Active Directory, and it is set in the Active Directory dedicated dictionary.

  • Callback

You can set up callback options. If callback is enabled, the server calls the caller back during the connection process. The phone number that the server uses is set either by the caller or by the network administrator.

PEAP(EAP-TLS)

The protocol enhancements in ACS 5.3 include:

  • TACACS+ Proxy

ACS can act as a TACACS+ proxy, relaying requests to remote AAA servers and returning their responses to the network devices.

  • TACACS+ CHAP and MSCHAP authentication types are supported in ACS 5.3
  • Attribute Substitution for TACACS+ shell profiles

Allows you to substitute the value of a TACACS+ attribute with the value of another attribute taken from one of the available dynamic dictionaries in the shell profile configuration. For more information on TACACS+ authentication, see the User Guide for Cisco Secure Access Control System 5.3.

  • EAP Authentication Protocols

Supports EAP-TLS inner method for PEAP, in addition to EAP-MSCHAPv2 and EAP-GTC.

Policy and Identity Enhancements

The Policy and Identity enhancements in ACS 5.3 include:

  • Display RSA node secret missing

Reports the status of an RSA node secret in the ACS Instance Settings section.

  • Maximum user sessions

Allows you to limit the number of concurrent sessions a user may hold. The permitted number of concurrent user sessions is between 1 and 65535.

For more information, see the User Guide for Cisco Secure Access Control System 5.3.

  • Account Disablement

Allows you to disable users in the Internal Identity Store when a configured date is reached, when a configured number of days has elapsed, or when the number of consecutive unsuccessful login attempts exceeds a threshold.

The default for the date-based rule is 30 days from the current date, the default for the days-based rule is 60 days, and the default threshold for consecutive failed attempts is 5.

For more information, see the User Guide for Cisco Secure Access Control System 5.3.

  • User Check Attributes

Allows you to create conditions that compare the values of two different attributes.

  • Identity Sequence Advanced Options

ACS 5.3 authenticates a user against the identity stores in a configured sequence. You can now configure whether ACS proceeds to the next identity store in the sequence when it cannot connect to the current one. ACS goes to the next identity store when:

the user is not found in the current identity store, or

the current identity store in the sequence is not available (if so configured).

  • User Password Type

Allows you to set the password type of users in the internal identity store. You can select the internal store or any one of the external identity stores to indicate against which store a given user's password is authenticated.

For more information on User Password Type, see the User Guide for Cisco Secure Access Control System 5.3.

  • Additional Attributes available in the policy condition

Supports two additional attributes in policy conditions. The administrator must customize the Simple or Compound Condition option in the rule table to use these attributes.

Authentication Identity Store

Enables you to configure policy rule conditions based on the identity store that authenticated the user.

For example: IF AuthenticationIdentityStore=LDAP_NY then reject

This attribute holds the name of the identity store used; it is set to the relevant store name only after a successful authentication.

Number of Hours Since User Creation

Enables you to configure policy rule conditions based on the time at which the user was created in the ACS Internal Identity Store.

For example: IF group=HelpDesk&NumberofHoursSinceUserCreation>48 then reject

This attribute holds the number of hours from the creation of the user in the Internal Identity Store to the time of the current authentication request.

  • Wildcards for Hosts

Allows you to use wildcards when you add new hosts to the Internal Identity Store. You can also enter the first three octets of a MAC address followed by a wildcard to specify all devices from the identified manufacturer. For more information, see the User Guide for Cisco Secure Access Control System 5.3.

  • Network Device Ranges

Allows you to configure one or more ranges of IP addresses using wildcards. The Exclude Range option lets you exclude a set of IP addresses from the configured range. You can also filter devices based on IP address.

  • Look up Network Device by IP address

Allows you to search for a network device by its IP address. You can also use wildcards and ranges to search for a specific set of network devices.
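The following Python is an added example, not code from these release notes or from ACS itself. It evaluates a first-match rule table over constructed authentication requests using the two attributes described under Additional Attributes available in the policy condition above. The rule names and the attribute semantics follow the release-notes examples; the request fields, helper names and sample users are assumptions for illustration. It shows the two behaviours a practitioner trips over: AuthenticationIdentityStore is populated only after a successful authentication, and NumberOfHoursSinceUserCreation does not exist for users held in an external store, so a condition on it must evaluate to false rather than fail.

```python
"""Evaluate ACS-style policy rule conditions (example code, not part of ACS)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class AuthRequest:
    """Attributes a rule can see for one authentication (fields are assumed for this example)."""
    username: str
    groups: Set[str] = field(default_factory=set)
    # Name of the store that actually authenticated the user; None until authentication succeeds.
    authentication_identity_store: Optional[str] = None
    # Creation time exists only for users in the ACS Internal Identity Store.
    user_created_at: Optional[datetime] = None
    request_time: datetime = field(default_factory=lambda: datetime.now(timezone.utc))

    def hours_since_user_creation(self) -> Optional[float]:
        """NumberOfHoursSinceUserCreation; None when the user is not an internal user."""
        if self.user_created_at is None:
            return None
        return (self.request_time - self.user_created_at).total_seconds() / 3600.0


Condition = Callable[[AuthRequest], bool]
Rule = Tuple[str, Condition, str]          # (rule name, condition, result)


def authenticated_by(store: str) -> Condition:
    """AuthenticationIdentityStore = store (never true before a successful authentication)."""
    return lambda req: req.authentication_identity_store == store


def in_group(name: str) -> Condition:
    return lambda req: name in req.groups


def older_than_hours(hours: float) -> Condition:
    """NumberOfHoursSinceUserCreation > hours; false when the attribute is absent."""
    def cond(req: AuthRequest) -> bool:
        age = req.hours_since_user_creation()
        return age is not None and age > hours
    return cond


def all_of(*conds: Condition) -> Condition:
    """Compound condition with AND semantics."""
    return lambda req: all(c(req) for c in conds)


def evaluate(rules: List[Rule], req: AuthRequest, default: str = "permit") -> Tuple[str, str]:
    """First-match evaluation of a rule table; returns (matched rule name, result)."""
    for name, cond, result in rules:
        if cond(req):
            return name, result
    return "default", default


# The two example rules from the release notes, expressed with the helpers above.
RULES: List[Rule] = [
    ("reject-ldap-ny", authenticated_by("LDAP_NY"), "reject"),
    ("reject-stale-helpdesk", all_of(in_group("HelpDesk"), older_than_hours(48)), "reject"),
]


def demo_decisions() -> Dict[str, Tuple[str, str]]:
    """Run RULES over constructed requests; returns {username: (rule, result)}."""
    now = datetime(2014, 8, 13, 12, 0, tzinfo=timezone.utc)
    requests = [
        # Internal help-desk account created three days ago: past the 48-hour window.
        AuthRequest("tmp01", {"HelpDesk"}, "Internal Users", now - timedelta(hours=72), now),
        # Internal help-desk account created ten hours ago: still inside the window.
        AuthRequest("tmp02", {"HelpDesk"}, "Internal Users", now - timedelta(hours=10), now),
        # AD user in the same group: no creation time, so the hours condition is false.
        AuthRequest("jdoe", {"HelpDesk"}, "AD1", None, now),
        # Authenticated by LDAP_NY: first rule fires regardless of group.
        AuthRequest("nyuser", set(), "LDAP_NY", None, now),
    ]
    return {r.username: evaluate(RULES, r) for r in requests}


if __name__ == "__main__":
    for user, decision in demo_decisions().items():
        print(f"{user}: {decision[1]} (rule {decision[0]})")
```

The age check is written so that an absent attribute never satisfies the condition; if you instead want external-store users to be rejected when the attribute is missing, that has to be an explicit rule, not a side effect of a comparison against None.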

New CLI Commands

The following are the new CLI commands in ACS 5.3:

  • database-compress

database-compress reduces the ACS database size, with an option to delete the ACS transaction table.

ACS administrators can run this command to reduce the database size, which also shortens the time taken for backups and for the full synchronization needed during maintenance. For more information on this command, see the CLI Reference Guide for Cisco Secure Access Control System 5.3.

  • acsview-db-compress

acsview-db-compress reduces the size of the Monitoring and Report Viewer database. ACS administrators can run this command to reduce that database's size.

This command compresses the Monitoring and Report Viewer database by rebuilding each table and releasing unused space, which reduces the physical size of the View database. For more information on this command, see the CLI Reference Guide for Cisco Secure Access Control System 5.3.

View Log Message Recovery

ACS 5.3 provides a new feature to recover logs that are missed while the View (Monitoring and Report Viewer) is down. ACS collects the missed logs and stores them in its own database; with this feature, you can move them from the ACS database to the View database after the View is back up.

To use this feature, you must turn on Log Message Recovery Configuration. For more details on configuring View Log Message Recovery, see the User Guide for Cisco Secure Access Control System 5.3.

Programmatic Interface Enhancements

ACS 5.3 provides a new configuration web service. This interface lets you perform CRUD (Create, Read, Update, and Delete) operations. The configuration web services are implemented as REST interfaces over HTTPS. In ACS 5.3, this support covers user definitions only.

For more information, see the Software Developer's Guide for Cisco Secure Access Control System 5.3.

SFTP Copy

In ACS 5.3, SSH File Transfer Protocol (SFTP) support for repositories is implemented by means of the Secure Copy Protocol (SCP).

Features Not Supported

The following features are not supported in ACS 5.3:

  • The Create, Read, Update, and Delete (CRUD) operations for network device objects in the REST PI.
  • The Create, Read, Update, and Delete (CRUD) operations for end devices (hosts) in the REST PI.
  • Ability to provide IP addresses from IP address pools defined in ACS.
  • Additional comparison operators for policy definitions, such as full range, string, and integer matching operators.
  • Instance-specific configuration.
  • Ability to show the IP address from which the request came in the Failed Authentications report.
  • Ability to authenticate users against an external ODBC database.
  • RDBMS support for synchronization of user accounts with an external database.
  • Online Certificate Status Protocol (OCSP).
  • VMware installations with less than 500 GB of hard disk.
  • VMware Tools.
  • Multiple Network Interface Cards (NICs).
  • A remote database with a cluster setup.

Supported Virtual Environments

ACS 5.3 supports the following virtual environment platforms:

  • VMware ESX 3.5
  • VMware ESX 4.0
  • VMware ESXi 4.1
  • VMware ESXi 5.0

Supported Web Client/Browsers

You can access ACS 5.3 administrative user interface using the following Web Client/Browsers:

  • Windows 7 32 bit
  • Windows XP Professional (Service Pack 2 and 3)
  • Windows Vista
  • Internet Explorer version 7.x
  • Internet Explorer version 8.x
  • Internet Explorer version 9.x
  • Mozilla Firefox version 3.x
  • Mozilla Firefox version 4.x

The browsers listed above are supported only with one of the following cipher suites:

  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA

You must install Windows XP SP3 to use SHA-256 signed certificates as management certificates.

Installation and Upgrade Notes

This section provides information on the installation tasks and configuration process for ACS 5.3. This section contains:

Installing, Setting up and Configuring CSACS 1121

This section describes how to install, set up, and configure the CSACS 1121 Series appliance. The CSACS 1121 Series appliance ships with the software preinstalled.

To set up and configure the CSACS 1121:


Step 1 Open the box containing the CSACS 1121 Series appliance and verify that it includes:

  • The CSACS 1121 Series appliance
  • Power cord
  • Rack-mount kit
  • Cisco Information Packet
  • Warranty card
  • Regulatory Compliance and Safety Information for Cisco Identity Services Engine, Cisco 1121 Secure Access Control System, Cisco NAC Appliance, Cisco NAC Guest Server, and Cisco NAC Profiler

Step 2 Go through the specifications of the CSACS 1121 Series appliance.

For more details, see the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.3.

Step 3 Read the general precautions and safety instructions that you must follow before installing the CSACS 1121 Series appliance.

For more details, see the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.3, and pay special attention to all safety warnings.

Step 4 Install the appliance in the 4-post rack, and complete the rest of the hardware installation.

For more details on installing the CSACS 1121 Series appliance, see the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.3.

Step 5 Connect the CSACS 1121 Series appliance to the network and connect either a USB keyboard and Video Graphics Array (VGA) monitor or a serial console to the serial port.

Figure 1 shows the back panel of the CSACS 1121 Series appliance and the various cable connectors.


Note For the initial setup, you must have either a USB keyboard and VGA monitor or a serial console running terminal-emulation software.


For more details, see the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.3.

For information on installing ACS 5.3 on VMware, see Installing ACS in a VMware Virtual Machine chapter in the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.3.

Figure 1 CSACS 1121 Series Appliance Rear View

 

The following table describes the callouts in Figure 1.

1  AC power receptacle
2  (Blocked) Gigabit Ethernet
3  Serial connector
4  Video connector
5  (Blocked) Gigabit Ethernet 1
6  (In Use) Gigabit Ethernet 0
7  USB 3 connector
8  USB 4 connector

Step 6 After completing the hardware installation, power up the appliance.

The first time you power up the appliance, you must run the setup program to configure the appliance. For more information, see Running the Setup Program.


 

Running the Setup Program

The setup program launches an interactive CLI that prompts you for the required parameters. Using the console or a dumb terminal, an administrator runs the setup program to configure the initial network settings and enter the initial administrator credentials for the ACS 5.3 server. The setup process is a one-time configuration task.

To configure the ACS Server:


Step 1 Power up the appliance.

The setup prompt appears:

Please type ‘setup’ to configure the appliance
localhost login:
 

Step 2 At the login prompt, enter setup and press Enter .

The console displays a set of parameters. You must enter the parameters as described in Table 1.


Note You can interrupt the setup process at any time by typing Ctrl-C before the last setup value is entered.


 

Table 1 Network Configuration Prompts

Prompt: Hostname
Default: localhost
Conditions: Length must be more than 2 but less than 20 characters. Valid characters are alphanumeric (A-Z, a-z, 0-9) and hyphen (-); the first character must be an ASCII letter.
Description: Enter the hostname.

Prompt: IPv4 IP Address
Default: None, network specific
Conditions: Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.
Description: Enter the IP address.

Prompt: IPv4 Netmask
Default: None, network specific
Conditions: Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.
Description: Enter a valid netmask.

Prompt: IPv4 Gateway
Default: None, network specific
Conditions: Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.
Description: Enter a valid default gateway.

Prompt: Domain Name
Default: None, network specific
Conditions: Cannot be an IP address. Valid characters are ASCII letters, digits, hyphen (-), and period (.).
Description: Enter the domain name.

Prompt: IPv4 Primary Name Server Address
Default: None, network specific
Conditions: Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.
Description: Enter a valid name server address.

Prompt: Add/Edit another nameserver
Default: None, network specific
Conditions: Each additional name server must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.
Description: To configure multiple name servers, enter Y.

Prompt: Username
Default: admin
Conditions: Must be more than 2 but less than 9 characters, and must be alphanumeric.
Description: Enter the username of the first administrative user. You can accept the default or enter a new username.

Prompt: Admin Password
Default: None (there is no default password)
Conditions: The password must be at least six characters long and contain at least one lower-case letter, one upper-case letter, and one digit.
Description: Enter the password. In addition:

  • Save the user and password information for the account that you set up for initial configuration.
  • Remember and protect these credentials because they allow complete administrative control of the ACS hardware, the CLI, and the application.
  • If you lose your administrative credentials, you can reset your password by using the ACS 5.3 installation CD.

After you enter the parameters, the console displays:

localhost login: setup
Enter hostname[]: acs-server-1
Enter IP address[]: 209.165.200.225
Enter IP default netmask[]: 255.255.255.0
Enter IP default gateway[]: 209.165.200.1
Enter default DNS domain[]: mycompany.com
Enter Primary nameserver[]: 209.165.200.254
Add/Edit another nameserver? Y/N : n
Enter username [admin]: admin
Enter password:
Enter password again:
Pinging the gateway...
Pinging the primary nameserver...
Do not use `Ctrl-C' from this point on...
Appliance is configured
Installing applications...
Installing acs...
Generating configuration...
Rebooting...
 

After the ACS server is installed, the system reboots automatically. You can then log in to ACS with the CLI username and password that you configured during setup.

This username and password are valid only for the CLI. To log in to the GUI, you must use the predefined username ACSAdmin and password default.

When you access the GUI for the first time, you are prompted to change the predefined administrator password. You can also define access privileges for other administrators who will use the GUI application.
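The following Python is an added example, not part of these release notes or of the ACS setup program. It encodes the Table 1 rules as validators and checks a complete set of setup answers (constructed here to mirror the console transcript above) before you sit at the console, so that a rejected value does not cost you a restart of the one-time setup. The function names and the sample answers are assumptions. One check goes beyond Table 1: the netmask validator also requires a contiguous mask, which the setup program's "valid IPv4 address" rule alone does not.

```python
"""Validators for the ACS 5.3 setup prompts, built from the rules in Table 1 (example code)."""
import ipaddress
import re
from typing import Dict, List

HOSTNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")   # letter first, then alphanumerics or hyphen
USERNAME_RE = re.compile(r"^[A-Za-z0-9]+$")            # alphanumeric only
DOMAIN_RE = re.compile(r"^[A-Za-z0-9.-]+$")            # ASCII letters, digits, hyphen, period


def valid_hostname(value: str) -> bool:
    """More than 2 and fewer than 20 characters, first character a letter."""
    return 2 < len(value) < 20 and bool(HOSTNAME_RE.match(value))


def valid_ipv4(value: str) -> bool:
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def valid_netmask(value: str) -> bool:
    """Table 1 only requires a valid IPv4 address; contiguity is an extra check added here."""
    if not valid_ipv4(value):
        return False
    host_bits = ~int(ipaddress.IPv4Address(value)) & 0xFFFFFFFF
    return host_bits & (host_bits + 1) == 0       # host bits must form one low run of ones


def valid_domain(value: str) -> bool:
    """Cannot be an IP address; ASCII letters, digits, hyphen, and period only."""
    return bool(DOMAIN_RE.match(value)) and not valid_ipv4(value)


def valid_username(value: str) -> bool:
    """More than 2 and fewer than 9 characters, alphanumeric only."""
    return 2 < len(value) < 9 and bool(USERNAME_RE.match(value))


def password_problems(value: str) -> List[str]:
    """Return the Table 1 password rules the value breaks; an empty list means it is accepted."""
    problems = []
    if len(value) < 6:
        problems.append("shorter than 6 characters")
    if not any(c.islower() for c in value):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in value):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in value):
        problems.append("no digit")
    return problems


CHECKS = {
    "hostname": (valid_hostname, "3 to 19 characters, letter first, alphanumerics or hyphen"),
    "ip": (valid_ipv4, "not a valid IPv4 address"),
    "netmask": (valid_netmask, "not a contiguous IPv4 netmask"),
    "gateway": (valid_ipv4, "not a valid IPv4 address"),
    "domain": (valid_domain, "not a domain name (IP addresses are rejected)"),
    "nameserver": (valid_ipv4, "not a valid IPv4 address"),
    "username": (valid_username, "3 to 8 alphanumeric characters"),
}


def check_setup_answers(answers: Dict[str, str]) -> Dict[str, List[str]]:
    """Validate one set of answers; returns {prompt: [problems]} for the failing prompts only."""
    failures: Dict[str, List[str]] = {}
    for key, (check, message) in CHECKS.items():
        if not check(answers.get(key, "")):
            failures[key] = [message]
    problems = password_problems(answers.get("password", ""))
    if problems:
        failures["password"] = problems
    return failures


# Constructed answers mirroring the console transcript in these release notes.
SAMPLE_ANSWERS = {
    "hostname": "acs-server-1",
    "ip": "209.165.200.225",
    "netmask": "255.255.255.0",
    "gateway": "209.165.200.1",
    "domain": "mycompany.com",
    "nameserver": "209.165.200.254",
    "username": "admin",
    "password": "Xk9-trq2-Vb7p-M3s",   # well above the six-character floor
}

if __name__ == "__main__":
    print(check_setup_answers(SAMPLE_ANSWERS) or "all setup answers accepted")
```

Note that the Table 1 password rule is only a floor: a six-character password with one of each class passes it. Because this account gives complete administrative control of the appliance, the CLI, and the application, treat the rule as a minimum and pick a long passphrase.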


 

Licensing in ACS 5.3

To operate ACS, you must install a valid license. ACS prompts you to install a valid license when you first access the web interface.

Each ACS instance (primary or secondary) in a distributed deployment requires a unique base license.

This section contains:

Types of Licenses

Table 2 lists the types of licenses available in ACS 5.3.

Table 2 ACS License Support

License
Description

Base License

The base license is required for all deployed software instances and for all appliances. It enables all ACS functions except the license-controlled features, and it enables the standard centralized reporting features.

The base license:

  • Is required for all primary and secondary ACS instances.
  • Is required for all appliances.
  • Supports deployments that have a maximum of 500 managed devices.

The following are the types of base licenses:

  • Permanent: does not have an expiration date. Supports deployments that have a maximum of 500 managed devices.
  • Evaluation: expires 90 days from the time the license is issued. Supports deployments that have a maximum of 50 managed devices.

The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure.

For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses, and hence the number of devices is 256.

Add-On Licenses

Add-on licenses can only be installed on an ACS server with a permanent base license. A large deployment requires the installation of a permanent base license.

The Security Group Access feature licenses are of three types: Permanent, Eval, and NFR. However, the permanent Security Group Access feature license can be used only with a permanent base license.
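The following Python is an added example, not ACS code. It serves two passages: the Network Device Ranges and Look up Network Device by IP address items under Policy and Identity Enhancements, and the device-count rule for the base license in Table 2 above. The spec syntax (a single address, a "*" octet wildcard, an "a-b" octet range, and "address/mask") and the sample inventory are assumptions for illustration; the 500- and 50-device limits are the ones stated in Table 2. It expands each device definition, applies an Exclude Range, counts unique addresses the way the license does, and reports which definition covers a given IP. The sample also shows how quickly wildcard and subnet definitions consume the license: three modest-looking entries add up to 531 addresses, over the permanent limit.

```python
"""Expand ACS-style network device address definitions and count them for licensing (example code)."""
import ipaddress
import itertools
from typing import Dict, List, Set, Tuple


def _octet_range(token: str) -> range:
    """One octet token: '*' (any value), 'a-b' (inclusive range) or a single number."""
    if token == "*":
        return range(0, 256)
    lo, _, hi = token.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not 0 <= lo_i <= hi_i <= 255:
        raise ValueError(f"bad octet token {token!r}")
    return range(lo_i, hi_i + 1)


def expand_spec(spec: str) -> Set[int]:
    """All IPv4 addresses (as ints) covered by one address spec."""
    if "/" in spec:
        # 'address/mask': every address in the subnet counts, as the licensing text states.
        net = ipaddress.ip_network(spec, strict=False)
        base = int(net.network_address)
        return set(range(base, base + net.num_addresses))
    tokens = spec.split(".")
    if len(tokens) != 4:
        raise ValueError(f"expected four octets in {spec!r}")
    octets = [_octet_range(t) for t in tokens]
    return {(a << 24) | (b << 16) | (c << 8) | d for a, b, c, d in itertools.product(*octets)}


Device = Tuple[str, List[str]]   # (include spec, list of exclude specs)


def device_addresses(device: Device) -> Set[int]:
    """Addresses of one definition after the Exclude Range specs are removed."""
    include, excludes = device
    addrs = expand_spec(include)
    for ex in excludes:
        addrs -= expand_spec(ex)
    return addrs


def licensed_device_count(devices: Dict[str, Device]) -> int:
    """Unique IP addresses across all definitions, which is what the base license counts."""
    seen: Set[int] = set()
    for dev in devices.values():
        seen |= device_addresses(dev)
    return len(seen)


LICENSE_LIMITS = {"permanent": 500, "evaluation": 50}   # managed-device limits from Table 2


def within_license(devices: Dict[str, Device], license_type: str) -> bool:
    return licensed_device_count(devices) <= LICENSE_LIMITS[license_type]


def lookup_device(devices: Dict[str, Device], ip: str) -> List[str]:
    """Names of the definitions that cover ip (the look-up-by-IP-address use case)."""
    target = int(ipaddress.IPv4Address(ip))
    return [name for name, dev in devices.items() if target in device_addresses(dev)]


# Constructed sample inventory.
DEVICES: Dict[str, Device] = {
    "core-switches": ("10.1.1.1-20", []),                 # 20 addresses
    "branch-routers": ("10.2.*.1", ["10.2.0.1"]),         # 256 minus one excluded = 255
    "lab-subnet": ("10.9.9.0/255.255.255.0", []),         # mask form: 256 addresses
}

if __name__ == "__main__":
    total = licensed_device_count(DEVICES)
    for kind in LICENSE_LIMITS:
        print(f"{total} devices, {kind} license ok: {within_license(DEVICES, kind)}")
    print("10.2.7.1 belongs to", lookup_device(DEVICES, "10.2.7.1"))
```

Run licensed_device_count over your real inventory before importing it into ACS: because every address in a wildcard or subnet definition counts, a single "/24" entry already exceeds the 50-device evaluation license on its own.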

Auto-Installation of Evaluation License

If you are using a virtual machine (VM) for ACS with disk space between 60 GB and 512 GB, ACS automatically installs the evaluation license. However, you can also get the evaluation license and install it manually on the ACS server.

If you use an ACS server with less than 500 GB hard disk space, Cisco does not provide support for scalability, performance, and disk space-related issues.

For more information on installing ACS 5.3 on VMware, see Installing ACS in a VMware Virtual Machine chapter in the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.3.

Upgrading an ACS Server

See Installation and Upgrade Guide for Cisco Secure Access Control System 5.3 for information on upgrading your ACS Server.

Applying Cumulative Patches

Periodically, patches that provide fixes to ACS 5.3 are posted on Cisco.com. These patches are cumulative: each patch includes all the fixes that were included in previous patches for the release.

You can download ACS 5.3 cumulative patches from the following location: http://www.cisco.com/cisco/web/download/index.html

To download and apply the patches:


Step 1 Log into Cisco.com and navigate to Network Management > Security > Identity Management > Cisco Secure Access Control System > Cisco Secure Access Control System 5.3.

Step 2 Download the patch.

Step 3 Install the ACS 5.3 cumulative patch. To do this:

a. Enter the following acs patch command in the EXEC mode to install the ACS patch:

acs patch install patch-name.tar.gpg repository repository-name

ACS displays the following confirmation message:

Installing an ACS patch requires a restart of ACS services.

Would you like to continue? yes/no

Step 4 Enter yes.

The ACS version is upgraded to the applied patch. Check that all services are running properly with the show application status acs command in EXEC mode.


 

Resolved ACS Issues

Table 3 lists the issues that are resolved in ACS 5.3.

 

Table 3 Resolved issues in ACS 5.3

Bug ID
Description

CSCtg36142

Indication of the SecurID file did not work properly in the Node Secret set. This problem is resolved now.

CSCta75080

MSCHAP authentication with UTF8 SAM & NETBIOS did not work against AD in Centrify configuration. This problem is resolved now.

CSCtb99448

An error was displayed in ACS Management log while performing PAP Authentication. This problem is resolved now.

CSCte57427

SNMP location and contact information were not saved on reboot in ACS 5.1. This problem is resolved now.

CSCte70665

An error message was displayed while launching the Authentication Trend page from the Dashboard. This problem is resolved now.

CSCte98032

ACS 5 partitions were not aligned properly when they were installed on VMware. This problem is resolved now.

CSCtf09891

Remote log targets did not accept classless IP formats. This problem is resolved now.

CSCtf77292

The Evaluation of domain local groups resulted in delayed authentication [AD PERF]. This problem is resolved now.

CSCtg62673

A feature license with an & character in the company name could not be loaded. This problem is resolved now.

CSCtg71016

Primary and secondary servers did not accept the same server certificate. This problem is resolved now.

CSCth66492

Recovery mechanism was required while reconnecting the log-collector. This problem is resolved now.

CSCti00159

Network did not function properly when the MAC address of the host was changed in ACS 5 on VMware. This problem is resolved now.

CSCti30276

Admin users could not log in after a password reset. This problem is resolved now.

CSCti36058

User authentication in ACS 5.1 failed while searching for the server in a remote domain. This problem is resolved now.

CSCti70509

In ACS 5, a database restored from TFTP could result in a corrupted configuration. This problem is resolved now.

CSCti95750

The filter did not show any result in ACS 5.1 while using a filter for AD groups in AD1:ExternalGroups. This problem is resolved now.

CSCtj58965

AD page did not load when there were issues in DNS or DCs. This problem is resolved now.

CSCtj61100

When adding three IP name servers through the CLI, you were prompted to restart ACS three times. This problem is resolved now.

CSCtj68184

Evaluation License for AM&R was not being overwritten. This problem is resolved now.

CSCtk32478

High CPU and memory utilization related to the CDPD process on VMware. This problem is resolved now.

CSCtk32664

ACS sent the change-password request to the wrong identity store in the sequence. This problem is resolved now.

CSCtk76151

Changing NIC's IP address caused NTP to go out of synchronization. This problem is resolved now.

CSCtk82961

RADIUS Proxy did not forward unknown attributes. This problem is resolved now.

CSCtl05923

The remote database SQL schema information for the "export run failed" operation had to be updated in the ACS 5.3 documents. This problem is resolved now.

CSCtl07445

Negative integer in AV pair caused exception for ACS Log Collector. This problem is resolved now.

CSCtl07664

Unable to change the error code. This problem is resolved now.

CSCtl11307

The SNMP preferences setting was in the wrong place in ACS View. This problem is resolved now.

CSCtl42972

The runtime process restarted after a shell profile was added. This problem is resolved now.

CSCtl52327

ACS LDAP authorization was case sensitive. This problem is resolved now.

CSCtl84778

Sometimes two processes did not run after ACS reboot. This problem is resolved now.

CSCtl85457

Unreachable servers returned by DNS SRV records caused a delay in ACS. This problem is resolved now.

CSCtn05827

The enable password option in TACACS+ did not work properly. This problem is resolved now.

CSCtn13731

Importing or updating TACACS+ devices required the CoA field to be filled. This problem is resolved now.

CSCtn18359

The ACS CLI password could not be reset after it expired under the password policy. This problem is resolved now.

CSCtn21381

CDP data containing an & character caused show run to fail. This problem is resolved now.

CSCtn26604

ACS 5 did not support UNICODE characters in certificates. This problem is resolved now.

CSCtn62214

Could not import the .CSV file when the custom attribute was defined for local user/hosts. This problem is resolved now.

CSCtn67457

Dynamic attributes in authorization profiles stopped working after they were changed. This problem is resolved now.

CSCtn76469

Turning on RADIUS accounting was rejected with message 11014. This problem is resolved now.

CSCtn78315

Backing up data over SFTP failed if the transfer did not complete within 60 seconds. This problem is resolved now.

CSCtn81510

ACS 5 documents did not have clear information on getACSViewWebServicesPort() for M&R. This problem is resolved now.

CSCto09231

ACS interpreted a username in NetBIOS format with a dot in the DOMAIN part as a DNS name. This problem is resolved now.

CSCto09337

ACS had problems with the network device filter when filtering by location or device type. This problem is resolved now.

CSCto42187

EAP Authentication Method was not available for policy during PEAP fast reconnect. This problem is resolved now.

CSCto72525

Writing a Custom application to integrate M&R generated errors. This problem is resolved now.

CSCto72918

ACS 5.2 did not support Unicode characters in AAA client shared secret. This problem is resolved now.

CSCto77214

When ACS was overloaded, a "server workspace storage" error appeared. This problem is resolved now.

CSCtq07534

ACS 5 did not verify RSA keys for SFTP repositories. This problem is resolved now.

CSCtq15610

ACS was intermittently disconnected from AD. This problem is resolved now.

CSCtq17598

Runtime services failed to start because of a shell profile attribute. This problem is resolved now.

CSCtq46433

ACS 5: web page errors occurred when filtering devices in IE8 if the device name contained \u. This problem is resolved now.

CSCtq61094

AD configuration affected the ACS Runtime process. This problem is resolved now.

CSCtq61125

ACS did not follow the identity store sequence. This problem is resolved now.

CSCtq61267

The password was not accepted after installing ESXi 4.x. This problem is resolved now.

CSCtq62007

Unable to save AD configuration when only user name or password was changed. This problem is resolved now.

CSCtq64672

Failure reason editor under System Configuration displayed an error for COD. This problem is resolved now.

CSCtq65124

ACS 5.2: Boolean LDAP attribute was incorrectly interpreted by ACS. This problem is resolved now.

CSCtq76307

CLI documentation did not have the updated SFTP information. This problem is resolved now.

CSCtq78681

Group Queries to Virtual Directory Server failed to return results. This problem is resolved now.

CSCtr23536

ACS 5.2: Appending domain name to SAN when trying to match account in AD resulted in the user not being found in external store database and a failed authentication. This problem is resolved now.

CSCtr24473

RADIUS requests were dropped by ACS without any explanation. This problem is resolved now.

CSCtr43053

The port attribute could not be used to match a rule if ASCII was used as the authentication type for TACACS+ authentications. This problem is resolved now.

CSCtr57687

ACS 5.x documents did not have the information on Replicated Items. This problem is resolved now.

CSCts55739

The ACS 5.2 Configuration Guide did not explain the failover scenarios. This problem is resolved now.

Resolved Issues in Cumulative Patch ACS 5.3.0.40.1

Table 4 lists the issues that are resolved in the ACS 5.3.0.40.1 cumulative patch.

You can download the ACS 5.3.0.40.1 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to “Applying Cumulative Patches” section for instructions on how to apply the patch to your system.

 

Table 4 Resolved Issues in Cumulative Patch ACS 5.3.0.40.1

Bug ID
Description

CSCtn94094

Web interface for compound rules uses non-standard boolean notation.

CSCts38477

In ACS 5.2 Compound Condition, replacing "And" logic with "Or". Duplicate of CSCtn94094.

CSCtq81172

Admin web interface takes time to load for a large NDG tree.

CSCtg51846

Enum values are not shown in compound conditions in the rule.

CSCto73527

Network Device Filter fails with AND Condition while using Location and Device Type.

CSCts17763

ACS may crash when Shell Profile name contains special characters.

CSCtq76294

Need an alert to be triggered when backup operation fails.

CSCts40901

Shared secret key is displayed in clear text.

CSCtq80926

Select option is not working in Compound condition> LDAP > External groups.

CSCts61733

Bulk CRUD operations for Shell Profile Custom Attributes.

CSCtr78192

Multiple vulnerabilities in the Cisco ACS 5 web interface.

CSCts85741

Possible SQL injection point in ACS 5.2.

CSCtr78143

Multiple Cross-Site Request Forgery and stored XSS in ACS 5.2.

CSCtu15651

ACS view upgrade failure.

CSCtu07065

ACS 5.2 to 5.3 upgrade fails.

CSCts23451

ACS 5.x needs to update the RSA SecureID API.

CSCtu36433

ACS 5.3 web interface is very slow after an upgrade from ACS 5.2.

Resolved Issues in Cumulative Patch ACS 5.3.0.40.2

Table 5 lists the issues that are resolved in the ACS 5.3.0.40.2 cumulative patch.

You can download the ACS 5.3.0.40.2 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to the “Applying Cumulative Patches” section for instructions on how to apply the patch to your system.

Table 5 Resolved Issues in Cumulative Patch ACS 5.3.0.40.2

Bug ID
Description

CSCtw97686

Could not edit the ACS 5.2 users after upgrading the system to ACS 5.3.

CSCtu74476

MAC address format is inconsistent in activity reports.

CSCtn26538

EAP-TLS reauthentication fails - principal username is missing.

CSCte39351

The SNMP agent process in ACS appliance daemon stops.

CSCtu89783

ACS 5 password expiration policy triggered for token users.

CSCtt14745

Cannot add groups to LDAP identity store.

CSCtt17019

ACS 5.x has issues while retrieving additional AD groups when referenced in rule.

CSCtt21122

Cannot import the command sets if you have the character slash ( / ) in the argument.

CSCto95888

sh acs-logs details command does not display local store log file names.

CSCtw64212

view-logprocessor process gets stuck and the status is shown as not monitored.

CSCtu36357

ACS 5 cannot duplicate user accounts.

CSCtw67208

Administrative and Operational Audit logs are not getting recorded in ACS.

CSCtw56498

TACACS+ "enable" request is dropped in unknown authentication type.

CSCtw97877

Installing a patch after the 5.3 upgrade did not reduce the network device page load time.

CSCtx19470

ACS 5 shows a runtime error while trying to log in to the GUI even though all processes are running properly.

CSCtx53340

NIL-CONTEXT error causes TACACS+ failure in ACS 5.3 TCP Listener Process.

CSCto88134

Temporary table was missing in the 5.2 database after restoring a 5.1 backup.

Resolved Issues in Cumulative Patch ACS 5.3.0.40.3

Table 6 lists the issues that are resolved in the ACS 5.3.0.40.3 cumulative patch.

You can download the ACS 5.3.0.40.3 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to the “Applying Cumulative Patches” section for instructions on how to apply the patch to your system.

Table 6 Resolved Issues in Cumulative Patch ACS 5.3.0.40.3

Bug ID
Description

CSCtx11180

Sometimes, ACS fails to fetch the group information for users in a trusted domain.

CSCty19628

Unassigning MS-CHAPV2 group retrieval fails. It is a duplicate of the bug CSCtx11180.

CSCtw59129

ACS5 tries to contact the domains which are not in trusted list, based on the username.

CSCty11627

ACS5 sends MS-CHAP-MPPE-Keys attribute in all access-accept packets.

CSCtw71563

ACS gets disconnected from AD if it receives duplicate A records for DC.

CSCtx90637

ACS MS-CHAPV2 is not hashing the MS-CHAP success correctly.

CSCtu15832

ACS 5.2 does not recover from an RPC failure with a domain controller.

CSCtx71254

ACS 5.3 is disconnecting from AD and unlatch is seen in ADclient logs.

CSCtx18638

Cannot add custom shell attribute with the keyword alert.

CSCtx83260

NDG locations are not showing up on the web interface.

CSCts14694

Accounting requests are seen as authentication requests.

CSCty60512

User authentication fails when having Authorization rule with built-in group.

CSCty60915

ACS 5.3 pre-authentication gets failed with AD for some users.

CSCtz03041

AD Agent cores management.

CSCty88457

ACS support bundle does not include ADclient core files.

CSCtz03084

/opt and /var are full: a large AD Agent file contains file descriptor errors.

CSCtz03036

AD Agent cache should be flushed when core is generated.

CSCtz03943

ACS exposes the AD account username and password.

CSCtz03211

ACS 5.3 sends multiple authentication attempts to Active Directory.

Resolved Issues in Cumulative Patch ACS 5.3.0.40.4

Table 7 lists the issues that are resolved in the ACS 5.3.0.40.4 cumulative patch.

You can download the ACS 5.3.0.40.4 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to the “Applying Cumulative Patches” section for instructions on how to apply the patch to your system.

Table 7 Resolved Issues in Cumulative Patch ACS 5.3.0.40.4

Bug ID
Description

CSCtz35383

Restoring ACS 5.1 and 5.2 backup on ACS 5.3 patch 3 fails.

CSCtz35418

Unexpected error occurs while selecting the maximum user session after restoring the backup.

CSCua46796

LDAP connection is interrupted for one minute every 10 hours due to Kerberos TGT expiration.

Resolved Issues in Cumulative Patch ACS 5.3.0.40.5

Table 8 lists the issues that are resolved in the ACS 5.3.0.40.5 cumulative patch.

You can download the ACS 5.3.0.40.5 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to the “Applying Cumulative Patches” section for instructions on how to apply the patch to your system.

Table 8 Resolved Issues in Cumulative Patch ACS 5.3.0.40.5

Bug ID
Description

CSCtu21456

ACS 5.x: Intermittent password change is not working in secondary ACS.

CSCtx12249

ACS 5.x: ACS does not support TACACS Service 0x1a (Auth-Proxy).

CSCty48702

ACS 5.3 cannot export data to Oracle.

CSCtx68133

Some Secondary ACS machines show status as offline when the setup is idle.

CSCtx57296

ACS fails to open the view log collector with an irresolvable hostname in the primary machine.

CSCtx72675

ACS supports repository user name with domain name.

CSCtx55824

ACS 5.x: SQL schema file for view database export is incorrect.

CSCtu19690

Random Parse error alarms are triggered due to the radius accounting messages.

CSCtx90623

ACS web server is vulnerable to the HTTP slow header attack.

CSCty80996

Admin user with ResetUserPassword privilege cannot reset user passwords.

CSCty18371

Users without enable password option are able to set their own authentication password.

CSCtx40345

MAC addresses shown on end station filter list are incorrect.

CSCtx32481

Description is shown as null while importing NDG without a description.

CSCty16614

Resource not found or internal server error is seen with bulk filter option in ACS.

CSCtx71963

ACS 5.2: Bulk update of users ignores the changes that are made in the custom boolean attribute.

CSCtz31830

In some scenarios, Active Directory web interface group retrieval feature takes a long time to respond.

CSCtz42111

Password expiry timer is not replicated after changing the password using TACACS+.

Resolved Issues in Cumulative Patch ACS 5.3.0.40.6

Table 9 lists the issues that are resolved in the ACS 5.3.0.40.6 cumulative patch.

You can download the ACS 5.3.0.40.6 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to the “Applying Cumulative Patches” section for instructions on how to apply the patch to your system.

Table 9 Resolved Issues in Cumulative Patch ACS 5.3.0.40.6

Bug ID
Description

CSCtz24314

ACS 5.x runs out of disk space.

CSCtz49470

In ACS 5.3, you can create and restore the ACS View database from a support bundle without the help of a root patch.

CSCty53608

Core file with 4000 users is generated in TACACS+ proxy.

CSCty75050

In ACS 5.3, CHAP authentication for TACACS+ fails.

CSCtx03590

Adding NDG filter with “Replace from File” fails.

CSCty92102

RADIUS proxy does not process the response from an external RADIUS server.

CSCtz09614

Validation error that results in an ACS runtime crash occurs while editing the end station filters.

CSCtz91356

Evaluation of local groups leads to an increase in time delay during authentication.

CSCtz83523

AD client crashes because of the passwords with non-UTF-8 characters in it.

CSCty64763

Multiple groups are selected in authorization policy.

CSCua01925

SNMP monitoring cron job is deleted when you configure a scheduled backup.

CSCua51373

Support for On Demand Purge in ACS View.

CSCua60625

ACS View database restore fails when there is enough space available in /opt.

CSCua51804

ACS View backup fails even when there is enough disk space available.

CSCua60611

Runtime service memory utilization increases during TACACS+ authentication and accounting requests.

CSCty97947

Importing large scale configurations in ACS results in runtime memory errors upon restart.

CSCub17638

Replication fails when you import devices into the primary server.

CSCua69912

Config database gets corrupted after changing the authorization profile name which results in an internal error while accessing the web interface.

Resolved Issues in Cumulative Patch ACS 5.3.0.40.7

Table 10 lists the issues that are resolved in the ACS 5.3.0.40.7 cumulative patch.

You can download the ACS 5.3.0.40.7 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to the “Applying Cumulative Patches” section for instructions on how to apply the patch to your system.

Table 10 Resolved Issues in Cumulative Patch ACS 5.3.0.40.7

Bug ID
Description

CSCua66744

The ACS view database transaction log reaches more than 50 GB, which fills the /opt partition size.

CSCtq46211

The Lexmark Printer works fine with ACS 4.x, but it is not working properly with ACS 5.x versions.

CSCtx53223

ACS 5.3 fails to join AD domain, and the Centrify license is missing when you upgrade ACS from its previous versions.

CSCtx63760

Scalability issue: ACS drops TACACS+ requests due to a high connection rate.

CSCtx56129

The ACS 5.x replication service fails because it cannot bind to port 2030.

CSCua67150

The network device is not recorded in the RADIUS Authentication logs.

CSCub15396

ACS 5.3 does not support blank spaces in the TACACS shared secret key.

CSCua90369

ACS 5.x is creating the error message: ShellProfile..ERROR...DeviceAttrFactory.cpp:29.

CSCtw84073

Unable to enter acs-config in the ACS CLI.

CSCua81734

In ACS 5.x, Identity groups are truncated when you use Internet Explorer 8.x version.

CSCty57491

ACS health logs are purged incorrectly.

CSCub46074

ACS 5.3 response is very slow with a large number of identity groups.

CSCub40278

XSS vulnerabilities were found in ACS view pages.

CSCub40291

CSRF vulnerabilities were found in ACS 5.3.

CSCub40498

The password field in ACS 5.3 has the autocomplete operation enabled.

CSCub40527

Unauthenticated download flaws were found in ACS 5.3.

CSCub40480

Cookie vulnerabilities were found in ACS 5.3.

CSCuc65634

TACACS+ authentication bypass vulnerabilities were found in ACS 5.3.

CSCub98158

The replication is not working when you register or deregister a secondary ACS instance.


Note: Internet Explorer and Mozilla Firefox have a password auto completion option to remember the passwords entered via browsers. This operation is disabled in ACS 5.3 Patch 7 due to security issues. If you have enabled the password auto completion option, then you must install patch 7 and clear the cache manually to overcome this security issue.


Resolved Issues in Cumulative Patch ACS 5.3.0.40.8

Table 11 lists the issues that are resolved in the ACS 5.3.0.40.8 cumulative patch.

You can download the ACS 5.3.0.40.8 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to the “Applying Cumulative Patches” section for instructions on how to apply the patch to your system.

Table 11 Resolved Issues in Cumulative Patch ACS 5.3.0.40.8

Bug ID
Description

CSCuc31452

In ACS 5.3, exporting users to .csv file is not working properly.

CSCtn99545

Administrators with numerical username are unable to use the dashboard.

CSCuc80049

Editing device filters results in validation error and ACS runtime to crash.

CSCuc28306

Unable to export the ACS_Log_Information from ACS view to a .csv file.

CSCub98880

Sometimes, the details icon in the troubleshooting reports page is not shown.

CSCuc68843

Secondary ACS server is incorrectly reported to be in Local mode.

CSCuc93106

Upgrading from ACS 5.3 to ACS 5.4 fails.

CSCuc11436

In ACS 5.3, promoting a secondary ACS remotely from a primary ACS fails.

CSCuc06451

ACS cannot find the global catalogs.

CSCub82913

ADclient cache issue - Authentication fails when you change the OU in multiple domain controller environment.

CSCud06310

TCP socket exhaustion causes ACS 5.x to crash.

CSCub60424

Unable to register ACS in the deployment while the import operation is in progress.

CSCuc08568

Unable to register machines to the deployment.

CSCtx45515

PI REST support for Network Devices, Device Groups, and Hosts.

Resolved Issues in Cumulative Patch ACS 5.3.0.40.9

Table 12 lists the issues that are resolved in the ACS 5.3.0.40.9 cumulative patch.

You can download the ACS 5.3.0.40.9 cumulative patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to the “Applying Cumulative Patches” section for instructions on how to apply the patch to your system.

Table 12 Resolved Issues in Cumulative Patch ACS 5.3.0.40.9

Bug ID
Description

CSCud40928

The secondary instance management process remains in initializing state after deregistering it from the deployment.

CSCue86879

Added NTP service as a part of ACS services in ACS 5.3.

CSCud88921

NTP fails for some time after changing the local clock time.

CSCue35765

An invalid alarm is shown that says, "DBPurge is not running for the past two days."

CSCue43289

Rules in Access Policies are pushed to the end of the list when you use filter to search or make any changes in them.

CSCud75174

Client-side filtering option in ACS leads to an XSS attack.

CSCud75177

CSRF vulnerabilities found in ACS admin and ACS view pages.

Limitations in Different ACS Deployments

ACS 5.3 has the following limitations with respect to Small, Medium, and Large deployment scenarios.

Table 13 Limitations in Different ACS Deployments

Object Type             Small         Medium        Large
Users                   1000          10000         300000
Hosts                   100           1000          50000
Identity Group          10            200           1000
Network Devices         100           5000          50000
Device Types            2 (default)   2 (default)   2 (default)
Device Hierarchies      2             3             6
Device Groups           5             10            20
Services                2             5             25
Authorization Rules     5             25            320
Conditions              3             5             8
Authorization Profile   --            --            600
SSP                     5             25            50
Result Sets             1             2             3
NARs                    50            500           3000
ACS Instances           1-2           3-6           7-10
ACS Admins              5, 2 roles    15, 5 roles   50, 9 roles
dACLs                   1K Size       1K Size       600 dACL with 100 ACEs each

Known ACS Issues

This section lists the known issues for the ACS 5.3 release.

Table 14 lists the known issues in ACS 5.3. You can also use the Bug Toolkit on Cisco.com to find any open bugs that do not appear here.

Table 14 Known Issues in ACS 5.3

Bug ID
Description

CSCtl08320

AD is down in Add Attribute list, PEAP/EAP-FAST MSCHAP auth marked fail.

The PEAP-GTC and EAP-FAST-GTC authentications are marked as Passed (green line in log) when the attribute retrieval phase fails and the FailOpen option is configured as DROP.

This problem occurs when the Identity Sequence is configured in such a way that the authentication phase passes but the attribute retrieval phase fails. The default FailOpen option for a failed process is DROP.

Workaround:

None

CSCtl10839

Break sequence fails for the same User authentication when AD is down (because of cache)

Attribute retrieval tries to retrieve groups from AD, which is down, and then continues to the next ID store in the Additional Attribute retrieval list. This occurs even though you have selected the break sequence option.

This problem occurs when you:

1. Configure ACS as:

AD with groups, with no attributes.

Identity Sequence: Authentication ID Stores list is Internal

Additional Attribute retrieval list is {AD, Internal, Radius server (or any other)}

2. Select the break sequence option.

3. Authenticate using AD.

4. Shut down AD.

5. Authenticate using Identity Sequence.

Workaround:

None

CSCtl93760

Search option does not work for MAC Address

Unable to list out the MAC addresses that are in the database.

This problem occurs when you create MAC addresses using wildcards and then try to list a single MAC address while searching.

Workaround:

Use other search options, such as "starts with".

CSCtl95969

Sometimes Machine Authentication fails in Odyssey supplicant

Odyssey supplicant sometimes fails in machine authentication.

The authentication fails and displays the message Subject not found in the identity store (AD).

Workaround:

1. Select the EAP-TLS authentication as authentication type in Odyssey supplicant.

EAP-TLS authentication passes.

2. Change the authentication type to PEAP-TLS.

This makes the machine work well with Odyssey supplicant.

CSCtn19739

TLS Session Resume fails in PEAP-TLS with CSSC/Odyssey supplicant.

TLS Session Resume fails in PEAP-TLS with CSSC/Odyssey supplicant.

This problem occurs when you enable the TLS session resume in ACS and perform an authentication with the CSSC/Odyssey client.

Workaround:

None

CSCtn49931

Management processes do not come up after the application upgrade

Management processes are not restored when the ACS services get restarted. This issue is not consistent.

This problem occurs sometimes when you restart ACS services. For example, after upgrading ACS 5.2 to 5.3.

Workaround:

Restart the ACS services manually.

CSCto29474

Bulk edit is not supported for maximum session group value.

There is no option for bulk editing groups.

This problem occurs when there are many identity groups (for example, 50 or more). It is difficult to edit the values for the groups one by one, and there is no option to update many groups together.

Workaround:

Use the Import option to update the maximum session value for many groups at the same time.

CSCto52767

Centrify: Wrong user is being authenticated.

The wrong AD user is authenticated.

This problem occurs when you mix and match UPN and NetBIOS names for two given users. For example:

1. Enter user 1 as:

UPN: a1

NETBIOS: a2

psw: www123!@#

user 2:

UPN: a2

NETBIOS: a1

psw: ttt123!@#

2. Authenticate the first user as

user : a1

psw: www123!@#

3. Authenticate the second user as

user : a2

psw: ttt123!@#

Any one of the above two authentications fails.

Workaround:

Make sure AD user names are consistent and avoid naming conventions such that UPN and NetBios of different users are identical.

CSCto56190

AD interface operations take a long time if LDAP SSL is not enabled in AD.

AD interface operations (test connect, select groups, and select attributes) take a long time if LDAP SSL is not enabled in AD. The delay in such cases is (number of domain controllers in the domain in the same site as ACS) * 15 seconds.

This problem occurs if:

  • LDAP SSL is not configured or enabled in AD domain controllers.
  • There are many domain controllers in the domain in the same site as ACS.

Workaround:

Configure or enable LDAP SSL on the AD domain controllers.

CSCtq12058

Log level is set to Debug for the Monitoring and Collector log, but it shows warning logs.

The Debug logs are not displayed in the Monitoring and Collector log.

Default warning logs are displayed even after the log level is set to Debug. This problem also occurs while the system performs Authentication.

Workaround:

Restart ACS.

CSCtq34427

CARS: Centrify imposed host name limitation of 15 characters

AD account is created only for the latest machine that is joined to the AD, while joining multiple hosts.

This problem occurs if hosts have:

  • Names longer than 15 characters
  • The same 15 character prefix

Workaround:

When working with AD, keep host names to 15 characters or fewer, or make sure that the 15-character prefix of each host name is unique.

CSCtq45439

Core file of management is generated while running stress in ACS

The management process crashes on a secondary ACS server in a distributed deployment and a core file is generated.

This problem occurs when a heavy authentication stress is applied to the primary server for a long time (one or two days).

Workaround:

None.

CSCtq52001

It is possible to install non-CA certificates under CTL.

ACS allows you to install non-CA certificates under Certificate Authorities.

This problem occurs because a CA certificate carries the keyCertSign bit in its Key Usage extension, and ACS does not check for it: a non-CA certificate without this bit can still be installed.

Workaround:

Make sure the installed certificate is indeed a CA certificate.

CSCtq52032

No checks for the type of certificate while installing the server certificate.

An invalid server certificate (such as one that can be used for client authentication only) can be installed as a server certificate in ACS.

This problem occurs when you install a client certificate (such as one whose extended key usage is set to "Client Authentication" only) as a server certificate in ACS.

Workaround:

Verify the extended key usage manually.
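The two manual checks that CSCtq52001 and CSCtq52032 ask for (the keyCertSign bit for anything installed under Certificate Authorities, and the extended key usage for anything installed as a server certificate) can be scripted before the file is uploaded to ACS. The following is an added example, not Cisco's or the ACS product's own code. It assumes the openssl command-line tool is available on the administrator's workstation; the three certificates it generates are constructed test data, and it goes slightly beyond the release note by also requiring basicConstraints CA:TRUE on a CA certificate.

```shell
#!/bin/sh
# Added example (not Cisco's code): pre-install checks for certificates
# destined for ACS. Assumes the openssl command-line tool is available.
set -eu

# Decode a PEM certificate to text once so each check can grep it.
cert_text() {
    openssl x509 -in "$1" -noout -text
}

# is_ca_cert FILE
# Succeeds only if FILE carries basicConstraints CA:TRUE and the
# keyCertSign bit ("Certificate Sign") in its Key Usage extension.
is_ca_cert() {
    text=$(cert_text "$1") || return 1
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' \
        | grep -q 'Certificate Sign' || return 1
    return 0
}

# is_server_cert FILE
# Succeeds if FILE has no Extended Key Usage extension (unrestricted) or
# an EKU that includes serverAuth ("TLS Web Server Authentication").
# A clientAuth-only certificate, the case in CSCtq52032, is rejected.
is_server_cert() {
    text=$(cert_text "$1") || return 1
    if printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage'; then
        printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' \
            | grep -q 'TLS Web Server Authentication' || return 1
    fi
    return 0
}

# make_test_cert OUT CN EXTENSION_LINES
# Generates a constructed self-signed certificate with exactly the given
# extensions (hypothetical test data, for demonstration only).
make_test_cert() {
    cfg=$(mktemp); key=$(mktemp)
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n[ext]\n%s\n' \
        "$2" "$3" > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$cfg" -extensions ext -keyout "$key" -out "$1" 2>/dev/null
    rm -f "$cfg" "$key"
}

# Demonstration: one real CA, one client-only cert, one server cert.
demo() {
    dir=$(mktemp -d)
    make_test_cert "$dir/ca.pem" "Constructed Test CA" 'basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign'
    make_test_cert "$dir/client.pem" "Constructed Client" 'basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth'
    make_test_cert "$dir/server.pem" "Constructed Server" 'basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth'
    for f in ca client server; do
        if is_ca_cert "$dir/$f.pem"; then
            echo "$f.pem: OK to install under Certificate Authorities"
        else
            echo "$f.pem: NOT a CA certificate, do not install under Certificate Authorities"
        fi
        if is_server_cert "$dir/$f.pem"; then
            echo "$f.pem: extended key usage permits server use"
        else
            echo "$f.pem: extended key usage does NOT permit server use"
        fi
    done
    rm -rf "$dir"
}

demo
```

Run the two check functions against the real file before uploading it; a non-zero exit from is_ca_cert or is_server_cert means ACS would accept a certificate it should not.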

CSCtq61557

Cannot create AAA client after an error message appears in the Network Device Ranges.

Unable to create AAA client, after an error message appears.

This problem occurs if you:

1. Create an AAA client with IP Ranges and enter an invalid character in the Exclude option.

The interface displays an error.

2. Delete the Exclude value and add the IP and click Submit.

The AAA client is not created.

Workaround:

1. Edit the IP and enter a proper Exclude value.

2. Add the AAA client.

3. Click Cancel and create the AAA client with the proper Exclude value.

CSCtq67174

The username in the view displays an invalid escape character at line 1 column 2.

If you click on a username that contains the character ! in it, an error appears.

This problem occurs if the username contains the ! character in it.

Workaround:

Remove the ! character from the username.

CSCtq80926

Select option gets disabled while selecting the string enum attribute.

The Select option is disabled and you cannot select the groups configured under Compound Condition and LDAP External Groups.

This problem occurs if you select Authorization > Customize selected compound condition, under Compound condition > LDAP > External groups.

This applies to LDAP and AD External groups configuration.

Workaround 1:

Select some other attribute with a different dictionary, to enable the Select option for all types of attributes.

Workaround 2:

Select the external groups under Customize > LDAP: External groups in both Authorization and Group mapping.

CSCtr56396

Filtering Network Devices according to the new NDG type.

You do not get the correct records that match the filter, if you try to filter Network Devices according to the value of the Network device group that is added after adding the Network Devices.

This problem occurs when a new NDG is created after adding the Network Devices.

Workaround:

Create the NDG before adding the Network Devices.

CSCtr74964

Wrong error message is displayed when you try to change the password of an LDAP user.

An error message "Subject not found in the particular identity stores" is displayed. This is wrong. The correct error message is "Current identity store doesn't support changing password".

This problem occurs if you change the password while performing TACACS+ authentication for a user account located on an LDAP server.

Workaround:

Ignore the incorrect error message.

CSCtr95923

Log messages are recovered after Restore.

Log recovery feature retrieves the missing logs after Restore.

This problem occurs when you take a backup of the view with the Log recovery feature enabled and then restore the backup in same setup.

Workaround:

Disable the feature for 5 minutes and then enable it. This prevents it from restoring the old logs.

CSCts07491

NDG: Duplicate option does not work

You cannot create a duplicate for an existing NDG.

This problem occurs if you want to create a new NDG by duplicating the existing NDG. In this case, the duplication does not work properly.

Workaround:

Create a new NDG using the Create option.

CSCts08356

ACS follows internal identity sequence twice when Fast Reconnect is enabled.

ACS performs the attribute retrieval twice in Internal ID store for a non-existent user. This occurs when authenticating by PEAP with fast reconnect enabled with W7 supplicant.

This problem occurs when ACS is configured with the following identity store sequence:

AD + Internal and PEAP-MSCHAP with fast reconnect.

Here a user is configured in AD but not in the Internal ID store.

When you are negotiating PEAP fast reconnect, the supplicant returns the result as TLV failure and then an inner method is invoked. The user is successfully authenticated in AD.

The attribute retrieval is performed twice in Internal ID store (both unsuccessful since the user is not found). The following log messages appear in the log:

22023 Proceed to attribute retrieval

22038 Skipping the next IDStore for attribute retrieval because it is the one we authenticated against

24210 Looking up User in Internal Users IDStore - ram

24216 The user is not found in the internal users identity store.

22038 Skipping the next IDStore for attribute retrieval because it is the one we authenticated against

22015 Identity sequence continues to the next IDStore

24210 Looking up User in Internal Users IDStore - ram

24216 The user is not found in the internal users identity store.

22016 Identity sequence completed iterating the IDStores

Workaround:

Configure the PEAP fast reconnect in the W7 supplicant correctly, so Fast Reconnect is enabled.

CSCts31991

AD join may fail when there are multiple DNS entries in ACS

ACS fails to join AD.

This problem occurs when there are multiple IP name-server entries configured in the ACS configuration CLI, but not all of the IP name-server entries are configured with Active Directory DNS records.

It occurs where the AD DNS responds slower than the corporate DNS, or if there is a DNS server that does not resolve the AD DC/GC SRV records.

Workaround 1:

Ensure that all IP name-server entries have the required configuration for Active Directory. This way, the fastest responding name server will have the required Active Directory configuration.

Workaround 2:

Configure ACS 5.3 to use only a specific name server that has the required Active Directory configuration. Use the ACS 5.3 CLI to do this.

The ACS administrator should:

1. Log into the ACS configuration mode using the command acs-config.

2. Use ad-agent-configuration dns.servers to set the IP of the correct IP name-server to use.

For example, if the IP address of the name server to use is 10.56.60.150, then the following commands should be entered, using the ACS 5.3 CLI:

cd-acs5-13-50/admin# acs-config

Escape character is CNTL/D.

Username: acsadmin

Password:

cd-acs5-13-50/acsadmin(config-acs)# ad-agent-configuration dns.servers 10.56.60.150

Performing AD agent internal setting modification is only allowed with ACS support approval. continue (y/n)?

cd-acs5-13-50/acsadmin(config-acs)# show ad-agent-configuration dns-servers

dns-servers: 10.56.60.150

cd-acs5-13-50/acsadmin(config-acs)# exit

This operation should be performed when the ACS machine is joined to the required domain for each server in the deployment.

CSCts52687

Centrify service gets frozen while starting and does not move to the next available DC.

AD functionality is down.

This problem occurs when the joined DC is offline. There are other DCs online but ACS will not join one of them.

Workaround:

Bring the joined DC online or resubmit the AD configuration.

CSCto50246

CentrifyDC mode is displayed as "connected" when the current DC is shutdown.

ACS takes a long time to update the DC details to which it is currently connected.

This problem occurs when ACS is connected to another fastest reachable DC, while the previously connected DC is down.

Workaround:

None

CSCts95867

The View database processes freeze when the system gets restarted while upgrading.

ACS view database process gets frozen if you restart the services while upgrading.

This problem occurs if you:

1. Configure the data in ACS 5.2 patch 6 when the machine is in a distributed setup where it has a primary server and a secondary server. The secondary server is the log collector.

2. Change the log collector to the primary server.

3. Deregister the secondary server from the primary server.

4. Upgrade the secondary server using the CLI command application upgrade acs.tar.gz repo to ACS 5.3 build #38.

The following message is displayed.

application upgraded successfully.

5. Check the process status now using the CLI command show app upgrade acs.

The View Database process gets frozen for more than six hours while restarting the application.

6. Upgrade the primary server using the CLI command application upgrade acs.tar.gz repo to 5.3 build #38.

The following message is displayed.

application upgraded successfully.

The View Database process gets frozen for more than six hours while restarting the application.

Workaround:

Use acs stop and acs start commands in CLI and restart the ACS services manually.

CSCts79921

Authentication fails if you miss the UPN attribute.

Authentication fails against the Active Directory.

This problem occurs when you try to add users using the command NET USER aaa qqq123!@# /ADD.

Workaround:

Add the users through the Active Directory web interface.

CSCtq29587

RADIUS authentication fails in the switch with the same VSA name and a different data type.

Authentication fails in switch.

This problem occurs while creating VSA attributes in Proxy and Remote ACS that have the same name, but different types.

Workaround:

Define the VSA attributes with the same names and types.

CSCtq60960

Could not close the frames in the Authentication reports.

Expand and Collapse of Authentication results in the Authentication details page do not work in Mozilla 4.x and 5.x versions.

This problem occurs when you use third-party tools such as Actuate BIRT, because the stricter HTML5 parsing engine is enabled by default in Mozilla 4.x and 5.x versions. You will face this issue if the validation in the third-party tool is not correct.

Workaround:

When you are using Mozilla 4.x and 5.x versions, complete the following steps.

1. Open a new tab.

2. Enter about:config in the address bar and press Enter.

3. Click I will be careful, I promise!.

4. Enter html5 in the Filter box.

5. Double-click the html5.parser.enable to change its value to false.

6. Now, reload Authentication results in Authentication details page.

The expand and collapse option of Authentication results in Authentication details page works fine.

CSCts04765

Switching from IP ranges to a single IP address displays an error message.

An error message is displayed when you switch from the IP ranges or IP ranges by mask option to the single IP option while creating AAA clients.

This problem occurs when you switch from IP ranges or IP ranges by mask to the single IP option in the network range multi-column list box. The following error message is displayed:

There is more than one IP address defined. You cannot switch to Single IP Address mode.

This error is shown even after you delete the IP range and switch to the single IP option.

Workaround:

Click Cancel and create a new AAA client.

CSCtt04675

Repositories are missing after a global backup is restored.

Changes that you made to the running configuration through the CLI are not available after a global restore.

For example:

1. Configure a repository.

2. Take a global backup.

3. Restore the backed-up data. The newly configured repository is not available in the running configuration.

This problem occurs if the new configuration was not saved to the startup configuration.

Workaround:

Make sure that the changes are saved to the startup configuration whenever you change the running configuration.

CSCts67174

Database failure (TACACS Accounting) alarms are caused by a decimal value in an AV pair.

Critical system alarms are raised in TACACS Accounting [Collector]: Database failure (<acs hostname>, TACACS Accounting).

This problem occurs when the TACACS+ accounting packet sent by the NAS carries a decimal (non-integer) value in the elapsed time AV pair.

Workaround:

None
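As an added example (not from these release notes or from Cisco), the following Python parses TACACS+ accounting AV pairs as a NAS sends them and flags the non-integer elapsed time value that triggers this collector alarm, so that offending NAS accounting records can be spotted before they reach the ACS collector. It assumes the standard TACACS+ attribute name elapsed_time and the "=" (mandatory) / "*" (optional) AV-pair separators; the sample records are constructed.

```python
import re
from typing import Dict, List, Tuple

# A TACACS+ AV pair is "attr=value" (mandatory) or "attr*value" (optional);
# the separator is the first "=" or "*", so values may themselves contain "=".
_AV_PAIR = re.compile(r"^([^=*]+)([=*])(.*)$", re.DOTALL)


def parse_av_pairs(pairs: List[str]) -> Dict[str, Tuple[str, bool]]:
    """Map attribute name -> (value, is_mandatory) for one accounting record."""
    parsed: Dict[str, Tuple[str, bool]] = {}
    for raw in pairs:
        match = _AV_PAIR.match(raw)
        if match is None:
            raise ValueError(f"malformed AV pair: {raw!r}")
        name, separator, value = match.groups()
        parsed[name] = (value, separator == "=")
    return parsed


def check_elapsed_time(pairs: List[str]) -> List[str]:
    """Return the problems found in one record (empty list when it is clean).

    The collector failure described in CSCts67174 is triggered by an
    elapsed_time value that is not a whole number of seconds, e.g. "120.5".
    """
    problems: List[str] = []
    record = parse_av_pairs(pairs)
    if "elapsed_time" in record:
        value, _mandatory = record["elapsed_time"]
        if re.fullmatch(r"[0-9]+", value) is None:
            problems.append(
                f"elapsed_time={value!r} is not an integer number of seconds"
            )
    return problems


def scan_records(records: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Run the check over several records; keep only those with problems."""
    findings = {name: check_elapsed_time(pairs) for name, pairs in records.items()}
    return {name: probs for name, probs in findings.items() if probs}


# Constructed sample accounting records (not captured from a real NAS).
SAMPLE_RECORDS = {
    "clean": ["task_id=42", "start_time=1315000000", "stop_time=1315000120",
              "elapsed_time=120", "service=shell", "cmd*show running-config"],
    "decimal": ["task_id=43", "start_time=1315000000",
                "elapsed_time=120.5", "service=shell"],
}

if __name__ == "__main__":
    for name, problems in scan_records(SAMPLE_RECORDS).items():
        print(f"{name}: {'; '.join(problems)}")
```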

CSCtr40972

Cannot launch ACS with the new IP address after a global backup is restored during an upgrade.

ACS cannot be launched using the new IP address after a global backup is restored.

This problem occurs when you restore a global backup of one ACS machine onto another ACS machine.

Workaround:

None

CSCua46796

LDAP connection is interrupted for one minute every 10 hours due to Kerberos TGT expiration.

LDAP connection is interrupted for one minute every 10 hours due to Kerberos TGT expiration. The connection is automatically re-established after the TGT renewal.

This problem occurs when you use AD or LDAP as an external identity store.

Workaround:

None

CSCua99537

Network Time Protocol Daemon (NTPD) running with ACS sometimes does not synchronize its clock with the Windows Time service.

Network Time Protocol Daemon (NTPD) running with ACS sometimes does not synchronize its clock with the Windows Time service.

This problem often occurs when ACS or AD is running as a virtual machine.

Workaround:

None.

Documentation Updates

Table 15 lists the updates to Release Notes for the Cisco Secure Access Control System 5.3.

Table 15 Updates to Release Notes for the Cisco Secure Access Control System 5.3

Date          Description
03/29/2013    Added “Resolved Issues in Cumulative Patch ACS 5.3.0.40.9” section.
11/21/2012    Added “Resolved Issues in Cumulative Patch ACS 5.3.0.40.8” section.
10/22/2012    Added “Resolved Issues in Cumulative Patch ACS 5.3.0.40.7” section.
08/24/2012    Added known issue CSCua99537 to the Known ACS Issues section and the lack of multiple NIC support to the Features Not Supported section.
08/21/2012    Added “Resolved Issues in Cumulative Patch ACS 5.3.0.40.6” section.
08/10/2012    Updated the Known ACS Issues and “Resolved Issues in Cumulative Patch ACS 5.3.0.40.4” sections.
05/29/2012    Added “Resolved Issues in Cumulative Patch ACS 5.3.0.40.5” section.
05/18/2012    Added “Resolved Issues in Cumulative Patch ACS 5.3.0.40.4” section.
04/17/2012    Added “Resolved Issues in Cumulative Patch ACS 5.3.0.40.3” section.
02/28/2012    Added “Resolved Issues in Cumulative Patch ACS 5.3.0.40.2” section.
12/16/2011    Added “Resolved Issues in Cumulative Patch ACS 5.3.0.40.1” section.
12/01/2011    Fixed the bug CSCts96708.
10/04/2011    Cisco Secure Access Control System, Release 5.3.

Product Documentation


Note: We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.


Table 16 lists the product documentation that is available for ACS 5.3. To find end-user documentation for all the products on Cisco.com, go to: http://www.cisco.com/go/techdocs

Select Network Management > Security and Identity Management > Cisco Secure Access Control Server Products > Cisco Secure Access Control System.

Table 16 Product Documentation

Document Title / Available Formats

License and Documentation Guide for the Cisco Secure Access Control System 5.3
http://www.cisco.com/en/US/products/ps9911/products_documentation_roadmaps_list.html

Migration Guide for the Cisco Secure Access Control System 5.3
http://www.cisco.com/en/US/products/ps9911/prod_installation_guides_list.html

User Guide for the Cisco Secure Access Control System 5.3
http://www.cisco.com/en/US/products/ps9911/products_user_guide_list.html

CLI Reference Guide for the Cisco Secure Access Control System 5.3
http://www.cisco.com/en/US/products/ps9911/prod_command_reference_list.html

Supported and Interoperable Devices and Software for the Cisco Secure Access Control System 5.3
http://www.cisco.com/en/US/products/ps9911/products_device_support_tables_list.html

Installation and Upgrade Guide for the Cisco Secure Access Control System 5.3
http://www.cisco.com/en/US/products/ps9911/prod_installation_guides_list.html

Software Developer’s Guide for the Cisco Secure Access Control System 5.3
http://www.cisco.com/en/US/products/ps9911/products_programming_reference_guides_list.html

Regulatory Compliance and Safety Information for Cisco Identity Services Engine, Cisco 1121 Secure Access Control System, Cisco NAC Appliance, Cisco NAC Guest Server, and Cisco NAC Profiler
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/regulatory/compliance/csacsrcsi.html

Notices

The following notices pertain to this software license.

OpenSSL/Open SSL Project

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

This product includes software written by Tim Hudson (tjh@cryptsoft.com).

License Issues

The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.

OpenSSL License:

Copyright © 1998-2007 The OpenSSL Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( http://www.openssl.org/ )”.

4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.

5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment:

“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( http://www.openssl.org/ )”.

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

Original SSLeay License:

Copyright © 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).

The implementation was written so as to conform with Netscapes SSL.

This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).

Copyright remains Eric Young’s, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgement:

“This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)”.

The word ‘cryptographic’ can be left out if the routines from the library being used are not cryptography-related.

4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson (tjh@cryptsoft.com)”.

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].

Supplemental License Agreement

END USER LICENSE AGREEMENT SUPPLEMENT FOR CISCO SYSTEMS ACCESS CONTROL SYSTEM SOFTWARE:

IMPORTANT: READ CAREFULLY

This End User License Agreement Supplement ("Supplement") contains additional terms and conditions for the Software Product licensed under the End User License Agreement ("EULA") between you and Cisco (collectively, the "Agreement"). Capitalized terms used in this Supplement but not defined will have the meanings assigned to them in the EULA. To the extent that there is a conflict between the terms and conditions of the EULA and this Supplement, the terms and conditions of this Supplement will take precedence.

In addition to the limitations set forth in the EULA on your access and use of the Software, you agree to comply at all times with the terms and conditions provided in this Supplement. DOWNLOADING, INSTALLING, OR USING THE SOFTWARE CONSTITUTES ACCEPTANCE OF THE AGREEMENT, AND YOU ARE BINDING YOURSELF AND THE BUSINESS ENTITY THAT YOU REPRESENT (COLLECTIVELY, "CUSTOMER") TO THE AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THE AGREEMENT, THEN CISCO IS UNWILLING TO LICENSE THE SOFTWARE TO YOU AND (A) YOU MAY NOT DOWNLOAD, INSTALL OR USE THE SOFTWARE, AND (B) YOU MAY RETURN THE SOFTWARE (INCLUDING ANY UNOPENED CD PACKAGE AND ANY WRITTEN MATERIALS) FOR A FULL REFUND, OR, IF THE SOFTWARE AND WRITTEN MATERIALS ARE SUPPLIED AS PART OF ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE PRODUCT FOR A FULL REFUND. YOUR RIGHT TO RETURN AND REFUND EXPIRES 30 DAYS AFTER PURCHASE FROM CISCO OR AN AUTHORIZED CISCO RESELLER, AND APPLIES ONLY IF YOU ARE THE ORIGINAL END USER PURCHASER.

1. Product Names

For purposes of this Supplement, the Product name(s) and the Product description(s) you may order as part of Access Control System Software are:

A. Advanced Reporting and Troubleshooting License

Enables custom reporting, alerting and other monitoring and troubleshooting features.

B. Large Deployment License

Allows deployment to support more than 500 network devices (AAA clients that are counted by configured IP addresses). That is, the Large Deployment license enables the ACS deployment to support an unlimited number of network devices in the enterprise.

C. Advanced Access License (not available for Access Control System Software 5.0, will be released with a future Access Control System Software release)

Enables Security Group Access policy control functionality and other advanced access features.

2. ADDITIONAL LICENSE RESTRICTIONS

  • Installation and Use. The Cisco Secure Access Control System (ACS) Software component of the Cisco 1121 Hardware Platform is preinstalled. CDs containing tools to restore this Software to the 1121 hardware are provided to Customer for reinstallation purposes only. Customer may only run the supported Cisco Secure Access Control System Software Products on the Cisco 1121 Hardware Platform designed for its use. No unsupported Software product or component may be installed on the Cisco 1121 Hardware Platform.
  • Software Upgrades, Major and Minor Releases. Cisco may provide Cisco Secure Access Control System Software upgrades for the 1121 Hardware Platform as Major Upgrades or Minor Upgrades. If the Software Major Upgrades or Minor Upgrades can be purchased through Cisco or a recognized partner or reseller, the Customer should purchase one Major Upgrade or Minor Upgrade for each Cisco 1121 Hardware Platform. If the Customer is eligible to receive the Software release through a Cisco extended service program, the Customer should request to receive only one Software upgrade or new version release per valid service contract.
  • Reproduction and Distribution. Customer may not reproduce nor distribute software.

3. DEFINITIONS

Major Upgrade means a release of Software that provides additional software functions. Cisco designates Major Upgrades as a change in the ones digit of the Software version number [(x).x.x].

Minor Upgrade means an incremental release of Software that provides maintenance fixes and additional software functions. Cisco designates Minor Upgrades as a change in the tenths digit of the Software version number [x.(x).x].

4. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS

Please refer to the Cisco Systems, Inc., End User License Agreement.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.