Cisco Secure Access Control System

Release Notes for Cisco Secure Access Control System 5.5

Table of Contents

Release Notes for Cisco Secure Access Control System 5.5

Introduction

Mandatory Upgrade Instructions

Cisco SNS-3495 Hardware Appliance Support

New and Changed Features

Enabling and Disabling IPv6 for Network Interfaces

Enhanced Monitoring and Troubleshooting Reports

Identity Store Enhancements

Network Access Protocol Enhancements

Security Enhancements

System Administration Enhancements

System Operation Enhancements

Upgrade Paths

Supported Virtual Environments

Monitoring and Reports Data Export Compatibility

Supported Browsers

Installation and Upgrade Notes

Installing, Setting Up, and Configuring CSACS-1121

Installing, Setting Up, and Configuring Cisco SNS-3495 or Cisco SNS-3415

Running the Setup Program

Licensing in ACS 5.5

Types of Licenses

Upgrading an ACS Server

Applying Cumulative Patches

Resolved ACS Issues

Resolved Issues in Cumulative Patch Pointed-PreUpgrade-CSCum04132-5.4.0.46.0a

Resolved Issues in Cumulative Patch Pointed-PreUpgrade-CSCum04132-5.3.0.40

Resolved Issues in Cumulative Patch ACS 5.5.0.46.1

Resolved Issues in Cumulative Patch ACS 5.5.0.46.2

Resolved Issues in Cumulative Patch ACS 5.5.0.46.3

Resolved Issues in Cumulative Patch ACS 5.5.0.46.4

Resolved Issues in Cumulative Patch ACS 5.5.0.46.5

Resolved Issues in Cumulative Patch ACS 5.5.0.46.6

Resolved Issues in Cumulative Patch ACS 5.5.0.46.7

Limitations in ACS Deployments

Known ACS Issues

Documentation Updates

Product Documentation

Notices

OpenSSL/Open SSL Project

License Issues

Supplemental License Agreement

Obtaining Documentation and Submitting a Service Request

Release Notes for Cisco Secure Access Control System 5.5

Revised: November 17, 2014

Part Number: OL-28607-01

These release notes pertain to the Cisco Secure Access Control System (ACS), release 5.5, hereafter referred to as ACS 5.5. These release notes provide information on the features, related documentation, resolved issues, and known issues for functionality in this release.

This document contains:

Introduction

ACS is a policy-driven access control system and an integration point for network access control and identity management.

The ACS 5.5 software runs on a dedicated Cisco SNS-3495 appliance, on a Cisco SNS-3415 appliance, on a Cisco 1121 Secure Access Control System (CSACS-1121) or on a VMware server. ACS 5.5 ships on Cisco SNS-3495 and Cisco SNS-3415 appliances. However, ACS 5.5 continues to support CSACS-1121 and CSACS-1120 appliances. You can upgrade to ACS 5.5 from any of the previous releases of ACS that runs on CSACS-1121 and CSACS-1120 appliances. For more information on upgrade paths, see Upgrade Paths.

This release of ACS provides new and enhanced functionality. Throughout this document, Cisco SNS-3495, Cisco SNS-3415 and CSACS-1121 refer to the appliance hardware, and ACS server refers to ACS software.


Note Cisco runs a security scan on the ACS application during every major release. We do not recommend running vulnerability scans in an ACS production environment, because such scans carry risks that could impact the ACS application. Run vulnerability scans in a preproduction environment instead.


Mandatory Upgrade Instructions

This section provides the mandatory instructions that you must follow before you upgrade ACS 5.3 or 5.4 to ACS 5.5 using the “Upgrading an ACS server using the Application Upgrade Bundle” method.


Note When you upgrade from ACS 5.4 to ACS 5.5, you must install the “Pointed-PreUpgrade-CSCum04132-5.4.0.46.0a” patch before you start the upgrade from ACS 5.4. You can install this patch directly on any cumulative patch version.



Note When you upgrade from ACS 5.3 to 5.5, it is mandatory to install the following patches one by one in the order specified:

1 Install ACS 5.3 patch 8 (ACS 5.3.0.40.8) or a subsequent patch. You need to install patch 8 or a subsequent patch prior to the upgrade or the upgrade may fail.

2 Install the “Pointed-PreUpgrade-CSCum04132-5.3.0.40” patch over patch 8 or a subsequent patch before you start the upgrade from ACS 5.3.


Cisco SNS-3495 Hardware Appliance Support

ACS 5.5 supports both Cisco SNS-3495 and Cisco SNS-3415 hardware appliances. The Cisco SNS-3495 appliance ships with two resilient 600-GB hard disk drives, 32 GB of RAM, and two power supply units. While installing ACS, the SNS-3495 appliance combines these two hard disk drives into a virtual disk using RAID 0 and RAID 1. For more information on RAID, see http://www.cisco.com/en/US/docs/unified_computing/ucs/c/hw/C220/install/raid.html.

The Cisco SNS-3415 appliance ships with one 600-GB hard disk drive, 16 GB of RAM, and one power supply unit. The main advantage of the Cisco SNS-3495 and SNS-3415 hardware appliances is that you can migrate to Cisco ISE from a migration-supported version of ACS without changing the hardware appliance, which protects your investment in the future. The SNS-3495 appliance provides disk redundancy for ACS, and the same platform can also be used for ISE. Besides disk redundancy, the SNS-3495 appliance provides additional memory (32 GB) compared to the 16 GB of the SNS-3415 appliance. Both the SNS-3495 and SNS-3415 hardware appliances can also be used to install ISE. For more information on the Cisco SNS-3495 and SNS-3415 hardware appliances, see the Installation and Upgrade Guide for Cisco Secure Access Control System 5.5.

New and Changed Features

The following sections briefly describe the new and changed features in the 5.5 release:

Enabling and Disabling IPv6 for Network Interfaces

ACS 5.5 provides the capability to disable the IPv6 stack for all interfaces or for a specific interface. By default, IPv6 is enabled for all interfaces.

You can enable or disable the IPv6 stack from the ACS CLI in configuration mode. Restart the ACS services after changing the setting so that IPv6 behaves correctly, even though the CLI prompts you for confirmation.

For more information on the ipv6 enable command and its usage, see the CLI Reference Guide for Cisco Secure Access Control System 5.5.

Enhanced Monitoring and Troubleshooting Reports

  • Support for Secure Syslog—ACS 5.5 allows you to send log messages to a remote syslog target over a secure TCP connection. You configure the CA and server certificates in both ACS and the remote syslog target. ACS verifies the certificates presented by the remote syslog server and, if the certificates are valid, establishes a secure TCP connection between ACS and the remote syslog target to send the log messages. For more information on how to send syslog messages to a remote log target over a secure TCP connection, see the User Guide for Cisco Secure Access Control System 5.5.
  • Supporting 500 pages of AAA reports—ACS 5.5 displays a maximum of 500 pages per report with 50 records per page for RADIUS and TACACS+ AAA reports. ACS 5.5 can display 25,000 records instantly from the ACS database. ACS displays the following message to users while generating reports.

“Launching the report would take time depends on the number of pages that are exist in the report. The report will fetch the maximum of 500 pages. Do you want to continue?”

ACS takes a reasonable time to fetch the 25,000 records from its database. This support is applicable only for the following AAA reports:

RADIUS Accounting

RADIUS Authentication

TACACS+ Accounting

TACACS+ Authentication

TACACS+ Authorization

  • Enhanced ACS configuration audit reports—ACS 5.5 allows you to generate time-stamped ACS configuration audit reports. You can specify the start time and end time in HH:MM:SS format to generate reports for the specified time range.
  • Support for scheduled reports with email notification—ACS 5.5 allows you to schedule reports for a future date. This feature is available only for the RADIUS authentication, RADIUS accounting, TACACS+ accounting, TACACS+ authentication, and TACACS+ authorization reports. ACS generates the scheduled reports for the specified time range, exports them as .csv files, and stores them in the specified remote repository. An email notification is also sent whenever a scheduled report is generated successfully. ACS does not generate any alarms or email notifications if a scheduled report fails to generate; to know the status of scheduled reports, go to the Monitoring Configuration > System Operations > Scheduler page and check the status there. For more information on scheduled reports, see the User Guide for Cisco Secure Access Control System.
  • Support for detailed Policy Configuration Audit Reports—ACS generates an ACS configuration audit report for any configuration change that you make to access service policies. Earlier releases of ACS 5.x display only a simple message, such as “New/Updated”, in the Modified Properties column and do not display the details of what changes were made to the policies. In ACS 5.5, this feature is enhanced to display a detailed report of the changes made to the policy configurations. For any policy that you create, edit, or reorder in ACS 5.5, you get a detailed report on the ACS configuration audit reports page. When you edit the access service policies, ACS displays both the existing and the modified policy details in the configuration audit reports.

ACS summarizes the changes made to access service policies before you click Save Changes and displays a detailed summary report of those changes on the ACS Configuration Audit reports page. This enhancement ensures that the user can view, in detail, the configuration changes made to the access policies. In an ACS distributed deployment, you can see the detailed report on the log collector server.

Identity Store Enhancements

Active Directory (AD) Identity Store Enhancements

  • msRADIUSFramedIPAddress attribute in IP Address Format—ACS 5.5 allows you to configure the msRADIUSFramedIPAddress attribute only as an IP address. When you configure AD in ACS, ACS retrieves the directory attributes from AD. You can use these AD attributes in authorization profiles to authorize AD users who are trying to access the Internet. The attribute msRADIUSFramedIPAddress, which holds the static IP address of the dial-in users, is retrieved as a part of the attribute retrieval operation. AD returns the static IP address assigned to a dial-in user in IP address format. In ACS 5.5, the attribute msRADIUSFramedIPAddress can be configured only as an IP address in the following page: Users and Identity Stores > External Identity Stores > Active Directory.
  • MAR Cache Enhancements—ACS 5.5 stores the MAR cache content, calling-station-ID list, and the corresponding timestamps in a file on its local disk when you manually stop the ACS runtime services. ACS does not store the MAR cache entries of an instance when its runtime services restart accidentally. When the ACS runtime services are restarted, ACS reads the MAR cache entries from the file on its local disk, based on the cache entry time to live. For more information on Distributed MAR Cache, see the User Guide for Cisco Secure Access Control System 5.5.
  • Support for Windows 2012 and 2012 R2 Servers—ACS 5.5 now supports Windows 2012 and 2012 R2 Servers. The Windows 2012 R2 server is supported after ACS 5.5 patch 1. Windows 2012 server has enhanced security and added functionalities. For more information, refer to Microsoft Windows documentation.

LDAP Identity Store Enhancements

  • Support for Configuring LDAP Server per ACS node—ACS 5.5 supports configuring different LDAP servers for different ACS instances in your deployment. Configuring all ACS instances in your deployment to communicate with a single LDAP server may affect the performance of that LDAP server. Also, if your LDAP servers are deployed in different locations, you can configure each ACS instance with the LDAP server that is geographically closest to it, which results in better response times. Therefore, to balance the load and improve performance, configure different ACS instances to communicate with different LDAP servers, preferably the LDAP server deployed in the local geographical location of each instance.

ACS introduces a new tab called Deployment Configuration to configure different LDAP hostnames for every ACS instance. Configure the LDAP server hostnames in the Deployment Configuration page. For more information on LDAP server hostnames per ACS node, see the User Guide for Cisco Secure Access Control System.

  • Support for LDAP Server Identity Check—ACS allows anonymous access and authenticated access against an LDAP external identity store. Anonymous access against an LDAP server allows any client to read the data present in the LDAP server. Authenticated access against an LDAP server validates the Admin DN and Password fields to provide read-only access to the LDAP server. To secure the communication between ACS and LDAP servers, ACS 5.5 additionally allows you to use the LDAP server certificate during authentication. This option ensures that ACS communicates securely with the intended LDAP server.

ACS retrieves the server certificate from the LDAP server during authentication. ACS extracts the SAN and CN attributes from the server certificate that it received and compares those attributes with the LDAP hostname configured in ACS. ACS performs the server identity check while establishing the connection with the LDAP server. For more information on the LDAP server identity check feature, see the User Guide for Cisco Secure Access Control System.
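As an added illustration of the identity check described above (not ACS code; the function names and the certificate data are assumed), the following Python performs the SAN/CN comparison against a configured LDAP hostname, using the certificate dictionary layout that Python's ssl module returns from getpeercert(). It also covers a case the text does not spell out: an LDAP server configured by IP address only passes if the certificate carries a matching iPAddress SAN.

```python
import ipaddress


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the configured hostname.

    Rules follow RFC 6125: case-insensitive, a trailing dot is ignored, and a
    wildcard is honoured only as the whole left-most label ('*.example.com'),
    matching exactly one label and never the bare parent domain.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False
    host_labels = hostname.split(".")
    # '*.dc.corp.example' matches 'dc01.dc.corp.example' but not
    # 'dc.corp.example' or 'a.b.dc.corp.example'.
    return len(host_labels) >= 3 and ".".join(host_labels[1:]) == pattern[2:]


def server_identity_check(peercert: dict, configured_host: str) -> tuple:
    """Return (ok, reason) for an LDAP server certificate versus the configured host.

    `peercert` uses the dict layout of ssl.SSLSocket.getpeercert(): a 'subject'
    tuple of RDNs and a 'subjectAltName' tuple of (type, value) pairs. Assumed
    precedence (RFC 6125; the page does not state ACS's own order): when the
    certificate carries SAN entries of the relevant kind, the CN is not consulted.
    """
    san = peercert.get("subjectAltName", ())
    try:
        ip_literal = ipaddress.ip_address(configured_host)
    except ValueError:
        ip_literal = None

    if ip_literal is not None:
        # A server configured by IP only passes on an iPAddress SAN; a CN that
        # happens to hold an IP string is not accepted.
        for kind, value in san:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip_literal:
                return True, f"matched SAN iPAddress {value}"
        return False, "configured host is an IP literal with no matching SAN iPAddress"

    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        for name in dns_names:
            if _dns_name_match(name, configured_host):
                return True, f"matched SAN dNSName {name}"
        return False, "no SAN dNSName matched; subject CN ignored because SAN dNSName entries exist"

    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_name_match(value, configured_host):
                return True, f"matched subject CN {value}"
    return False, "no SAN dNSName entries and subject CN does not match"


# Constructed sample certificate data (not a real certificate) in getpeercert() layout.
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.corp.example"),),),
    "subjectAltName": (
        ("DNS", "ldap.corp.example"),
        ("DNS", "*.dc.corp.example"),
        ("IP Address", "10.10.1.5"),
    ),
}
CN_ONLY_CERT = {"subject": ((("commonName", "ldap2.corp.example"),),)}

if __name__ == "__main__":
    for host in ("ldap.corp.example", "dc01.dc.corp.example", "dc.corp.example",
                 "10.10.1.5", "10.10.1.6"):
        print(host, server_identity_check(SAMPLE_CERT, host))
```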

RSA Identity Store Enhancement

  • Support for RSA passcode caching—User authentication against the RSA or RADIUS identity server uses an RSA passcode token. The user cannot reuse the same passcode for another authentication, and the RSA SecurID token waits a configured amount of time before it generates the next passcode. Therefore, the user cannot log in to multiple devices within that time period. ACS 5.5 provides a new feature called passcode caching, in which ACS 5.5 stores user credentials and their passcodes in a cache. The passcode cache in ACS is available for a configurable amount of time, from 1 to 300 seconds. After the first successful authentication against an RSA SecurID token server, ACS stores the user credentials in its cache, where they remain available for the configured time. If the user accesses the network again within this time period, ACS checks for the user credentials in its cache and processes the request. For more information on the RSA SecurID server, see the User Guide for Cisco Secure Access Control System.
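An added example, not ACS code, of the caching behaviour described above: a cache keyed by user that serves a repeated user/passcode pair from memory for the configured 1 to 300 second lifetime and falls back to the token server otherwise. The class and function names, the stand-in one-time token server, and the choice to store a salted digest rather than the passcode itself are assumptions of this example.

```python
import hashlib
import hmac
import os
import time


class PasscodeCache:
    """Remembers a user/passcode pair for a bounded time after the token server accepted it."""

    MIN_TTL, MAX_TTL = 1, 300  # lifetime range the release notes give, in seconds

    def __init__(self, ttl_seconds, clock=time.monotonic):
        if not self.MIN_TTL <= ttl_seconds <= self.MAX_TTL:
            raise ValueError("passcode cache lifetime must be 1-300 seconds")
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so expiry can be tested deterministically
        self._salt = os.urandom(16)   # this example stores salted digests, never the passcode
        self._entries = {}            # username -> (digest, expires_at)

    def _digest(self, username, passcode):
        material = self._salt + username.encode() + b"\x00" + passcode.encode()
        return hashlib.sha256(material).digest()

    def remember(self, username, passcode):
        """Record a pair that the token server has just accepted."""
        self._entries[username] = (self._digest(username, passcode), self.clock() + self.ttl)

    def lookup(self, username, passcode):
        """True only for the same user and the same passcode, inside the lifetime."""
        entry = self._entries.get(username)
        if entry is None:
            return False
        digest, expires_at = entry
        if self.clock() >= expires_at:
            del self._entries[username]   # expired: the next attempt must go to the token server
            return False
        return hmac.compare_digest(digest, self._digest(username, passcode))


def authenticate(cache, token_server, username, passcode):
    """Answer from the cache when possible; otherwise ask the token server and cache a success.

    Returns "cache", "token-server" or "rejected" so callers can see which path was taken.
    """
    if cache.lookup(username, passcode):
        return "cache"
    if token_server(username, passcode):
        cache.remember(username, passcode)
        return "token-server"
    return "rejected"


class OneTimeTokenServer:
    """Constructed stand-in for the RSA server: each passcode is valid exactly once."""

    def __init__(self, current_passcodes):
        self._valid = dict(current_passcodes)

    def __call__(self, username, passcode):
        if self._valid.get(username) == passcode:
            del self._valid[username]   # a reused passcode is rejected from now on
            return True
        return False


def demo(ttl_seconds=60):
    """Walk one user through a cache hit, a wrong passcode, and expiry; returns the outcomes."""
    now = [1000.0]
    cache = PasscodeCache(ttl_seconds, clock=lambda: now[0])
    server = OneTimeTokenServer({"alice": "159753"})   # constructed sample credentials
    outcomes = [
        authenticate(cache, server, "alice", "159753"),   # first login: token server
        authenticate(cache, server, "alice", "159753"),   # second device within TTL: cache
        authenticate(cache, server, "alice", "000000"),   # wrong passcode: not served from cache
    ]
    now[0] += ttl_seconds + 1
    outcomes.append(authenticate(cache, server, "alice", "159753"))  # expired and reused: rejected
    return outcomes


if __name__ == "__main__":
    print(demo())   # ['token-server', 'cache', 'rejected', 'rejected']
```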

Identity Store Enhancements common to both AD and LDAP

  • Support for Multivalue attributes in AD and LDAP Identity Stores—ACS 5.5 allows you to configure multivalue attributes in the AD or LDAP Directory Attributes page and retrieves the multivalue attribute from AD or LDAP during authentication against an AD or LDAP identity store. ACS retrieves the attributes specific to a user who is trying to authenticate against an AD identity store. ACS supports the following AD or LDAP attribute types for multivalue attributes:

String

Integer

IP Address

You can configure multivalue attributes in the AD or LDAP Directory Attributes page in ACS and use them in policy conditions.

ACS supports the following operators for String type multi-value attributes:

Equals

Not Equals

Starts with

Ends with

Contains

Not contains

ACS supports the following operators for Integer type multi-value attributes:

=

!=

>

>=

<

<=

ACS supports the following operators for IP Address type multi-value attributes:

Equals

Not Equals

When an “equals” type operation is performed between a single-value attribute and a multivalue attribute, the condition is considered true if one or more of the multiple values match the single value. When a “not equals” type operation is performed, the condition is considered true only if none of the multiple values matches the single value. For more information on all other operations, see the User Guide for Cisco Secure Access Control System.

  • Support for Boolean attributes in AD and LDAP Identity Stores—ACS 5.5 allows you to configure Boolean attributes in the AD or LDAP Directory Attributes page and retrieves the Boolean attribute from AD or LDAP during authentication against an AD or LDAP identity store. ACS retrieves the attributes specific to the user who is trying to authenticate against an AD or LDAP identity store. ACS supports the following values for Boolean attributes:

True—t, T, true, TRUE, True, and 1.

False—f, F, false, FALSE, False, and 0.

After you configure the Boolean attributes in the AD or LDAP Directory Attributes page in ACS, you can use them in policy conditions. ACS disregards any value of the attribute other than the supported values listed above, and the attribute is then treated as having an empty value. For more information, see the User Guide for Cisco Secure Access Control System.
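An added example, not ACS code, that evaluates policy conditions over the multivalue and Boolean attribute semantics described above: the operator sets per type, the any-match rule for “equals”, the none-match rule for “not equals”, and the Boolean token mapping. Function names are assumed, and extending the any-match rule to the other positive operators is an assumption of this example.

```python
import ipaddress

# Operators the release notes list for each multivalue attribute type.
SUPPORTED_OPERATORS = {
    "String": {"Equals", "Not Equals", "Starts with", "Ends with", "Contains", "Not contains"},
    "Integer": {"=", "!=", ">", ">=", "<", "<="},
    "IP Address": {"Equals", "Not Equals"},
}
# Negated operators are evaluated as "no value matches the positive form".
NEGATED = {"Not Equals": "Equals", "Not contains": "Contains", "!=": "="}

TRUE_TOKENS = {"t", "T", "true", "TRUE", "True", "1"}
FALSE_TOKENS = {"f", "F", "false", "FALSE", "False", "0"}


def parse_boolean(raw):
    """Map a directory value to True/False; any other value counts as empty (None)."""
    if raw in TRUE_TOKENS:
        return True
    if raw in FALSE_TOKENS:
        return False
    return None


def _match_one(attr_type, op, value, single):
    """Positive-operator match of one directory value against the policy value."""
    if attr_type == "String":
        return {
            "Equals": value == single,
            "Starts with": value.startswith(single),
            "Ends with": value.endswith(single),
            "Contains": single in value,
        }[op]
    if attr_type == "Integer":
        try:
            v, s = int(value), int(single)
        except ValueError:
            return False   # a non-numeric directory value never satisfies an integer compare
        return {"=": v == s, ">": v > s, ">=": v >= s, "<": v < s, "<=": v <= s}[op]
    if attr_type == "IP Address":
        try:
            return ipaddress.ip_address(value) == ipaddress.ip_address(single)
        except ValueError:
            return False
    raise ValueError(f"unsupported attribute type {attr_type!r}")


def evaluate_condition(attr_type, values, op, single):
    """Evaluate `<multivalue attribute> <op> <single policy value>`.

    Positive operators are true if at least one directory value matches (the
    release notes state this for "equals"; applying it to the other positive
    operators is an assumption of this example). Negated operators are true only
    if no value matches, so an attribute with no values satisfies "Not Equals".
    """
    if op not in SUPPORTED_OPERATORS.get(attr_type, ()):
        raise ValueError(f"operator {op!r} is not supported for {attr_type} attributes")
    if op in NEGATED:
        return not any(_match_one(attr_type, NEGATED[op], v, single) for v in values)
    return any(_match_one(attr_type, op, v, single) for v in values)


if __name__ == "__main__":
    # Constructed sample: a user's multivalue attribute as returned by the directory.
    groups = ["netops", "secops"]
    print(evaluate_condition("String", groups, "Equals", "secops"))        # True
    print(evaluate_condition("String", groups, "Not Equals", "secops"))    # False
    print(evaluate_condition("Integer", ["10", "250"], ">=", "200"))       # True
    print(parse_boolean("TRUE"), parse_boolean("yes"))                      # True None
```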

Network Access Protocol Enhancements

  • RADIUS Proxy Request-Attribute Rewrite support—In ACS 5.5, you can define additional RADIUS attributes for, or update the existing attributes of, outbound RADIUS proxy requests, and you can rewrite the outgoing RADIUS responses before they are sent to the client devices. You can rewrite the attribute values for a specific proxy access service. When this service is selected, ACS performs the operation on the Access-Accept response and forwards the updated Access-Accept response to the client devices. This feature applies only to RADIUS Access-Accept responses and is not enabled for accounting requests. For more information, see the User Guide for Cisco Secure Access Control System 5.5.
  • TACACS+ Password Policy Violation Message—ACS 5.5 displays an appropriate error message when an internal identity store user enters a password that does not meet the minimum requirements of the password policy during the user password change for TACACS+ authentication. ACS provides the option to configure this error message in the change password failed reason message (for TACACS+ only) field on the System Administration > Users > Authentication Settings page. For more information, see the User Guide for Cisco Secure Access Control System 5.5.
  • Maximum user sessions—In earlier releases of ACS, you could configure the maximum number of sessions that users from a particular identity group can create. This option sometimes resulted in a few users from a group consuming all of the group's sessions. ACS 5.5 allows you to configure the maximum number of sessions that an individual user can create. You can use this option together with the maximum sessions per identity group option to ensure that the same users do not consume all of the sessions. You can configure the maximum number of sessions allowed for each user from the ACS web interface. The ACS 4.x migration utility supports migrating the maximum session configuration. For more information, see the User Guide for Cisco Secure Access Control System 5.5.

Security Enhancements

  • FIPS Compliance—ACS 5.5 is compliant with Federal Information Processing Standard (FIPS) 140-2 Level 1. ACS uses an embedded FIPS 140-2 Level 1 implementation built on the validated C3M and NSS modules, per the FIPS 140-2 Implementation Guidance section G.5 guidelines. The key size of the Certificate Authority certificates and server certificates used in ACS must be at least 2048 bits, and the key size of client certificates must be at least 1024 bits. In FIPS mode, ACS does not support PAP, CHAP, MSCHAPv1, MSCHAPv2, EAP-MD5, LEAP, or Anonymous PAC Provisioning in EAP-FAST. For more information on how to enable FIPS in ACS, see the User Guide for Cisco Secure Access Control System 5.5.
  • Support for encrypted ACS Backup—ACS prompts for an encryption password when you run a backup that contains ACS data. This release of ACS allows you to encrypt the ACS data using a dynamic encryption password and save it as a separate .gpg file. When you run a full backup in ACS, ACS uses the static key to encrypt the ADE-OS and ACS view data, whereas for ACS data, ACS uses a dynamic encryption password and creates a separate encrypted .gpg file and saves it inside the full backup .gpg file. When you restore the full backup, ACS prompts for the decryption password to decrypt the ACS backup data. ACS decrypts the ADE-OS data and ACS view data using the static key. For more information on running backups from the ACS web interface, see the User Guide for Cisco Secure Access Control System 5.5. For more information on running backups from the ACS CLI, see the CLI Reference Guide for Cisco Secure Access Control System 5.5.
  • Support for downloading Certificate Revocation Lists (CRLs) through a secure connection or a proxy server—ACS 5.5 supports the use of HTTPS URL for a CRL distribution server. ACS 5.5 accepts both HTTP and HTTPS URLs for a CRL distribution server.

ACS 5.5 allows you to proxy requests and responses from the CRL distribution server for greater security. The proxy server receives the request from ACS and forwards it to the CRL distribution server. The CRL distribution server, upon receiving the request from the proxy, processes it and forwards the CRLs to the proxy server. The proxy server receives the CRLs from the CRL distribution server and forwards them to ACS. For more information on how to configure HTTP proxy settings for CRL Download, see the User Guide for Cisco Secure Access Control System 5.5.

System Administration Enhancements

  • IP Address Overlap for IP Subnets—In ACS 5.4, an administrator cannot define a specific IP address if it is contained within a subnet that is already included in an existing network device definition. In ACS 5.5, this restriction is relaxed: a specific IP address may be defined in such a case, provided that no other device definition contains the same IP address. This allows common values to be defined for all devices in a subnet, while specific devices within that subnet, identified by their specific IP addresses, can be given different values. ACS 5.5 allows you to use a single static IPv4 or IPv6 address that is also part of an IP subnet, and a single static IPv4 address that is part of an IP range. For more information, see the User Guide for Cisco Secure Access Control System.
  • Support for Importing RADIUS Vendors and RADIUS Vendor-Specific Attributes—ACS 5.5 supports importing RADIUS vendors and RADIUS vendor-specific attributes (VSAs) from a text file. This text file is based on the FreeRADIUS dictionary format. For more information on the FreeRADIUS format, see http://linux.die.net/man/5/dictionary. The ACS 5.5 web interface provides an option to download the import template. You must enter the vendor and its attributes in the same file. For more information on importing RADIUS vendors and RADIUS VSAs, see the User Guide for Cisco Secure Access Control System 5.5.
  • Support for exporting ACS administrator accounts from the ACS web interface and ACS CLI—ACS 5.5 allows you to export the administrator accounts to a .csv file using the export option available on the Administrator Accounts page. This option exports all the administrator accounts that are created and listed on the Administrator Accounts page to a .csv file. You can export administrator accounts from the ACS web interface and ACS CLI, but you cannot export the administrator accounts using the REST PI. You cannot import the exported administrator account details back into ACS. You can save the exported file on a client machine and use it for audit purposes. For more information, see the User Guide for Cisco Secure Access Control System 5.5.
  • Support for exporting ACS Message Catalog from the ACS web interface and ACS CLI—ACS 5.5 provides the option to download syslog messages with message codes and descriptions as a CSV file from the ACS web interface. ACS exports all syslog messages that are available in the Log Message Catalog page. For more information, see the User Guide for Cisco Secure Access Control System. You can also use the export-data-message-catalog command to export the syslog messages that are available in the Log Message Catalog. For more information, see the CLI Reference Guide for Cisco Secure Access Control System.
  • Support for updating or modifying ACS base licenses—In ACS 5.5, you can upgrade or modify a base license from the ACS web interface without resetting the configuration. Navigate to the Base Server License page and modify the base license using the Upgrade/Modify option. You can update a base permanent license with a base permanent license, an NFR license, or an evaluation license without resetting the configuration. Similarly, you can update an evaluation license with another evaluation license, an NFR license, or a permanent license. You can update an NFR license with another NFR license or a permanent license. For more information on licenses, see the User Guide for Cisco Secure Access Control System.
  • Distributed System Management Page Auto Refresh—ACS 5.5 allows you to select the time interval in seconds for the Distributed System Management page to be refreshed automatically. The available options are No Refresh, 15 seconds, 30 seconds, and 60 seconds. The default value is 30 seconds. The selected interval works only when you are in the Distributed System Management page. If you navigate to any other page, ACS resets the refresh interval to its default value. The refresh interval does not work when you delete a deregistered secondary instance or instances from the Distributed System Management Page.
  • Support for deleting or disabling the default acsadmin account—The acsadmin account in ACS 5.5 is similar to any other admin account with the Super Admin role. The default acsadmin account can now be disabled or deleted, provided that you have another recovery admin account with the Super Admin role. The account disablement criteria, such as password lifetime, account disablement, and exceeding failed authentication attempts also apply to the default acsadmin account.
  • Support for running Migration Utility with any Administrator Account with a Super Admin role—ACS 5.5 allows you to run the Migration Utility with any administrator account with Super Admin role.
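An added example, not ACS code, for the RADIUS vendor and VSA import item above: it parses the FreeRADIUS dictionary syntax on which the import file is based (VENDOR, BEGIN-VENDOR, ATTRIBUTE, VALUE, END-VENDOR) into vendor and VSA definitions and rejects duplicate or malformed entries. The ACS import template itself is not reproduced here; the class names and the sample dictionary text are assumed.

```python
from dataclasses import dataclass, field

# FreeRADIUS data types this example accepts for a vendor-specific attribute (a subset).
VSA_TYPES = {"string", "integer", "ipaddr", "ipv6addr", "octets", "date", "byte", "short"}


@dataclass
class Attribute:
    name: str
    number: int
    type: str
    values: dict = field(default_factory=dict)   # VALUE name -> integer, for integer attributes


@dataclass
class Vendor:
    name: str
    id: int                                      # IANA Private Enterprise Number
    attributes: dict = field(default_factory=dict)


def parse_dictionary(text):
    """Parse VENDOR / BEGIN-VENDOR / ATTRIBUTE / VALUE / END-VENDOR lines into Vendor objects.

    Raises ValueError with the line number for anything malformed or inconsistent:
    unknown keywords, duplicate vendor ids or attribute numbers, attributes outside
    a vendor, VALUEs for non-integer attributes, or a VSA number outside 1-255.
    """
    vendors = {}
    owner = {}        # attribute name -> Attribute, used to resolve VALUE lines
    current = None    # vendor opened by BEGIN-VENDOR
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        keyword = parts[0].upper()
        try:
            if keyword == "VENDOR":
                name, vid = parts[1], int(parts[2], 0)
                if name in vendors or any(v.id == vid for v in vendors.values()):
                    raise ValueError("duplicate vendor name or id")
                if not 1 <= vid <= 0xFFFFFFFF:
                    raise ValueError("vendor id out of range")
                vendors[name] = Vendor(name, vid)
            elif keyword == "BEGIN-VENDOR":
                if current is not None:
                    raise ValueError("nested BEGIN-VENDOR")
                current = vendors[parts[1]]
            elif keyword == "END-VENDOR":
                if current is None or current.name != parts[1]:
                    raise ValueError("END-VENDOR does not match an open BEGIN-VENDOR")
                current = None
            elif keyword == "ATTRIBUTE":
                name, number, typ = parts[1], int(parts[2], 0), parts[3].lower()
                # Old-style syntax names the vendor in a fifth column instead of a block.
                vendor = current if current is not None else vendors[parts[4]]
                if typ not in VSA_TYPES:
                    raise ValueError(f"unsupported type {typ}")
                if not 1 <= number <= 255:
                    raise ValueError("VSA attribute number must be 1-255")
                if name in owner or any(a.number == number for a in vendor.attributes.values()):
                    raise ValueError("duplicate attribute name or number")
                attr = Attribute(name, number, typ)
                vendor.attributes[name] = attr
                owner[name] = attr
            elif keyword == "VALUE":
                attr = owner[parts[1]]
                if attr.type != "integer":
                    raise ValueError("VALUE is only meaningful for integer attributes")
                attr.values[parts[2]] = int(parts[3], 0)
            else:
                raise ValueError(f"unknown keyword {parts[0]}")
        except (IndexError, KeyError, ValueError) as exc:
            raise ValueError(f"line {lineno}: {raw.strip()!r}: {exc}") from None
    if current is not None:
        raise ValueError(f"BEGIN-VENDOR {current.name} was never closed")
    return vendors


# Constructed sample in FreeRADIUS dictionary syntax. Cisco's PEN 9 and Cisco-AVPair are the
# well-known public values; the other attribute and value names are made up for this example.
SAMPLE = """\
# vendor block in the form the FreeRADIUS dictionary(5) page documents
VENDOR          Cisco           9
BEGIN-VENDOR    Cisco
ATTRIBUTE       Cisco-AVPair            1   string
ATTRIBUTE       Example-Link-State      2   integer   # constructed name
VALUE           Example-Link-State      Up      1
VALUE           Example-Link-State      Down    2
END-VENDOR      Cisco
"""

if __name__ == "__main__":
    for vendor in parse_dictionary(SAMPLE).values():
        print(vendor.name, vendor.id, sorted(vendor.attributes))
```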

System Operation Enhancements

  • NIC Bonding—ACS supports bonding two physical interfaces into a single virtual interface. This feature is called Network Interface Card (NIC) Bonding. Bonding two physical interfaces into one virtual interface lets ACS keep processing authentication requests when one of the two interfaces goes down: the other physical interface in the same bond acts as a standby and processes all the requests that arrive on the bond. The NIC bonding feature in ACS provides only a backup of one physical interface when the other interface is down; the other general NIC bonding features, such as load balancing, are not supported. In ACS 5.5, you can create two bonds from the four available Ethernet interfaces.

For more information on creating interface bonding, see the Installation and Upgrade Guide for Cisco Secure Access Control System 5.5.

  • SNMP Traps—ACS 5.5 allows you to send SNMP traps to a configured SNMP host. SNMP traps help you monitor the status of ACS processes when you do not have access to an ACS server. You can request that the ACS administrator configure a MIB browser as an SNMP host in ACS to receive the SNMP traps. The SNMP server generates a unique ID for every object, and a value is assigned to the OID. You can find the object with its OID value in the SNMP server. For more information on SNMP traps, see the User Guide for Cisco Secure Access Control System 5.5.
  • New and Enhanced CLI commands—ACS 5.5 introduces the following new CLI commands:

conn-limit—This command is used to configure a limit on TCP, UDP, or ICMP packets from a source IP address. For more information, see the CLI Reference Guide for Cisco Secure Access Control System.

rate-limit—This command is used to configure a limit on TCP connections from a source IP address. For more information, see the CLI Reference Guide for Cisco Secure Access Control System.

synflood-limit—This command is used to configure a limit on TCP SYN packets from a source IP address. For more information, see the CLI Reference Guide for Cisco Secure Access Control System.

The following CLI commands are enhanced in ACS 5.5:

acs reset-password—This command is used to reset an administrator account password to its default setting (default). In ACS 5.5, you must specify the username of the administrator account after the acs reset-password command, which adds a measure of security to the command. For more information, see the CLI Reference Guide for Cisco Secure Access Control System.

show logging—This command is used to display the state of system logging (syslog) and the contents of the standard system logging buffer. In ACS 5.5, this command allows you to view log messages from a specific log file within the ACS application log directory. You can now view any logs in the path /var/log/ or /opt/CSCOacs/logs/. For more information, see the CLI Reference Guide for Cisco Secure Access Control System.

tech—This command is used to dump TCP packets to the console. In ACS 5.5, this command is enhanced to provide troubleshooting information for I/O and CPU operations. For more information, see the CLI Reference Guide for Cisco Secure Access Control System.

  • Signature Verification—ACS 5.5 verifies the MD5 and SHA256 values when you install the ACS application bundle, ACS upgrade bundle, or ACS patch bundle. After you download these software bundles to your local drive, ACS provides an option to verify that the downloaded packages are free of errors. Compare the MD5 and SHA256 values that ACS displays with the values published on Cisco.com at the download site. This lets you avoid installing erroneous or corrupted packages and saves time.
  • Support for Trust Communication between Nodes in a Deployment—ACS introduces the Trust Communication feature to provide additional security for communication between the ACS instances in your deployment. When you enable trust communication in an ACS deployment, the primary and secondary ACS instances verify each other's CA certificates before establishing a secure tunnel for communication. If the corresponding CAs are valid, the instances establish a secure tunnel between them. After a successful registration, the primary instance database is replicated to the newly added secondary instance. If the CA of an ACS instance is invalid, the ACS deployment rejects that ACS instance. You can enable trust communication on both the primary and secondary ACS instances, or on only the primary or only the secondary instance. However, for increased security, Cisco recommends that you enable trust communication on all the nodes in your deployment. For more information, see the User Guide for Cisco Secure Access Control System.
  • Support for new diagnostic messages and alarms for replication failures—ACS 5.5 triggers new replication-related diagnostic messages and alarms to alert the administrator of replication issues in a deployment.

New Diagnostic Messages

Secondary node cannot establish communication channel against primary node on Heartbeat/Replication/Replay topic.

Primary node cannot establish communication channel against secondary node on Heartbeat/Replication/Replay topic.

Heartbeat from primary/secondary indicates that secondary is not synchronized with primary for long time.

No heartbeat status is received from secondary during certain amount of time.

No heartbeat status is received from primary node during certain amount of time.

New Alarms

Secondary node stopped from processing replications.

Secondary node cannot establish communication channel against Primary node on Heartbeat/Replication/Replay topic.

Primary node cannot establish communication channel against secondary node on Heartbeat/Replication/Replay topic.

Heartbeat from Primary/Secondary indicates that Secondary is not synchronized with Primary for a long time.

No heartbeat status is received from secondary during certain amount of time.

No heartbeat status is received from primary node during certain amount of time.

You can view these alarms in your Alarms Inbox from the ACS web interface. The new messages and alarms allow you to easily identify the root cause of the replication issue. ACS displays a workaround for the replication issues along with the alarm messages. You can use the workaround to fix the replication issues.

In ACS 5.5, the following diagnostic message is changed to display the appropriate error message:

Communication channel on Heartbeat/Replication/Replay topic was re-established after failure.

For more information on alarms, see the User Guide for Cisco Secure Access Control System .

  • Additional Node Support: ACS 5.5 supports one additional ACS instance in a deployment. The ACS 5.5 medium deployment supports 14 ACS instances and the large deployment supports 22 ACS instances. You can designate this additional ACS instance as a dedicated instance that can be promoted to a primary instance when the actual primary instance goes down.

Upgrade Paths

You can use the following upgrade paths to upgrade an ACS server from a 5.x version to 5.5:

Path 1: ACS 5.4 to ACS 5.5.

To upgrade from ACS 5.4 to 5.5, see Installation and Upgrade Guide for Cisco Secure Access Control System 5.5 .

Path 2: ACS 5.3 to ACS 5.5.

To upgrade from ACS 5.3 to 5.5, see Installation and Upgrade Guide for Cisco Secure Access Control System 5.5 .

Path 3: ACS 5.0/5.1/5.2 to ACS 5.3/5.4 to ACS 5.5.

To upgrade from 5.0/5.1/5.2 to ACS 5.3, see the Installation and Upgrade Guide for Cisco Secure Access Control System 5.3. After upgrading to ACS 5.3, you can use the Installation and Upgrade Guide for Cisco Secure Access Control System 5.5 to upgrade from ACS 5.3 to ACS 5.5.

To upgrade from 5.0/5.1/5.2 to ACS 5.4, see the Installation and Upgrade Guide for Cisco Secure Access Control System 5.4. After upgrading to ACS 5.4, you can use the Installation and Upgrade Guide for Cisco Secure Access Control System 5.5 to upgrade from ACS 5.4 to ACS 5.5.

Supported Virtual Environments

ACS 5.5 supports the following VMware versions.

  • VMware ESXi 5.0
  • VMware ESXi 5.0 Update 2
  • VMware ESXi 5.1
  • VMware ESXi 5.5 Update 1 after you install patch 3 or a subsequent patch.

For information on VMware machine requirements and installation procedures, see the “Installing ACS in a VMware Virtual Machine” chapter in the Installation and Upgrade Guide for Cisco Secure Access Control System 5.5.

Monitoring and Reports Data Export Compatibility

Exporting monitoring and troubleshooting records to a remote database does not work if the remote database is an Oracle database and it is configured in a cluster setup.

Supported Browsers

You can access the ACS 5.5 administrative user interface using the following browsers:

  • MAC OS
    • Mozilla Firefox version 28.x
    • Mozilla Firefox version 29.x
    • Mozilla Firefox version 24.4 ESR
  • Windows 7 32-bit, Windows 7 64-bit, and Windows 8
    • Internet Explorer version 10.x
    • Internet Explorer version 11.x
    • Mozilla Firefox version 17.x
    • Mozilla Firefox version 21.x
    • Mozilla Firefox version 22.x
    • Mozilla Firefox version 25.x
    • Mozilla Firefox version 26.x
    • Mozilla Firefox version 28.x
    • Mozilla Firefox version 29.x
    • Mozilla Firefox version 31.x
    • Mozilla Firefox version 17.0.6 ESR
    • Mozilla Firefox version 24.1.1 ESR
    • Mozilla Firefox version 24.4 ESR
    • Mozilla Firefox version 24.5 ESR
    • Mozilla Firefox version 24.7.0 ESR
    • Mozilla Firefox version 31.0 ESR


Note When you import or export a .csv file from ACS 5.x, you must turn off the pop-up blocker.



Note You can launch the ACS web interface using IPv6 addresses only in Internet Explorer 7.x or later and Mozilla Firefox 3.x versions.


Installation and Upgrade Notes

This section provides information on the installation tasks and configuration process for ACS 5.5.

Installing, Setting Up, and Configuring CSACS-1121

This section describes how to install, set up, and configure the CSACS-1121 series appliance. The CSACS-1121 series appliance is preinstalled with the software.

To set up and configure the CSACS-1121:


Step 1 Open the box containing the CSACS-1121 Series appliance and verify that it includes:

  • The CSACS-1121 Series appliance
  • Power cord
  • Rack-mount kit
  • Cisco Information Packet
  • Warranty card
  • Regulatory Compliance and Safety Information for Cisco Secure Access Control System 5.5

Step 2 Go through the specifications of the CSACS-1121 Series appliance.

For more details, see the Installation and Upgrade Guide for Cisco Secure Access Control System 5.5 .

Step 3 Read the general precautions and safety instructions that you must follow before installing the CSACS-1121 Series appliance.

For more details, see the Installation and Upgrade Guide for Cisco Secure Access Control System 5.5 and pay special attention to all safety warnings.

Step 4 Install the appliance in the 4-post rack, and complete the rest of the hardware installation.

For more details on installing the CSACS-1121 Series appliance, see the Installation and Upgrade Guide for Cisco Secure Access Control System 5.5.

Step 5 Connect the CSACS-1121 Series appliance to the network, and connect either a USB keyboard and Video Graphics Array (VGA) monitor or a serial console to the serial port.

Figure 1 shows the back panel of the CSACS-1121 Series appliance and the various cable connectors.


Note For the initial setup, you must have either a USB keyboard and VGA monitor or a serial console running terminal emulation software.


For more details, see the Installation and Upgrade Guide for Cisco Secure Access Control System 5.5.

For information on installing ACS 5.5 on VMware, see the “Installing ACS in a VMware Virtual Machine” chapter in the Installation and Upgrade Guide for Cisco Secure Access Control System 5.5.

Figure 1 CSACS 1121 Series Appliance Rear View

The following table describes the callouts in Figure 1.

Callout   Connector
1         AC power receptacle
2         Gigabit Ethernets
3         Serial connector
4         Video connector
5         Gigabit Ethernet 1
6         Gigabit Ethernet 0
7         USB 3 connector
8         USB 4 connector

Step 6 After completing the hardware installation, power up the appliance.

The first time you power up the appliance, you must run the setup program to configure the appliance. For more information, see Running the Setup Program.


 

Installing, Setting Up, and Configuring Cisco SNS-3495 or Cisco SNS-3415

The Cisco SNS-3495 and Cisco SNS-3415 appliances do not have a DVD drive. You must use the CIMC on the appliance or a bootable USB to install, set up, and configure ACS 5.5 on these appliances. For more details, see the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.5.

This section describes how to install, set up, and configure the Cisco SNS-3495 and Cisco SNS-3415 appliances. The Cisco SNS-3495 and Cisco SNS-3415 appliances are preinstalled with the software.

To set up and configure the Cisco SNS-3495 and Cisco SNS-3415:


Step 1 Open the box containing the Cisco SNS-3495 or Cisco SNS-3415 appliance and verify that it includes:

  • The Cisco SNS-3495 or Cisco SNS-3415 appliance
  • Power cord
  • KVM cable
  • Cisco information packet
  • Warranty card
  • Regulatory Compliance and Safety Information for Cisco Secure Access Control System 5.5

Step 2 Go through the specifications of the Cisco SNS-3495 or Cisco SNS-3415 appliance.

For more details, see the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.5 .

Step 3 Read the general precautions and safety instructions that you must follow before installing the Cisco SNS-3415 or Cisco SNS-3495 appliance.

For more details, see the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.5 and pay special attention to all safety warnings.

Step 4 Install the appliance in the 4-post rack, and complete the rest of the hardware installation.

For more details on installing the Cisco SNS-3495 or Cisco SNS-3415 appliance, see the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.5.

Step 5 Connect the Cisco SNS-3495 or Cisco SNS-3415 appliance to the network and connect either a USB keyboard and Video Graphics Array (VGA) monitor or a serial console to the serial port.

See the Installation and Upgrade Guide for Cisco Secure Access Control System 5.5 for illustrations of the front and back panel of the Cisco SNS-3495 and Cisco SNS-3415 appliance and the various cable connectors.


Note For the initial setup, you must have either a USB keyboard and VGA monitor or a serial console running terminal-emulation software.


For more details, see the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.5 .

For information on installing ACS 5.5 on VMware, see the “Installing ACS in a VMware Virtual Machine” chapter in the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.5.

Step 6 After completing the hardware installation, power up the appliance.

The first time you power up the appliance, you must run the setup program to configure the appliance. For more information, see the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.5 .


 

Running the Setup Program

The setup program launches an interactive CLI that prompts you for the required parameters. An administrator can use the console or a dumb terminal to run the setup program, configure the initial network settings, and enter the initial administrator credentials for the ACS 5.5 server. The setup process is a one-time configuration task.

To configure the ACS server:


Step 1 Power up the appliance.

The setup prompt appears:

Please type ‘setup’ to configure the appliance
localhost login:
 

At the login prompt, enter setup and press Enter.

The console displays a set of parameters. You must enter the parameters as described in Table 1.


Note You can interrupt the setup process at any time by typing Ctrl-C before the last setup value is entered.


 

Table 1 Network Configuration Prompts

Each entry below gives the prompt, its default value, the conditions the value must satisfy, and what to enter.

Hostname
  Default: localhost
  Conditions: The first letter must be an ASCII character. The length must be from 3 to 15 characters. Valid characters are alphanumeric (A-Z, a-z, 0-9) and the hyphen (-), and the first character must be a letter.
  Note When you intend to use the AD ID store and set up multiple ACS instances with the same name prefix, use a maximum of 15 characters as the hostname so that it does not affect the AD functionality.
  Description: Enter the hostname.

IPv4 IP Address
  Default: None, network specific
  Conditions: Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.
  Description: Enter the IP address.

IPv4 Netmask
  Default: None, network specific
  Conditions: Must be a valid IPv4 netmask between 0.0.0.0 and 255.255.255.255.
  Description: Enter a valid netmask.

IPv4 Gateway
  Default: None, network specific
  Conditions: Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.
  Description: Enter a valid IP address for the default gateway.

Domain Name
  Default: None, network specific
  Conditions: Cannot be an IP address. Valid characters are ASCII characters, any numbers, the hyphen (-), and the period (.).
  Description: Enter the domain name.

IPv4 Primary Name Server Address
  Default: None, network specific
  Conditions: Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.
  Description: Enter a valid name server address.

Add Another Name Server
  Default: None, network specific
  Conditions: Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.
  Note You can configure a maximum of three name servers from the ACS CLI.
  Description: To configure multiple name servers, enter Y.

NTP Server
  Default: time.nist.gov
  Conditions: Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255 or a domain name server.
  Note You can configure a maximum of three NTP servers from the ACS CLI.
  Description: Enter a valid domain name server or an IPv4 address.

Time Zone
  Default: UTC
  Conditions: Must be a valid local time zone.
  Description: Enter a valid system time zone.

SSH Service
  Default: None, network specific
  Conditions: None.
  Description: To enable SSH service, enter Y.

Username
  Default: admin
  Conditions: The name of the first administrative user. You can accept the default or enter a new username. Must be from 3 to 8 characters and must be alphanumeric (A-Z, a-z, 0-9).
  Description: Enter the username.

Admin Password
  Default: None
  Conditions: No default password. Enter your password. The password must be at least six characters in length and have at least one lower-case letter, one upper-case letter, and one digit.
  In addition:
    • Save the user and password information for the account that you set up for initial configuration.
    • Remember and protect these credentials, because they allow complete administrative control of the ACS hardware, the CLI, and the application.
    • If you lose your administrative credentials, you can reset your password by using the ACS 5.5 installation CD.
  Description: Enter the password.

After you enter the parameters, the console displays:

localhost login: setup
Enter hostname[]: acs54-server-1
Enter IP address[]: 192.0.2.177
Enter IP default netmask[]: 255.255.255.0
Enter IP default gateway[]: 192.0.2.1
Enter default DNS domain[]: mycompany.com
Enter primary nameserver[]: 192.0.2.6
Add secondary nameserver? Y/N : n
Add primary NTP server [time.nist.gov]: 192.0.2.2
Add secondary NTP server? Y/N : n
Enter system timezone[UTC]:
Enable SSH Service? Y/N [N] : y
Enter username [admin]: admin
Enter password:
Enter password again:
Bringing up network interface...
Pinging the gateway...
Pinging the primary nameserver...
Virtual machine detected, configuring VMware tools...
File descriptor 4 (/opt/system/etc/debugd-fifo) leaked on lvm.static invocation
Parent PID 3036: /bin/bash
Do not use `Ctrl-C' from this point on...
debugd[2455]: [2809]: config:network: main.c[252] [setup]: Setup is complete.
Appliance is configured
Installing applications...
Installing acs...
Generating configuration...
Rebooting...
 

After the ACS server is installed, the system reboots automatically. Now, you can log into ACS with the CLI username and password that was configured during the setup process.

You can use this username and password to log in to ACS only through the CLI. To log in to the web interface, you must use the predefined username ACSAdmin and password default.

When you access the web interface for the first time, you are prompted to change the predefined password for the administrator. You can also define access privileges for other administrators who will access the web interface.
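The constraints that Table 1 places on the setup answers are easy to get wrong at a console prompt, and a rejected value means retyping the whole sequence. The following is an added example, not code from the release note or from Cisco: it re-expresses the Table 1 rules (hostname, IPv4 address, netmask, domain name, NTP server, username, password) as offline checks so a planned set of answers can be validated before the appliance is powered up. The function names and the parameter-dictionary layout are this example's own, and the netmask check (contiguous one-bits) is stricter than Table 1's wording, which only requires a valid dotted quad.

```python
"""Offline validator for the ACS 5.5 setup-program prompts in Table 1 (added example, not Cisco code)."""
import ipaddress
import re

HOSTNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")   # first character a letter; letters, digits, hyphen only
DOMAIN_RE = re.compile(r"^[A-Za-z0-9.-]+$")             # ASCII letters, digits, hyphen and period
USERNAME_RE = re.compile(r"^[A-Za-z0-9]{3,8}$")         # 3 to 8 alphanumeric characters


def validate_hostname(value):
    """3 to 15 characters, alphanumeric or hyphen, first character a letter (Table 1)."""
    problems = []
    if not 3 <= len(value) <= 15:
        problems.append("hostname must be 3 to 15 characters")
    if not HOSTNAME_RE.match(value):
        problems.append("hostname must start with a letter and use only A-Z, a-z, 0-9 and '-'")
    return problems


def validate_ipv4(value):
    """Any dotted quad between 0.0.0.0 and 255.255.255.255."""
    try:
        ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError:
        return [f"{value!r} is not a valid IPv4 address"]
    return []


def validate_netmask(value):
    """Valid IPv4 address whose one-bits are contiguous (assumption: stricter than Table 1's wording)."""
    problems = validate_ipv4(value)
    if problems:
        return problems
    mask = int(ipaddress.IPv4Address(value))
    # For a contiguous mask, OR-ing the mask with (mask - 1) fills every bit; 0.0.0.0 is accepted as-is.
    if mask != 0 and (mask | (mask - 1)) != 0xFFFFFFFF:
        problems.append(f"{value!r} is not a contiguous netmask")
    return problems


def validate_domain(value):
    """Cannot be an IP address; ASCII letters, digits, hyphen and period only."""
    if not validate_ipv4(value):
        return ["domain name cannot be an IP address"]
    if not DOMAIN_RE.match(value):
        return ["domain name may contain only ASCII letters, digits, '-' and '.'"]
    return []


def validate_ntp_server(value):
    """Table 1 allows either an IPv4 address or a domain name for the NTP server."""
    if not validate_ipv4(value) or not validate_domain(value):
        return []
    return ["NTP server must be an IPv4 address or a domain name"]


def validate_username(value):
    """3 to 8 alphanumeric characters."""
    return [] if USERNAME_RE.match(value) else ["username must be 3 to 8 alphanumeric characters"]


def validate_password(value):
    """At least six characters with one lower-case letter, one upper-case letter and one digit."""
    problems = []
    if len(value) < 6:
        problems.append("password must be at least six characters")
    if not any(c.islower() for c in value):
        problems.append("password needs a lower-case letter")
    if not any(c.isupper() for c in value):
        problems.append("password needs an upper-case letter")
    if not any(c.isdigit() for c in value):
        problems.append("password needs a digit")
    return problems


# Field names are this example's own; they mirror the order of the setup prompts.
CHECKS = {
    "hostname": validate_hostname,
    "ip_address": validate_ipv4,
    "netmask": validate_netmask,
    "gateway": validate_ipv4,
    "domain": validate_domain,
    "primary_nameserver": validate_ipv4,
    "ntp_server": validate_ntp_server,
    "username": validate_username,
    "password": validate_password,
}


def validate_setup(params):
    """Return {field: [problems]} for every supplied field that fails; an empty dict means all answers are acceptable."""
    report = {}
    for field, check in CHECKS.items():
        if field in params:
            problems = check(params[field])
            if problems:
                report[field] = problems
    return report


if __name__ == "__main__":
    # Values taken from the sample console session in this section; the password is constructed.
    planned = {"hostname": "acs54-server-1", "ip_address": "192.0.2.177", "netmask": "255.255.255.0",
               "gateway": "192.0.2.1", "domain": "mycompany.com", "primary_nameserver": "192.0.2.6",
               "ntp_server": "192.0.2.2", "username": "admin", "password": "Passw0rd"}
    print(validate_setup(planned) or "all setup answers acceptable")
```

Run the script with your own planned values before the first power-up; anything reported is a value the setup program would also reject, so it is cheaper to fix here than at the console.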


 

Licensing in ACS 5.5

To operate ACS, you must install a valid license. ACS prompts you to install a valid license when you first access the web interface.

Each ACS instance (primary or secondary) in a distributed deployment requires a unique base license.

Types of Licenses

Table 2 lists the types of licenses that are available in ACS 5.5.

Table 2 ACS License Support

License
Description

Base License

The base license is required for all deployed software instances and for all appliances. The base license enables you to use all ACS functions except license-controlled features, and it enables standard centralized reporting features.

The base license:

  • Is required for all primary and secondary ACS instances.
  • Is required for all appliances.
  • Supports deployments that have a maximum of 500 NADs.

The following are the types of base licenses:

  • Permanent—Does not have an expiration date. Supports deployments that have a maximum of 500 NADs.
  • Evaluation—Expires 90 days from the time the license is issued. Supports deployments that have a maximum of 50 NADs.

The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure.

For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses; thus the number of devices is 256.
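The device count that the base license enforces is therefore driven by the address ranges you configure, not by the number of device entries. The following is an added example, not code from the release note or from ACS: it applies the counting rule stated above to a list of configured address/mask entries and compares the result with the 500-device (permanent) and 50-device (evaluation) limits given in this section. Treating entries that cover the same addresses as one device range (no double counting) is this example's own assumption, as are the entry format and function names.

```python
"""Count the NADs a base license sees from configured IP/mask entries (added example, not Cisco code)."""
import ipaddress

# Maximum NADs per base license type, as stated in this section of the release note.
NAD_LIMITS = {"permanent": 500, "evaluation": 50}


def to_network(entry):
    """'ip/mask' or a bare 'ip' (treated as a single host) -> IPv4Network.

    Entry format is this example's assumption, modelled on the IP address plus subnet mask
    that a network device entry carries.
    """
    address, _, mask = entry.partition("/")
    if not mask:
        mask = "255.255.255.255"
    # strict=False keeps host bits, so 192.0.2.10/255.255.255.0 still covers 256 addresses,
    # matching the "subnet mask implies 256 unique IP addresses" rule above.
    return ipaddress.IPv4Network(f"{address}/{mask}", strict=False)


def count_licensed_devices(entries):
    """Number of unique IP addresses covered by all entries; nested or overlapping ranges are merged first."""
    networks = ipaddress.collapse_addresses(to_network(e) for e in entries)
    return sum(net.num_addresses for net in networks)


def license_check(entries, license_type):
    """Return (device_count, within_limit) for the given base license type."""
    limit = NAD_LIMITS[license_type]
    count = count_licensed_devices(entries)
    return count, count <= limit


if __name__ == "__main__":
    # Constructed sample: one /24 range plus a single host inside it.
    configured = ["192.0.2.0/255.255.255.0", "192.0.2.10/255.255.255.255"]
    for kind in NAD_LIMITS:
        count, ok = license_check(configured, kind)
        print(f"{kind}: {count} devices counted, within limit: {ok}")
```

The point the example makes is that a single 255.255.255.0 entry already consumes more than an evaluation license allows, and two 255.255.254.0 entries would exceed even a permanent base license; checking the total before adding wide ranges avoids the login failure that a license overrun causes.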

Add-On Licenses

Add-on licenses can be installed only on an ACS server with a permanent base license. A large deployment requires the installation of a permanent base license.

The Security Group Access feature licenses are of two types: Permanent and NFR. However, the permanent Security Group Access feature license can be used only with a permanent base license.

ACS 5.5 does not support auto installation of the evaluation license. Therefore, if you need an evaluation version of ACS 5.5, then you must obtain the evaluation license from Cisco.com and install ACS 5.5 manually.

If you do not have a valid SAS contract for any of the ACS products, you will not be able to download the ISO image from Cisco.com. In that case, you need to contact your local partner or the Cisco representative to get the ISO image.

Upgrading an ACS Server

If you have either ACS 5.3 or ACS 5.4 installed on your machine, you can upgrade to ACS 5.5 using one of the following two methods:

  • Upgrading an ACS server using the Application Upgrade Bundle
  • Reimaging and upgrading an ACS server

You can perform an application upgrade on a Cisco appliance or a virtual machine only if the disk size is 500 GB or more. If your disk is smaller than 500 GB, you must reimage to ACS 5.5 and then restore the backup taken in ACS 5.3 or ACS 5.4 to move to the ACS 5.5 release.


Note When you upgrade from ACS 5.4 to ACS 5.5 using the “Upgrading an ACS server using the Application Upgrade Bundle” method, it is mandatory to install the “Pointed-PreUpgrade-CSCum04132-5.4.0.46.0a” patch before you start upgrading from ACS 5.4. You can install this patch directly on any cumulative patch version.



Note When you upgrade from ACS 5.3 to 5.5 using the “Upgrading an ACS server using the Application Upgrade Bundle” method, it is mandatory to install the following patches one by one in the order specified:

1 Install ACS 5.3 patch 8 (ACS 5.3.0.40.8) or a subsequent patch. You need to install patch 8 or a subsequent patch prior to the upgrade or the upgrade may fail.

2 Install the “Pointed-PreUpgrade-CSCum04132-5.3.0.40” patch over patch 8 or a subsequent patch before you start upgrading from ACS 5.3 version.


See the Installation and Upgrade Guide for Cisco Secure Access Control System 5.5 for information on upgrading your ACS server.


Note Upgrading to ACS 5.5 may fail if any LDAP identity store is configured without groups or attributes and no AD identity store is configured. To avoid this issue, before upgrading to ACS 5.5, either add groups or attributes to the LDAP identity store or configure an AD identity store.



Note You must grant full permissions on the NFS directory when you configure the NFS location using the backup-staging-url command in ACS 5.5; otherwise an On Demand Backup does not succeed.


Applying Cumulative Patches

Periodically, patches will be posted on Cisco.com that provide fixes to ACS 5.5. These patches are cumulative. Each patch includes all the fixes that were included in previous patches for the release.

You can download ACS 5.5 cumulative patches from the following location:

http://software.cisco.com/download/navigator.html

To download and apply the patches:


Step 1 Log in to Cisco.com and navigate to Products > Security > Access Control and Policy > Policy and Access Management > Cisco Secure Access Control System > Cisco Secure Access Control System 5.5 .

Step 2 Download the patch.

Step 3 Install the ACS 5.5 cumulative patch. To do so:

Enter the following acs patch command in EXEC mode to install the ACS patch:

acs patch install patch-name.tar.gpg repository repository-name

ACS displays the following confirmation message:

Installing an ACS patch requires a restart of ACS services.

Would you like to continue? yes/no

Step 4 Enter yes.

ACS displays the following:

Generating configuration...

Saved the ADE-OS running configuration to startup successfully

Getting bundle to local machine...

md5: aa45b77465147028301622e4c590cb84

sha256: 3b7f30d572433c2ad0c4733a1d1fb55cceb62dc1419b03b1b7ca354feb8bbcfa

% Please confirm above crypto hash with what is posted on download site.

% Continue? Y/N [Y]?

Step 5 The ACS 5.5 upgrade bundle displays the md5 and sha256 checksums. Compare them with the values displayed on Cisco.com at the download site, and do one of the following:

    • Enter Y if the crypto hashes match. If you enter Y, ACS proceeds with the installation steps.

% Installing an ACS patch requires a restart of ACS services.

Would you like to continue? yes/no

    • Enter N if the crypto hashes do not match. If you enter N, ACS stops the installation process.

Step 6 Enter yes.

The ACS version is upgraded to the applied patch. Check whether all services are running properly, using the show application status acs command from EXEC mode.

Step 7 Enter the show application version acs command in EXEC mode and verify that the patch is installed properly.

ACS displays a message similar to the following one:

acs/admin# show application version acs

CISCO ACS VERSION INFORMATION
------------------------------
Version: 5.5.0.46.1
Internal Build ID: B.225
Patches:
5-4-0-46-1
acs/admin #


 


Note During patch installation, if the patch size exceeds the allowed disk quota, a warning message is displayed in the ACS CLI, and an alarm is displayed in the ACS Monitoring and Reports page.
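The hash comparison in Steps 4 and 5, and the Signature Verification feature described earlier in these notes, both rely on an operator reading two long hexadecimal strings by eye. The following is an added example, not code from the release note or from the ACS CLI: it computes the MD5 and SHA256 digests of a downloaded bundle on the administrator's workstation, parses the md5:/sha256: lines exactly as ACS prints them, and compares both against the values posted on the download site, so the operator only has to answer the Y/N prompt. The two sample console lines are copied from Step 4 above; the bundle bytes used for the self-check are constructed, and the function names are this example's own.

```python
"""Check a downloaded ACS bundle against the posted MD5/SHA256 values (added example, not Cisco code)."""
import hashlib
import hmac
import io
import re

# The digest lines in the form ACS prints them before asking for confirmation (copied from Step 4).
SAMPLE_CONSOLE_OUTPUT = """\
md5: aa45b77465147028301622e4c590cb84
sha256: 3b7f30d572433c2ad0c4733a1d1fb55cceb62dc1419b03b1b7ca354feb8bbcfa
% Please confirm above crypto hash with what is posted on download site.
"""

HASH_LINE = re.compile(r"^\s*(md5|sha256):\s*([0-9a-fA-F]+)\s*$", re.MULTILINE)


def parse_hash_lines(text):
    """Extract {'md5': ..., 'sha256': ...} (lower-cased) from console output that carries those lines."""
    return {name.lower(): value.lower() for name, value in HASH_LINE.findall(text)}


def compute_digests(stream, chunk_size=1 << 20):
    """Read the bundle once in chunks and return both digests, so a large bundle is never held in memory."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def digests_of_bytes(data):
    """Convenience wrapper for in-memory data (used by the self-check)."""
    return compute_digests(io.BytesIO(data))


def digests_of_file(path):
    """Digests of the bundle saved on the local drive, e.g. the .tar.gpg patch file."""
    with open(path, "rb") as fh:
        return compute_digests(fh)


def verify_bundle(computed, posted_md5, posted_sha256):
    """True only when BOTH digests match the values posted on the download site.

    SHA256 is the digest that actually resists a substituted bundle; MD5 is checked as well
    because ACS and the download site publish it, but a matching MD5 on its own is not enough.
    """
    sha_ok = hmac.compare_digest(computed["sha256"].lower(), posted_sha256.strip().lower())
    md5_ok = hmac.compare_digest(computed["md5"].lower(), posted_md5.strip().lower())
    return sha_ok and md5_ok


def console_matches(console_text, computed):
    """Compare the digests ACS printed with the ones computed from the copy that was downloaded."""
    posted = parse_hash_lines(console_text)
    if "md5" not in posted or "sha256" not in posted:
        return False
    return verify_bundle(computed, posted["md5"], posted["sha256"])


if __name__ == "__main__":
    import sys
    # Usage: python check_bundle.py <bundle-path> <posted-md5> <posted-sha256>
    bundle_path, posted_md5, posted_sha256 = sys.argv[1:4]
    digests = digests_of_file(bundle_path)
    print("MATCH: answer Y at the ACS prompt" if verify_bundle(digests, posted_md5, posted_sha256)
          else "MISMATCH: answer N and download the bundle again")
```

Compute the digests from the file you actually uploaded to the repository, not from a second download, and keep the posted values from the download page as the reference: the values ACS prints tell you what arrived on the appliance, the locally computed values tell you what left your workstation, and all three sets must agree before you answer Y.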


Resolved ACS Issues

Table 3 lists the issues that are resolved in ACS 5.5.

 

Table 3 Resolved Issues in ACS 5.5

Bug ID
Description

CSCud06310

ACS 5.x crashes due to TCP socket exhaustion. This issue is now resolved.

CSCud79530

ACS does not manage the root Certificate Authorities properly. This issue is now resolved.

CSCud17220

The username for Maximum user session is case-sensitive, but it should not be case-sensitive. This issue is now resolved.

CSCue85453

ACS 5.4 cannot restore a backup file that is created from ACS web interface. This issue is now resolved.

CSCuf48152

ACS loses the NTP configuration during the ACS 5.4 upgrade. This issue is now resolved.

CSCug29901

ACS 5.4 patch 2 breaks EAP or TLS if the root or client certificate of ACS does not have SKI or AKI. This issue is now resolved.

CSCuh47237

Unable to log in to ACS with the base license or evaluation license with more than 500 AAA devices. This issue is now resolved.

CSCuh98939

ACS 5.4 displays the complete domain as down when only one of its subdomains is not reachable. This issue is now resolved.

CSCui55934

ACS 5.4 cannot find the ACS machine with the Domain Name Server suffix not on the Domain Controller Groups. This issue is now resolved.

CSCub98880

ACS does not always display the details icon on the troubleshooting reports. This issue is now resolved.

CSCuc09367

The alarm “Could not complete monitoring all thresholds” is displayed in ACS view due to SMTP misconfiguration. This issue is now resolved.

CSCuc28306

Unable to export the ACS log information from ACS View. This issue is now resolved.

CSCuc56873

A CryptoLibrary message is logged in ACS at warning level whenever you try to access ACS using SSH. This issue is now resolved.

CSCuc68843

The secondary ACS instance is reported to be in Local mode incorrectly. This issue is now resolved.

CSCud33106

ACS 5.x web interface does not display the web pages properly when you use Firefox version 16.x. This issue is now resolved.

CSCud40928

After deregistering the secondary instance from the deployment, the management process of that instance is in initializing state. This issue is now resolved.

CSCud56657

In ACS 5.4, the user import template page is missing the “date exceeds” fields. This issue is now resolved.

CSCud62070

The MAR Cache in ACS is not updated after removing a machine from Active Directory. This issue is now resolved.

CSCud74421

An incorrect error message is displayed when the Domain Name Server is down. The authentication fails even after the Domain Name Server is up and running. This issue is now resolved.

CSCud78248

The Administrative Access Control System fails in ACS 5.4. This issue is now resolved.

CSCud86933

The CoA value is replaced with zero while importing RADIUS clients using a CSV file. This issue is now resolved.

CSCue15242

The ACS process status alarm does not display the process status information. This issue is now resolved.

CSCue35765

ACS displays an invalid alarm “DBPurge is not running for the past two days”. This issue is now resolved.

CSCue43289

The policy is moved to the end of the list when you use the filter to find a policy and edit or change it. This issue is now resolved.

CSCue60864

Some system timezones are not working in Monitoring and Reports. This issue is now resolved.

CSCue70923

ACS 5.x cannot authenticate users when you harden the Microsoft Active Directory. This issue is now resolved.

CSCte09557

Restoring ACS backup with different CARS admin username fails. This issue is now resolved.

CSCuf02607

Aggregation takes a very long time to complete. This issue is now resolved.

CSCuf31396

On Demand data purging is not working in ACS 5.4; the “Purge Now” field becomes display-only. This issue is now resolved.

CSCuf44685

In ACS 5.4, an incorrect host entry is added while adding a new interface. This issue is now resolved.

CSCuf77905

The Network Device Group search takes too long to complete when you have many Network Device Groups. This issue is now resolved.

CSCug28561

The Alarm “System Alarm [Database Purging]” is not generated in ACS. This issue is now resolved.

CSCug49129

The ACS 5.x dashboard authentication trend is broken. This issue is now resolved.

CSCtx25162

In ACS 5.x, exporting to a remote database fails with a table locked error. This issue is now resolved.

CSCug55528

In ACS 5.4, the error message "Resource not found" is displayed when you add Active Directory Groups. This issue is now resolved.

CSCug79920

ACS 5.3 drops authentication when the username field has less than three characters. This issue is now resolved.

CSCug80101

In ACS, the SQL export to MSSQL database fails when the administration users have more than one role. This issue is now resolved.

CSCuh14898

ACS 5.4 Patch 2 fails to join Active Directory Domain. This issue is now resolved.

CSCuh22440

Service selection that references device filters fails after upgrading from ACS 5.3 to 5.4. This issue is now resolved.

CSCuh30964

ACS 5.4 is not recognizing Subject Alternate Name value with UID. This issue is now resolved.

CSCuh59288

Authentications fail randomly in ACS 5.x and display the 24429 and 24444 errors. This issue is now resolved.

CSCuh60741

The outer identity is used on PEAP authentications after upgrading from ACS 5.3 to 5.4. This issue is now resolved.

CSCuh69887

Filters are not working on the internal user identity store. This issue is now resolved.

CSCuh87325

Network Device Groups options and the dropdown lists are not displayed properly. This issue is now resolved.

CSCub15246

ACS fails to update the UPN suffix list. This issue is now resolved.

CSCui65823

ACS 5.x does not identify the MS-CHAP properly in bundled attributes. This issue is now resolved.

CSCuj27463

A DoS vulnerability is found in the OpenSSH version.

CSCuf16233

ACS provides an option to avoid syslog fragmentation when you use external syslog servers.

CSCuj70537

The EAP-FAST authenticated provisioning with Android does not work properly. This issue is now resolved.

Resolved Issues in Cumulative Patch Pointed-PreUpgrade-CSCum04132-5.4.0.46.0a

Table 4 lists the issues that are resolved in the Pointed-PreUpgrade-CSCum04132-5.4.0.46.0a cumulative patch.

You can download this patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to the “Applying Cumulative Patches” section for instructions on how to apply the patch to your system.


Note It is mandatory to install this patch before you start upgrading ACS 5.4 to 5.5 version using the “Upgrading an ACS server using the Application Upgrade Bundle” method to avoid upgrade issues.


 

Table 4 Resolved Issues in Pointed-PreUpgrade-CSCum04132-5.4.0.46.0a

Bug ID
Description

CSCum04132

Upgrading ACS 5.4 to 5.5 version leaves the system in an unbootable state. This issue is now resolved.

Resolved Issues in Cumulative Patch Pointed-PreUpgrade-CSCum04132-5.3.0.40

Table 5 lists the issues that are resolved in the Pointed-PreUpgrade-CSCum04132-5.3.0.40 cumulative patch.

You can download this patch from the following location:

http://www.cisco.com/public/sw-center/index.shtml

Refer to the “Applying Cumulative Patches” section for instructions on how to apply the patch to your system.


Note It is mandatory to install this patch before you start upgrading ACS 5.3 to 5.5 version using the “Upgrading an ACS server using the Application Upgrade Bundle” method to avoid upgrade issues.


 

Table 5 Resolved Issues in Pointed-PreUpgrade-CSCum04132-5.3.0.40

Bug ID
Description

CSCum04132

Upgrading ACS from 5.3 to 5.5 leaves the system in an unbootable state. This issue is now resolved.

Resolved Issues in Cumulative Patch ACS 5.5.0.46.1

Table 6 lists the issues that are resolved in the ACS 5.5.0.46.1 cumulative patch.

You can download the ACS 5.5.0.46.1 cumulative patch from the following location:

http://software.cisco.com/download/navigator.html?a=a&i=rpm

Refer to the “Applying Cumulative Patches” section for instructions on how to apply the patch to your system.

 

Table 6 Resolved Issues in Cumulative Patch ACS 5.5.0.46.1

Bug ID
Description

CSCuj91631

Launching secondary instance's web interface from primary ACS instance does not work if the secondary hostname is not resolvable. This issue is now resolved.

CSCuj53935

The Certificate Authority edit page is susceptible to XSS. This issue is now resolved.

CSCuj80866

Collecting support bundle from the web interface does not work if the ACS instance is not a log collector server. This issue is now resolved.

CSCul09022

ACS does not respond when the TACACS requests are sent in segmented packets. This issue is now resolved.

CSCth35755

Group mapping in Active Directory fails if the group name has a “/” character. This issue is now resolved.

CSCul29675

Newly created authorization rule does not hold the customized position. This issue is now resolved.

CSCul32497

The clear filter option in ACS does not display more than 200 authorization rules. This issue is now resolved.

CSCul64484

ACS View NBAPI must have better debug logs. This issue is now resolved.

CSCuh63873

ACS View should implement syslog messages over TLS or TCP protocols. This issue is now resolved.

CSCum03625

Scripting Vulnerability is found in ACS. This issue is now resolved.

CSCum13044

Active Directory loses its connectivity with ACS after a password change. This issue is now resolved.

CSCuj94585

Active Directory authentications fail in ACS when the same user is present in two different Organizational Units. This issue is now resolved.

CSCum26584

After upgrading to ACS 5.5, a few features on the ACS web interface do not work properly when you had multiple CLI administrators in ACS 5.4. This issue is now resolved.

CSCuj01135

Active Directory client restarts frequently with an exceptional error while communicating with LDAP server. This issue is now resolved.

Resolved Issues in Cumulative Patch ACS 5.5.0.46.2

Table 7 lists the issues that are resolved in the ACS 5.5.0.46.2 cumulative patch.

You can download the ACS 5.5.0.46.2 cumulative patch from the following location:

http://software.cisco.com/download/navigator.html?a=a&i=rpm

Refer to “Applying Cumulative Patches” section for instructions on how to apply the patch to your system.

 

Table 7 Resolved Issues in Cumulative Patch ACS 5.5.0.46.2

Bug ID
Description

CSCum68228

Changing the internal user password fails while importing the user details using a CSV file in ACS 5.5. This issue is now resolved.

CSCum86948

In ACS 5.5, the minimum password length was changed to 4 characters. This issue is now resolved.

CSCum86626

Cannot register the secondary ACS instances to primary ACS instance over WAN after upgrading to ACS 5.5. This issue is now resolved.

CSCum51180

ACS did not raise an alarm when the configuration database size exceeded 1 GB. This issue is now resolved.

CSCty13296

Importing users with same password does not display an error message. This issue is now resolved.

CSCum67932

ACS 5.5 does not start after upgrading from ACS 5.4 due to an unknown encryption algorithm. This issue is now resolved.

Resolved Issues in Cumulative Patch ACS 5.5.0.46.3

Table 8 lists the issues that are resolved in the ACS 5.5.0.46.3 cumulative patch.

You can download the ACS 5.5.0.46.3 cumulative patch from the following location:

http://software.cisco.com/download/navigator.html?a=a&i=rpm

Refer to “Applying Cumulative Patches” section for instructions on how to apply the patch to your system.

 

Table 8 Resolved Issues in Cumulative Patch ACS 5.5.0.46.3

Bug ID
Description

CSCun37608

The secondary ACS instance ignores the new primary ACS instance when the old primary instance comes back online. This issue is now resolved.

CSCun85949

ACS 5.5 fails to start its services when the RADIUS attributes 150, 151, and 152 are configured. This issue is now resolved.

CSCun71995

ACS web interface does not display the network device group locations when you click on NDG:Location option. This issue is now resolved.

CSCun67769

Creating or editing the Favorites option fails when the attribute value is very long. This issue is now resolved.

CSCun81726

Unable to retrieve the user attribute “userAccountControl” from Active Directory in ACS 5.5. This issue is now resolved.

CSCun92213

ACS 5.x opens too many simultaneous TCP connections to the remote database. This issue is now resolved.

CSCun98622

Exporting MAC address from the End Station filter logs out the user from ACS web interface. This issue is now resolved.

CSCtx99385

ACS displays an incorrect alert report that the incremental backup is not configured. This issue is now resolved.

CSCun84823

In ACS, non-authenticated users can see the input validation code. This issue is now resolved.

Resolved Issues in Cumulative Patch ACS 5.5.0.46.4

Table 9 lists the issues that are resolved in the ACS 5.5.0.46.4 cumulative patch.

You can download the ACS 5.5.0.46.4 cumulative patch from the following location:

http://software.cisco.com/download/navigator.html?a=a&i=rpm

Refer to “Applying Cumulative Patches” section for instructions on how to apply the patch to your system.

 

Table 9 Resolved Issues in Cumulative Patch ACS 5.5.0.46.4

Bug ID
Description

CSCuo54517

Overriding the global log configuration option fails in ACS. This issue is now resolved.

CSCuo88797

ACS 5.x should display an appropriate error message if you use an unsupported browser to access the ACS web interface. This issue is now resolved.

CSCuj41395

After restarting the ACS services, the scheduled backup appears twice in the output of the “show running configuration” command in the ACS CLI. This issue is now resolved.

CSCuo93378

ACS database gets corrupted when you make configuration changes through ACS web interface using Chrome and Safari browsers. This issue is now resolved.

CSCuo82841

It is mandatory to have a shared secret key while adding AAA clients for TACACS+ authentication. This issue is now resolved.

CSCuo60270

ACS fails to join AD domains with a very large number of domain controllers. This issue is now resolved.

CSCum60476

ACS 5.4 does not fetch the internal groups. This issue is now resolved.

CSCun05712

The RSA agent in ACS exhausts its resources under heavy load. This issue is now resolved.

CSCuo68704

The check-status monitoring functionality in ACS 5.x needed improvement. This issue is now resolved.

CSCuo78625

ACS 5.5 does not allow special characters in the shared secret for TACACS+ and RADIUS AAA clients. This issue is now resolved.

CSCuo88163

Fetching the user information using the programmatic interface is not working properly in ACS 5.5. This issue is now resolved.

CSCuo63302

Changing the user password through the REST services fails if the user is created using the duplicate option. This issue is now resolved.

CSCuo19733

Customized ACS 5.5 View reports filtered by start and end date display only the last 500 pages of records for the end date. This issue is now resolved.

Resolved Issues in Cumulative Patch ACS 5.5.0.46.5

Table 10 lists the issues that are resolved in the ACS 5.5.0.46.5 cumulative patch.

You can download the ACS 5.5.0.46.5 cumulative patch from the following location:

http://software.cisco.com/download/navigator.html?a=a&i=rpm

Refer to “Applying Cumulative Patches” section for instructions on how to apply the patch to your system.

 

Table 10 Resolved Issues in Cumulative Patch ACS 5.5.0.46.5

Bug ID
Description

CSCuo89864

ACS 5.5 is susceptible to cross-frame scripting and exposes session tokens in URLs. This issue is now resolved.

CSCuo89889

In ACS 5.5, session cookies are set without the HttpOnly and Secure attributes. This issue is now resolved.

CSCuo89946

In ACS 5.5, an unapproved hash algorithm is used to store sensitive data. This issue is now resolved.

CSCuo93378

Using the Chrome and Safari web browsers results in database corruption. This issue is now resolved.

CSCup00818

The ACS 5.5 CLI displays an error when you execute the show application status acs command. This issue is now resolved.

CSCup10509

In ACS 5.5, a security administrator can escalate his own role to super administrator. This issue is now resolved.

CSCup32287

In ACS 5.5, the TCP port 6514 for Syslog messages is open by default. This issue is now resolved.

CSCup34695

In ACS 5.5, exporting data to a remote database fails with error due to data type mismatch between the ACS server and the remote database. This issue is now resolved.

CSCup77077

ACS does not retrieve “userAccountControl” attribute from Active Directory when you use Active Directory “userAccountControl” as a condition in authorization rules. This issue is now resolved.

CSCuq00890

An unexpected behavior is observed in a deployment when you execute the halt command in ACS command line interface. This issue is now resolved.

CSCtx65471

ACS fails to send syslog messages to the remote database when you restart log collector server multiple times in a deployment. This issue is now resolved.

CSCup75144

The authorization policy page in ACS web interface is not displayed properly when you use Internet Explorer 11.x version. This issue is now resolved.

CSCuq64564

Configuration issues are identified when you use Internet Explorer 11.x to open ACS 5.5 web interface. The issues are now resolved.
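
CSCuo89864 and CSCuo89889 above are the three web-session weaknesses a reviewer checks first on any management interface: session tokens carried in URLs, session cookies without HttpOnly and Secure, and pages that can be framed. The following is an added example, not Cisco's or ACS's own code, that audits a captured request/response pair for all three. The two responses, the hostname, the paths and the set of cookie names treated as session identifiers are constructed for the example; JSESSIONID is the Java servlet default, the other names are assumptions. To use it against a real appliance, feed it the URL you requested and the response headers you captured with a browser or proxy.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Cookie and query-parameter names treated as session identifiers. JSESSIONID is
# the Java servlet default; the others are assumptions for this example.
SESSION_NAMES = {"jsessionid", "sessionid", "session", "token"}

Header = Tuple[str, str]


def audit_set_cookie(value: str) -> List[str]:
    """Flags a Set-Cookie header whose cookie is missing HttpOnly or Secure.
    Attribute names are case-insensitive (RFC 6265 section 5.2)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    findings = []
    if "httponly" not in attrs:
        findings.append(f"cookie {name} lacks HttpOnly (readable by script, so XSS can steal it)")
    if "secure" not in attrs:
        findings.append(f"cookie {name} lacks Secure (also sent over plain HTTP)")
    return findings


def audit_url(url: str) -> List[str]:
    """Flags session tokens carried in the URL, either as a query parameter or as
    a servlet-style ';jsessionid=' path parameter. Such URLs leak through Referer
    headers, proxy logs and browser history."""
    parts = urlsplit(url)
    findings = []
    for key in parse_qs(parts.query, keep_blank_values=True):
        if key.lower() in SESSION_NAMES:
            findings.append(f"session token '{key}' in URL query: {url}")
    if re.search(r";jsessionid=", parts.path, re.IGNORECASE):
        findings.append(f"session token in URL path: {url}")
    return findings


def audit_response(request_url: str, headers: List[Header]) -> List[str]:
    """Audits one request/response pair for the three weaknesses described above."""
    findings = audit_url(request_url)
    names = {n.lower() for n, _ in headers}
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings += audit_set_cookie(value)
        elif name.lower() == "location":
            findings += audit_url(value)     # redirects are where tokens end up in URLs
    csp = " ".join(v for n, v in headers if n.lower() == "content-security-policy")
    if "x-frame-options" not in names and "frame-ancestors" not in csp.lower():
        findings.append("no X-Frame-Options or CSP frame-ancestors: page can be framed "
                        "(cross-frame scripting)")
    return findings


# Constructed responses, not captured from a real ACS appliance. The hostname and
# paths are placeholders.
REQUEST_URL = "https://acs.example.net/acsadmin/"

WEAK_RESPONSE: List[Header] = [
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/acsadmin"),
    ("Location", "https://acs.example.net/acsadmin/home.jsp;jsessionid=0123456789ABCDEF"),
]

HARDENED_RESPONSE: List[Header] = [
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/acsadmin; Secure; HttpOnly"),
    ("Location", "https://acs.example.net/acsadmin/home.jsp"),
    ("X-Frame-Options", "DENY"),
]


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(REQUEST_URL, hdrs) or ["no findings"])
```

The weak response produces four findings (missing HttpOnly, missing Secure, a token in the redirect path, and no framing protection); the hardened one produces none. The Location check matters because a login handler that sets a cookie correctly can still leak the same token in the URL it redirects to.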

Resolved Issues in Cumulative Patch ACS 5.5.0.46.6

Table 11 lists the issues that are resolved in the ACS 5.5.0.46.6 cumulative patch.

You can download the ACS 5.5.0.46.6 cumulative patch from the following location:

http://software.cisco.com/download/navigator.html?a=a&i=rpm

Refer to “Applying Cumulative Patches” section for instructions on how to apply the patch to your system.

 

Table 11 Resolved Issues in Cumulative Patch ACS 5.5.0.46.6

Bug ID
Description

CSCur00511

Evaluation of ACS against CVE-2014-6271 and CVE-2014-7169 (the GNU Bash “Shellshock” vulnerabilities).


Note: It is strongly recommended that you reboot when the patch installation process prompts for it.


Resolved Issues in Cumulative Patch ACS 5.5.0.46.7

Table 12 lists the issues that are resolved in the ACS 5.5.0.46.7 cumulative patch.

You can download the ACS 5.5.0.46.7 cumulative patch from the following location:

http://software.cisco.com/download/navigator.html?a=a&i=rpm

Refer to “Applying Cumulative Patches” section for instructions on how to apply the patch to your system.

Table 12 Resolved Issues in Cumulative Patch ACS 5.5.0.46.7

Bug ID
Description

CSCup40317

ACS View job manager processes are restarted unexpectedly while calculating disk space.

CSCuq10821

Scheduled reports in ACS are executed after deleting it from the ACS web interface.

CSCuq11378

ACS 5.5 displays IP addresses or IP ranges overlapping error message when first, second, and third octets are same.

CSCuq13294

ACS 5.3 nodes are automatically registered to an ACS 5.5 standalone node when you restore, on that standalone node, a database backup taken from an ACS 5.4 deployment.

CSCuq22495

ACS displays an error message when you click on Troubleshoot Authentication tab in RADIUS authentication log details page.

CSCuq26876

In ACS 5.5, remote database export to Microsoft SQL for accounting table fails.

CSCuq35410

Unable to search for usernames that contain the “’” (apostrophe) character.

CSCuq63334

Timestamps are not attached to the resultant comma separated values file when the scheduled reports are executed.

CSCuq67241

The “Disable account if date exceeds” feature does not work in ACS 5.5.

CSCur30345

Evaluation of ACS against the SSLv3 POODLE vulnerability (CVE-2014-3566).

CSCur44131

ACS 5.5 does not display the installed patch version after installing patch 6.
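
CSCuq11378 is a false positive in range comparison: two IP ranges that merely share their first three octets are not necessarily overlapping. The following is an added example, not Cisco's or ACS's own code, of the correct check using Python's ipaddress module, so that you can validate a list of device IP ranges yourself before importing them. The two accepted input forms (CIDR and an inclusive start-end range) and the sample entries are assumptions for the example, not ACS's own syntax.

```python
import ipaddress
from itertools import combinations
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network


def parse_range(text: str) -> List[IPv4Net]:
    """Turns one entry into a list of networks.

    Accepted forms (assumed for this example, not ACS's own syntax):
      '10.1.1.0/24'             CIDR block
      '10.1.1.1-10.1.1.10'      inclusive start-end range
    A start-end range becomes the minimal set of CIDR blocks covering it."""
    text = text.strip()
    if "-" in text:
        lo_s, hi_s = (p.strip() for p in text.split("-", 1))
        lo, hi = ipaddress.IPv4Address(lo_s), ipaddress.IPv4Address(hi_s)
        if hi < lo:
            raise ValueError(f"range end precedes start: {text}")
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.IPv4Network(text, strict=False)]


def ranges_overlap(a: str, b: str) -> bool:
    """True only if at least one address is in both entries. Sharing a /24
    prefix is not enough: 10.1.1.1-10.1.1.10 and 10.1.1.20-10.1.1.30 are
    disjoint even though their first three octets match."""
    return any(x.overlaps(y) for x in parse_range(a) for y in parse_range(b))


def find_overlaps(entries: List[str]) -> List[Tuple[str, str]]:
    """Every pair of entries that share at least one address, in input order."""
    return [(a, b) for a, b in combinations(entries, 2) if ranges_overlap(a, b)]


# Constructed entries: three in the same 10.1.1.x block and one elsewhere.
SAMPLE_ENTRIES = [
    "10.1.1.1-10.1.1.10",
    "10.1.1.20-10.1.1.30",
    "10.1.1.0/25",
    "10.1.2.0/24",
]


if __name__ == "__main__":
    for a, b in find_overlaps(SAMPLE_ENTRIES):
        print(f"overlap: {a} <-> {b}")
```

Only the two pairs that share addresses with 10.1.1.0/25 are reported; the two disjoint ranges inside 10.1.1.x are not, which is the behaviour the patched ACS restores.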

Limitations in ACS Deployments

Table 13 describes the limitations in ACS deployments.

Table 13 Limitations in ACS Deployments

Object Type: ACS System Limit

ACS Instances: 22
Hosts: 150,000
Identity Groups: 1,000
Active Directory Group Retrieval: 1,500
Network Devices: 100,000
Network Device Groups: 12
Device Hierarchies: 6
All Locations: 10,000
All Device Types: 350
Services: 25
Authorization Rules: 320
Conditions: 8
Authorization Profile: 600
Service Selection Policy (SSP): 50
Network Conditions (NARs): 3,000
ACS Admins: 50 (9 static roles)
dACLs: 600 dACLs with 100 ACEs each

Known ACS Issues

Table 14 lists the known issues in ACS 5.5. You can also use the Bug Toolkit on Cisco.com to find any open bugs that do not appear here.

 

Table 14 Known Issues in ACS 5.5

Bug ID
Description

CSCtx42811

An error message is displayed while importing a CA certificate into ACS.


This problem occurs when you import a CA certificate with an empty naming constraint.

Workaround:

Recreate the certificate without any empty constraint value.

CSCtz22307

ACS displays a script error in the secondary instance when you view the “ACS Instance Settings” under RSA.

ACS displays an RSAInstance_edit.jsp error when you view the “ACS Instance Settings” under RSA.

This problem occurs when you do the following:

a. Configure RSA (RSA SecurID Token Servers) in the distributed deployment.

b. In the Secondary instance, select RSA Configuration and go to ACS Instance Settings page.

c. Select any of the ACS nodes and click View.

Workaround:

None.

CSCtz69725

Unable to set a value for the date attribute in a compound condition.


This problem occurs when you do the following:

a. Create a date attribute under Dictionary > Internal Users.

b. Now, try to create a compound condition in Internal Users > Date Attribute > Static.

Workaround:

None.

CSCua91354

TACACS+ proxy accounting requests are not logged properly in the ACS view.

TACACS+ proxy accounting requests are not logged in the ACS logs. The requests are forwarded to the remote server and are logged there, but not on ACS.

This problem occurs when you use TACACS+ proxy accounting.

Workaround:

None.

CSCub15472

The user update operation with change password option enabled is not working properly when you import or export the internal users.

When you import or export internal users, only one user out of the group of internal users has the change password option enabled.

This problem occurs when you do the following:

a. Create a Network Device Group (NDG), for example, Migrated_NDG, under Network Device Groups.

b. Import the users (for instance, from internal_user_import_template-add).

c. Update the same users in ACS with the change password option enabled or disabled.

The result is that the change password option is enabled for a single user alone. For all the other users, it is disabled.

Workaround:

Manually enable the change password option.

CSCtz82993

Unable to launch the ACS web interface using IPv6 addresses in Firefox version 4 or later.

You cannot launch the ACS web interface using IPv6 addresses in Firefox version 4 or later.

This problem occurs when you use Firefox version 4 or later to launch the ACS web interface using an IPv6 address.

Workaround:

Use Internet Explorer version 8.x or 9.x, or Firefox version 3.x, to launch the ACS web interface using an IPv6 address.

CSCub31167

ACS shows the wrong replication status during full replication over WAN.

The status of the secondary ACS instance is shown as updated when full synchronization is running.

This problem occurs when you run full synchronization on a secondary ACS instance.

Workaround:

None.

CSCtz40538

ACS 5.x rejects PAC-based EAP-FAST authentication.

ACS 5.x rejects the expired tunnel PAC if the user's identity has a different format.

This problem occurs when the EAP-FAST client sends an expired tunnel PAC and the user identity in different forms. The PAC contains a plain user name, while the authentication request contains the user identity in UPN form - user@domain.com.

Workaround:

Clean the expired PAC and retry the authentication.

CSCtq12058

Debug logs are not displayed in the Monitoring and Report Viewer log.

Debug logs are not displayed in the Monitoring and Reports log. The default warning logs are displayed even after the log level is set to Debug.

This problem occurs when you set the log level to Debug and view the reports in the Monitoring and Reports log. It also occurs when the system performs Authentication.

Workaround:

Restart ACS after you set the log level to Debug.

CSCtx42758

ACS configuration changes using REST are not shown in the audit reports.

When you update the Identity Group, Network Device Group, or Network Device Group Type, using REST, the ACS configuration updates are not shown in the audit report.

This problem occurs when you update Identity Groups, Network Device Groups, or the Network Device Groups Type using REST.

Workaround:

None.

CSCtx42763

Unable to edit the parent Network Device Group name after creating it.

After creating the parent Network Device Group name, you cannot edit it.

This problem occurs when you try to edit a newly created parent Network Device Group.

Workaround:

None.

CSCtx83716

Unable to launch the interactive viewer for reports from the dashboard in the Internet Explorer 8.x and 9.x browsers.

The interactive viewer for reports cannot be launched from the dashboard when you use Internet Explorer versions 8.x and 9.x.

This problem occurs when you try to open the interactive viewer for reports using Internet Explorer versions 8.x and 9.x.

Workaround:

Enable the compatibility view from the Tools menu in Internet Explorer versions 8.x and 9.x.

CSCtx95500

Opening certain ACS View pages in a large deployment setup takes a long time.

Opening the following ACS View pages in a large deployment that consists of 20 or more secondaries takes a long time to load the page.

  • Dash Board ACS authentication trend: 4 minutes.
  • Dashboard Health status: 3 minutes.
  • Log collection page: 4 minutes
  • AAA RADIUS authentication report page: 2 minutes
  • Catalog > AAA Protocol > Authentication Trend: 3 minutes.

The specified time may vary depending on the load and network latency.

This problem occurs when you open the above-mentioned pages in a large deployment setup.

Workaround:

None.

CSCty35640

The timestamps in the ACS Monitoring and Reports Viewer web interface and the ACS Monitoring and Reports viewer reports are different.

There is a big difference observed in the timestamp shown in the ACS View reports and the timestamp in the ACS View web interface. This occurs only when log recovery is enabled.

This problem occurs when there are active session database transaction log files opened that are large in size.

Workaround:

Restart ACS and remove all the large active session database transaction log files that were created.

CSCty40513

The ACS Application upgrade fails, showing a file transfer error.


This problem occurs in the following scenarios:

  • When there is a problem in the network connectivity between ACS and the remote repository.
  • When the file transfer server has problems sending a large amount of data.

Workaround:

  • Make sure that the network connectivity is working fine before executing the application upgrade procedure.
  • Make sure that the remote repository is capable of sending a large amount of data.

If the problem still exists, then try using a different remote repository.

CSCty53666

The Network Device Group location filter is not working properly.

The Network Device Group location filter does not work properly when you execute a query where the name "Equals" a value and the condition "Starts With" a value.

This problem occurs when you try to filter a list with a network device group location.

Workaround:

Refresh the page once.

CSCtz79960

The administrator authentication settings page displays an error.

In ACS, the administrator authentication settings page displays the "Unexpected error has occurred" error message.

This problem occurs when you access the System Administration > Administrators > Settings > Authentication page soon after accessing the System Administration > Administrators > Settings > Access page.

Workaround:

None.

CSCua13802

The system status and the AAA status are shown as not available and zero in the dashboard.

The system status and the AAA status of the other secondary instances are not displayed correctly in the ACS log collector dashboard.

This problem occurs when you process the status of each secondary instance from the ACS log collector using the path Monitoring and Reports > Dashboard > ACS Health Status.

Workaround:

None.

CSCua20683

Unable to reset the admin password using the CLI.

The application password is not reset when you try to reset it using the application reset-passwd acs acsadmin command in the CLI.

This problem occurs when you execute the application reset-passwd acs acsadmin command in the CLI.

Workaround:

Use the acs reset-password command in acs-config mode.

CSCua95069

Need to reduce the time taken to export the ACS View logs to a .csv file.

The time that it takes to export the ACS View logs to a .csv file should be reduced.

This problem occurs when you export the ACS View logs to a .csv file from the ACS web interface.

Workaround:

None. However, you can export a smaller amount of data.

CSCub67627

The show ad-agent-configuration-changes command does not retrieve the latest changes made in the AD agent configuration.

The command show ad-agent-configuration-changes does not retrieve the latest changes that were made to the AD agent configuration parameters.

This problem occurs when you do the following:

a. Configure the ad-agent parameter.

b. Execute the show ad-agent-configuration-changes command.

This shows the configured parameters with the current values.

c. Now, execute the ad-agent reset-config command.

This resets the value of the ad-agent configuration parameters.

d. Now, execute the show ad-agent-configuration-changes command.

This does not show the parameter value after reset. Instead, it shows the old value.

Workaround:

None.

CSCub71249

An incomplete command error is displayed when you execute the ad-agent command partially in the CLI.

An incomplete command error is displayed when you only partially execute the ad-agent command in CLI.

This problem occurs when you only partially execute the ad-agent command.

Workaround:

Execute the full command.

CSCub74889

There is a mount issue when upgrading to ACS 5.4 with the customer database.

The system does not reboot after the application upgrade and displays the following error in CLI:

Error 17: cannot mount selected partition

This problem occurs when you change the hard disk order in the CAM server.

In the CAM server, you have a configuration in BIOS to change the hard disk order. HD0 should be selected first, and HD1 should be selected next. You should not change this order.

Workaround:

You can correct the hard disk order and reimage the CAM server with ACS 5.3, and then upgrade to ACS 5.4. Cisco does not provide support if the customer manually changes the BIOS configuration.

CSCuc16427

Exporting records to a .csv file using the timestamp option does not work properly.

The export of records to a .csv file using the timestamp option does not work properly. ACS exports all the records instead of exporting the records for the selected timestamp.

This problem occurs when you export records to a .csv file using the timestamp option.

Workaround:

None.

CSCud34459

Unable to run a shared report with colon and semicolon in the shared report name.

You cannot run a shared report when you save that report with either colon or semicolon in the report name.

This problem occurs when you use colon or semicolon in the shared report name.

Workaround:

Do not use colon or semicolon in shared report names.

CSCuf24867

The vendors list page is not refreshed automatically after importing the vendor-specific attributes.

The Navigation path and the vendors list are not refreshed automatically after importing the vendors and vendor attributes to ACS.

This problem occurs after you import the vendors and vendor attributes to ACS.

Workaround:

Navigate to some other page and then click this page to view the Vendors list page.

CSCuf59319

Able to import vendor-specific attributes without vendor name prefix.

You can import vendor-specific attributes without the vendor name prefix.

This problem occurs when you import vendor-specific attributes without the vendor name prefix.

Workaround:

Add the vendor name prefix before importing vendor-specific attributes.

CSCuf89786

Unable to import vendors with a blank space in the vendor name.

Importing vendors fails when you import vendors with a blank space in one of the given vendor names.

This problem occurs when you import vendors with an empty space in one of the vendor names.

Workaround:

Make sure that the vendor names do not contain a blank space.

CSCug94436

Need to display a proper error message when there is no time synchronization between two or more ACS machines.

ACS does not display a proper error message when there is no time synchronization between two or more ACS machines.

This problem occurs when you register two or more ACS machines with different time zones in a deployment.

Workaround:

Make sure that different ACS machines have the same time before you start registering the machines to the deployment.

CSCuh32602

ACS displays the warning message “Limit not set - a rate limit for this ip or port already exists” multiple times.

The warning message “Limit not set - a rate limit for this ip or port already exists” is displayed multiple times when you configure a rate limit.

This problem occurs when you configure a rate limit for an IP address or port that already has one.

Workaround:

Use the show run command to check if a rate limit is already configured. If a rate limit is already configured, then remove the configured rate limit and configure the new value.

CSCuh89466

Unable to login to ACS web interface after resetting the password.

You cannot log in to the ACS web interface after you reset your password using the acs reset-password command from the ACS CLI if the new password contains special characters.

This problem occurs when you change the ACS web interface password to have special characters in it.

Workaround:

Do not use the special characters ! and @ in the new password.

CSCui08325

Creating identity store with RT configuration version ID as suffix results in fatal error.

A fatal error occurs when you create an identity store with the RT configuration version ID as the suffix and the system fails to respond.

This problem occurs when you create an identity store with RT configuration version ID as the suffix.

For example, if the configuration version ID is 12, creating an identity store with name LDAP_test_12 results in runtime failure.

Workaround:

Avoid using the RT configuration version ID as suffix for identity stores.

CSCui24534

Attribute value with “*” is not getting reflected in ACS View multivalue attribute field.

AD attribute value which contains a “*” in it is not shown in ACS View reports. For example, the attribute value is *1234*.

This problem occurs when you try to authenticate an AD user with attribute value having special character “*”.

Workaround:

Make sure that attribute values do not contain special character "*".

CSCue13197

Not able to enter single and double quotes in the Directory Attribute page in AD.

Single and double quotes cannot be entered in Directory Attribute page of AD.

This problem occurs when you enter single (‘) or double (“) quotes in the AD Directory Attributes page.

Workaround:

Use a different username with similar attributes without single or double quote.

CSCui76204

IPv6 route is removed after rebooting the appliance.

IPv6 static route is removed from the running configuration.

This problem occurs when the appliance is rebooted.

Workaround:

Reconfigure the static route after the server has been assigned an autoconfigured IPv6 address.

CSCuj22360

No validation for port with special characters in device port filter.

No validation error is thrown in the Device Port Filter field while adding a port with special characters.

This problem occurs when you add a port with special characters.

Workaround:

Recreate the device filter with a value without special characters.

CSCuj76893

Auto email report is not generated if you edit the name of the job.

No report is generated for the scheduled job configuration.

This problem occurs when you edit the job name that was created earlier.

Workaround:

Instead of editing the job name, delete and create a new job.

CSCuj87923

No validation for invalid ACS hostname of UCP.

No error message is displayed when you connect to ACS with invalid hostname using the UCP web application.

This problem occurs if you specify an invalid host name.

Workaround:

Use a correct ACS hostname or IP address.

CSCul17229

The exported network device .csv file is empty.

Exported .csv file does not contain any data although the export is successful.

This problem occurs when you use the “Equals” filter operator while filtering the records.

Workaround:

Use any other operator such as "Contains" and export.

CSCul21493

Management process of ACS runtime remains in “Changed” state for more than a day.

ACS management process status is displayed as “Changed” for a long time when you run the show application status acs command.

This problem occurs when you run the show application status acs command after stopping or starting the management process.

Workaround:

Restart the management process.

CSCul26348

The secondary ACS instance goes offline during full synchronization though the activation is successful.

ACS distributed management is broken and the primary or secondary instance goes offline during full synchronization.

This problem occurs when the primary and secondary ACS instances have a significant time difference and the secondary instance is registered right after upgrading the primary instance to ACS 5.5.

Workaround:

Synchronize the ACS instances’ time and retry registration and activation. Alternatively, you can retry registration and activation after the time difference has elapsed.

CSCul26742

Unable to add rate limit or connection limit in ACS 5.5.

ACS 5.5 displays error messages and the rules are not configured when you try to add rate limit and connection limit.

This problem occurs when you execute the rate-limit or conn-limit commands from the ACS CLI to set a rate limit or connection limit.

Workaround:

Restart ACS.

CSCul26912

Able to see some fatal error messages on ACS logs after performing Migration.

ACS displays fatal error messages (exceptions) on the management log file when you perform migration from 4.x versions to ACS 5.5.

This problem occurs when you migrate from ACS 4.x to 5.5 and an object attribute has a null value.

Workaround:

None. (ACS displays the exceptions on log messages and does not have any impact on the migration process.)

CSCul26970

Unable to import files from ACS CLI.

Importing files from ACS CLI fails when you use the symbols “(“ and “)” in the CSV filename.

This problem occurs when you import a CSV file and the file name contains “(“ and “)” symbols.

Workaround:

  • Import files from ACS web interface.
  • Do not use the symbols “(“ and “)” in CSV filenames while importing from ACS CLI.

CSCul32141

Unable to query a desired Domain Controller from ACS CLI in a distributed deployment.

The Active Directory client which is responsible for Active Directory authentications, could not use the desired Domain Controller.

This problem occurs when you configure the Domain Controller from the ACS CLI with the distribute option, which replicates the configuration from the primary instance to the secondary instances.

Workaround:

Restart the Active Directory client manually from ACS CLI using the acs restart adclient command.

CSCul14650

Unable to enable FIPS mode on a secondary ACS instance after deregistering it from the deployment.

Enabling FIPS mode does not work on a secondary ACS instance after deregistering it from the deployment.

This problem occurs when the primary instance had non-FIPS-compliant certificates that were replicated to the secondary instance before it was deregistered from the deployment. These certificates are not removed from the secondary instance when it is deregistered.

Workaround:

1. Delete the deregistered secondary instance in the Distributed Management Page.

2. If the above workaround does not work, then restart the secondary ACS instance.

CSCul38146

LDAP hostname details per ACS instance are not replicated to Secondary ACS instances.

The LDAP hostname details per ACS instance are not replicated to the Secondary ACS instances in a deployment.

This problem occurs when you use the LDAP hostname per ACS instance in a distributed deployment.

Workaround:

Clear the browser cache.

CSCul56017

On Demand Backup to a NFS repository failed due to permission error.

On Demand Backup fails after configuring the NFS location from ACS CLI due to NFS file permission error.

This problem occurs when you trigger an On Demand Backup from ACS View after configuring the NFS location using the backup-staging-url command.

Workaround:

Grant the ACS appliance write access to the NFS directory. The documented workaround is to make the directory world-writable:

chmod -R 777 nfs-directory-name

Because this makes every file in the staging directory readable and writable by any user on the NFS server, limit the NFS export to the ACS appliance's address and restrict access to the backups stored there.

CSCul54934

Unable to export the message catalog messages to a remote SFTP repository.

Exporting message catalog messages to a remote SFTP repository does not work properly in ACS.

This problem occurs when you export the message catalog messages to a SFTP repository from ACS CLI.

Workaround:

Perform an On Demand Backup to the SFTP repository and export the message catalog messages.

CSCum04132

ACS does not boot after upgrading to ACS 5.5.

ACS does not boot after you upgrade from ACS 5.3 or 5.4 to ACS 5.5.

This problem occurs when you upgrade ACS from 5.3 or 5.4 to ACS 5.5.

Workaround:

1. Boot the appliance or virtual machine from the Red Hat 5.4 or CentOS 5.10 (32-bit) installation media.

2. At the boot prompt, enter the following command:

linux rescue

3. In rescue mode, run the following command:

chroot /mnt/sysimage

4. Run the following command:

/sbin/grub-install /dev/sda

5. Reset the appliance or virtual machine. ACS 5.5 should now boot and complete the upgrade.

If you use CentOS, the ISO image “CentOS-5.10-i386-bin-1of8.iso” for the first disc is required. The CentOS ISO image is available from many mirror servers. For the updated list of ISO images, see http://isoredirect.centos.org/centos/5/isos/i386.
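Step 4 of the workaround assumes that the boot disk is /dev/sda. Before running grub-install, confirm which disk actually holds the rescued system’s /boot: installing GRUB on the wrong device does not fix the boot problem and overwrites the boot record of another disk. The following POSIX shell snippet is an added example and not part of Cisco’s procedure. It reads a /proc/mounts-style table, derives the whole-disk device from the partition that the rescue environment mounted at /mnt/sysimage/boot (or at /mnt/sysimage when /boot is not a separate partition), and refuses to guess when the root sits on a device-mapper volume. The sample mount table is constructed, and the /dev/sd*, /dev/hd* and /dev/vd* naming patterns are assumptions about the hardware.

```shell
#!/bin/sh
# Added example (not from the Cisco release notes): before step 4 of the
# CSCum04132 workaround, derive the disk that holds the rescued system's
# /boot instead of assuming /dev/sda.

# boot_disk_from_mounts MOUNTS_TEXT
# MOUNTS_TEXT is the content of /proc/mounts (device, mountpoint, ...).
# Prints the whole-disk device behind /mnt/sysimage/boot, falling back to
# /mnt/sysimage if /boot is not a separate partition. Returns 1 when the
# mount is not a plain partition (for example an LVM volume under
# /dev/mapper), because grub-install needs the underlying disk.
boot_disk_from_mounts() {
    mounts=$1
    for mp in /mnt/sysimage/boot /mnt/sysimage; do
        dev=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print $1; exit }')
        case "$dev" in
            # Assumed device naming: SCSI/SATA, IDE and virtio disks.
            /dev/sd[a-z]*|/dev/hd[a-z]*|/dev/vd[a-z]*)
                # Strip the trailing partition number: /dev/sda1 -> /dev/sda
                printf '%s\n' "$dev" | sed 's/[0-9]*$//'
                return 0
                ;;
        esac
    done
    return 1
}

# grub_install_command MOUNTS_TEXT
# Prints the exact command to run in the rescue shell (equivalent to
# steps 3 and 4 of the workaround), or returns 1 if the disk is unknown.
grub_install_command() {
    disk=$(boot_disk_from_mounts "$1") || return 1
    printf 'chroot /mnt/sysimage /sbin/grub-install %s\n' "$disk"
}

# Constructed sample of what /proc/mounts may show in rescue mode with a
# separate /boot partition. In the rescue shell, pass "$(cat /proc/mounts)".
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda2 /mnt/sysimage ext3 rw 0 0
/dev/sda1 /mnt/sysimage/boot ext3 rw 0 0
proc /mnt/sysimage/proc proc rw 0 0'

if cmd=$(grub_install_command "$SAMPLE_MOUNTS"); then
    echo "Run in rescue mode: $cmd"
else
    echo "Could not identify a partition-backed /boot; do not guess the disk." >&2
fi
```

In the rescue shell, replace the constructed sample with the live mount table ("$(cat /proc/mounts)") and run the printed chroot command. If the function returns nothing, the root is not a plain partition and the disk must be identified by other means before grub-install is run.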

CSCul38172

SNMP walk does not work properly after you configure interface bonding.

SNMP walk does not work properly when you edit the SNMP configuration or restart ACS after configuring interface bonding.

This problem occurs when you change the SNMP configuration or restart ACS after configuring interface bonding.

Workaround:

1. Remove the NIC bonding configuration.

2. Reconfigure SNMP, or add another SNMP server configuration from the CLI.

3. Verify that SNMP walk works again.

4. Re-enable NIC bonding.

CSCuo70920

The status of the secondary ACS instance is wrongly displayed as pending in the old primary instance’s web interface.

In a distributed deployment, when the primary instance goes down and is later restored, the status of the secondary instance (the new primary) is displayed as pending in the old primary instance’s web interface.

This problem occurs when a primary ACS instance goes down and a secondary ACS instance is promoted to primary. After the inactive old primary is restored, it tries to communicate with the secondary instances that are still registered in it. During this communication the secondary instances fail to identify the correct primary instance, which can take the whole deployment down.

Workaround:

Deregister and delete the old primary instance from the new primary instance in the deployment.

If you want to configure the old primary instance as a secondary to the new primary, first deregister and delete the secondary instances from the old primary so that it becomes a standalone instance. You can then register this standalone instance as a secondary to the new primary instance in the same deployment.

CSCum00128

The Submit and Cancel buttons on the Alarms page are inactive when you open the ACS web interface in Internet Explorer 11.x.

Editing an alert in the ACS web interface with Internet Explorer 11.x results in inactive Submit and Cancel buttons.

This problem occurs when you use Internet Explorer 11.x to edit an alert on the Alarms page of the ACS web interface.

Workaround:

Enable Compatibility View for the ACS web interface:

  • Choose Tools > Compatibility View Settings in Internet Explorer 11.x.
  • In the Compatibility View Settings pop-up window, enter the IP address or hostname of the ACS instance in the “Add this website” field, and click Add.

Documentation Updates

Table 15 lists the updates to Release Notes for Cisco Secure Access Control System 5.5.

Table 15 Updates to Release Notes for Cisco Secure Access Control System 5.5

Date          Description

11/17/2014    Added Resolved Issues in Cumulative Patch ACS 5.5.0.46.7.
10/07/2014    Added Resolved Issues in Cumulative Patch ACS 5.5.0.46.6.
08/12/2014    Added Resolved Issues in Cumulative Patch ACS 5.5.0.46.5.
06/20/2014    Added Resolved Issues in Cumulative Patch ACS 5.5.0.46.4.
05/13/2014    Added Resolved Issues in Cumulative Patch ACS 5.5.0.46.3.
03/17/2014    Added Resolved Issues in Cumulative Patch ACS 5.5.0.46.2.
02/05/2014    Added Resolved Issues in Cumulative Patch ACS 5.5.0.46.1.
01/31/2014    Added Resolved Issues in Cumulative Patch Pointed-PreUpgrade-CSCum04132-5.3.0.40.
01/29/2014    Added Resolved Issues in Cumulative Patch Pointed-PreUpgrade-CSCum04132-5.4.0.46.0a.
11/25/2013    Initial publication of the release notes for Cisco Secure Access Control System, Release 5.5.

Product Documentation


Note It is possible for the printed and electronic documentation to be updated after original publication. Therefore, you should review the documentation on http://www.cisco.com for any updates.


Table 16 lists the product documentation that is available for ACS 5.5. To find end-user documentation for all the products on Cisco.com, go to: http://www.cisco.com/go/techdocs.

Select Products > Security > Access Control and Policy > Policy and Access Management > Cisco Secure Access Control System.

 

Table 16 Product Documentation

Document Title
Available Formats

Cisco Secure Access Control System In-Box Documentation and China RoHS Pointer Card
http://www.cisco.com/en/US/products/ps9911/products_documentation_roadmaps_list.html

Migration Guide for Cisco Secure Access Control System 5.5
http://www.cisco.com/en/US/products/ps9911/prod_installation_guides_list.html

User Guide for Cisco Secure Access Control System 5.5
http://www.cisco.com/en/US/products/ps9911/products_user_guide_list.html

CLI Reference Guide for Cisco Secure Access Control System 5.5
http://www.cisco.com/en/US/products/ps9911/prod_command_reference_list.html

Supported and Interoperable Devices and Software for Cisco Secure Access Control System 5.5
http://www.cisco.com/en/US/products/ps9911/products_device_support_tables_list.html

Installation and Upgrade Guide for Cisco Secure Access Control System 5.5
http://www.cisco.com/en/US/products/ps9911/prod_installation_guides_list.html

Software Developer’s Guide for Cisco Secure Access Control System 5.5
http://www.cisco.com/en/US/products/ps9911/products_programming_reference_guides_list.html

Regulatory Compliance and Safety Information for Cisco SNS-3415 and Cisco SNS-3495 Appliances
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.5/regulatory/compliance/csacsrcsi.html

Notices

The following notices pertain to this software license.

OpenSSL/Open SSL Project

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

This product includes software written by Tim Hudson (tjh@cryptsoft.com).

License Issues

The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.

OpenSSL License:

Copyright © 1998-2007 The OpenSSL Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”.

4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.

5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment:

“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”.

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

Original SSLeay License:

Copyright © 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).

The implementation was written so as to conform with Netscapes SSL.

This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).

Copyright remains Eric Young’s, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgement:

“This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)”.

The word ‘cryptographic’ can be left out if the routines from the library being used are not cryptography-related.

4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson (tjh@cryptsoft.com)”.

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].

Supplemental License Agreement

END USER LICENSE AGREEMENT SUPPLEMENT FOR CISCO SYSTEMS ACCESS CONTROL SYSTEM SOFTWARE:

IMPORTANT: READ CAREFULLY

This End User License Agreement Supplement ("Supplement") contains additional terms and conditions for the Software Product licensed under the End User License Agreement ("EULA") between you and Cisco (collectively, the "Agreement"). Capitalized terms used in this Supplement but not defined will have the meanings assigned to them in the EULA. To the extent that there is a conflict between the terms and conditions of the EULA and this Supplement, the terms and conditions of this Supplement will take precedence.

In addition to the limitations set forth in the EULA on your access and use of the Software, you agree to comply at all times with the terms and conditions provided in this Supplement. DOWNLOADING, INSTALLING, OR USING THE SOFTWARE CONSTITUTES ACCEPTANCE OF THE AGREEMENT, AND YOU ARE BINDING YOURSELF AND THE BUSINESS ENTITY THAT YOU REPRESENT (COLLECTIVELY, "CUSTOMER") TO THE AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THE AGREEMENT, THEN CISCO IS UNWILLING TO LICENSE THE SOFTWARE TO YOU AND (A) YOU MAY NOT DOWNLOAD, INSTALL OR USE THE SOFTWARE, AND (B) YOU MAY RETURN THE SOFTWARE (INCLUDING ANY UNOPENED CD PACKAGE AND ANY WRITTEN MATERIALS) FOR A FULL REFUND, OR, IF THE SOFTWARE AND WRITTEN MATERIALS ARE SUPPLIED AS PART OF ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE PRODUCT FOR A FULL REFUND. YOUR RIGHT TO RETURN AND REFUND EXPIRES 30 DAYS AFTER PURCHASE FROM CISCO OR AN AUTHORIZED CISCO RESELLER, AND APPLIES ONLY IF YOU ARE THE ORIGINAL END USER PURCHASER.

1. Product Names

For purposes of this Supplement, the Product name(s) and the Product description(s) you may order as part of Access Control System Software are:

A. Advanced Reporting and Troubleshooting License

Enables custom reporting, alerting and other monitoring and troubleshooting features.

B. Large Deployment License

Allows deployment to support more than 500 network devices (AAA clients that are counted by configured IP addresses). That is, the Large Deployment license enables the ACS deployment to support an unlimited number of network devices in the enterprise.

C. Advanced Access License (not available for Access Control System Software 5.0, will be released with a future Access Control System Software release)

Enables Security Group Access policy control functionality and other advanced access features.

2. ADDITIONAL LICENSE RESTRICTIONS

  • Installation and Use. The Cisco Secure Access Control System (ACS) Software component of the Cisco SNS 3495, SNS 3415, and CSACS 1121 Hardware Platforms are preinstalled. CDs containing tools to restore this Software to the SNS 3495, SNS 3415, and CSACS 1121 hardware are provided to Customer for reinstallation purposes only. Customer may only run the supported Cisco Secure Access Control System Software Products on the Cisco SNS 3495, SNS 3415, and CSACS 1121 Hardware Platforms designed for its use. No unsupported Software product or component may be installed on the Cisco SNS 3495, SNS 3415, and CSACS 1121 Hardware Platform.
  • Software Upgrades, Major and Minor Releases. Cisco may provide Cisco Secure Access Control System Software upgrades for the Cisco SNS 3495, SNS 3415, and CSACS 1121 Hardware Platforms as Major Upgrades or Minor Upgrades. If the Software Major Upgrades or Minor Upgrades can be purchased through Cisco or a recognized partner or reseller, the Customer should purchase one Major Upgrade or Minor Upgrade for each Cisco SNS 3495, SNS 3415, and CSACS 1121 Hardware Platforms. If the Customer is eligible to receive the Software release through a Cisco extended service program, the Customer should request to receive only one Software upgrade or new version release per valid service contract.
  • Reproduction and Distribution. Customer may not reproduce nor distribute software.

3. DEFINITIONS

Major Upgrade means a release of Software that provides additional software functions. Cisco designates Major Upgrades as a change in the ones digit of the Software version number [(x).x.x].

Minor Upgrade means an incremental release of Software that provides maintenance fixes and additional software functions. Cisco designates Minor Upgrades as a change in the tenths digit of the Software version number [x.(x).x].

4. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS

Please refer to the Cisco Systems, Inc., End User License Agreement.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.