Cisco Secure Access Control Server Express

Table Of Contents

Release Notes for Cisco Secure ACS Express 5.0.1

Contents

Introduction

Supported Protocols

Exceptions To TACACS+ Draft 1.78 Support

Installation Notes

Running the setup Program

Upgrade Notes

Resolved Bugs

Related Documentation

Release Notes for Cisco Secure ACS Express 5.0.1

---

September 25, 2009

OL-20149-01

Cisco Secure ACS Express 5.0.1 (ACS Express) is a Linux-based hardware platform that is pre-installed with the ACS Express server software. The ACS Express appliance leverages the Cisco Application Deployment Engine (ADE) 1010 hardware platform.

For information on ADE 1010, refer to http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps5734/ps8340/ps8348/product_data_sheet0900aecd806d39ff.html.

---

Note ACS Express 5.0.1 provides support for Windows 2008 AD.

---

These release notes provide general information about ACS Express, resolved bugs in this release, and related documentation.

Contents

This release note contains the following sections:

•Introduction

•Supported Protocols

•Installation Notes

•Running the setup Program

•Upgrade Notes

•Resolved Bugs

•Related Documentation

Introduction

Cisco Secure ACS Express (referred to as ACS Express from here on) is an easy to use access control server that operates as a centralized RADIUS and TACACS+ server. It extends access security by combining authentication and authorization within a centralized identity networking solution, allowing greater flexibility and user-productivity gains. ACS Express supports a broad variety of access connections, including wired and wireless LAN, firewalls, and VPNs.

ACS Express is an entry-level RADIUS AAA and TACACS+ server addressing the small-to-medium sized business (SMB) such as retail branches and enterprise branch market segments. ACS Express controls user and machine access to various networks including wireless, wired, and virtual private networks. ACS Express also controls administrative access to network devices using RADIUS and TACACS+. ACS Express ships as an appliance with easy-to-use management interfaces to facilitate deployment and configuration.

The primary function of ACS Express is to control user access and client machines requesting access to protected resources within a corporate network. ACS Express interacts with AAA-enabled network devices to authenticate a user or device and authorize the user or device with entitlements granted to the user or device.

ACS Express controls user and client access to an enterprise network by way of various transports including wireless, wired, and VPN (Network Access) using RADIUS. For network access, ACS Express and the AAA-enabled devices such as a Network Access Server (NAS) communicate using the RADIUS protocol. ACS Express supports various NASs including Cisco IOS/PIX devices, Cisco VPN concentrators, Cisco Airespace controllers, Cisco Aironet access points, Juniper and Microsoft devices, and any IETF RADIUS-compliant NAS. ACS Express supports various authentication methods including CHAP, PAP, MS-CHAPv2, EAP-TLS, PEAP, EAP-FASTv0, and LEAP.

After a NAS submits a user's credentials to ACS Express, it can validate them against various user databases. ACS Express can communicate with Active Directory (AD), LDAP, and One-Time-Password user databases. ACS Express also provides its own user database to manage local users. During the credential validation process, the user database might return data describing a user's profile within an enterprise (such as a User Group). When using AD, ACS Express can also process machine authentication requests and enforce that both the machine and user are successfully authenticated prior to gaining network access.

After the credentials are validated, ACS Express then determines the entitlements granted to the user. For network access, an entitlement is a RADIUS authentication response returned to the originating NAS. An administrator can define rules to determine the returned entitlements. Conditions for the rules might include a user's profile (user group), how (wireless, wired, or other) and when (time of day) a user attempts to access the enterprise network.

ACS Express also controls network administrator access to configure a network device (Device Administration Access). For device administration, ACS Express supports NASs that communicate using TACACS+ or RADIUS. Credential validation and entitlement determination are processed in the same manner as described for network access. Entitlements for device administration specify the maximum administrative privilege level allowed. Conditions for the rules might include a user's profile (user group), the device being configured, and when (time of day) a user attempts to configure a network device.

ACS Express supports up to 50 NASs and is aimed at small-to-medium businesses requiring 350 or fewer successful user authentications per twenty-four hour period.

ACS Express is delivered as an appliance. You use the command line interface (CLI) to set up the ACS Express appliance. You use the GUI to configure the ACS Express server. ACS Express can be deployed in pairs where the configuration from the primary Express server is replicated to the secondary server.

Supported Protocols

ACS Express supports both Radius and TACACS+ protocols concurrently. ACS Express conforms to the latest TACACS+ specification (draft 1.78) from Cisco with some exceptions.

ACS Express conforms to the RADIUS protocol as defined in the draft of April 1997 and conforms substantially to the following Requests for Comments (RFCs):

•RFC 2138

•RFC 2139

•RFC 2284

•RFC 2865

•RFC 2866

•RFC 2867

•RFC 2868

•RFC 2869

The ports used for authentication and accounting have changed in RADIUS RFC documents. To support the older and newer RFCs, ACS Express accepts authentication requests on port 1645 and port 1812. For accounting, ACS accepts accounting packets on port 1646 and port 1813.

In addition to support for standard Internet Engineering Task Force (IETF) RADIUS attributes, ACS Express supports vendor-specific attributes (VSAs). The following VSAs are supported out of the box:

•Cisco IOS/PIX 6.0

•Cisco VPN 3000/ASA/PIX 7.x+

•Cisco VPN 5000

•Cisco Airespace

•Cisco Aironet

•Juniper

•Microsoft

ACS Express also enables you to add and modify VSAs from the vendors listed above. ACS Express supports up to additional ten vendors. After a new RADIUS VSA is defined, you can use it as if it were a predefined ACS Express RADIUS VSA.

Exceptions To TACACS+ Draft 1.78 Support

The following lists exceptions to TACACS+ Draft 1.78 that are not supported in ACS Express 5.0.

•Command Authorization or command authorization sets are not supported.

•Only Service type shell is supported; different service types such as PPP, SLIP, ARAP, and EAP over TACACS+ are not supported.

•Only ASCII TACACS+ password type is supported. Other password types such as PAP, CHAP, and ARAP are not supported.

•TACACS+ password change sequence is only supported for local database and not for external databases like LDAP or AD.

•Only TACACS+ attribute-value pairs, priv_lvl, timeout, idletime, service are supported. Attribute-value pairs such as acls, route, autocmd, and some others are not supported.

•TACACS+ Single-connection is not supported.

Installation Notes

The Cisco Secure ACS Express product comprises an appliance, the Cisco Application Deployment Engine (ADE) 1010, and the ACS Express server software. The software for ACS Express is already installed on the appliance.

This section provides an overview of installation tasks required to install the ACS Express appliance.

---

Step 1 Open the box and check the contents.

The package containing your ACS Express appliance includes the following:

•ACS Express appliance

•Hardware accessory kits

•Software accessory kits

•Rack mount kit

•Power cord

Step 2 Read Chapter 2 of the Installation and Setup Guide for Cisco Secure ACS Express and pay special attention to all safety warnings.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/
installation/guide/prepare.html

Step 3 Install the appliance in either a two-post or four-post rack, and complete the rest of the hardware installation.

See Chapter 3 of the Installation and Setup Guide for Cisco Secure ACS Express for more details about installing the ACS Express appliance.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/
installation/guide/instll.html

Figure 1 shows the rear of the ACS Express appliance and the various cable connectors. Ensure that you connect the Ethernet cable to the NIC 1 connector (#6 in Figure 1).

---

Note Use the NIC 1 connector for your Ethernet connection. Using the NIC 2 port is not supported and attempting to use the NIC 2 connector will cause an unstable environment.

---

Figure 1 Cable Connectors on Rear of ACS Express Appliance

Table 1 describes the rear panel connectors called out in Figure 1:

Table 1 Cable Connectors on Rear of ACS Express Appliance

#	Connector	#	Connector
1	AC power connector	5	Video connector
2	Mouse	6	NIC 1 (10/100/1000 Mb) port
3	Keyboard	7	Unsupported NIC 2 port
4	Serial port	8	USB ports

After completing the hardware installation, you are ready to turn power on.

The first time you turn power on you must run the setup program. See Running the setup Program for more detailed information.

---

Running the setup Program

The setup program launches an interactive command-line interface (CLI) that prompts you for the required parameters. An administrator can use the console or a dumb terminal to configure the initial network settings and provide the initial administrator credentials for the ACS Express server using the setup program.

After you turn on power to the ACS Express appliance and it boots up for the first time, a login prompt like the following displays on the console:

*************************************************

Please log in as setup to configure the appliance

*************************************************

localhost login: 

Enter setup at the login prompt to launch the setup program, and the ACS Express appliance will prompt you for the setup parameters. Table 2 lists and describes the setup program parameters. You must provide a response for each parameter before you advance to the next.

Table 2 Setup Command Parameters

Parameter	Description
Hostname	Hostname of the ACS Express server
IP Address	Must be a valid IP address
Network Mask	Must be a valid mask
Default Gateway IP	Must be a valid IP address
Domain Name	Domain name of the valid IP address server
DNS Server Address	Must be a valid IP address
Administrator Password	Must adhere to password policy for administrators
Time	Must be a valid time

Figure 2 provides an example of the setup program interaction. Entries in bold font are administrator entries.

Figure 2 Sample Output of setup Command

localhost.localdomain login: setup

Press 'Ctrl-C' to abort setup

Enter hostname[]: acsexpress1

Enter IP address[]: 209.165.200.225

Enter IP default netmask[]: 255.255.255.0

Enter IP default gateway[]: 209.165.200.1

Enter default DNS domain[]: yourcompany.com

Enter Primary nameserver[]: 209.165.200.254

Add/Edit another nameserver? Y/N : n

Enter username[admin]: admin

Enter password: 

Enter password again: 

Pinging the gateway...

Pinging the primary nameserver...

Do not use 'Ctrl-C' from this point on...

---

Note If you use CTRL-C to interrupt the setup program at this point, you might have to reimage the ACS Express appliance.

---

Appliance is configured

Installing applications...

Installing acsexpress ... 

Generating configuration...

Rebooting...

---

You can abort from setup by pressing CTRL-C. After providing the required input for each parameter, the new settings are applied. You can also use CTRL-C to abort from setup if you happen to enter an incorrect setting.

After you run the setup program and provide the initial settings, the ACS Express server reboots. After the ACS Express server reboots, use the username and password you entered during setup to log in.

---

Note After you complete the initial setup, it is no longer possible to rerun the setup program unless you reimage the ACS Express appliance using the recovery CD.

---

Upgrade Notes

Follow the steps below to upgrade an ACS Express server from 5.0 to 5.0.1:

---

Note The first two steps in the following procedure are optional. These steps are used to back up the configuration and system data, which can be used when you lose the data or whenever you need to restore the old backup.

---

---

Step 1 Enter the acsexport command in the EXEC mode to export the ACS Express 5.0 configuration data:

acsexport <export_file> repository <repository_name> secret <secret_key_min_8_chars>

ACS Express displays the following message:

Successfully exported.

Step 2 Enter the backup command in the EXEC mode to back up the ACS Express server data and place the backup file in a repository:

backup <backup_filename> repository <repository_name>

ACS Express creates a backup file with the name backup_filename.tar.gpg in the repository.

Step 3 Copy the ACS Express 5.0.1 upgrade software from the Cisco Software Download Site to a remote repository.

To get the ACS Express 5.0.1 upgrade software, from the Cisco Software Download Site, select Network management > Security and Identity Management > Cisco Secure Access Control Server Products > Cisco Secure Access Control Server Express > Cisco Secure Access Control Server Express 5.0.

Step 4 Enter the application upgrade command in the EXEC mode to upgrade to ACS Express 5.0.1:

application upgrade <upgrade_bundle> <remote_repository_name>

ACS Express requests you to confirm if you want to save the current configuration:

Do you want to save the current configuration ? (yes/no) [yes] ?

Enter yes.

You will see the following message:

Saved the running configuration to startup successfully

Application upgrade successful.

---

---

Note ACS Express preserves the existing configuration during the upgrade process. Hence, you can perform the following procedure based on your needs.

---

When you want to restore the configuration and system data to the ACS Express 5.0.1 server, follow the steps below:

---

Step 1 You can validate the ACS Express 5.0 configuration data using the following command:

acsimport <import_file> repository <repository_name> validateonly

This command validates the import file without modifying the configuration stored in the database. It also displays the errors that occurs during the validation. For example, this command displays an error when an XML file misses a reference to an object from another object.

ACS Express displays the following output:

% acsimport in progress...

% Validating EAP Settings 

Validating Network Device Group - Routers

Validating Network Device Group - Switches

Validating Network Device Group - Wireless Controllers

.

.

.

Validating RADIUS Access Profile rule - peap-eapgtc-ad-nap

Validating RADIUS Access Profile rule - peap-eapgtc-ldap-nap

Validating before system Update.

Updating the system. Please wait ...

Imported Successfully.

Step 2 Import the configuration data using the following command:

acsimport <import_file> repository <repository_name> flushconfig

This command flushes the objects that have root elements in the XML file. For example, if <DeviceGroups> is in the XML file, all existing Device Groups will be deleted before importing the Device Groups in the XML file.

ACS Express displays the following output:

% acsimport in progress...

% Validating EAP Settings 

Validating Network Device Group - Routers

Validating Network Device Group - Switches

Validating Network Device Group - Wireless Controllers

.

.

.

Validating RADIUS Access Profile rule - peap-eapgtc-ad-nap

Validating RADIUS Access Profile rule - peap-eapgtc-ldap-nap

Validating before system Update.

Updating the system. Please wait ...

Imported Successfully.

Step 3 Restore the system data using the following command:

restore <backupfile> repository <repository_name>

ACS Express requests you to confirm if you want to reboot the server:

Restore requires a reboot to successfully complete. Continue? (yes/no) [yes] ?

Enter yes.

---

For more information on ACS Express commands, refer to Command Line Interface Reference Guide for Cisco Secure ACS Express, 5.0.

http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/command/
reference/guide/cmdref.html

Resolved Bugs

Table 3 lists bugs that are resolved in ACS Express 5.0.1.

Table 3 Resolved Bugs in ACS Express 5.0.1 

Bug ID	Description
CSCsu36577	Occasionally, ACS Express freezes and does not respond when used with an AD. Symptom: ACS Express goes into a frozen state and does not respond when used with an AD. Conditions: This occurs when there are issues with Domain Name System (DNS) or AD connectivity. Workaround: Ensure AD or DNS connectivity is fine from ACS Express, and try to rejoin the AD with different accounts.
CSCsw29387	ACS Express fails to join an AD domain. Symptom: ACS Express fails to join the AD domain in a single-domain, multi-domain-controller environment. Conditions: This occurs when ACS Express attempts to join an AD domain in a multi-domain-controller environment and one of the domain controllers is down. Workaround: Contact Cisco Technical Assistance Center (TAC).
CSCsy55874	The group mapping process results in a timeout. Symptom: The ACS Express GUI displays the following error when you try to set up group mapping: Timeout occurred communicating with AD Domain Controller Conditions: When ACS Express is integrated with AD and if you try to set up group mapping, the group retrieval process invokes the adinfo CLI command and if it encounters Domain Controllers (DC) that are down or their User Datagram Protocol (UDP) are non-responsive, it results in a timeout. Workaround: Contact Cisco TAC. The workaround for this defect requires TAC to modify scripts on the ACS Express appliance.
CSCsu58365	The acsimport CLI command causes an error while importing a config file that has radius response attributes whose names have more than 32 characters. Symptom: The acsimport CLI command throws an error while importing config with large radius response attribute names. Conditions: The config file being imported has radius response attributes whose names are greater than 32 characters. Workaround: Remove the large attributes from import file, then import using the acsimport CLI command. Choose Access Policies > Policy Elements > RADIUS from the ACS Express GUI to add the large attributes responses.
CSCsu84366	When you replicate an EAP RADIUS Access Service and if you log in to a secondary server, the RADIUS Access Policy is shown up as a PAP/CHAP/MSCHAPv2 Access service. Symptom: The replicated ACS Express server and the secondary server display the Radius Access Policy incorrectly. Conditions: This occurs when you replicate an ACS Express server with EAP RADIUS Access Service. Workaround: None. This is a cosmetic GUI bug. Authentication is still successful to the secondary ACS as the policy is correct in the database. The GUI is all that displays incorrectly, even though ACS Express correctly authenticates as EAP.
CSCsq35353	The EAP-Message attribute in the Access-Reject packet contains code for EAP-Success. Symptom: EAP-Success is sent inside the Access-Reject packet. Conditions: This occurs when there is an access request to ACS Express and if the authentication succeeds but the authorization fails. Workaround: None.
CSCsq39647	The ACS Express Server sends an incomplete certificate chain in PEAP response. Symptom: The ACS Express Server with EAP-PEAP does not send a complete certification chain to the client and hence, the client sends the following TLS alert that causes the authentication to fail. unknown CA Conditions: This problem occurs when ACS Express is used in a three-certificate hierarchy where the server is also loaded with an intermediate certificate. This happens only for PEAP. Workaround: Do not use a three-certificate hierarchy for PEAP.
CSCsk58317	Partial replication does not update the Default Rule for a TACACS+ Access Service. Symptom: In a replicated configuration, changes to the Default Response for TACACS+ Access Services are not replicated to the secondary server. Conditions: This limitation for Default Response of TACACS+ Access Services applies to configuration changes made from the GUI and when using the CLI command acsimport. Workaround: Do a full synchronization between the primary and secondary. On the primary or secondary, synchronize the servers by clicking Synchronize Servers on the Replication window.
CSCsk66746	Entering the show version CLI command as a read-only administrator causes an error. Symptom: The CLI command show version does not display ACS Express version information and displays an error like the following: Error: Must have admin privilege to run this script. Aborting.... Conditions: This occurs when a read-only administrator issues the CLI command show version. Workaround: Use the CLI command show version as a read-write administrator.
CSCsm03402	The filter query of ACS Express displays an LDAP error if you do not provide the domain name during device-admin authentication. Symptom: In Windows 2000, LDAP lookup fails with domain authentication. Conditions: This occurs when you use an AD datastore with AD environment server version as Windows 2000, and enter an invalid username for a device-admin authentication. Workaround: At the login prompt, enter the fully qualified domain name for the user.
CSCsm19194	CLI time zone change not reflected in GUI. Symptom: When you change the time zone setting from the command line, the ACS Express GUI does not reflect the time zone change. Conditions: Universal. Workaround: Reboot the ACS Express appliance.
CSCsq97476	Few ACS Express appliances may have manufacturing issues. Symptom: ACS Express fails to perform fine installation, boot sequence, or Unique Device Identifier (UDI) check. Conditions: This happens during the appliance startup. Workaround: To resolve the boot failure problem, reimage the appliance with the recovery CD. The UDI string mismatch should not be an issue unless you have to reimage the box using the recovery CD. Reimaging fails for such units as the UDI check will fail. The only resolution for this issue is to return the appliance to Return Material Authorization (RMA).
CSCsx29652	The ACS Express server core dumps due to invalid EAP packets. Symptom: The stack trace displays Protected Identity as being NULL. Condition: ACS Express server core dumps when invalid EAP packets are received. Workaround: A fix has been added into the code base for a NULL check on the protected identity.
CSCta37930	Opening command accounting logs throws ArrayIndexOutOfBoundsException. Symptom: When you try to view the command accounting logs on ACS Express, the Java exception "ArrayIndexOutOfBoundsException" is displayed. Condition: This happens when ACS Express 5.0.0.17 with a device sends a corrupt command accounting message to the ACS Express server. Workaround: View the accounting data by downloading the accounting logs instead of viewing them through the GUI.
CSCsu51127	For better troubleshooting of issues, the output of the following commands are added to the ACS Express tech support log to provide elaborate information on hardware and AD diagnostics. •fdisk -l—Displays the hard disk and partition information. •adinfo --diag domainname—Displays AD diagnostics-related information. •adinfo --support—Displays AD diagnostics-related information.
CSCso60692	The backup and backup-logs CLI command sections of Command Line Interface Reference Guide for Cisco Secure ACS Express, 5.0 document is updated with cross-references to repository creation steps. This will help to refer the repository creation steps before backing up the files.
CSCsu72951	This bug is related to the Customer Embedded Feedback Survey notifying the PDF download of Cisco Secure ACS Express Installation and Setup Guide, 5.0 failed. This PDF document download was double-checked and seems to be working fine.
CSCsw16874	The Cisco Secure ACS Express Troubleshooting Guide, 5.0 inadvertently included the note "How much is too much?". This note was removed from the guide.
CSCsw19984	The hostname of ACS Express appliance should not be set to longer than 15 characters. This limitation information is included in the Cisco Secure ACS Express Installation and Setup Guide, 5.0.
CSCsm11074	To avoid the acsxp_server.log file being continuously filled up with frequent logging of timed out authentication sessions information, these messages are now being logged to acsxp_server_trace.log. ACS Express logs the elaborative message into acsxp_server_trace.log and logs the message into acsxp_server.log only when the server detects a timed out session and tries to delete it. ACS Express logs the information into acsxp_server_trace.log every one hour since SessionPurgeInterval is one hour and the server tries to find any timed out sessions every hour.
CSCsm17575	The preface section of the Cisco Secure ACS Express User Guide, 5.0 is updated with OpenSSL acknowledgement information.
CSCsm37847	The Quick Start and Documentation Guide for Cisco Secure ACS Express, 5.0 is updated with console settings information.
CSCsw28868	ACS Express fails to contact all of the DC when you try to install ACS Express in an environment that consists of multiple AD controllers and hence, ACS Express 5.0.1 provides a UI component for joining AD with a preferred DC server.
CSCsu83194	ACS Express fails to join an AD due to timeout. This problem occurs if there are one or more domain controllers or global catalog servers exist that ACS Express cannot query or contact. AD Domain with inter-domain trusts contain trees that ACS Express does not need to access and hence, it fails to return successful lookups for all domain controllers within the forest. In ACS 5.0.1, a new feature has been developed to allow only the domain controllers from the trusted cross-forests. To activate this property for a domain, choose Users & Identity Stores > External User Databases > Active Directory and in the Active Directory Domain Configuration window, check Enable Cross Forest Trusts check box.
CSCta03160	When you delete the default user group that is the only user group available in ACS Express, and if you attempt to create a new user by choosing Internal Database > User, ACS Express throws an exception to indicate that it is not possible to add a user. ACS Express 5.0.1 restricts you on deleting the default user group.
CSCsy85384	ACS Express 5.0.1 provides support for Windows 2008 AD.
CSCtb43985	The User Guide for Cisco Secure ACS Express, 5.0 is updated with the following note: "ACS Express 5.0 is not fully compliant with the latest EAP-FAST RFC, including EAP-FASTv1 and EAP-FASTv1a."

Related Documentation

This section provides a list of the ACS Express product documentation with links to the online documentation.

You can find links to all ACS Express product documentation at the following URL:

http://www.cisco.com/en/US/products/ps8543/tsd_products_support_series_home.html

The following documents comprise the ACS Express documentation set and should be read in the following order:

•Quick Start and Documentation Guide for Cisco Secure ACS Express 5.0 (78-17961-01)

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/
roadmap/xpguide.html

•Cisco Secure ACS Express Installation and Setup Guide, 5.0 (OL-11671-01)

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/
installation/guide/install.html

The Installation and Setup Guide for Cisco Secure ACS Express is an online only document that provides information about how to set up the ACS Express appliance including location, internet connection, and initial configuration.

•User Guide for the Cisco Secure ACS Express, 5.0.1 (OL-20148-01)

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0.1/
user/guide/acs_express_5_0_1_user_guide.html

The User Guide for Cisco Secure ACS Express is an online only document that provides information about how to use the ACS Express GUI and how to perform routine tasks associated with the features and functionality of Cisco ACS Express.

•Command Line Interface Reference Guide for Cisco Secure ACS Express, 5.0 (OL-11673-01)

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/
command/reference/guide/cmdref.html

The Cisco Secure ACS Express Command Reference focuses on the following topics:

–Command-line interface configurations

–Command-line interface reference

Each topic provides a high-level summary of the tasks required for using the CLI in the Application Deployment Engine OS 1.0.1, and the procedures for performing these tasks.

•Troubleshooting Guide for Cisco Secure ACS Express, 5.0 (OL-14650-01)

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/
troubleshooting/guide/trouble.html

This guide provides information about troubleshooting strategies and shows example ACS Express logs with pointers to things to look for when experiencing difficulties.

•Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Express, 5.0 (OL-14842-01)

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/
devices/devices.html

This guide provides information about support device types and supported browsers.

This document is to be used in conjunction with the documents listed in the "Related Documentation" section.

---

CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Pulse, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco  IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Fast Step, Follow Me Browsing, FormShare, GainMaker, GigaDrive, HomeLink, iLYNX, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0908R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2007-2009 Cisco Systems, Inc. All rights reserved.