
Cisco Secure Access Control Server View

Release Notes for Cisco Secure Access Control Server View 4.0.1


Release Notes for Cisco Secure ACS View 4.0.1


September 15, 2009, OL-19767-01

These release notes describe the features and fixes to the software issues for Cisco Secure Access Control Server (ACS) View, release 4.0.1.

Contents

This document contains:

Introduction

System Specifications

System Requirements

Key Features

Upgrade Notes

Licensing Requirements

Caveats

Related Documentation

Obtaining Documentation and Submitting a Service Request

Introduction

ACS View provides reporting, monitoring, and troubleshooting capabilities for administrators of ACS networks. Using ACS View, you can extract consolidated log and configuration data from the ACS servers in your network for advanced reporting and troubleshooting purposes.

ACS View provides reports and configurable thresholds to generate alerts on data collected from ACS servers. You can use this data to manage your network efficiently and resolve applicable network-related problems.

This release of ACS View provides reporting capabilities for ACS 4.1.4, ACS 4.2, and ACS 4.2.1 deployments.

System Specifications

ACS View comprises an appliance, the Cisco Application Deployment Engine (ADE) 2120 Series, which runs on a Linux operating system, and the ACS View server software. The software for ACS View is preloaded on the appliance.

For more information on the installation process, see the User Guide for Cisco Secure Access Control Server View 4.0.

System Requirements

Table 1 lists the system requirements for the server from which you access the ACS View GUI.

Table 1 System Requirements for ACS View

Component            Requirement

Operating System     Windows Vista Business Edition
                     Windows XP

Supported Browsers   In Windows Vista Business Edition:
                       Mozilla Firefox 3.0
                       Microsoft Internet Explorer 7.0
                     In Windows XP:
                       Mozilla Firefox 3.0
                       Microsoft Internet Explorer 6.0
                       Microsoft Internet Explorer 7.0


For more information on system configuration, see the User Guide for Cisco Secure Access Control Server View 4.0.

Key Features

This section briefly describes the key features in this ACS View release:

Reports with Local Time Zone Timestamp

Enhanced User Status Information

Mozilla Firefox 3.0 Support

Group Profile Report

Reports with Local Time Zone Timestamp

In ACS View 4.0, report data is shown in the GMT time zone, irrespective of the time zone configured in the ACS server or in the ACS View server.

After you upgrade to ACS View 4.0.1, all reports are stored and shown with respect to the time zone configured in the ACS View server.

Enhanced User Status Information

In this release of ACS View, the User Status report has been enhanced to display additional and accurate information, such as:

User account status

Password status

User-Defined fields (if configured in ACS)

These enhancements are dependent on the corresponding changes made in ACS 4.2.1. If you are using an ACS version older than ACS 4.2.1, the report will display data similar to ACS View 4.0.

Mozilla Firefox 3.0 Support

This release of ACS View provides support for Mozilla Firefox 3.0.

Group Profile Report

In this release of ACS View, a Group Profile report has been added to show the detailed configuration of each Group Profile. This report displays the following information:

Group configurations such as group status, network access restrictions, and session limitations.

Group profile information that includes TACACS+ settings.

User list.

Availability of the Group Profile report depends on the settings configured in ACS 4.2.1.

Upgrade Notes

This section provides an overview of the tasks required to upgrade the ACS View appliance:

Prerequisites for ACS View 4.0.1 Upgrade

Recommendations Before ACS View 4.0.1 Upgrade

Upgrading to ACS View 4.0.1

Verifying the Upgrade

Recommendations After ACS View 4.0.1 Upgrade

Prerequisites for ACS View 4.0.1 Upgrade

The ACS View 4.0 bundle should be installed before you upgrade to ACS View 4.0.1.

Recommendations Before ACS View 4.0.1 Upgrade

In ACS View 4.0, report data is shown in the GMT time zone, irrespective of the time zone configured in the ACS server or in the ACS View server. After the ACS View 4.0.1 upgrade, reports display the timestamp with respect to the time zone configured on the ACS View server.

To see the report data in the local time zone, reset the clock to the required local time zone in the ACS View server.

Follow the instructions at the following links to check and set the correct time zone:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_view/4.0/user/guide/appendixB.html#wp1056146

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_view/4.0/user/guide/appendixB.html#wp1056552


Note We recommend that you set your time zone before the ACS View 4.0.1 upgrade. If you update the time zone after the upgrade, some of the report data may still be correlated to the old timestamp and may be inconsistent. If you still want to see the report data in the GMT time zone, set the ACS View server time zone to GMT/UTC.


We recommend backing up the ACS View 4.0 data before you upgrade to ACS View 4.0.1. Follow the instructions at the following link to back up and restore the ACS View 4.0 data:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_view/4.0/user/guide/admin.html#wp1065963

Upgrading to ACS View 4.0.1


Note You must first upgrade the Application Deployment Engine Operating System (ADE-OS) to ADE-OS 1.2 before you upgrade from ACS View 4.0 to ACS View 4.0.1.


To upgrade to ADE-OS 1.2 and ACS View 4.0.1:


Step 1 Log in to the Cisco Software Download Site at: http://www.cisco.com/public/sw-center/index.shtml.

Step 2 Choose Security > Identity Management > Cisco Secure Access Control System View > Cisco Secure Access Control System View 4.0.1.

Step 3 Download the acsview4.0.1.zip upgrade bundle from Cisco.com. The acsview4.0.1.zip file contains the following:

acsview401-adeos-patch-1-2-0-146.tar.gz: ADE-OS 1.2 upgrade patch.

acsview401-appbundle.tar.gz: ACS View 4.0.1 upgrade bundle.

README.txt: Readme file.

Step 4 Use the checksum to ensure that the downloaded file is not corrupt.

Step 5 Configure the repository to place the ADE-OS acsview401-adeos-patch-1-2-0-146.tar.gz patch file. Follow the instructions given in the following link to configure the repository:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_view/4.0/user/guide/appendixB.html#wpmkr1057637

To copy the patch file to the local repository, execute the following command:

copy ftp://<ftp-machine-ip>/<image-name> disk://

For example:

copy ftp://10.77.202.251/acsview401-adeos-patch-1-2-0-146.tar.gz disk://


Note We recommend that you place the acsview401-adeos-patch-1-2-0-146.tar.gz patch file in the local repository instead of a remote repository.



Note We recommend that you copy the running configuration of the appliance to a repository before the ADE-OS upgrade.


Step 6 Install the patch file by executing the following command:

patch install acsview401-adeos-patch-1-2-0-146.tar.gz <repositoryName>

The following prompts appear during the upgrade process:

Do you want to save the current configuration ? (yes/no) [yes] ? yes

Generating configuration...

Saved the running configuration to startup successfully

This installation will take approximately 5 minutes to complete.

Upon completion of the ADE-OS patch, the system will reload automatically.

Installing ADE-OS patch 1.2.0.146. Please wait...

* DO NOT USE CNTRL-C BEYOND THIS POINT *

ADE-OS 1.2 Patch installation completed successfully.

System reload in progress...

After successful installation, the appliance will reboot.

Step 7 Configure a repository to place the acsview-4_0_1.tar.gz bundle. Follow the instructions given in the following link to configure the repository:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_view/4.0/user/guide/appendixB.html#wpmkr1057637


Note We recommend that you place the acsview-4_0_1.tar.gz bundle in the local repository instead of a remote repository.


Step 8 Execute the following command:

application upgrade acsview-4_0_1.tar.gz <repositoryName>

The following prompts appear during the upgrade process:

acsvw141/admin# application upgrade acsview-4_0_1.tar.gz test

Do you want to save the current configuration ? (yes/no) [yes] ? yes

Generating configuration...

Saved the running configuration to startup successfully

Application upgrade successful
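
The Step 4 checksum check, extended to also confirm that the archive holds exactly the three files listed in Step 3 before anything is copied to the appliance. This is an added example, not Cisco tooling: the checksum algorithm and the published value are assumptions taken from the download page and passed in as parameters, and the sample bundle used in the offline demo is constructed.

```python
import hashlib
import io
import sys
import zipfile

# Member names the release notes list for acsview4.0.1.zip (Step 3).
EXPECTED_MEMBERS = frozenset({
    "acsview401-adeos-patch-1-2-0-146.tar.gz",
    "acsview401-appbundle.tar.gz",
    "README.txt",
})


def stream_digest(stream, algorithm):
    """Hash a seekable binary stream in chunks so a large bundle is never read whole."""
    digest = hashlib.new(algorithm)
    stream.seek(0)
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        digest.update(chunk)
    return digest.hexdigest()


def verify_bundle(stream, algorithm, published_hex):
    """Return a list of problems found; an empty list means the bundle passed."""
    actual = stream_digest(stream, algorithm)
    if actual != published_hex.strip().lower():
        # Stop here: an archive that fails the checksum is not parsed further.
        return [f"{algorithm} mismatch: computed {actual}"]
    stream.seek(0)
    try:
        with zipfile.ZipFile(stream) as archive:
            names = set(archive.namelist())
            damaged = archive.testzip()  # per-member CRC check
    except zipfile.BadZipFile as exc:
        return [f"not a readable zip archive: {exc}"]
    problems = []
    if damaged is not None:
        problems.append(f"CRC failure in member: {damaged}")
    for name in sorted(EXPECTED_MEMBERS - names):
        problems.append(f"missing member: {name}")
    for name in sorted(names - EXPECTED_MEMBERS):
        problems.append(f"unexpected member: {name}")
    return problems


def build_sample_bundle(member_names=EXPECTED_MEMBERS):
    """Constructed stand-in for the download: right member names, dummy contents."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name in sorted(member_names):
            archive.writestr(name, b"constructed sample data for " + name.encode())
    return buffer.getvalue()


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # Usage: verify_bundle.py acsview4.0.1.zip <algorithm> <published checksum>
        path, algorithm, published = sys.argv[1:]
        with open(path, "rb") as handle:
            findings = verify_bundle(handle, algorithm, published)
    else:
        # Offline demo on the constructed bundle, with a checksum computed from it.
        sample = build_sample_bundle()
        published = hashlib.sha256(sample).hexdigest()
        findings = verify_bundle(io.BytesIO(sample), "sha256", published)
    print("OK" if not findings else "\n".join(findings))
    sys.exit(1 if findings else 0)
```

A non-zero exit status means the bundle should be downloaded again rather than placed in the repository.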


Verifying the Upgrade

To verify that the ADE-OS patch upgrade is successful, execute the following command:

show version

The result of the show version command is:

Cisco Application Deployment Engine OS Release: 1.2

ADE-OS Build Version: 1.2.0.146

ADE-OS System Architecture: i386

To verify that the ACS View 4.0.1 upgrade is successful, execute the following command:

show application

The result of the show application command is:

acsview Cisco Secure ACS View 4.0.1

Recommendations After ACS View 4.0.1 Upgrade

After you upgrade to ACS View 4.0.1, ACS View stores and shows reports with respect to the time zone configured in the ACS View server for the new syslog data and the Package.cab upload data.

However, the previous ACS View 4.0 report data still appears with respect to the GMT time zone. If you want the older ACS View 4.0 data to appear in the local time zone, use the following CLI utility:

#database convertTZ DateRange <startDate in yyyyMMdd> <endDate in yyyyMMdd>


Note You can convert only seven days of data. Converting previous ACS View 4.0 data is a time-consuming process, as the conversion process manipulates the records.


Licensing Requirements

You must have a valid license to add the ACS servers in your network to ACS View. ACS View performs a license check to verify that the total number of ACS servers that are registered with ACS View falls within the number of ACS servers specified in the license file. If the number of ACS servers registered with ACS View is higher than the number of ACS servers that you are licensed to use, ACS View stops collecting data from the additional ACS servers, starting from the first ACS server that you registered with ACS View.


Note If you have an ACS View 4.0 bundle license, you do not require a new license to upgrade to ACS View 4.0.1.


For information on the licensing requirements, see the User Guide for Cisco Secure Access Control Server View 4.0.

Caveats

This section provides a list of issues that exist in this ACS View release.

Known Issues in ACS View 4.0.1

Resolved Issues in ACS View 4.0.1

Known Issues in ACS Versions

Resolved Issues in ACS Versions

Known Issues in ACS View 4.0.1

Table 2 describes the known issues in this ACS View release.

Table 2 Bugs Open in ACS View 

CDETS ID
Symptom/Condition
Workaround

CSCsl42864

When you configure a threshold from My Workspace > Alerts > Threshold, by configuring the time duration, ACS View generates Alerts considering the time duration only for the current day.

For example, when you configure time duration as 20:00 Hrs to 21:00 Hrs, it refers to monitoring threshold between 20:00 Hrs and 21:00 Hrs for each of the chosen days. This time duration configuration cannot span over days.

This is the intended behavior. When you specify time duration while defining a threshold, ACS View considers the time range only for the current day.

CSCsl58951

Some syslog messages are not logged at the ACS View syslog collector.

This error occurs when the size of a syslog message that ACS generates exceeds the limit configured in the ACS server, consequently splitting the message. ACS View, in some instances, drops the split message.

Recover the dropped split message using the package.cab download, which runs once a day.

CSCsl97337

Logs that contain special characters that are not enclosed in single (' and ') or double quotation marks (" and ") are not processed.

This error occurs when the username or other keys contain CSVs.

Currently, there is no workaround for this issue.

CSCsm00926

When space is given after the page number in the Go To Page field in the Report output page, an error appears.

Remove the space after the page number and click Go To Page.

CSCsm50283

Following a backup, restore, or backup replication operation, alerts are generated even when the threshold is not reached.

Create a trigger before the backup, restore, or the replication event starts in ACS. This way, you can ensure that ACS View does not miss the necessary logs.

CSCsm84962

When running reports for extensive records, the reports take an extended period of time to launch.

Change the query parameter to run the report for a smaller dataset.

CSCsm09711

System alerts do not appear in your Alerts Inbox.

This happens if you have not configured the Notify Users field in the System Administration > Server Management > System Settings page.

You must configure at least one user for alert notification.

Configure the E-mail IDs of the users you want to notify when generated alerts appear in their Alerts Inbox, or when alerts are forwarded through E-mail. To configure notification:

1. Access the ACS View GUI.

2. Go to System Administration > Server Management > System Settings.

3. Click Select corresponding to the Notify Users field.

The system user popup appears.

4. Select the user IDs in the Available pane, and move them to the Selected pane using the forward arrow icon.

5. Click Submit.

CSCso01580

ACS View has been tested with five concurrent users. Depending on the concurrent operations and the system load, you might experience slowness or occasional failures for some operations.

Retry the operation.

CSCso02072

When background color is applied to the Reports page, the change applies only to alternate rows. This does not happen to the NAP Summary, Network Client Summary, User Status, Admin Entitlement, and Admin Status reports.

Printing a report in HTML format opens the report output with all the titles center-aligned and font size that is bigger than the original size.

The alignment in the date-wise Authentication Details drill-down reports is not proper.

Currently, there is no workaround for this behavior.

CSCso35019

Unable to add a user with the username 'Operator' from the GUI and CLI.

Add the user with a different username.

CSCso38049

When you save a report, the Save dialog box does not point to the appropriate folder. By default, it points to the /admin folder.

Navigate to the appropriate folder.

CSCso48676

After creating and saving a Public report, the content pane does not return to the page for creating Public reports.

Choose Reports & Troubleshooting > Public Reports to refresh the page.

CSCso52305

Unable to save a system or custom report that has special characters in the filename.

Ensure that you do not use special characters in report names.

CSCso64481

When ACS Server is added with software edition and Remote Logging Configuration is configured as Remote, Log Server in the Server List page is prepopulated with Self.

While adding the ACS Server, the default Syslog time zone selection is not the same as the default value configured in ACS.

Run the edit operation on the ACS Server to change the Log Server.

There is no option to retrieve the ACS time zone. You must specify the time zone while adding the ACS Server in ACS View.

CSCta11119

When the ACS View time zone is modified and another backup is scheduled, the recent backup history time value is updated.

Currently, there is no workaround for this issue.

CSCta62122

The username in ACS View is locked as per the password policy set in the ACS View server.

Reset the password with the help of the admin.

CSCta61574

Existing reports can be overwritten.

Use the CLI command resetReports to restore the default reports.

CSCta30541

While creating charts in custom reports in the Insert Chart window, the tabs and Close button are hidden.

Remove additional toolbars from the browser.

Increase the screen resolution.

None

If using Windows Internet Explorer 7.0, launching the ACS View reports takes some time.

Install the most current cumulative security update for Windows Internet Explorer 7.0.


Resolved Issues in ACS View 4.0.1

Table 3 describes the resolved issues in this ACS View 4.0.1 release.

Table 3 Resolved Issues in ACS View 4.0.1 

CDETS ID
Description

CSCta13157

System memory utilization always shows more than or equal to 90%.

CSCsm64368

Users and repositories are lost when the appliance is restarted.

CSCta13433

Report for group profile information needs to be added.

CSCsy69962

ACS View throws misleading exception while report generation.

CSCsz81583

Local time zone timestamp feature needs to be supported.

CSCso48673

Time range should be localized if configured in report query.

CSCsl87107

Unable to reset administrator password using the CD.

CSCsm11923

Process management CLI changes.

CSCso01574

Radius Summary Details report shows lexical error.

CSCso44603

System administration usability issues.

CSCso77497

Configuration issue after restore across servers.

CSCso82598

Minor issue in config changes the records in Auth detail report.

CSCso85027

Inactivity report shows additional Report On informations.


Known Issues in ACS Versions

Table 4 lists the known issues in ACS 4.1.4 and 4.2 versions that impact the functioning of this ACS View release.

Table 4 Known Issues in ACS Impacting ACS View 

CDETS ID
Symptom/Condition
Found In ACS Version (4.1.4, 4.2)
Workaround

CSCsb88295

When you enable the ExtDBInfo attribute, ACS Authentication logs do not contain a value for the attribute in some cases; for example, when you use an external Lightweight Directory Access Protocol (LDAP) server.

When using ACS View, the Authentication Summary and Authentication Summary Details reports (Reports & Troubleshooting > My Reports > Authentication) do not display data related to the ExtDBInfo attribute.

Found in ACS 4.1.4 and ACS 4.2.

Currently, there is no workaround for this issue.

CSCse25423

MAC Authentication Bypass related field (Bypass Info) and External DB information are not populated for certain scenarios in ACS logs. As a result, certain sections of the reports (especially, Authentication reports) related to these might appear as empty.

Found in ACS 4.1.4 and ACS 4.2.

Currently, there is no workaround for this issue.

CSCso27875

Changes to the user groups in ACS are not reflected in the Admin Entitlement Reports.

Found in ACS 4.2.

Currently, there is no workaround for this issue.

None

The AAA-Server attribute logs as DELIVERENCE, instead of using the hostname, in the ACS appliance.

When using ACS View, messages from the ACS appliance that have the AAA-Server attribute populated as DELIVERENCE are discarded.

Found in ACS 4.1.4.

1. Reimage the appliance using the ACS 4.1.1.23 Recovery CD.

Note Do not connect network cables to the appliance during this process.

2. When the reimaging process is complete, reboot the appliance, and connect to it from the console.

3. Configure the required information, such as hostname, domain name, and console admin. Do not configure the IP address at this time.

The appliance reboots.

4. When the console is available, connect the network cable to the appliance. We recommend that you use the lower network port.

5. Using the set ip command, configure the IP address.

Note In case the console throws an error stating that it cannot change the NIC IP, change the hostname of the appliance, and repeat Step 5. Do not restart the appliance after you change the hostname.

6. After you change the hostname and have configured the IP address, reboot the appliance for the changes to take effect.

None

The Response Time attribute in the ACS Passed/Failed Authentication logs does not display a value.

When using ACS View to generate an Authentication Summary from the Reports & Troubleshooting > My Reports > Authentication page, the report does not display a value for the Response Time attribute.

Additionally, if you create a custom report using the Response Time attribute, data relating to this attribute is not available.

Found in ACS 4.1.4.

Currently, there is no workaround for this issue.


Resolved Issues in ACS Versions

Table 5 lists the resolved issues in ACS 4.1.4 and ACS 4.2 versions that were resolved in the later patches or releases.

Table 5 Resolved Issues in ACS Versions 

CDETS ID     Found in ACS Version   Description

CSCsj38193   4.1.4                  User and Administrator Entitlement reports are not available as part of the package.cab download.
CSCsk84672   4.1.4                  CSLog-CPU-usage attribute CSV log value differing from syslog.
CSCsl06068   4.1.4                  CSAdmin-CPU-usage attribute CSV log value differing from syslog.
CSCsl06122   4.1.4                  CSLog-Thread-Count attribute CSV log value differing from syslog.
CSCsl06145   4.1.4                  CSTacacs-CPU-Usage attribute CSV log value differing from syslog.
CSCsk84720   4.1.4                  AAA-Server attribute not logged in Backup-Restore log for backup action.
CSCsl03768   4.1.4                  Package.cab download issue.
CSCsl27496   4.1.4                  Package.cab download for X number of days not working correctly.
CSCsl43316   4.1.4                  Cisco-av-pair value in RADIUS Account log not fully sent as syslog message.
CSCsl36771   4.1.4                  NAP attribute missing in RADIUS accounting.
CSCsl43431   4.1.4                  Status-class field in database replication log is not sent as syslog.


Related Documentation

Table 6 describes the related documentation that is available for ACS View 4.0.1.

Table 6 Product Documentation 

Document Title
Available Formats

Quick Start Guide for Cisco Secure Access Control Server View 4.0.

On Cisco.com at:

http://www.cisco.com/en/US/products/ps9302/prod_installation_guides_list.html

User Guide for Cisco Secure Access Control Server View 4.0.

On Cisco.com at:

http://www.cisco.com/en/US/products/ps9302/products_user_guide_list.html

Installation and Setup Guide for Cisco Secure Access Control Server View 4.0.

On Cisco.com at:

http://www.cisco.com/en/US/products/ps9302/prod_installation_guides_list.html


Table 7 describes the additional documentation that you can refer to:

Table 7 Product Documentation 

Document Title
Available Formats

Cisco Application Deployment Engine (ADE) 1010 and 2120 Series Appliance RCSI.

On Cisco.com at:

http://www.cisco.com/en/US/products/ps8340/prod_installation_guides_list.html

Cisco Application Deployment Engine (ADE) 1010 and 2120 Series Appliance Hardware Installation Guide.

On Cisco.com at:

http://www.cisco.com/en/US/products/ps8340/prod_installation_guides_list.html


Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.