Table Of Contents
Release Notes for Cisco Secure ACS View 4.0
Contents
Introduction
System Specifications
System Requirements
Key Features
Comprehensive Report Generation
Configurable Thresholds to Generate Alerts
Troubleshooting
Scheduled and On-Demand Data Collection
Optimum Security
Administrative Capabilities
Flexible User Interface
Installation Notes
Installing the ACS View Appliance
Running Setup to Configure ACS View Appliance
Licensing Requirements
Evaluation License
Purchase License
How to Obtain and Install Your Licenses
Notices
OpenSSL/Open SSL Project
License Issues
Caveats
Known Issues in ACS Versions
Known Issues in ACS View 4.0
Related Documentation
Obtaining Documentation and Submitting a Service Request
Release Notes for Cisco Secure ACS View 4.0
These release notes describe the features and fixes to software issues for Cisco Secure Access Control Server (ACS) View, release 4.0.
Contents
This document contains:
•
Introduction
•System Specifications
•System Requirements
•Key Features
•Installation Notes
•Licensing Requirements
•Notices
•Caveats
•Related Documentation
•Obtaining Documentation and Submitting a Service Request
Introduction
ACS View provides reporting, monitoring, and troubleshooting capabilities for administrators of ACS networks. Using ACS View, you can extract consolidated log and configuration data from the ACS servers in your network for advanced reporting and troubleshooting purposes.
ACS View provides reports and configurable threshold to generate alerts on data collected from ACS servers. You can use this data to manage your network efficiently and resolve applicable network-related problems.
This release of ACS View provides reporting capabilities for ACS 4.1.4 and 4.2 deployments.
System Specifications
ACS View comprises an appliance, the Cisco Application Deployment Engine (ADE) 2120 Series, which runs on a Linux operating system, and the ACS View server software. The software for ACS View is preloaded on the appliance.
The Cisco ADE 2120 Series appliance is configured for AC-input power and has a single auto-ranging AC-input power supply, mounted in a standard 19-inch (48.3 cm) two- or four-post equipment rack. The appliance includes:
•Microprocessor—Intel Core 2 Duo 2.13-GHz processor with an 1066-MHz front side bus (FSB) and 2 MB of Layer 2 cache.
•Dynamic 4 GBRAM (SDRAM).
•Support for up to 2 x 250-GB SATA hard drives.
•Two fixed RJ-45 10BASE-T/100BASE-TX/1000BASE-T network interface connectors (located on the rear panel).
•One slimline DVD-ROM drive (located on the front panel).
•One DB-9 serial (console) port (located on the rear panel).
•Front-to-rear airflow blowers that use two 40-mm exhaust fans and ducting for the CPU and memory, two 40-mm exhaust fans built into the power supply, and one PCI exhaust fan.
•Three USB 2.0 ports (two located on the rear panel, one on the front panel).
•One PS/2 (keyboard) port (located on the rear panel).
•One PS/2 (mouse) port (located on the rear panel).
•One DB-15 serial (video) port (located on the rear panel).
•Rear-access cabling.
•Four green LEDs on the front panel of the appliance, which are the:
–Power (indicates whether the power supply is operational).
–Hard disk drive activity (indicates whether the drive is functioning).
–NIC 1 and NIC 2 activity (indicates whether interrupts or packet transfers are running).
•The Cisco ADE 2120 Series appliance normally ships with a rack-mount kit that includes brackets or rails; so that you can position the appliance in a two- or four-post equipment rack.
For more installation information, see Installing the ACS View Appliance.
System Requirements
Table 1 lists the system requirements for the server from which you access the ACS View GUI.
Table 1 System Requirements for ACS View
Component
|
Requirement
|
Operating System
|
•Windows Vista Business Edition
•Windows XP
|
Supported Browsers
|
•In Windows Vista Business Edition:
–Mozilla Firefox 2.0.0.11
–Microsoft Internet Explorer 7.0
•In Windows XP:
–Mozilla Firefox 2.0.0.11
–Microsoft Internet Explorer 6.0
–Microsoft Internet Explorer 7.0
|
For more configuration information, see Running Setup to Configure ACS View Appliance.
Key Features
This section briefly describes the key features in this ACS View release:
•Comprehensive Report Generation
•Configurable Thresholds to Generate Alerts
•Troubleshooting
•Scheduled and On-Demand Data Collection
•Optimum Security
•Administrative Capabilities
•Flexible User Interface
Comprehensive Report Generation
ACS View provides interactive reports to help you analyze and correlate log, configuration, and diagnostic data from ACS servers. Using this data, you can manage your network efficiently and resolve applicable network-related problems.
ACS View provides advanced reporting through:
•System reports—A set of predefined reports on log and configuration data from ACS servers. System reports provide a summary or detailed information on authentication, session traffic, device administration, ACS server configuration and administration, and troubleshooting.
•Custom reports—Dynamic reports that you can design to suit your requirements. Custom reports expose you to all the report fields that are available in the database. By using a template and a type of report, you can customize the report to generate data for any field in the database. Then, you can run the custom report to extract ACS data that matches your requirements.
You can use ACS View to schedule System and Custom reports to run daily, weekly, or monthly. You can also specify whether the report will be available for other users; or, if it is meant only for your viewing.
By using ACS View, you can format reports any way that you require: tabular or chart; and, drill down to a more detailed level.
You can filter the data of the reports based on your requirements. You can also export the data in a comma-separated-value (CSV) format; even attach the report to an e-mail and print it.
Configurable Thresholds to Generate Alerts
You can use ACS View to monitor ACS server traffic by setting thresholds on data from these servers. When a configured threshold is breached, an alert notifies you.
ACS View alerts can be:
•Data—These alerts are defined based on data collected from ACS servers.
•System—These alerts are triggered based on:
–Threshold conditions that you define for ACS View servers, such as CPU and disk-space usage.
–Critical conditions that ACS View encounters during processing.
When you define trigger conditions, you receive an alert. You can also choose to receive an e-mail notification.
Troubleshooting
ACS View provides troubleshooting by using reports, tools, and utilities.
•Reports—Help you troubleshoot authentication failures related to ACS users.
•Tools and Utilities, such as:
–Authentication Failure Code Utility—Helps you create and maintain data that you can use to troubleshoot authentication failures in ACS. You can use this utility to specify the possible root causes and resolutions for various ACS authentication failure codes to suit your environment. From Authentication reports, you can drill down to the failure codes and view the possible root causes and resolutions in a context-sensitive manner. You can use these codes to configure thresholds related to failed authentication.
–ACS Servers—Helps you troubleshoot connectivity issues with an ACS server, and view details of the last syslog message received or package.cab download.
–Connectivity Test Tool—Helps you troubleshoot connectivity to any server or device by using ping, traceroute, and nslookup commands.
Scheduled and On-Demand Data Collection
You can collect data from ACS servers when needed, or by scheduling it for a specific time.
Optimum Security
ACS View provides optimum security through:
•Access control—Uses two predefined roles in ACS View: Administrator and Operator. When you log in to the ACS View server, your roles determine your access policies. You have access to only those tasks and pages that are predefined for each role.
•HTTP over SSL (HTTPS)—Provides access to the GUI by using a secure SSL connection.
•Password policy—Enforces an administrator-defined password policy by using minimum password length, password expiry and renewal, and account lockup because of incorrect logins.
Administrative Capabilities
ACS View provides several administrative capabilities. Some of the key functions are:
•Database backup and restore—You can back up the ACS View server database and configuration files on a local system or a remote server repository, and restore them to ACS View by using:
–FTP.
–Network File Sharing (NFS).
–Secure File Transfer Protocol (SFTP).
–Trivial File Transfer Protocol (TFTP).
You can also configure backups when you require them, or to a convenient schedule: daily, weekly, or monthly.
•Database export—You can export the ACS View database tables relating to ACS log and configuration files in a CSV format to a remote server. You can then feed the exported data into any in-house reporting solution for further analysis.
•Backup Staging URL—You can back up huge data to a temporary location to avoid overloading the server.
Flexible User Interface
ACS View provides a flexible GUI through:
•Interactive Viewer that you can use to format, filter, and sort generated reports, and to customize your System reports. You can export reports in HTML, PDF, or CSV format, even e-mail and print reports.
•Dynamic Dashboard that serves as a central location for important and useful information, such as your favorite queries, generated reports and alerts.
Installation Notes
This section provides an overview of the tasks required to install and configure the ACS View appliance:
1. Installing the ACS View Appliance
2. Running Setup to Configure ACS View Appliance
Installing the ACS View Appliance
To install the ACS View appliance:
Step 1 Open the package containing the ACS View appliance and verify if it includes:
•ACS View appliance. The ACS View server software is preloaded on the appliance.
•Power cord.
•Rack-mount kit.
•Cisco Information Packet.
•Warranty Card.
•Recovery CD-ROM.
•Quick Start Guide for Cisco Secure Access Control Server View 4.0.
•Regulatory Compliance and Safety Information for the Cisco Application Deployment Engine (ADE) 2120 Series Appliance.
Step 2 See Chapter 3 of the Installation and Setup Guide for Cisco Secure Access Control Server View 4.0 and pay special attention to safety warnings and guidelines.
Step 3 Install the ACS View appliance in a two- or four-post rack, and complete the rest of the hardware installation. See Chapter 4 of the Installation and Setup Guide for Cisco Secure Access Control Server View 4.0.
After completing the hardware installation, you are ready to power up the appliance.
The first time you power up the appliance, you must run the setup command to configure ACS View. See Running Setup to Configure ACS View Appliance, for more information.
Running Setup to Configure ACS View Appliance
The setup process in ACS View is a one-time configuration task. You must power up the appliance before you run the setup program to configure the ACS View appliance.
The setup program launches an interactive command-line interface (CLI) that prompts you for required parameters. An administrator can use the console or a dumb terminal to configure the initial network settings and provide the initial administrator credentials for the ACS View server by using the setup program.
Use the following procedure to configure the ACS View appliance:
Step 1 Power up the ACS View appliance.
The login prompt appears.
Step 2 Enter setup at the login prompt.
The system asks you to enter the parameters, as described in Table 2.
Table 2 Setup Command Parameters
Setup Command Parameters
|
Required Input
|
Hostname
|
Enter the hostname of the ACS View server.
|
IP Address
|
Enter the IP address.
|
Network Mask
|
Enter a valid mask.
|
Default Gateway IP
|
Enter a valid IP address of the default gateway of your subnet or network.
|
Domain Name
|
Enter the domain name of the ACS View server.
|
Name Server Address
|
Enter the IP address of the name server of your network.
|
Username
|
Enter username.
|
Password
|
Enter the password for the administrator user.
|
Note If you enter an incorrect value and have not saved the configuration, press Ctrl-C to exit the setup.
After you provide the required input for each parameter, the appliance reboots to apply the new settings.
After completing the initial setup, you cannot rerun the setup program unless you re-image the ACS View appliance using the recovery CD.
Licensing Requirements
You must have a valid license to add the ACS servers in your network to ACS View. ACS View performs a license check to verify that the total number of ACS servers that are registered with ACS View falls within the number of ACS servers specified in the license file. If the number of ACS servers registered with ACS View are higher than the ACS servers that you are licensed to use, ACS View stops collecting data from the additional ACS servers, starting from the first ACS server that you registered with ACS View.
ACS View supports two types of licenses:
•Evaluation—Offers a free 90-day trial. ACS View stops collecting data from ACS serves after the evaluation period of 90 days. You do not require the Unique Device Identifier (UDI) for obtaining an evaluation license.
•Purchase—Offers a permanent, node-locked license that you can install only on the appliance for which the license was issued, by using its UDI.
Each ACS server in your network counts as one license in ACS View. A secondary or backup ACS server also counts as one license. If you have an ACS server in your network that sends logs to a remote ACS server, this remote ACS server also counts as one license.
The license file that you receive indicates the number of servers that you are licensed to use, in the ACS count (COUNT) column. The ACS Count column in the license file appears:
•For an Evaluation license:
INCREMENT ACSCOUNT cisco 4.0 31-may-2008 uncounted \
VENDOR_STRING="<COUNT>10</COUNT> <UDI>ANY</UDI>" HOSTID=ANY \
NOTICE="<LicFileID>12345</LicFileID><LicLineID>0</LicLineID> \
<PAK>dummyPak</PAK>" SIGN="0059 E534 CBFF A6AC F1C0 7F48 A8F4 \
024A 7DA9 83CE EC3E C807 480E 83F0 4E81 0403 20F5 DB68 D50A \
74C6 8AD8 CB4D 9988 ED15 218D E90C 49DA 0C2A 9E46 5615"
•For a Purchase license:
INCREMENT ACSCOUNT cisco 4.0 permanent uncounted \
VENDOR_STRING="<COUNT>10</COUNT> <UDI>ADE-1010123455</UDI>" \
NOTICE="<LicFileID>23456</LicFileID><LicLineID>0</LicLineID> \
<PAK>dummyPak</PAK>" SIGN="0ED3 F00C 2175 6EDA EF19 199C 33D6 \
0DFD A880 7640 96CC E3FC 81D0 A122 E03A 0C14 FF72 8037 3497 \
266D E669 3B36 17D2 9823 0357 50FD 03A2 14CE FDCD DA39"
Caution Ensure that you back up a version of your license file for use if you have to re-image your ACS View appliance.
For more information, see:
•Evaluation License
•Purchase License
•How to Obtain and Install Your Licenses
Evaluation License
An Evaluation license is a trial license that you can use to evaluate ACS View over a period of 90 days. Using the ACS View evaluation license, you can manage up to 10 ACS servers.
After the 90-day validity period expires, you cannot use the data-collection feature. You can, however, log in to ACS View and generate reports on the available data. To continue to effectively use ACS View, you must obtain a Purchase license.
Note If you overwrite an evaluation license with a purchase license, the evaluation license is deactivated.
You cannot install more than one evaluation license on ACS View.
Purchase License
A Purchase license is a permanent license that you can use to deploy ACS View. This license is node-locked with the UDI of the appliance; it ensures that this license is used only on the appliance for which it is issued.
The two types of purchase licenses are:
•Base—When you obtain a base purchase license, you can collect data from two ACS servers in your network.
•Add-On—After you receive a base purchase license, you must purchase an add-on license to collect and process data from more ACS servers in your network. You can request any number of licenses to match your server requirements.
How to Obtain and Install Your Licenses
This section describes how you can obtain an Evaluation or a Purchase license and deploy it in your network:
•Obtaining Licenses
•Installing Licenses
Obtaining Licenses
To obtain your license file, you must provide the UDI. However, you do not require the UDI for obtaining an evaluation license. Follow this procedure to obtain your UDI from the CLI, and generate a license file.
Step 1 Access the ACS View CLI.
Step 2 In the exec mode, enter:
This command returns information on the Serial Product ID (SPID), Version ID (VPID), and the appliance serial number.
For example:
.
Here, the UDI is CiscoAcsView123455.
Note The UDI includes SPID and the serial number of the appliance. It does not include the Version ID.
Step 3 Decide if you want to obtain an Evaluation license or a Purchase license.
•To obtain an Evaluation license, follow this:
a. Access this link: http://www.cisco.com/go/license. You must have a valid Cisco.com account to log in to this site.
The Product License Registration website appears.
b. Click the link under the Licenses Not Requiring a Product Authorization Key (PAK) section.
c. From the list of available licenses, choose the Evaluation license for ACS View.
d. Review the information, and click Submit.
After you complete the procedure, an evaluation license is generated and sent to you by e-mail.
•To obtain a Purchase license, follow this procedure:
a. Keep your PAK handy. The PAK is an alphanumeric number that is available on the Claims Certificate.
b. Access this link: http://www.cisco.com/go/license.
You must have a valid Cisco.com account to log in to this site.
The Product License Registration website appears.
c. Complete the steps on the Product License Registration page.
After you provide your PAK, UDI, and e-mail address in the Product License Registration page, a license file is generated and sent to you by e-mail.
Step 4 After you receive your license file, log in to ACS View and install the license file by using the procedure in the subsequent section.
Installing Licenses
After obtaining a license file, you must install the file on the ACS View server.
Note Before installing your license file, ensure that you back up your licenses in case you have to re-image ACS View.
To install an Evaluation or a Purchase license file:
Step 1 Once you receive your license file, save each file to the server on which you plan to access the ACS View GUI.
Step 2 Launch your web browser on that system.
Step 3 In the browser address bar, enter:
https://{servername.domain | ip_address}
•servername—Identifies the server on which you installed ACS View by its hostname.
•domain—Identifies the domain name. Enter this parameter only when you specify the ACS View server by its hostname.
•ip_address—Identifies the server on which you installed ACS View by its IP address.
Step 4 Log in with the administrator credentials.
Step 5 Choose System Administration > Server Management > License.
Step 6 Enter the path to the local directory in which you saved the license file; optionally, click Browse.
Step 7 Click Upload.
The License Details area summarizes your:
•License ID—Your unique license ID.
•Licensed Host—The UDI of the ACS View appliance.
•ACS Server Count—The number of ACS servers the license supports.
•Expiry Days—The license expiry period. An Evaluation license expires in 90 days; a Purchase license never expires.
Note You can view the number of ACS Server licensed in a ACS View server by clicking About on the top-right corner of the ACS View Dashboard.
Notices
The following notices pertain to this software license.
OpenSSL/Open SSL Project
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
License Issues
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.
OpenSSL License:
Copyright © 1998-2007 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)".
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)".
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS"' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
Original SSLeay License:
Copyright © 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
"This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)".
The word `cryptographic' can be left out if the routines from the library being used are not cryptography-related.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)".
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].
Caveats
This section provides a list of issues that exist in this ACS View release.
•Known Issues in ACS Versions
•Known Issues in ACS View 4.0
Known Issues in ACS Versions
Table 3 lists known issues in ACS 4.1.4 and 4.2 versions that impact the functioning of this ACS View release.
Table 3 Known Issues in ACS Impacting ACS View
CDETS ID
|
Symptom/Condition
|
Found In ACS Version
|
Workaround
|
4.1.4
|
4.2
|
CSCsb88295
|
When you enable the ExtDBInfo attribute, ACS Authentication logs do not contain a value for the attribute in some cases; for example, when you use an external Lightweight Directory Access Protocol (LDAP) server.
When using ACS View, the Authentication Summary and Authentication Summary Details reports (Reports & Troubleshooting > My Reports > Authentication) do not display data related to the ExtDBInfo attribute.
|
P
|
P
|
Currently, there is no workaround for this issue.
|
CSCse25423
|
MAC Authentication Bypass related field (Bypass Info) and External DB information are not populated for certain scenarios in ACS logs. As a result, certain sections of the reports (especially, Authentication reports) related to these may appear as empty.
|
P
|
P
|
Currently, there is no workaround for this issue.
|
CSCsj38193
|
User and Administrator Entitlement reports are not available as part of the package.cab download.
If you have configured an ACS 4.1.4 server as the Configuration Master, when you use ACS View, you cannot generate the Administrator Entitlement report from the Reports & Troubleshooting > My Reports > ACS Administration page.
|
P
|
|
Install the 4.1.4.13.7 cumulative patch, or upgrade the ACS 4.1.4 Configuration Master to ACS 4.2.
|
CSCsk84672
|
When generating the ACS Service Monitoring report, the following CSV attributes:
•CSLog-CPU-usage
•CSAdmin-CPU-usage
•CSLog-Thread-Count
•CSTacacs-CPU-Usage
return incorrect values of -1.
When you use ACS View to generate the ACS Service Status report from the Reports & Troubleshooting > My Reports > ACS Administration page, the values for CPU usage and thread count usage for various ACS processes, such as CSLog, CSAdmin and CSTacacs, return as -1.
|
P
|
|
Install the 4.1.4.13.7 cumulative patch, or upgrade to ACS 4.2.
|
CSCsl06068
|
CSCsl06122
|
CSCsl06145
|
CSCsk84720
|
The AAA-Server attribute in the ACS Backup-Restore log does not display a value.
When using ACS View, the AAA-Server attribute identifies the source of the log message. If the AAA-Server attribute is not available, ACS View discards that message or record.
|
P
|
|
Install the 4.1.4.13.7 cumulative patch, or upgrade to ACS 4.2.
|
CSCsl03768
CSCsl27496
|
When downloading package.cab from ACS servers, if you:
•Do not choose the Collect Log Files option, ACS downloads many of the service log files.
•Specify the number of days, ACS downloads all logs present in ACS, instead of downloading the logs only for the specified days.
ACS View downloads CSV logs through package.cab to plug gaps in syslog messages.
However, because of ACS behavior, the package.cab that ACS View generates from registered ACS servers includes unwanted logs and files that increases the size of the download. This increase causes a delay in downloading, extracting, and processing of the information required from ACS.
|
P
|
|
Install the 4.1.4.13.7 cumulative patch, or upgrade to ACS 4.2.
|
CSCsl36771
|
The Network Access Profile (NAP) Name attribute does not appear in the RADIUS Accounting logs.
When using ACS View, Session reports such as RADIUS Session Summary and RADIUS Session Summary Details reports (Reports & Troubleshooting > My Reports > Session) do not display values for the NAP Name attribute.
|
P
|
|
Install the 4.1.4.13.7 cumulative patch, or upgrade to ACS 4.2.
|
CSCsl43316
|
The Cisco-AVPair attribute in the RADIUS Accounting log does not display the correct value through syslog.
When using ACS View to generate a custom report created with RADIUS Accounting logs, based on the Cisco-AVPair attribute, incorrect values are returned for this attribute.
This error, however, does not occur in messages logged in the CSV files for the RADIUS Accounting log. As a result, when you perform an on-demand or a scheduled data collection, the correct values are updated in ACS View.
|
P
|
|
Use CSV reports for accurate data.
Note To enable updating of the correct values, configure ACS to log the Cisco-AVPair attribute in the CSV logs.
|
CSCsl43431
|
The Status-Class attribute in the ACS Replication log does not display a value through syslog.
When using ACS View to generate a ACS Replication report from the Reports & Troubleshooting > My Reports > ACS Administration page, the Status-Class attribute returns a NULL value.
This error, however, does not occur in ACS Replication CSV files for RADIUS Accounting log. As a result, when you perform an on-demand or a scheduled data collection, the correct values are updated in ACS View.
|
P
|
|
Use CSV reports for data relating to the Status-Class attribute.
|
CSCso27875
|
The changes in the user groups in ACS does not get reflected in the Admin Entitlement Reports.
|
|
P
|
Currently, there is no work around for this issue.
|
None
|
The AAA-Server attribute logs as DELIVERENCE, instead of using the hostname, in the ACS appliance.
When using ACS View, messages from the ACS appliance that have the AAA-Server attribute populated as DELIVERENCE are discarded.
|
P
|
|
1. Re-image the appliance using the ACS 4.1.1.23 Recovery CD.
Note Do not connect network cables to the appliance during this process.
2. When the re-imaging process is complete, reboot the appliance, and connect to it from the console.
3. Configure the required information, such as hostname, domain name, and console admin. Do not configure the IP address at this time.
The appliance reboots.
4. When the console is available, connect the network cable to the appliance. We recommend that you use the lower network port.
5. Using the set ip command, configure the IP address.
Note In case the console throws an error stating that it cannot change the NIC IP, change the hostname of the appliance, and repeat Step 5. Do not restart the appliance after you change the hostname.
6. After you change the hostname and have configured the IP address, reboot the appliance for the changes to take effect.
|
None
|
The Response Time attribute in the ACS Passed/Failed Authentication logs does not display a value.
When using ACS View to generate an Authentication Summary from the Reports & Troubleshooting > My Reports > Authentication page, the report does not display a value for the Response Time attribute.
Additionally, if you create a custom report using the Response Time attribute, data relating to this attribute is not available.
|
P
|
|
Currently, there is no workaround for this issue.
|
Known Issues in ACS View 4.0
Table 4 describes the known issues in this ACS View release.
Table 4 Bugs Open in ACS View
CDETS ID
|
Symptom/Condition
|
Workaround
|
CSCsl42864
|
When you configure a threshold from My Workspace > Alerts > Threshold, by configuring the time duration, ACS View generates Alerts considering the time duration only for the current day.
For example, when you configure time duration as 20:00 Hrs to 21:00 Hrs, it refers to monitoring threshold between 20:00 Hrs and 21:00 Hrs for each of the chosen days. This time duration configuration cannot span over days.
|
This is the intended behavior. When you specify time duration while defining a threshold, ACS View considers the time range only for the current day.
|
CSCsl58951
|
Some syslog messages are not logged at the ACS View syslog collector.
This error occurs when the size of a syslog message that ACS generates exceeds the limit configured in the ACS server, consequently splitting the message. ACS View, in some instances, drops the split message.
|
Recover the dropped split message using the package.cab download, which runs once a day.
|
CSCsl87107
|
When you use the Password Recovery CD, you cannot reset the administrator password.
This error occurs when the ACS View appliance is connected with a USB keyboard, which the appliance cannot detect.
|
Reset the administrator password through the serial console or with a PS2 keyboard/monitor.
|
CSCsl97337
|
Logs that contain special characters that are not enclosed in single (` and ') or double quotation marks (" and ") are not processed.
This error occurs when the username or other keys contain CSVs.
|
Currently, there is no work around for this issue.
|
CSCsm00926
|
When space is given after the page number in the Go To Page field in the Report output page, an error appears.
|
Remove the space after the page number and click Go To Page.
|
CSCsm09711
|
System alerts do not appear in your Alerts Inbox.
This happens if you have not configured the Notify Users field in the System Administration > Server Management > System Settings page.
You must configure at least one user for alert notification.
|
Configure the e-mail IDs of the users you want to notify when generated alerts appear in their Alerts Inbox, or when alerts are forwarded through e-mail. To configure notification:
1. Access the ACS View GUI.
2. Go to System Administration > Server Management > System Settings.
3. Click Select corresponding to the Notify Users field.
The system user popup appears.
4. Select the user IDs in the Available pane, and move them to the Selected pane using the forward arrow ( ) icon.
5. Click Submit.
|
CSCsm11923
|
In rare instances, the process start all command spans multiple instances of the same process.
|
Use the process start AppServer command. This command is equal to the process start all command.
|
CSCsm50283
|
Following a backup, restore, or backup replication operation, alerts are generated even when the threshold is not reached.
|
Create a trigger before the backup, restore, or the replication event starts in ACS. By so doing, you can ensure that ACS View does not miss the necessary logs.
|
CSCsm64368
|
When you restart the ACS View appliance, the configured users and repositories are not retained.
|
From the CLI, run the write memory command to retain configuration information (such as user and repository) after restoring or reloading data.
|
CSCsm84962
|
When running reports for extensive records, the reports take an extended period of time to launch.
|
Change the query parameter to run report for a lesser dataset.
|
CSCso01574
|
Sometimes, when you run the RADIUS Summary Details report, running the report without changing the query parameters throws an error.
|
Run the report again.
If the problem persists, log out and log in to ACS View. Then, launch the report again.
|
CSCso01580
|
ACS View has been tested with five concurrent users. Depending on the concurrent operations and the system load, you may experience slowness or occasional failures for some operations.
|
Retry the operation.
|
CSCso02072
|
When background color is applied to Reports page, the change applies only to alternate rows. This does not happen to the NAP Summary, Network Client Summary, User Status, Admin Entitlement, and Admin Status reports.
Printing a report in HTML format opens the report output with all the titles center-aligned and font size that is bigger than the original size.
The alignment in the date-wise Authentication Details drill down reports is not proper.
|
Currently, there is no workaround for this behavior.
|
CSCso35019
|
Unable to add a user with the username `Operator' from the GUI and CLI.
|
Add the user with a different username.
|
CSCso38049
|
When you save a report, the Save dialog box does not point to the appropriate folder. By default, it points to the /admin folder.
|
Navigate to the appropriate folder.
|
CSCso44603
|
The alignment graph on CPU and disk-space usage on the System Summary page goes awry when you click the Toggle icon on the the Dashboard.
|
ACS View automatically refreshes the System Summary page every five seconds. Click the Refresh icon to realign the graph.
|
CSCso48676
|
After creating and saving a Public report, the content pane does not return to the page for creating Public reports.
|
Choose Reports & Troubleshooting > Public Reports to refresh the page.
|
CSCso52305
|
Unable to save a system or custom report that has special characters in the filename.
|
Ensure that you do not use special characters in report names.
|
CSCso77497
|
After restoring data across servers, the network is not reachable.
|
After a restore operation, run these commands from the console:
•config interface
•no shutdown
•write memory
You must run the no shutdown command whenever you reboot the ACS View appliance.
|
CSCso82598
|
When trying to run the Authentication Details report from Reports & Troubleshooting > My Reports > Authentication for any specific date range (for example, from x date to y date), the output shows the recent top-10 configuration records for only up to the day preceding to the y date. The report output does not show the records for y date.
|
Launch Admin Audit, Service Monitoring, Replication, and Backup and Restore individually under ACS Administration report to view the recent top-10 configuration records for y date.
|
CSCso85027
|
When you run an Inactivity Summary report from Reports & Troubleshooting > My Reports > Session for today (Inactive days as 1) and for any Report On parameter, ACS View returns data for all users who are inactive on today irrespective of the user is active on yesterday.
|
Run the Authentication Summary report or Authentication Query Report to ensure whether the user is active the previous day.
|
Related Documentation
These guides support this ACS View release:
•Quick Start Guide for Cisco Secure Access Control Server View 4.0.
•User Guide for Cisco Secure Access Control Server View 4.0.
•Installation and Setup Guide for Cisco Secure Access Control Server View 4.0.
Additionally, you can refer to:
•Regulatory Compliance and Safety Information for the Cisco Application Deployment Engine (ADE) 2120 Series Appliance.
•Cisco Application Deployment Engine (ADE) 2120 Series Appliance Hardware Installation Guide.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0804R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Release Notes for Cisco Secure ACS View 4.0
© 2008 Cisco Systems, Inc. All rights reserved.
