Release Notes for the Cisco Secure Access Control System 5.1
Revised: April 26, 2011
OL-18997-01
These release notes pertain to the Cisco Secure Access Control System (ACS), release 5.1, hereafter referred to as ACS 5.1. These release notes provide information on the features, related documentation, resolved issues, and known issues for functionality in this release.
This document contains:
• Installation and Upgrade Notes
• Resolved Issues in Cumulative Patch ACS 5.1.0.44.1
• Resolved Issues in Cumulative Patch ACS 5.1.0.44.2
• Resolved Issues in Cumulative Patch ACS 5.1.0.44.3
• Resolved Issues in Cumulative Patch ACS 5.1.0.44.4
• Resolved Issues in Cumulative Patch ACS 5.1.0.44.5
• Resolved Issues in Cumulative Patch ACS 5.1.0.44.6
• Supplemental License Agreement
• Obtaining Documentation and Submitting a Service Request
Introduction
ACS is a policy-driven access control system and an integration point for network access control and identity management.
The ACS 5.1 software runs either on a dedicated Cisco 1121 Secure Access Control System (CSACS-1121) appliance, or on a VMware server. However, ACS 5.1 continues to support CSACS-1120 appliances that you have used for ACS 5.0 and that you would like to upgrade to ACS 5.1.
This release of ACS provides new and enhanced functionality on a standard Cisco Linux-based appliance.
Throughout this documentation, CSACS-1121 refers to the appliance hardware, and ACS Server refers to the ACS software.
New and Changed Features
This release of ACS provides improved parity with 4.x. The following sections briefly describe the new and changed features in the 5.1 release:
• Support for Additional Protocols
• Administrator Access Feature Enhancements
• Policy Condition Enhancements
• Monitoring and Troubleshooting Enhancements
TACACS+ Enhancements
The TACACS+ enhancements include:
• TACACS+ Change Password—You can now change user passwords over TACACS+ protocol.
• Custom Attributes—You can define additional custom attributes that can be used in authorization responses.
• Custom Services—TACACS+ now supports nonshell services.
Identity Store Enhancements
The identity store enhancements include:
• Support for RSA SecurID servers—ACS can now authenticate users against RSA SecurID servers. You can also manage configuration-related files on the RSA SecurID server.
• Support for RADIUS identity servers—Authentication can be performed against external RADIUS servers using One Time Passwords (OTPs). Apart from authentication, you can use the RADIUS server attributes in policies or authorization profiles or both.
Internal identity store enhancements include support for:
• Enumerated attributes.
• Password expiry.
• Password history—Prevents the users from setting a password that was recently used.
• External web services that allow users to change their passwords in the internal identity stores. This process is known as User Change Password (UCP).
Support for Additional Protocols
ACS 5.1 supports the following additional protocols:
• EAP-FAST with GTC inner method
• PEAP with GTC inner method
• LEAP
• RADIUS/CHAP
• RADIUS/MS-CHAPv1
• RADIUS/MS-CHAPv2
Administrator Access Feature Enhancements
The Administrator Access feature is enhanced to provide additional security. You can now:
• Configure password expiry and disable administrator accounts based on inactivity or failed login attempts.
• Configure a list of IP addresses from which administrators can access your resources.
• Configure a server certificate for HTTPS (web interface).
• Assign new roles that allow administrators to reset passwords, for either internal users or administrators.
Policy Condition Enhancements
The policy condition enhancements include:
• Support for defining network conditions in policies that include a set of endpoints, network devices, network device ports, and device and port combinations. The network conditions provide the same functionality as that of Network Access Restrictions (NARs) in ACS 4.x.
• Support for a default device definition that can be used for new devices that connect through ACS.
Monitoring and Troubleshooting Enhancements
The Monitoring and Report Viewer enhancements include the following:
• Dashboard—An enhanced dashboard that you can customize to suit your needs. The dashboard provides the five most recent alarms, authentication trends, health status of ACS, and your favorite reports. The dashboard tabs now consist of small windows, called portlets, to which you can add your favorite and most frequently accessed monitoring and reporting applications.
• Syslog Event Notification—An option to configure syslog targets for event notification in the form of syslog messages.
• Expert Troubleshooter—A new, powerful diagnostic engine for advanced troubleshooting.
• Additional Catalog Reports—Several new reports have been added to the catalog, including:
  – Administrator Entitlement Report—Provides a list of ACS administrators and the access privileges that each of them is entitled to.
  – TrustSec Reports—ACS 5.1 introduces the following new TrustSec Reports: SGACL Drop Summary, SGT Assignment Summary, Top N SGACL Drops by Destination, Top N SGACL Drops by User, and Top N SGT Assignments.
  – RADIUS Active Sessions Report—Introduces the Change of Authorization (CoA) feature through the RADIUS Active Sessions Report, which allows you to dynamically control active RADIUS sessions.
  – Configuration Change Reports—Provides a list of configuration changes done by ACS administrators, for a specific period.
  – User Change Password Audit Report—Provides a list of all changes made to internal user passwords through any of the interfaces.
  – ACS Administrator Logins Report—This report is enhanced to include information about administrators whose accounts are disabled.
  – ACS Operations Audit Report—Provides a list of operations performed on ACS, either done by administrators or done internally by ACS.
• Exporting the Monitoring and Report Viewer Data—Provides you an option to export the monitoring and troubleshooting data to a remote database that can support external custom reporting applications.
• Incremental Backup and Restore—Provides you an option to perform a full database backup the first time and later, to back up only the updates that are made to the database. However, when you restore data from an incremental backup, ACS restores data from all the backup files starting from the full backup and continuing until the latest one.
• Configuring NADs to Send Syslog Messages—You can configure the network access devices (NADs) in your network to send syslog messages to the Monitoring & Report Viewer. To do this, you must configure the logging port on the NAD to UDP 20514. For example, to enable a NAD in your network to send syslog messages to the Monitoring & Report Viewer, you must enter the following commands in the same sequence on the NAD through the CLI configuration mode:
  – logging monitor informational
  – logging origin-id ip
  – logging host ip transport udp port 20514—where ip is the IP address of the Log Collector in your network.
  – epm logging
The following types of syslog messages are supported by ACS Monitoring and Reports Viewer:
  – AUTHMGR-5-START
  – AUTHMGR-5-SUCCESS
  – AUTHMGR-5-FAIL
  – AUTHMGR-5-SECURITY_VIOLATION
  – AUTHMGR-7-FAILOVER
  – AUTHMGR-7-NOMOREMETHODS
  – AUTHMGR-7-RESULT
  – DOT1X-5-SUCCESS
  – DOT1X-5-FAIL
  – MAB-5-SUCCESS
  – MAB-5-FAIL
  – RADIUS-4-RADIUS_DEAD
  – RADIUS-4-RADIUS_ALIVE
  – EPM-6-POLICY_APP_SUCCESS
  – EPM-4-POLICY_APP_FAILURE
  – AUTHMGR-SP-5-VLANASSIGN
  – AUTHMGR-5-VLANASSIGN
  – DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND
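One way to check a NAD against the commands and message types listed above, as an added Python example that is not Cisco code. The function names audit_nad_config and triage_syslog are hypothetical, the 192.0.2.x addresses, sample configurations and syslog lines are constructed, and `logging origin-id ip` is assumed to be entered literally.

```python
import re

# Message types the release notes list as supported by the Monitoring and Report Viewer.
SUPPORTED_TYPES = {
    "AUTHMGR-5-START", "AUTHMGR-5-SUCCESS", "AUTHMGR-5-FAIL",
    "AUTHMGR-5-SECURITY_VIOLATION", "AUTHMGR-7-FAILOVER",
    "AUTHMGR-7-NOMOREMETHODS", "AUTHMGR-7-RESULT",
    "DOT1X-5-SUCCESS", "DOT1X-5-FAIL", "MAB-5-SUCCESS", "MAB-5-FAIL",
    "RADIUS-4-RADIUS_DEAD", "RADIUS-4-RADIUS_ALIVE",
    "EPM-6-POLICY_APP_SUCCESS", "EPM-4-POLICY_APP_FAILURE",
    "AUTHMGR-SP-5-VLANASSIGN", "AUTHMGR-5-VLANASSIGN",
    "DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND",
}
VIEWER_PORT = 20514  # UDP port the notes require for the logging host

_HOST = re.compile(r"^logging host (\S+)(?: transport (\S+) port (\d+))?$")
_MSG_TYPE = re.compile(r"%([A-Z0-9_]+(?:-[A-Z0-9_]+)+):")


def audit_nad_config(config_text, collector_ip):
    """Return a list of findings; an empty list means the snippet matches the notes."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings, order = [], []

    def first_index(predicate):
        return next((i for i, ln in enumerate(lines) if predicate(ln)), None)

    def host_ok(ln):
        m = _HOST.match(ln)
        return bool(m) and m.group(1) == collector_ip

    # The four commands, in the sequence the notes say they must be entered.
    steps = [
        ("logging monitor informational", lambda ln: ln == "logging monitor informational"),
        ("logging origin-id ip", lambda ln: ln == "logging origin-id ip"),
        (f"logging host {collector_ip} ...", host_ok),
        ("epm logging", lambda ln: ln == "epm logging"),
    ]
    for label, predicate in steps:
        idx = first_index(predicate)
        if idx is None:
            findings.append(f"missing: {label}")
        else:
            order.append(idx)
    if order != sorted(order):
        findings.append("order: commands are not in the sequence the notes give")

    # A logging host line without "transport udp port 20514" uses device defaults.
    host_idx = first_index(host_ok)
    if host_idx is not None:
        _, transport, port = _HOST.match(lines[host_idx]).groups()
        if transport != "udp" or port != str(VIEWER_PORT):
            findings.append(
                f"transport: collector line uses {transport or 'default'}/"
                f"{port or 'default'}, notes require udp/{VIEWER_PORT}")
    return findings


def triage_syslog(lines):
    """Split received lines into supported types, other types, and unparsed lines."""
    result = {"supported": [], "other": [], "unparsed": []}
    for ln in lines:
        m = _MSG_TYPE.search(ln)
        if not m:
            result["unparsed"].append(ln)
        elif m.group(1) in SUPPORTED_TYPES:
            result["supported"].append(m.group(1))
        else:
            result["other"].append(m.group(1))
    return result


# Constructed sample inputs (not taken from a real device).
GOOD_CONFIG = """\
logging monitor informational
logging origin-id ip
logging host 192.0.2.10 transport udp port 20514
epm logging
"""
BAD_CONFIG = """\
epm logging
logging monitor informational
logging host 192.0.2.10
"""
SAMPLE_LINES = [
    "<189>101: 192.0.2.20: %AUTHMGR-5-START: Starting 'dot1x' for client (0000.5e00.5301) on Interface Gi0/1",
    "<189>102: 192.0.2.20: %AUTHMGR-SP-5-VLANASSIGN: VLAN 20 assigned to Interface Gi0/1",
    "<189>103: 192.0.2.20: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down",
    "<189>104: 192.0.2.20: %DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent VLAN 99",
    "garbage without a message type",
]

if __name__ == "__main__":
    print(audit_nad_config(GOOD_CONFIG, "192.0.2.10"))
    print(audit_nad_config(BAD_CONFIG, "192.0.2.10"))
    print(triage_syslog(SAMPLE_LINES))
```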
Other Feature Enhancements
Other miscellaneous feature enhancements include:
• EAP-TLS—Supports comparison against certificates retrieved from Microsoft Active Directory (AD).
• RADIUS Vendor Specific Attributes (VSAs)—Supports configuration of additional RADIUS VSAs.
• Browser—Supports Mozilla Firefox 3.
• Backup—Supports backup operations from the ACS web interface. You can either schedule the backup or create an immediate request for a backup.
• Import and Export—Supports a new scripting interface that allows you to perform Create, Read, Update, and Delete (CRUD) operations on ACS objects.
• Web Services—Supports a new web services interface that allows you to:
  – Create web-based applications using the Python Script downloaded from the ACS web interface to allow users in your organization to change their passwords.
    Note: You can deploy the sample UCP.war script on any Java servlet container, such as Tomcat or JBoss.
    Note: The Cisco Technical Assistance Center (TAC) supports only the default Python Script for UCP web services. TAC does not offer any support for modified scripts.
  – Create custom scripts using the Monitoring and Report Viewer APIs that help you troubleshoot authentication problems in ACS.
Features Not Supported
The following features are not supported in ACS 5.1:
• Integration with SQL DB via ODBC, for external authentication and identity information.
• TACACS+ Proxy.
• Application access control for CiscoWorks applications.
• Network access restriction to users whose Windows accounts have Windows dial-in permission.
• IP Pools Server feature.
• Support for defining the maximum number of simultaneous sessions for a user or user group.
• LM hash is not supported for CHAP/MS-CHAP authentications.
• Expiry of any user (admin or internal) after a certain number of days is not supported.
Installation and Upgrade Notes
This section provides information on the installation tasks and configuration process for ACS 5.1. This section contains:
Installing the CSACS 1121
This section describes how to install the CSACS 1121 Series appliance. The CSACS 1121 Series appliance comes preinstalled with the software.
To set up and configure the CSACS 1121:
Step 1  Open the box containing the CSACS 1121 Series appliance and verify that it includes:
• The CSACS 1121 Series appliance
• Power cord
• Rack-mount kit
• Cisco Information Packet
• Warranty card
• Regulatory Compliance and Safety Information for the Cisco 1121 Secure Access Control System 5.1
Step 2  Go through the specifications of the CSACS 1121 Series appliance. For more details, refer to the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.1.
Step 3  Read the general precautions and safety instructions that you must follow before installing the CSACS 1121 Series appliance. For more details, refer to the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.1 and pay special attention to all the safety warnings.
Step 4  Install the appliance in the 4-post rack, and complete the rest of the hardware installation. For more details on installing the CSACS 1121 Series appliance, refer to the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.1.
Step 5  Connect the CSACS 1121 Series appliance to the network and connect either a USB keyboard and Video Graphics Array (VGA) monitor or a serial console to the serial port. Figure 1 shows the back panel of the CSACS 1121 Series appliance and the various cable connectors.
Note: For the initial setup, you must have either a USB keyboard and VGA monitor or a serial console running terminal-emulation software.
For more details, refer to the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.1.
For information on installing ACS 5.1 on VMware, refer to the Installing ACS in a VMware Virtual Machine chapter in the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.1.
Figure 1 CSACS 1121 Series Appliance Rear View
The following table describes the callouts in Figure 1.
1  AC power receptacle
2  (Blocked) Gigabit Ethernet
3  Serial connector
4  Video connector
5  (Blocked) Gigabit Ethernet 1
6  (In Use) Gigabit Ethernet 0
7  USB 3 connector
8  USB 4 connector
Step 6  After completing the hardware installation, power up the appliance.
The first time you power up the appliance, you must run the setup program to configure the appliance. For more information, see Running the Setup Program.
Running the Setup Program
This section describes the setup process that configures the ACS Server.
The setup program launches an interactive CLI that prompts you for the required parameters. An administrator can use the console or a dumb terminal to configure the initial network settings and provide the initial administrator credentials for the ACS 5.1 server using the setup program. The setup process is a one-time configuration task.
To configure the ACS Server:
Step 1  Power up the appliance.
The setup prompt appears:
Please type `setup' to configure the appliance
localhost login:
Step 2  At the login prompt, enter setup and press Enter.
The console displays a set of parameters. You must enter the parameters as described in Table 1.
Note: You can interrupt the setup process at any time by typing Ctrl-C before the last setup value is entered.
After you enter the parameters, the console displays:
localhost login: setup
Enter hostname[]: acs-server-1
Enter IP address[]: 209.165.200.225
Enter IP default netmask[]: 255.255.255.0
Enter IP default gateway[]: 209.165.200.1
Enter default DNS domain[]: mycompany.com
Enter Primary nameserver[]: 209.165.200.254
Add/Edit another nameserver? Y/N : n
Enter username [admin]: admin
Enter password:
Enter password again:
Pinging the gateway...
Pinging the primary nameserver...
Do not use `Ctrl-C' from this point on...
Appliance is configured
Installing applications...
Installing acs...
Generating configuration...
Rebooting...
After the ACS server is installed, the system reboots automatically. Now, you can log in to ACS with the CLI username and password that were configured during the setup process.
Note: You can use this username and password to log in to ACS via the CLI only. To log in to the GUI, you must use the predefined username ACSAdmin and password default. When you access the GUI for the first time, you will be prompted to change the predefined password for the administrator. You can also define access privileges for other administrators who will access the GUI application.
Licensing in ACS 5.1
To operate ACS, you must install a valid license. ACS prompts you to install a valid license when you first access the web interface.
Note: Each ACS instance (primary or secondary) in a distributed deployment requires a unique base license.
This section contains:
• Auto-Installation of Evaluation License
Types of Licenses
Table 2 lists the types of licenses available in ACS 5.1.
Auto-Installation of Evaluation License
If you are using a virtual machine (VM) for ACS with disk space between 60 GB and 512 GB, ACS automatically installs the evaluation license. However, you can also get the evaluation license and install it manually on the ACS server.
Note: If you use an ACS server with less than 500 GB hard disk space, Cisco does not provide support for scalability, performance, and disk space-related issues.
For more information on installing ACS 5.1 on VMware, refer to the Installing ACS in a VMware Virtual Machine chapter in the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.1.
Upgrading to ACS 5.1
Warning: You might lose syslog records during the upgrade process. To maintain the monitoring and troubleshooting data integrity after upgrade, we recommend that you back up the database before you click the Switch Database button. For more information, see CSCtd10767 listed under the Known ACS Issues.
If you have a large database and would like to reduce the upgrade time, see CSCtc12382 listed under the Resolved Issues in Cumulative Patch ACS 5.1.0.44.2.
For step-by-step instructions on how to upgrade from ACS 5.0 to ACS 5.1, refer to the Upgrading the Cisco Secure Access Control System section of the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.1.
Applying Upgrade Patches
You can download ACS 5.1 cumulative patches from the following location: http://www.cisco.com/public/sw-center/index.shtml
To download and apply the patches:
Step 1  Log in to Cisco.com and navigate to Network Management > Security and Identity Management > Cisco Secure Access Control Server Products > Cisco Secure Access Control System > Cisco Secure Access Control System 5.1.
Step 2  Download the patch.
Step 3  Install the ACS 5.1 cumulative patch:
Issue the following acs patch command in the EXEC mode to install the ACS patch:
acs patch install patch-name.tar.gpg repository repository-name
ACS displays the following confirmation message:
Installing an ACS patch requires a restart of ACS services.
Would you like to continue? yes/no
Step 4  Enter yes.
Known Client Issues
This section lists some of the known issues with the Cisco Secure Services Client (CSSC).
Table 3 lists the client issues that might impact your ACS 5.1 experience.
Resolved ACS Issues
This section lists the issues that are resolved in the ACS 5.1 release.
Table 4 lists the resolved issues in ACS 5.1.
Resolved Issues in Cumulative Patch ACS 5.1.0.44.1
Table 5 lists the issues that are resolved in the ACS 5.1.0.44.1 cumulative patch.
You can download the ACS 5.1.0.44.1 cumulative patch from the following location:
http://www.cisco.com/public/sw-center/index.shtml
Refer to the "Applying Upgrade Patches" section for instructions on how to apply the patch to your system.
Resolved Issues in Cumulative Patch ACS 5.1.0.44.2
Table 6 lists the issues that are resolved in the ACS 5.1.0.44.2 cumulative patch.
You can download the ACS 5.1.0.44.2 cumulative patch from the following location:
http://www.cisco.com/public/sw-center/index.shtml
Refer to the "Applying Upgrade Patches" section for instructions on how to apply the patch to your system.
Resolved Issues in Cumulative Patch ACS 5.1.0.44.3
Table 7 lists the issues that are resolved in the ACS 5.1.0.44.3 cumulative patch.
You can download the ACS 5.1.0.44.3 cumulative patch from the following location:
http://www.cisco.com/public/sw-center/index.shtml
Refer to the "Applying Upgrade Patches" section for instructions on how to apply the patch to your system.
Resolved Issues in Cumulative Patch ACS 5.1.0.44.4
Table 8 lists the issues that are resolved in the ACS 5.1.0.44.4 cumulative patch.
You can download the ACS 5.1.0.44.4 cumulative patch from the following location:
http://www.cisco.com/public/sw-center/index.shtml
Refer to the "Applying Upgrade Patches" section for instructions on how to apply the patch to your system.
Resolved Issues in Cumulative Patch ACS 5.1.0.44.5
Table 9 lists the issues that are resolved in the ACS 5.1.0.44.5 cumulative patch.
You can download the ACS 5.1.0.44.5 cumulative patch from the following location:
http://www.cisco.com/public/sw-center/index.shtml
Refer to the "Applying Upgrade Patches" section for instructions on how to apply the patch to your system.
Resolved Issues in Cumulative Patch ACS 5.1.0.44.6
Table 10 lists the issues that are resolved in the ACS 5.1.0.44.6 cumulative patch.
You can download the ACS 5.1.0.44.6 cumulative patch from the following location:
http://www.cisco.com/public/sw-center/index.shtml
Refer to the "Applying Upgrade Patches" section for instructions on how to apply the patch to your system.
Known ACS Issues
This section lists the known issues for the ACS 5.1 release.
Table 11 lists the known issues in ACS 5.1. You can also use the Bug Toolkit on Cisco.com to find any open bugs that do not appear here.
Table 11 Known Issues in ACS 5.1
Bug ID    Description
CSCsi71974
When you click the Device Type option in the web interface, ACS displays an HTTP 404 error and a Tomcat error is printed to catalina.out.
Symptom: In catalina.out (the Tomcat log file), an HTTP 404 error sometimes appears while you are looking for a web resource such as images.
Conditions: This occurs when you navigate to the Device Type option in the ACS web interface.
Workaround: None.
CSCsl17897
The Service Selection Rules window may not display the Name column in the Rule-based result selection table.
Symptom: In the Rule-based result selection table of the Access Policies menu, the horizontal scrolling of the table might cause the Name column to not be visible.
Conditions: This may occur when you have a small screen with many conditions and result columns defined.
Workaround: Perform any of the following:
• Increase the resolution of the screen
• Collapse the left navigation panel
• Organize the Rule-based result selection table to have fewer columns
CSCsm00425
ACS does not allow you to create an authorization profile with a maximum value greater than 2147483647 for the unsigned integers.
Symptom: An ACS 5.x administrator cannot create an authorization profile with a maximum value for the unsigned integers.
Conditions: This bug applies to all software releases of 5.x until ACS 5.1.
Workaround: Define maximum values in the range of 0 to 2147483647.
CSCso49849
Long-string attribute names and values are not displayed in the Network Access Profiles and RADIUS attribute pages.
Symptom: For authorization profiles, long-string attribute names and values are not displayed in their entirety.
Conditions: Authorization profiles allow values to be defined for selected RADIUS attributes to be sent in an ACCEPT response. If the value is a string with more than 50 characters, only the start of the string is displayed in the web interface, and the full string is sent in the response. Similarly, for long-string attribute names, the value gets truncated in the web interface.
Workaround: From the attribute list, select a definition that contains the long value and click Edit. The value for this entry is displayed in a text box. You can scroll within the text box to view the attribute name or value.
CSCsq93350
The DenyAccess and PermitAccess options can be enabled simultaneously.
Symptom: In addition to the DenyAccess profile, if you select authorization profiles as results, they are ignored.
Conditions: From the results of the Network Access Profiles, you can select multiple authorization profiles to determine the RADIUS attributes that are to be present in an ACCEPT response. If you simultaneously select the reserved profile DenyAccess, the contents of the other profiles are ignored.
Workaround: To deny access in an authorization, select only the DenyAccess profile.
CSCsr24674
Exporting a report to PDF generates formatting issues.
Symptom: When you click Print to export a report to PDF, you see some formatting issues that include the following:
• The page length and width of the PDF report do not match the report as viewed in the browser.
• The report parameters do not appear in the PDF report.
Conditions: Printing a report in PDF format causes some formatting issues.
Workaround: Select HTML as the export option, instead of PDF.
CSCsr74090
ADE-OS password recovery returns a 64-bit address space error.
Symptom: When you perform a password recovery using the DVD and type option 3 or 4, the following error appears:
PCI: Unable to handle 64-bit address space.
But the password recovery operation succeeds.
Conditions: This error occurs when you use the DVD for password recovery.
Workaround: None.
CSCsr81297
Catalina.out logs CSACS-1120-related errors when you select the Active Directory option.
Symptom: When you select the Active Directory option, a tail -f is used in the catalina.out log file that causes a large number of errors.
Conditions: The errors occur when you select Users and Identity Stores > External Identity Stores > Active Directory.
Workaround: None.
CSCsr83584
Two simultaneous promotions are permitted while the current primary server is down.
Symptom: Two secondary instances can be promoted to be a primary server.
Conditions: This occurs only when the current primary is offline and you try simultaneously to promote two secondary instances to be a primary. When the current primary server is online, it acts as an arbitrator and prevents two secondaries from being promoted at the same time. But when it is offline, this problem can occur.
Workaround: Avoid promotion of two secondary instances simultaneously. However, if this problem occurs, you can use the Hardware Replacement to connect the extra primary and any secondary instances to the other primary that was promoted.
CSCsr94065
Log messages cannot be viewed for monitored rules.
Symptom: Cannot view the log messages for monitored rules.
Conditions: Monitor rule logs are not generated even if the monitor-only option is selected.
Workaround: Set the log severity to INFO in the policy diagnostics scope.
CSCsu49059
Cannot stop support bundle processing by using Ctrl-C from the CLI.
Symptom: If you press Ctrl-C when using the CLI to run the acs support command, it may not stop the CLI operation. You must wait until the acs support command completes before you run any other commands, such as acs backup or acs restore.
Conditions: From the CLI, press Ctrl-C when running the acs support command.
Workaround: None. This is an intermittent issue that might not occur every time.
CSCsu69983
Restoring a configuration disconnects deployment and causes replication.
Symptom: After restoring a backup database to a primary database, the deployment is disconnected.
Conditions: When a backup database is restored, the database no longer contains the correct deployment information for the secondary instance that belonged to the previous database. To avoid sending replication updates to the wrong secondary instances, the underlying replication communication system is changed so that only reconnected or newly registered secondaries will receive replication updates.
Workaround: After a database restore, you must perform a hardware replacement for each secondary instance to reconnect to the primary instance.
CSCsv32027
Import progress popup issues with Internet Explorer 6.0.
Symptom: When you import using the Internet Explorer browser, you might see the import monitor popup in a flash window.
Conditions: Using Internet Explorer browser for import.
Workaround: None. This is just a cosmetic issue. However, if the progress popup does not appear, you can bring it to the front manually.
CSCsv39142
An active administrator SSH session closes when a malformed SSH loads.
Symptom: During a heavy load in the SSH interface, a working SSH session might be closed.
Conditions: This happens when there is a heavy load on ACS SSH ports. The applicable ACS versions are ACS 5.x, including 5.1.
Workaround: Block SSH load through other Cisco products or solutions (for instance, Cisco MARS) and then create a new SSH session.
CSCsv45016
An error is generated when special characters are used in report parameters.
Symptom: When specifying report parameters, if you enter special characters in one or more of the parameters, the report is not generated and an error message appears.
Conditions: When specifying special characters such as `~!@#$%^&*()/\{}[];:"' in one or more of the report parameters.
Workaround: None.
CSCsv55503
AD client DEBUG logs change back to INFO after AD rejoin.
Symptom: AD client DEBUG logs change back to INFO after AD rejoin.
Conditions: ACS AD client logs are enabled in DEBUG level [debug-adclient enable], then AD agent rejoins the AD domain (adleave & adjoin). AD agent logs are no longer in DEBUG.
Workaround: Log levels are defined in the /etc/syslog.conf file and default to:
user.debug -/opt/CSCOacs/logs/ACSADAgent.log
Perform the following steps:
1. To open full debug logs, modify the above line to the following:
*.debug -/opt/CSCOacs/logs/ACSADAgent.log
2. Start the syslog daemon: sudo pkill -1 syslogd
3. Start ACS.
4. Issue the following command in CLI:
$/opt/CSCOacs/runtime/adagent/bin/ACS_AD_Runner.sh addebug on
CSCsv65225
The health summary for the secondary ACS instance is not updated.
Symptom: In the health summary of a secondary ACS instance, the process status shows as running even if it is not running. When a process is down, it takes 10 minutes for the report to indicate the process status.
Conditions: This issue occurs when viewing the health summary of the ACS instance.
Workaround: None.
CSCsv65444
Monitoring and Report Viewer log section contains incorrect steps on Advance option.
Symptom: The Monitoring and Report Viewer log section says that ACS continues with Advance options even after the Reject or Drop options are selected. These steps are not correct.
Conditions: Configuring ACS by navigating through Access-services > Identity > Advance option to drop or reject the three drop-down options.
Workaround: None.
CSCsv88662
Reports are not displayed in ACS Monitoring and Reports.
Symptom: When the ACS Monitoring and Reports application is launched, the reports are not displayed in the reports catalog or in the default favorite reports.
Conditions: This issue occurs if the administrator name contains special characters such as !@#$%^&*()\/"'[]{}.
Workaround: Do not use special characters in administrator names.
CSCsv97503
Monitoring and Report Viewer does not change severity for log view based on ACSconfig.
Symptom: When configuring AAA diagnostic logs for a severity level that is different from the default level (WARN), the Monitoring and Report Viewer does not show these logs.
Conditions: Configuring ACS from System Administration and viewing the logs in the Monitoring and Report Viewer by navigating to Reports > Catalog > AAA Protocol.
Workaround: To avoid this issue, perform either of the following procedures:
Procedure 1:
1. Click the radio button next to the report that you need.
2. Click Run and then choose the option Query and Run.
3. From the Run Report window, choose the severity level.
4. Click Run.
Procedure 2:
1. Click the radio button next to the report that you need.
2. Click Add To Favorite.
3. Specify a name for the report.
4. From the drop-down list, choose the desired severity level.
5. Click Add To Favorite.
6. Navigate to Reports > Favorites to view the report.
CSCsw79961
Some records are missing when simultaneously inserting the records from multiple users.
Symptom: When multiple users simultaneously perform a lot of configurations, a small number of objects that are to be added to the ACS configuration are not added.
Conditions: This issue occurs when all of the following are done:
• Users are using the automated stress tool.
• Ten administrators simultaneously perform a lot of configuration activities.
• Some of the administrators add network devices, MABs, and internal users.
• Other users view pages or log in to and log out of ACS.
Workaround: To avoid this issue:
• Do not use automated tools via the web interface.
• Perform all configurations manually.
CSCsw79994
If Auto Activation is disabled, the secondary server displays incorrect deployment status.
Symptom: When Auto Activation is disabled:
• A registered secondary server becomes inactive.
• The secondary server contains an odd state when it is viewed from the web interface of the secondary server.
Conditions: When Auto Activation is disabled, a registered secondary becomes inactive and stops receiving Full Replication updates from the primary server. The web interface of the secondary displays the deployment state of the secondary as it was before the registration. Once the secondary is active, this state is replaced with the configuration from the primary.
Workaround: From the web interface of the primary, activate the secondary to update it with the deployment configuration.
CSCsw82472
EAP timeout message is not printed to the local store.
Symptom: Sometimes an EAP timeout log message is not written in the local store.
Conditions: This happens when a timeout occurs for EAP conversations.
Workaround: You can view the EAP timeout messages in the Monitoring and Reports Viewer.
CSCsx06721
ACS web interface does not recognize that the internal database is down.
Symptom: When the database is shut down and does not go up automatically, the web interface displays a general error message, but does not state that the database is down.
Conditions: This occurs when the ACS database process is shut down explicitly through the CLI or killed by the OS.
Workaround: Issue show application status acs in the ACS CLI to verify if the status is "not monitored" or "failed." If it is either, restart the ACS server.
CSCsz30605
Submitting a NAR without filling in a name causes display problems on Internet Explorer 7.0.
Symptom: The End Station Filters tabs overlap with the text fields.
Conditions: This occurs when you perform the following steps:
1.
Invoke ACS using the Internet Explorer 7.0.
2.
Select Policy Elements > ... > Session Conditions > Network Conditions > End Station Filters.
3.
Create a filter with a valid IP.
4.
Leave the Name field blank and click Submit.
Workaround: Be sure to fill in the Name field before you click Submit.
CSCsz38686
A NAR end station exception is displayed.
Symptom: The End Station Filters page gets stuck.
Conditions: This occurs when you enter a string with special characters such as ~!@#$%^&*()_+| in the End Station Filters page.
Workaround: Do not use special characters.
CSCsz45821
Ampersand in network device group (NDG) selection breaks the policy property page.
Symptom: NDG selection in the rule table editor appears empty.
Conditions: This occurs when you perform the following steps:
1.
Create an NDG with an ampersand (&) in the name.
2.
Go to policy identity, and customize it to contain that NDG.
3.
Create a new rule, check the NDG check box, and click Select.
Workaround: Do not use the ampersand when creating NDGs.
CSCsz63336
When the local ACS Bind CA Signed Certificate tries to use the same user-friendly name as an existing one for the local certificate, the web interface displays misleading error messages.
Symptom: The errors may appear when binding a certificate with a name that already exists.
Conditions: This occurs when you configure a certificate with the same name in ACS.
Workaround: None. However, it is impossible to insert two certificates with the same name.
CSCsz77025
An NDG with an ampersand (&) trims the log in the ACS local store.
Symptom: When a username attribute contains the ampersand, the log message is truncated.
Conditions: This error occurs when a logged attribute contains an ampersand.
Workaround: None.
CSCsz77412
HTTP 500 and an exception appears when accessing a deleted access service from another browser.
Symptom: A null pointer exception appears when you select an access service from the navigation bar.
Conditions: This error occurs when you access the same access service through two browser windows, delete the access service in one of the windows, try to access the Identity and Authorization submenus, and return to the main access service from the navigation bar on the other window.
Workaround: Do not use two browsers to work with the ACS application. If this error happens, you must collapse the Access Policies drawer and then expand it to reload the navigation bar.
CSCsz81061
Out-of-band provisioning does not support identity names in UTF-8 format.
Symptom: The Protected Access Credential (PAC) name that is generated in the Save As dialog box is not presented well when you use non-English fonts.
Conditions: Under System Administration > Configuration > Global System Options > EAP-FAST > Generate PAC, in the Identity field, fill in an identity in a non-English font. When you click Generate PAC, a Save As dialog box appears, prompting you to save the file. Junk characters appear in the filename.
Workaround: Do either of the following:
•
For identity attributes, use only English fonts.
•
If you use non-English fonts, change the filename manually in the Save As dialog box.
CSCta10658
CLI commands that require a restart do not have an audit log in the Monitoring and Report Viewer.
Symptom: CLI commands that require ACS restart do not have an audit log in Monitoring and Report Viewer.
Conditions: This error occurs when you issue CLI commands, such as IP address changes that require ACS to be restarted. The audit message does not appear in the Monitoring and Report Viewer because the Monitoring and Report Viewer Collector goes down when ACS restarts.
Workaround: None.
CSCta12956
When you change the ACS hostname, the server certificate still has the old hostname.
Symptom: After you change the ACS hostname through the CLI, the hostname in the server certificate (management interface certificate) is not changed and the server certificate might block access to the ACS web interface.
Conditions: This issue occurs when you change the ACS hostname.
Workaround: Do either of the following:
•
When you access the ACS web interface, accept the certificate exception and log in with the old certificate. When you log in, ACS resolves this issue by creating a new self-signed certificate or importing a certificate and associating it with the management interface.
•
Use the reset-management-interface-certificate command to remove the association between the old certificate and the management interface and create a new self-signed certificate and associate it to ACS. You can then log in to ACS and configure a permanent-signed certificate from the ACS web interface, from the local certificate administration page.
CSCta25997
User is not logged out after session timeout.
Symptom: Super Admin User is not logged out after session timeout.
Conditions: After logging in as a super admin user, configure the session timeout to n minutes. Launch the Monitoring and Report Viewer and wait for n minutes. After n minutes, the Monitoring and Report Viewer returns an error, but is functional. The My Account page in ACS is also active.
Workaround: None.
CSCta30608
Even though the ACS upgrade fails, the ACS CLI displays the following success message:
Application upgrade successful
Symptom: ACS services do not get started for many hours after the ACS upgrade.
Conditions: This occurs when the ACS database is in an unstable condition during the upgrade.
Workaround: If the ACS services have not started a couple of hours after the upgrade is complete, check the /opt/CSCOacs/logs/acsupgrade.log to verify that the application upgrade was successful.
CSCta33184
UTF-8 is not supported in the acs-config mode.
Symptom: UTF-8 characters are not supported in acs-config mode.
Conditions: When the administrator's username or password consists of UTF-8 characters and this administrator moves into the acs-config mode in the CLI, the authentication fails.
Workaround: Define an administrator username and password with no UTF-8 characters and use that to log in to acs-config mode in the CLI.
CSCta35416
Custom - Does not support UTF-8 characters.
Symptom: When you open the NDG selector from the Rule Edit dialog box, no entries are found even though several entries are defined.
Conditions: Define several NDGs with non-English names and go to the rule table. Ensure that the condition type of the relevant NDG is configured to be displayed, and click the Create, Edit or Duplicate button. Check the check box of the relevant NDG condition, and click the select button next to it. An empty selector appears even though there are several entries defined.
Workaround: Use English names for the NDGs.
CSCta35585
During ADE-OS installation, can enter shell as root user (console only, not SSH).
Symptom: It is possible to enter the ACS appliance's root shell from the console.
Conditions: After you install ADE-OS from the console, pressing Ctrl+Alt+F2 allows you to enter the shell as a root user.
Workaround: None.
CSCta35595
Whenever ADE-OS is rebooted, the appliance is stuck on conntrack version.
Symptom: While rebooting, ACS suspends operations for four to five minutes.
Conditions: This error occurs when your ACS appliance is configured to run the log collector, and you have not defined the Domain Name System (DNS) or you have configured an incorrect DNS.
Workaround: None.
CSCta49062
HTTP is nonresponsive when ACS starts.
Symptom: When ACS starts up, the show application status acs command might display the management running (HTTP nonresponsive) status.
Conditions: This issue occurs when you start ACS. It also happens when you enter the acs start command and follow it up with the show application status acs command.
Workaround: Wait for ACS to start completely and then re-enter this command.
CSCta58436
After CLI replication, the user is logged out of the acs-config mode.
Symptom: When you use replication full sync from a secondary node in a distributed deployment, the acs-config session is closed with an error message.
Conditions: No special conditions.
Workaround: Wait for ACS to restart. You can use the show application status acs command. After ACS restarts, recreate the acs-config session.
CSCta62697
No prevention or warning message appears when you choose the backup or restore option while an upgrade is in progress.
Symptom: No prevention or warning message appears when you choose the backup or restore option while an upgrade is in progress.
Conditions: This issue occurs when you choose to back up or restore while an upgrade is in progress. This can cause the database to be corrupted.
Workaround: Do not begin a backup or restore operation while an upgrade is in progress.
CSCta68251
EGRESS Matrix Scalability— The Edit window is empty when there are 3000 Security Group Access Control Lists (SGACLs).
Symptom: Server error appears when you select the Egress Matrix page.
Conditions: Define 3000 security groups (SGs), where each SG holds 1000 SGACLs, and then open the matrix table (TrustSec).
Workaround: Define fewer SGs and SGACLs, or consider rearranging the structure of the SGs into various groups and SGACLs together.
CSCta75080
Microsoft Challenge Handshake Authentication Protocol (MSCHAP) authentication with UTF-8 SAM and NETBIOS does not work.
Symptom: MSCHAP authentication fails against AD when non-English characters are used in usernames.
Conditions: This error occurs when you attempt PEAP/EAP-MSCHAP or RADIUS/MSCHAP authentication against AD, and non-English characters are present in the username, and the username is in the SAM or NETBIOS format.
Workaround: You must perform authentication with the username in the UPN format.
CSCta84904
Authorization policy becomes deformed when the NDG has an ampersand (&) in its name or description.
Symptom: When you access the policy rule table, the page displays a deformed table and the customize button does not display any columns.
Conditions: This error occurs when you define an access service for an NDG with ampersand in its name or description. The access authorization policy in the defined access service is deformed (the create button is dimmed, the custom dialog box does not have any configuration, and so on).
Workaround: Do not configure an NDG with an ampersand in its name or description.
CSCta95615
The ACS web interface accepts creating an LDAP without entering all the mandatory fields.
Symptom: You can click Submit on the LDAP wizard without filling in all the mandatory fields.
Conditions: Choose Users and Identity Stores > External Identity Stores > LDAP. Click Create. Enter a valid name and click Next. Enter a valid hostname, IP address, and port and click Next. In the Directory Organization page, do not enter any values in the mandatory fields (Directory Structure, Subject Search Base, and Group Search Base). Click Finish.
Workaround: Fill in the Directory Structure, Subject Search Base, and Group Search Base fields.
CSCtb00427
EAP-MSCHAP or EAP-TLS host authentication fails with AD multiple forest environment.
Symptom: EAP-MSCHAP or EAP-TLS host authentication fails in a Microsoft AD multiple forest environment.
Conditions: When you attempt a PEAP/EAP-MSCHAP or EAP-FAST/EAP-MSCHAP or EAP-TLS host authentication against a Microsoft AD multiple forest environment, the host performs authentication with its service principal name (DNS). The host's DNS name is not aligned with the AD domain structure.
For example, a host with DNS name myhost.domainA.com is defined on the domainB.com Active Directory DC.
Workaround: Perform authentication with the host's NETBIOS name (for example, domainB\myhost$).
CSCtb00431
EAP-GTC with SPN in multiple forest does not work.
Symptom: EAP-GTC host authentication fails in a Microsoft AD multiple forest environment.
Conditions: When you attempt a PEAP/EAP-GTC or EAP-FAST/EAP-GTC host authentication against a Microsoft AD multiple forest environment, the host performs authentication with its service principal name (DNS name).
Workaround: Perform authentication with the host's NETBIOS name (for example, domain\hostname$).
CSCtb03182
ACS Monitoring and Report Viewer could take several minutes to run the ACS Instance Authentication Summary report, depending on the number of records in the database.
CSCtb05977
GUI framework—Broken listing page found when using the html tags.
Symptom: Listing pages are sometimes broken and have misaligned elements and fields.
Conditions: Go to any listing page. Click Create. Enter the required information. Click Submit. The listing page that appears is sometimes broken.
Workaround: None.
CSCtb18905
Logs are not complete if an administrator with a username that contains an ampersand (&) is edited.
Symptom: In the Monitoring and Reports Viewer, under Reports > Catalog > ACS Instance > ACS Configuration Audit, some fields, such as Administrator, Object Identifier, IP address, Modifications, and so on are empty.
Conditions: This issue occurs if the Administrator username contains an ampersand.
Workaround: Do not define a username with an ampersand.
CSCtb20586
A success message appears for acs backup and acs support CLI commands that have failed.
Symptom: Success message appears for acs backup and acs support commands that have failed. The command output includes both failure and success messages.
Conditions: No write permission is defined on a remote repository.
Workaround: Use a different repository or ensure that write permission is defined on the given repository.
CSCtb40466
There is no indication if two users try to change the password of an account at the same time.
Symptom: No error message appears when change password upon login fails.
Conditions: This error occurs when you access ACS from two browsers, and the administrator changes the password in one of the browsers and tries to log into the other browser with the old password.
Workaround: Work with a single browser per administrator login.
CSCtb49667
GUI page freezes after repeated errors.
Symptom: The Create or Edit Shell Profiles page under Policy Elements > Authorization and Permissions > Device Administration suspends operation.
Conditions: Go to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles and then click Create, or select a shell profile and click Edit. In the Common Tasks tab, for the Access Control List, choose Static and do not provide a value. Click Submit. An error similar to the following appears:
Value is required.
Select the Not in Use option for the Access Control List and then Static again. Click Submit. The page becomes inactive. You cannot move between the tabs or click Submit or Cancel.
Workaround: Enter the value in the Common Tasks tab before you click Submit.
CSCtb54190
ACS allows you to generate a self-signed certificate with XSS.
Symptom: The Local Certificates table is broken.
Conditions: XSS happens in the Certificate Authority page, and in a certificate where the subject is of the format <script>alert(`Hello')</script>.
Workaround: Do not use <> characters in the subject.
CSCtb62056
Error when trying to retrieve AD groups if AD configuration is cleared while groups are selected.
Symptom: An error appears when trying to retrieve AD groups if AD configuration is cleared while groups are selected.
Conditions: ACS is joined to AD. A policy is configured with AD as the identity store. From the Directory Groups tab, select a few groups and click Clear Configuration. An error message notifying you of references appears. Click OK and then try to retrieve the AD group.
Workaround: Remove AD and then define a new AD before you retrieve the AD group.
CSCtb66701
Login to secondary server takes a long time after the secondary server's status is updated.
Symptom: Login to secondary server takes a long time.
Conditions: This error occurs when you log in immediately after registration is complete and the secondary server's status is changed to UPDATED.
Workaround: Open a new browser and log in to the secondary server.
CSCtb70105
Removing Certificate Authority certificate from the ACS web interface produces null system error message in report.
Symptom: When you remove a CA certificate under Certificate Authority, ACS generates a null system error message in the report. The following message appears:
Encountered invalid or null system message.
Conditions: This issue occurs when you remove a CA certificate.
Workaround: None. Ignore this message.
CSCtb75010
Left column in the main page of ACS GUI is corrupted after some time.
Symptom: The left navigation panel becomes misaligned.
Conditions: Resizing the left navigation pane several times leads to a misaligned panel.
Workaround: Refresh the application.
CSCtb75556
When the connection is slow, group retrieval throws warning error.
Symptom: When connection is slow between ACS and AD, and AD group retrieval is requested, the browser throws a warning error.
Conditions: Connection is very slow between ACS and AD, and AD group retrieval is requested. The browser throws a warning error.
Workaround: Use a filter to query for the specific group. Only the relevant groups are returned, and communication is saved.
CSCtb82917
Removal of the ACS application shows the following error: *** glibc detected ***
Symptom: Removal of the ACS application shows the following message on the CLI:
*** glibc detected *** double free or corruption (out): 0x0807b428 ***
Conditions: This occurs inconsistently on entering the following command from the CLI:
application remove acs
Workaround: None.
CSCtb82970
With Internet Explorer 7, the software update page gets stuck if invalid text is entered.
Symptom: The Centralized Software Updates > Create page gets stuck when submitted.
Conditions: This error occurs if you use Internet Explorer 7 and do the following:
1.
Navigate to System Administration > Operations > Centralized Software Updates > Create.
2.
Select the Upload SW Update option.
3.
Paste some text into the file uploader element.
Workaround: Use the Browse button to select a file instead of pasting the invalid text.
CSCtb95299
Cannot export more than one server certificate at a time.
Symptom: After exporting a certificate from the Local Certificate list, you cannot export another certificate.
Workaround: To export another server certificate:
1.
Leave the Local Certificate page.
2.
Return to the Local Certificate page.
3.
Export a certificate.
CSCtb98071
Launching a shared report in the ACS 5.1 Monitoring and Report Viewer displays an iportal error for a particular scenario.
Symptom: You will see the following iportal error message when you launch a shared report:
iPortal generate report failed.
Conditions: This error occurs when you add a report to a group in the interactive viewer and save it as a shared report.
Workaround: Avoid using the option Add Group from the interactive viewer for hyperlinked column entries when you save the report as shared.
CSCtc02925
AD GUI page gets stuck when ACS tries to join AD.
Symptom: When you try to join ACS to AD, and DNS is configured incorrectly, the AD GUI page gets stuck for approximately 5 minutes.
Conditions: This happens when ACS is installed and the wrong DNS configuration is defined through the ADE-OS CLI.
Workaround: To avoid this issue, do the following:
1.
Click Test Connection before joining AD to diagnose and indicate the DNS resolution error.
2.
Fix the error.
3.
Click Save Configuration to join ACS to AD.
CSCtc03004
When trying to join with two DNS servers, the connectivity status is disconnect.
Symptom: When ACS is configured with two DNS servers, ACS successfully joins the AD but the connectivity status is shown as disconnect.
Conditions: This error occurs when two DNS servers are configured, where the first is configured incorrectly and the second is configured correctly. After AD is configured, ACS successfully joins AD, but the connectivity status is shown as disconnect.
Workaround: Make sure that the DNS server is up and valid.
CSCtc09870
Groups are not listed from the LDAP page.
Symptom: If Group Object class is set to the wrong object class in the LDAP configuration page and Test Configuration button is clicked, it shows Groups >100. This is incorrect.
Conditions: This error occurs when you set the wrong object class in the LDAP configuration page and click Test Configuration.
Workaround: If the object class is set incorrectly, the correct number of groups is 0. This is correctly displayed in the Directory Group tab.
CSCtc09973
CLI commands are missing after installing ACS 5.1 on the new ADE-OS machine.
Symptom: Not all ACS-related commands appear in CLI.
Conditions: The ACS CLI commands are missing after installing ACS 5.1 on the new ADE-OS machine, using the same login shell.
Workaround: Close the shell in which you installed ACS 5.1 and log in again. All commands appear in the new shell.
CSCtc14191
[AD agent] Authentication fails after UPN user name is edited in AD.
Symptom: Plain password authentication fails against the Windows Server AD.
Conditions: The authentication fails under the following conditions:
1.
RADIUS/PAP or TACACS+ PAP/ASCII or EAP-GTC user authentication is attempted.
2.
The authentication is attempted against Windows Server 2008 Active Directory.
3.
The correct username and password are used during authentication.
4.
The user login name has been changed without changing the user password.
Workaround: Change the user password.
CSCtc19231
Error message appears while creating ACS support bundle.
Symptom: While executing the following CLI command:
decrypt-support-bundle
The following error message appears:
gpg: can't open `/gnupg/options.skel': No such file or directory
Conditions: This message appears regardless of any condition.
Workaround: No workaround is needed, because the command completes successfully regardless of the error message.
CSCtc22063
ACS restore fails for large ACS database when using Windows File Transfer Protocol (FTP) server.
Symptom: When trying to restore the ACS configuration to a remote Windows FTP server, an ACS database error occurs, and ACS does not start properly.
Conditions: This error occurs in the following conditions:
1.
Using Windows FTP server.
2.
Backup scaled ACS configuration with more than 100,000 internal users.
3.
ACS backup file size is larger than 4 GB.
4.
Windows FTP server does not show the real size of the backup (tar.gpg) file.
Workaround: Choose either of the following two options:
•
Use a Linux FTP server.
•
If you use a Windows FTP server:
–
Ensure that you use a known user rather than an anonymous user.
–
Ensure that Windows shows the real physical size of the file. If the size is different, the restore will fail.
CSCtc24654
Expired users (Password Aging Rules) enabled after import.
Symptom: Users whose accounts expired in ACS 4.x are enabled in ACS 5.1 after migration.
Conditions: Users whose accounts have expired due to Password Aging Rules in ACS 4.x are enabled in ACS 5.1 after migration.
Workaround: Manually disable these users after migrating to ACS 5.1 or, before migration, in ACS 4.x.
CSCtc27869
Users are not imported if enable password is fewer than four characters.
Symptom: Users from ACS 4.x who have an enable password of less than four characters are not migrated.
Conditions: Internal users in ACS 4.x who have enable password of fewer than four characters are not migrated, and this is reported in the import report.
Workaround: Update the enable password and rerun the migration for such users.
CSCtc28096
ACS GUI page is not accessible; HTTP is not responsive.
Symptom: The ACS web interface is not accessible after the system has been in a stale connection for a while.
Conditions: ACS is in a stale mode for a long period.
Workaround: Restart ACS if it has not recovered after a short while.
CSCtc29082
Using an existing hostname in the deployment should display a warning.
Symptom: Deployment stops working correctly if the primary hostname is changed to be the same as the secondary hostname. The secondary with the same hostname stops working, while the primary does not show the real changed name.
Conditions: The primary hostname is changed by the ACS administrator to be the same as the secondary hostname.
Workaround: Rename the primary hostname to the former name, and then give it a new name that does not already exist in the deployment and, preferably, does not duplicate entries in the DNS server.
CSCtc34937
If ACS is not restarted after changing the DNS, ACS still works on the old DNS.
Symptom: When ACS is not restarted after changing the DNS, the ACS agent may still validate the old DNS name, and the authentication passes.
Conditions: This error occurs when ACS is not restarted after changing the DNS. The ACS agent may still validate the old DNS name, and the authentication passes.
Workaround: Restart ACS after changing the DNS.
CSCtc39922
Migration of 300,000 users takes more than 11 hours.
Symptom: The migration takes more than 11 hours.
Conditions: When the ACS 4.x database is large (300,000 users, 50,000 MABs, 45,000 devices), it takes about 11 hours to complete the import to ACS 5.1.
Workaround: Run migration on a standalone ACS 5.1 server using groups, migration of all users, migration of all devices, and so on.
CSCtc40582
If NFS staging URL is used, backup or restore job copies a set of files to the NFS staging location.
Symptom: ACS, Monitoring and Report Viewer, and ADE-OS-related files are available at the NFS staging location.
Condition: This issue occurs if you use an NFS staging URL for a backup or restore job.
Workaround: Do not use an NFS staging URL for backup or restore jobs.
CSCtc41730
ACS resets SYN packets if Maximum Segment Size (MSS) is not set.
Symptom: TACACS+ authentication attempts from some devices fail with no response from ACS. Packet capture shows TCP reset being sent immediately by ACS.
Conditions: This issue occurs if the TCP SYN packet does not have the MSS option set.
Workaround: Configure the device to include the MSS option in the SYN packet.
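One way to confirm the condition in CSCtc41730 from captured traffic, as an added example (not Cisco code): it parses the TCP options in raw TCP headers and lists the initial SYN segments that carry no MSS option. The sample segments, device labels and helper names are constructed for illustration; destination port 49 is the standard TACACS+ port.

```python
import struct

TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2


def parse_tcp_options(segment: bytes):
    """Return [(kind, value_bytes), ...] for the options in a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    header_len = (segment[12] >> 4) * 4  # data offset is counted in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("invalid TCP data offset")
    raw = segment[20:header_len]
    options, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:          # end of option list, the rest is padding
            break
        if kind == OPT_NOP:          # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]          # length covers kind and length bytes too
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed TCP option length")
        options.append((kind, raw[i + 2:i + length]))
        i += length
    return options


def syn_mss(segment: bytes):
    """Return the advertised MSS, or None when the option is absent."""
    for kind, value in parse_tcp_options(segment):
        if kind == OPT_MSS and len(value) == 2:
            return struct.unpack("!H", value)[0]
    return None


def is_initial_syn(segment: bytes) -> bool:
    """True for a connection-opening SYN (SYN set, ACK clear)."""
    flags = segment[13]
    return bool(flags & TCP_FLAG_SYN) and not flags & TCP_FLAG_ACK


def syns_without_mss(segments: dict):
    """Return the labels of initial SYN segments that carry no MSS option."""
    return [label for label, seg in segments.items()
            if is_initial_syn(seg) and syn_mss(seg) is None]


def build_tcp(dst_port: int, flags: int, options: bytes = b"") -> bytes:
    """Build a constructed TCP header for the samples below (checksum left 0)."""
    options += b"\x00" * (-len(options) % 4)       # pad to a 32-bit boundary
    offset_words = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0,
                        offset_words << 4, flags, 65535, 0, 0)
    return fixed + options


# Constructed sample segments; labels are hypothetical device names.
SAMPLES = {
    # MSS 1460, NOP, window scale 7
    "device-a": build_tcp(49, TCP_FLAG_SYN, b"\x02\x04\x05\xb4\x01\x03\x03\x07"),
    # no options at all
    "device-b": build_tcp(49, TCP_FLAG_SYN),
    # SACK-permitted only, padded with NOPs
    "device-c": build_tcp(49, TCP_FLAG_SYN, b"\x04\x02\x01\x01"),
    # SYN+ACK reply without options: not an initial SYN, so it is ignored
    "reply": build_tcp(40000, TCP_FLAG_SYN | TCP_FLAG_ACK),
}

if __name__ == "__main__":
    for label in syns_without_mss(SAMPLES):
        print(f"{label}: initial SYN carries no MSS option")
```

Feed it the TCP header bytes of the SYN packets from a capture taken on the device side; any label it returns is a device that needs the workaround above.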
CSCtc47793
During import process, ACS displays the NullPointerException and generates no audit messages.
Symptom: The import process completes and the relevant objects get added or updated to the database, but no audit messages are generated.
Conditions: This problem occurs when two attributes with the same name belonging to different dictionaries are in the database. For example, if you define an attribute called Description in both the user and host dictionaries.
Workaround: None.
CSCtc48245
Unable to open the second calendar when two date attributes are selected.
Symptom: Having two date conditions defined in the rule table and selected to be configured triggers the following in the rule edit dialog box:
•
Unless the first date condition is activated, the second date panel does not appear.
•
Only after the first date condition is activated will the second date panel be displayed.
Conditions: This error occurs under the following conditions:
1.
Two date conditions are defined and visible in the rule table as part of the rule itself.
2.
You have selected to create, edit, or duplicate a rule.
3.
You have tried to display the date panel of the second condition while the first date condition is not selected.
Workaround: Do the following, in this order:
1.
Select the first date condition.
2.
Select and configure the second date condition.
3.
Remove the activation of the first date condition.
CSCtc49185
Socket error in migration.log when you import 300,000 users.
Symptom: The migration log includes exceptions.
Conditions: When you migrate a large database of about 300,000 users, 50,000 MABs, 45,000 devices, and so on, you might encounter some connection errors with the ACS 5.1 server. These problems are exposed as SSL and connection timeout exceptions in the migration logs.
Workaround: Run the migration in groups and not all objects at once. For example, first run for users, then devices, and so on.
It is recommended to run the migration against the primary server, which is a standalone server and has no secondary connected to it.
CSCtc60425
Primary secondary MGMT GAP after migration.
Symptom: Migration from ACS 4.x is complete; however, secondary ACS appliances are in pending state.
Conditions: This issue occurs in a distributed deployment where there are more than three secondary servers that consist of CSACS-1120 and CSACS-1121. This happens when there are a large number of user, device, and MAB objects. Tested on 300000 users and 50000 devices.
Workaround: This happens because the secondary servers are processing the data while the primary server has completed data processing. Allow the secondary servers to continue processing the data and monitor their statuses from the primary distributed status page. If a secondary server's status moves to updated, it indicates that this secondary server has completed the processing. This activity might take an additional 2 to 5 hours depending on the size of your deployment.
CSCtc75332
Full binary comparison is performed in EAP-TLS at the time of session resume.
Symptom: ACS performs full binary comparison against LDAP at the time of session resume instead of performing only user lookup.
Conditions: This issue occurs when you use the EAP-TLS protocol, configure LDAP identity store for the service, and the client performs a successful TLS session resume.
Workaround: None.
CSCtc75375
No reports are available in Favorites list after upgrading with a specific database.
Symptom: Favorite reports do not appear in the ACS web interface.
Conditions: After you upgrade from ACS 5.0 to ACS 5.1, the favorite reports might not appear in the ACS web interface.
Workaround: Choose the Reset Reports option from any of the Catalog Reports to view your favorite reports again.
CSCtc78971
Proactive PAC update does not correctly generate PAC v1.
Symptom: Proactive PAC update sends an invalid Tunnel PAC to the client.
Conditions: This issue occurs if ACS receives Tunnel PAC v1 that will expire soon and requires proactive PAC update and ACS receives authorization PAC along with this Tunnel PAC v1.
Workaround: When invalid PAC is provided to the client, the client tries to authenticate it and ACS falls back to provisioning. If the client supports provisioning, a new PAC will be provided to the client. If not, the client might force start provisioning (on some clients, you must start provisioning manually).
CSCtc79113
UTF-8 for alarm syslog target displays an error for providing name in Japanese.
Symptom: The Monitoring & Reporting Viewer web interface displays an error when UTF-8 characters are used.
Conditions: This issue appears only when you use UTF-8 characters.
Workaround: None.
CSCtc79155
Promotion during import should be blocked.
Symptom: Replication stops between nodes in a deployment, and you cannot log in to the newly promoted secondary server.
Conditions: Start an import process of users, hosts, or devices. While the import is in progress, promote one of the secondary servers in your deployment to be the primary server. This issue will most likely occur in a long import process where you have a large number of objects.
Workaround: In general, promoting a server in a deployment should not be done while there are ongoing configuration activities. Specifically, you can determine if an import process is in progress using the following command from the ACS CLI:
import-export-status-all
If this issue occurs, promote the original server to be the primary server again in the deployment. Perform full replication for the secondary server that had been promoted earlier when the problem occurred.
CSCtc81452
RT core file created for large scale configuration after installing ADE-OS 1.2 patch.
Symptom: RT core file is created in /opt/CSCOacs/runtime directory after you install the ADE-OS upgrade patch 5-0-0-21-adeos-1_2_upgrade.tar.gpg and restart ACS.
Conditions: This issue occurs if you have ACS version 5.0.0.21, you have applied the following patches, and there is a large scale configuration:
• ACS patch 5.0.0.21.9
• ADE-OS patch 5.0.0.21.ADEOS_UPGRADE
Workaround: ACS Watchdog restarts RT daemon automatically. ACS functionality is not affected.
CSCtc81695
Permission not granted properly for administrators.
Symptom: Security administrators have read-only permission for the administrator access setting pages. Policy administrators do not have permission to add or delete LDAP databases. The administrator roles User, ChangeUserPassword, ChangeAdminPassword, and other roles that grant the privilege to change user passwords and administrator passwords have only read-only access permission for the administrator access setting pages.
Workaround: Use other administrator roles that have the privileges to configure administrator access settings.
CSCtc81704
Internet Explorer (IE) 6: Unable to create network conditions as policy admin
Symptom: Cannot create network conditions in the ACS web interface.
Conditions: This issue occurs when you use IE 6 to configure a network condition.
Workaround: Use IE 7 or FireFox version 3.
CSCtc81929
Import and export processes are not functioning with IE 6 as expected.
Symptom: Cannot see the progress of import or export from the ACS web interface.
Conditions: This issue occurs when you use IE 6 for import and export operations through the ACS web interface.
Workaround: Even though the progress is not displayed in the ACS web interface, the import and export processes work. We recommend that you use FireFox version 3.
CSCtc84751
ACS 5.1 has an issue with incremental backup across multiple repositories.
Symptom: ACS does not display the recent incremental backups to restore in the Restore page under Monitoring Configuration > System Operations > Data Management.
Conditions: This error occurs when you use one repository for a full backup and a different one for the subsequent incremental backups.
Workaround: If you generate a full backup on one repository, you must continue to generate all the subsequent incremental backups on the same repository.
You can create a new full backup with incremental backups on a different repository, so long as all backups exist on the same repository.
CSCtc87079
Top N SGT Assignment report displays an error message for custom time range.
Symptom: Top N SGT Assignment report displays an error message for custom time range.
Conditions: This issue occurs only if you run the report for a custom time range.
Workaround: Use the predefined time ranges when you run this report. Do not choose the Query and Run option.
CSCtc89566
Authentication using alternative UPN suffix fails in AD multiforest.
Symptom: ACS does not support user authentication in AD when a username is supplied with an alternative UPN suffix configured in multiforest.
Conditions: This issue occurs when you:
1. Configure a trust between two AD domains. For example, oceania.acs.com and amer.acs.com.
2. Configure an alternative UPN suffix in one domain. For example, alternative.com in australia.oceania.acs.com.
3. Create a user with alternative suffix in the domain. For example, upn-test@alternative.com.
4. Configure ACS to join another domain. For example, rio.brazil.south.amer.acs.com.
5. Perform an authentication with the user given alternative UPN suffix. For example, upn-test@alternative.com.
This authentication fails.
Workaround: Configure ACS to join the forest or domain where an alternative UPN suffix is configured. Install different ACS instances to join different AD forests.
CSCtc90954
Support bundle download URL contains hostname only.
Symptom: When you choose to download the support bundle on ACS, the browser is referred to a URL that contains only the hostname instead of the fully qualified domain name. When SSL certificates are in use for the web interface, the browser displays a warning that the certificate subject name does not match the hostname in the URL.
Conditions: This issue occurs in ACS 5.0 and ACS 5.1.
Workaround: Choose to proceed past the warning that is displayed in the web interface.
CSCtd00477
Cannot retrieve AD groups if the forest's name is composed of a single word.
Symptom: Cannot retrieve AD groups from the AD group retrieval page.
Conditions: This issue occurs if the global catalog is located in the top domain. For example, if the domain is x.y and the global catalog is located in y, then this issue occurs.
Workaround: Add the AD groups manually instead of selecting them from the retrieval list.
CSCtd06227
SafeWord: No lookup with caching using special format.
Symptom: In SafeWord, fast reconnect in PEAP-GTC/stateless session resume in EAP-FAST-GTC fails for users with username in special format (username, password).
Conditions: This issue occurs in SafeWord user authentication when the username is in special format (username, password) and caching is enabled for SafeWord identity store (stores only the username and not the password), and this is followed by a fast reconnect in PEAP-GTC/stateless session resume in EAP-FAST-GTC with username in special format (username, password).
Workaround: None.
CSCtd06290
System failure error when submitting Change Password request with the enum attribute.
Symptom: Cannot perform change password operations for an internal user from the user's record. When such operations are performed, a system error appears.
Conditions: This issue occurs when an internal user has an enumerated identity attribute defined.
Workaround: None.
CSCtd07787
PEAP—Misleading EAP session timeout error message with identity sequence.
Symptom: Misleading error message for EAP session timeout.
Conditions: This issue occurs when you:
1. Configure an identity sequence in the following order: AD1, Internal User, and LDAP (password based).
2. Use this identity sequence as the identity source.
3. Configure session resume (timeout 180) and authenticate against an internal user.
4. Wait for session timeout. The following EAP session timeout message appears in the RADIUS Authentication report:
24008 User not found in LDAP Server
Workaround: Drill down to the details in this report to find the EAP session timeout message.
CSCtd09816
Sometimes onActivate is not called for notification extensions.
Symptom: EAP certificate updates are not applied correctly sometimes, especially when authentications happen concurrently.
Conditions: An EAP certificate update is not applied to ACS Runtime.
Workaround: Resubmit the certificate for update through the ACS web interface.
CSCtd10767
Syslog data loss during upgrade.
Symptom: When you perform an upgrade, it might take some time to upgrade the Monitoring and Report Viewer database. While this upgrade is in progress, ACS continues to receive syslog messages. However, the syslog data that is collected during upgrade might not be available in the database after upgrade.
Conditions: This problem occurs when you run the upgrade process.
Workaround: After upgrade is complete, before you click the Switch Database button, you must take a manual backup of the database. Apply the ACS 5.1.0.44.1 upgrade patch.
The following scenarios are tested:
Scenario 1
1. Back up the ACS View 5.0 database. If the ACS View database size is more than or equal to 100 GB, you need to run the backup and configure the destination repository as an external FTP, TFTP or NFS server.
2. Reimage the appliance with ACS 5.1.
3. Download the patch from the following download location and install it on your system: http://www.cisco.com/public/sw-center/index.shtml
Refer to Applying Upgrade Patches for instructions on how to apply the patch to your system.
4. Restore ACS View 5.0 database—Database upgrade happens automatically. If the ACS View database size is more than or equal to 100 GB, you need to run the backup and configure the destination repository as the external FTP, TFTP or NFS server.
5. Wait for the upgrade to complete. After the upgrade is complete the following message is displayed on the ACS View GUI:
Click the Switch Database button below to activate the converted database. You may need to scroll down to make it visible.
The ACS processes will restart in order to switch the database. It will be necessary to log back in after the restart has completed.
6. Click Switch Database.
Data from the temporary database is restored to the main database.
Expected results:
• Upgrade takes less than 36 hours.
• There is no significant data loss.
Scenario 2
1. Upgrade from ACS 5.0 to ACS 5.1.
2. Wait for the upgrade to complete. After the upgrade is complete the following message is displayed on the ACS View GUI:
Click the Switch Database button below to activate the converted database. You may need to scroll down to make it visible.
The ACS processes will restart in order to switch the database. It will be necessary to log back in after the restart has completed.
3. Download the patch from the following download location and install it on your system: http://www.cisco.com/public/sw-center/index.shtml
Refer to Applying Upgrade Patches for instructions on how to apply the patch to your system.
4. After the patch is installed, click Switch Database.
Data from the temporary database is restored to the main database.
Expected result:
There is no significant data loss.
Scenario 3
1. Upgrade from ACS 5.0 to ACS 5.1.
2. Wait for the upgrade to complete. After the upgrade is complete the following message is displayed on the screen:
Click the Switch Database button below to activate the converted database. You may need to scroll down to make it visible.
The ACS processes will restart in order to switch the database. It will be necessary to log back in after the restart has completed.
3. Back up the ACS View database (ACS backup).
4. After you back up the ACS View database, click Switch Database.
5. Download the patch from the following download location and install it on your system: http://www.cisco.com/public/sw-center/index.shtml
Refer to Applying Upgrade Patches for instructions on how to apply the patch to your system.
6. Go to Monitoring Configuration > System Operations > Data Upgrade Status page and specify the location of the previous backup (restart required).
The backup is downloaded and the data from the backup file is restored to the main database.
Expected result:
Data that is collected during the upgrade process is restored without significant data loss.
For further links to information on the upgrade process, see Upgrading to ACS 5.1.
CSCtd14560
GUI session is logged out when launching the Monitoring & Report Viewer.
Symptom: GUI session logs out when you launch the Monitoring and Report Viewer.
Conditions: This issue occurs when you log in to ACS after a session timeout and immediately launch the Monitoring & Report Viewer; you must then log in to ACS again.
Workaround: None.
CSCtd16392
ACS uses AD agent user's group caching during authorization.
Symptom: When authenticating against AD, the user might be considered a member of a group to which the user no longer belongs, and this might impact the policy and rule conditions.
Conditions: If a user is removed from certain groups within the AD server and this user has authenticated through ACS against AD within the past 30 minutes, the changes made in the AD server are not updated in the cache.
Workaround: Wait for 30 minutes until the cache is updated or install the root patch and clear cache with the help of support.
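An audit sketch for the stale-group window described in CSCtd16392, added here as an example (it is not Cisco code and not part of the original release notes). The event tuples are constructed sample data, not an ACS or AD log format, and the model assumes that a cache entry is populated by an authentication and expires 30 minutes later.

```python
from datetime import datetime, timedelta

CACHE_TTL = timedelta(minutes=30)  # window stated in the release note

# Constructed sample data (hypothetical layout, not a real ACS or AD export).
AUTH_EVENTS = [  # (time of authentication through ACS against AD, user)
    ("2010-05-21T09:00:00", "alice"),
    ("2010-05-21T09:20:00", "alice"),
    ("2010-05-21T09:45:00", "alice"),
    ("2010-05-21T09:05:00", "bob"),
    ("2010-05-21T10:00:00", "bob"),
]
GROUP_REMOVALS = [  # (time the change was made in AD, user, group removed)
    ("2010-05-21T09:10:00", "alice", "NetAdmins"),
    ("2010-05-21T09:30:00", "bob", "Helpdesk"),
]


def _ts(text):
    return datetime.fromisoformat(text)


def stale_authorizations(auth_events, group_removals, ttl=CACHE_TTL):
    """Return (auth_time, user, group, cache_expiry) for every authentication
    that may have been authorized with a group the user had already lost."""
    removals = {}
    for when, user, group in group_removals:
        removals.setdefault(user, []).append((_ts(when), group))

    findings = []
    cached_at = {}  # user -> time the modelled cache entry was populated
    for when, user in sorted((_ts(w), u) for w, u in auth_events):
        populated = cached_at.get(user)
        if populated is None or when >= populated + ttl:
            # Assumption: a missing or expired entry is refreshed from AD by
            # this authentication, so it sees the current membership.
            cached_at[user] = populated = when
        for removed_at, group in removals.get(user, []):
            # Exposed only if the cache was filled before the removal and is
            # still being served at the time of this authentication.
            if populated < removed_at <= when:
                findings.append((when.isoformat(), user, group,
                                 (populated + ttl).isoformat()))
    return findings


if __name__ == "__main__":
    for auth_time, user, group, expiry in stale_authorizations(
            AUTH_EVENTS, GROUP_REMOVALS):
        print(f"{auth_time} {user}: policy may still have matched '{group}' "
              f"(cached membership valid until {expiry})")
```

Sessions flagged this way are the ones to review or re-authenticate after an urgent group removal; authentications after the listed expiry time are evaluated against refreshed membership under this model.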
CSCtd16825
CLI "copy" command is broken when working with "disk."
Symptom: The CLI command copy disk: fails.
Conditions: This issue occurs when the CLI copy command contains the full path along with the filename. For example, copy file:/opt/SCSO/logs/acsRuntime.log ftp://a.b.c.d
Workaround: Use the command with the relative path instead of the full path.
CSCtd16850
Dropped reports do not appear in the Monitoring & Report Viewer when AD is disconnected.
Symptom: Dropped reports do not appear in the Monitoring & Report Viewer when AD is disconnected.
Conditions: This issue occurs when authenticating against an AD that is disconnected.
Workaround: None.
CSCtd24949
TACACS+ authorization failure when authen_type is 0.
Symptom: When you attempt to log in to a switch that runs a network assistant, authentication succeeds, but authorization fails. You get the following error:
13011 Invalid TACACS+ request packet - possibly mismatched Shared Secrets
Conditions: This issue occurs when you use network assistant on a switch.
Workaround: Use SSH or Telnet to access the switch.
CSCtd24978
UCP—When primary server is down, the secondary server will not update the primary server.
Symptom: A change to an internal user password does not take effect on all the servers in the deployment; it takes effect only on the secondary server that processed the change.
Conditions: This issue occurs if you change an internal user password while the primary server is down.
Workaround: Do not change an internal user password if the primary server is down. If you encounter this issue, manually change the password through the ACS web interface on the primary server.
CSCtd83913
After or during upgrading from ACS 5.0 to 5.1, SSH stops working if closed or disconnected.
Symptom: Cannot open SSH session after upgrading from ACS 5.0 to ACS 5.1.
Conditions: This issue occurs after you upgrade from ACS 5.0 to ACS 5.1 and restore the ACS 5.0 database. If SSH connection is lost or timed out, you cannot open another SSH session.
Workaround: Reboot the ACS appliance.
CSCtd52207
The Monitoring and Report Viewer does not send Alarms or e-mails when working in distribution mode.
Symptom: When working in distribution mode, Monitoring and Report Viewer does not send Alarms or e-mails.
Conditions: Monitoring and Report Viewer does not send e-mails even when there is a rule to monitor ACS process status on primary ACS server and the log collector is on secondary server.
Workaround: Monitor alerts from the Monitoring and Report Viewer GUI page.
CSCtd48969
Schedule View Database backup to local-disk is not working.
Symptom: Scheduled Monitoring and Report Viewer database backup to local-disk is not working.
Conditions: Scheduled Monitoring and Report Viewer database backup to local-disk is not working even after submitting and successfully saving the settings.
Workaround: None.
CSCtd51443
Thresholds do not present Identity Store Sequences database.
Symptom: Thresholds do not show the Identity Store Sequences database.
Conditions: The issue occurs when:
1. You go to Monitoring and Reports Viewer.
2. Select Thresholds.
Identity Store Sequences data is not present in the list.
Workaround: None.
CSCte20853
View Troubleshooting traceroute does not show traceroute information.
Symptom: The Monitoring and Report Viewer traceroute does not show traceroute information.
Conditions: The issue occurs when:
1. You go to Monitoring and Report Viewer > Troubleshooting > Connectivity Tests.
2. Give the IP address and traceroute a device.
The traceroute information is not displayed.
Workaround: Traceroute the device from the ACS CLI.
CSCte20871
View Troubleshooting ping device by DNS hostname does not work.
Symptom: Pinging device by DNS hostname is not working.
Conditions: The issue occurs when:
1. You go to Monitoring and Report Viewer > Troubleshooting > Connectivity Tests.
2. Give the DNS host name of the device and ping.
There is no response. The DNS of the device and of ACS are the same.
Workaround: Ping the device from the ACS CLI.
CSCtd14560
GUI session gets logged out when launching monitoring.
Symptom: When you launch the Monitoring and Report Viewer, the GUI session gets logged off.
Conditions: This issue occurs when you log in to the ACS server after a session timeout and immediately launch the Monitoring & Report Viewer.
Workaround: To overcome this issue:
1. Go to System Administration > Settings > Session > Session Idle Timeout.
2. Set the session timeout to a large number (in minutes).
CSCtd39360
Changing Identity from AD to Identity with wildcard, "System Failure" occurs.
Symptom: When trying to change Policy Identity Store to Identity Sequences, the following error appears:
This System Failure occurred: {0}. Your changes have not been saved. Click OK to return to the list page.
Conditions: This issue occurs when using Identity Sequences with wildcard.
Workaround: Create Identity Sequences without wildcard (such as &% ,.!+ -).
Documentation Updates
Table 12 lists the updates to Release Notes for the Cisco Secure Access Control System 5.1.
Table 12 Updates to Release Notes for the Cisco Secure Access Control System 5.1
Date        Description
4/25/2011   Added "Resolved Issues in Cumulative Patch ACS 5.1.0.44.6" section.
1/27/2011   Updated "Features Not Supported" section.
1/12/2011   Added "Resolved Issues in Cumulative Patch ACS 5.1.0.44.5" section.
9/20/2010   Added "Resolved Issues in Cumulative Patch ACS 5.1.0.44.4" section.
08/24/2010  Updated the following sections:
06/08/2010  Added "Resolved Issues in Cumulative Patch ACS 5.1.0.44.3" section.
05/21/2010  Added the following to the list of Known ACS Issues: CSCtd83913, CSCtd52207, CSCtd48969, CSCtd51443, CSCte20853, CSCte20871, CSCtd14560, CSCtd39360
04/12/2010  Added the following sections: Resolved Issues in Cumulative Patch ACS 5.1.0.44.1, Resolved Issues in Cumulative Patch ACS 5.1.0.44.2. Updated the "Upgrading to ACS 5.1" section. Updated description of the bug CSCtd10767.
02/22/2010  Added a note stating that no TAC support is available for modified python scripts in the "Other Feature Enhancements" section.
12/02/09    Added the following to the list of Known ACS Issues: CSCtd09816, CSCtd16825, CSCtd16850
11/30/09    Added Configuring NADs to Send Syslog Messages to the list of Monitoring & Report Viewer feature enhancements.
11/26/09    Added the following to the list of Known ACS Issues: CSCtd14560, CSCtd00477, CSCtc81929, CSCtc81704, CSCtc81695, CSCtc60425, CSCtc41730, CSCtb00431, CSCtd24978, CSCtd06290, CSCtc79155, CSCtd24949, CSCtd06227, CSCtc78971, CSCtc75332, CSCtc75375, CSCtc79113, CSCtc87079, CSCtc90954, CSCtd07787, CSCtc81452
11/11/2009  Cisco Secure Access Control System Release 5.1.
Product Documentation
Table 13 describes the product documentation that is available for ACS 5.1 on Cisco.com. To find end-user documentation for all products on Cisco.com, go to:
http://www.cisco.com/go/techdocs
Notices
The following notices pertain to this software license.
OpenSSL/Open SSL Project
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
License Issues
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.
OpenSSL License:
Copyright © 1998-2007 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)".
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)".
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
Original SSLeay License:
Copyright © 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
"This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)".
The word `cryptographic' can be left out if the routines from the library being used are not cryptography-related.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)".
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].
Supplemental License Agreement
END USER LICENSE AGREEMENT SUPPLEMENT FOR CISCO SYSTEMS ACCESS CONTROL SYSTEM SOFTWARE:
IMPORTANT: READ CAREFULLY
This End User License Agreement Supplement ("Supplement") contains additional terms and conditions for the Software Product licensed under the End User License Agreement ("EULA") between you and Cisco (collectively, the "Agreement"). Capitalized terms used in this Supplement but not defined will have the meanings assigned to them in the EULA. To the extent that there is a conflict between the terms and conditions of the EULA and this Supplement, the terms and conditions of this Supplement will take precedence.
In addition to the limitations set forth in the EULA on your access and use of the Software, you agree to comply at all times with the terms and conditions provided in this Supplement. DOWNLOADING, INSTALLING, OR USING THE SOFTWARE CONSTITUTES ACCEPTANCE OF THE AGREEMENT, AND YOU ARE BINDING YOURSELF AND THE BUSINESS ENTITY THAT YOU REPRESENT (COLLECTIVELY, "CUSTOMER") TO THE AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THE AGREEMENT, THEN CISCO IS UNWILLING TO LICENSE THE SOFTWARE TO YOU AND (A) YOU MAY NOT DOWNLOAD, INSTALL OR USE THE SOFTWARE, AND (B) YOU MAY RETURN THE SOFTWARE (INCLUDING ANY UNOPENED CD PACKAGE AND ANY WRITTEN MATERIALS) FOR A FULL REFUND, OR, IF THE SOFTWARE AND WRITTEN MATERIALS ARE SUPPLIED AS PART OF ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE PRODUCT FOR A FULL REFUND. YOUR RIGHT TO RETURN AND REFUND EXPIRES 30 DAYS AFTER PURCHASE FROM CISCO OR AN AUTHORIZED CISCO RESELLER, AND APPLIES ONLY IF YOU ARE THE ORIGINAL END USER PURCHASER.
1. Product Names
For purposes of this Supplement, the Product name(s) and the Product description(s) you may order as part of Access Control System Software are:
A. Advanced Reporting and Troubleshooting License
Enables custom reporting, alerting and other monitoring and troubleshooting features.
B. Large Deployment License
Allows deployment to support more than 500 network devices (AAA clients that are counted by configured IP addresses). That is, the Large Deployment license enables the ACS deployment to support an unlimited number of network devices in the enterprise.
C. Advanced Access License (not available for Access Control System Software 5.0, will be released with a future Access Control System Software release)
Enables TrustSec policy control functionality and other advanced access features.
2. ADDITIONAL LICENSE RESTRICTIONS
• Installation and Use. The Cisco Secure Access Control System (ACS) Software component of the Cisco 1121 Hardware Platform is preinstalled. CDs containing tools to restore this Software to the 1121 hardware are provided to Customer for reinstallation purposes only. Customer may only run the supported Cisco Secure Access Control System Software Products on the Cisco 1121 Hardware Platform designed for its use. No unsupported Software product or component may be installed on the Cisco 1121 Hardware Platform.
• Software Upgrades, Major and Minor Releases. Cisco may provide Cisco Secure Access Control System Software upgrades for the 1121 Hardware Platform as Major Upgrades or Minor Upgrades. If the Software Major Upgrades or Minor Upgrades can be purchased through Cisco or a recognized partner or reseller, the Customer should purchase one Major Upgrade or Minor Upgrade for each Cisco 1121 Hardware Platform. If the Customer is eligible to receive the Software release through a Cisco extended service program, the Customer should request to receive only one Software upgrade or new version release per valid service contract.
• Reproduction and Distribution. Customer may not reproduce nor distribute software.
3. DEFINITIONS
Major Upgrade means a release of Software that provides additional software functions. Cisco designates Major Upgrades as a change in the ones digit of the Software version number [(x).x.x].
Minor Upgrade means an incremental release of Software that provides maintenance fixes and additional software functions. Cisco designates Minor Upgrades as a change in the tenths digit of the Software version number [x.(x).x].
4. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS
Please refer to the Cisco Systems, Inc., End User License Agreement.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2010 Cisco Systems, Inc. All rights reserved


