This document provides answers to the most frequently asked questions (FAQ) related to Cisco Secure Access Control System (ACS) 5.x and later.
Q. Can certain users or groups in the ACS 5.x internal database be excluded from the user password policy (System Administration > Users > Authentication Settings)?
A. No. Every internal database user must comply with the user password policy; there is currently no way to exclude individual users or groups of the ACS 5.x internal database.
Q. Can certain GUI administrators of ACS 5.x be excluded from the administrative user password policy (System Administration > Administrators > Settings > Authentication)?
A. No. Every GUI administrative user must comply with the administrative user password policy; there is currently no way to exclude an individual administrator in ACS 5.x.
Q. What are the supported EAP authentication protocols for ACS 5.x when LDAP is configured as the identity store?
A. When LDAP is used as the identity store, ACS 5.2 supports only PEAP-GTC, EAP-FAST-GTC, and EAP-TLS. It does not support EAP-FAST MSCHAPv2, PEAP EAP-MSCHAPv2, or EAP-MD5, because ACS authenticates against LDAP with a bind using the cleartext password, and the challenge/response methods require the server to hold the password (or its NT hash) itself. For more information, refer to Authentication Protocol and User Database Compatibility.
Q. Why did RADIUS authentication from a WLC to ACS fail, and why did ACS not show any failed attempts?
A. An interoperability issue exists between ACS 5.0 (before patch 4) and the WLC. Download patch 8 and apply it from the ACS CLI. Do not use TFTP to fix this issue.
Q. Why am I unable to restore tar.gz files that were backed up with the backup-logs command in ACS 5.2?
A. Log files backed up with the backup-logs command cannot be restored; only backups of the ACS configuration and ADE-OS (taken with the backup command) can be restored. Refer to the backup and backup-logs commands in the CLI Reference Guide for the Cisco Secure Access Control System 5.1 for more information.
A. No. This feature is not available on ACS 5.2, but it is expected to be integrated in ACS 5.3. Refer to the Features Not Supported section of the Release Notes for the Cisco Secure Access Control System 5.2 for more information.
Q. I am unable to use the option to change the password at next login for internal users in ACS 5.0. How do I resolve this issue?
A. The option to change the password at next login is not supported in ACS 5.0. Support for this feature is available in ACS 5.1 and later versions.
Q. What does this alarm on ACS mean?
Cisco Secure ACS - Alarm Notification
Severity: Warning
Alarm Name: delete 20000 sessions
Cause/Trigger: active sessions are over limit
Alarm Details: session is over 250000
A. This is a warning, not an error. The ACS View database stores all previous authentication sessions. When the number of stored sessions reaches 250,000, ACS raises this alarm and purges 20,000 sessions to bring the session directory back under the limit.
Q. How do I resolve this error message: Authentication failed : 24407 User authentication against Active Directory failed since user is required to change his password?
A. This error message appears when there is a problem with password management during SDI authentication. ACS 5.x is used as a RADIUS proxy and the users are authenticated by an RSA server. The RADIUS proxy to RSA works only with password management disabled. The reason is that the OTP value must be recoverable by the RADIUS server in order to proxy the password value to the RSA server. When password management is enabled in the tunnel group, the RADIUS request is sent with MS-CHAPv2 attributes; RSA does not support MS-CHAPv2, only PAP.
A. No, it is not possible to restrict ACS admin to manage only certain devices within ACS 5.1.
A. No, ACS does not support QoS for authentication. ACS does not prioritize RADIUS authentication requests over TACACS+ requests, or TACACS+ requests over RADIUS.
A. Yes, all ACS 5.x versions can proxy RADIUS authentications to other RADIUS servers. ACS 5.3 and later can also proxy TACACS+ authentications to other TACACS+ servers.
A. Yes, in ACS 5.3 and later you can allow, deny, and control access of the dial-in permissions of a user. The permissions are checked during authentications or queries from Active Directory. It is set on the Active Directory dedicated dictionary.
A. Yes, TACACS+ CHAP and MSCHAP authentication types are supported in ACS versions 5.3 and later.
A. Yes, in ACS 5.3 and later you can set the password type of an ACS internal user. This feature was available in ACS 4.x.
Q. Can I pass/fail an authentication based on the time at which the user was created in the ACS Internal Identity Store?
A. Yes, in ACS 5.3 and later you can use the Number of Hours Since User Creation attribute in order to create your policies. This attribute contains the number of hours since the user was created in the Internal Identity Store to the time of the current authentication request.
A. Yes, ACS 5.3 and later allows you to use wildcards when you add new hosts to the Internal Identity Store. You can also enter a wildcard after the first three octets of the MAC address (the manufacturer's OUI) in order to match all devices from that manufacturer.
A. No, it is not currently possible to create IP address pools on the ACS 5.x.
Q. Can I see the IP address of the AAA client where the request came in the FAILED AUTHENTICATION report?
A. No, it is not possible to see the AAA client's IP address from where the request came in.
A. ACS 5.3 provides a new feature to recover any logs that are missed when the view is down. ACS collects these missed logs and stores them in its database. Using this feature, you can retrieve the missed logs from the ACS database to the view database after the view is back up. In order to use this feature, you must set the Log Message Recovery Configuration to on. For more details on configuring the View Log Message Recovery, refer to Monitoring & Report Viewer System Operations.
Q. Can I compress the ACS 5.x database by issuing the database-compress command from the Solution Engine CLI? This feature was available in ACS 4.x.
A. Yes, in ACS 5.3 and later, the database-compress command reduces the ACS database size, with an option to delete the ACS Transaction table. ACS administrators can issue this command in order to reduce the database size, which also shortens the time taken for backups and for the full synchronization needed during maintenance.
A. Yes, ACS 5.3 and later allows you to search a network device using its IP address. You can also use wildcards and the range in order to search a specific set of network devices.
Q. Can I create a condition based on the time at which the user was created in the ACS Internal Identity Store?
A. Yes, in ACS 5.3 and later you can use the Number of Hours Since User Creation attribute which enables you to configure the policy rule conditions, based on the time at which the user was created in ACS Internal Identity Store. For example: IF group=HelpDesk&NumberofHoursSinceUserCreation>48 then reject. This attribute contains the number of hours since the user was created in Internal Identity Store to the time of the current authentication request.
Q. Can I check in which Identity Store the User was authenticated in the Authorization section of a Service Policy?
A. Yes, in ACS 5.3 and later you can use the Authentication Identity Store attribute, which enables you to configure the policy rule conditions based on the Authentication Identity Store. For example: IF AuthenticationIdentityStore=LDAP_NY then reject. This attribute contains the name of the Identity Store used and it is updated with the relevant Identity Store name after successful authentication.
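The two rule examples above (the Number of Hours Since User Creation condition and the Authentication Identity Store condition) modelled as a first-match policy evaluator. This is an added example, not ACS code: the context fields, the rule names, the fixed reference time and the default result of "permit" are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Tuple

# Assumed reference time for "the current authentication request".
NOW = datetime(2023, 5, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class AuthContext:
    """Attributes available to the authorization rules (field names assumed)."""
    username: str
    groups: List[str]
    user_created: datetime                              # creation time in the Internal Identity Store
    now: datetime                                       # time of the current request
    authentication_identity_store: Optional[str] = None  # set only after a successful authentication

    @property
    def hours_since_user_creation(self) -> float:
        """The NumberOfHoursSinceUserCreation attribute: hours from creation to this request."""
        return (self.now - self.user_created).total_seconds() / 3600.0


@dataclass
class Rule:
    name: str
    condition: Callable[[AuthContext], bool]
    result: str  # "permit" or "reject"


# The two rules quoted in the FAQ, written as conditions over the context.
RULES: List[Rule] = [
    Rule("helpdesk-stale-account",
         lambda c: "HelpDesk" in c.groups and c.hours_since_user_creation > 48,
         "reject"),
    Rule("ldap-ny-not-allowed",
         lambda c: c.authentication_identity_store == "LDAP_NY",
         "reject"),
]


def evaluate(ctx: AuthContext, rules: List[Rule] = RULES, default: str = "permit") -> Tuple[str, str]:
    """First-match evaluation: the first rule whose condition holds decides.
    The default result applies when no rule matches (default value assumed)."""
    for rule in rules:
        if rule.condition(ctx):
            return rule.result, rule.name
    return default, "default"


def make_context(username: str, groups: List[str], hours_ago: float,
                 store: Optional[str] = None) -> AuthContext:
    """Build a context for a user created `hours_ago` hours before NOW (constructed input)."""
    return AuthContext(username, groups, NOW - timedelta(hours=hours_ago), NOW, store)


if __name__ == "__main__":
    for ctx in (make_context("h1", ["HelpDesk"], 72, "Internal Users"),
                make_context("h2", ["HelpDesk"], 24, "Internal Users"),
                make_context("u1", ["Staff"], 500, "LDAP_NY")):
        print(ctx.username, ctx.hours_since_user_creation, evaluate(ctx))
```

Note that the hours value is computed relative to the request time, so a rule with a strict `> 48` comparison still permits a request made at exactly 48 hours; pick the comparison deliberately when the window is meant to be inclusive.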
A. The ACS goes to the next Identity Store defined in the Identity Store Sequence in these scenarios:
A user is not found in the first Identity Store
An Identity Store is not available in the sequence
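The fall-through behaviour described above, as an added example that is not ACS code: a sequence of constructed identity stores is walked in order, and the request only advances to the next store on the two outcomes the FAQ lists (user not found, store unavailable). Any other outcome, including a wrong password for a user the store does know, ends the sequence there; that stop condition is the model's reading of the FAQ listing only those two cases. Store names, users and passwords are invented for the illustration.

```python
from enum import Enum
from typing import Callable, Dict, List, Optional, Sequence, Tuple


class Outcome(Enum):
    SUCCESS = "success"                  # credentials accepted by this store
    NOT_FOUND = "user not found"         # store reachable, user unknown
    UNAVAILABLE = "store unavailable"    # store could not be contacted
    FAILED = "authentication failed"     # user found, password rejected


Authenticator = Callable[[str, str], Outcome]


def make_store(users: Dict[str, str], available: bool = True) -> Authenticator:
    """A toy identity store holding cleartext passwords (constructed test data only)."""
    def authenticate(user: str, password: str) -> Outcome:
        if not available:
            return Outcome.UNAVAILABLE
        if user not in users:
            return Outcome.NOT_FOUND
        return Outcome.SUCCESS if users[user] == password else Outcome.FAILED
    return authenticate


# Constructed stores: an unreachable AD, an LDAP server, and the internal store.
STORES: Dict[str, Authenticator] = {
    "AD1": make_store({"alice": "ad-pass"}, available=False),
    "LDAP_NY": make_store({"alice": "s3cret"}),
    "Internal Users": make_store({"alice": "other", "bob": "pw"}),
}

# The only outcomes on which ACS moves to the next store in the sequence.
ADVANCE_ON = {Outcome.NOT_FOUND, Outcome.UNAVAILABLE}


def authenticate_sequence(sequence: Sequence[str], user: str, password: str,
                          stores: Dict[str, Authenticator] = STORES
                          ) -> Tuple[Outcome, Optional[str], List[Tuple[str, Outcome]]]:
    """Walk the identity store sequence; return the final outcome, the store that
    decided it (None if every store was skipped) and the per-store trail."""
    trail: List[Tuple[str, Outcome]] = []
    for name in sequence:
        outcome = stores[name](user, password)
        trail.append((name, outcome))
        if outcome not in ADVANCE_ON:
            return outcome, name, trail
    return Outcome.NOT_FOUND, None, trail


if __name__ == "__main__":
    seq = ("AD1", "LDAP_NY", "Internal Users")
    for user, pw in (("alice", "s3cret"), ("alice", "other"), ("bob", "pw"), ("carol", "x")):
        print(user, authenticate_sequence(seq, user, pw))
```

Two things the trace makes visible. A wrong password for alice at LDAP_NY ends the request even though the internal store would have accepted "other", so a later store cannot be used as a second guess. Conversely, because an unavailable store is skipped, an outage of AD1 lets alice authenticate with her LDAP_NY password instead of her AD one; order the sequence and keep the later stores' credentials for the same account in mind when the stores overlap.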
A. The Account Disablement Policy lets you disable Internal Identity Store users when a configured date is reached, when the account has existed for more than a configured number of days, or when the number of consecutive unsuccessful login attempts exceeds a threshold. The default for the date condition is 30 days from the current date, the default for the days condition is 60 days from the current day, and the default for failed attempts is 5.
A. Yes, you are allowed to change the password of an internal database user using TACACS+ over telnet. You need to select Enable TELNET Change Password under Password Change Control on ACS 5.x.
Q. Does the primary ACS 5.x instance automatically update the backup instances periodically, or should it only happen when a configuration has changed?
A. ACS 5.x replicates to the secondary ACS immediately whenever you make a change on the primary. In addition, if no changes are made on the primary, it performs a forced replication every 15 minutes. There is currently no option to control this timer so that ACS replicates only after a specific interval.
Q. Can I view/export a report on ACS 5.x of all the users that are currently logged in and authenticated from ACS on different NAS clients?
A. Yes. There are two separate reports, one for RADIUS and one for TACACS+, under Monitoring & Reports > Reports > Catalog > Session Directory > RADIUS Active Sessions and TACACS Active Sessions. Both reports are built from the accounting records sent by the NAS clients, which is what lets ACS track when a user connects and logs out; the session history report additionally lets you retrieve the start and stop messages for a specific day.
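How an active-session directory is derived from accounting records, as an added example that is not ACS code. It replays a handful of constructed RADIUS accounting records (standard attribute names, but a simplified one-line key=value format, not ACS's own log format) in time order: a Start opens a session, a Stop closes it, an Interim-Update refreshes it. A Stop with no matching Start is kept aside rather than dropped, since in practice that usually means lost accounting or a NAS restart, and a session that never receives a Stop simply stays listed as active.

```python
from typing import Dict, List, Tuple

# Constructed accounting records for the example; not real traffic.
ACCOUNTING_LOG = """\
2023-05-01T08:00:00Z Acct-Status-Type=Start User-Name=alice NAS-IP-Address=10.0.0.1 Acct-Session-Id=1001 Framed-IP-Address=192.0.2.10
2023-05-01T08:05:00Z Acct-Status-Type=Start User-Name=bob NAS-IP-Address=10.0.0.2 Acct-Session-Id=2001 Framed-IP-Address=192.0.2.11
2023-05-01T08:35:00Z Acct-Status-Type=Interim-Update User-Name=bob NAS-IP-Address=10.0.0.2 Acct-Session-Id=2001 Acct-Input-Octets=4096
2023-05-01T09:00:00Z Acct-Status-Type=Stop User-Name=alice NAS-IP-Address=10.0.0.1 Acct-Session-Id=1001 Acct-Terminate-Cause=User-Request
2023-05-01T09:30:00Z Acct-Status-Type=Start User-Name=alice NAS-IP-Address=10.0.0.3 Acct-Session-Id=1002 Framed-IP-Address=192.0.2.12
2023-05-01T09:45:00Z Acct-Status-Type=Stop User-Name=carol NAS-IP-Address=10.0.0.2 Acct-Session-Id=3001 Acct-Terminate-Cause=Lost-Carrier
"""

Record = Dict[str, str]
SessionKey = Tuple[str, str]   # (NAS-IP-Address, Acct-Session-Id)


def parse_record(line: str) -> Record:
    """Split '<timestamp> key=value key=value ...' into a dict."""
    timestamp, rest = line.split(" ", 1)
    record = dict(kv.split("=", 1) for kv in rest.split())
    record["timestamp"] = timestamp
    return record


def build_session_directory(log_text: str
                            ) -> Tuple[Dict[SessionKey, Record], List[Tuple[Record, Record]], List[Record]]:
    """Replay records in order. Returns (active sessions, completed (start, stop)
    pairs, Stop records that had no matching Start)."""
    active: Dict[SessionKey, Record] = {}
    history: List[Tuple[Record, Record]] = []
    orphan_stops: List[Record] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        key: SessionKey = (rec["NAS-IP-Address"], rec["Acct-Session-Id"])
        status = rec["Acct-Status-Type"]
        if status == "Start":
            active[key] = rec
        elif status == "Interim-Update":
            if key in active:                      # refresh counters; membership unchanged
                active[key].update(rec)
        elif status == "Stop":
            start = active.pop(key, None)
            if start is None:
                orphan_stops.append(rec)           # Stop without Start: lost accounting or NAS restart
            else:
                history.append((start, rec))
    return active, history, orphan_stops


def active_users(active: Dict[SessionKey, Record]) -> List[Tuple[str, str, str]]:
    """The rows a RADIUS Active Sessions report would show: user, NAS, framed IP."""
    return sorted((r["User-Name"], r["NAS-IP-Address"], r.get("Framed-IP-Address", ""))
                  for r in active.values())


if __name__ == "__main__":
    active, history, orphans = build_session_directory(ACCOUNTING_LOG)
    print(active_users(active))
    print(len(history), "completed,", len(orphans), "orphan stop(s)")
```

The same replay explains the session-directory alarm earlier in this FAQ: every completed pair and every still-open session is retained, so a NAS that never sends Stop messages leaves sessions listed as active until the directory is purged.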
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.