THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE
OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE
IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD
NOTICE AT ANY TIME.
Updated the Problem Description and Workaround/Solution Sections
Initial Public Release
ACS5 - 5.x
A serious problem exists when Firefox 46 is used to manage the Access Control System (ACS). Customers are urged to deploy a patch as soon as possible.
A change in Firefox 46 causes the entire ACS policy set to be overwritten by blank rules, which leads to an empty policy in ACS. As a result, network access will fail for all devices covered by the affected policies.
Customers are urged to immediately apply the relevant patch (as described in the Workaround/Solution section) or the latest patch to their ACS deployment in order to overcome this change in Firefox 46.
When you use Firefox 46 to access the ACS user interface and attempt to edit/update the rules in the Access Policies or Service Selection Policies, it is not possible to view the current policy configuration. Instead, this message is displayed:
There are unsaved changes on this page. Do you wish to continue?
The message prompts the user to choose one of these options:
- Save changes & continue
- Discard changes & continue
If the user chooses "Save changes & continue", all previously configured ACS policy rules are deleted. With the rules erased from the database, authentications to ACS fail.
End user authentications fail after you submit Access Policies or Service Selection Policies to ACS with the Firefox 46 browser.
Do not use Firefox version 46 in order to manage ACS. Refer to the Compatibility Guide for a list of supported browsers approved to manage ACS.
Refer to the Cisco Secure Access Control System - Compatibility Information page.
If you attempt to edit/update the rules with Firefox 46 and receive the error message, choose "Discard changes & continue" in order to avoid deletion of all previously configured ACS policy rules.
If the problem is encountered, restore a recent backup configuration of ACS with a supported browser. If no configuration backup is available, the rules will have to be reconfigured manually.
Patches are available for ACS versions 5.6, 5.7, and 5.8 that prevent occurrence of the issue with Firefox 46. However, if the policy rules have been deleted, you still need to restore these per the information in this section. Earlier versions of ACS are currently out of support and a software patch is not available.
Customers are advised to install these patches (based on their currently installed version) or the latest ACS patch. As patches are inclusive of earlier patches, installation of any patch later than these also includes the fix for this specific issue.
Patches are published for ACS releases that are currently under maintenance. If you run a release that does not have one of these patches or that is not under maintenance, upgrade to a supported release.
These releases already contain the fix to this issue. If you are considering installation of a new ACS server/deployment, you might consider installing one of these releases. Be advised that Cisco suggests installation of ACS 5.8, as all other releases have already reached their End of Sale state.
To follow the bug ID link below and see detailed bug information, you must be a registered customer and you must be logged in.
CSCuz48986 (registered customers only): ACS: Editing Service Selection Rules in Firefox 46 erases all rules
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: