THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
| Affected OS Type | Affected Release Number |
ACS: Editing Service Selection Rules in Firefox 46 erases all rules
A serious problem exists when Firefox version 46 is used to manage the Cisco Secure Access Control System (ACS). Customers are urged to deploy a patch as soon as possible.
A change in Firefox version 46 causes the entire ACS policy set to be overwritten by blank rules, which leads to an empty policy in ACS. As a result, network access will fail for all devices covered by the affected policies.
Customers are urged to immediately apply the relevant patch or the latest patch to their ACS deployment in order to overcome this change in Firefox version 46.
When an attempt is made to edit or update the rules in the Access Policies or Service Selection Policies while Firefox version 46 is used to access the ACS user interface, it is not possible to view the current policy configuration. Instead, this message is displayed:
"There are unsaved changes on this page. Do you wish to continue?"
The message prompts the user to choose one of these options:
- Save changes & continue
- Discard changes & continue
If the user chooses "Save changes & continue", all previously configured ACS policy rules are deleted. With the rules erased from the database, authentications to ACS will fail.
End user authentications fail after an edit or update is made to Access Policies or Service Selection Policies in ACS with the Firefox version 46 browser.
Do not use Firefox version 46 to manage ACS. Refer to the Cisco Secure Access Control System - Compatibility Information page for a list of supported browsers approved to manage ACS.
If an attempt is made to edit or update the rules with Firefox version 46, choose "Discard changes & continue" in order to avoid deletion of all previously configured ACS policy rules.
If the previously configured ACS policy rules have already been deleted, restore a recent backup configuration of ACS with a supported browser. If no configuration backup is available, then the rules will have to be reconfigured manually.
Patches are available for ACS versions 5.6, 5.7, and 5.8 that prevent occurrence of the issue with Firefox version 46. However, if the policy rules have been deleted, then they will still need to be restored. Earlier versions of ACS are currently no longer supported and a software patch is not available.
Customers are advised to install these patches (based on their currently installed version) or the latest ACS patch. As patches are inclusive of earlier patches, installation of any patch later than these also includes the fix for this specific issue.
Patches are only published for ACS releases that are currently under maintenance. If an earlier release is used that does not have one of these patches or that is not under maintenance, please upgrade to a supported release.
- ACS 5.6 (patch 6)
- ACS 5.7 (patch 3)
- ACS 5.8 (patch 4)
These releases already contain the fix to this issue. When installing a new ACS server/deployment, please consider installing one of these releases. Please be advised that Cisco suggests installation of ACS 5.8, as all other releases have already reached their End of Sale state.
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: