Supported Hardware

Cisco Secure ACS is packaged with your appliance or image for installation. Cisco Secure ACS 5.7 ships on the following platforms:

Supported Virtual Environments

ACS 5.7 supports the following VMware versions:

■VMware ESXi 5.0

■VMware ESXi 5.0 Update 2

■VMware ESXi 5.1

■VMware ESXi 5.1 Update 2

■VMware ESXi 5.5

■VMware ESXi 5.5 Update 1

For information on VMware machine requirements and installation procedures, see the “ Installing ACS in a VMware Virtual Machine” chapter in the Installation and Upgrade Guide for Cisco Secure Access Control System 5.7.

Supported Browsers

You can access the ACS 5.7 administrative user interface using the following browsers:

■MAC OS

–Mozilla Firefox version 28.x

–Mozilla Firefox version 29.x

–Mozilla Firefox version 31.x

–Mozilla Firefox version 32.x

–Mozilla Firefox version 33.x

–Mozilla Firefox version 34.x

–Mozilla Firefox version 35.x

–Mozilla Firefox version 36.x

–Mozilla Firefox version 37.x

–Mozilla Firefox version 38.x

–Mozilla Firefox version 39.x

–Mozilla Firefox version 40.x

–Mozilla Firefox version 41.x

–Mozilla Firefox version 42.x

–Mozilla Firefox version 43.x

–Mozilla Firefox version 44.x

–Mozilla Firefox version 45.x

–Mozilla Firefox version 46.x

–Mozilla Firefox version 47.x

–Mozilla Firefox version 48.x

–Mozilla Firefox version 49.x

–Mozilla Firefox version 24.4 ESR

–Mozilla Firefox version 45.0.2 ESR

■Windows 7 32-bit and Windows 7 64-bit

–Internet Explorer version 10.x

–Internet Explorer version 11.x

–Mozilla Firefox version 33.x

–Mozilla Firefox version 34.x

–Mozilla Firefox version 35.x

–Mozilla Firefox version 36.x

–Mozilla Firefox version 37.x

–Mozilla Firefox version 38.x

–Mozilla Firefox version 39.x

–Mozilla Firefox version 40.x

–Mozilla Firefox version 41.x

–Mozilla Firefox version 42.x

–Mozilla Firefox version 43.x

–Mozilla Firefox version 44.x

–Mozilla Firefox version 45.x

–Mozilla Firefox version 46.x

–Mozilla Firefox version 47.x

–Mozilla Firefox version 48.x

–Mozilla Firefox version 49.x

–Mozilla Firefox version 31.4.0 ESR

–Mozilla Firefox version 31.5.0 ESR

–Mozilla Firefox version 31.6.0 ESR

–Mozilla Firefox version 45.0.2 ESR

■Windows 8.x

–Internet Explorer version 11.x

–Mozilla Firefox version 31.x

–Mozilla Firefox version 37.x

–Mozilla Firefox version 38.x

–Mozilla Firefox version 39.x

–Mozilla Firefox version 40.x

–Mozilla Firefox version 41.x

–Mozilla Firefox version 42.x

–Mozilla Firefox version 43.x

–Mozilla Firefox version 44.x

–Mozilla Firefox version 45.x

–Mozilla Firefox version 46.x

–Mozilla Firefox version 47.x

–Mozilla Firefox version 48.x

–Mozilla Firefox version 49.x

–Mozilla Firefox version 31.0 ESR

–Mozilla Firefox version 31.3.0 ESR

–Mozilla Firefox version 31.4.0 ESR

–Mozilla Firefox version 31.6.0 ESR

–Mozilla Firefox version 45.0.2 ESR

Note: Mozilla Firefox version 46.x or later is supported only after installing ACS 5.7 patch 3 or later.

Note: Adobe Flash Player 11.2.0.0 or above must be installed on the system running the client browser.

When you import or export a .csv file from ACS 5.x, you must turn off the pop-up blocker.

You can launch the ACS web interface using IPv6 addresses only in Internet Explorer 7.x or later and Mozilla Firefox 3.x versions.

Supported Device and User Repositories

For information on supported devices, 802.1X clients, and user repositories, see Supported and Interoperable Devices and Software for Cisco Secure Access Control System 5.7.

Exporting Additional Columns From ACS Administrator Entitlement Summary Report

In ACS 5.6, while exporting the ACS Administrator Entitlement Summary Report, ACS exports the following two columns from the reports table to a comma separated value file:

■Administrators

■Roles

But, in ACS 5.7, while exporting the ACS Administrator Entitlement Summary Report, ACS exports one additional column “Resources and Privileges” along with the “Administrator” and “Roles” column. The Resources and Privileges section contains the resources and privileges that are available for the respective administrator accounts.

New Administrator Roles

ACS 5.7 supports two new administrator roles named OperationsAdmin and ProvisioningAdmin.

These two administrator roles are comprised of the resources and privileges from a few existing administrator roles along with some extra resources and privileges.

To view the resources and privileges of the two new administrator roles:

1. Choose System Administration > Administrators > Roles from ACS web interface.

2. Click the radio button near OperationsAdmin or ProvisioningAdmin.

3. Click View.

ACS displays the resources and privileges associated with ProvisioningAdmin.

The OperationsAdmin and ProvisioningAdmin can be used as a two different administrator accounts separately. You cannot use these two administrator roles together or along with any other administrator roles while creating administrator accounts.

If you try to create an administrator account using these two administrator roles together or along with any other administrator roles, ACS displays the following error:

You cannot assign these two administrator accounts as a recovery administrator account.

Disable User Account After N Days of Inactivity

ACS 5.7 allows the administrators to disable the user accounts based on the number of days they are not logged in to the network. The administrators can configure the maximum number of days in ACS web interface after which the user account should be disabled if the user is not logged in to the network. For this feature to work properly, the log collector server in the deployment should be running and receiving the syslog messages from all the nodes in the deployment and the log recovery must be enabled. This configuration is available in System Administration > Users > Authentication Settings > Advanced page. The administrator can enable the disabled user accounts. The subsequent calculation for the inactivity will be from the last enabled date. For more information on Disabling user account after n days of inactivity, see User Guide for Cisco Secure Access Control System 5.7.

Disable and Delete Host Accounts After N Days of Inactivity

ACS 5.7 allows the administrators to disable the host accounts if they are inactive for the configured number of days. Further, the administrator can delete the host accounts if they are inactive for configured number of days after the host account is disabled. For this feature to work properly, the log collector server in the deployment should be running and receiving the syslog messages from all the nodes in the deployment and the log recovery must be enabled. This configuration is available in System Administration > Hosts > Authentication Settings page. The administrator can enable the disabled host accounts. The subsequent calculation for the inactivity will be from the last enabled date. For more information on Disabling host account after n days of inactivity and Deleting host accounts after n+x days of inactivity, see User Guide for Cisco Secure Access Control System 5.7.

Support for Storing Password Hashes

To enhance security to internal users passwords, ACS 5.7 introduced the new feature “Enable Password Hash”. If you enable this option, the user password is converted to hashes using the PBKDF2 of Cisco SSL hashing algorithm and stored in the ACS internal user database as hashes. This feature is only applicable for password based authentications. Therefore, when this option is enabled, you cannot use CHAP and MSCHAP authentications. For information on how to enable or disable password hashing for internal users, see User Guide for Cisco Secure Access Control System 5.7.

Customizing the TACACS+ port

ACS 5.7 allows the administrator to customize the TACACS+ port from ACS web interface. In releases prior to ACS 5.7, the TACACS+ port field is a non-editable field. But in ACS 5.7, you can configure the TACACS+ port with number 49 and numbers ranging from 1024 to 65535. This operation restarts the ACS runtime and all registered instances.

Sending Notification Email to Users and Administrators About Their Password Expiry

ACS 5.7 allows the administrators to send an email every day to the internal users and administrators about their password expiry n days before their password expires. The administrators can configure the email address and the number of days from the ACS web interface. If this feature is configured in ACS, ACS verifies the users and administrators about their password expiry immediately after 5 minutes from the time of management processes are restarted. The subsequent verifications are performed every 24 hours from the last verified time. For information on this, see User Guide for Cisco Secure Access Control System 5.7.

Maximum Failed Attempts Count Policy

ACS 5.7 allows the administrator to disable the user accounts after n successive failed attempts. This feature is applicable only for internal users. ACS 5.7 introduces the login failed attempt count configuration for users and identity groups. The global login failed attempt count configuration is already available in ACS. The login failed attempt count at user level takes the precedence. If the maximum login failed attempts count is not configured at user level, then ACS proceeds to the identity group to which the user is associated. If the maximum login failed attempts count is not configured at the identity group level, then ACS proceeds to the parent group until it reaches the root in the hierarchy. If the login failed attempt count is not configured at the identity group level, then ACS proceeds to the global login failed attempt count configuration. If the user is configured less number of login failed attempt and the user group is configured with more number of login failed attempt count, ACS considers the login failed attempt count at the user level even though it is less. For more information on Maximum Failed Attempts Count Policy, see User Guide for Cisco Secure Access Control System 5.7.

New Sub-Attributes for Service Type RADIUS IETF Attribute

ACS 5.7 provides a set of standard IETF RADIUS attributes with a set of predefined sub-attributes and values. You can not edit these RADIUS IETF attributes. In ACS 5.7, you have two new sub-attributes for the RADIUS IETF attribute “Service Type” and they are:

■ HP-Oper and its ID is 252

■ HP-User and its ID is 255

You can use these two sub-attributes in policy conditions. These two sub-attributes are specifically designed for the HP devices to understand permissions of the user.

Supporting SNMP Traps for Monitoring Disk Utilization

ACS 5.7 allows you to send SNMP traps to an SNMP host if any of the above ACS partitions reaches its configured threshold disk utilization value. ACS introduces a new CLI command snmp-server trap dskThresholdLimit <value> to configure the threshold percentage for disk utilization. The threshold value in the above command represents the percentage of the available free space. After you configure this command from ACS CLI, a kron job starts running every minute and monitors the ACS partitions. If any one of the partitions reaches its threshold limit, then ACS sends a trap to the configured SNMP server with the disk path and the threshold limit value. You can view the SNMP traps using the traps receiver in a MIB browser. For information on how to configure SNMP Traps for Monitoring Disk Utilization, See User Guide for Cisco Secure Access Control System 5.7.

Log Message for CLI Administrator Account Locked Out

In ACS CLI, the administrator can enable the Lock Account option and configure the number of maximum failed attempts. If the administrator enters the wrong password for the number of times determined by the configuration, it leads to the account being locked out. Previous releases of ACS displayed the “Access Denied” message even though the account was locked due to the number of failed attempts count exceeding the threshold limit that was configured. This led to the failure of the customer in identifying the root cause of the login failure which was the maximum number of attempts being exceeded. Previous releases of ACS logged a log message in /var/log/secure file in the file system. Administrators cannot access that log messages. However, ACS 5.7 displays a log message in the ADE.log file when a CLI administrator's maximum failed attempt count exceeds the threshold limit. This helps the administrator to understand the proper reason for login failure and fix it accordingly. ACS 5.7 runs a kron job for every minute which identifies the locked accounts and sends those details to ADE logs. Administrators can verify the ADE logs if the access is denied to check if their maximum failed attempt count exceeds.

ACS displays the following log in ADE logs if the maximum failed attempt count exceeds:

Account for <username> is locked after 6 failed attempts and the latest attempt is from the host <host IP address> at <date> <time>.

Establishing New Connection from Sybase if Oracle is down

ACS 5.7 supports re-establishing the connection to Oracle database if the existing connection breaks due to a connectivity problem. When you export logs from ACS (Sybase) to Oracle database, ACS establishes a connection with the Oracle database and exports the log information. If the Oracle database goes down for some reason, previous releases of ACS did not try to establish a new connection with Oracle database, instead, it used the old connection even after the Oracle database comes up and running. To overcome this issue, ACS 5.7 establishes a new connection with the Oracle database after the Oracle database comes up and running. This feature does not require any configuration from ACS web interface.

Length Included Flags in Access Policies for TWLU Clients

Many Airplanes use Honeywell Terminal Wireless Local Area Network Unit (TWLU) clients that allows them to join a wireless network at various airports using WPA2-Enterprise EAP-TLS authentication method. The TWLU clients expects a key exchange message with L flag set in it. RFC 5216 does not require the length included flag to be set in the EAP-TLS authentications.

RFC 5216 request states:

■The L bit (length included) is set to indicate the presence of the four-octet TLS message length field and must be set for the first fragmented TLS message or set of messages.

■The M bit (more fragments) is set on all fragments except the last fragment.

The S bit (EAP-TLS start) is set in an EAP-TLS start message. This differentiates the EAP-TLS start message from a fragment acknowledgment.

To make this authentication more secure, ACS introduces a new authentication protocol called “EAP-TLS L-bit” protocol under allowed protocols section of Default Network Access page in ACS web interface. This option adds a length included flag (L-bit) in the change cipher suite specification irrespective of the number of fragments present in it. Therefore, the Honeywell TWLU clients that are looking for L flag in the change cipher suite messages will get the L flag and the EAP-TLS authentication will be successful.

Change cipher specifications and encrypted handshake message fits inside a single packet. The recommended way of implementation is to create a separate group of all TWLU units and create an access policy with L flag included in it and use that access policy for all the TWLU units so that it will not disturb the other clients.

ACS CLI Changes to TCP Parameters

ACS 5.7 introduces a few new commands to fine tune the TCP parameters when there is a huge TACACS+ traffic. The following new commands are introduced:

■ tcp recycle

■ tcp reuse

■ tcp timeout

For more information on these commands, see CLI Reference Guide for Cisco Secure Access Control System 5.7.

New Light Weight REST API (getAllDevices)

ACS 5.7 introduces a light weight getAllDevices API method that helps you to get all network resources and AAA clients information without the Network Device Group information. This API method returns only the minimal or basic information about the network resources and AAA clients in ACS. The basic information includes the name, IP address, description, device ID, version, and other authentication related details. This light weight API method does not retrieve the network device group information. This new light weight “getAllDevices” API method increases the response time to retrieve data from ACS.

If you use “getAll” API method to retrieve device information from ACS, when you have 10 devices, or 100 devices, it retrieves all information about the network devices including the network device groups quickly. But, when you have 10K devices and you try to retrieve device information using “getAll” API method, it takes around 30 minutes to process the request. Therefore, in such cases, you need to use the light weight “getAllDevices” API method. This light weight “getAllDevices” API method retrieves the limited basic information from ACS. You can use the name or ID of the device and use “getByName” or “getById” API methods to get all related information of that device and perform CRUD operations on the retrieved objects.

If you are going to use the light weight “getAllDevices” API method, you must add a version field in your database. The version field indicates that the number of times an object is modified. This version field must be increased by one every time when you update that object. When you retrieve data using “getAllDevices” method, the version field is also retrieved from ACS. You need to compare the object version in your database with the retrieved objects version from ACS. You need to compare the versions in your database with the records that are fetched from ACS. If the retrieved version of the object is different from what you have it in your database, then you need to update that object using the “getByName” or “getById” API methods.

RSA Public Key Authentication for SFTP Repository

In general, when you want to configure an SFTP repository in ACS, you need to configure it with a username and password in ACS 5.x. The password of SFTP users are changing frequently according to the system requirement. Every time when there is a change in the user password, user needs to update the password in ACS repository configuration which is troublesome. To overcome this issue, ACS allows you to configure SFTP repository with RSA public key based authentication.

In ACS 5.7, you can configure an SFTP repository with a username and RSA public key using which you can authenticate the users against the SFTP repository. For more information on configuring SFTP repository with RSA public key authentication, see User Guide for Cisco Secure Access Control System 5.7.

Installing, Setting Up, and Configuring CSACS-1121

This section describes how to install, set up, and configure the CSACS-1121 series appliance. The CSACS-1121 series appliance is preinstalled with the software.

To set up and configure the CSACS-1121:

1. Open the box containing the CSACS-1121 Series appliance and verify that it includes:

■The CSACS-1121 Series appliance

■Power cord

■Rack-mount kit

■Cisco Information Packet

■Warranty card

■ Regulatory Compliance and Safety Information for Cisco Secure Access Control System 5.7

2. Go through the specifications of the CSACS-1121 Series appliance.

For more details, see the Installation and Upgrade Guide for Cisco Secure Access Control System 5.7 .

3. Read the general precautions and safety instructions that you must follow before installing the CSACS-1121 Series appliance.

For more details, see the Installation and Upgrade Guide for Cisco Secure Access Control System 5.7 and pay special attention to all safety warnings.

4. Install the appliance in the 4-post rack, and complete the rest of the hardware installation.

For more details on installing the CSACS-1121 Series appliance, see the Installation and Upgrade Guide for Cisco Secure Access Control System 5.7.

5. Connect the CSACS-1121 Series appliance to the network, and connect either a USB keyboard and Video Graphics Array (VGA) monitor or a serial console to the serial port.

Figure 1 shows the back panel of the CSACS-1121 Series appliance and the various cable connectors.

Note: For the initial setup, you must have either a USB keyboard and VGA monitor or a serial console running terminal emulation software.

For more details, see the Installation and Upgrade Guide for Cisco Secure Access Control System 5.7.

For information on installing ACS 5.7 on VMware, see the “ Installing ACS in a VMware Virtual Machine” chapter in the Installation and Upgrade Guide for Cisco Secure Access Control System 5.7.

Figure 1 CSACS 1121 Series Appliance Rear View

 

The following table describes the callouts in Figure 1.

.

6. After completing the hardware installation, power up the appliance.

The first time you power up the appliance, you must run the setup program to configure the appliance. For more information, see Running the Setup Program.

Installing, Setting Up, and Configuring Cisco SNS-3495 or Cisco SNS-3415

The Cisco SNS-3495 and Cisco SNS-3415 appliances do not have a DVD drive. You must use the CIMC on the appliance or a bootable USB to install, set up, and configure ACS 5.7 on this appliance. For more details, see the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.7 .

This section describes how to install, set up and configure the Cisco SNS-3495 and Cisco SNS-3415 appliance. The Cisco SNS-3495 and Cisco SNS-3415 appliance are preinstalled with the software.

To set up and configure the Cisco SNS-3495 and Cisco SNS-3415:

1. Open the box containing the Cisco SNS-3495 and Cisco SNS-3415 appliances and verify that it includes:

■The Cisco SNS-3495 and Cisco SNS-3415 appliance

■Power cord

■KVM cable

■Cisco information packet

■Warranty card

■ Regulatory Compliance and Safety Information for Cisco Secure Access Control System 5.7

2. Go through the specifications of the Cisco SNS-3495 or Cisco SNS-3415 appliance.

For more details, see the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.7 .

3. Read the general precautions and safety instructions that you must follow before installing the Cisco SNS-3415 or Cisco SNS-3495 appliance.

For more details, see the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.7 and pay special attention to all safety warnings.

4. Install the appliance in the 4-post rack, and complete the rest of the hardware installation.

For more details on installing the Cisco SNS-3495 or Cisco SNS-3415 appliance, see the

Installation and Upgrade guide for the Cisco Secure Access Control System 5.7.

5. Connect the Cisco SNS-3495 or Cisco SNS-3415 appliance to the network and connect either a USB keyboard and Video Graphics Array (VGA) monitor or a serial console to the serial port.

See the Installation and Upgrade guide for Cisco Secure Access Control System 5.7 for illustrations of the front and back panel of the Cisco SNS-3495 and Cisco SNS-3415 appliance and the various cable connectors.

Note: For the initial setup, you must have either a USB keyboard and VGA monitor or a serial console running terminal-emulation software.

For more details, see the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.7 .

For information on installing ACS 5.7 on VMware, see the” Installing ACS in a VMware Virtual Machine” chapter in the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.7.

6. After completing the hardware installation, power up the appliance.

The first time you power up the appliance, you must run the setup program to configure the appliance. For more information, see the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.7.

Running the Setup Program

The setup program launches an interactive CLI that prompts you for the required parameters. An administrator can use the console or a dumb terminal to configure the initial network settings and enter the initial administrator credentials for the ACS 5.7 server that is using the setup program. The setup process is a one-time configuration task.

To configure the ACS server:

1. Power up the appliance.

The setup prompt appears:

At the login prompt, enter setup and press Enter.

The console displays a set of parameters. You must enter the parameters as described in Table 2.

Note: You can interrupt the setup process at any time by typing Ctrl-C before the last setup value is entered.

 

After you enter the parameters, the console displays:

After the ACS server is installed, the system reboots automatically. Now, you can log into ACS with the CLI username and password that was configured during the setup process.

You can use this username and password to log in to ACS only through the CLI. To log in to the web interface, you must use the predefined username ACSAdmin and password default.

When you access the web interface for the first time, you are prompted to change the predefined password for the administrator. You can also define access privileges for other administrators who will access the web interface.

Licensing in ACS 5.7

To operate ACS, you must install a valid license. ACS prompts you to install a valid license when you first access the web interface.

Each ACS instance (primary or secondary) in a distributed deployment requires a unique base license.

This section contains:

■Types of Licenses

■Upgrading an ACS Server

Types of Licenses

Table 3 lists the types of licenses that are available in ACS 5.7.

ACS 5.7 does not support auto installation of the evaluation license. Therefore, if you need an evaluation version of ACS 5.7, then you must obtain the evaluation license from Cisco.com and install ACS 5.7 manually.

If you do not have a valid SAS contract with any of the ACS products, you will not be able to download the ISO image from Cisco.com. In such case, you need to contact your local partner or the Cisco representative to get the ISO image.

Upgrading an ACS Server

If you have ACS 5.5 or ACS 5.6 installed on your machine, you can upgrade to ACS 5.7 using one of the following two methods:

■Upgrading an ACS server using the Application Upgrade Bundle

■Re imaging and upgrading an ACS server

You can perform an application upgrade on a Cisco appliance or a virtual machine only if the disk size is greater than or equal to 500 GB. If your disk size is lesser than 500 GB, you must re image to ACS 5.7, followed by a restore of the backup taken in ACS 5.5 or ACS 5.6, to move to ACS 5.7 Release.

See the Installation and Upgrade Guide for Cisco Secure Access Control System 5.7 for information on upgrading your ACS server.

Note: Upgrading to ACS 5.7 may fail if any LDAP identity store is configured without groups or attributes in it and AD identity store is not configured. To avoid this issue, before upgrading to ACS 5.7, you need to either add groups or attributes to the LDAP identity store or configure an AD identity store.

Note: You must provide full permission to NFS directory when you configure the NFS location using the backup-stagging-url command in ACS 5.7 to perform a successful On Demand Backup.

Note: You must disable FIPS before upgrading ACS 5.5 or ACS 5.6 to ACS 5.7 as FIPS cannot be disabled post-upgrade if protocols such as PAP and EAP-MD5 are needed for network access.

Applying Patches in ACS 5.7

Periodically, patches will be posted on Cisco.com that provide fixes to ACS 5.7. These patches are cumulative. Each patch includes all the fixes that were included in previous patches for the release.

In ACS 5.7, you must first install the ACS 5.7 Base patch before installing the Cumulative patch ACS 5.7.0.15.1. For subsequent patch installations, you can directly install the corresponding cumulative patches.

This section describes:

■Applying ACS 5.7 Base Patch

■Applying Cumulative Patches

Applying ACS 5.7 Base Patch

This patch addresses the issues found in ACS 5.7 patch installation process. You must install the ACS 5.7 Base Patch from the Download Software location before you start installing ACS 5.7 Cumulative Patches.

To install the ACS 5.7 base patch, complete the following steps:

1. Login to Cisco.com and navigate to Products > Security > Access Control and Policy > Secure Access Control System > Secure Access Control System 5.7.

2. Download the ACS 5.7 Base Patch.

3. Login to ACS CLI using the administrator credentials.

4. Enter the patch install command in the EXEC mode to install the base patch.

patch install ACS57BasePatch.tar.gz repository-name

ACS displays the following confirmation message:

5. Enter Yes.

6. The ACS 5.7 patch upgrade bundle displays the md5 and sha256 checksum. Compare it with the value displayed on Cisco.com at the download site. Do one of the following:

■Enter Y if the crypto hashes match. If you enter Y, ACS proceeds with the installation steps and displays the following message:

The ACS version is upgraded to the base patch.

7. Enter show application command in EXEC mode to verify the base patch installation.

ACS CLI displays the following output:

You can observe that the CLI output displays Patch 1. If you see “Patches: 1” in the CLI output, then it indicates that the ACS 5.7 base patch is installed successfully.

8. You can also enter the show version history command to view more details such as installation time, name of the patch, and the repository used information about the base patch.

ACS CLI displays the following output:

 

Note: The base patch installation does not require a restart of ACS services.

■Enter N if the crypto hashes do not match. If you enter N, ACS stops the installation process.

Removing ACS 5.7 Base Patch

1. Login to ACS CLI using the administrator credentials.

2. Enter the following command in EXEC mode of ACS CLI:

patch remove acs 1

ACS displays the following message:

3. Enter Y.

ACS displays the following message after successfully removing the patch from ACS.

Application patch successfully uninstalled.

Applying Cumulative Patches

*You can download ACS 5.7 cumulative patches from the following location:

http://software.cisco.com/download/navigator.html

Note: In ACS 5.7, you must install ACS 5.7 Base patch before installing the cumulative patch ACS 5.7.0.15.1.

To download and apply the patches:

1. Log in to Cisco.com and navigate to Products > Security > Access Control and Policy > Policy and Access Management > Cisco Secure Access Control System > Cisco Secure Access Control System 5.7.

2. Download the patch.

3. Install the ACS 5.7 cumulative patch. To do so:

Enter the following acs patch command in EXEC mode to install the ACS patch:

acs patch install patch-name .tar.gpg repository repository-name

ACS displays the following confirmation message:

Installing an ACS patch requires a restart of ACS services.

Would you like to continue? yes/no

4. Enter yes.

ACS displays the following:

Generating configuration...

Saved the ADE-OS running configuration to startup successfully

Getting bundle to local machine...

md5: aa45b77465147028301622e4c590cb84

sha256: 3b7f30d572433c2ad0c4733a1d1fb55cceb62dc1419b03b1b7ca354feb8bbcfa

% Please confirm above crypto hash with what is posted on download site.

% Continue? Y/N [Y]?

5. The ACS 5.7 upgrade bundle displays the md5 and sha256 checksum. Compare it with the value displayed on Cisco.com at the download site. Do one of the following:

■Enter Y if the crypto hashes match. If you enter Y, ACS proceeds with the installation steps.

% Installing an ACS patch requires a restart of ACS services.

Would you like to continue? yes/no

■Enter N if the crypto hashes do not match. If you enter N, ACS stops the installation process.

6. Enter yes.

The ACS version is upgraded to the applied patch. Check whether all services are running properly, using the show application status acs command from EXEC mode.

7. Enter the show application version acs command in EXEC mode and verify if the patch is installed properly or not.

ACS displays a message similar to the following one:

acs/admin# show application version acs

Table 4 Resolved Issues in ACS 5.7

Bug ID	Description
CSCua13802	The system status and the AAA status are shown as not available and zero in the dashboard.
CSCuo89940	Able to download files from an expired URL from ACS 5.x.
CSCup22665	Multiple Vulnerabilities are found in OpenSSL.
CSCup58251	Evaluating CVE-2008-5161 in Cisco Secure ACS.
CSCup90024	ACS 5.x fails to start the runtime services if an Identity Store name contains an underscore followed by a number.
CSCuq56122	Unable to launch Monitoring and Reports web interface from a secondary ACS instance in a distributed deployment using Mozilla Firefox browser.
CSCuq74150	Open Redirect vulnerability in found in ACS web interface.
CSCuq79027	Injection Vulnerability is found in ACS.
CSCuq79034	ACS bypasses authorizations.
CSCur00511	ACS evaluation for CVE-2014-6271 and CVE-2014-7169. This fix addresses the vulnerabilities identified in the bash shell by upgrading to the required system libraries. This patch fix includes security fixes, and as a result, ACS server prompts a reboot which is highly recommended for a successful installation of the patch.
CSCur07409	Modify TCP settings to enhance TACACS+ performance in ACS 5.x.
CSCur27402	Unable to Schedule reports in ACS 5.6 Reports web interface.
CSCur30345	SSLv3 Poodle vulnerability evaluation is found in ACS.
CSCur42721	Improvement is required in ACS 5.x TACACS+ threading.
CSCur59417	ACS 5.x web interface fields does not allow the single quotes, apostrophe, and plus symbols.
CSCur93568	RSA SecurID authentication fails to work when you perform authentication using RSA SecurID for the first time.
CSCus05897	Users can login to ACS and perform RADIUS authentication with expired passwords.
CSCus17482	The primary instance sends an incorrect reference to the secondary instances after deleting an object from the primary instance.
CSCus42056	Incremental backup issues in ACS View.
CSCus64212	Scheduled reports in ACS 5.6 does not display all columns.
CSCus68826	ACS 5.x is vulnerable to CVE-2015-0235.
CSCus80750	Service selection rule fails to match if the first TACACS+ ASCII request does not have the username.
CSCus97002	Favorite reports in ACS 5.6 does not display any data.
CSCut01441	Runtime crashes if ACS receives a SIGPIPE (broken pipe) signal.

Table 5 Resolved Issues in Cumulative Patch ACS 5.7.0.15.1

Bug ID	Description
CSCuv29649	ACS allows its administrators to authenticate against RSA and RADIUS SecurID Servers.
CSCuu38040	ACS allows On Demand and Scheduled export of ACS policies from ACS web interface.
CSCus43434	System overload message is received in ACS if a reset request is received during packet processing.
CSCuv07066	ACS allows changing password through REST API.
CSCus45389	ACS drops the RADIUS requests when Vendor Specific Attribute field is empty and VendorTypeField size is 1.
CSCuu11005	Local file inclusion vulnerability is found in ACS 5.x
CSCuu11002	Reflected XSS vulnerability is found in ACS 5.x.
CSCus63338	ACS View dashboard displays an error when you add a new layouts.
CSCuv44311	Database compress and ACS View database compress operations are not working properly in ACS.
CSCuv32799	TCP dumps stops working after upgrading ACS to ACS 5.7.
CSCut62022	Too many REST call to ACS can cause Denial of Service in ACS.

New Features introduced in ACS 5.7.0.15.1

ACS 5.7 patch 1 introduces the following new features:

■Authenticating Administrators against RADIUS Identity and RSA SecurID Servers

■Exporting Policies from ACS Web Interface

■Changing Internal User Password from REST API

Authenticating Administrators against RADIUS Identity and RSA SecurID Servers

Previous releases of ACS supports authenticating administrators only against Active Directory or LDAP. But, after installing ACS 5.7 patch 1, ACS supports authenticating administrators against RADIUS Identity Server and RSA SecurID Servers. This feature is available in both ACS web interface and acs-config mode of ACS CLI. This feature enhances security to administrator authentications using the One Time Password (OTP) that RADIUS Identity servers or RSA SecurID servers generate. For more information on this feature, see User Guide for Cisco Secure Access Control System 5.7.

Exporting Policies from ACS Web Interface

ACS 5.7, after installing patch 1, allows you to export the following policies and policy elements from ACS web interface as an XML file to a configured remote repository or to the configured email ids:

■Service Selection Policies

■Access Service Policies

■Network Access Policies

■Authorization Profiles

■Device Administration Policies

■Command Sets

■Shell Profiles

■Identity Policies

■Group Mapping Policies

■Authorization Policies

■Downloadable Access Lists

You must have an administrator account with SuperAdmin role to export policies from ACS web interface. ACS does not export access service policies of type external proxy. For more information, see User Guide for Cisco Secure Access Control System.

Changing Internal User Password from REST API

ACS, after installing patch 1, allows you to change the user password from REST API. You can use the GET method from REST API to retrieve the change password XML file from ACS. You can enter the old password and new password in the retrieved XML file and use the PUT method to update the same in ACS. This feature is applicable only for the internal users. For more information, see Software Developers’ Guide for Cisco Secure Access Control System.

Table 6 Resolved Issues in Cumulative Patch ACS 5.7.0.15.2

Bug ID	Description
CSCut46073	OpenSSL Vulnerabilities were found in ACS during March 2015.
CSCus42781	OpenSSL Vulnerabilities were found in ACS during January 2015.
CSCuu82493	OpenSSL Vulnerabilities were found in ACS during June 2015.
CSCuu30320	ACS server does not identify the passcode cache timeout option that is configured from ACS web interface.
CSCuu42929	End Station Filters limitation has to be relaxed in ACS 5.x.
CSCuu43343	ACS does not allow special characters for KEK and MACK keys of Network devices.
CSCuu59807	Replication issues are identified due to administrator account password change in ACS 5.x.
CSCuu75750	Updating end station filters using a.csv file fails in ACS.
CSCuu81221	Unable to delete the old subordinate CAs after installing a new CA certificate.
CSCuu93287	The report links that are provided in an email notification for alarms does not work in ACS.
CSCuv03303	ACS does not properly send emails when you export reports from ACS web interface.
CSCuv20514	Issues were found when you restore ACS 5.5 View database.
CSCuv39328	ACS management process fails to respond when there are huge number of AAA clients and you search for reports with the network device name in ACS.
CSCuv72012	ACS 5.7 displays an error when you add duplicate certificates.
CSCuv99693	ACS 5.6 does not allow special characters in command sets.
CSCuw09481	ACS 5.x is vulnerable to CVE2015-5600.
CSCuw21552	ACS 5.x displays incorrect results for all filters that you use on configuration Audit Scheduled Report.
CSCuv95363	Scheduled reports in ACS 5.x are not working after reloading the ACS server.
CSCuv58437	Unable to edit the saved reports name is ACS 5.7.
CSCuw33071	Scheduled backups in ACS 5.7 fails when you use RSA crypto keys to authenticate against SFTP repository.
CSCuu66563	Search option in ACS 5.7 displays additional fields after canceling the search results.
CSCuu94829	ACS 5.x displays an incorrect device name when ACS identifies an overlapping IP range.
CSCuv88038	ACS 5.7 has compatibility issues with Mozilla Firefox 39.0 browser.
CSCuw81495	The password types drop down does not display the available options when you apply filters for user objects and try to change your password from ACS 5.7 web interface. This issue is specific to Mozilla Firefox browser versions 39 or later.
CSCuw81477	ACS has to allow the read only user to execute the show user status command.
CSCut84046	ACS has to support 128 characters for CLI repository password.
CSCut99902	ACS does not list the identity group if you have the character / in the identity group description field.
CSCuv10632	ACS displays an error message intermittently when you execute the acs config-web-interface migration enable command.
CSCuv42038	The advanced drop option does not drop the TACACS+ requests in ACS 5.x. This issue is now resolved.
CSCuv63197	ACS runtime crashes when the last EAP fragment length is greater than the total EAP fragment length. This issue is now resolved.
CSCuw89910	ACS fails to join the Active Directory domain when the password includes the includes < or > characters.
CSCuv88723	Issues are found while changing ACS administrator password if the password includes < or > characters.
CSCuw24694	Denial of Service vulnerability is found in Secure Shell connections with ACS.
CSCuw24700	SQL injection vulnerability in ACS.
CSCuw24705	Reflective XSS vulnerability in ACS.
CSCuw24710	Dom based XSS vulnerability in ACS.
CSCuw24714	XML injection vulnerability in ACS.
CSCuw26641	Unable to execute acs troubleshoot command after an incorrect Active Directory operation.
CSCuw55386	Management process fails to start after restoring a full ACS View back in ACS 5.7 web interface.
CSCuw70238	Unable to save scheduled reports in ACS 5.x with clock time zone set as ETC/GMT+/-7.
CSCux04983	Administrator Entitlement report in ACS fails to run properly when the administrator is an operational or provisional administrator.
CSCux07030	ACS displays the following error while authentication an user after upgrading ACS from 5.4 to 5.5 version: 15020 Could not find selected Shell Profiles
CSCux16057	The NTP server status reverts back to local in ACS 5.6 and 5.7.
CSCux33250	The User Changeable Password (UCP) fails to work after enabling Enable Password Hash option in ACS 5.7.
CSCux34781	Apache Common Collections Java library vulnerability was found in ACS during December 2015.
CSCuc16427	Exporting records to a.csv file using the time stamps option does not work properly.
CSCur92646	SSLv3/TLS Renegotiation Stream Injection issue in ACS 5.7.
CSCux39905	Evaluating CVE-2015-6564 in ACS.
CSCuw89652	Unable to edit the acsadmin account details when there is a + symbol in the clocks timezone.
CSCux33426	ACS 5.7 fails to import a CSV file that has an ampersand symbol in the Network Device Group filters.
CSCux43519	Authentication lookup portlet feature in ACS 5.7 displays an internal error.
CSCut77567	NTPD vulnerabilities in April 2015.
CSCuw84970	Evaluating ACS 5.x for NTP.
CSCux44063	Secure Syslog feature is not working properly when you restart the log collector server in ACS 5.7.
CSCuy09740	ACS View reports does not display the latest records when the report has more than 25K records.
CSCuy05184	User Accounts in ACS are disabled when you configure the disable user account after n days of inactivity option though there are passed authentications within the configured number of days.
CSCuy13890	Log Recovery is stuck when a syslog message attribute length is greater than 1024.
CSCuy36585	Evaluating ACS for glibc during February 2016.

Table 7 Resolved Issues in Cumulative Patch ACS 5.7.0.15.3

Bug ID	Description
CSCuz48986	Adding or editing the Service Selection Rules in ACS using Firefox 46 erases all the rules.

Table 8 Resolved Issues in Cumulative Patch ACS 5.7.0.15.4

Bug ID	Description
CSCuv10688	ACS primary node shows the status of the secondary node as "Node not responding" though the secondary node is connected.
CSCuw24655	Protection vulnerability impacts the integrity of the system due to improper RBAC validation in ACS.
CSCuw24661	Protection vulnerability due to improper RBAC validation in ACS while accessing the Launch Monitoring and Report Viewer.
CSCux76335	Unable to restore ACS 5.5 backup on ACS 5.7/5.8 when VSA attribute changes are done.
CSCux98281	DBPurge fails when the Log Recovery feature is enabled.
CSCuy44452	Issues with Change password on next login in ACS 5.7 and ACS 5.8 if password hash is enabled for internal users.
CSCuy45998	ACS 5.7 does not allow unlocking of user account when the user reaches the password retries threshold due to incorrect password entered in the CLI.
CSCuy54597	Evaluating ACS 5.x for OpenSSL in March 2016.
CSCuy63004	Catalina.log file reaches 100-200GB in size.
CSCuy63906	ACS creates the database crash dumps in /home/ directory instead of database home directory.
CSCuy73706	Log files are not updated for a long time due to the following error: "failed to allocate a SYSV semaphore" while getting connection from the database.
CSCuy78327	DB purge on Feb 29 is deleting all the logs.
CSCuy81798	Updating TACACS shared secret details using import/export operation throws validation error when the key exceeds 32 characters.
CSCuy92367	ACS is vulnerable to CVE-2016-1907.
CSCuz11125	Logging recovery process creates duplicate records in log collector.
CSCuz11163	Logging Recovery time interval needs to be fine-tuned.
CSCuz12297	Promotion fails while configuring RSA SecurID Token Servers.
CSCuz24101	Management process does not run properly after reloading ACS.
CSCuz41442	ACS 5.7/5.8 PAC provisioning fails with Credential Time TLV.
CSCuz43689	Restoring ACS View database from GUI fails with sudo errors.
CSCuz45645	ACS throws the following error: "ProvisioningAdmin and OperationsAdmin Role should not combined with any of other roles. Please remove roles accordingly" while creating or editing the authorization rules on ACS by adding another external AD group.
CSCuz46123	Firefox 46 browser causes system failure on changing Network access Identity
CSCuz49536	After restoring the log collector backup, logging recovery does not work properly.
CSCuz49544	Few logs are missing during the logging recovery process.
CSCuz50048	Browser hangs while configuring CommandSet Arguments with double quotes.
CSCuz52505	OpenSSL Vulnerabilities were found in ACS during May 2016.
CSCuz98731	In ACS 5.7 patch 2 or 3, CLI Admin Unlock done via ISO boot remains ineffective.
CSCva23984	ACS should not be accessible using unsupported browser.
CSCva79933	ACS Stops processing RSA Authentication and displays the following error: "ACM_NO_SERVER".
CSCva81649	ACS needs to update “tzdata” for December 2016 leap second.

Table 9 Limitations in ACS Deployments

Object Type	ACS System Limits
ACS Instances	22
Hosts	150,000
Users	300,000
Identity Groups	1,000
Active Directory Group Retrieval	1,500
Network Devices	100,000
Network Device Groups	Unique top-level NDGs: 12 Network Device Group Child Hierarchy: 6 All Locations: 10,000 All Device Types: 350
Services	25
Authorization Rules	320
Conditions	8
Authorization Profile	600
Service Selection Policy (SSP)	50
Network Conditions (NARs)	3,000
ACS Admins	50
	9 static roles
dACLs	600 dACL with 100 ACEs each

Table 10 Known Issues in ACS 5.7

Bug ID	Description
CSCut84046 Password length for ACS repositories configured from ACS CLI are not fixed.	ACS allows a maximum of 15 characters for repository passwords that are configured from ACS CLI. This problem occurs when you configure repository from ACS CLI. Workaround: None. The functionality is working fine. ACS web interface allows 128 characters for repository passwords.
CSCut97299 Errors in permissions list of ProvisioningAdmin in ACS web interface.	When you navigate to System Administration > Administrators > Roles > View: “ProvisioningAdmin” in ACS web interface, the permission “Monitor and view reports” is wrongly displayed as “Monitor and view reports, Configure reports”. This problem occurs when you navigate to Navigate to System Administration > Administrators > Roles > View: “ProvisioningAdmin” and check the role permissions of ProvisioningAdmin administrator role from ACS web interface. Workaround: None. ACS displays the wrong permission names, but the functionality is not affected.
CSCuo95553 Default value of “Disable Account if Failed Attempts Exceed” feature is displayed as empty when you export Internal Users.	When you export internal users from ACS, the “Disable Account if Failed Attempts Exceed” column is displayed as an empty column if you enable this feature and set its default value. This problem occurs when you configure an internal user with default value for “Disable Account if Failed Attempts Exceed” and export the internal users to an external repository. Workaround: Reset “Disable Account if Failed Attempts Exceed” option with a value other than its default value.
CSCuo95364 ACS View wrongly displays the PEAP-GTC authentication method as PAP_ASCII in logs.	ACS View wrongly displays the PEAP GTC authentication as PAP_ASCII in logs when you perform PEAP GTC authentication in ACS. This problem occurs when you perform an PEAP GTC authentication for an internal users in ACS. Workaround: None. The reports detail page displays the authentication methods properly. You need to open the reports detail page to view the correct authentication method.
CSCuo95340 SNMP walk does not display the correct values for ACS.	The disk utilization percentage displayed in the SNMP walk against ACS server is less than the disk utilization percentage displayed when you run the command df -kh from ACS CLI. Workaround: None. You can ignore this as the percentage of disk space displayed in SNMP walk is based on the net SNMP agent Host Resources-MIB where as the disk space displayed when you run the command df -kh is from the root shell. Also, we are sending SNMP traps based on the df -kh command output.
CSCuo51027 Reason for blocking the host accounts must be displayed in ACS web interface.	The host accounts are disabled because of host account inactivity configured in ACS. But, the reason for the account being blocked is not displayed in the ACS web interface. This problem occurs when you configure host inactivity from ACS web interface. Workaround: None. You must check the reports in ACS view to know the reason for disabling hosts.
CSCuo51041 ACS must disable the user or host account Inactivity when the log collector server is not working.	The “Disable user or host accounts after n days of inactivity” feature verification should be stopped when the log collector server is not working or not receiving the passed authentication records for more than a day. This problem occurs when you have configured user or host account inactivity from ACS web interface and the log collector server is not working. Workaround: Restore the previous working backup in ACS and disable the user and host inactivity options until the log collector server is up and running properly.
CSCuo51060 ACS must stop verifying the user or host inactivity feature when there are differences between ACS and ACS view backups.	The “Disable user or host accounts after n days of inactivity” feature verification must be stopped when the ACS and ACS view backups are not synchronized. This problem occurs when you have configured user or host account inactivity from ACS web interface and the ACS and ACS view back ups are not synchronized. Workaround: 1. Restore the synchronized ACS and ACS view. 2. Uncheck the “Disable user or host accounts after n days of inactivity” feature.

Table 11 Updates to Release Notes for Cisco Secure Access Control System 5.7

Date	Description
10/20/2016	Added Resolved Issues in Cumulative Patch ACS 5.7.0.15.4
5/20/2016	Added Resolved Issues in Cumulative Patch ACS 5.7.0.15.3
3/07/2016	Added Resolved Issues in Cumulative Patch ACS 5.7.0.15.2.
8/14/2015	Added Resolved Issues in Cumulative Patch ACS 5.7.0.15.1.
5/12/2014	Cisco Secure Access Control System, Release 5.7.

Table 12 Product Documentation

Document Title	Available Formats
Cisco Secure Access Control System In-Box Documentation and China RoHS Pointer Card	http://www.cisco.com/c/en/us/support/security/ secure-access-control-system/products-documentation-roadmaps-list.html
Migration Guide for Cisco Secure Access Control System 5.7	http://www.cisco.com/c/en/us/support/security/ secure-access-control-system/products-installation-guides-list.html
User Guide for Cisco Secure Access Control System 5.7	http://www.cisco.com/c/en/us/support/security/ secure-access-control-system/products-user-guide-list.html
CLI Reference Guide for Cisco Secure Access Control System 5.7	http://www.cisco.com/c/en/us/support/security/ secure-access-control-system/products-command-reference-list.html
Supported and Interoperable Devices and Software for Cisco Secure Access Control System 5.7	http://www.cisco.com/c/en/us/support/security/ secure-access-control-system/products-device-support-tables-list.html
Installation and Upgrade Guide for Cisco Secure Access Control System 5.7	http://www.cisco.com/c/en/us/support/security/ secure-access-control-system/products-installation-guides-list.html
Software Developer’s Guide for Cisco Secure Access Control System 5.7	http://www.cisco.com/c/en/us/support/security/ secure-access-control-system/ products-programming-reference-guides-list.html
Regulatory Compliance and Safety Information for Cisco Secure Access Control System	http://www.cisco.com/c/en/us/td/docs/net_mgmt/ cisco_secure_access_control_system/5-6/regulatory/compliance/ csacsrcsi.html