Acs License File Installation Failed
Introduction

ACS is a policy-driven access control system and an integration point for network access control and identity management. The ACS 5.3 software runs either on a dedicated Cisco 1121 Secure Access Control System (CSACS-1121) appliance, or on a VMware server. However, ACS 5.3 continues to support the CSACS-1120 appliances that you have used for previous releases of ACS and that you can upgrade to ACS 5.3.

This release of ACS provides new and enhanced functionality. Throughout this documentation, CSACS-1121 refers to the appliance hardware, and ACS Server refers to the ACS software.

Note: When you install ACS 5.3 or upgrade any older version of ACS to ACS 5.3, it is strongly recommended that you install the cumulative patch 5.3.0.40.4 or a later patch as a part of this installation or upgrade process. This patch includes some important fixes that are related to the upgrade process and Active Directory operations. You must install this patch if you are using Active Directory as the identity store in ACS.

You can upgrade ACS using two methods:

– If you use the Re-imaging and Upgrading ACS Server method to upgrade ACS, you must install the cumulative patch 5.3.0.40.4 or a later patch before restoring the backed up data from ACS 5.1 or 5.2 versions.
– If you use the Upgrading an ACS Server Using Application Upgrade Bundle method to upgrade ACS, you must install the cumulative patch 5.3.0.40.4 or a later patch after the successful completion of the upgrade process. Note that, while upgrading ACS with the upgrade bundle method, some log collection related processes may not be restarted successfully. The log collection related processes will be restarted after installing the cumulative patch 5.3.0.40.4 or later.

Dial-In Attribute Support

The Dial-In Attribute feature enhancement includes:

– Dial-in permissions: You can allow, deny, and control access of dial-in permissions of a user. The permissions are checked during authentications or queries from Active Directory. It is set on the Active Directory dedicated dictionary.
– Callback: You can set up callback options. The server calls the caller back during the connection process if this option is enabled. The phone number that is used by the server is set either by the caller or the network administrator.

PEAP(EAP-TLS)

The protocol enhancements in ACS 5.3 include:

– TACACS+ Proxy: You can use the proxy server to relay requests to remote AAA servers and return the responses from them to Network Devices.
– TACACS+ CHAP and MSCHAP authentication types are supported in ACS 5.3.
– Attribute Substitution for TACACS+ shell profiles: Allows you to substitute a value of a TACACS+ attribute with the value of another attribute from one of the available dynamic dictionaries on the shell profile configuration.
– EAP Authentication Protocols: Supports EAP-TLS inner method for PEAP, in addition to EAP-MSCHAPv2 and EAP-GTC.

Policy and Identity Enhancements

The Policy and Identity enhancements in ACS 5.3 include:

– Display RSA node secret missing: Reports the status of an RSA Node Secret on the ACS Instance Setting section.
– Maximum user sessions: Allows you to restrict the user from too many concurrent user sessions. The permitted number of concurrent user sessions is between 1 and 65535.
– Account Disablement: Allows you to disable the users of Internal Identity Store when the configured date is beyond the permitted date, the configured number of days is beyond the permitted days, or the number of consecutive unsuccessful login attempts exceeds the threshold. The default value for date exceeds is 30 days from the current date. The default value for days should not be more than 60 days from the current day. The default value for failed attempts is 5.
– User Check Attributes: Allows you to create conditions that compare the values of two different attributes.
– Identity Sequence Advanced Options: ACS 5.3 authenticates the user in a sequence against the Identity Store. Now, it is possible to configure whether to proceed to the next identity source in a sequence when it is not possible to connect to the identity store. ACS goes to the next Identity Store when:
   – A user is not found in the first Identity Store.
   – An Identity Store is not available in the sequence.
– User Password Type: Allows you to set the password type of users in internal identity stores. You can select any one of the external identity store names along with internal users, to indicate against which identity store this user needs to be authenticated.
– Additional Attributes available in the policy condition: Supports two new additional attributes in the policy condition. The administrator should customize the Simple or Compound Condition option in the rule table to use these two attributes.
   – Authentication Identity Store: Enables you to configure the policy rule conditions based on the Authentication Identity Store. For example: “IF AuthenticationIdentityStore=LDAPNY then reject”. This attribute contains the name of the Identity Store used and it is updated with the relevant Identity Store name after successful authentication.
   – Number of Hours Since User Creation: Enables you to configure the policy rule conditions based on the time at which the user was created in the ACS Internal Identity Store. For example: “IF group=HelpDesk&NumberofHoursSinceUserCreation48 then reject”. This attribute contains the number of hours since the user was created in the Internal Identity Store to the time of the current authentication request.
– Wildcards for Hosts: Allows you to use wildcards while you add new hosts into the Internal Identity Store. It also allows you to enter wildcards (after you enter the first three octets) to specify all devices from the identified manufacturer.
– Network Device Ranges: Allows you to configure single or multiple ranges of IP addresses, using wildcards. The Exclude Range option allows you to exclude a set of IP addresses from the configured range. You can also filter devices, based on IP addresses.
– Look up Network Device by IP address: Allows you to search a network device, using its IP address. You can also use wildcards and the range to search a specific set of network devices.

New CLI Commands

The following are the new CLI commands in ACS 5.3:

– database-compress: database-compress reduces the ACS Database size with an option to delete the ACS Transaction table. ACS administrators can run this command to reduce the database size. This helps to reduce the database size and the time taken for backups and full synchronization that is needed for maintenance.
– acsview-db-compress: acsview-db-compress reduces the Monitoring and Report viewer database size. ACS administrators can run this command to reduce the Monitoring and Report viewer database size. This command compresses the ACS Monitoring and Report viewer database by rebuilding each table in the database and releases the unused space. This reduces the physical size of the view database.

Features Not Supported

The following features are not supported in ACS 5.3:

– The Create, Read, Update, and Delete (CRUD) operations for network device objects in REST PI.
– The Create, Read, Update, and Delete (CRUD) operations for end devices (hosts) in REST PI.
– Ability to provide IP addresses from IP address pools defined in ACS.
– Additional comparison operators for policy definitions such as full range or string and integers matching operators.
– Instance specific configuration.
– Ability to show the IP address from where the request came, in the Failed Authentications report.
– Ability to authenticate the users against an external ODBC database.
– RDBMS support for synchronization of user accounts with an external database.
– Online certificate status protocol (OCSP).
– Support for VMware installations with less than 500 GB hard disk.
– Support for VMware Tools.
– Support for Multiple Network Interface Cards (NICs).
– Remote Database with cluster setup is not supported.

Installing, Setting up and Configuring CSACS 1121

This section describes how to install, set up and configure the CSACS 1121 Series appliance. The CSACS 1121 Series appliance is preinstalled with the software.

To set up and configure the CSACS 1121:

Step 1 Open the box containing the CSACS 1121 Series appliance and verify that it includes:
– The CSACS 1121 Series appliance.
– Power cord.
– Rack-mount kit.
– Cisco Information Packet.
– Warranty card.
– Regulatory Compliance and Safety Information for Cisco Identity Services Engine, Cisco 1121 Secure Access Control System, Cisco NAC Appliance, Cisco NAC Guest Server, and Cisco NAC Profiler

Step 2 Go through the specifications of the CSACS 1121 Series appliance.

Step 3 Read the general precautions and safety instructions that you must follow before installing the CSACS 1121 Series appliance, and pay special attention to all safety warnings.

Step 4 Install the appliance in the 4-post rack, and complete the rest of the hardware installation.

Step 5 Connect the CSACS 1121 Series appliance to the network and connect either a USB keyboard and Video Graphics Array (VGA) monitor or a serial console to the serial port.

[Figure: back panel of the CSACS 1121 Series appliance and the various cable connectors]
Setup parameters (prompt, default, conditions, description):

Hostname
   Default: localhost
   Conditions: First letter must be an ASCII character. Length must be more than 2 but less than 20 characters. Valid characters are alphanumeric (A-Z, a-z, 0-9), hyphen (-), and the first character must be a letter.
   Description: Enter the hostname.

IPv4 IP Address
   Default: None, network specific
   Conditions: Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.
   Description: Enter the IP address.

IPv4 Netmask
   Default: None, network specific
   Conditions: Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.
   Description: Enter a valid netmask.

IPv4 Gateway
   Default: None, network specific
   Conditions: Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.
   Description: Enter a valid default gateway.

Domain Name
   Default: None, network specific
   Conditions: Cannot be an IP address. Valid characters are ASCII, any digit, hyphen (-), and period (.)
   Description: Enter the domain name.

IPv4 Primary Name Server Address
   Default: None, network specific
   Conditions: Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.
   Description: Enter a valid name server address.

Add/Edit another nameserver
   Default: None, network specific
   Conditions: Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.
   Description: To configure multiple name servers, enter Y.

Username
   Default: admin
   Conditions: The name of the first administrative user. You can accept the default or enter a new username. Must be more than 2 but less than 9 characters, and must be alphanumeric.
   Description: Enter the username.

Admin Password
   Default: None
   Conditions: No default password. Enter your password. The password must be at least six characters in length and have at least one lower case letter, one upper case letter, and one digit. In addition:
   – Save the user and password information for the account that you set up for initial configuration.
   – Remember and protect these credentials because they allow complete administrative control of the ACS hardware, the CLI, and the application.
   – If you lose your administrative credentials, you can reset your password by using the ACS 5.3 installation CD.
   Description: Enter the password.
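The conditions in the setup parameter table above can be checked before the values are typed at the console. The following is an added example, not Cisco code: the function names and sample answers are constructed, "ASCII" in the domain rule is assumed to mean ASCII letters, and only the conditions listed on this page are enforced.

```python
"""Pre-flight check of ACS setup answers against the rules in the table above.

Added example, not Cisco code. It enforces only the conditions this page
lists; the appliance itself may apply further checks.
"""
import ipaddress
import re

HOSTNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")  # first character a letter
USERNAME_RE = re.compile(r"[A-Za-z0-9]+")           # alphanumeric only
DOMAIN_RE = re.compile(r"[A-Za-z0-9.-]+")           # assumption: "ASCII" = ASCII letters


def is_ipv4(value):
    """True for a dotted-quad address between 0.0.0.0 and 255.255.255.255."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def check_ipv4(value):
    return [] if is_ipv4(value) else ["not a valid IPv4 address"]


def check_hostname(value):
    errors = []
    if not 2 < len(value) < 20:
        errors.append("length must be more than 2 and less than 20 characters")
    if not HOSTNAME_RE.fullmatch(value):
        errors.append("must start with a letter and use only A-Z, a-z, 0-9, hyphen")
    return errors


def check_username(value):
    errors = []
    if not 2 < len(value) < 9:
        errors.append("length must be more than 2 and less than 9 characters")
    if not USERNAME_RE.fullmatch(value):
        errors.append("must be alphanumeric")
    return errors


def check_domain(value):
    if is_ipv4(value):
        return ["cannot be an IP address"]
    if not DOMAIN_RE.fullmatch(value):
        return ["only letters, digits, hyphen and period are allowed"]
    return []


def check_password(value):
    # Messages never echo the password itself, so the report is safe to log.
    errors = []
    if len(value) < 6:
        errors.append("must be at least six characters")
    for pattern, what in ((r"[a-z]", "a lower case letter"),
                          (r"[A-Z]", "an upper case letter"),
                          (r"[0-9]", "a digit")):
        if not re.search(pattern, value):
            errors.append(f"must contain {what}")
    return errors


def validate_setup(answers):
    """Return {field: [problems]} for every field that breaks a listed rule."""
    checks = {
        "hostname": check_hostname,
        "ip_address": check_ipv4,
        "netmask": check_ipv4,
        "gateway": check_ipv4,
        "domain": check_domain,
        "username": check_username,
        "password": check_password,
    }
    problems = {}
    for field, check in checks.items():
        errors = check(answers.get(field, ""))
        if errors:
            problems[field] = errors
    bad_ns = [ns for ns in answers.get("name_servers", []) if not is_ipv4(ns)]
    if bad_ns:
        problems["name_servers"] = [f"not a valid IPv4 address: {ns}" for ns in bad_ns]
    return problems


# Constructed sample answers (documentation address ranges, made-up names).
GOOD = {"hostname": "acs-lab1", "ip_address": "192.0.2.10",
        "netmask": "255.255.255.0", "gateway": "192.0.2.1",
        "domain": "example.com", "name_servers": ["192.0.2.53"],
        "username": "admin", "password": "Str0ngPw"}
BAD = {"hostname": "1acs", "ip_address": "192.0.2.300",
       "netmask": "255.255.255.0", "gateway": "192.0.2.1",
       "domain": "10.0.0.1", "name_servers": ["192.0.2.53", "ns1"],
       "username": "administrator", "password": "secret"}

if __name__ == "__main__":
    for label, answers in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate_setup(answers) or "all listed conditions met")
```

The password rule on this page is a minimum; a six-character value such as the constructed "Str0ngPw" passes it, which says nothing about its strength for an account with full administrative control.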
After you enter the parameters, the console displays.

After the ACS server is installed, the system reboots automatically. Now, you can log into ACS with the CLI username and password that were configured during the setup process. You can use this username and password to log into ACS using only the CLI. To log into the GUI, you must use the predefined username ACSAdmin and password default. When you access the GUI for the first time, you are prompted to change the predefined password for the administrator. You can also define access privileges for other administrators who will access the GUI application.

Licenses (license, description):

Base License
   The base license is required for all deployed software instances, as well as for all appliances. The base license enables you to use all ACS functions except license controlled features, and it enables standard centralized reporting features.
   The base license:
   – Is required for all primary and secondary ACS instances.
   – Is required for all appliances.
   – Supports deployments that have a maximum of 500 managed devices.
   The following are the types of base licenses:
   – Permanent: Does not have an expiration date. Supports deployments that have a maximum of 500 managed devices.
   – Evaluation: Expires 90 days from the time the license is issued. Supports deployments that have a maximum of 50 managed devices.
   The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses, and hence the number of devices is 256.

Add-On Licenses
   Add-on licenses can only be installed on an ACS server with a permanent base license. A large deployment requires the installation of a permanent base license.
   The Security Group Access feature licenses are of three types: Permanent, Eval, and NFR. However, the permanent Security Group Access feature license can be used only with a permanent base license.

Auto-Installation of Evaluation License

If you are using a virtual machine (VM) for ACS with disk space between 60 GB and 512 GB, ACS automatically installs the evaluation license. However, you can also get the evaluation license and install it manually on the ACS server. If you use an ACS server with less than 500 GB hard disk space, Cisco does not provide support for scalability, performance, and disk space-related issues. For more information on installing ACS 5.3 on VMware, see the relevant chapter in the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.3.

Applying Cumulative Patches

Periodically, patches will be posted on Cisco.com that provide fixes to the ACS 5.3. These patches are cumulative. Each patch includes all the fixes that were included in previous patches for the release. You can download ACS 5.3 cumulative patches from the following location:

To download and apply the patches:

Step 1 Log into Cisco.com and navigate to Network Management Security Identity Management Cisco Secure Access Control System Cisco Secure Access Control System 5.3.

Step 2 Download the patch.

Step 3 Install the ACS 5.3 cumulative patch. To do this:
a. Enter the following acs patch command in the EXEC mode to install the ACS patch:
   acs patch install patch-name.tar.gpg repository repository-name
   ACS displays the following confirmation message:
   Installing an ACS patch requires a restart of ACS services. Would you like to continue?
   Yes/no

Step 4 Enter yes. The ACS version is upgraded to the applied patch. Check whether all services are running properly, using the CLI show application status acs from the EXEC mode.

Bug ID      Description
CSCtg36142  Indication of secureid file did not work properly in the Node Secret set. This problem is resolved now.
CSCta75080  MSCHAP authentication with UTF8 SAM & NETBIOS did not work against AD in Centrify configuration. This problem is resolved now.
CSCtb99448  An error was displayed in ACS Management log while performing PAP Authentication. This problem is resolved now.
CSCte57427  SNMP location and contact information were not saved on reboot in ACS 5.1. This problem is resolved now.
CSCte70665  An error message was displayed while launching the Authentication Trend page from the Dashboard. This problem is resolved now.
CSCte98032  ACS 5 partitions were not aligned properly when they were installed on VMware. This problem is resolved now.
CSCtf09891  Remote log targets did not accept classless IP formats. This problem is resolved now.
CSCtf77292  The Evaluation of domain local groups resulted in delayed authentication AD PERF. This problem is resolved now.
CSCtg62673  The Feature license with & character in the company name could not be loaded. This problem is resolved now.
CSCtg71016  Primary and Secondary servers did not accept same server certificates. This problem is resolved now.
CSCth66492  Recovery mechanism was required while reconnecting the log-collector. This problem is resolved now.
CSCti00159  Network did not function properly when the MAC address of the host was changed in ACS 5 on VMware. This problem is resolved now.
CSCti30276  Admin users could not log in after a password reset. This problem is resolved now.
CSCti36058  The user authentication in ACS 5.1 failed while searching for the server in a remote domain. This problem is resolved now.
CSCti70509  In ACS 5, Restored DB from TFTP may result in corrupted configuration. This problem is resolved now.
CSCti95750  The filter did not show any result in ACS 5.1 while using a filter for AD groups in AD1:ExternalGroups. This problem is resolved now.
CSCtj58965  AD page did not load when there were issues in DNS or DCs. This problem is resolved now.
CSCtj61100  When adding three IP name-server through CLI, you were prompted to restart ACS three times. This problem is resolved now.
CSCtj68184  Evaluation License for AM&R was not being overwritten. This problem is resolved now.
CSCtk32478  CPU utilized high memory related to CDPD process in VMware. This problem is resolved now.
CSCtk32664  ACS sent change-pass request to a wrong ID-store in the sequence. This problem is resolved now.
CSCtk76151  Changing NIC's IP address caused NTP to go out of synchronization. This problem is resolved now.
CSCtk82961  RADIUS Proxy did not forward unknown attributes. This problem is resolved now.
CSCtl05923  Remote DB sql schema related information has to be updated for export run failed operation in ACS 5.3 documents. This problem is resolved now.
CSCtl07445  Negative integer in AV pair caused exception for ACS Log Collector. This problem is resolved now.
CSCtl07664  Unable to change the Error code. This problem is resolved now.
CSCtl11307  SNMP preferences setting existed in a wrong place on the ACS VIEW. This problem is resolved now.
CSCtl42972  Runtime process restarted after adding Shell Profile. This problem is resolved now.
CSCtl52327  ACS LDAP authorization was case sensitive. This problem is resolved now.
CSCtl84778  Sometimes two processes did not run after ACS reboot. This problem is resolved now.
CSCtl85457  The unreachable servers from DNS SRV resulted in a delay in ACS. This problem is resolved now.
CSCtn05827  The enable password option in TACACS did not work properly. This problem is resolved now.
CSCtn13731  Importing or updating TACACS+ devices need COA field to be filled. This problem is resolved now.
CSCtn18359  When ACS CLI password expires with password policy cannot be reset. This problem is resolved now.
CSCtn21381  CDP data containing & character resulted in show run to fail. This problem is resolved now.
CSCtn26604  ACS 5 did not support UNICODE characters in certificates. This problem is resolved now.
CSCtn62214  Could not import the .CSV file when the custom attribute was defined for local user/hosts. This problem is resolved now.
CSCtn67457  Dynamic attributes in authorization profiles stopped working after it was changed. This problem is resolved now.
CSCtn76469  Setting RADIUS accounting on got rejected with 11014 msg. This problem is resolved now.
CSCtn78315  Backing up data failed while using SFTP if it was not transferred within 60 seconds. This problem is resolved now.
CSCtn81510  ACS 5 documents did not have clear information on getACSViewWebServicesPort for M&R. This problem is resolved now.
CSCto09231  ACS Interpreted Username in NetBIOS Format with Dot in DOMAIN as DNS. This problem is resolved now.
CSCto09337  ACS had problems with Network device filter using location or dev type. This problem is resolved now.
CSCto42187  EAP Authentication Method was not available for policy during PEAP fast reconnect. This problem is resolved now.
CSCto72525  Writing a Custom application to integrate M&R generated errors. This problem is resolved now.
CSCto72918  ACS 5.2 did not support Unicode characters in AAA client shared secret. This problem is resolved now.
CSCto77214  When ACS was overloaded, an error server workspace storage appeared. This problem is resolved now.
CSCtq07534  ACS 5 did not verify RSA keys for SFTP repositories. This problem is resolved now.
CSCtq15610  ACS Intermittent was Disconnected from AD. This problem is resolved now.
CSCtq17598  Runtime services failed to start in a shell profile attribute. This problem is resolved now.
CSCtq46433  ACS 5: Web page errors were found while filtering the device using IE8 if the device contain u. This problem is resolved now.
CSCtq61094  AD configuration affected the ACS Runtime process. This problem is resolved now.
CSCtq61125  ACS did not follow the identity store sequence. This problem is resolved now.
CSCtq61267  The password was not accepted after installing ESXi 4.x. This problem is resolved now.
CSCtq62007  Unable to save AD configuration when only user name or password was changed. This problem is resolved now.
CSCtq64672  Failure reason editor under System Configuration displayed an error for COD. This problem is resolved now.
CSCtq65124  ACS 5.2: Boolean LDAP attribute was incorrectly interpreted by ACS. This problem is resolved now.
CSCtq76307  CLI documentation did not have the updated SFTP information. This problem is resolved now.
CSCtq78681  Group Queries to Virtual Directory Server failed to return results. This problem is resolved now.
CSCtr23536  ACS 5.2: Appending domain name to SAN when trying to match account in AD resulted in the user not being found in external store database and a failed authentication. This problem is resolved now.
CSCtr24473  Radius Request were dropped by ACS without any explanation. This problem is resolved now.
CSCtr43053  The port attribute could not be used to match the rule if you used ASCII as authentication type for TACACS+ authentications. This problem is resolved now.
CSCtr57687  ACS 5.x documents did not have the information on Replicated Items. This problem is resolved now.
CSCts55739  ACS 5.2 Configuration Guide did not explain the failover scenarios. This problem is resolved now.

Bug ID      Description
CSCtn94094  Web interface for compound rules uses non-standard boolean notation.
CSCts38477  In ACS 5.2 Compound Condition, replacing 'And' logic with 'Or'. Duplicate of CSCtn94094.
CSCtq81172  Admin Web interface takes time to load for large NDG tree.
CSCtg51846  Enum values are not shown in compound conditions in the rule.
CSCto73527  Network Device Filter fails with AND Condition while using Location and Device Type.
CSCts17763  ACS may crash when Shell Profile name contains special characters.
CSCtq76294  Need an alert to be triggered when backup operation fails.
CSCts40901  Shared secret key is displayed in clear text.
CSCtq80926  Select option is not working in Compound condition LDAP External groups.
CSCts61733  Bulk CRUD operations for Shell Profile Custom Attributes.
CSCtr78192  Multiple vulnerabilities in the Cisco ACS 5 web interface.
CSCts85741  Possible SQL injection point in ACS 5.2.
CSCtr78143  Multiple Cross-Site Request Forgery and stored XSS in ACS 5.2.
CSCtu15651  ACS view upgrade failure.
CSCtu07065  ACS 5.2 to 5.3 upgrade fails.
CSCts23451  ACS 5.x needs to update the RSA SecureID API.
CSCtu36433  ACS 5.3 web interface gives very slow access after an upgrade from ACS 5.2.

Bug ID      Description
CSCtw97686  Could not edit the ACS 5.2 users after upgrading the system to ACS 5.3.
CSCtu74476  MAC address format is inconsistent in activity reports.
CSCtn26538  EAP-TLS reauthentication fails - principal username is missing.
CSCte39351  The SNMP agent process in ACS appliance daemon stops.
CSCtu89783  ACS 5 password expiration policy triggered for token users.
CSCtt14745  Cannot add groups to LDAP identity store.
CSCtt17019  ACS 5.x has issues while retrieving additional AD groups when referenced in rule.
CSCtt21122  Cannot import the command sets if you have the character slash (/) in the argument.
CSCto95888  sh acs-logs details command does not display local store log file names.
CSCtw64212  view-logprocessor Process gets stuck and the status is shown as not monitored.
CSCtu36357  ACS 5 cannot duplicate user accounts.
CSCtw67208  Administrative and Operational Audit logs are not getting recorded in ACS.
CSCtw56498  TACACS+ 'enable' request is dropped in unknown authentication type.
CSCtw97877  Installing a patch after 5.3 upgrade did not reduce the network device page load time.
CSCtx19470  ACS 5 shows a runtime error while trying to log in to the GUI when all processes are running properly.
CSCtx53340  NIL-CONTEXT error causes TACACS+ failure in ACS 5.3 TCP Listener Process.
CSCto88134  Temporary table was missing in 5.2 database after restoring the 5.1 backup.

Bug ID      Description
CSCtx11180  Sometimes, ACS fails to fetch the group info for users in trusted domain.
CSCty19628  Unassigning MS-CHAPV2 group retrieval fails. It is a duplicate of the bug CSCtx11180.
CSCtw59129  ACS5 tries to contact the domains which are not in trusted list, based on the username.
CSCty11627  ACS5 sends MS-CHAP-MPPE-Keys attribute in all access-accept packets.
CSCtw71563  ACS gets disconnected from AD if it receives duplicate A records for DC.
CSCtx90637  ACS MS-CHAPV2 is not hashing the MS-CHAP success correctly.
CSCtu15832  ACS 5.2 does not recover from an RPC failure with a domain controller.
CSCtx71254  ACS 5.3 is disconnecting from AD and unlatch is seen in ADclient logs.
CSCtx18638  Cannot add custom shell attribute with the keyword alert.
CSCtx83260  NDG locations are not showing up on the web interface.
CSCts14694  Accounting requests are seen as authentication requests.
CSCty60512  User authentication fails when having Authorization rule with built-in group.
CSCty60915  ACS 5.3 pre-authentication gets failed with AD for some users.
CSCtz03041  AD Agent cores management.
CSCty88457  ACS support bundle does not include ADclient core files.
CSCtz03084  /opt and /var full-Large AD Agent file contains file descriptor errors.
CSCtz03036  AD Agent cache should be flushed when core is generated.
CSCtz03943  ACS exposes the AD account username and password.
CSCtz03211  ACS 5.3 sends multiple authentication attempts to Active Directory.

Bug ID      Description
CSCtu21456  ACS 5.x: Intermittent password change is not working in secondary ACS.
CSCtx12249  ACS 5.x: ACS does not support TACACS Service 0x1a (Auth-Proxy).
CSCty48702  ACS 5.3 cannot export data to Oracle.
CSCtx68133  Some Secondary ACS machines show status as offline when the setup is idle.
CSCtx57296  ACS fails to open the view log collector with an irresolvable hostname in the primary machine.
CSCtx72675  ACS supports repository user name with domain name.
CSCtx55824  ACS 5.x: SQL schema file for view database export is incorrect.
CSCtu19690  Random Parse error alarms are triggered due to the radius accounting messages.
CSCtx90623  ACS web server is vulnerable to the HTTP slow header attack.
CSCty80996  Admin user with ResetUserPassword privilege cannot reset user passwords.
CSCty18371  Users without enable password option are able to set their own authentication password.
CSCtx40345  MAC addresses shown on end station filter list are incorrect.
CSCtx32481  Description is shown as null while importing NDG without a description.
CSCty16614  Resource not found or internal server error is seen with bulk filter option in ACS.
CSCtx71963  ACS 5.2: Bulk update of users ignores the changes that are made in the custom boolean attribute.
CSCtz31830  In some scenarios, Active Directory web interface group retrieval feature takes a long time to respond.
CSCtz42111  Password expiry timer is not replicated after changing the password using TACACS+.

Bug ID      Description
CSCtz24314  ACS 5.x runs out of disk space.
CSCtz49470  In ACS 5.3, you can create and restore the ACS View database from a support bundle without the help of a root patch.
CSCty53608  Core file with 4000 users is generated in TACACS+ proxy.
CSCty75050  In ACS 5.3, CHAP authentication for TACACS+ fails.
CSCtx03590  Adding NDG filter with “Replace from File” fails.
CSCty92102  RADIUS proxy does not process the response from an external RADIUS server.
CSCtz09614  Validation error that results in an ACS runtime crash occurs while editing the end station filters.
CSCtz91356  Evaluation of Local groups leads to an increase in time delay during authentication.
CSCtz83523  AD client crashes because of the passwords with non-UTF-8 characters in it.
CSCty64763  Multiple groups are selected in authorization policy.
CSCua01925  SNMP monitoring cron job is deleted when you configure a scheduled backup.
CSCua51373  Support for On Demand Purge in ACS View.
CSCua60625  ACS View database restore fails when there is enough space available in /opt.
CSCua51804  ACS View backup fails even when there is enough disk space available.
CSCua60611  Runtime service memory utility is increasing during TACACS+ authentication and accounting requests.
CSCty97947  Importing large scale configurations in ACS results in runtime memory errors upon restart.
CSCub17638  Replication fails when you import devices into the primary server.
CSCua69912  Config database gets corrupted after changing the authorization profile name which results in an internal error while accessing the web interface.

Bug ID      Description
CSCua66744  The ACS view database transaction log reaches more than 50 GB, which fills the /opt partition size.
CSCtq46211  The Lexmark Printer works fine with ACS 4.x, but it is not working properly with ACS 5.x versions.
CSCtx53223  ACS 5.3 fails to join AD domain, and the Centrify license is missing when you upgrade ACS from its previous versions.
CSCtx63760  Scalability issue: ACS drops TACACS+ requests due to a high connection rate.
CSCtx56129  The ACS 5.x replication service fails because it cannot bind to port 2030.
CSCua67150  The network device is not recorded in the RADIUS Authentication logs.
CSCub15396  ACS 5.3 does not support blank spaces in the TACACS shared secret key.
CSCua90369 ACS 5.x is creating the error message: ShellProfile.ERROR.DeviceAttrFactory.cpp:29. CSCtw84073 Unable to enter acs-config in the ACS CLI. CSCua81734 In ACS 5.x, Identity groups are truncated when you use Internet Explorer 8.x version. CSCty57491 ACS health logs are purged incorrectly.
CSCub46074 ACS 5.3 response is very slow with a large number of identity groups. CSCub40278 XSS vulnerabilities were found in ACS view pages. CSCub40291 CSRF vulnerabilities were found in ACS 5.3. CSCub40498 The password field in ACS 5.3 has the autocomplete operation enabled. CSCub40527 Unauthenticated download flaws were found in ACS 5.3.
CSCub40480 Cookie vulnerabilities were found in ACS 5.3. CSCuc65634 TACACS+ authentication bypass vulnerabilities were found in ACS 5.3. CSCub98158 The replication is not working when you register or deregister a secondary ACS instance.

Description
CSCuc31452 In ACS 5.3, exporting users to a .csv file is not working properly.
CSCtn99545 Administrators with numerical username are unable to use the dashboard.
CSCuc80049 Editing device filters results in a validation error and causes the ACS runtime to crash.
CSCuc28306 Unable to export the ACSLogInformation from ACS view to a .csv file.
CSCub98880 Sometimes, the details icon in the troubleshooting reports page is not shown.
CSCuc68843 Secondary ACS server is reported to be in Local mode incorrectly.
CSCuc93106 Upgrading from ACS 5.3 to ACS 5.4 fails.
CSCuc11436 In ACS 5.3, promoting a secondary ACS remotely from a primary ACS fails.
CSCuc06451 ACS cannot find the global catalogs.
CSCub82913 ADclient cache issue - Authentication fails when you change the OU in a multiple domain controller environment.
CSCud06310 TCP socket exhaustion causes ACS 5.x to crash.
CSCub60424 Unable to register ACS in the deployment while the import operation is in progress.
CSCuc08568 Unable to register machines to the deployment.
CSCtx45515 PI REST support for Network Devices, Device Groups, and Hosts.

Description
CSCud40928 The secondary instance management process remains in initializing state after deregistering it from the deployment.
CSCue86879 Added NTP service as a part of ACS services in ACS 5.3.
CSCud88921 NTP fails for some time after changing the local clock time.
CSCue35765 An invalid alarm is shown that says, “DBPurge is not running for the past two days.”
CSCue43289 Rules in Access Policies are pushed to the end of the list when you use filter to search or make any changes in them.
CSCud75174 Client-side filtering option in ACS leads to XSS attack.
CSCud75177 CSRF vulnerabilities found in ACS admin and ACS view pages.

License Issues
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses.
In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.

OpenSSL License:
Copyright © 1998-2007 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( )”.
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( )”.
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

Original SSLeay License:
Copyright © 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code.
The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com). Copyright remains Eric Young’s, and as such any Copyright notices in the code are not to be removed.
If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: “This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)”. The word ‘cryptographic’ can be left out if the routines from the library being used are not cryptography-related.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson (tjh@cryptsoft.com)”.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be changed. This code cannot simply be copied and put under another distribution license including the GNU Public License.
Supplemental License Agreement END USER LICENSE AGREEMENT SUPPLEMENT FOR CISCO SYSTEMS ACCESS CONTROL SYSTEM SOFTWARE: IMPORTANT: READ CAREFULLY This End User License Agreement Supplement ('Supplement') contains additional terms and conditions for the Software Product licensed under the End User License Agreement ('EULA') between you and Cisco (collectively, the 'Agreement'). Capitalized terms used in this Supplement but not defined will have the meanings assigned to them in the EULA. To the extent that there is a conflict between the terms and conditions of the EULA and this Supplement, the terms and conditions of this Supplement will take precedence. In addition to the limitations set forth in the EULA on your access and use of the Software, you agree to comply at all times with the terms and conditions provided in this Supplement. DOWNLOADING, INSTALLING, OR USING THE SOFTWARE CONSTITUTES ACCEPTANCE OF THE AGREEMENT, AND YOU ARE BINDING YOURSELF AND THE BUSINESS ENTITY THAT YOU REPRESENT (COLLECTIVELY, 'CUSTOMER') TO THE AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THE AGREEMENT, THEN CISCO IS UNWILLING TO LICENSE THE SOFTWARE TO YOU AND (A) YOU MAY NOT DOWNLOAD, INSTALL OR USE THE SOFTWARE, AND (B) YOU MAY RETURN THE SOFTWARE (INCLUDING ANY UNOPENED CD PACKAGE AND ANY WRITTEN MATERIALS) FOR A FULL REFUND, OR, IF THE SOFTWARE AND WRITTEN MATERIALS ARE SUPPLIED AS PART OF ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE PRODUCT FOR A FULL REFUND.
YOUR RIGHT TO RETURN AND REFUND EXPIRES 30 DAYS AFTER PURCHASE FROM CISCO OR AN AUTHORIZED CISCO RESELLER, AND APPLIES ONLY IF YOU ARE THE ORIGINAL END USER PURCHASER.

Product Names
For purposes of this Supplement, the Product name(s) and the Product description(s) you may order as part of Access Control System Software are: A.
Advanced Reporting and Troubleshooting License Enables custom reporting, alerting and other monitoring and troubleshooting features.
Large Deployment License Allows deployment to support more than 500 network devices (AAA clients that are counted by configured IP addresses). That is, the Large Deployment license enables the ACS deployment to support an unlimited number of network devices in the enterprise.
Advanced Access License (not available for Access Control System Software 5.0, will be released with a future Access Control System Software release) Enables Security Group Access policy control functionality and other advanced access features.

ADDITIONAL LICENSE RESTRICTIONS.
Installation and Use. The Cisco Secure Access Control System (ACS) Software component of the Cisco 1121 Hardware Platform is preinstalled. CDs containing tools to restore this Software to the 1121 hardware are provided to Customer for reinstallation purposes only. Customer may only run the supported Cisco Secure Access Control System Software Products on the Cisco 1121 Hardware Platform designed for its use. No unsupported Software product or component may be installed on the Cisco 1121 Hardware Platform.
Software Upgrades, Major and Minor Releases. Cisco may provide Cisco Secure Access Control System Software upgrades for the 1121 Hardware Platform as Major Upgrades or Minor Upgrades. If the Software Major Upgrades or Minor Upgrades can be purchased through Cisco or a recognized partner or reseller, the Customer should purchase one Major Upgrade or Minor Upgrade for each Cisco 1121 Hardware Platform. If the Customer is eligible to receive the Software release through a Cisco extended service program, the Customer should request to receive only one Software upgrade or new version release per valid service contract.
Reproduction and Distribution. Customer may not reproduce nor distribute software.

DEFINITIONS
Major Upgrade means a release of Software that provides additional software functions. Cisco designates Major Upgrades as a change in the ones digit of the Software version number (x).x.x.
Minor Upgrade means an incremental release of Software that provides maintenance fixes and additional software functions. Cisco designates Minor Upgrades as a change in the tenths digit of the Software version number x.(x).x.

DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS
Please refer to the Cisco Systems, Inc., End User License Agreement.
Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.