
Release Notes for Cisco Secure Access Control System 5.3

Revised: October 22, 2012 OL-24203-01

These release notes pertain to the Cisco Secure Access Control System (ACS), release 5.3, hereafter referred to as ACS 5.3. These release notes provide information on the features, related documentation, resolved issues, and known issues for functionality in this release. This document contains:

· Introduction, page 3
· New and Changed Features, page 3
· SFTP Copy, page 6
· Features Not Supported, page 6
· Supported Virtual Environments, page 7
· Supported Web Client/Browsers, page 7
· Installation and Upgrade Notes, page 7
· Resolved ACS Issues, page 13
· Resolved Issues in Cumulative Patch ACS 5.3.0.40.1, page 17
· Resolved Issues in Cumulative Patch ACS 5.3.0.40.2, page 18
· Resolved Issues in Cumulative Patch ACS 5.3.0.40.3, page 19
· Resolved Issues in Cumulative Patch ACS 5.3.0.40.4, page 19
· Resolved Issues in Cumulative Patch ACS 5.3.0.40.5, page 20
· Resolved Issues in Cumulative Patch ACS 5.3.0.40.6, page 21
· Resolved Issues in Cumulative Patch ACS 5.3.0.40.7, page 22
· Known ACS Issues, page 24
· Documentation Updates, page 33
· Product Documentation, page 34
· Notices, page 35
· Supplemental License Agreement, page 37
· Obtaining Documentation and Submitting a Service Request, page 38

Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA


Introduction

ACS is a policy-driven access control system and an integration point for network access control and identity management. The ACS 5.3 software runs either on a dedicated Cisco 1121 Secure Access Control System (CSACS-1121) appliance or on a VMware server. ACS 5.3 also continues to support the CSACS-1120 appliances that you used for previous releases of ACS; you can upgrade those appliances to ACS 5.3. This release of ACS provides new and enhanced functionality. Throughout this documentation, CSACS-1121 refers to the appliance hardware, and ACS Server refers to the ACS software.

Note

When you install ACS 5.3 or upgrade any older version of ACS to ACS 5.3, you are strongly recommended to install the cumulative patch 5.3.0.40.4 or a later patch as part of the installation or upgrade process. This patch includes important fixes related to the upgrade process and to Active Directory operations. You must install this patch if you are using Active Directory as the identity store in ACS. You can upgrade ACS using two methods. For more information on upgrading ACS, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/installation/guide/csacs_upg.html#wp1194859. If you use the Re-imaging and Upgrading ACS Server method to upgrade ACS, you must install the cumulative patch 5.3.0.40.4 or a later patch before restoring the data backed up from ACS 5.1 or 5.2. If you use the Upgrading an ACS Server Using Application Upgrade Bundle method to upgrade ACS, you must install the cumulative patch 5.3.0.40.4 or a later patch after the upgrade process completes successfully. Note that, while upgrading ACS with the upgrade bundle method, some log collection related processes may not be restarted successfully. The log collection related processes are restarted after you install the cumulative patch 5.3.0.40.4 or later. See Applying Cumulative Patches, page 13 to install the cumulative patch in ACS.

Note

ACS 5.3 does not retrieve domain local groups of users when you install patch 3 or a later patch.

Note

When you import or export a .csv file from ACS 5.x, you need to turn off the popup blocker.

New and Changed Features

This release of ACS provides improved parity with 4.x. The following sections briefly describe the new and changed features in the 5.3 release:

· Dial-In Attribute Support, page 4
· PEAP(EAP-TLS), page 4
· Policy and Identity Enhancements, page 4
· New CLI Commands, page 6
· View Log Message Recovery, page 6
· Programmatic Interface Enhancements, page 6

Dial-In Attribute Support

The Dial-In Attribute feature enhancement includes:

· Dial-in permissions: You can allow, deny, and control a user's dial-in permissions. The permissions are checked during authentications or queries from Active Directory. This is set in the Active Directory dedicated dictionary.

· Callback: You can set up callback options. If this option is enabled, the server calls the caller back during the connection process. The phone number that the server uses is set either by the caller or by the network administrator.

PEAP(EAP-TLS)

The protocol enhancements in ACS 5.3 include:

· TACACS+ Proxy: You can use the proxy server to relay requests to remote AAA servers and return their responses to network devices.

· TACACS+ CHAP and MSCHAP authentication types are supported in ACS 5.3.

· Attribute Substitution for TACACS+ shell profiles: Allows you to substitute the value of a TACACS+ attribute with the value of another attribute from one of the available dynamic dictionaries in the shell profile configuration. For more information related to TACACS+ authentications, see User Guide for Cisco Secure Access Control System 5.3.

· EAP Authentication Protocols: Supports EAP-TLS as an inner method for PEAP, in addition to EAP-MSCHAPv2 and EAP-GTC.

Policy and Identity Enhancements

The Policy and Identity enhancements in ACS 5.3 include:

· Display RSA node secret missing: Reports the status of the RSA Node Secret in the ACS Instance Setting section.

· Maximum user sessions: Allows you to restrict a user from opening too many concurrent sessions. The permitted number of concurrent user sessions is between 1 and 65535. For more information on this, see User Guide for Cisco Secure Access Control System 5.3.

· Account Disablement: Allows you to disable users of the Internal Identity Store when the configured date is beyond the permitted date, the configured number of days is beyond the permitted days, or the number of consecutive unsuccessful login attempts exceeds the threshold. The default value for date exceeds is 30 days from the current date. The default value for days should not be more than 60 days from the current day. The default value for failed attempts is 5. For more information on this, see User Guide for Cisco Secure Access Control System 5.3.

· User Check Attributes: Allows you to create conditions that compare the values of two different attributes.

· Identity Sequence Advanced Options: ACS 5.3 authenticates the user in a sequence against the Identity Stores. Now, it is possible to configure whether to proceed to the next identity source in a sequence when it is not possible to connect to the identity store. ACS goes to the next Identity Store when:
  - A user is not found in the first Identity Store.
  - An Identity Store in the sequence is not available.

· User Password Type: Allows you to set the password type of users in internal identity stores. You can select any one of the external identity store names, along with internal users, to indicate the identity store against which this user needs to be authenticated. For more information on User Password Type, see User Guide for Cisco Secure Access Control System 5.3.

· Additional Attributes available in the policy condition: Supports two new attributes in the policy condition. The administrator should customize the Simple or Compound Condition option in the rule table to use these two attributes.
  - Authentication Identity Store: Enables you to configure the policy rule conditions based on the Authentication Identity Store. For example: IF AuthenticationIdentityStore=LDAP_NY then reject. This attribute contains the name of the Identity Store used, and it is updated with the relevant Identity Store name after successful authentication.
  - Number of Hours Since User Creation: Enables you to configure the policy rule conditions based on the time at which the user was created in the ACS Internal Identity Store. For example: IF group=HelpDesk&NumberofHoursSinceUserCreation>48 then reject. This attribute contains the number of hours from the time the user was created in the Internal Identity Store to the time of the current authentication request.

· Wildcards for Hosts: Allows you to use wildcards while you add new hosts into the Internal Identity Store. It also allows you to enter wildcards (after you enter the first three octets) to specify all devices from the identified manufacturer. For more information on this, see User Guide for Cisco Secure Access Control System 5.3.

· Network Device Ranges: Allows you to configure single or multiple ranges of IP addresses, using wildcards. The Exclude Range option allows you to exclude a set of IP addresses from the configured range. You can also filter devices based on IP addresses.

· Look up Network Device by IP address: Allows you to search for a network device using its IP address. You can also use wildcards and ranges to search a specific set of network devices.
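The following is an added example, not code from the release notes or from Cisco, that models two of the enhancements above: the identity-sequence rule (advance on "user not found" always, advance on "store unavailable" only when the advanced option is enabled, stop on a wrong password) and the two policy rule examples quoted for AuthenticationIdentityStore and the hours-since-creation attribute. Store names, users, passwords and timestamps are constructed sample data.

```python
"""Added example (not from the release notes or from Cisco): a model of the
ACS 5.3 identity-sequence behaviour and of the two new policy-condition
attributes. Store names, users, passwords and timestamps are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


class StoreUnavailable(Exception):
    """The identity store could not be contacted (LDAP/AD down, DNS failure)."""


@dataclass
class IdentityStore:
    name: str
    users: dict                                   # username -> password
    created: dict = field(default_factory=dict)   # username -> creation time
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> Optional[bool]:
        """None = user not found; True/False = user found, password ok/wrong."""
        if not self.reachable:
            raise StoreUnavailable(self.name)
        if user not in self.users:
            return None
        return self.users[user] == password


@dataclass
class AuthResult:
    status: str                  # "pass", "fail", "not_found" or "unavailable"
    store: Optional[str] = None  # becomes the AuthenticationIdentityStore attribute


def authenticate_sequence(stores, user, password, proceed_on_unavailable):
    """Walk the identity sequence in order. ACS always advances when the user
    is not found in a store; it advances past an unreachable store only when
    the advanced option is enabled. A user that is found but presents a wrong
    password ends the sequence, so a bad credential is never retried downstream."""
    for store in stores:
        try:
            outcome = store.authenticate(user, password)
        except StoreUnavailable:
            if proceed_on_unavailable:
                continue
            return AuthResult("unavailable", store.name)
        if outcome is None:
            continue
        return AuthResult("pass" if outcome else "fail", store.name)
    return AuthResult("not_found")


def hours_since_creation(store, user, now) -> Optional[float]:
    """NumberOfHoursSinceUserCreation; only defined for the internal store."""
    created = store.created.get(user)
    return None if created is None else (now - created).total_seconds() / 3600


def evaluate_rules(attrs: dict) -> str:
    """The two rule examples quoted above, applied after a successful
    authentication; the default result is permit."""
    if attrs.get("AuthenticationIdentityStore") == "LDAP_NY":
        return "reject"
    hours = attrs.get("NumberOfHoursSinceUserCreation")
    if attrs.get("group") == "HelpDesk" and hours is not None and hours > 48:
        return "reject"
    return "permit"


def authorize(stores, user, password, group, now, proceed_on_unavailable=True):
    """Identity sequence first, then the policy rules on the resulting attributes.
    Returns (sequence status, store that answered, permit/reject)."""
    result = authenticate_sequence(stores, user, password, proceed_on_unavailable)
    if result.status != "pass":
        return result.status, result.store, "reject"
    store = next(s for s in stores if s.name == result.store)
    attrs = {
        "AuthenticationIdentityStore": result.store,
        "group": group,
        "NumberOfHoursSinceUserCreation": hours_since_creation(store, user, now),
    }
    return result.status, result.store, evaluate_rules(attrs)


# Constructed sample deployment: internal store, then a remote LDAP that is down, then AD.
NOW = datetime(2012, 10, 22, 12, 0, tzinfo=timezone.utc)
INTERNAL = IdentityStore(
    "Internal Users",
    users={"alice": "Secret1", "bob": "Pass2"},
    created={"alice": datetime(2012, 10, 22, 2, 0, tzinfo=timezone.utc),  # 10 h old
             "bob": datetime(2012, 10, 18, 8, 0, tzinfo=timezone.utc)},  # 100 h old
)
LDAP_NY = IdentityStore("LDAP_NY", users={"carol": "Carol1"}, reachable=False)
AD1 = IdentityStore("AD1", users={"carol": "Carol1", "alice": "Other9"})
SEQUENCE = [INTERNAL, LDAP_NY, AD1]
```

Note that alice with the password Other9 fails at the internal store and is never retried against AD1, where that password would have matched; only "not found" and (optionally) "unavailable" move the sequence on.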

New CLI Commands

The following are the new CLI commands in ACS 5.3:

· database-compress

database-compress reduces the ACS database size, with an option to delete the ACS Transaction table. ACS administrators can run this command to reduce the database size. This also reduces the time taken for backups and for the full synchronization that is needed for maintenance. For more information on this command, see the CLI Reference Guide for Cisco Secure Access Control System 5.3.

· acsview-db-compress

acsview-db-compress reduces the Monitoring and Report Viewer database size. ACS administrators can run this command to reduce the Monitoring and Report Viewer database size. This command compresses the ACS Monitoring and Report Viewer database by rebuilding each table in the database and releasing the unused space. This reduces the physical size of the View database. For more information on this command, see CLI Reference Guide for Cisco Secure Access Control System 5.3.

View Log Message Recovery

ACS 5.3 provides a new feature to recover any logs that are missed while the View is down. ACS collects these missed logs and stores them in its database. Using this feature, you can retrieve the missed logs from the ACS database to the View database after the View is up again. To use this feature, you must set Log Message Recovery Configuration to on. For more details on configuring View Log Message Recovery, see User Guide for Cisco Secure Access Control System 5.3.

Programmatic Interface Enhancements

ACS 5.3 provides a new configuration web service. This interface allows you to perform the CRUD (Create, Read, Update, and Delete) methods. The Configuration web services are implemented as REST interfaces over HTTPS. This support is only for the user definitions. For more information on this, see Software Developer's Guide for Cisco Secure Access Control System 5.3.

SFTP Copy

In ACS 5.3, SSH File Transfer Protocol (SFTP) is implemented by Secure Copy Protocol (SCP).

Features Not Supported

The following features are not supported in ACS 5.3:

· The Create, Read, Update, and Delete (CRUD) operations for network device objects in REST PI.
· The Create, Read, Update, and Delete (CRUD) operations for end devices (hosts) in REST PI.
· Ability to provide IP addresses from IP address pools defined in ACS.
· Additional comparison operators for policy definitions, such as full range or string and integer matching operators.
· Instance-specific configuration.
· Ability to show the IP address from where the request came in the Failed Authentications report.
· Ability to authenticate users against an external ODBC database.
· RDBMS support for synchronization of user accounts with an external database.
· Online Certificate Status Protocol (OCSP).
· Support for VMware installations with less than 500 GB hard disk.
· Support for VMware Tools.
· Support for multiple Network Interface Cards (NICs).

Supported Virtual Environments

ACS 5.3 supports the following virtual environment platforms:

· VMware ESX 3.5
· VMware ESX 4.0
· VMware ESXi 4.1
· VMware ESXi 5.0

Supported Web Client/Browsers

You can access ACS 5.3 administrative user interface using the following Web Client/Browsers:

· Windows 7 32 bit
· Internet Explorer version 7.x
· Internet Explorer version 8.x
· Mozilla Firefox version 3.x

Installation and Upgrade Notes

This section provides information on the installation tasks and configuration process for ACS 5.3. This section contains:

· Installing, Setting up and Configuring CSACS 1121, page 8
· Running the Setup Program, page 9
· Licensing in ACS 5.3, page 11
· Upgrading an ACS Server, page 12
· Applying Cumulative Patches, page 13

Installing, Setting up and Configuring CSACS 1121

This section describes how to install, set up and configure the CSACS 1121 Series appliance. The CSACS 1121 Series appliance is preinstalled with the software. To set up and configure the CSACS 1121:

Step 1

Open the box containing the CSACS 1121 Series appliance and verify that it includes:

· The CSACS 1121 Series appliance
· Power cord
· Rack-mount kit
· Cisco Information Packet
· Warranty card
· Regulatory Compliance and Safety Information for Cisco Identity Services Engine, Cisco 1121 Secure Access Control System, Cisco NAC Appliance, Cisco NAC Guest Server, and Cisco NAC Profiler

Step 2

Go through the specifications of the CSACS 1121 Series appliance. For more details, see Installation and Upgrade Guide for the Cisco Secure Access Control System 5.3.

Step 3

Read the general precautions and safety instructions that you must follow before installing the CSACS 1121 Series appliance. For more details, see Installation and Upgrade Guide for the Cisco Secure Access Control System 5.3 and pay special attention to all safety warnings.

Step 4

Install the appliance in the 4-post rack, and complete the rest of the hardware installation. For more details on installing the CSACS 1121 Series appliance, see Installation and Upgrade Guide for the Cisco Secure Access Control System 5.3.

Step 5

Connect the CSACS 1121 Series appliance to the network and connect either a USB keyboard and Video Graphics Array (VGA) monitor or a serial console to the serial port. Figure 1 shows the back panel of the CSACS 1121 Series appliance and the various cable connectors.

Note

For the initial setup, you must have either a USB keyboard and VGA monitor or a serial console running terminal-emulation software.

For more details, see Installation and Upgrade Guide for the Cisco Secure Access Control System 5.3. For information on installing ACS 5.3 on VMware, see the Installing ACS in a VMware Virtual Machine chapter in the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.3.


Figure 1 CSACS 1121 Series Appliance Rear View

[Figure: rear view of the CSACS 1121 Series appliance, with callouts 1 through 8 identifying the connectors listed below]

The following table describes the callouts in Figure 1.

1 AC power receptacle
2 (Blocked) Gigabit Ethernet
3 Serial connector
4 Video connector
5 (Blocked) Gigabit Ethernet 1
6 (In Use) Gigabit Ethernet 0
7 USB 3 connector
8 USB 4 connector

Step 6

After completing the hardware installation, power up the appliance. The first time you power up the appliance, you must run the setup program to configure the appliance. For more information, see Running the Setup Program, page 9.

Running the Setup Program

The setup program launches an interactive CLI that prompts you for the required parameters. An administrator can use the console or a dumb terminal to configure the initial network settings and enter the initial administrator credentials for the ACS 5.3 server that is using the setup program. The setup process is a one-time configuration task. To configure the ACS Server:

Step 1

Power up the appliance. The setup prompt appears:

Please type `setup' to configure the appliance
localhost login:

Step 2

At the login prompt, enter setup and press Enter. The console displays a set of parameters. You must enter the parameters as described in Table 1.

Note

You can interrupt the setup process at any time by typing Ctrl-C before the last setup value is entered.


Table 1 Network Configuration Prompts

Hostname
Default: localhost
Conditions: First letter must be an ASCII character. Length must be more than 2 but less than 20 characters. Valid characters are alphanumeric (A-Z, a-z, 0-9) and hyphen (-), and the first character must be a letter.
Description: Enter the hostname.

IPv4 IP Address
Default: None, network specific
Conditions: Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.
Description: Enter the IP address.

IPv4 Netmask
Default: None, network specific
Conditions: Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.
Description: Enter a valid netmask.

IPv4 Gateway
Default: None, network specific
Conditions: Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.
Description: Enter a valid default gateway.

Domain Name
Default: None, network specific
Conditions: Cannot be an IP address. Valid characters are ASCII characters, any digit, hyphen (-), and period (.).
Description: Enter the domain name.

IPv4 Primary Name Server Address
Default: None, network specific
Conditions: Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.
Description: Enter a valid name server address.

Add/Edit another nameserver
Default: None, network specific
Conditions: Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.
Description: To configure multiple name servers, enter Y.

Username
Default: admin
Conditions: The name of the first administrative user. You can accept the default or enter a new username. Must be more than 2 but less than 9 characters, and must be alphanumeric.
Description: Enter the username.

Admin Password
Default: None
Conditions: No default password. Enter your password. The password must be at least six characters in length and have at least one lower case letter, one upper case letter, and one digit. In addition:
· Save the user and password information for the account that you set up for initial configuration. Remember and protect these credentials because they allow complete administrative control of the ACS hardware, the CLI, and the application. If you lose your administrative credentials, you can reset your password by using the ACS 5.3 installation CD.
Description: Enter the password.

After you enter the parameters, the console displays:

localhost login: setup
Enter hostname[]: acs-server-1
Enter IP address[]: 209.165.200.225
Enter IP default netmask[]: 255.255.255.0
Enter IP default gateway[]: 209.165.200.1
Enter default DNS domain[]: mycompany.com
Enter Primary nameserver[]: 209.165.200.254
Add/Edit another nameserver? Y/N : n
Enter username [admin]: admin
Enter password:
Enter password again:
Pinging the gateway...
Pinging the primary nameserver...
Do not use `Ctrl-C' from this point on...
Appliance is configured
Installing applications...
Installing acs...
Generating configuration...
Rebooting...

After the ACS server is installed, the system reboots automatically. Now, you can log into ACS with the CLI username and password that were configured during the setup process. You can use this username and password to log into ACS using only the CLI. To log into the GUI, you must use the predefined username ACSAdmin and password default. When you access the GUI for the first time, you are prompted to change the predefined password for the administrator. You can also define access privileges for other administrators who will access the GUI application.

Licensing in ACS 5.3

To operate ACS, you must install a valid license. ACS prompts you to install a valid license when you first access the web interface. Each ACS instance (primary or secondary) in a distributed deployment requires a unique base license. This section contains:

· Types of Licenses, page 12
· Auto-Installation of Evaluation License, page 12


Types of Licenses

Table 2 lists the types of licenses available in ACS 5.3.

Table 2 ACS License Support

Base License

The base license is required for all deployed software instances, as well as for all appliances. The base license enables you to use all ACS functions except license-controlled features, and it enables standard centralized reporting features. The base license:

· Is required for all primary and secondary ACS instances.
· Is required for all appliances.
· Supports deployments that have a maximum of 500 managed devices.

The following are the types of base licenses:

· Permanent: Does not have an expiration date. Supports deployments that have a maximum of 500 managed devices.
· Evaluation: Expires 90 days from the time the license is issued. Supports deployments that have a maximum of 50 managed devices.

The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses, and hence the number of devices is 256.

Add-On Licenses

Add-on licenses can only be installed on an ACS server with a permanent base license. A large deployment requires the installation of a permanent base license. The Security Group Access feature licenses are of three types: Permanent, Eval, and NFR. However, the permanent Security Group Access feature license can be used only with a permanent base license.
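The following is an added example, not code from the release notes or from Cisco, that applies the device-counting rule in Table 2 to a list of configured network devices: each configured address counts once, a subnet mask counts every address in the subnet (255.255.255.0 gives 256), overlapping entries are counted only once, and the total is compared with the 500-device permanent and 50-device evaluation caps. The device list and the LICENSE_LIMITS table are constructed from the figures above.

```python
"""Added example (not from the release notes or from Cisco): counts the managed
devices a base license must cover, using the unique-IP-address rule in Table 2,
and checks the total against the permanent and evaluation license caps."""
import ipaddress

# Managed-device caps for the two base license types listed in Table 2.
LICENSE_LIMITS = {"permanent": 500, "evaluation": 50}


def licensed_addresses(network_devices):
    """Return the set of unique IPv4 addresses covered by the device definitions.

    Each entry is (address, netmask). A single host uses 255.255.255.255 and
    counts once; a masked entry counts every address in the subnet, as the
    licensing rule describes (255.255.255.0 -> 256 addresses). Because the
    result is a set, duplicate or overlapping entries are counted only once."""
    covered = set()
    for address, netmask in network_devices:
        network = ipaddress.IPv4Network((address, netmask), strict=False)
        covered.update(network)   # iterates every address in the network
    return covered


def device_count(network_devices):
    """Number of managed devices the configuration consumes against the license."""
    return len(licensed_addresses(network_devices))


def fits_license(network_devices, license_type):
    """True when the configured device count is within the cap for license_type."""
    return device_count(network_devices) <= LICENSE_LIMITS[license_type]


# Constructed sample: two individually defined switches, one /24 branch range,
# and a duplicate host entry that must not be double counted.
SAMPLE_DEVICES = [
    ("10.1.1.10", "255.255.255.255"),
    ("10.1.1.11", "255.255.255.255"),
    ("10.20.0.0", "255.255.255.0"),
    ("10.1.1.10", "255.255.255.255"),
]

if __name__ == "__main__":
    n = device_count(SAMPLE_DEVICES)
    print(f"{n} managed devices; permanent ok: {fits_license(SAMPLE_DEVICES, 'permanent')};"
          f" evaluation ok: {fits_license(SAMPLE_DEVICES, 'evaluation')}")
```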

Auto-Installation of Evaluation License

If you are using a virtual machine (VM) for ACS with disk space between 60 GB and 512 GB, ACS automatically installs the evaluation license. However, you can also get the evaluation license and install it manually on the ACS server. If you use an ACS server with less than 500 GB hard disk space, Cisco does not provide support for scalability, performance, and disk space-related issues. For more information on installing ACS 5.3 on VMware, see Installing ACS in a VMware Virtual Machine chapter in the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.3.

Upgrading an ACS Server

See Installation and Upgrade Guide for Cisco Secure Access Control System 5.3 for information on upgrading your ACS Server.


Applying Cumulative Patches

Periodically, patches will be posted on Cisco.com that provide fixes to ACS 5.3. These patches are cumulative. Each patch includes all the fixes that were included in previous patches for the release. You can download ACS 5.3 cumulative patches from the following location: http://www.cisco.com/cisco/web/download/index.html

To download and apply the patches:

Step 1

Log into Cisco.com and navigate to Network Management > Security > Identity Management > Cisco Secure Access Control System > Cisco Secure Access Control System 5.3.

Step 2

Download the patch.

Step 3

Install the ACS 5.3 cumulative patch. To do this:

a.

Enter the following acs patch command in EXEC mode to install the ACS patch:

acs patch install patch-name.tar.gpg repository repository-name

ACS displays the following confirmation message:

Installing an ACS patch requires a restart of ACS services. Would you like to continue? yes/no

Step 4

Enter yes. The ACS version is upgraded to the applied patch. Check whether all services are running properly, using the CLI command show application status acs from EXEC mode.

Resolved ACS Issues

Table 3 lists the issues that are resolved in ACS 5.3.

Table 3 Resolved Issues in ACS 5.3

CSCtg36142 Indication of secureid file did not work properly in the Node Secret set. This problem is resolved now.
CSCta75080 MSCHAP authentication with UTF8 SAM & NETBIOS did not work against AD in Centrify configuration. This problem is resolved now.
CSCtb99448 An error was displayed in ACS Management log while performing PAP Authentication. This problem is resolved now.
CSCte57427 SNMP location and contact information were not saved on reboot in ACS 5.1. This problem is resolved now.
CSCte70665 An error message was displayed while launching the Authentication Trend page from the Dashboard. This problem is resolved now.
CSCte98032 ACS 5 partitions were not aligned properly when they were installed on VMware. This problem is resolved now.

CSCtf09891 Remote log targets did not accept classless IP formats. This problem is resolved now.
CSCtf77292 The evaluation of domain local groups resulted in delayed authentication [AD PERF]. This problem is resolved now.
CSCtg62673 The feature license with & character in the company name could not be loaded. This problem is resolved now.
CSCtg71016 Primary and Secondary servers did not accept the same server certificates. This problem is resolved now.
CSCth66492 Recovery mechanism was required while reconnecting the log collector. This problem is resolved now.
CSCti00159 Network did not function properly when the MAC address of the host was changed in ACS 5 on VMware. This problem is resolved now.
CSCti30276 Admin users could not log in after a password reset. This problem is resolved now.
CSCti36058 The user authentication in ACS 5.1 failed while searching for the server in a remote domain. This problem is resolved now.
CSCti70509 In ACS 5, a DB restored from TFTP could result in a corrupted configuration. This problem is resolved now.
CSCti95750 The filter did not show any result in ACS 5.1 while using a filter for AD groups in AD1:ExternalGroups. This problem is resolved now.
CSCtj58965 AD page did not load when there were issues in DNS or DCs. This problem is resolved now.
CSCtj61100 When adding three IP name-servers through CLI, you were prompted to restart ACS three times. This problem is resolved now.
CSCtj68184 Evaluation License for AM&R was not being overwritten. This problem is resolved now.
CSCtk32478 CPU utilized high memory related to CDPD process in VMware. This problem is resolved now.
CSCtk32664 ACS sent change-pass request to a wrong ID store in the sequence. This problem is resolved now.
CSCtk76151 Changing NIC's IP address caused NTP to go out of synchronization. This problem is resolved now.
CSCtk82961 RADIUS Proxy did not forward unknown attributes. This problem is resolved now.
CSCtl05923 Remote DB SQL schema related information had to be updated for export run failed operation in ACS 5.3 documents. This problem is resolved now.
CSCtl07445 Negative integer in AV pair caused exception for ACS Log Collector. This problem is resolved now.
CSCtl07664 Unable to change the Error code. This problem is resolved now.
CSCtl11307 SNMP preferences setting existed in a wrong place on the ACS VIEW. This problem is resolved now.

CSCtl42972 Runtime process restarted after adding Shell Profile. This problem is resolved now.
CSCtl52327 ACS LDAP authorization was case sensitive. This problem is resolved now.
CSCtl84778 Sometimes two processes did not run after ACS reboot. This problem is resolved now.
CSCtl85457 The unreachable servers from DNS SRV resulted in a delay in ACS. This problem is resolved now.
CSCtn05827 The enable password option in TACACS did not work properly. This problem is resolved now.
CSCtn13731 Importing or updating TACACS+ devices needed the COA field to be filled. This problem is resolved now.
CSCtn18359 When the ACS CLI password expired under a password policy, it could not be reset. This problem is resolved now.
CSCtn21381 CDP data containing & character caused show run to fail. This problem is resolved now.
CSCtn26604 ACS 5 did not support UNICODE characters in certificates. This problem is resolved now.
CSCtn62214 Could not import the .CSV file when a custom attribute was defined for local users/hosts. This problem is resolved now.
CSCtn67457 Dynamic attributes in authorization profiles stopped working after they were changed. This problem is resolved now.
CSCtn76469 Setting RADIUS accounting on got rejected with 11014 msg. This problem is resolved now.
CSCtn78315 Backing up data failed while using SFTP if it was not transferred within 60 seconds. This problem is resolved now.
CSCtn81510 ACS 5 documents did not have clear information on getACSViewWebServicesPort() for M&R. This problem is resolved now.
CSCto09231 ACS interpreted username in NetBIOS format with dot in DOMAIN as DNS. This problem is resolved now.
CSCto09337 ACS had problems with Network device filter using location or device type. This problem is resolved now.
CSCto42187 EAP Authentication Method was not available for policy during PEAP fast reconnect. This problem is resolved now.
CSCto72525 Writing a custom application to integrate M&R generated errors. This problem is resolved now.
CSCto72918 ACS 5.2 did not support Unicode characters in AAA client shared secret. This problem is resolved now.
CSCto77214 When ACS was overloaded, an error server workspace storage appeared. This problem is resolved now.
CSCtq07534 ACS 5 did not verify RSA keys for SFTP repositories. This problem is resolved now.
CSCtq15610 ACS was intermittently disconnected from AD. This problem is resolved now.

CSCtq17598 Runtime services failed to start in a shell profile attribute. This problem is resolved now.
CSCtq46433 ACS 5: Web page errors were found while filtering the device using IE8 if the device contained \u. This problem is resolved now.
CSCtq61094 AD configuration affected the ACS Runtime process. This problem is resolved now.
CSCtq61125 ACS did not follow the identity store sequence. This problem is resolved now.
CSCtq61267 The password was not accepted after installing ESXi 4.x. This problem is resolved now.
CSCtq62007 Unable to save AD configuration when only user name or password was changed. This problem is resolved now.
CSCtq64672 Failure reason editor under System Configuration displayed an error for COD. This problem is resolved now.
CSCtq65124 ACS 5.2: Boolean LDAP attribute was incorrectly interpreted by ACS. This problem is resolved now.
CSCtq76307 CLI documentation did not have the updated SFTP information. This problem is resolved now.
CSCtq78681 Group queries to Virtual Directory Server failed to return results. This problem is resolved now.
CSCtr23536 ACS 5.2: Appending domain name to SAN when trying to match account in AD resulted in the user not being found in external store database and a failed authentication. This problem is resolved now.
CSCtr24473 RADIUS requests were dropped by ACS without any explanation. This problem is resolved now.
CSCtr43053 The port attribute could not be used to match the rule if you used ASCII as authentication type for TACACS+ authentications. This problem is resolved now.
CSCtr57687 ACS 5.x documents did not have the information on Replicated Items. This problem is resolved now.
CSCts55739 ACS 5.2 Configuration Guide did not explain the failover scenarios. This problem is resolved now.


Resolved Issues in Cumulative Patch ACS 5.3.0.40.1

Table 4 lists the issues that are resolved in the ACS 5.3.0.40.1 cumulative patch. You can download the ACS 5.3.0.40.1 cumulative patch from the following location: http://www.cisco.com/public/sw-center/index.shtml Refer to the "Applying Cumulative Patches" section on page 13 for instructions on how to apply the patch to your system.

Table 4 Resolved Issues in Cumulative Patch ACS 5.3.0.40.1

CSCtn94094: Web interface for compound rules uses non-standard boolean notation.
CSCts38477: In ACS 5.2 Compound Condition, replacing "And" logic with "Or". Duplicate of CSCtn94094.
CSCtq81172: Admin web interface takes time to load for a large NDG tree.
CSCtg51846: Enum values are not shown in compound conditions in the rule.
CSCto73527: Network Device Filter fails with AND condition while using Location and Device Type.
CSCts17763: ACS may crash when a Shell Profile name contains special characters.
CSCtq76294: Need an alert to be triggered when a backup operation fails.
CSCts40901: Shared secret key is displayed in clear text.
CSCtq80926: Select option is not working in Compound condition > LDAP > External groups.
CSCts61733: Bulk CRUD operations for Shell Profile Custom Attributes.
CSCtr78192: Multiple vulnerabilities in the Cisco ACS 5 web interface.
CSCts85741: Possible SQL injection point in ACS 5.2.
CSCtr78143: Multiple Cross-Site Request Forgery and stored XSS in ACS 5.2.
CSCtu15651: ACS View upgrade failure.
CSCtu07065: ACS 5.2 to 5.3 upgrade fails.
CSCts23451: ACS 5.x needs to update the RSA SecurID API.
CSCtu36433: ACS 5.3 web interface gives very slow access after an upgrade from ACS 5.2.


Resolved Issues in Cumulative Patch ACS 5.3.0.40.2

Table 5 lists the issues that are resolved in the ACS 5.3.0.40.2 cumulative patch. You can download the ACS 5.3.0.40.2 cumulative patch from the following location: http://www.cisco.com/public/sw-center/index.shtml Refer to the "Applying Cumulative Patches" section on page 13 for instructions on how to apply the patch to your system.

Table 5 Resolved Issues in Cumulative Patch ACS 5.3.0.40.2

CSCtw97686: Could not edit the ACS 5.2 users after upgrading the system to ACS 5.3.
CSCtu74476: MAC address format is inconsistent in activity reports.
CSCtn26538: EAP-TLS reauthentication fails; principal username is missing.
CSCte39351: The SNMP agent process in the ACS appliance daemon stops.
CSCtu89783: ACS 5 password expiration policy triggered for token users.
CSCtt14745: Cannot add groups to LDAP identity store.
CSCtt17019: ACS 5.x has issues while retrieving additional AD groups when referenced in a rule.
CSCtt21122: Cannot import the command sets if you have the slash character ( / ) in the argument.
CSCto95888: sh acs-logs details command does not display local store log file names.
CSCtw64212: view-logprocessor process gets stuck and the status is shown as not monitored.
CSCtu36357: ACS 5 cannot duplicate user accounts.
CSCtw67208: Administrative and Operational Audit logs are not getting recorded in ACS.
CSCtw56498: TACACS+ "enable" request is dropped in unknown authentication type.
CSCtw97877: Installing a patch after the 5.3 upgrade did not reduce the network device page load time.
CSCtx19470: ACS 5 shows a runtime error while trying to log in to the GUI when all processes are running properly.
CSCtx53340: NIL-CONTEXT error causes TACACS+ failure in the ACS 5.3 TCP Listener Process.
CSCto88134: Temporary table was missing in the 5.2 database after restoring a 5.1 backup.


Resolved Issues in Cumulative Patch ACS 5.3.0.40.3

Table 6 lists the issues that are resolved in the ACS 5.3.0.40.3 cumulative patch. You can download the ACS 5.3.0.40.3 cumulative patch from the following location: http://www.cisco.com/public/sw-center/index.shtml Refer to the "Applying Cumulative Patches" section on page 13 for instructions on how to apply the patch to your system.

Table 6 Resolved Issues in Cumulative Patch ACS 5.3.0.40.3

CSCtx11180: Sometimes, ACS fails to fetch the group info for users in a trusted domain.
CSCty19628: Unassigning MS-CHAPv2 group retrieval fails. It is a duplicate of the bug CSCtx11180.
CSCtw59129: ACS 5 tries to contact domains which are not in the trusted list, based on the username.
CSCty11627: ACS 5 sends the MS-CHAP-MPPE-Keys attribute in all Access-Accept packets.
CSCtw71563: ACS gets disconnected from AD if it receives duplicate A records for a DC.
CSCtx90637: ACS MS-CHAPv2 is not hashing the MS-CHAP success correctly.
CSCtu15832: ACS 5.2 does not recover from an RPC failure with a domain controller.
CSCtx71254: ACS 5.3 is disconnecting from AD and "unlatch" is seen in the ADclient logs.
CSCtx18638: Cannot add a custom shell attribute with the keyword alert.
CSCtx83260: NDG locations are not showing up on the web interface.
CSCts14694: Accounting requests are seen as authentication requests.
CSCty60512: User authentication fails when having an Authorization rule with a built-in group.
CSCty60915: ACS 5.3 pre-authentication fails with AD for some users.
CSCtz03041: AD Agent core management.
CSCty88457: ACS support bundle does not include ADclient core files.
CSCtz03084: /opt and /var full: large AD Agent file contains file descriptor errors.
CSCtz03036: AD Agent cache should be flushed when a core is generated.
CSCtz03943: ACS exposes the AD account username and password.
CSCtz03211: ACS 5.3 sends multiple authentication attempts to Active Directory.

Resolved Issues in Cumulative Patch ACS 5.3.0.40.4

Table 7 lists the issues that are resolved in the ACS 5.3.0.40.4 cumulative patch. You can download the ACS 5.3.0.40.4 cumulative patch from the following location: http://www.cisco.com/public/sw-center/index.shtml Refer to the "Applying Cumulative Patches" section on page 13 for instructions on how to apply the patch to your system.


Table 7 Resolved Issues in Cumulative Patch ACS 5.3.0.40.4

CSCtz35383: Restoring an ACS 5.1 or 5.2 backup on ACS 5.3 patch 3 fails.
CSCtz35418: Unexpected error occurs while selecting the maximum user session after restoring the backup.
CSCua46796: LDAP connection is interrupted for one minute every 10 hours due to Kerberos TGT expiration.

Resolved Issues in Cumulative Patch ACS 5.3.0.40.5

Table 8 lists the issues that are resolved in the ACS 5.3.0.40.5 cumulative patch. You can download the ACS 5.3.0.40.5 cumulative patch from the following location: http://www.cisco.com/public/sw-center/index.shtml Refer to the "Applying Cumulative Patches" section on page 13 for instructions on how to apply the patch to your system.

Table 8 Resolved Issues in Cumulative Patch ACS 5.3.0.40.5

CSCtu21456: ACS 5.x: Intermittent password change is not working in the secondary ACS.
CSCtx12249: ACS 5.x: ACS does not support TACACS Service 0x1a (Auth-Proxy).
CSCty48702: ACS 5.3 cannot export data to Oracle.
CSCtx68133: Some secondary ACS machines show status as offline when the setup is idle.
CSCtx57296: ACS fails to open the View log collector with an unresolvable hostname in the primary machine.
CSCtx72675: ACS supports repository user names with a domain name.
CSCtx55824: ACS 5.x: SQL schema file for View database export is incorrect.
CSCtu19690: Random parse error alarms are triggered by RADIUS accounting messages.
CSCtx90623: ACS web server is vulnerable to the HTTP slow header attack.
CSCty80996: Admin user with the ResetUserPassword privilege cannot reset user passwords.
CSCty18371: Users without the enable password option are able to set their own authentication password.
CSCtx40345: MAC addresses shown on the end station filter list are incorrect.
CSCtx32481: Description is shown as null while importing an NDG without a description.
CSCty16614: Resource not found or internal server error is seen with the bulk filter option in ACS.
CSCtx71963: ACS 5.2: Bulk update of users ignores the changes that are made in the custom boolean attribute.
CSCtz31830: In some scenarios, the Active Directory web interface group retrieval feature takes a long time to respond.
CSCtz42111: Password expiry timer is not replicated after changing the password using TACACS+.


Resolved Issues in Cumulative Patch ACS 5.3.0.40.6

Table 9 lists the issues that are resolved in the ACS 5.3.0.40.6 cumulative patch. You can download the ACS 5.3.0.40.6 cumulative patch from the following location: http://www.cisco.com/public/sw-center/index.shtml Refer to the "Applying Cumulative Patches" section on page 13 for instructions on how to apply the patch to your system.

Table 9 Resolved Issues in Cumulative Patch ACS 5.3.0.40.6

CSCtz24314: ACS 5.x runs out of disk space.
CSCtz49470: In ACS 5.3, you can create and restore the ACS View database from a support bundle without the help of a root patch.
CSCty53608: Core file with 4000 users is generated in the TACACS+ proxy.
CSCty75050: In ACS 5.3, CHAP authentication for TACACS+ fails.
CSCtx03590: Adding an NDG filter with "Replace from File" fails.
CSCty92102: RADIUS proxy does not process the response from an external RADIUS server.
CSCtz09614: Validation error that results in an ACS runtime crash occurs while editing the end station filters.
CSCtz91356: Evaluation of local groups leads to an increase in time delay during authentication.
CSCtz83523: AD client crashes because of passwords with non-UTF-8 characters in them.
CSCty64763: Multiple groups are selected in the authorization policy.
CSCua01925: SNMP monitoring cron job is deleted when you configure a scheduled backup.
CSCua51373: Support for On Demand Purge in ACS View.
CSCua60625: ACS View database restore fails when there is enough space available in /opt.
CSCua51804: ACS View backup fails even when there is enough disk space available.
CSCua60611: Runtime service memory utilization increases during TACACS+ authentication and accounting requests.
CSCty97947: Importing large scale configurations in ACS results in runtime memory errors upon restart.
CSCub17638: Replication fails when you import devices into the primary server.
CSCua69912: Config database gets corrupted after changing the authorization profile name, which results in an internal error while accessing the web interface.


Resolved Issues in Cumulative Patch ACS 5.3.0.40.7

Table 10 lists the issues that are resolved in the ACS 5.3.0.40.7 cumulative patch. You can download the ACS 5.3.0.40.7 cumulative patch from the following location: http://www.cisco.com/public/sw-center/index.shtml Refer to the "Applying Cumulative Patches" section on page 13 for instructions on how to apply the patch to your system.

Table 10 Resolved Issues in Cumulative Patch ACS 5.3.0.40.7

CSCua66744: The ACS View database transaction log grows beyond 50 GB, which fills the /opt partition.
CSCtq46211: The Lexmark printer works fine with ACS 4.x, but it does not work properly with ACS 5.x versions.
CSCtx53223: ACS 5.3 fails to join the AD domain, and the Centrify license is missing, when you upgrade ACS from its previous versions.
CSCtx63760: Scalability issue: ACS drops TACACS+ requests due to a high connection rate.
CSCtx56129: The ACS 5.x replication service fails because it cannot bind to port 2030.
CSCua67150: The network device is not recorded in the RADIUS Authentication logs.
CSCub15396: ACS 5.3 does not support blank spaces in the TACACS shared secret key.
CSCua90369: ACS 5.x creates the error message: ShellProfile..ERROR...DeviceAttrFactory.cpp:29.
CSCtw84073: Unable to enter acs-config in the ACS CLI.
CSCua81734: In ACS 5.x, identity groups are truncated when you use Internet Explorer 8.x.
CSCty57491: ACS health logs are purged incorrectly.
CSCub46074: ACS 5.3 response is very slow with a large number of identity groups.
CSCub40278: XSS vulnerabilities were found in ACS View pages.
CSCub40291: CSRF vulnerabilities were found in ACS 5.3.
CSCub40498: The password field in ACS 5.3 has autocomplete enabled.
CSCub40527: Unauthenticated download flaws were found in ACS 5.3.
CSCub40480: Cookie vulnerabilities were found in ACS 5.3.
CSCub98158: Replication is not working when you register or unregister a secondary ACS instance.


Limitations in Different ACS Deployments

ACS 5.3 has the following limitations with respect to Small, Medium, and Large deployment scenarios.

Table 11 Limitations in Different ACS Deployments

Object Type Users Hosts Identity Group Network Devices Device Types Device Hierarchies Device Groups Services

Small 1000 100 10 100 2 (default) 2 5 2

Medium 10000 1000 200 5000 2 (default) 3 10 5 25 5 -25 2 500 3-6 15 5 roles 1K Size

Large 300000 50000 1000 50000 2 (default) 6 20 25 320 8 600 50 3 3000 7-10 50 9 roles 600 dACL with 100 ACEs each

Authorization/Identity Rules Conditions Authorization Profile SSP Result Sets NARs ACS Instances ACS Admins dACLs (Small column, continued: 5 3-5 1 50 1-2 5 2 roles 1K Size)


Known ACS Issues

This section lists the known issues for the ACS 5.3 release. Table 12 lists the known issues in ACS 5.3. You can also use the Bug Toolkit on Cisco.com to find any open bugs that do not appear here.

Table 12 Known Issues in ACS 5.3

CSCtl08320: AD is down in Additional Attribute list; PEAP/EAP-FAST MSCHAP auth marked fail
The PEAP-GTC and EAP-FAST-GTC authentications are marked as Passed (green line in the log) when the attribute retrieval phase fails and the FailOpen option is configured as DROP.
This problem occurs when the Identity Sequence is configured in such a way that the authentication phase passes but the attribute retrieval phase fails. The default FailOpen option for a failed process is DROP.
Workaround: None

CSCtl10839: Break sequence fails for the same user authentication when AD is down (because of cache)
Attribute retrieval tries to retrieve groups from AD, which is down, and then continues to the next ID store in the Additional Attribute retrieval list. This occurs although you have selected the break sequence option.
This problem occurs when you:
1. Configure ACS as:
   · AD with groups, with no attributes.
   · Identity Sequence: Authentication ID Stores list is Internal.
   · Additional Attribute retrieval list is {AD, Internal, RADIUS server (or any other)}.
2. Select the break sequence option.
3. Authenticate using AD.
4. Shut down AD.
5. Authenticate using the Identity Sequence.
Workaround: None

CSCtl93760: Search option does not work for MAC Address
Unable to list the MAC addresses that are in the database. This problem occurs when you create MAC addresses using wildcards and then try to list a single MAC address while searching.
Workaround: Use other search options such as "starts with".


CSCtl95969: Sometimes machine authentication fails in Odyssey supplicant
The Odyssey supplicant sometimes fails in machine authentication. The authentication fails and displays the message "Subject not found in the identity store (AD)".
Workaround:
1. Select EAP-TLS as the authentication type in the Odyssey supplicant. EAP-TLS authentication passes.
2. Change the authentication type to PEAP-TLS. This makes machine authentication work with the Odyssey supplicant.

CSCtn19739: TLS Session Resume fails in PEAP-TLS with CSSC/Odyssey supplicant
TLS Session Resume fails in PEAP-TLS with the CSSC/Odyssey supplicant. This problem occurs when you enable TLS session resume in ACS and perform an authentication with the CSSC/Odyssey client.
Workaround: None

CSCtn49931: Management processes do not come up after the application upgrade
Management processes are not restored when ACS services get restarted. This issue is not consistent; it occurs sometimes when you restart ACS services, for example after upgrading ACS 5.2 to 5.3.
Workaround: Restart the ACS services manually.

CSCto29474: Bulk edit is not supported for maximum session group value
There is no option for bulk editing groups. This problem occurs when there are many identity groups (for example, 50 or more). It is difficult to edit the values for the groups one by one, and there is no option to update many groups together.
Workaround: Use the Import option to update the maximum session value for many groups at the same time.


CSCto52767: Centrify: Wrong user is being authenticated
The wrong AD user is authenticated. This problem occurs when you mix and match UPN and NetBIOS names for two given users. For example:
1. Enter user 1 as UPN: a1, NETBIOS: a2, psw: [email protected]# and user 2 as UPN: a2, NETBIOS: a1, psw: [email protected]#.
2. Authenticate the first user as user: a1, psw: [email protected]#.
3. Authenticate the second user as user: a2, psw: [email protected]#.
One of the above two authentications fails.
Workaround: Make sure AD user names are consistent and avoid naming conventions in which the UPN of one user is identical to the NetBIOS name of another.

CSCto56190: AD interface operations take a long time if LDAP SSL is not enabled in AD
AD interface operations (test connect, select groups, and select attributes) take a long time if LDAP SSL is not enabled in AD. The delay in such cases is the number of domain controllers in the domain in the same site as ACS multiplied by 15 seconds.
This problem occurs if:
· LDAP SSL is not configured or enabled on the AD domain controllers.
· There are many domain controllers in the domain in the same site as ACS.
Workaround: Configure or enable LDAP SSL on the AD domain controllers.

CSCtq12058: Log level set to debug for Monitoring and Collector log but it shows the warning logs
The Debug logs are not displayed in the Monitoring and Collector log. Default warning logs are displayed even after the log level is set to Debug. This problem also occurs while the system performs authentication.
Workaround: Restart ACS.


CSCtq34427: CARS: Centrify-imposed host name limitation of 15 characters
An AD account is created only for the latest machine that is joined to AD while joining multiple hosts. This problem occurs if hosts have:
· Names longer than 15 characters
· The same 15-character prefix
Workaround: When working with AD, the hostname should not be longer than 15 characters, or the 15-character prefix of each host name should be unique.

CSCtq45439: Core file of management is generated while running stress in ACS
The management process crashes on a secondary ACS server in a distributed deployment and a core file is generated. This problem occurs when heavy authentication stress is applied to the primary server for a long time (one or two days).
Workaround: None.

CSCtq52001: It is possible to install non-CA certificates under CTL
ACS allows you to install non-CA certificates under Certificate Authorities. A CA certificate has the keyCertSign bit set under the Key Usage attribute; ACS does not check for it, so a non-CA certificate without this bit can be installed.
Workaround: Make sure the installed certificate is indeed a CA certificate.

CSCtq52032: No checks for the type of certificate while installing the server certificate
An invalid server certificate (such as one that can be used for client authentication only) can be installed as a server certificate in ACS. This problem occurs when you install a client certificate (for example, one whose extended key usage is set to "Client Authentication" only) as a server certificate in ACS.
Workaround: Verify the extended key usage manually.

CSCtq61557: Cannot create AAA client after an error message appears in the Network Device Ranges
Unable to create an AAA client after an error message appears. This problem occurs if you:
1. Create an AAA client with IP Ranges and enter an invalid character in the Exclude option. The interface displays an error.
2. Delete the Exclude value, add the IP, and click Submit. The AAA client is not created.
Workaround:
1. Edit the IP and enter a proper Exclude value.
2. Add the AAA client.
3. Click Cancel and create the AAA client with the proper Exclude value.
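The manual certificate checks that CSCtq52001 and CSCtq52032 leave to the administrator can be scripted before the file is uploaded. The following script is an added example, not part of these release notes or of the ACS software: it walks the X.509 extensions of a DER or PEM certificate using only the Python standard library and reports whether the file is fit for the Certificate Authorities store (basicConstraints cA=TRUE and keyUsage asserting keyCertSign, as RFC 5280 requires of a CA) or for the ACS server certificate (not a CA, and any extendedKeyUsage present includes serverAuth). The function names are this example's own, and the three sample certificates are unsigned skeletons constructed in the script for illustration, not real certificates.

```python
import base64
import re

# DER-encoded OID bodies of the extensions and key purposes the checks use
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")        # 2.5.29.19
OID_KEY_USAGE = bytes.fromhex("551d0f")                # 2.5.29.15
OID_EXT_KEY_USAGE = bytes.fromhex("551d25")            # 2.5.29.37
OID_SERVER_AUTH = bytes.fromhex("2b06010505070301")    # id-kp-serverAuth
OID_CLIENT_AUTH = bytes.fromhex("2b06010505070302")    # id-kp-clientAuth
KEY_CERT_SIGN_BIT = 5                                  # RFC 5280 KeyUsage keyCertSign(5)

def _tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, body) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, body, pos = _tlv(value, pos)
        yield tag, body

def load_der(data):
    """Accept DER or PEM bytes and return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", data))
    return data

def extensions(cert_der):
    """Map extnID (OID bytes) -> extnValue contents (DER). Extensions sit in
    tbsCertificate as [3] EXPLICIT SEQUENCE OF { extnID, critical OPTIONAL, extnValue }."""
    _, cert, _ = _tlv(cert_der)
    tbs = next(body for _, body in _children(cert))      # tbsCertificate is the first field
    found = {}
    for tag, body in _children(tbs):
        if tag == 0xA3:                    # [3] EXPLICIT wrapper around the extensions SEQUENCE
            _, ext_seq, _ = _tlv(body)
            for _, ext in _children(ext_seq):
                fields = list(_children(ext))
                found[fields[0][1]] = fields[-1][1]   # extnValue is last; critical may be absent
    return found

def _is_ca(exts):
    """True when basicConstraints is present with cA=TRUE (absent: treated as cA=FALSE)."""
    bc = exts.get(OID_BASIC_CONSTRAINTS, b"\x30\x00")
    return any(t == 0x01 and v == b"\xff" for t, v in _children(_tlv(bc)[1]))

def _key_usage_bit(exts, bit):
    """True when keyUsage is present and asserts the given bit (BIT STRING, bit 0 = MSB)."""
    bits = _tlv(exts.get(OID_KEY_USAGE, b"\x03\x01\x00"))[1]   # bits[0] = unused-bit count
    byte, offset = divmod(bit, 8)
    return byte + 1 < len(bits) and bool(bits[byte + 1] & (0x80 >> offset))

def is_ca_certificate(cert):
    """Installable under Certificate Authorities: cA=TRUE and keyUsage asserts keyCertSign."""
    exts = extensions(load_der(cert))
    return _is_ca(exts) and _key_usage_bit(exts, KEY_CERT_SIGN_BIT)

def is_server_certificate(cert):
    """Installable as the ACS server certificate: not a CA, and any extendedKeyUsage
    present includes serverAuth (a clientAuth-only EKU is rejected)."""
    exts = extensions(load_der(cert))
    if _is_ca(exts):
        return False
    eku = exts.get(OID_EXT_KEY_USAGE)
    if eku is None:
        return True                        # no EKU: not restricted to a purpose
    _, body, _ = _tlv(eku)
    return OID_SERVER_AUTH in {val for _, val in _children(body)}

# Constructed sample input (not real certificates): unsigned skeletons that carry only
# the structure the checks walk; names, validity and key fields are left empty.
def _der(tag, body):
    """Encode one DER TLV (short-form length is enough for these samples)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def skeleton_cert(ext_list):
    """Build a structurally valid Certificate DER from (oid, extnValue DER) pairs."""
    exts = b"".join(_der(0x30, _der(0x06, oid) + _der(0x04, val)) for oid, val in ext_list)
    empty = _der(0x30, b"")
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + empty * 5
           + _der(0xA3, _der(0x30, exts)))
    return _der(0x30, _der(0x30, tbs) + empty + _der(0x03, b"\x00"))

CA_CERT = skeleton_cert([(OID_BASIC_CONSTRAINTS, _der(0x30, _der(0x01, b"\xff"))),  # cA=TRUE
                         (OID_KEY_USAGE, _der(0x03, b"\x01\x06"))])                  # keyCertSign, cRLSign
CLIENT_ONLY_CERT = skeleton_cert([(OID_KEY_USAGE, _der(0x03, b"\x05\xa0")),          # the CSCtq52032 case
                                  (OID_EXT_KEY_USAGE, _der(0x30, _der(0x06, OID_CLIENT_AUTH)))])
SERVER_CERT = skeleton_cert([(OID_KEY_USAGE, _der(0x03, b"\x05\xa0")),               # digitalSignature, keyEncipherment
                             (OID_EXT_KEY_USAGE, _der(0x30, _der(0x06, OID_SERVER_AUTH)
                                                       + _der(0x06, OID_CLIENT_AUTH)))])
```

Call is_server_certificate(open("acs.pem", "rb").read()) on the file you intend to upload; CLIENT_ONLY_CERT reproduces the CSCtq52032 case and is rejected, while CA_CERT passes only the CA-store check. The script inspects structure only; it does not validate the signature or the chain, which remain ACS's job once the certificate is installed.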


CSCtq67174: The username in the view displays an invalid escape character at line 1 column 2
If you click a username that contains the character ! an error appears. This problem occurs if the username contains the ! character.
Workaround: Remove the ! character from the username.

CSCtq80926: Select option gets disabled while selecting the string enum attribute
The Select option is disabled and you cannot select the groups configured under Compound Condition and LDAP External Groups. This problem occurs if you select Authorization > Customize selected compound condition, under Compound condition > LDAP > External groups. This applies to both the LDAP and AD External groups configuration.
Workaround 1: Select some other attribute with a different dictionary, to enable the Select option for all types of attributes.
Workaround 2: Select the external groups under Customize > LDAP: External groups in both Authorization and Group mapping.

CSCtr56396: Filtering Network Devices according to the new NDG type
You do not get the correct records that match the filter if you try to filter Network Devices according to the value of a Network Device Group that was added after the Network Devices. This problem occurs when a new NDG is created after adding the Network Devices.
Workaround: Create the NDG before adding the Network Devices.

CSCtr74964: Wrong error message is displayed when you try to change the password of an LDAP user
The error message "Subject not found in the particular identity stores" is displayed. This is wrong; the correct error message is "Current identity store doesn't support changing password". This problem occurs if you change the password while performing TACACS+ authentication for a user account located on an LDAP server.
Workaround: Ignore the incorrect error message.

CSCtr95923: Log messages are recovered after Restore
The Log recovery feature retrieves the missing logs after a Restore. This problem occurs when you take a backup of the View with the Log recovery feature enabled and then restore the backup in the same setup.
Workaround: Disable the feature for 5 minutes and then enable it. This prevents it from restoring the old logs.

CSCts07491: NDG: Duplicate option does not work
You cannot create a duplicate of an existing NDG. This problem occurs if you want to create a new NDG by duplicating an existing NDG; the duplication does not work properly.
Workaround: Create a new NDG using the Create option.


CSCts08356: ACS follows the internal identity sequence twice when Fast Reconnect is enabled
ACS performs the attribute retrieval twice in the Internal ID store for a non-existent user. This occurs when authenticating by PEAP with fast reconnect enabled with the Windows 7 supplicant. This problem occurs when ACS is configured with the following identity store sequence:

AD + Internal and PEAP-MSCHAP with fast reconnect.

Here a user is configured in AD but not in the Internal ID store. When you are negotiating PEAP fast reconnect, the supplicant returns the result as TLV failure and then an inner method is invoked. The user is successfully authenticated in AD. The attribute retrieval is performed twice in the Internal ID store (both unsuccessful, since the user is not found). The following messages appear in the log:

    22023 Proceed to attribute retrieval
    22038 Skipping the next IDStore for attribute retrieval because it is the one we authenticated against
    24210 Looking up User in Internal Users IDStore - ram
    24216 The user is not found in the internal users identity store.
    22038 Skipping the next IDStore for attribute retrieval because it is the one we authenticated against
    22015 Identity sequence continues to the next IDStore
    24210 Looking up User in Internal Users IDStore - ram
    24216 The user is not found in the internal users identity store.
    22016 Identity sequence completed iterating the IDStores

Workaround: Configure PEAP fast reconnect in the Windows 7 supplicant correctly, so that Fast Reconnect is enabled.


CSCts31991: AD join may fail when there are multiple DNS entries in ACS
ACS fails to join AD. This problem occurs when there are multiple IP name-server entries configured in the ACS configuration CLI, but not all of the IP name-server entries are configured with Active Directory DNS records. It occurs where the AD DNS responds more slowly than the corporate DNS, or if there is a DNS server that does not resolve the AD DC/GC SRV records.
Workaround 1: Ensure that all IP name-server entries have the required configuration for Active Directory. This way, the fastest responding name server will have the required Active Directory configuration.
Workaround 2: Configure ACS 5.3 to use only a specific name server that has the required Active Directory configuration. Use the ACS 5.3 CLI to do this. The ACS administrator should:
1. Log into the ACS configuration mode using the command acs-config.
2. Use ad-agent-configuration dns.servers to set the IP address of the correct name server to use. For example, if the IP address of the name server to use is 10.56.60.150, enter the following commands in the ACS 5.3 CLI:

    cd-acs5-13-50/admin# acs-config
    Escape character is CNTL/D.
    Username: acsadmin
    Password:
    cd-acs5-13-50/acsadmin(config-acs)# ad-agent-configuration dns.servers 10.56.60.150
    Performing AD agent internal setting modification is only allowed with ACS support approval. continue (y/n)?
    cd-acs5-13-50/acsadmin(config-acs)# show ad-agent-configuration dns-servers
    dns-servers: 10.56.60.150
    cd-acs5-13-50/acsadmin(config-acs)# exit

This operation should be performed on each server in the deployment once the ACS machine is joined to the required domain.

CSCts52687: AD functionality is down
The Centrify service gets frozen while starting and does not move to the next available DC. This problem occurs when the joined DC is offline. There are other DCs online, but ACS will not join one of them.
Workaround: Bring the joined DC online or resubmit the AD configuration.
For further problem description, see the guidelines discussed in http://nmtg2.cisco.com/wiki/index.php/RNE_Template


CSCto50246: CentrifyDC mode is displayed as "connected" when the current DC is shut down
ACS takes a long time to update the details of the DC to which it is currently connected. This problem occurs when ACS is connected to another, fastest reachable DC while the previously connected DC is down.
Workaround: None

CSCts95867: The View database processes freeze when the system gets restarted while upgrading
The ACS View database process gets frozen if you restart the services while upgrading. This problem occurs if you:
1. Configure the data in ACS 5.2 patch 6 when the machine is in a distributed setup with a primary server and a secondary server, where the secondary server is the log collector.
2. Change the log collector to the primary server.
3. Deregister the secondary server from the primary server.
4. Upgrade the secondary server to ACS 5.3 build #38 using the CLI command application upgrade acs.tar.gz repo. The following message is displayed:
   application upgraded successfully.
5. Check the process status using the CLI command show app upgrade acs. The View Database process stays frozen for more than six hours while the application restarts.
6. Upgrade the primary server to 5.3 build #38 using the CLI command application upgrade acs.tar.gz repo. The following message is displayed:
   application upgraded successfully.
   The View Database process stays frozen for more than six hours while the application restarts.
Workaround: Use the acs stop and acs start commands in the CLI to restart the ACS services manually.

CSCts79921: Authentication fails if you miss the UPN attribute
Authentication fails against Active Directory. This problem occurs when you try to add users using the command NET USER aaa [email protected]# /ADD.
Workaround: Add the users through the Active Directory interface.

CSCtq29587: RADIUS authentication fails in switch with same VSA name and different data type
Authentication fails in the switch. This problem occurs while creating VSA attributes in the Proxy and Remote ACS that have the same name but different types.
Workaround: Define the VSA attributes with the same names and types.


Bug ID: CSCtq60960
Title: Could not close the html5 frames in the Authentication reports.
Description: Expand and Collapse of Authentication results in the Authentication details page do not work in Mozilla Firefox 4.x and 5.x. This problem occurs when you use third-party tools such as Actuate BIRT, because the stricter HTML5 parsing engine is enabled by default in Mozilla 4.x and 5.x; you see the issue when the HTML produced by the third-party tool does not validate under that parser.
Workaround: When you are using Mozilla 4.x and 5.x, complete the following steps.
1. Open a new tab.
2. Enter about:config in the address bar and press Enter.
3. Click I'll be careful, I promise!.
4. Enter html5 in the Filter box.
5. Double-click html5.parser.enable to change its value to false.
6. Reload Authentication results in the Authentication details page.
The expand and collapse option of Authentication results in the Authentication details page now works. This preference applies to every site the browser renders, not only to ACS, so revert it when the workaround is no longer needed.

Bug ID: CSCts04765
Title: Switching from IP ranges to single IP address displays an error message.
Description: An error message is displayed when you switch from the IP ranges or IP ranges by mask option to the single IP option while creating AAA clients. This problem occurs when you switch from IP ranges or IP ranges by mask to single IP in the network range multi-column list box. The following error message is displayed:
There is more than one IP address defined. You cannot switch to Single IP Address mode.
This error is shown even after you delete the IP range and switch to the single IP option.
Workaround: Click Cancel and create a new AAA client.

Bug ID: CSCtt04675
Title: Repositories are missing from the global backup after restoring it.
Description: Changes that you made to the running configuration through the CLI are not available after a global restore. For example:
1. Configure a repository.
2. Take a global backup.
3. Restore the backed-up data. The newly configured repository is not available in the running configuration.
This problem occurs if the new configuration was not saved to the startup configuration.
Workaround: Make sure that the changes are saved to the startup configuration whenever you change the running configuration.
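The following session is an added illustration of the CSCtt04675 workaround as it is typed at the ACS 5.3 CLI (ADE-OS); it is not taken from these release notes or from any Cisco document. The hostname, repository name, SFTP server, path, user name, backup name and backup file name are placeholders, and the prompts are shown only to indicate which configuration mode each command is entered in.

```text
! Define the repository (placeholder values throughout).
acs/admin# configure terminal
acs/admin(config)# repository sftp-backups
acs/admin(config-Repository)# url sftp://backup.example.com/acs
acs/admin(config-Repository)# user acsbackup password plain <secret>
acs/admin(config-Repository)# exit
acs/admin(config)# exit

! Persist the running configuration. Without this step the repository
! exists only in the running configuration and is missing after a
! global restore (CSCtt04675).
acs/admin# copy running-config startup-config

! Confirm the repository stanza is present in the saved configuration,
! then take the global backup into that repository.
acs/admin# show startup-config
acs/admin# backup acs53-full repository sftp-backups
acs/admin# show repository sftp-backups

! After restoring on this or another node, confirm the repository is back.
acs/admin# restore <backup-file> repository sftp-backups
acs/admin# show running-config
```

The repository definition includes the account used to reach the SFTP server, so the saved configuration and the backup file both need the same handling as the backup data itself: restrict who can read them and who can run show commands on the appliance.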



Table 12 Known Issues in ACS 5.3 (continued)

Bug ID: CSCts67174
Title: Database fail (TACACS Accounting) alarms are caused due to decimal value in AV pair.
Description: Critical system alarms of the form "[Collector]: Database failure (<acs hostname>, TACACS Accounting)" are raised. This problem occurs when the NAS sends a decimal value in the elapsed time AV pair of a TACACS+ accounting packet.
Workaround: None.

Bug ID: CSCtr40972
Title: Could not launch ACS with new IP address after a global backup during upgrade.
Description: ACS cannot be launched using the new IP address after a global backup is restored. This problem occurs when you restore a global backup of one ACS machine onto another ACS machine.
Workaround: None.

Bug ID: CSCua46796
Title: LDAP connection is interrupted for one minute every 10 hours due to Kerberos TGT expiration.
Description: The LDAP connection is interrupted for one minute every 10 hours when the Kerberos TGT expires. The connection is automatically re-established after the TGT renewal. This problem occurs when you use AD or LDAP as an external database.
Workaround: None.

Bug ID: CSCua99537
Title: Network Time Protocol Daemon (NTPD) running with ACS sometimes does not synchronize its clock with the Windows time service.
Description: NTPD running with ACS sometimes does not synchronize its clock with the Windows time service. This problem occurs most often when ACS or AD is running as a virtual machine.
Workaround: None.

Documentation Updates

Table 13 lists the updates to Release Notes for the Cisco Secure Access Control System 5.3.

Table 13 Updates to Release Notes for the Cisco Secure Access Control System 5.3

Date         Description
08/24/2012   Added known issue CSCua99537 to the Known ACS Issues, page 24 section, and the lack of multiple-NIC support to the Features Not Supported, page 6 section.
08/21/2012   Added the "Resolved Issues in Cumulative Patch ACS 5.3.0.40.6" section on page 21.
08/10/2012   Updated Known ACS Issues, page 24 and the "Resolved Issues in Cumulative Patch ACS 5.3.0.40.4" section on page 19.
05/29/2012   Added the "Resolved Issues in Cumulative Patch ACS 5.3.0.40.5" section on page 20.
05/18/2012   Added the "Resolved Issues in Cumulative Patch ACS 5.3.0.40.4" section on page 19.
04/17/2012   Added the "Resolved Issues in Cumulative Patch ACS 5.3.0.40.3" section on page 19.



Table 13 Updates to Release Notes for the Cisco Secure Access Control System 5.3 (continued)

Date         Description
02/28/2012   Added the "Resolved Issues in Cumulative Patch ACS 5.3.0.40.2" section on page 18.
12/16/2011   Added the "Resolved Issues in Cumulative Patch ACS 5.3.0.40.1" section on page 17.
12/01/2011   Fixed the bug CSCts96708.
10/04/2011   Cisco Secure Access Control System, Release 5.3.

Product Documentation

Note

We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.

Table 14 lists the product documentation that is available for ACS 5.3. To find end-user documentation for all the products on Cisco.com, go to: http://www.cisco.com/go/techdocs and select Network Management > Security and Identity Management > Cisco Secure Access Control Server Products > Cisco Secure Access Control System.

Table 14 Product Documentation

Document Title: License and Documentation Guide for the Cisco Secure Access Control System 5.3
Available Formats: http://www.cisco.com/en/US/products/ps9911/products_documentation_roadmaps_list.html

Document Title: Migration Guide for the Cisco Secure Access Control System 5.3
Available Formats: http://www.cisco.com/en/US/products/ps9911/prod_installation_guides_list.html

Document Title: User Guide for the Cisco Secure Access Control System 5.3
Available Formats: http://www.cisco.com/en/US/products/ps9911/products_user_guide_list.html

Document Title: CLI Reference Guide for the Cisco Secure Access Control System 5.3
Available Formats: http://www.cisco.com/en/US/products/ps9911/prod_command_reference_list.html

Document Title: Supported and Interoperable Devices and Softwares for the Cisco Secure Access Control System 5.3
Available Formats: http://www.cisco.com/en/US/products/ps9911/products_device_support_tables_list.html

Document Title: Installation and Upgrade Guide for the Cisco Secure Access Control System 5.3
Available Formats: http://www.cisco.com/en/US/products/ps9911/prod_installation_guides_list.html

Document Title: Software Developer's Guide for the Cisco Secure Access Control System 5.3
Available Formats: http://www.cisco.com/en/US/products/ps9911/products_programming_reference_guides_list.html

Document Title: Regulatory Compliance and Safety Information for Cisco Identity Services Engine, Cisco 1121 Secure Access Control System, Cisco NAC Appliance, Cisco NAC Guest Server, and Cisco NAC Profiler
Available Formats: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/regulatory/compliance/csacsrcsi.html



Notices

The following notices pertain to this software license.

OpenSSL/Open SSL Project

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]).

License Issues

The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact [email protected]

OpenSSL License:

Copyright © 1998-2007 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)".
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected]
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)".

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]).

Original SSLeay License:

Copyright © 1995-1998 Eric Young ([email protected]). All rights reserved. This package is an SSL implementation written by Eric Young ([email protected]). The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson ([email protected]). Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young ([email protected])". The word `cryptographic' can be left out if the routines from the library being used are not cryptography-related.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson ([email protected])".

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].


Supplemental License Agreement

END USER LICENSE AGREEMENT SUPPLEMENT FOR CISCO SYSTEMS ACCESS CONTROL SYSTEM SOFTWARE: IMPORTANT: READ CAREFULLY This End User License Agreement Supplement ("Supplement") contains additional terms and conditions for the Software Product licensed under the End User License Agreement ("EULA") between you and Cisco (collectively, the "Agreement"). Capitalized terms used in this Supplement but not defined will have the meanings assigned to them in the EULA. To the extent that there is a conflict between the terms and conditions of the EULA and this Supplement, the terms and conditions of this Supplement will take precedence. In addition to the limitations set forth in the EULA on your access and use of the Software, you agree to comply at all times with the terms and conditions provided in this Supplement. DOWNLOADING, INSTALLING, OR USING THE SOFTWARE CONSTITUTES ACCEPTANCE OF THE AGREEMENT, AND YOU ARE BINDING YOURSELF AND THE BUSINESS ENTITY THAT YOU REPRESENT (COLLECTIVELY, "CUSTOMER") TO THE AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THE AGREEMENT, THEN CISCO IS UNWILLING TO LICENSE THE SOFTWARE TO YOU AND (A) YOU MAY NOT DOWNLOAD, INSTALL OR USE THE SOFTWARE, AND (B) YOU MAY RETURN THE SOFTWARE (INCLUDING ANY UNOPENED CD PACKAGE AND ANY WRITTEN MATERIALS) FOR A FULL REFUND, OR, IF THE SOFTWARE AND WRITTEN MATERIALS ARE SUPPLIED AS PART OF ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE PRODUCT FOR A FULL REFUND. YOUR RIGHT TO RETURN AND REFUND EXPIRES 30 DAYS AFTER PURCHASE FROM CISCO OR AN AUTHORIZED CISCO RESELLER, AND APPLIES ONLY IF YOU ARE THE ORIGINAL END USER PURCHASER.

1. Product Names

For purposes of this Supplement, the Product name(s) and the Product description(s) you may order as part of Access Control System Software are:

A. Advanced Reporting and Troubleshooting License: Enables custom reporting, alerting and other monitoring and troubleshooting features.
B. Large Deployment License: Allows deployment to support more than 500 network devices (AAA clients that are counted by configured IP addresses). That is, the Large Deployment license enables the ACS deployment to support an unlimited number of network devices in the enterprise.
C. Advanced Access License (not available for Access Control System Software 5.0, will be released with a future Access Control System Software release): Enables Security Group Access policy control functionality and other advanced access features.

2. ADDITIONAL LICENSE RESTRICTIONS

· Installation and Use. The Cisco Secure Access Control System (ACS) Software component of the Cisco 1121 Hardware Platform is preinstalled. CDs containing tools to restore this Software to the 1121 hardware are provided to Customer for reinstallation purposes only. Customer may only run the supported Cisco Secure Access Control System Software Products on the Cisco 1121 Hardware Platform designed for its use. No unsupported Software product or component may be installed on the Cisco 1121 Hardware Platform.

· Software Upgrades, Major and Minor Releases. Cisco may provide Cisco Secure Access Control System Software upgrades for the 1121 Hardware Platform as Major Upgrades or Minor Upgrades. If the Software Major Upgrades or Minor Upgrades can be purchased through Cisco or a recognized partner or reseller, the Customer should purchase one Major Upgrade or Minor Upgrade for each Cisco 1121 Hardware Platform. If the Customer is eligible to receive the Software release through a Cisco extended service program, the Customer should request to receive only one Software upgrade or new version release per valid service contract.

· Reproduction and Distribution. Customer may not reproduce nor distribute software.

3. DEFINITIONS

Major Upgrade means a release of Software that provides additional software functions. Cisco designates Major Upgrades as a change in the ones digit of the Software version number [(x).x.x].

Minor Upgrade means an incremental release of Software that provides maintenance fixes and additional software functions. Cisco designates Minor Upgrades as a change in the tenths digit of the Software version number [x.(x).x].

4. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS

Please refer to the Cisco Systems, Inc., End User License Agreement.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. Release Notes for Cisco Secure Access Control System 5.3 © 2011 Cisco Systems, Inc. All rights reserved
