Acs License File Installation Failed

1

AC power receptacle

5

(Blocked) Gigabit Ethernet 1

2

(Blocked) Gigabit Ethernet

6

(In Use) Gigabit Ethernet 0

3

Serial connector

7

USB 3 connector

4

Video connector

8

USB 4 connector

Hostname

localhost

First letter must be an ASCII character.

Length must be more that 2 but less than 20 characters.

Valid characters are alphanumeric (A-Z, a-z, 0-9), hyphen (-), and the first character must be a letter.

Enter the hostname.

IPv4 IP Address

None, network specific

Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.

Enter the IP address.

IPv4 Netmask

None, network specific

Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.

Enter a valid netmask.

IPv4 Gateway

None, network specific

Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.

Enter a valid default gateway.

Domain Name

None, network specific

Cannot be an IP address.

Valid characters are ASCII, any digit, hyphen (-), and period (.)

Enter the domain name.

IPv4 Primary Name Server Address

None, network specific

Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.

Enter a valid name server address.

Add/Edit another nameserver

None, network specific

Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255.

To configure multiple name servers, enter Y.

Username

admin

The name of the first administrative user. You can accept the default or enter a new username.

Must be more than 2 but less than 9 characters, and must be alphanumeric.

Enter the username.

Admin Password

None

No default password. Enter your password.

The password must be at least six characters in length and have at least one lower case letter, one upper case letter, and one digit.

In addition:

• Save the user and password information for the account that you set up for initial configuration.
• Remember and protect these credentials because they allow complete administrative control of the ACS hardware, the CLI, and the application.
• If you lose your administrative credentials, you can reset your password by using the ACS 5.3 installation CD.

Enter the password.

Base License

The base license is required for all deployed software instances, as well as for all appliances. The base license enables you to use all ACS functions except license controlled features, and it enables standard centralized reporting features.

The base license:

• Is required for all primary and secondary ACS instances.
• Is required for all appliances.
• Supports deployments that have a maximum of 500 managed devices.

The following are the types of base licenses:

• Permanent—Does not have an expiration date. Supports deployments that have a maximum of 500 managed devices.
• Evaluation—Expires 90 days from the time the license is issued. that have a maximum of 50 managed devices.

The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure.

For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses, and hence the number of devices is 256.

Add-On Licenses

Add-on licenses can only be installed on an ACS server with a permanent base license. A large deployment requires the installation of a permanent base license.

The Security Group Access feature licenses are of three types: Permanent, Eval, and NFR. However, the permanent Security Group Access feature license can be used only with a permanent base license.

CSCtg36142

Indication of secureid file did not work properly in the Node Secret set. This problem is resolved now.

CSCta75080

MSCHAP authentication with UTF8 SAM & NETBIOS did not work against AD in Centrify configuration. This problem is resolved now.

CSCtb99448

An error was displayed in ACS Management log while performing PAP Authentication. This problem is resolved now.

CSCte57427

SNMP location and contact information were not saved on reboot in ACS 5.1. This problem is resolved now.

CSCte70665

An error message was displayed while launching the Authentication Trend page from the Dashboard. This problem is resolved now.

CSCte98032

ACS 5 partitions were not aligned properly when they were installed on VMware. This problem is resolved now.

CSCtf09891

Remote log targets did not accept classless IP formats. This problem is resolved now.

CSCtf77292

The Evaluation of domain local groups resulted in delayed authentication [AD PERF]. This problem is resolved now.

CSCtg62673

The Feature license with & character in the company name could not be loaded. This problem is resolved now.

CSCtg71016

Primary and Secondary servers did not accept same server certificates. This problem is resolved now.

CSCth66492

Recovery mechanism was required while reconnecting the log-collector. This problem is resolved now.

CSCti00159

Network did not function properly when the MAC address of the host was changed in ACS 5 on VMware. This problem is resolved now.

CSCti30276

Admin users could not log in after a password reset. This problem is resolved now.

CSCti36058

The user authentication is ACS 5.1 failed while searching for the server in a remote domain. This problem is resolved now.

CSCti70509

In ACS 5, Restored DB from TFTP may result in corrupted configuration. This problem is resolved now.

CSCti95750

The filter did not show any result in ACS 5.1 while using a filter for AD groups in AD1:ExternalGroups. This problem is resolved now.

CSCtj58965

AD page did not load when there were issues in DNS or DCs. This problem is resolved now.

CSCtj61100

When adding three IP name-server through CLI, you were prompted to restart ACS three times. This problem is resolved now.

CSCtj68184

Evaluation License for AM&R was not being overwritten. This problem is resolved now.

CSCtk32478

CPU utilized high memory related to CDPD process in VMware. This problem is resolved now.

CSCtk32664

ACS sent change-pass request to a wrong ID -store in the sequence. This problem is resolved now.

CSCtk76151

Changing NIC's IP address caused NTP to go out of synchronization. This problem is resolved now.

CSCtk82961

RADIUS Proxy did not forward unknown attributes. This problem is resolved now.

CSCtl05923

Remote DB sql schema related information has to be updated for export run failed operation in ACS 5.3 documents. This problem is resolved now.

CSCtl07445

Negative integer in AV pair caused exception for ACS Log Collector. This problem is resolved now.

CSCtl07664

Unable to change the Error code. This problem is resolved now.

CSCtl11307

SNMP preferences setting existed in a wrong place on the ACS VIEW. This problem is resolved now.

CSCtl42972

Runtime process restarted after adding Shell Profile. This problem is resolved now.

CSCtl52327

ACS LDAP authorization was case sensitive. This problem is resolved now.

CSCtl84778

Sometimes two processes did not run after ACS reboot. This problem is resolved now.

CSCtl85457

The unreachable servers from DNS SRV resulted in a delay in ACS. This problem is resolved now.

CSCtn05827

The enable password option in TACACS did not work properly. This problem is resolved now.

CSCtn13731

Importing or updating TACACS+ devices need COA field to be filled. This problem is resolved now.

CSCtn18359

When ACS CLI password expires with password policy cannot be reset. This problem is resolved now.

CSCtn21381

CDP data containing & character resulted in show run to fail. This problem is resolved now.

CSCtn26604

ACS 5 did not support UNICODE characters in certificates. This problem is resolved now.

CSCtn62214

Could not import the.CSV file when the custom attribute was defined for local user/hosts. This problem is resolved now.

CSCtn67457

Dynamic attributes in authorization profiles stopped working after it was changed. This problem is resolved now.

CSCtn76469

Setting RADIUS accounting on got rejected with 11014 msg. This problem is resolved now.

CSCtn78315

Backing up data failed while using SFTP if it was not transferred within 60 seconds. This problem is resolved now.

CSCtn81510

ACS 5 documents did not have clear information on getACSViewWebServicesPort() for M&R. This problem is resolved now.

CSCto09231

ACS Interpreted Username in NetBIOS Format with Dot in DOMAIN as DNS. This problem is resolved now.

CSCto09337

ACS had problems with Network device filter using location or dev type.This problem is resolved now.

CSCto42187

EAP Authentication Method was not available for policy during PEAP fast reconnect. This problem is resolved now.

CSCto72525

Writing a Custom application to integrate M&R generated errors. This problem is resolved now.

CSCto72918

ACS 5.2 did not support Unicode characters in AAA client shared secret. This problem is resolved now.

CSCto77214

When ACS was overloaded, an error server workspace storage appeared. This problem is resolved now.

CSCtq07534

ACS 5 did not verify RSA keys for SFTP repositories. This problem is resolved now.

CSCtq15610

ACS Intermittent was Disconnected from AD. This problem is resolved now.

CSCtq17598

Runtime services failed to start in a shell profile attribute. This problem is resolved now.

CSCtq46433

ACS 5: Web page errors were found while filtering the device using IE8 if the device contain u. This problem is resolved now.

CSCtq61094

AD configuration affected the ACS Runtime process. This problem is resolved now.

CSCtq61125

ACS did not follow the identity store sequence. This problem is resolved now.

CSCtq61267

The password was not accepted after installing ESXi 4.x. This problem is resolved now.

CSCtq62007

Unable to save AD configuration when only user name or password was changed. This problem is resolved now.

CSCtq64672

Failure reason editor under System Configuration displayed an error for COD. This problem is resolved now.

CSCtq65124

ACS 5.2: Boolean LDAP attribute was incorrectly interpreted by ACS. This problem is resolved now.

CSCtq76307

CLI documentation did not have the updated SFTP information. This problem is resolved now.

CSCtq78681

Group Queries to Virtual Directory Server failed to return results. This problem is resolved now.

CSCtr23536

ACS 5.2: Appending domain name to SAN when trying to match account in AD resulted in the user not being found in external store database and a failed authentication. This problem is resolved now.

CSCtr24473

Radius Request were dropped by ACS without any explanation. This problem is resolved now.

CSCtr43053

The port attribute could not be used to match the rule if you used ASCII as authentication type for TACACS + authentications. This problem is resolved now.

CSCtr57687

ACS 5.x documents did not have the information on Replicated Items. This problem is resolved now.

CSCts55739

ACS 5.2Configuration Guide did not explain the failover scenarios. This problem is resolved now.

CSCtn94094

Web interface for compound rules uses non-standard boolean notation.

CSCts38477

In ACS 5.2 Compound Condition, replacing 'And' logic with 'Or' Duplicate of CSCtn94094.

CSCtq81172

Admin Wen interface takes time to load for large NDG tree.

CSCtg51846

Enum values are not shown in compound conditions in the rule.

CSCto73527

Network Device Filter fails with AND Condition while using Location and Device Type.

CSCts17763

ACS may crash when Shell Profile name contains special characters.

CSCtq76294

Need an alert to be triggered when backup operation fails.

CSCts40901

Shared secret key is displayed in clear text.

CSCtq80926

Select option is not working in Compound condition> LDAP > External groups.

CSCts61733

Bulk CRUD operations for Shell Profile Custom Attributes.

CSCtr78192

Multiple vulnerabilities in the Cisco ACS 5 web interface.

CSCts85741

Possible SQL injection point in ACS 5.2.

CSCtr78143

Multiple Cross--Site Request Forgery and stored XSS in ACS 5.2.

CSCtu15651

ACS view upgrade failure.

CSCtu07065

ACS 5.2 to 5.3 upgrade fails.

CSCts23451

ACS 5.x needs to update the RSA SecureID API.

CSCtu36433

ACS 5.3 web interface gives very slow access after an upgrade from ACS5.2

CSCtw97686

Could not edit the ACS 5.2 users after upgrading the system to AS 5.3.

CSCtu74476

MAC address format is inconsistent in activity reports.

CSCtn26538

EAP-TLS reauthentication fails - principal username is missing.

CSCte39351

The SNMP agent process in ACS appliance daemon stops.

CSCtu89783

ACS 5 password expiration policy triggered for token users.

CSCtt14745

Cannot add groups to LDAP identity store.

CSCtt17019

ACS 5.x has issues while retrieving additional AD groups when referenced in rule.

CSCtt21122

Cannot import the command sets if you have the character slash ( /) in the argument.

CSCto95888

sh acs-logs details command does not display local store log file names.

CSCtw64212

view-logprocessor Process gets stuck and the status is shown as not monitored.

CSCtu36357

ACS 5 cannot duplicate user accounts.

CSCtw67208

Administrative and Operational Audit logs are not getting recorded in ACS.

CSCtw56498

TACACS+ 'enable' request is dropped in unknown authentication type.

CSCtw97877

Installing a patch after 5.3 upgrade did not reduce the network device page loadtime.

CSCtx19470

ACS 5 shows an runtime error while trying to login to the GUI when all process are running properly.

CSCtx53340

NIL-CONTEXT error causes TACACS+ failure in ACS 5.3 TCP Listener Process.

CSCto88134

Temporary table was missing in 5.2 database after the restoring 5.1 backup.

CSCtx11180

Sometimes, ACS fails to fetch the group info for users in trusted domain

CSCty19628

Unassigning MS-CHAPV2 group retrieval fails. It is a duplicate of the bug CSCtx11180.

CSCtw59129

ACS5 tries to contact the domains which are not in trusted list, based on the username.

CSCty11627

ACS5 sends MS-CHAP-MPPE-Keys attribute in all access-accept packets.

CSCtw71563

ACS gets disconnected from AD if it receives duplicate A records for DC.

CSCtx90637

ACS MS-CHAPV2 is not hashing the MS-CHAP success correctly.

CSCtu15832

ACS 5.2 does not recover from an RPC failure with a domain controller.

CSCtx71254

ACS 5.3 is disconnecting from AD and unlatch is seen in ADclient logs.

CSCtx18638

Cannot add custom shell attribute with the keyword alert.

CSCtx83260

NDG locations are not showing up on the web interface.

CSCts14694

Accounting requests are seen as authentication requests.

CSCty60512

User authentication fails when having Authorization rule with built-in group.

CSCty60915

ACS 5.3 pre-authentication gets failed with AD for some users.

CSCtz03041

AD Agent cores management.

CSCty88457

ACS support bundle does not include ADclient core files.

CSCtz03084

/opt and /var full-Large AD Agent file contains file descriptor errors.

CSCtz03036

AD Agent cache should be flushed when core is generated.

CSCtz03943

ACS exposes the AD account username and password.

CSCtz03211

ACS 5.3 sends multiple authentication attempts to Active Directory.

CSCtz35383

Restoring ACS 5.1 and 5.2 backup on ACS 5.3 patch 3 fails.

CSCtz35418

Unexpected error occurs while selecting the maximum user session after restoring the backup.

CSCua46796

LDAP connection is interrupted for one minute every 10 hours due to Kerberos TGT expiration.

CSCtu21456

ACS 5.x: Intermittent password change is not working in secondary ACS.

CSCtx12249

ACS 5.x: ACS does not support TACACS Service 0x1a (Auth-Proxy).

CSCty48702

ACS 5.3 cannot export data to Oracle.

CSCtx68133

Some Secondary ACS machines show status as offline when the setup is idle.

CSCtx57296

ACS fails to open the view log collector with an irresolvable hostname in the primary machine.

CSCtx72675

ACS supports repository user name with domain name.

CSCtx55824

ACS 5.x: SQL schema file for view database export is incorrect.

CSCtu19690

Random Parse error alarms are triggered due to the radius accounting messages.

CSCtx90623

ACS web server is vulnerable to the HTTP slow header attack.

CSCty80996

Admin user with ResetUserPassword privilege cannot reset user passwords.

CSCty18371

Users without enable password option are able to set their own authentication password.

CSCtx40345

MAC addresses shown on end station filter list are incorrect.

CSCtx32481

Description is shown as null while importing NDG without a description.

CSCty16614

Resource not found or internal server error is seen with bulk filter option in ACS.

CSCtx71963

ACS 5.2: Bulk update of users ignores the changes that are made in the custom boolean attribute.

CSCtz31830

In some scenarios, Active Directory web interface group retrieval feature takes a long time to respond.

CSCtz42111

Password expiry timer is not replicated after changing the password using TACACS+.

CSCtz24314

ACS 5.x runs out of disk space.

CSCtz49470

In ACS 5.3, you can create and restore the ACS View database from a support bundle without the help of a root patch.

CSCty53608

Core file with 4000 users is generated in TACACS+ proxy.

CSCty75050

In ACS 5.3, CHAP authentication for TACACS+ fails.

CSCtx03590

Adding NDG filter with “Replace from File” fails.

CSCty92102

RADIUS proxy does not process the response from an external RADIUS server.

CSCtz09614

Validation error that results in an ACS runtime crash occurs while editing the end station filters.

CSCtz91356

Evaluation of Local groups lead to an increase in time delay during authentication.

CSCtz83523

AD client crashes because of the passwords with non-UTF-8 characters in it.

CSCty64763

Multiple groups are selected in authorization policy.

CSCua01925

SNMP monitoring cron job is deleted when you configure a scheduled backup.

CSCua51373

Support for On Demand Purge in ACS View.

CSCua60625

ACS View database restore fails when there is enough space available in /opt.

CSCua51804

ACS View backup fails even when there is enough disk space available.

CSCua60611

Runtime service memory utility is increasing during TACACS+ authentication and accounting requests.

CSCty97947

Importing large scale configurations in ACS results in runtime memory errors upon restart.

CSCub17638

Replication fails when you import devices in to the primary server.

CSCua69912

Config database gets corrupted after changing the authorization profile name which results in an internal error while accessing the web interface.

CSCua66744

The ACS view database transaction log reaches more than 50 GB, which fills the /opt partition size.

CSCtq46211

The Lexmark Printer works fine with ACS 4.x, but it is not working properly with ACS 5.x versions.

CSCtx53223

ACS 5.3 fails to join AD domain, and the Centrify license is missing when you upgrade ACS from its previous versions.

CSCtx63760

Scalability issue: ACS drops TACACS+ requests due to a high connection rate.

CSCtx56129

The ACS 5.x replication service fails because it cannot bind to port 2030.

CSCua67150

The network device is not recorded in the RADIUS Authentication logs.

CSCub15396

ACS 5.3 does not support blank spaces in the TACACS shared secret key.

CSCua90369

ACS 5.x is creating the error message: ShellProfile.ERROR..DeviceAttrFactory.cpp:29.

CSCtw84073

Unable to enter acs-config in the ACS CLI.

CSCua81734

In ACS 5.x, Identity groups are truncated when you use Internet Explorer 8.x version.

CSCty57491

ACS health logs are purged incorrectly.

CSCub46074

ACS 5.3 response is very slow with a large number of identity groups.

CSCub40278

XSS vulnerabilities were found in ACS view pages.

CSCub40291

CSRF vulnerabilities were found in ACS 5.3.

CSCub40498

The password field in ACS 5.3 has the autocomplete operation enabled.

CSCub40527

Unauthenticated download flaws were found in ACS 5.3.

CSCub40480

Cookie vulnerabilities were found in ACS 5.3.

CSCuc65634

TACACS+ authentication bypass vulnerabilities were found in ACS 5.3.

CSCub98158

The replication is not working when you register or deregister a secondary ACS instance.

CSCuc31452

In ACS 5.3, exporting users to.csv file is not working properly.

CSCtn99545

Administrators with numerical username are unable to use the dashboard.

CSCuc80049

Editing device filters results in validation error and ACS runtime to crash.

CSCuc28306

Unable to export the ACS_Log_Information from ACS view to a.csv file.

CSCub98880

Sometimes, the details icon in the troubleshooting reports page is not shown.

CSCuc68843

Secondary ACS server is reported to be in Local mode incorrectly

CSCuc93106

Upgrading from ACS 5.3 to ACS 5.4 fails.

CSCuc11436

In ACS 5.3, promoting a secondary ACS remotely from a primary ACS fails.

CSCuc06451

ACS cannot find the global catalogs.

CSCub82913

ADclient cache issue - Authentication fails when you change the OU in multiple domain controller environment.

CSCud06310

TCP socket exhaustion causes ACS 5.x to crash.

CSCub60424

Unable to register ACS in the deployment while the import operation is in progress.

CSCuc08568

Unable to register machines to the deployment.

CSCtx45515

PI REST support for Network Devices, Device Groups, and Hosts.

CSCud40928

The secondary instance management process remains in initializing state after deregistering it from the deployment.

CSCue86879

Added NTP service as a part of ACS services in ACS 5.3.

CSCud88921

NTP fails for some time after changing the local clock time.

CSCue35765

An invalid alarm is shown that says, “DBPurge is not running for the past two days.”

CSCue43289

Rules in Access Policies are pushed to the end of the list when you use filter to search or make any changes in them.

CSCud75174

Client-side filtering option in ACS leads to XSS Attack

CSCud75177

CSRF vulnerabilities found in ACS admin and ACS view pages.

CSCur00511

ACS evaluation for CVE-2014-6271 and CVE-2014-7169.

Users

1000

10000

300000

Hosts

100

1000

50000

Identity Group

10

200

1000

Network Devices

100

5000

50000

Network Device Groups

2 (default)

2 (default)

2 (default)

Device Hierarchies

2

3

6

All Locations

5

10

20

All Device Types

5

10

20

Services

2

5

25

Authorization Rules

5

25

320

Conditions

3

5

8

Authorization Profile

--

--

600

SSP

5

25

50

Result Sets

1

2

3

NARs

50

500

3000

ACS Instances

1-2

3-6

7-10

ACS Admins

5

15

50

2 roles

5 roles

9 roles

dACLs

1K Size

1K Size

600 dACL with 100 ACEs each

CSCtl08320

AD is down in Add Attribute list, PEAP/EAP-fast MSCHAP auth marked fail

The PEAP-GTC and EAP-FAST-GTC authentications are marked as Passed (green line in log) when attribute retrieval phase fails, and the FailOpen option is configured as DROP.

This problem occurs when Identity Sequence configured in such a way that authentication phase passes but attribute retrieval phase fails. The default FailOpen option for a failed process is DROP'

Workaround:

None

CSCtl10839

Break sequence fails for the same User authentication when AD is down (because of cache)

Attribute retrieval tries to retrieve groups from AD which is Down, and then continues to Next ID store in the Additional Attribute retrieval list. This occurs although you have selected the break sequence option.

This problem occurs when you:

1. Configure ACS as:

– AD with groups, with no attributes.

– Identity Sequence: Authentication ID Stores list is Internal

– Additional Attribute retrieval list is {AD, Internal, Radius server (or any other)}

2. Select the break sequence option.

3. Authenticate using AD.

4. Shut down AD.

5. Authenticate using Identity Sequence.

Workaround:

None

CSCtl93760

Search option does not work for MAC Address

Unable to list out the MAC addresses that are in the database.

This problem occurs when you create MAC addresses using wildcards and then try to list a single MAC address while searching.

Workaround:

Use other options such as starts with.

CSCtl95969

Sometimes Machine Authentication fails in Odyssey supplicant

Odyssey supplicant sometimes fails in machine authentication.

The authentication fails and displays the message Subject not found in the identity store (AD).

Workaround:

1. Select the EAP-TLS authentication as authentication type in Odyssey supplicant.

EAP-TLS authentication passes.

2. Change the authentication type to PEAP-TLS.

This makes the machine work well with Odyssey supplicant.

CSCtn19739

TLS Session Resume fails in PEAP-TLS with CSSC/Odyssey supplicant.

TLS Session Resume fails in PEAP-TLS with CSSC/Odyssey supplicant.

This problem occurs when you enable the TLS session resume in ACS and perform an authentication with the CSSC/Odyssey client.

Workaround:

None

CSCtn49931

Management processes do not come up after the application upgrade

Management processes are not restored when ACS services gets restarted. This issue is not consistent.

This problem occurs sometimes when you restart ACS services. For example, after upgrading ACS 5.2 to 5.3.

Workaround:

Restart the ACS services manually.

CSCto29474

Bulk edit is not supported for maximum session group value.

There is no option for bulk editing groups.

This problem occurs when there are many identity groups. (For example. 50 or more) It is difficult to edit the values for the groups one by one and there is no option to update many groups together.

Workaround:

Use the Import option to update the maximum session value for many groups at the same time.

CSCto52767

Centrify: Wrong user is being authenticated.

The wrong AD user is authenticated.

This problem occurs when you mix and match UPN and NetBios names for two given user. For example:

1. Enter user 1 as:

UPN: a1

NETBIOS:a2

psw : www123!@#

user 2:

UPN: a2

NETBIOS:a1

psw : ttt123!@#

2. Authenticate the first user as

user : a1

psw: www123!@#

3. Authenticate the second user as

user : a2

psw: ttt123!@#

Any one of the above two authentications fails.

Workaround:

Make sure AD user names are consistent and avoid naming conventions such that UPN and NetBios of different users are identical.

CSCto56190

AD interface operations take a long time if LDAP SSL is not enabled in AD.

AD interface operations (test connect, select groups, and select attributes) take a long time if LDAP SSL is not enabled in AD. The delay time in such cases, is the number of domain controllers in the domain in the same site as ACS * 15 seconds

This problem occurs if:

• LDAP SSL is not configured or enabled in AD domain controllers.
• There are many domain controllers in the domain in the same site as ACS.

Workaround:

Configure or enable LDAP SSL on AD domain controllers

CSCtq12058

Log level set to debug for Monitoring and Collector log but it shows the warning logs.

The Debug logs are not displayed in the Monitoring and Collector log.

Default warning logs are displayed even after the log level is set to Debug. This problem also occurs while the system performs Authentication.

Workaround:

Restart ACS

CSCtq34427

CARS: Centrify imposed host name limitation of 15 characters

AD account is created only for the latest machine that is joined to the AD, while joining multiple hosts.

This problem occurs if hosts have:

• Names longer than 15 characters
• The same 15 character prefix

Workaround:

When working with AD, the hostname length should not be more than 15 characters or the 15 character prefix for each host name should be unique.

CSCtq45439

Core file of management is generated while running stress in ACS

The management process crashes on a secondary ACS server in a distributed deployment and a core file is generated.

This problem occurs when a heavy authentication stress is applied to the primary server for a long time (one or two days).

Workaround:

None.

CSCtq52001

It is possible to install non CA certificates under CTL.

ACS allows you to install non CA certificates under Certificate Authorities.

This problem occurs because a CA certificate has the keyCertSign bit under Key Usage attribute. It is possible to install a non CA certificate without this bit.

Workaround:

Make sure the installed certificate is indeed a CA certificate.

CSCtq52032

No checks for the type of certificate while installing the server certificate

Invalid server certificate (such as, one that can be used for client authentication only) can be installed as a server certificate in ACS

This problem occurs when you install a client certificate (such as, extended key usage set to be 'Client Authentication' only) as a server certificate in ACS

Workaround:

Verify the extended key usage, manually.

CSCtq61557

Cannot create AAA client after an error message appears in the Network Device Ranges.

Unable to create AAA client, after an error message appears.

This problem occurs if you:

1. Create an AAA client with IP Ranges and enter an invalid character in the Exclude option.

The interface displays an error.

2. Delete the Exclude value and add the IP and click Submit.

The AAA client is not created.

Workaround:

1. Edit the IP and enter a proper Exclude value

2. Add the AAA client.

3. Click Cancel and create the AAA client with the proper Exclude value.

CSCtq67174

The username in the view displays an invalid escape character at line 1 column 2.

If you click on a username that contains the character ! in it, an error appears.

This problem occurs if the username contains the ! character in it.

Workaround:

Remove the character! from the username.

CSCtq80926

Select option gets disabled while selecting the string enum attribute.

The Select option is disabled and you cannot select the groups configured under Compound Condition and LDAP External Groups.

This problem occurs if you select Authorization > Customize selected compound condition, under Compound condition > LDAP > External groups.

This applies to LDAP and AD External groups configuration.

Workaround1:

Select some other attribute with a different dictionary, to enable the Select option for all types of attributes.

Workaround 2:

Select the external groups under Customize > LDAP: External groups in both Authorization and Group mapping.

CSCtr56396

Filtering Network Devices according to the new NDG type.

You do not get the correct records that match the filter, if you try to filter Network Devices according to the value of the Network device group that is added after adding the Network Devices.

This problem occurs when a new NDG is created after adding the Network Devices.

Workaround:

Create the NDG before adding the Network Devices

CSCtr74964

Wrong error message is displayed when you try to change the password of an LDAP user.

An error message Subject not found in the particular identity stores is displayed. This is wrong. The correct error message is Current identity store doesn't support changing password.

This problem occurs if you change the password while performing TACACS+ authentication for a user account located on an LDAP server

Workaround:

Ignore the incorrect error message.

CSCtr95923

Log messages are recovered after Restore.

Log recovery feature retrieves the missing logs after Restore.

This problem occurs when you take a backup of the view with the Log recovery feature enabled and then restore the backup in same setup.

Workaround:

Disable the feature for 5 minutes and then enable it. This prevents it from restoring the old logs.

CSCts07491

NDG: Duplicate option does not work

You cannot create a duplicate for an existing NDG.

This problem occurs if you want to create a new NDG by duplicating the existing NDG. In this case, the duplication does not work properly.

Workaround:

Create a new NDG using the Create option.

CSCts08356

ACS follows internal identity sequence twice when Fast Reconnect is enabled.

ACS performs the attribute retrieval twice in Internal ID store for a non-existent user. This occurs when authenticating by PEAP with fast reconnect enabled with W7 supplicant.

This problem occurs when ACS is configured with the following identity store sequence:

AD + Internal and PEAP-MSCHAP with fast reconnect.

Here a user is configured in AD but not in the Internal ID store.

When you are negotiating PEAP fast reconnect, the supplicant returns the result as TLV failure and then an inner method is invoked. The user is successfully authenticated in AD.

The attribute retrieval is performed twice in Internal ID store (both unsuccessful since the user is not found). The following log messages appear in the log:

22023 Proceed to attribute retrieval

22038 Skipping the next IDStore for attribute retrieval because it is the one we authenticated against

24210 Looking up User in Internal Users IDStore - ram

24216 The user is not found in the internal users identity store.

22038 Skipping the next IDStore for attribute retrieval because it is the one we authenticated against

22015 Identity sequence continues to the next IDStore

24210 Looking up User in Internal Users IDStore - ram

24216 The user is not found in the internal users identity store.

22016 Identity sequence completed iterating the IDStores

Workaround:

Configure the PEAP fast reconnect in the W7 supplicant correctly, so Fast Reconnect is enabled.

CSCts31991

AD join may fail when there are multiple DNS entries in ACS

ACS fails to join to AD

This problem occurs when there are multiple IP name-server entries configured in an ACS configuration CLI, but not all of the IP name-server entries are configured with Active Directory DNS Records.

It occurs where the AD DNS responds slower than the corporate DNS or if there is a DNS that does not resolve in AD DC/GC SRVs

Workaround1:

Ensure that all IP name-server entries have the required configuration for Active Directory. This way, the fastest responding name server will have the required Active Directory configuration.

Workaround 2:

Configure ACS 5.3 to use only a specific name server that has the required Active Directory configuration. Use the ACS 5.3 CLI to do this.

The ACS administrator should:

1. Log into the ACS configuration mode using the command acs-config.

2. Use ad-agent-configuration dns.servers to set the IP of the correct IP name-server to use.

For example, if the name of the server to use is 10.56.60.150, then the following commands should be entered, using the ACS 5.3 CLI:

cd-acs5-13-50/admin# acs-config

Escape character is CNTL/D.

Username: acsadmin

Password:

cd-acs5-13-50/acsadmin(config-acs)# ad-agent-configuration dns.servers 10.56.60.150

Performing AD agent internal setting modification is only allowed with ACS support approval. continue (y/n)?

cd-acs5-13-50/acsadmin(config-acs)# show ad-agent-configuration dns-servers

dns-servers: 10.56.60.150

cd-acs5-13-50/acsadmin(config-acs)# exit

This operation should be performed when the ACS machine is joined to the required domain for each server in the deployment.

CSCts52687

Centrify service gets frozen while starting and does not move to the next available DC.

AD functionality is down

This problem occurs when the joined DC is offline. There are other DCs online but ACS will not join one of them.

Workaround:

Bring the joined DC online or resubmit the AD configuration

For further problem description, see the guidelines discussed in http://nmtg2.cisco.com/wiki/index.php/RNE_Template

CSCto50246

CentrifyDC mode is displayed as 'connected' when the current DC is shutdown.

ACS takes a long time to update the DC details to which it is currently connected.

This problem occurs when ACS is connected to another fastest reachable DC, while the previously connected DC is down.

Workaround -

None

CSCts95867

The View database processes freeze when the system gets restarted while upgrading.

ACS view database process gets frozen if you restart the services while upgrading.

This problem occurs if you:

1. Configure the data in ACS 5.2 patch 6 when the machine is in a distributed setup where it has a primary server and a secondary server. The secondary server is the log collector.

2. Change the log collector to the primary server.

3. Deregister the secondary server from the primary server.

Star plus serial kahin to hoga. 4. Upgrade the secondary server using the CLI command application upgrade acs.tar.gz repo to ACS 5.3 build #38.

The following message is displayed.

application upgraded successfully.

5. Check the process status now using the CLI command show app upgrade acs.

The View Database process gets frozen for more than six hours while restarting the application

6. Upgrade the primary server using the CLI command application upgrade acs.tar.gz repo to 5.3 build #38.

The following message is displayed.

application upgraded successfully.

The View Database process gets frozen for more than six hours while restarting the application

Workaround:

Use acs stop and acs start commands in CLI and restart the ACS services manually.

CSCts79921

Authentication fails if you miss the UPN attribute.

Authentication fails against the Active Directory.

This problem occurs when you try to add users using the command NET USER aaa qqq123!@# /ADD.

Workaround:

Add the users through the Active web interface.

CSCtq29587

Radius Authentication fails in Switch with same VSA name and different data type.

Authentication fails in switch.

This problem occurs while creating VSA attributes in Proxy and Remote ACS that have the same name, but different types.

Workaround:

Define the VSA attributes with the same names and types.

CSCtq60960

Could not close the frames in the Authentication reports.

Expand and Collapse of Authentication results in Authentication details page are not working in both Mozilla in 4.x and 5.x versions.

This problem occurs when you use third party tools like Actuate BIRT. Since, by default, the html5 stricter parsing engine is enabled in Mozilla 4.x and 5.x versions. You will face this issue if the validation is not proper in the third party tools.

Workaround:

When you are using Mozilla 4.x and 5.x versions, complete the following steps.

1. Open a new tab.

2. Enter about:config in the address bar and press Enter.

3. Click I will be careful, I promise!.

4. Enter html5 in the Filter box.

5. Double-click the html5.parser.enable to change its value to false.

6. Now, reload Authentication results in Authentication details page.

The expand and collapse option of Authentication results in Authentication details page works fine.

CSCts04765

Switching from IP ranges to single IP address displays an error message.

An error message is displayed while switching from IP ranges or IP ranges by mask to single IP option when you are creating AAA clients.

This problem occurs when you switch from IP ranges or IP ranges by mask to single IP option in the network range multi column list box. The following error message is displayed.

There is more than one IP address defined. You cannot switch to Single IP Address mode.

This error is shown even after deleting the IP range and switched to single IP option.

Workaround:

Click Cancel and create a new AAA client.

CSCtt04675

Repositories are missing from the Global backup after restoring it.

The changes that you made to the running configuration through CLI are not available after a global restore.

For example,

1. Configure a repository.

2. Take a global backup.

3. Now, restore the backedup data. You can observe that the newly configured repository is not available in the running configuration.

This problem occurs if the new configuration was not saved to startup configuration.

Workaround:

You should make sure that the changes are saved to the startup configuration whenever you make changes to the running configuration.

CSCts67174

Database fail (TACACS Accounting) alarms are caused due to decimal value in AV pair.

Critical system alarms are caused in TACACS Accounting [Collector]: Database failure (<acs hostname >, TACACS Accounting).

This problem occurs when you use a decimal value in the AV pair elapsed time in TACACS Accounting packet sent by NAS.

Workaround:

None

CSCtr40972

Could not launch ACS with new IP address after a global Backup during upgrade.

Could not launch ACS using the new IP address after restoring a global backup.

This problem occurs when you restore a global back up of one ACS machine in to another ACS machine.

Workaround:

None

CSCua46796

LDAP connection is interrupted for one minute every 10 hours due to Kerberos TGT expiration.

LDAP connection is interrupted for one minute every 10 hours due to Kerberos TGT expiration. The connection is automatically re-established after the TGT renewal.

This problem occurs when you use AD or LDAP as an external database.

Workaround:

None

CSCua99537

Network Time Protocol Daemon (NTPD) running with ACS sometimes does not synchronize its clock with the windows time service

Network Time Protocol Daemon (NTPD) running with ACS, sometimes, does not synchronize its clock with the windows time service

This problem occurs often when ACS or AD is running as a virtual machine.

Workaround:

None.

10/17/2014

Added “Resolved Issues in Cumulative Patch ACS 5.3.0.40.9” section.

03/29/2013

Added “Resolved Issues in Cumulative Patch ACS 5.3.0.40.9” section.

11/21/2012

Added “Resolved Issues in Cumulative Patch ACS 5.3.0.40.8” section.

10/22/2012

Added “Resolved Issues in Cumulative Patch ACS 5.3.0.40.7” section.

08/24/2012

Added a known issue CSCua99537 in the Known ACS Issues section and not supporting multiple NIC in Features Not Supported section.

08/21/2012

Added “Resolved Issues in Cumulative Patch ACS 5.3.0.40.6” section.

08/10/2012

Updated Known ACS Issues and “Resolved Issues in Cumulative Patch ACS 5.3.0.40.4” section.

05/29/2012

Added “Resolved Issues in Cumulative Patch ACS 5.3.0.40.5” section.

05/18/2012

Added “Resolved Issues in Cumulative Patch ACS 5.3.0.40.4” section.

04/17/2012

Added “Resolved Issues in Cumulative Patch ACS 5.3.0.40.3” section.

02/28/2012

Added “Resolved Issues in Cumulative Patch ACS 5.3.0.40.2” section.

12/16/2011

Added “Resolved Issues in Cumulative Patch ACS 5.3.0.40.1” section.

12/01/2011

Fixed the bug CSCts96708.

10/04/2011

Cisco Secure Access Control System, Release 5.3.

License and Documentation Guide for the Cisco Secure Access Control System 5.3

http://www.cisco.com/en/US/products/ps9911/
products_documentation_roadmaps_list.html

Migration Guide for the Cisco Secure Access Control System 5.3

http://www.cisco.com/en/US/products/ps9911/
prod_installation_guides_list.html

User Guide for the Cisco Secure Access Control System 5.3

http://www.cisco.com/en/US/products/ps9911/
products_user_guide_list.html

CLI Reference Guide for the Cisco Secure Access Control System 5.3

http://www.cisco.com/en/US/products/ps9911/
prod_command_reference_list.html

Supported and Interoperable Devices and Softwares for the Cisco Secure Access Control System 5.3

http://www.cisco.com/en/US/products/ps9911/
products_device_support_tables_list.html

Installation and Upgrade Guide for the Cisco Secure Access Control System 5.3

http://www.cisco.com/en/US/products/ps9911/
prod_installation_guides_list.html

Software Developer’s Guide for the Cisco Secure Access Control System 5.3

http://www.cisco.com/en/US/products/ps9911/
products_programming_reference_guides_list.html

Regulatory Compliance and Safety Information for Cisco Identity Services Engine, Cisco 1121 Secure Access Control System, Cisco NAC Appliance, Cisco NAC Guest Server, and Cisco NAC Profiler

http://www.cisco.com/en/US/docs/net_mgmt/
cisco_secure_access_control_system/5.1/
regulatory/compliance/csacsrcsi.html