This release note summarizes the new features, known issues, and installation instructions for Cisco Secure Access Control System (ACS) version 5.2. The key highlights include support for RADIUS keywrap, SHA-2 signatures, and machine key zeroization. It provides information on installing ACS 5.2 on the Cisco 1121 appliance or a VMware server, as well as upgrading from previous versions. The document also lists several known limitations and issues to be aware of in this release.
The document discusses securing Domino servers from the POODLE vulnerability by implementing TLS 1.0 and removing support for SSLv3. It describes how to generate and install SHA-2 certificates on Domino using the KYRTool and OpenSSL to overcome limitations of the Certificate Admin database. Instructions are provided on generating a certificate signing request, acquiring a signed certificate from a certificate authority, and importing the certificate and roots into the Domino keyring.
This document provides information about Cisco Catalyst 2950 and Catalyst 2955 switches, including:
- An overview of features such as performance, manageability, redundancy, and security.
- Examples of network configurations using these switches, such as a small office network and hotel network.
- Instructions for configuring settings like IP addresses, clustering, authentication, and other management functions.
CCNA 2 Routing and Switching v5.0 Chapter 2 - Nil Menon
This document provides an overview of switched network configuration and security. It discusses basic switch boot processes and configuration, including setting switch ports, IP addresses, and secure remote access using SSH. The document also covers common security threats in switched networks like MAC flooding and DHCP spoofing. It recommends best practices like disabling unused ports and services, strong passwords, and network auditing tools. Specific switch security features covered include port security, DHCP snooping, and putting ports in error disabled state for violations.
This document provides a configuration guide for Cisco Wireless Control System (WCS) software release 4.1. It includes chapters on installing and configuring WCS, adding maps and monitoring wireless devices, managing user accounts, configuring controllers and mobility groups, using templates, and other tasks. The guide is intended for network administrators to effectively manage Cisco's unified wireless network solution using WCS.
This document provides instructions for installing and configuring the Whiptail Invicta storage system. It describes unpacking the system components, mounting the chassis in a rack, connecting cables, powering on the system, and completing the initial console configuration including network settings. Safety precautions are outlined for rack installation and ambient temperature requirements.
The document is an administration and configuration guide for the INVICTA system. It provides an overview of the INVICTA graphical user interface and describes the various configuration tasks that can be performed from each menu tab, such as creating LUNs, network configuration, asynchronous replication pairing, and user account management.
This document provides release notes for ClearPass 6.3.6, including information about supported browsers and system requirements, upgrading and updating instructions, new features, issues resolved, known issues, and contact support details. Key points include supported browsers being the latest versions of Firefox, Chrome, Safari, and IE7+, virtual appliance requirements for the CP-VA models, and considerations for upgrading from earlier 6.1.x or 6.2.x versions to 6.3.x.
Licensing on Cisco 2960, 3560X and 3750X... - IT Tech
This document discusses licensing for Cisco 2900/3500/3700 series switches. It describes the available feature sets (LAN Base, IP Base, IP Services), how to install and remove software licenses using the CLI, and license considerations for specific switch models including 2960/2960-S, 3560/3750, 3560E/3750E, and 3560X/3750X. It provides commands for checking licenses and guidelines for license installation on switch stacks.
ArcSight Management Center 2.2 P1 Administrator's Guide.pdf - Protect724mouni
This document provides an administrator's guide for HPE ArcSight Management Center version 2.2 Patch 1. It describes how to install, configure, and manage ArcMC and the nodes it manages, including connectors, containers, loggers, and other ArcMCs. The document covers topics such as installing ArcMC, managing nodes and products, configurations, monitoring, backups and restores, licensing, and system administration.
This document provides information about configuring a Cisco Catalyst 2960 switch, including:
- Details on the Catalyst 2960 switch software configuration guide for Cisco IOS Release 12.2(50)SE.
- Instructions and guidelines for configuring features such as VLANs, security, QoS, monitoring, and more.
- Examples of network configuration designs using Catalyst 2960 switches.
- Information on default settings, commands, and other technical aspects of switch configuration.
The document provides instructions for migrating configurations from ABB REL670 1.1 to REL670 1.2.3 using the IED Configuration Migration tool in PCM600 Ver. 2.x. The migration process exports the existing project, imports it into PCM600, and uses ICM to migrate individual IED configurations. This results in obsolete functions being removed and versioned functions being updated. The summary provides details on functions affected and any reengineering required. The instructions then outline reengineering steps for application configuration, parameters, SCL engineering, communication configuration, graphical displays, and signal matrix to complete the migration.
This document provides instructions for a lesson on securing network devices. It discusses concepts like router hardening, secure administrative access, and network monitoring techniques. It also outlines objectives like configuring a secure network perimeter and demonstrating secure router administration access. Finally, it provides details on implementing security features like banners, SSH, privilege levels, role-based CLI access, resilient configuration, and password recovery procedures.
The document discusses Cisco ASA firewall contexts, which allow virtualizing a single physical ASA device to act as multiple independent firewalls. Some key points:
- Contexts have their own routing, filtering, and address translation rules within an ASA in either routing or transparent mode.
- Features like VPN, dynamic routing, and QoS are not supported in contexts. Contexts are used when multiple security appliances are needed on one device.
- The system context manages interface allocation and other settings for all contexts. The admin context provides system-level access. Normal contexts are user-defined partitions.
- Physical interfaces can be allocated to contexts. Contexts also have resource limits defined through resource classes to
The document provides instructions for migrating relay configurations between different versions of the 650 series in PCM600. It describes exporting the existing project, importing it into the new version, and using the IED Configuration Migration tool to upgrade specific IED configurations to a new version. After migration, reengineering is often required, including updating settings, signals, and connections in tools like ACT, PST, SCL/61850, CMT, GDE and the signal matrix. Appendices list functions impacted by each migration for reference during reengineering.
How to configure cisco asa virtual firewall - IT Tech
Virtual firewalls, also known as security contexts, allow a single Cisco ASA device to act as multiple independent firewalls. This document discusses how to configure multiple security contexts on a Cisco ASA. It describes allocating interfaces and resources to unique contexts for separate network segments or customers. The admin context manages the entire ASA device and is used to create other contexts. Features like routing and VPN are unavailable in multiple context mode.
The document discusses setting up TACACS+ authentication on a Cisco router and Cisco ISE 2.4. It will go over what TACACS+ is, how to configure it on the router with AAA and TACACS server settings, and how to set up user profiles and command sets on ISE in 5 steps to enable TACACS+ authentication. The setup will then be tested by having a user connect to the router.
This document provides an overview of the FortiManager 5.0.10 Administration Guide. It describes the key features and capabilities of the FortiManager system including centralized management, configuration revision control, administrative domains, firmware management, logging and reporting. The guide covers how to use the web-based manager and system settings. It also provides information on managing devices, policy packages, objects, VPN console, FortiGuard services and more.
This document provides release notes for FortiManager version 5.0.10. Key points include:
- Supported models are FMG-100C, FMG-200D, FMG-300D, FMG-400B, FMG-400C, FMG-1000C, FMG-1000D, FMG-3000B, FMG-3000C, FMG-4000D, FMG-4000E, FMG-5001A, FMG-VM32, FMG-VM64, and FMG-VM64-HV.
- Special notices include monitoring the upgrade process, ADOM upgrades, CLI commands for dynamic objects, and FortiAnalyzer feature set changes.
This document provides steps to set up a Cisco WSA 9.2 appliance from the factory default configuration, including configuring interfaces, downloading the OS, setting the default username/password, installing a license, setting the clock, and completing the initial GUI setup. The WSA has 5 interfaces: M1 for management, P1/P2 for traffic, and T1/T2 for traffic monitoring. The initial setup covers configuring the M1 interface, loading a license file, setting the date/time, and navigating the GUI configuration wizard.
This document provides an overview and summary of the key components of the HPE Security ArcSight ESM solution:
- The ArcSight Manager receives event data from SmartConnectors and stores the data in the integrated CORR-Engine storage system. It also provides correlation, reporting, and administrative capabilities.
- The CORR-Engine is a high-performance storage and retrieval engine that allows the system to ingest events at high rates and perform fast searches.
- The ArcSight Console provides a user interface for administrative tasks like rules creation and user management.
- SmartConnectors forward security events from devices and systems to the ArcSight Manager.
- The ArcSight Command Center
AIX 7.2 is the latest version of IBM's AIX operating system for Power Systems servers. It provides enhancements for improved availability, performance, flexibility and security. New features in AIX 7.2 include live updates for non-disruptive kernel and software updates, improved virtual networking support, and automated memory and storage optimizations. AIX 7.2 maintains binary compatibility with previous AIX versions and editions include Standard and Enterprise options.
This document provides instructions for installing and configuring VMware ESX Server 3i and VirtualCenter 2.5. It discusses installing ESX Server 3i and setting up the required network, storage and security configurations. It also describes how to back up the ESX Server configuration, add the server to a VMware Infrastructure environment using VirtualCenter, and maintain the VI Client and ESX Server software.
Authentication is configured locally on the router using AAA (Authentication, Authorization, and Accounting). The router authenticates users against the local database. Authentication methods include passwords stored locally or using a protocol like RADIUS or TACACS+. The document discusses configuring local authentication, adding usernames/passwords, and troubleshooting authentication.
Secure Shell (SSH) is a protocol that provides secure remote access to devices. This document provides instructions for configuring SSH on Cisco switches including generating SSH keys, configuring the SSH server, and monitoring the SSH configuration. Key steps include generating an RSA key pair, configuring the SSH version, setting timeout values, and limiting network access to SSH-only connections.
This document provides an overview and agenda for deploying Cisco ASA VPN solutions. It discusses the CCNP Security VPN exam, VPN technologies including site-to-site IPSec VPN, remote access IPSec and clientless SSL VPN. It also covers ASA VPN architecture, fundamentals of VPN configurations including group policies and connection profiles. Key topics are IPSec protocols, IKE, AAA and PKI.
The document discusses setting up a FIWARE testbed using OpenStack for infrastructure as a service (IaaS). It describes installing OpenStack components like Nova, Glance, Horizon on servers to deploy virtual machines from images and manage them. Key OpenStack concepts are explained like projects, flavors, images, networking. Steps are provided to launch VMs, assign IPs, security groups. Future plans include adding more FIWARE components and improving the OpenStack installation. The testbed is intended for FIWARE enablers, UCs and open innovation projects to instantiate and test enablers in a cloud environment.
Cisco IOS software is used on Cisco routers and switches to provide routing and switching functionality. Hardening the Cisco IOS involves securing the management plane, control plane, and data plane. For the management plane, this includes implementing strong passwords, disabling unneeded services, limiting access, and using secure protocols. For the control plane, hardening involves securing routing protocols, limiting CPU impact, and implementing authentication. For the data plane, anti-spoofing protections, filtering transit traffic, and attack tracing are implemented. The overall goal is to reduce vulnerabilities by securing each functional plane of the network.
ClearPass Onboard is a product from Aruba Networks that automates the provisioning of network access credentials and configuration settings for devices connecting to an enterprise network. It supports Windows, Mac OS X, iOS and Android devices connecting over wired, wireless and VPN connections. Key features include automatic configuration of network settings, provisioning of unique device credentials, and revocation of credentials for specific devices. The document provides deployment guidelines and configuration instructions for ClearPass Onboard.
This document provides instructions for configuring Cisco Secure Access Control Server (ACS), including deploying ACS servers, configuring new features in ACS 4.2, using RDBMS synchronization, setting password policies, configuring agentless host support, PEAP/EAP-TLS authentication, syslog logging, and network access control. It describes factors to consider for deployment and provides step-by-step examples for common configuration scenarios. The document is intended for security administrators who configure and maintain network and application security using ACS.
This document provides release notes for version 6.2 of the ArcSight Connector Appliance. It describes new features in this version including appliance health monitoring, LDAP authentication, read-only user groups, and SSL certificate expiration alerts. It provides instructions for upgrading from version 6.1, including preserving the remote management configuration and upgrading files. It also lists supported browsers, information users should know about the upgrade, closed issues, and open issues.
The document provides a guide for deploying and configuring Cisco Secure Access Control Server (ACS) 5.2. It outlines scenarios for installing ACS as a virtual appliance, setting up a backup server for high availability, integrating ACS with Active Directory and LDAP, and configuring AAA authentication and authorization for devices and VPNs using TACACS and RADIUS. Configuration steps are provided for assigning privilege levels to users on routers and firewalls via AAA with shell profiles.
The document provides guidance on migrating configuration data from Cisco Secure Access Control System (ACS) Releases 3.x and 4.x to ACS Release 5.6. It describes the differences between the older and new versions, outlines the migration process, and details how to use the ACS 5.6 Migration Utility to migrate users, network devices, policies and other elements from ACS 4.x to 5.6. Administrators can use the utility to analyze, export, import and validate configuration data during the migration.
Istio and Envoy provide a service mesh solution for microservices architectures that addresses many of the challenges of that architecture style. The service mesh handles tasks like load balancing, service discovery, failure handling, and authentication/authorization transparently for services. Istio's control plane components like Pilot and Mixer configure Envoy sidecar proxies that intercept and route traffic for each service instance. When using Istio, special logic does not need to be added to each individual service to handle these tasks. The service mesh approach improves development, maintenance and portability of microservices.
This document provides instructions and guidelines for configuring and managing Cisco networking hardware and software. It includes information on:
- Configuring redundancy features like NSF with SSO and RPR supervisor engine redundancy for high availability.
- Configuring and monitoring the switch fabric functionality for optimal performance.
- Configuring interfaces including setting speed, duplex mode, flow control, and other optional features.
- Performing enhanced fast software upgrades to minimize disruption when updating software versions.
The document contains detailed technical information, commands, and verification steps to configure and manage Cisco switches and routers for various networking needs.
Swift 7.2 & Customer Security: Providing choice, flexibility and control. Nancy Hernandez
Meeting Swift 7.2 & Customer Security Deadlines: Practical strategies for success.
Presented by Patricia Hines, Senior Celent Analyst and Head of Swift Services, B. Venkat from PayCommerce.
We will discuss the following: Classical Security Methods, AAA, Authentication, Authorization, Accounting, AAA Characteristic, Local Based AAA, Server Based AAA, TACACS+ and RADIUS.
This document discusses simplifying security in the data center. It introduces concepts like micro-segmentation using Endpoint Groups (EPGs) in Cisco Application Centric Infrastructure (ACI) to isolate application traffic. It also discusses integrating ACI with Cisco TrustSec to apply common identity and security policies between the campus and data center domains. Finally, it demonstrates how the Cisco Firepower management center can be used to automate a security feedback loop, moving compromised endpoints to a quarantined EPG for remediation through REST API calls to ACI.
ArcSight Management Center 2.5 Administrator's Guide Protect724mouni
This document provides an administrator's guide for HPE ArcSight Management Center 2.5. It describes how to install, configure, and manage the ArcSight Management Center platform as well as the connectors, containers, and other managed products it supports. The guide covers topics such as installing ArcSight Management Center, managing nodes and products from the user interface, configuring backups and restores, and performing system administration tasks. It is intended to help administrators effectively use ArcSight Management Center to centrally monitor, configure, and manage their ArcSight deployment.
The document provides release notes for Cisco Configuration Professional version 1.3, dated April 16, 2009. It includes sections on new features, limitations, documentation, and system requirements. The system requirements section outlines requirements for the PC and supported Cisco routers, including minimum specifications, supported network modules and cards, and required Cisco IOS versions.
PLNOG15: Network and cloud security,Pawel WachelkaPROIDEA
The document discusses Huawei's Cluster Switch System 2 (CSS2) architecture and Super Virtual Fabric (SVF) concept for network orchestration. CSS2 uses clustering-capable switches to form a logical switch for high performance and availability. SVF uses a parent device to manage and configure the network, including access devices, wireless access points, service profiles, policy association, and packet forwarding rules. It also supports service chain orchestration through authentication, service device communication via GRE tunnels, and policy enforcement on service devices.
Plnog15 paweł wachelka - sieć oraz bezpieczeństwo w chmurzeMarta Pacyga
The document discusses Huawei's Cluster Switch System 2 (CSS2) architecture and Super Virtual Fabric (SVF) networking concepts. CSS2 provides high performance and availability by clustering switches through CSS cards, with the lowest inter-chassis delay of 4 microseconds. The SVF creates a logical network by configuring service profiles on a parent device and binding them to access switch port groups. It supports both distributed and centralized packet forwarding. Key SVF features include template-based configuration, policy association, and service chain orchestration through tunnels between orchestration and service devices.
This presentation will offer an Overview of the UCS System Architecture, including all of the technical innovations that serve as the foundation. Among the topics covered will be overviews on Unified Fabric, Service Profiles, Hardware Abstraction, Fabric Extension, Memory Expansion and the UCS Manager. Further insight will be offered into the XML -based API and the basic set of managed objects, including Pools, Policies and Templates.
This document outlines the 5 steps to set up an IKEv2 VPN with EAP-TLS authentication between an ASA and Cisco ISE for remote access VPN:
1. Arrange certificates on the user PC, ASA, and ISE
2. Configure the ASA with group policies, tunnel settings, and to authenticate with ISE
3. Configure ISE with the root CA certificate and RADIUS settings
4. Install the user certificate and trusted root CA on the VPN client
5. Verify the VPN connection between the client and ASA via ISE authentication
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteOWASP Kyiv
This document discusses using ScoutSuite to audit cloud security in AWS. It provides instructions for installing and running ScoutSuite against an AWS account to check for common misconfigurations. The document concludes with recommendations for quick wins like restricting security groups and enabling encryption, as well as longer-term work such as enabling CloudTrail logging and meeting PCI DSS requirements.
ArcSight Management Center 2.2 Administrator's Guide.pdfProtect724mouni
This document provides an administrator's guide for HPE ArcSight Management Center version 2.2. It covers topics such as installing and uninstalling ArcSight Management Center, managing nodes and HPE ArcSight products, managing configurations, monitoring, backups and restores, system administration, and special connector configurations. The document contains legal notices, a table of contents, and appendices with additional information.
The document summarizes security enhancements in Visual Studio 2005 and SQL Server 2005, including managed code security improvements like running under less privileged accounts, code access security, and debugging/IntelliSense in restricted permission zones. It also describes SQL Server 2005 features like secure defaults, strengthened authentication, granular permissions, encryption and execution context.
Cloud Platform Symantec Meetup Nov 2014Miguel Zuniga
Openstack Lessons learned
Continuous Integration and Deployment using Openstack
Tuning Openstack for High Availability and Performance in Large Production Deployments
- The document discusses securing VoIP deployments using Cisco Unified Communications Manager (CUCM) and Cisco Unified Border Element (CUBE)/Session Border Controller (SBC).
- It covers security measures for the network infrastructure, endpoints, and call control using CUCM as well as securing the edge of the network with CUBE/SBC.
- The presentation also discusses CUCM release 11.5 security updates including encryption strengths that meet federal requirements and enhancements for certificate management.
Americas Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Release Notes for the Cisco Secure Access Control System 5.2
Revised: March 3, 2011 OL-21576-01
These release notes pertain to the Cisco Secure Access Control System (ACS), release 5.2, hereafter
referred to as ACS 5.2. These release notes provide information on the features, related documentation,
resolved issues, and known issues for functionality in this release.
This document contains:
• Introduction
• New and Changed Features
• SFTP Copy
• Features Not Supported
• Known Limitations in ACS 5.2
• Installation and Upgrade Notes
• Resolved ACS Issues
• Resolved Issues in Cumulative Patch ACS 5.2.0.26.1
• Resolved Issues in Cumulative Patch ACS 5.2.0.26.2
• Known ACS Issues
• Documentation Updates
• Product Documentation
• Notices
• Supplemental License Agreement
• Obtaining Documentation and Submitting a Service Request
Introduction
ACS is a policy-driven access control system and an integration point for network access control and
identity management.
The ACS 5.2 software runs either on a dedicated Cisco 1121 Secure Access Control System
(CSACS-1121) appliance, or on a VMware server. However, ACS 5.2 continues to support CSACS-1120
appliances that you have used for ACS 5.0 and that you would like to upgrade to ACS 5.2.
This release of ACS provides new and enhanced functionality on a standard Cisco Linux-based
appliance.
Throughout this documentation, CSACS-1121 refers to the appliance hardware, and ACS Server refers
to the ACS software.
New and Changed Features
This release of ACS provides improved parity with 4.x. The following sections briefly describe the new
and changed features in the 5.2 release:
• Cryptographic Module
• Support RADIUS KeyWrap
• Machine Key Zeroization
• SHA-2
• CoA Port
Cryptographic Module
The cryptographic module enhancements include:
• PKI Key Generation—The ACS 5.1 Public Key Infrastructure (PKI) credentials and the local
certificates and outstanding certificates are restored in ACS 5.2 by reimporting the certificates.
• RADIUS KeyWrap—ACS 5.2 supports configuration and usage of Key Encryption Key (KEK) and
Message Authentication Code Key (MACK).
• Key Zeroization—ACS 5.2 supports zeroization of all keys as part of key zeroization.
Support RADIUS KeyWrap
The RADIUS KeyWrap feature enhancements include:
• Shared Secrets
– KEK—ACS 5.2 supports configuration and usage of Key Encryption Key (KEK). This is used
for encryption of the Pairwise Master Key (PMK). In ASCII mode, enter a key length of exactly
16 characters; in hexadecimal mode, enter a key length of 32 characters.
– MACK—ACS 5.2 supports configuration and usage of Message Authentication Code Key
(MACK). It is used to calculate the keyed hashed message authentication code (HMAC) over
the RADIUS message.
In ASCII mode, enter a key length with 20 characters. In hexadecimal mode, enter a key with
40 characters.
• Cisco AV-Pair
The RADIUS KeyWrap feature in ACS 5.2 introduces the following three new AVPs for the Cisco
AV-pair RADIUS Vendor-Specific-Attribute:
– Random Nonce—ACS 5.2 supports Random Nonce, generated by the NAS. It is used for adding
randomness to the key data encryption and authentication, and for linking between requests and
response packets (prevent replay attacks).
– Key—ACS 5.2 supports session key distribution, to replace the use of MS-MPPE-xxxx-KEY
attributes [RFC2548].
– Message Authenticator Code—ACS 5.2 supports the use of Message Authentication Code for
ensuring the authenticity of the RADIUS message (including the EAP-Message and Key
attributes).
When RADIUS KeyWrap is enabled, ACS 5.2 allows the use of these three RADIUS KeyWrap
AVPs for message exchanges and key delivery. According to the KeyWrap attribute requirements,
ACS will reject all RADIUS requests that contain both RADIUS KeyWrap AVPs and the standard
RADIUS Message Authenticator attribute [RFC2869].
• Configuration—ACS 5.2 supports enabling and disabling of RADIUS KeyWrap for AAA clients.
Configuration of RADIUS KeyWrap shared keys for AAA clients and default network devices is
also supported.
• Migration—ACS 5.2 supports migration of KeyWrap network device configuration from ACS 4.x
to 5.2.
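The KEK/MACK entry rules and the KeyWrap versus Message Authenticator rule above can be checked before a device list is loaded into ACS. The following Python check is an added example, not code from the Cisco release notes; the dictionary field names, the AVP label strings and the sample devices are assumptions constructed for illustration.

```python
"""Pre-flight check for RADIUS KeyWrap settings, following the ACS 5.2 entry rules."""
import secrets
import string

# Raw key sizes implied by the release notes: the KEK is 16 ASCII or 32 hex
# characters, the MACK is 20 ASCII or 40 hex characters.
KEY_BYTES = {"KEK": 16, "MACK": 20}

# Labels for the three KeyWrap AVPs and the RFC 2869 attribute. These strings are
# placeholders for this example, not the on-the-wire attribute encoding.
KEYWRAP_AVPS = {"random-nonce", "key", "message-authenticator-code"}
STANDARD_MESSAGE_AUTHENTICATOR = "Message-Authenticator"


class KeyWrapConfigError(ValueError):
    """A KeyWrap key does not match the length or alphabet of its entry mode."""


def parse_key(kind, value, mode):
    """Return the raw bytes of a KEK or MACK entered in 'ascii' or 'hex' mode."""
    size = KEY_BYTES[kind]
    if mode == "ascii":
        if not value.isascii():
            raise KeyWrapConfigError(f"{kind}: non-ASCII character in ASCII mode")
        if len(value) != size:
            raise KeyWrapConfigError(
                f"{kind}: ASCII mode needs exactly {size} characters, got {len(value)}")
        return value.encode("ascii")
    if mode == "hex":
        if any(ch not in string.hexdigits for ch in value):
            raise KeyWrapConfigError(f"{kind}: non-hex character in hexadecimal mode")
        if len(value) != 2 * size:
            raise KeyWrapConfigError(
                f"{kind}: hexadecimal mode needs {2 * size} characters, got {len(value)}")
        return bytes.fromhex(value)
    raise KeyWrapConfigError(f"{kind}: unknown key input mode {mode!r}")


def generate_hex_key(kind):
    """Create a random key for hexadecimal entry.

    Hex mode can express every byte value; ASCII mode limits each byte to
    characters that can be typed, so random hex keys carry more entropy.
    """
    return secrets.token_hex(KEY_BYTES[kind])


def check_client(client):
    """Return a list of problems for one AAA client record (empty list = OK)."""
    problems = []
    if not client.get("keywrap_enabled"):
        return problems  # KeyWrap keys are only checked when the feature is on
    for kind, field in (("KEK", "kek"), ("MACK", "mack")):
        try:
            parse_key(kind, client.get(field, ""), client.get("key_mode", ""))
        except KeyWrapConfigError as exc:
            problems.append(f"{client['name']}: {exc}")
    return problems


def request_rejected(attribute_names):
    """True when a request mixes KeyWrap AVPs with the standard Message Authenticator."""
    names = set(attribute_names)
    return bool(names & KEYWRAP_AVPS) and STANDARD_MESSAGE_AUTHENTICATOR in names


# Constructed sample inventory (not real devices or keys).
SAMPLE_CLIENTS = [
    {"name": "wlc-1", "keywrap_enabled": True, "key_mode": "ascii",
     "kek": "0123456789abcdef", "mack": "0123456789abcdefghij"},
    # 16 characters pasted into hexadecimal mode: KEK is half the required length.
    {"name": "sw-2", "keywrap_enabled": True, "key_mode": "hex",
     "kek": "0123456789abcdef", "mack": "ab" * 20},
    # Correct length, but 'g' is not a hexadecimal digit.
    {"name": "ap-3", "keywrap_enabled": True, "key_mode": "hex",
     "kek": "g" + "0" * 31, "mack": "cd" * 20},
    {"name": "rtr-4", "keywrap_enabled": False, "key_mode": "ascii",
     "kek": "", "mack": ""},
]

if __name__ == "__main__":
    for record in SAMPLE_CLIENTS:
        issues = check_client(record)
        print(record["name"], "OK" if not issues else issues)
    print("new KEK (hex):", generate_hex_key("KEK"))
```
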
Machine Key Zeroization
ACS 5.2 introduces a new CLI command acs zeroize-machine to trigger the zeroization. Zeroization
deletes any key and sensitive files. It also deletes the running memory and the swap files.
This command securely deletes the partition on which ACS is installed. It also securely deletes the swap
partition and restarts the machine to clear all information in the RAM. After the command has completed
running, ACS will not function on the appliance. You have to re-install ACS on the appliance.
For more information on this command, see the CLI Reference Guide for the Cisco Secure Access
Control System 5.2.
SHA-2
ACS 5.2 supports SHA-2 signatures as follows:
• Supports importing of SHA-2 signed certificates.
• Supports SHA-2 signed certificates in TLS protocols.
• Supports SHA-2 in CSR generation. You have an option to choose SHA-2 signature.
• Supports SHA-2 in Self-Signed certificate generation. You have an option to choose SHA-2
signature.
Only SHA2 256-bit certificate digest algorithm is supported by ACS 5.2.
CoA Port
ACS 5.2 allows you to configure the Change of Authorization (CoA) port through the GUI. It is used to set
up the RADIUS CoA port for session directory, for user authentication. You can launch this session
directory from the Monitoring and Troubleshooting Viewer page. By default, the CoA port value is filled
as 1700.
SFTP Copy
In ACS 5.2, SSH File Transfer Protocol (SFTP) is implemented by Secure Copy Protocol (SCP).
Features Not Supported
The following features are not supported in ACS 5.2:
• ACS upgrade through GUI is not available in ACS 5.2. For more information, see the Installation
and Upgrade Guide for the Cisco Secure Access Control System 5.2.
• Expiry of any user (admin or internal) after certain number of days is not supported.
• Support for defining the maximum number of simultaneous sessions for a user or user group.
Known Limitations in ACS 5.2
The following are the affected areas in ACS 5.2 as a result of FIPS certification:
SSH client
The SSH client should support the following FIPS compliant cipher suites:
• Key exchange cipher: diffie-hellman-group14-sha1
• Encryption ciphers: aes256-cbc, aes128-cbc, 3des-cbc
• MAC: hmac-sha1
Browsers
ACS 5.2 supports the following Web Client/Browser Platforms in Windows XP Professional (Service
Pack 2 and 3) and Windows Vista:
• Internet Explorer version 7.x
• Internet Explorer version 8.x
• Mozilla Firefox version 3.x
The above mentioned browsers are supported only with one of the following cipher suites:
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA
• RSA_WITH_3DES_EDE_CBC_SHA
You should install Windows XP SP3 to use SHA2 256-bit certificates as management certificates.
Logs
ADE logs added the following repetitive log message because of FIPS requirements:
Crypto::notifyStateTransition
Installation and Upgrade Notes
This section provides information on the installation tasks and configuration process for ACS 5.2. This
section contains:
• Installing, Setting up and Configuring CSACS 1121
• Running the Setup Program
• Licensing in ACS 5.2
• Upgrading an ACS Server from 5.0 to 5.2
• Applying Upgrade Patches
Installing, Setting up and Configuring CSACS 1121
This section describes how to install, set up and configure the CSACS 1121 Series appliance. The
CSACS 1121 Series appliance is preinstalled with the software.
To set up and configure the CSACS 1121:
Step 1 Open the box containing the CSACS 1121 Series appliance and verify that it includes:
• The CSACS 1121 Series appliance
• Power cord
• Rack-mount kit
• Cisco Information Packet
• Warranty card
• Regulatory Compliance and Safety Information for the Cisco 1121 Secure Access Control
System 5.1
Step 2 Go through the specifications of the CSACS 1121 Series appliance.
For more details, see Installation and Upgrade Guide for the Cisco Secure Access Control System 5.2.
Step 3 Read the general precautions and safety instructions that you must follow before installing the CSACS
1121 Series appliance.
For more details, see Installation and Upgrade Guide for the Cisco Secure Access Control System 5.2
and pay special attention to all the safety warnings.
Step 4 Install the appliance in the 4-post rack, and complete the rest of the hardware installation.
For more details on installing the CSACS 1121 Series appliance, see Installation and Upgrade Guide for
the Cisco Secure Access Control System 5.2.
Step 5 Connect the CSACS 1121 Series appliance to the network and connect either a USB keyboard and Video
Graphics Array (VGA) monitor or a serial console to the serial port.
Figure 1 shows the back panel of the CSACS 1121 Series appliance and the various cable connectors.
Note For the initial setup, you must have either a USB keyboard and VGA monitor or a serial console
running terminal-emulation software.
For more details, see Installation and Upgrade Guide for the Cisco Secure Access Control System 5.2.
For information on installing ACS 5.2 on VMware, see Installing ACS in a VMware Virtual Machine
chapter in the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.2.
Figure 1 CSACS 1121 Series Appliance Rear View
The following table describes the callouts in Figure 1.
1 AC power receptacle
2 (Blocked) Gigabit Ethernet
3 Serial connector
4 Video connector
5 (Blocked) Gigabit Ethernet 1
6 (In Use) Gigabit Ethernet 0
7 USB 3 connector
8 USB 4 connector
Step 6 After completing the hardware installation, power up the appliance.
The first time you power up the appliance, you must run the setup program to configure the appliance.
For more information, see Running the Setup Program.
Running the Setup Program
This section describes the setup process that configures the ACS Server.
The setup program launches an interactive CLI that prompts you for the required parameters. An
administrator can use the console or a dumb terminal to configure the initial network settings and enter
the initial administrator credentials for the ACS 5.2 server that is using the setup program. The setup
process is a one-time configuration task.
To configure the ACS Server:
Step 1 Power up the appliance.
The setup prompt appears:
Please type ‘setup’ to configure the appliance
localhost login:
Step 2 At the login prompt, enter setup and press Enter.
The console displays a set of parameters. You must enter the parameters as described in Table 1.
Note You can interrupt the setup process at any time by typing Ctrl-C before the last setup value is
entered.
Table 1 Network Configuration Prompts

| Prompt | Default | Conditions | Description |
| --- | --- | --- | --- |
| Hostname | localhost | First letter must be an ASCII character. Length must be >2 but <20 characters. Valid characters are alphanumeric (A-Z, a-z, 0-9), hyphen (-), and the first character must be a letter. | Enter the hostname. |
| IPv4 IP Address | None, network specific | Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255. | Enter the IP address. |
| IPv4 Netmask | None, network specific | Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255. | Enter a valid netmask. |
| IPv4 Gateway | None, network specific | Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255. | Enter a valid default gateway. |
| Domain Name | None, network specific | Cannot be an IP address. Valid characters are ASCII, any digit, hyphen (-), and period (.) | Enter the domain name. |
| IPv4 Primary Name Server Address | None, network specific | Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255. | Enter a valid name server address. |
| Add/Edit another nameserver | None, network specific | Must be a valid IPv4 address between 0.0.0.0 and 255.255.255.255. | To configure multiple name servers, enter Y. |
| Username | admin | The name of the first administrative user. You can accept the default or enter a new username. Must be >2 and <9 characters, and must be alphanumeric. | Enter the username. |
| Admin Password | None | No default password. Enter your password. The password must be at least six characters in length and have at least one lower case letter, one upper case letter, and one digit. In addition: • Save the user and password information for the account that you set up for initial configuration. • Remember and protect these credentials because they allow complete administrative control of the ACS hardware, the CLI, and the application. • If you lose your administrative credentials, you can reset your password by using the ACS 5.2 installation CD. | Enter the password. |

After you enter the parameters, the console displays:
localhost login: setup
Enter hostname[]: acs-server-1
Enter IP address[]: 209.165.200.225
Enter IP default netmask[]: 255.255.255.0
Enter IP default gateway[]: 209.165.200.1
Enter default DNS domain[]: mycompany.com
Enter Primary nameserver[]: 209.165.200.254
Add/Edit another nameserver? Y/N : n
Enter username [admin]: admin
Enter password:
Enter password again:
Pinging the gateway...
Pinging the primary nameserver...
Do not use `Ctrl-C' from this point on...
Appliance is configured
Installing applications...
Installing acs...
Generating configuration...
Rebooting...
After the ACS server is installed, the system reboots automatically. Now, you can log in to ACS with the
CLI username and password that was configured during the setup process.
You can use this username and password to log into ACS using only the CLI. To log into the GUI, you
must use the predefined username ACSAdmin and password default.
When you access the GUI for the first time, you will be prompted to change the predefined password for
the administrator. You can also define access privileges for other administrators who will access the GUI
application.
Licensing in ACS 5.2
To operate ACS, you must install a valid license. ACS prompts you to install a valid license when you
first access the web interface.
Each ACS instance (primary or secondary) in a distributed deployment requires a unique base license.
This section contains:
• Types of Licenses, page 10
• Auto-Installation of Evaluation License, page 11
Types of Licenses
Table 2 lists the types of licenses available in ACS 5.2.
Table 2 ACS License Support

License: Base License
Description: The base license is required for all deployed software instances, as well as for all appliances. The
base license enables you to use all ACS functions except license controlled features, and it enables
standard centralized reporting features.
The base license:
• Is required for all primary and secondary ACS instances.
• Is required for all appliances.
• Supports deployments that have a maximum of 500 managed devices.
The following are the types of base licenses:
• Permanent—Does not have an expiration date. Supports deployments that have a maximum
of 500 managed devices.
• Evaluation—Expires 90 days from the time the license is issued. Supports deployments that have a
maximum of 50 managed devices.
The number of devices is determined by the number of unique IP addresses that you configure.
This includes the subnet masks that you configure.
For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses, and hence the
number of devices is 256.

License: Add-On Licenses
Description: Add-on licenses can only be installed on an ACS server with a permanent base license. A large
deployment requires the installation of a permanent base license.
The TrustSec feature licenses are of two types: Permanent, Eval, and NFR. However, the
permanent TrustSec feature license can be used only with a permanent base license.
Auto-Installation of Evaluation License
If you are using a virtual machine (VM) for ACS with disk space between 60 GB and 512 GB, ACS
automatically installs the evaluation license. However, you can also get the evaluation license and install
it manually on the ACS server.
If you use an ACS server with less than 500 GB hard disk space, Cisco does not provide support for
scalability, performance, and disk space-related issues.
For more information on installing ACS 5.2 on VMware, see Installing ACS in a VMware Virtual
Machine chapter in the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.2.
Upgrading an ACS Server from 5.0 to 5.2
To upgrade your ACS 5.0 server to ACS 5.2:
Step 1 Back up the ACS 5.0 database by entering the following backup command in the EXEC mode to perform
a backup and place the backup in a repository.
backup backup-name repository repository-name
Note Ensure that you use a nonlocal repository for the ACS 5.0 data backup. Otherwise, you might lose the
configuration data after you install 5.1.
Step 2 Install ACS 5.1 using the recovery DVD.
Step 3 Install the latest ACS 5.1 patch available on Cisco.com.
Step 4 Restore the ACS 5.0 database by entering the restore command in the EXEC mode to restore the backup
taken earlier:
restore filename repository repository-name
ACS upgrades the 5.0 configuration data and Monitoring and Report Viewer data to the 5.1 format.
Step 5 Back up the ACS 5.1 database by entering the following backup command in the EXEC mode to perform
a backup and place the backup in a repository.
backup backup-name repository repository-name
Note Ensure that you use a nonlocal repository for the ACS 5.1 data backup. Otherwise, you might lose the
configuration data after you install 5.2.
Step 6 Install ACS 5.2 using the recovery DVD.
Step 7 Install the latest ACS 5.2 patch, if available.
Step 8 Restore the ACS 5.1 database by entering the restore command in the EXEC mode to restore the backup
taken earlier:
restore filename repository repository-name
ACS upgrades the 5.1 configuration data and Monitoring and Report Viewer data to the 5.2 format.
Applying Upgrade Patches
You can download ACS 5.2 cumulative patches from the following location:
http://www.cisco.com/cisco/web/download/index.html
To download and apply the patches:
Step 1 Log in to Cisco.com and navigate to Network Management > Security and Identity Management >
Cisco Secure Access Control Server Products > Cisco Secure Access Control System > Cisco Secure
Access Control System 5.2.
Step 2 Download the patch.
Step 3 Install the ACS 5.2 cumulative patch. To do this:
Enter the following acs patch command in the EXEC mode to install the ACS patch:
acs patch install patch-name.tar.gpg repository repository-name
ACS displays the following confirmation message:
Installing an ACS patch requires a restart of ACS services.
Would you like to continue? yes/no
Step 4 Enter yes.
Resolved ACS Issues
Table 3 lists the issues that are resolved in ACS 5.2.
Table 3 Resolved issues in ACS 5.2
Bug ID Description
CSCtc12382 ACS View upgrade failed after scale configuration.
CSCtc89581 Legacy machine PAC did not refresh after migrating to ACS 5.1.
CSCtd48173 Post upgrade could not create or edit a VSA attribute.
CSCte75993 ACS sent the same server list name and gen-ID when NAD switched to ACS.
CSCte79051 ACS 5.1 crashed after concurrent TACACS+ session authorization requests.
CSCtf06311 All internal users were automatically disabled if you logged in as a single user.
CSCtf33152 Restoring corrupted backup file caused ACS to stop functioning.
CSCtf60490 Windows Mobile 5.0 Clients failed LEAP on ACS 5.1.
CSCtf62721 Translation of Group SID to Group name was very inefficient.
CSCtf85659 ACS 5 did not distinguish between unique certificates.
CSCtg58234 EAP-FAST did not work if different username cases were used in PAC and inner
method.
CSCtg78076 ACS 5 replaced separator ';' in dACL .csv file import with CR-LF.
CSCth15868 ACS 5 migration tool truncated DACL name.
CSCth42292 There was a security problem in OpenSSL.
CSCtc20671 ACS 5 developed file system problems with SAN over fiber.
CSCtc41730 ACS reset SYN packets if MSS was not set.
CSCtc90954 Support bundle download URL contained only the host name.
CSCtd00477 Could not retrieve AD groups if forest's name was composed of a single word.
CSCtd14560 GUI session got logged out when tried to launch Monitoring and Reports Viewer.
CSCtd16825 CLI command copy disk: failed if full path to the file was provided.
CSCtd24949 TACACS authorization failed when authen_type=0.
CSCtd46884 ACS 5.x - AD save changes failed if admin password contained a space.
CSCtd52207 View did not send any alarms or mails if you were working in distribution mode.
CSCtd69364 ADClient did not restart.
CSCtd99822 AD users with expired passwords fail authentication.
CSCte16911 ACS 5 did not support the PPP TACACS service type for authentication.
CSCte70900 ACS 5.1 did not allow AP to join WDS domain. A message appeared, LEAP
packet validation failed.
CSCte72751 ACS 5.1 dropped authentication requests if the password was blank.
CSCte81150 ACS 5.x reported key mismatch for unknown authentication method.
CSCte88357 ACS5.1 TACACS Accounting Report missed a few attributes caused by NULL
characters.
CSCtf08567 ACS5.1 permitted commands without arguments, instead of denying them
CSCtf23507 ACS 5.1 authenticated AD users by querying attribute altSecurityIdentifier.
CSCtf30684 The system could not change the password by using the User-Change-Password
web service through a python-based web page.
CSCtf33226 ACS EAP-MSCHAP sometimes failed and a message appeared, User has no
dialing permissions.
CSCtf39158 Could not retrieve AD groups in single forest with multiple trees scenarios.
CSCtf43054 Group assignment dialog box did not allow "+" symbol in group name.
CSCtf46139 After deregistering or deleting, primary server still communicated with the
deregistered box.
CSCtf65179 Discovery of host account domain was done several times.
CSCtf75806 ACS 5.1 did not log accounting details for some AAA clients.
CSCtf79183 Domain name was not appended when redirected to the primary server.
CSCtg15941 ACS 5 high memory usage - memory usage was more than 90% when idle or with
less load.
CSCtg38950 EAP-GTC always used hardcoded password prompt 'password:'.
CSCtg38987 Password and passcode were not configurable for RSA Identity Store.
CSCtg52633 ADClient could not handle duplicate CLDAP on UDP port 329.
CSCtg60736 Exporting command sets on ACS 5 created an invalid file.
CSCtg77168 Page could not be displayed for support logs if the ACS name was not resolved.
CSCtg78120 Monitoring & Report Viewer could be redirected to ACS view using only the host
name.
CSCth08243 Aggregation errors appeared after upgrading from ACS 5.0 to 5.1.
CSCth55074 The ‘put’ method was enabled in ACS 5.x webserver.
CSCth62273 ACS database could become large because of incomplete user password changes.
CSCtd37384 ACSView 5.0 and 5.1 did not display "Remote Address".
CSCtg04259 ACS 5.1 took a long time to fetch group lists from AD.
CSCsy54062 ACS did not verify SubjectKeyID / AuthorityKeyID in CertChain building.
CSCtb94187 Migration of users - Apostrophe ('), space, or underscore (_) characters not
supported.
CSCtc42936 Support bundle contents was encrypted.
CSCtc61819 The CoA port in ACS was not configurable and default port mismatch to SW.
CSCtf72641 ACS 5.x did not allow LEAP-first authentication.
CSCtg12399 ACS 5.1 did not support 2008 R2 Server for AD.
CSCtg67722 Users with apostrophes could not be edited.
CSCtd10767 Syslog data loss during upgrade.
CSCtc19231 Error message while creating ACS support bundle.
CSCte30267 ACSView: Authentication Fail (EAP timed out) entries did not contain client
information.
CSCtd68974 ACS upgrade did not start.
CSCtd57980 EPM Syslogs were not parsed as expected in View collector.
CSCtd39360 Change Identity from AD to Identity with wildcard. System failure occurred.
CSCtd00725 Important TLS/SSL security update.
CSCsl45043 Upgrade OpenSSH.
CSCsk52006 Weak SSL ciphers supported, should be turned off.
CSCth95632 Browser crashed when left in Live Authentication screen for a long time.
CSCth66146 Some failure reasons disappeared in Failure Reasons Editor.
CSCth33629 802.1X VLAN not found. Interface info was populated along with session ID.

Resolved Issues in Cumulative Patch ACS 5.2.0.26.1
Table 4 lists the issues that are resolved in the ACS 5.2.0.26.1 cumulative patch.
You can download the ACS 5.2.0.26.1 cumulative patch from the following location:
http://www.cisco.com/public/sw-center/index.shtml
Refer to the “Applying Upgrade Patches” section for instructions on how to apply the patch to
your system.
Table 4 Resolved Issues in Cumulative Patch ACS 5.2.0.26.1
Bug ID Description
CSCtg87278 ACS not able to establish SSL tunnel with LDAP server with CRL verification.
This fix allows ACS to establish an SSL tunnel with the LDAP server with CRL verification.
CSCth82664 ACS DB needs to be compressed as a maintenance operation.
This fix introduces a new CLI command in the ACS config that should be used only on
the primary node. The CLI command introduced is:
acs-config database-compress [truncate_log]
This maintenance operation compresses the ACS DB by rebuilding each table in
the database and releasing unused space.
The command also has the option to release the replication transaction table.
Before initiating the command, you should move all the secondary nodes to local
mode. Then you should initiate the command on the primary node.
When the DB compress is completed and all the services are up, you should
reconnect the secondary nodes, one by one. On reconnecting the secondaries,
a full sync between the primary and the secondary is initiated automatically.
CSCth78269 ACS transactions table is not cleaned properly during bulk operations.
The cleaning of the ACS transaction table (a table which stores configuration
change logs) is changed to be more intensive.
Only the last 2000 configuration transactions will be stored.
CSCth62139 ACS authentication rate decreases with internal user attributes.
This fix includes two parts:
• Read only attributes value from request from DB (without user information like UserName, Password, EnablePassword, LastLoginTime).
• Check default attribute value without try-catch mechanism.
CSCti90973 Adding “User is in management hierarchy” flag to TACACS+ authorization
policy.
In this solution, a hierarchical label is assigned to each device. The label represents the
administrative location of the device within the organization's management
hierarchy.
For instance, “All:US:NY:MyMgmtCenter” denotes that the device is in
“MyMgmtCenter” which is in NY which is in the US.
Permissions are granted to the user based on their assigned level within the
management hierarchy.
For instance, if a user has an assigned level of "All:US:NY", that user will be
granted permission when accessing through any device with a hierarchy that
starts with "All:US:NY".
CSCsu69983 Restoring a configuration disconnects deployment and causes replication.
In the distributed setup, when you restore the backup on the CLI, it throws a
warning message and you will have to configure each secondary to reconnect
with the primary.
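The management-hierarchy check described under CSCti90973 above, written out as an added example; this is not ACS code. It assumes labels are ':'-separated and case-sensitive and that "starts with" means a whole-segment prefix, which the release note does not state; the device names and the inventory are constructed.

```python
"""Management-hierarchy check modeled on the CSCti90973 description.

Added illustration, not ACS code. Assumptions: labels are ':'-separated,
compared case-sensitively, and "starts with" means a whole-segment prefix.
"""

SEP = ":"


def parse_label(label):
    """Split 'All:US:NY' into ('All', 'US', 'NY'); reject malformed labels."""
    if not isinstance(label, str) or not label:
        raise ValueError("hierarchy label must be a non-empty string")
    segments = tuple(label.split(SEP))
    for segment in segments:
        # Empty or whitespace-padded segments would make comparisons ambiguous.
        if not segment or segment != segment.strip():
            raise ValueError(f"malformed hierarchy label: {label!r}")
    return segments


def is_permitted(user_level, device_label):
    """True when the device sits at or below the user's assigned level."""
    user = parse_label(user_level)
    device = parse_label(device_label)
    return len(user) <= len(device) and device[:len(user)] == user


def naive_is_permitted(user_level, device_label):
    """Raw string prefix test, shown only for contrast."""
    return device_label.startswith(user_level)


def devices_in_scope(user_level, inventory):
    """Names of devices the user may manage; malformed labels are denied."""
    allowed = []
    for name, label in inventory.items():
        try:
            if is_permitted(user_level, label):
                allowed.append(name)
        except ValueError:
            continue  # fail closed on labels that do not parse
    return sorted(allowed)


def overmatched(user_level, inventory):
    """Devices a raw prefix test grants but the segment-wise test denies."""
    in_scope = set(devices_in_scope(user_level, inventory))
    return sorted(
        name for name, label in inventory.items()
        if naive_is_permitted(user_level, label) and name not in in_scope
    )


# Constructed inventory: device name -> hierarchy label (sample data).
INVENTORY = {
    "sw-ny-01": "All:US:NY:MyMgmtCenter",
    "sw-ny-02": "All:US:NY",
    "sw-nyc-lab": "All:US:NYC:Lab",      # sibling branch sharing a text prefix
    "sw-ca-01": "All:US:CA:WestMgmt",
    "sw-bad": "All:US::NY",              # malformed: empty segment
}

if __name__ == "__main__":
    for level in ("All", "All:US:NY", "All:US:NY:MyMgmtCenter"):
        print(level, "->", devices_in_scope(level, INVENTORY))
    print("raw-prefix overmatch:", overmatched("All:US:NY", INVENTORY))
```

When reviewing an authorization policy built on these labels, the sibling-branch case ("All:US:NY" against "All:US:NYC:Lab") is the one worth testing against the live system.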
Resolved Issues in Cumulative Patch ACS 5.2.0.26.2
Table 5 lists the issues that are resolved in the ACS 5.2.0.26.2 cumulative patch.
You can download the ACS 5.2.0.26.2 cumulative patch from the following location:
http://www.cisco.com/public/sw-center/index.shtml
Refer to “Applying Upgrade Patches” section on page 12 for instructions on how to apply the patch to your system.
Table 5 Resolved Issues in Cumulative Patch ACS 5.2.0.26.2
Bug ID Description
CSCth57441 ACS 5.1 - HDD Failure doesn't prevent RT to process incoming requests
CSCtg49699 ACS 5 fails to join AD Domain.
CSCti22161 ACS 5.1 AD admin password length too short.
CSCti98492 ACS 5 tries to connect only to three DCs.
CSCtj15764 ACS 5 will not accept two certificates with same SKI.
CSCtj32663 Most significant bit is not set on the MS MPPE Keys.
CSCtj31250 Windows 7 PEAP fast reconnect fails with ACS5.
CSCtj32835 Group fetch does not work for eight hours after joining a new domain.
CSCtj36382 Find AD Global catalog may fail in certain scenario.
CSCtj87187 Trust for client with EAP-TLS not stored with allow dup option.
CSCtj86607 ACS 5.1 HTTP 500 errors, requiring management service restart.
CSCtk08342 ACS gets disconnected from Active Directory when DNS reply is delayed.
CSCtk08423 ACS reconnects to different DCs if AD namespace is disjoined.
CSCtk32168 Add an option to change password when password expires (T+ and RADIUS).
CSCtk32178 Add an option for pass never expired for specific users.
CSCtk32664 ACS sends change-pass request to a wrong id-store in the sequence.
CSCtk32683 Add option for checking user existence in internal before authenticate.
CSCtl12831 Superadmin role has no permissions for authentication settings.
CSCtj34574 Change and view speed/duplex settings via CLI in ACS.
Resolved Issues in Cumulative Patch ACS 5.2.0.26.3
Table 6 lists the issues that are resolved in the ACS 5.2.0.26.3 cumulative patch.
You can download the ACS 5.2.0.26.3 cumulative patch from the following location:
http://www.cisco.com/public/sw-center/index.shtml
Refer to “Applying Upgrade Patches” section on page 12 for instructions on how to apply the patch to your system.
Table 6 Resolved Issues in Cumulative Patch ACS 5.2.0.26.3
Bug ID Description
CSCti68031 ACS 5 sees ‘DC=’ in the certificate subject as invalid DN.
With this fix ‘DC=’ is allowed as part of the certificate subject when generating a certificate signing request.
CSCti42591 NDG Locations disappeared from GUI.
This fix enables the NDG locations to appear on the NDG GUI even after adding an attribute with name 'location' for internal users.
CSCth77468 ACS 5.1 not including 'C' and 'V' values in MS-CHAP-v2 Failure Packet.
CSCth72626 MS-CHAPv2 responses with bad flag values will not be dropped.
CSCtf78048 Discovery of host's account domain is very inefficient.
CSCtk32073 Network device groups are not evaluated properly in device filters.
Device filters created in ACS 5.2 before installing patch 3 should be removed and created again.
CSCtj38410 ACS sends TLS SessionTicket which can break compatibility with LDAPs.
CSCtk31968 Getting exception while doing user attribute retrieval in AD.
CSCtj89705 ACS 5 import of internal user attribute fails for attribute with default.
CSCth68051 Network devices after migration - import/update does not work.
CSCtl71157 ACS runtime does not send system status and health.
Known ACS Issues
This section lists the known issues for the ACS 5.2 release.
Table 7 lists the known issues in ACS 5.2. You can also use the Bug Toolkit on Cisco.com to find any open bugs that do not appear here.
Table 7 Known Issues in ACS 5.2
Bug ID Description
CSCtf00575 Error occurs if you select a Boolean type, Migrated User attribute.
Symptom: An error appears if you choose the Migrated User attribute with Boolean type.
Condition: This problem occurs if you select any Migrated User attributes with Boolean type.
Workaround: None.
CSCtf11100 Null pointer exception while migrating NDG
Symptom: A Nullpointer exception occurs while migrating NDG, if there are any invalid characters
in keywrap.
Condition: This problem occurs if invalid characters are used in ACS 4.x NDG and migrated. A
Nullpointer exception appears.
Workaround: None.
CSCtf25265 Invalid user password ranges are not reported while migrating and the migration fails.
Symptom: Invalid user password range is not reported during migration.
Condition: This problem occurs if you migrate a user with more than 32 characters and authenticate
with that user. The migration will fail.
Workaround: None.
CSCtg62673 Cannot load a feature license with ampersand (&) in the company name.
Symptom: You cannot load a feature license if it has an ampersand (&) in the name. An error
message does not appear for this problem.
Conditions: This problem occurs on ACS 5.0 and ACS 5.1 if the company name in the license
contains an ampersand (&) character.
Workaround: Re-issue the license without an ampersand (&) in the company name.
CSCtg49699 ACS 5 fails to join AD Domain.
Symptom: If ACS was configured with an AD domain, it will fail to rejoin the domain if there are
any changes in the AD infrastructure, such as IP addresses of the AD servers.
Conditions: This problem occurs if you move the ACS from one domain to another domain without
clearing the AD configuration page.
It also occurs when ACS is joined with a DC in the lab and then it is moved to the production
environment on the same domain. ACS will not rejoin the live DC.
Workaround:
1. Clear the configuration of AD on ACS and the old DC should be reachable while clearing
2. Reconfigure the AD part and ACS will rejoin the domain.
3. Reset the ACS to factory defaults.
Make sure you still have the ACS license before doing that because after the reset, ACS will
prompt you for the license.
CSCth08274 ACS 5: View does not load next page in IE if the username contains a "u" character.
Symptom: While viewing a report an error is displayed in Internet Explorer and the navigation
buttons for the report get disabled.
Conditions: The error Expected Hexadecimal Digit is displayed for users with a "u" in the
username or domain name. This happens because "u" is a Unicode escape character.
Workaround: This problem occurs only on Internet Explorer. Try another browser, such as Firefox.
CSCth26298 Machine accounts with many ACE entries cause AD domain join to fail.
Symptom: ACS 5.1 cannot join a Windows AD domain.
Conditions: This problem occurs when the machine account used by ACS to join the domain
contains a large number of Access Control Entries (ACE).
Workaround:
1. Ensure that there is no other account for the ACS from earlier failed attempts to join the domain.
2. Create a temporary container or OU with no ACEs.
3. Create an account for ACS.
4. Join the domain.
5. Move the ACS machine account to the normal/required container or OU if needed.
This symptom only affects the Join operation.
CSCth31525 Live authentication report does not show TACACS+ data.
Symptom: The TACACS+ live authentication report is missing data on some columns, including
NAS and IP address.
Conditions: This problem occurs only on ACS 5.1.
Workaround: Use one of the other available reports to view this data.
CSCte57427 ACS 5.1 - SNMP location and contact information is not saved when you reboot the system.
Symptom: The following commands in ACS 5.1 may disappear from the config after you reboot the
system:
snmp-server contact
snmp-server location
Conditions: This problem occurs in ACS 5.1 if you use spaces in the contact or location string.
For example:
snmp-server contact "my name"
Workaround: Remove any blank spaces from the configured string.
For example:
snmp-server contact my_name
CSCte98032 ACS 5 partitions are not properly aligned when installed on VMWare.
Symptom: VMWare tools report that ACS 5 partitions are not properly aligned.
Conditions: This problem occurs when you install ACS 5 on VMWare ESX 4.0.
Workaround: None.
CSCtf09891 Remote log targets does not accept classless IP format.
Symptom: You cannot set Remote Log Target using IP address 131.123.246.255 on ACS 5.1
appliance. The following error appears:
IP Address format violation.
Conditions: This problem occurs if a classless IP address is configured.
Workaround: Use a classful IP address.
CSCtf78048 [AD PERF] Discovery of host's account domain is very inefficient.
Symptom: Slow host authentications against Active Directory with host name format
host/machine.domain.com.
Conditions: This problem occurs if ACS is configured to perform authentications against Active
Directory and to fetch groups from Active Directory.
Workaround: Use domain machine$ host name format.
CSCtc61926 Active directory NetBIOS authentication passes when user is defined as UPN.
Symptom: User authentication passed with illegal username format.
Conditions: This problem occurs if the UPN name and the NetBIOS username are different. For
example, NetBIOS username = somename and UPN = Some Name.
Workaround: Do not use the UPN form of username.
CSCtc70071 MSCHAP v2 & PEAP NetBIOS authentication fails if there are special characters in the username.
Symptom: MSCHAP v2 user authentication fails if the SAM name or NetBIOS name contains '@'.
Conditions: This problem occurs if you create a user in Active Directory and the SAM name contains
'@' sign (with ADSI edit)
Workaround: Do not use '@' sign on SAM names or authenticate using the UPN name.
CSCtc36013 ESX secondaries cannot handle transactions gap during large users import.
Symptom: Secondary appliances are not updated even after the import process has completed on the
primary appliances.
Conditions: Some secondary appliances are defined on VMWare ESX and the primary appliance is
defined on ACS 5.1. The import is done from the primary appliance. In this case 300,000 users are
imported into the primary node through the import/export utility.
Workaround: Do one of the following:
• Wait until the secondary nodes are updated with the information from the primary appliance.
You can check the secondary nodes status in the Distributed System Management page.
• Wait until the primary appliance finished importing the 300,000 users and then issue a full sync
request on each secondary node. By doing this you can make sure that the secondary nodes are
updated.
CSCtf52072 MAB inconsistent username formats for access-request and access-accept.
Symptom: When authenticating a supplicant using MAC Authentication Bypass (MAB) the
Authenticator and the Authentication Server (ACS), use different formats for the username within
the RADIUS Access-Request and Access-Accept messages.
Conditions: This problem occurs under the following conditions:
• The Authenticator sends a RADIUS Access-Request message with the MAC address as the
username with no dashes and all lowercase alpha-numeric characters.
• The Authentication server replies with a RADIUS Access-Accept message with the user's MAC
address as the username but uses a different format.
• The RADIUS Access-Accept packet has all uppercase alpha-numeric characters and dashes
between each octet of the MAC address.
This anomaly should not have any negative impact while authenticating using MAB.
Workaround: None.
CSCte93628 An error message %AAA-3-DROPACCTFAIL: appears when you boot up a Switch.
Symptom: System accounting record is rejected by ACS with the following message on box:
"TPLUS: Received accounting response with status FAIL"
00:04:27: %AAA-3-DROPACCTFAIL: Accounting record dropped, send to server
failed: system
Conditions: This problem occurs during system accounting start after reload of the device.
Workaround: None.
CSCtf71065 If you set the debug-log to debug level, it enables debug-adclient even for unauthorized
administrators.
Symptom: Unauthorized administrators can enable the debug-adclient log in CLI.
Conditions: This problem occurs if you change the debug-log command.
Workaround: None.
CSCtc34967 An incorrect message appears when ACS is configured with PEAP-GTC and the supplicant is
configured with PEAP-MSCHAP.
Symptom: Authentication fails and shows an incorrect error message.
Conditions: This problem occurs when the supplicant is configured as PEAP-GTC and ACS is
configured to accept PEAP-MSCHAP only. Authentication fails and the following message is
displayed:
Authentication failed : 12727
Workaround: None
CSCtc70023 Identity groups - display names are truncated after upgrade.
Symptom: If a database with 500 Identity groups is migrated from ACS 4.x and then upgraded from
ACS 5.0 to 5.1, the names of the groups are truncated.
Conditions: This problem occurs only in Internet Explorer 6.0
Workaround: Use another browser such as Firefox 3.
CSCtc78550 During RADIUS authentication against AD, some messages are duplicated on the customer log.
Symptom: While running RADIUS authentication with AD as database, some messages’ text is
duplicated on customer log.
Conditions: Authorization message ID duplicated:
15016 Selected Authorization Profile - DenyAccess
15039 Selected Authorization Profile is DenyAccess
Workaround: None.
CSCtg70874 Connection times out while creating server certificates.
Symptom: An error message appears while creating server certificates.
Conditions: This problem occurs if you try to create a large certificate.
Workaround: Reduce the size of the certificate.
CSCtc83623 All groups are not shown in Directory Group in LDAP.
Symptom: The LDAP group selection page shows only a maximum of 100 groups.
Conditions: This problem occurs when you search for a group and there are more than 100 groups.
Workaround: Use search criteria to filter groups.
CSCtd53402 Policy Element RADIUS attribute editing does not work.
Symptom: Attribute value does not get saved correctly when creating a RADIUS attribute.
Conditions: This problem occurs when you:
1. Go to the Authorization Profiles page under Policy Elements > Authorization and Permissions
> Network Access
2. Duplicate a group which has three entries, with a new tag
3. Highlight the first entry and click Edit
4. Modify the tag
5. Click Add
6. Do the same for the second and third entry
Three new entries are displayed.
7. Click Submit.
The fifth entry is wrong. The value is Decnet IV instead of 802.
Workaround: Create new profile, do not use duplicate.
CSCtg65300 User command set in users with apostrophe (') is not migrated successfully.
Symptom: ACS 4.x command sets on the user level are not migrated.
Conditions: This problem occurs when the username includes an apostrophe (').
Workaround: Manually migrate the user command set.
CSCtf19736 Not able to register to primary server with Host name.
Symptom: Cannot register to primary server.
Conditions: This problem occurs when you use the primary server host name.
Workaround: Use the primary server IP address.
CSCtd53435 Error occurs while editing a RADIUS Attribute.
Symptom: While editing a RADIUS attribute, the GUI displays the following error:
An unexpected error has occurred.
Conditions: This problem occurs when you:
1. Go to the Authorization Profiles page under Elements > Authorization and Permissions >
Network Access
2. Select a VLAN name
3. Click Edit
4. Click Replace
5. Click Submit
Workaround: Reselect the option in the left navigation bar.
If you continue to receive the unexpected error message, close your browser and log in to ACS again.
If you still receive the unexpected error message, contact your system administrator or technical
assistance.
CSCtf22214 Invalid characters appear in the migration tool and an error message is not displayed in the CLI if
you enter an invalid value.
Symptom: No error message appears if you enter a wrong value for the CLI command acs
config-web-interface migration.
For example,
acs config-web-interface migration asdf
It will not show that the interface is not enabled.
Conditions: This problem occurs if you use the CLI command acs config-web-interface migration,
and enter a value other than [enable | disable].
Workaround: None.
CSCtg87278 ACS not able to establish SSL tunnel with LDAP server with CRL verification.
Symptom: When you use Secure LDAP and uncheck the Bypass CRL Verification if CRL is not
Received check box, the authentications fail. This is because ACS is not able to establish an SSL tunnel.
The following errors appear:
Unknown CA - error unable to get issuer certificate locally
Unknown CA - Unable to get CRL
ACS is sending TLS Alert "Level: Fatal" and "Description: Unknown CA"
This happens even if all CA certificates are installed on ACS and the CRL URLs are properly
configured.
Conditions: This problem occurs if you use Secure LDAP and uncheck Bypass CRL Verification if
CRL is not Received.
Workaround: Select the check box Bypass CRL Verification if CRL is not Received.
CSCtc90865 Errors during PEAPv0 stress.
Symptom: When primary instance is set with Monitoring & Reports Viewer, there are no secondaries
attached to it. After installation, restore a large database. The following two issues are shown during
stress.
• About 15% of the authentications resulted with error.
• In Runtime.log, after every few thousand authentications, there is the following error:
ConfigNotificationFlow,02/11/2009,18:04:56:852,ERROR,3014974368,cntx=0000450988,
ConfigNotificationFlow::onMBSendEventResponse: MB error, status=TIMEOUT, msg=,
state=ListenSync,ConfigNotificationFlow.cpp:700
MessageBus,02/11/2009,18:04:56:880,ERROR,3016510368,A response arrived for a non
related message id:
880cd6eb-61e9-460a-811c-2c98d5df42b0:0:0:146,MessageBusSender.cpp:303
Conditions: This problem occurs during PEAPv0 stress.
Workaround: Use two or more ACS instances.
CSCtf77292 Evaluation of domain local groups causes authentication delays.
Symptom: Slow authentications against Active Directory.
Conditions: This problem occurs if ACS is configured to perform authentications against Active
Directory and to fetch groups from Active Directory.
Workaround: None.
CSCtd54069 The ACS UI does not allow you to edit the authorization rule in case of LDAP/AD.
Symptom: The Select button is grayed out if you select AD1 from the dictionary on the
Authorization Rule page.
Conditions: This problem occurs when you:
1. Create authorization rule with LDAP and select a few groups in list
2. Select the authorization rule to edit the rule
3. Select AD1 in dictionary and external groups attributes
4. Try to add groups by using the Select button
Workaround: Create new authorization rule instead of editing an existing one.
CSCtf65218 Simultaneously promoting of two secondaries when primary is offline.
Symptom: Simultaneous promotion of secondaries when primary is offline causes unexpected
behavior when primary is brought online again.
Condition: This problem occurs when the secondaries have been promoted while primary was
offline.
Workaround: Primary must be online when promoting secondaries.
CSCtg51846 Enum values are not shown in compound conditions in rule.
Symptom: Enum values are not shown in compound conditions in rule.
Conditions: This problem occurs in compound conditions if you add an attribute with enum values.
The enum values are not displayed.
Workaround:
1. Create a Policy condition display name to the enum attribute.
2. Customize the GUI policy to use this name.
3. Use this name instead of using compound condition.
CSCtd49251 ADE 2120 fails AD test connection because of an NTP error.
Symptom: AD test connection fails.
Conditions: This problem occurs during normal operation when ACS and AD are up, running and
the authentications are working.
If you:
1. Go to Users and Identity Stores > External Identity Stores > Active Directory.
2. Click the Test Connection button to ensure that the credentials are correct and Active Directory
Domain is reachable.
3. Click the AD Test Connection button.
It displays the following error:
Connection test to 'ibns.com' failed. Further information on status: - Network
Time Protocol status error.
Workaround: Ignore the failure since authentications are working and the clocks between the ACS
and AD are the same.
CSCtf64833 Filtering in service selection rule do not filter the device filter.
Symptom: Filtering in service selection rule does not work.
Conditions: This issue occurs when you go to Access Policies > Access Services > Service Selection
Rules. Filtering a rule based on device filter does not work.
Workaround: None.
CSCtf71535 Wrong connection status on ACS GUI when admin user is disabled in AD.
Symptom: Wrong connection status on ACS GUI when admin user is disabled in AD.
Conditions: This problem occurs if the Administrator user (used for configuring AD on
ACS GUI) is disabled in AD. The authentications against AD still succeed.
Workaround: None.
CSCtg29788 No failure reason if the value for attributes mismatch.
Symptom: No failure reason is shown if the attribute values do not match.
Conditions: This problem occurs if you enter a wrong attribute value during authentication. The log
will not show any failure reason.
Workaround: None.
CSCtg36142 Node Secret set - indication of secureid file exists does not work properly.
Symptom: The GUI indication whether the secureid file exists, does not work properly.
Conditions: This problem occurs even if you set the node secret, many hours earlier and capture and
the image. The status continues to display, Not Cached.
Workaround: None.
CSCtc79341 The acs reset-config command does not remove ACS Patches.
Symptom: The acs reset-config command does not remove the installed ACS patches.
Conditions: This problem occurs if the patch contains changes to the ACS database. This may cause
problems with the original ACS database.
Workaround: Uninstall all ACS patches manually after running the command acs reset-config and
then install them again.
CSCte09557 Restore with different CARS admin username creates problems.
Symptom: You cannot perform a Restore operation with a different CARS admin username.
Conditions: This problem occurs if you try to perform a Restore operation with a username that is
not the same as the username that you used for the backup.
Workaround: Restore with the same admin username.
CSCtf27416 Incorrect information displayed while importing .csv file with null values.
Symptom: Incorrect result displayed while importing .csv file with null values.
Conditions: This problem occurs when you install ACS with 5.2 and import the .csv file configured
with null values for the mandatory fields. Incorrect information is displayed.
Workaround: Enter default values in the null fields.
CSCtg71016 Cannot add the same server certificate in primary and secondary servers.
Symptom: An error appears if you add the same server certificates in both primary and secondary
servers.
Conditions: This problem occurs if you add the same server certificates in both primary and
secondary servers.
Workaround: None
CSCth13070 If there is no space left on the device, backup file should not be created.
Symptom: Restoring the configuration from a backup file fails.
Conditions: This problem occurs if the backup file is empty or invalid. This happens when ACS
machine disk does not have enough space left for the system to create the backup file.
Workaround: None.
CSCth25903 CARS setup accepts invalid characters during installation.
Symptom: During ACS installation, when CARS is being set up, ACS accepts other letters besides
Y (yes) or N (no) regarding the host name.
Conditions: This problem occurs during ACS installation, CARS setup in the hostname dialog.
Workaround: Make sure to respond only by typing Y or N.
CSCtd46841 Clock/TZ/NTP/nameserver changes can damage AD functionality.
Symptom: ACS AD functionality may be severely damaged and possibly there will be little evidence
visible to the user.
Conditions: This problem occurs if you apply changes to system services that AD connectivity relies
upon, such as TZ, NTP and DNS settings.
Workaround: Restart ACS services after applying changes to the TZ, NTP, and DNS settings.
CSCte39351 ACS appliance SNMP agent process daemon stops.
Symptom: ACS SNMP daemon stops.
Conditions: This problem occurs when you run the following command:
acs/admin#show port
!
Process : snmpd (2319)
udp: 0.0.0.0 (161)
Workaround:
1. Reboot the ACS appliance
2. Restart the ACS SNMP daemon
CSCtg32596 ACS server error while changing the log collector in a distributed deployment.
Symptom: Error in the ACS server.
Conditions: This problem occurs when you try to change the log collector in distributed deployment.
Workaround: Restart the ACS Monitoring & Reports Viewer processes.
CSCtg47711 TACACS authorization fails if the custom attribute value is more than 175.
Symptom: TACACS+ authorization fails if the length of the custom attribute values exceeds 175.
For example, if two custom attributes are configured and length of the value of the two custom
attributes put together exceeds 175, the authorization will fail. This is also true for single custom
attributes.
Conditions: This problem occurs if the length of the custom attribute values exceeds 175.
Workaround: Make sure the length of value given for custom attributes does not exceed 175.
CSCtc64472 ACS Instance Health Summary - Data for details such as CPU figures are not updated.
Symptom: ACS Instance Health Summary report in ACS Monitoring & Reports Viewer does not get
updated frequently.
Conditions: This problem occurs when you launch ACS Instance Health Summary report in ACS
Monitoring & Reports Viewer.
Workaround: Check the status shown in tool tips for the ACS instance under ACS Health tab in the
Dashboard.
CSCtc81268 Report links for authentication inactivity alarm authentication trend does not work.
Symptom: The link to Authentication Trend report given inside the alarm generated for
Authentication inactivity does not work.
Conditions: This problem occurs with the link inside the alarm generated for Authentication
inactivity.
Workaround: Launch the Authentication Trend report from Monitoring and Reports > Reports >
Catalog > AAA Protocol > Authentication trend.
CSCtc86337 Favorite report launched from the dashboard displays an error.
Symptom: Favorite report cannot be launched from the dashboard.
Conditions: This problem may occur when you launch a favorite report that has special characters
in the name from the dashboard.
Workaround: Launch the report from Monitoring and Reports > Reports > Favorites.
CSCtd36180 When you run CoA re-auth, accounting shows a stop record.
Symptom: For a given active session on ACS when CoA is run with the Re-Auth, ACS accounting
records for the session display a "Stop" record followed by "Interim-Update".
Conditions: This problem occurs when the device is authenticated using MAB and then a CoA
re-auth is run from the ACS Monitoring & Reports Viewer.
Workaround: None.
CSCtd44318 ACS Monitoring & Reports Viewer logs an error for non-existing service "NDAC_SGT_Service"
with EAP-FAST.
Symptom: RADIUS authentication report for EAP-FAST has undefined Access Service type as
"NDAC_SGT_Service".
Conditions: This problem occurs with RADIUS authentication report with EAP-FAST.
Workaround: None.
CSCtd46268 ACS Monitoring & Reports Viewer does not log records when changed from distributed to
standalone.
Symptom: An ACS instance that is changed in the distributed environment from a log collector to
standalone mode does not log any new authentication records.
Conditions: This problem occurs when you change an ACS instance from a log collector in a
distributed environment to standalone mode.
Workaround: Restart the view processes.
CSCte20853 Traceroute information is not shown when you trace a device from Monitoring and Reports >
Troubleshooting.
Symptom: Traceroute information is not shown from Monitoring and Reports > Troubleshooting.
Conditions: This problem occurs when you go to Monitoring and Reports > Troubleshooting and try
to do a Traceroute for a device.
Workaround: Do the traceroute from ACS CLI.
CSCte20871 When you ping a device by DNS hostname from Monitoring and Reports > Troubleshooting, it does
not work.
Symptom: When you try to ping a device by DNS hostname, it does not work.
Conditions: This problem occurs when you ping a device by DNS hostname from Monitoring and
Reports > Troubleshooting. The DNS of the device and ACS are the same.
Workaround: Ping the device from ACS CLI.
CSCte84824 ACS Monitoring & Reports Viewer’s Expert Troubleshooter does not compare assigned Device
SGT.
Symptom: ACS Monitoring & Reports Viewer’s Expert Troubleshooter does not compare Device
SGT that is assigned to the device.
Conditions: This problem occurs with Device SGT.
Workaround: None.
CSCte94293 ACS Monitoring & Reports Viewer’s Expert Troubleshooter does not compare IP user SGT.
Symptom: ACS Monitoring & Reports Viewer’s Expert Troubleshooter does not compare IP user
SGT.
Conditions: This problem occurs with IP user SGT.
Workaround: None.
CSCtf18322 Expert Troubleshooter tool’s Egress Policy failed to compare the policies
Symptom: Expert Troubleshooter tool’s Egress Policy does not compare the ACS policy and the
policy that is on the switch.
Conditions: This problem occurs with Egress Policy.
Workaround: None.
CSCtc65305 ACS Monitoring & Reports Viewer displays ServSelect Rule # instead of Authorization Rule #.
Symptom: ACS Monitoring & Reports Viewer interchanges the service selection rule and
authorization rule in the report.
Conditions: This problem occurs with service selection and authorization rule.
Workaround: None.
CSCth57441 ACS 5.1 HDD failure does not prevent RT from processing incoming requests.
Symptom: A hardware failure that causes the ACS appliance’s file system to be mounted as
read-only does not prevent the runtime component from loading and starting to process incoming
RADIUS requests.
However, if critical logging is enabled, the authentication attempts fail. The authentication attempts
cannot be logged on the local hard drive because it is mounted in read-only mode.
Because the runtime process remains active but does not process the authentication requests, it prevents
the AAA client from falling back to the secondary server.
Conditions: This problem occurs when an ACS 5.1 appliance is running with a failed HDD and the
critical logger is enabled.
Workaround: Manually shut down the failed ACS appliance until it is replaced.
CSCth62139 ACS authentication rate decreases with internal user attribute.
Symptom: ACS authentication rate decreases disproportionately with new internal user
attributes.
Conditions: This problem occurs when you add many new attributes for users in the internal
database. The sustainable authentication rate of ACS 5.1 decreases disproportionately.
For example, with 10 attributes and a single internal user, the sustainable rate can go up to 300-400
RADIUS PAP authentications per second.
By adding up to 96 attributes to that single internal user, the sustainable rate decreases to 30
RADIUS PAP authentications per second.
Workaround: None.
CSCth68051 Migrated devices cannot update the location through the import from CSV file.
Symptom: After migration from ACS 4.x the network devices cannot be updated using the File
Operations update CSV.
Conditions: This problem occurs if you try to update the location or device-type. Update completes
without errors, but nothing changes.
Workaround:
1. Export the migrated or all devices to a CSV file.
2. Remove all devices from ACS 5.x.
3. Import/add the devices again from the CSV file.
After the import you will be able to update the devices through import.
CSCth72626 MS-CHAPv2 responses with bad flag values are not dropped.
Symptom: If the NAS sends an MS-CHAP-v2 response with the flags field not set to '0' (0x00), ACS
5.1 drops RADIUS access requests for MS-CHAP-v2 with the following error message:
Flags in radius attribute MSCHAP2_Response MUST be zero, but now is - 1
Conditions: This problem occurs if the flags field in the fourth byte of the MS-CHAP-v2 response is
not 0x00 (the only mandatory value allowed by RFC 2548).
Workaround: None.
CSCth72779 ACS 5 sends EAP-failure message as a challenge rather than as an access-reject.
Symptom: When a supplicant sends a bad MSCHAP message inside a PEAP tunnel, the ACS 5.x server
responds with an EAP-failure message encapsulated in a RADIUS-challenge packet.
Conditions: This problem occurs when you are running ACS 5.x with PEAP-MSChapV2.
Workaround: None.
CSCth77468 ACS 5.1 does not include 'C' and 'V' values in MS-CHAP-v2 failure packet.
Symptom: ACS 5.1 does not include 'C' and 'V' values in MS-CHAP-v2 failure packet.
Conditions: This problem occurs while sending a RADIUS access-reject for PPP MS-CHAP-v2
authentication. ACS 5.1 includes the following values in the MS-CHAP-v2 failure:
• 'E' = 691 to indicate the authentication failure
• 'R' = 0 to indicate that a retry is not allowed
The "cccccccccccccccccccccccccccccccc" is the ASCII representation of a hexadecimal challenge
value. This field must be exactly 32 octets long.
Because of the missing values, some NASs, such as an ASA, do not honor the RADIUS access-reject
and send further RADIUS access-request retries.
Workaround: None.
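A check for the two MS-CHAP-v2 format problems described in CSCth72626 and CSCth77468, as an added example that is not part of the release notes or of ACS itself. It assumes the MS-CHAP2-Response layout from RFC 2548 and the failure-string fields (E, R, C, V, M) from RFC 2759; the function names and the sample bytes and strings are constructed for illustration.

```python
import re
import struct

MS_CHAP2_RESPONSE = 25  # vendor-type of the MS-CHAP2-Response sub-attribute (RFC 2548)
FIELD_RE = re.compile(r"\b([ERCV])=(\S+)")


def check_mschap2_response(sub_attr: bytes) -> list:
    """Validate an MS-CHAP2-Response vendor sub-attribute.

    Layout: type(1) length(1) ident(1) flags(1) peer-challenge(16)
            reserved(8) response(24) = 52 octets in total.
    """
    if len(sub_attr) < 4:
        return ["truncated sub-attribute"]
    problems = []
    vtype, vlen, _ident, flags = struct.unpack("!BBBB", sub_attr[:4])
    if vtype != MS_CHAP2_RESPONSE:
        problems.append(f"unexpected vendor-type {vtype}")
    if vlen != 52 or len(sub_attr) != 52:
        problems.append(f"length {vlen}/{len(sub_attr)}, expected 52")
    if flags != 0:  # the fourth byte, as in CSCth72626
        problems.append(f"flags MUST be zero, got {flags}")
    if len(sub_attr) == 52 and any(sub_attr[20:28]):
        problems.append("reserved field is not all zero")
    return problems


def check_mschap_error(text: str) -> list:
    """Report fields missing from an MS-CHAP-v2 failure string.

    Expected form: "E=<code> R=<0|1> C=<32 hex digits> V=<version> M=<message>".
    """
    msg_start = text.find(" M=")          # free-text message may contain '='
    head = text if msg_start < 0 else text[:msg_start]
    fields = dict(FIELD_RE.findall(head))
    problems = [f"missing '{k}'" for k in "ERCV" if k not in fields]
    challenge = fields.get("C")
    if challenge is not None and not re.fullmatch(r"[0-9A-Fa-f]{32}", challenge):
        problems.append("'C' is not 32 hex digits")
    return problems


# Constructed samples, not captured traffic.
GOOD_RESPONSE = bytes([25, 52, 1, 0]) + bytes(range(16)) + bytes(8) + bytes(24)
BAD_FLAGS_RESPONSE = bytes([25, 52, 1, 1]) + GOOD_RESPONSE[4:]
SHORT_ERROR = "E=691 R=0"  # only the two values CSCth77468 says are present
FULL_ERROR = "E=691 R=0 C=" + "0123456789ABCDEF" * 2 + " V=3 M=Authentication failed"

if __name__ == "__main__":
    for name, result in [
        ("good response", check_mschap2_response(GOOD_RESPONSE)),
        ("bad flags", check_mschap2_response(BAD_FLAGS_RESPONSE)),
        ("short error", check_mschap_error(SHORT_ERROR)),
        ("full error", check_mschap_error(FULL_ERROR)),
    ]:
        print(f"{name}: {result or 'ok'}")
```

Run against the MS-CHAP attributes pulled from a packet capture, the same checks show whether a NAS or a RADIUS server is the side emitting the malformed value.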
CSCth68006 Process status not updated after restarting runtime in distributed environment.
Symptom: In a distributed environment, the process status alert is generated continuously.
Conditions: This problem occurs when you:
1. Configure secondary server as Log collector.
2. Configure alarm threshold to monitor process status of primary.
3. Stop and start runtime in primary.
Workaround: Restart ACS.
CSCth66212 CLI command show tech-support displays an error message.
Symptom: The CLI command show tech-support displays the following error:
% Error: acs manifest has no TAC information.
Conditions: This problem occurs when you run the following commands in admin mode:
ACS52-227/admin# show tech-support file file1
% Error: acs manifest has no TAC information
ACS52-227/admin# show tech-support
******* support- Information***********
!
!
....
% Error: acs manifest has no TAC information.
At the end file1 is created in localdisk as file1.tar.gz.
Workaround: None.
CSCth66302 RADIUS authentication request rejected because of a critical logging error.
Symptom: Running stress PEAP MS-CHAPV2 against primary ACS machine fails with the
following error message:
Radius Authentication Request Rejected due to critical logging error
Conditions: This problem occurs when there is a large deployment setup with one primary connected
to seven secondary machines.
Workaround: None.
CSCth42890 ID store names containing HTML control characters cause error while saving ID policy.
Symptom: ID store names containing HTML control characters cause error while saving ID policy
changes. The following error appears:
This System Failure occurred: {0}. Your changes have not been saved. Click OK to return
to the list page.
Conditions: This problem occurs when you:
1. Create an Identity Store Sequence like under Users and Identity Stores > Identity Store
Sequences
2. Select the created Identity Store Sequence under Access Policies > Access Services > Default
Network Access > Identity
3. Click Save Changes
4. Edit Identity Store Sequence
5. Click Save Changes
Workaround: Do not use HTML control character percentage (%) in names of ID stores.
CSCtg87211 Primary management process fails during large user import.
Symptom: Primary management process fails during large user import.
Conditions: The problem occurs when you import more than 50,000 users in a scaled ACS
deployment (7 secondaries and more).
Workaround: The management process is restarted automatically by watchdog. Repeat the import
procedure.
When importing a large number of users (more than 5000) in a distributed deployment, it is
recommended to deregister all secondary nodes and perform the import to a single primary. Then
re-register the secondary nodes.
CSCtl01880 User password expiry reminder message is not shown for RADIUS authentication.
Symptom: No reminder is shown for RADIUS authentication.
Condition: No reminder is shown for RADIUS authentication even when the option for reminder is
enabled, if the password is not changed in N number of days.
Workaround: None.
CSCtk02959 Cannot use a % in password on CLI.
Symptom: An error occurs when you try to add a % to the password on the CLI.
Conditions: On the CLI, create a user with a % anywhere in the password.
Workaround: Do not use % in password.
CSCtj81255 Two MAC addresses detected on neighboring switch of ACS 1121 Appliance.
Symptom: Two MAC addresses are detected on the switch interface connected to an ACS 1121
Appliance although only one interface is connected on the ACS 1121 Server eth 0.
Conditions: Only one Ethernet interface, eth 0, is connected between ACS and Switch.
Workaround: Disable BMC (Baseboard Management Controller) feature using BIOS setup.
Documentation Updates
Table 8 lists the updates to Release Notes for the Cisco Secure Access Control System 5.2.
Table 8 Updates to Release Notes for the Cisco Secure Access Control System 5.2
Date Description
3/3/2011 • Added the following bugs to the “Known ACS Issues” section on page 17:
– CSCtl01880
– CSCtk02959
– CSCtj81255
• Updated “Features Not Supported” section on page 4.
2/15/2011 Added “Resolved Issues in Cumulative Patch ACS 5.2.0.26.3” section on page 16.
1/20/2011 Added Expiry of Users under “Features Not Supported” section on page 4.
1/12/2011 Added:
• “Resolved Issues in Cumulative Patch ACS 5.2.0.26.1” section on page 14.
• “Resolved Issues in Cumulative Patch ACS 5.2.0.26.2” section on page 16.
11/09/2010 Added “SFTP Copy” section on page 4.
8/19/2010 Cisco Secure Access Control System, Release 5.2.
Product Documentation
Note: We sometimes update the printed and electronic documentation after original publication. Therefore,
you should also review the documentation on Cisco.com for any updates.
Table 9 lists the product documentation that is available for ACS 5.2. To find end-user documentation for
all the products on Cisco.com, go to: http://www.cisco.com/go/techdocs
Select Network Management > Security and Identity Management > Cisco Secure Access Control
Server Products > Cisco Secure Access Control System.
Table 9 Product Documentation
Document Title Available Formats
License and Documentation Guide for the Cisco Secure Access Control System 5.2
http://www.cisco.com/en/US/products/ps9911/products_documentation_roadmaps_list.html
Migration Guide for the Cisco Secure Access Control System 5.2
http://www.cisco.com/en/US/products/ps9911/prod_installation_guides_list.html
User Guide for the Cisco Secure Access Control System 5.2
http://www.cisco.com/en/US/products/ps9911/products_user_guide_list.html
CLI Reference Guide for the Cisco Secure Access Control System 5.2
http://www.cisco.com/en/US/products/ps9911/prod_command_reference_list.html
Supported and Interoperable Devices and Softwares for the Cisco Secure Access Control System 5.2
http://www.cisco.com/en/US/products/ps9911/products_device_support_tables_list.html
Installation and Upgrade Guide for the Cisco Secure Access Control System 5.2
http://www.cisco.com/en/US/products/ps9911/prod_installation_guides_list.html
Software Developer’s Guide for the Cisco Secure Access Control System 5.1
Note: The ACS 5.1 Software Developer’s Guide is applicable for ACS 5.2 as well.
http://www.cisco.com/en/US/products/ps9911/products_programming_reference_guides_list.html
Regulatory Compliance and Safety Information for the Cisco 1121 Secure Access Control System 5.1
http://www.cisco.com/en/US/products/ps9911/prod_installation_guides_list.html
Supplemental License Agreement
END USER LICENSE AGREEMENT SUPPLEMENT FOR CISCO SYSTEMS ACCESS
CONTROL SYSTEM SOFTWARE:
IMPORTANT: READ CAREFULLY
This End User License Agreement Supplement ("Supplement") contains additional terms and conditions
for the Software Product licensed under the End User License Agreement ("EULA") between you and
Cisco (collectively, the "Agreement"). Capitalized terms used in this Supplement but not defined will
have the meanings assigned to them in the EULA. To the extent that there is a conflict between the terms
and conditions of the EULA and this Supplement, the terms and conditions of this Supplement will take
precedence.
In addition to the limitations set forth in the EULA on your access and use of the Software, you agree to
comply at all times with the terms and conditions provided in this Supplement. DOWNLOADING,
INSTALLING, OR USING THE SOFTWARE CONSTITUTES ACCEPTANCE OF THE
AGREEMENT, AND YOU ARE BINDING YOURSELF AND THE BUSINESS ENTITY THAT YOU
REPRESENT (COLLECTIVELY, "CUSTOMER") TO THE AGREEMENT. IF YOU DO NOT AGREE
TO ALL OF THE TERMS OF THE AGREEMENT, THEN CISCO IS UNWILLING TO LICENSE THE
SOFTWARE TO YOU AND (A) YOU MAY NOT DOWNLOAD, INSTALL OR USE THE
SOFTWARE, AND (B) YOU MAY RETURN THE SOFTWARE (INCLUDING ANY UNOPENED CD
PACKAGE AND ANY WRITTEN MATERIALS) FOR A FULL REFUND, OR, IF THE SOFTWARE
AND WRITTEN MATERIALS ARE SUPPLIED AS PART OF ANOTHER PRODUCT, YOU MAY
RETURN THE ENTIRE PRODUCT FOR A FULL REFUND. YOUR RIGHT TO RETURN AND
REFUND EXPIRES 30 DAYS AFTER PURCHASE FROM CISCO OR AN AUTHORIZED CISCO
RESELLER, AND APPLIES ONLY IF YOU ARE THE ORIGINAL END USER PURCHASER.
1. Product Names
For purposes of this Supplement, the Product name(s) and the Product description(s) you may order as
part of Access Control System Software are:
A. Advanced Reporting and Troubleshooting License
Enables custom reporting, alerting and other monitoring and troubleshooting features.
B. Large Deployment License
Allows deployment to support more than 500 network devices (AAA clients that are counted by
configured IP addresses). That is, the Large Deployment license enables the ACS deployment to support
an unlimited number of network devices in the enterprise.
C. Advanced Access License (not available for Access Control System Software 5.0, will be
released with a future Access Control System Software release)
Enables TrustSec policy control functionality and other advanced access features.
2. ADDITIONAL LICENSE RESTRICTIONS
• Installation and Use. The Cisco Secure Access Control System (ACS) Software component of the
Cisco 1121 Hardware Platform is preinstalled. CDs containing tools to restore this Software to the
1121 hardware are provided to Customer for reinstallation purposes only. Customer may only run
the supported Cisco Secure Access Control System Software Products on the Cisco 1121 Hardware
Platform designed for its use. No unsupported Software product or component may be installed on
the Cisco 1121 Hardware Platform.
• Software Upgrades, Major and Minor Releases. Cisco may provide Cisco Secure Access Control
System Software upgrades for the 1121 Hardware Platform as Major Upgrades or Minor Upgrades.
If the Software Major Upgrades or Minor Upgrades can be purchased through Cisco or a recognized
partner or reseller, the Customer should purchase one Major Upgrade or Minor Upgrade for each