11-12-2014 05:35 AM - edited 03-10-2019 10:10 PM
Since the upgrade to ACS 5.6 we are not able to edit user settings in the 'Internal User Identity Store' anymore.
As soon as we click the 'submit' button in the 'user edit screen' we are immediately kicked out of the application and we land on the ACS loggin screen with the message 'user logged out successfully'.
The same thing happens with Firefox, IE and Chrome.
What's going on?
11-12-2014 07:20 AM
just as an information for other guys having the same problem. We saw, that when you migrated from ACS 5.x to 5.6 and you have users with () in some fields (e.g. additional information fields), you have to delete these brackets and you are able (in some cases) to edit and save the new user information.
But there are still some users where we click submit, but the changes aren't saved, but you are not logged out of the session. We will further investigate this issue.
11-13-2014 06:19 AM
Another update: a workaround for the problem with the users, which can not be saved, is to change their passwords. After that you are able to save them again.
Even if theses users - migrated from an earlier ACS 5.x version - do not have any special characters in their passwords, they have a problem while editing the user settings. In my opinion, this seems to be a bug in ACS 5.6.
11-26-2014 02:11 AM
The reason for this behavior is the minimum password lenght rule. During the upgrad it was reset to 8 characters instead of 6 characters as bevore. The affected users could not be edited anymore unless the rule was changed or the password was reset with 8 characters.
This is the answer from TAC:
'It seems that you have minimum length for password configured as 8 character. For 146 users password length is less than 8 chars which are already present in the DB. Because of this configuration, user details are not getting updated.
To solve this, you need to either change the password policy to allow shorter passwords (6 characters) or change all the passwords that are less than 8 chars to meet the required length.
MGMT GUI: System Administration -->Users --> Authentication Settings --> Password Complexity--> Minimum length'
04-07-2015 08:35 AM
This issue (getting logged out) occurs even when trying to create a new Identity Policy (Access Policies --> VPN Access --> Identity --> Create). I cannot create new accounts and I cannot edit existing accounts. It does let me delete accounts. Not sure what to do here. Any advice would be great.
04-17-2015 06:54 AM
Make sure you respect the mininum characters rule for passwords that is set on your system.
05-20-2015 09:41 PM
did you try to install patch version 3 for ACS 5.6? I saw the following resolved issues:
04-23-2015 11:43 PM
we have this Problem also.
We have e Group name "MDE Geräte" (MDE devices) what contains a special character.
We can not change the group name, because after that we are facing with the issue 'user logged out successfully'.
The usernames can be chnaged, but 1000 or more is to much work.
Can we to change this policy so, that this special character can stay?
04-27-2015 08:03 AM
I didn't find a way to allow the forbidden special characters. According to Cisco it is for security reason.
04-27-2015 11:22 PM
Thank you. I oppened a TAC.
11-26-2014 02:04 AM
This is the answer from TAC regarding the situation with the session aborts:
'Regarding the issue with the user logout when attributes contain special characters, ACS is not allowing those chars to protect from vulnerable injection. So you should not have those characters in the fields.'
Conclusion: Do not use special characters like () in any field of the 'user edit screen'.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: