Session abort when editing user in ACS 5.6

Christian Faessler · ‎11-12-2014

Since the upgrade to ACS 5.6 we are not able to edit user settings in the 'Internal User Identity Store' anymore.

As soon as we click the 'submit' button in the 'user edit screen' we are immediately kicked out of the application and we land on the ACS loggin screen with the message 'user logged out successfully'.

The same thing happens with Firefox, IE and Chrome.

What's going on?

Dominic Stalder (old profile) · ‎11-12-2014

Hi Christian

just as an information for other guys having the same problem. We saw, that when you migrated from ACS 5.x to 5.6 and you have users with () in some fields (e.g. additional information fields), you have to delete these brackets and you are able (in some cases) to edit and save the new user information.

But there are still some users where we click submit, but the changes aren't saved, but you are not logged out of the session. We will further investigate this issue.

Regards

Dominic

Dominic Stalder (old profile) · ‎11-13-2014

Another update: a workaround for the problem with the users, which can not be saved, is to change their passwords. After that you are able to save them again.

Even if theses users - migrated from an earlier ACS 5.x version - do not have any special characters in their passwords, they have a problem while editing the user settings. In my opinion, this seems to be a bug in ACS 5.6.

Regards

Dominic

Christian Faessler · ‎11-26-2014

The reason for this behavior is the minimum password lenght rule. During the upgrad it was reset to 8 characters instead of 6 characters as bevore. The affected users could not be edited anymore unless the rule was changed or the password was reset with 8 characters.

This is the answer from TAC:

'It seems that you have minimum length for password configured as 8 character. For 146 users password length is less than 8 chars which are already present in the DB. Because of this configuration, user details are not getting updated.

To solve this, you need to either change the password policy to allow shorter passwords (6 characters) or change all the passwords that are less than 8 chars to meet the required length.

MGMT GUI: System Administration -->Users --> Authentication Settings --> Password Complexity--> Minimum length'

supercell2929 · ‎04-07-2015

This issue (getting logged out) occurs even when trying to create a new Identity Policy (Access Policies --> VPN Access --> Identity --> Create). I cannot create new accounts and I cannot edit existing accounts. It does let me delete accounts. Not sure what to do here. Any advice would be great.

Christian Faessler · ‎04-17-2015

Hello Ian

Make sure you respect the mininum characters rule for passwords that is set on your system.

Dominic Stalder (old profile) · ‎05-20-2015

Hi Ian

did you try to install patch version 3 for ACS 5.6? I saw the following resolved issues:

- CSCur59417 ACS 5.x apostrophe,plus sign causing gui log out

- CSCut55144 Special characters issue

Best regards

Dominic

radics.tibor1974 · ‎04-23-2015

Hi all

we have this Problem also.
We have e Group name "MDE Geräte" (MDE devices) what contains a special character.
We can not change the group name, because after that we are facing with the issue 'user logged out successfully'.
The usernames can be chnaged, but 1000 or more is to much work.
Can we to change this policy so, that this special character can stay?

Thanks

Christian Faessler · ‎04-27-2015

I didn't find a way to allow the forbidden special characters. According to Cisco it is for security reason.

radics.tibor1974 · ‎04-27-2015

Thank you. I oppened a TAC.

Christian Faessler · ‎11-26-2014

This is the answer from TAC regarding the situation with the session aborts:

'Regarding the issue with the user logout when attributes contain special characters, ACS is not allowing those chars to protect from vulnerable injection. So you should not have those characters in the fields.'

Conclusion: Do not use special characters like () in any field of the 'user edit screen'.