Cisco Secure Access Control System 5.0

Cisco Secure Access Control System Overview

Q. What is Cisco® Secure Access Control System (ACS)?
A. Cisco Secure ACS is the centralized identity and access policy solution that ties together an enterprise's network access policy and identity strategy. ACS operates as a centralized RADIUS and TACACS+ server, combining user authentication, user and administrator access control, and policy control into a centralized identity networking solution.
Q. Why do I need Cisco Secure ACS?
A. Changing business dynamics, regulatory requirements, and increased security threats have created new demands in access control management. As technologies such as IEEE 802.1x become more pervasive and the need for robust access policy and visibility grows, new solutions are needed that integrate access policy and identity into the network. ACS allows you to implement advanced enterprise policies by defining powerful and flexible policy rules through an easy-to-use, lightweight graphical user interface (GUI). ACS's integrated management and advanced monitoring, reporting, and troubleshooting capabilities provide the maximum level of control and visibility into policies and activities across the network.

Cisco Secure ACS 5.0: New Features

Q. What is new with Cisco Secure ACS 5.0?
A. Cisco Secure ACS version 5.0 is the initial release of Cisco's next-generation network identity and access solution that delivers significant features and functions including:

• An attribute-driven, rules-based policy model that provides much greater flexibility in addressing policy needs

• A new lightweight GUI

• Integrated advanced monitoring, reporting, and troubleshooting capabilities

• Improved integration with external identity and policy databases (Windows Active Directory and Lightweight Directory Access Protocol [LDAP])

• An automatic incremental replication mechanism that supports large-scale distributed deployments

Please refer to the user guide at http://www.cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html for more information about ACS 5.0 features and functions.
Q. Does Cisco Secure ACS 5.0 replace Cisco Secure ACS 4.2?
A. No. ACS 4.2 is a proven, feature-rich product that meets today's complex identity and access policy needs of enterprises, and Cisco will continue to sell, maintain, and support ACS 4.2. Cisco Secure ACS 5.0 is the initial release of Cisco's next-generation network identity and access solution and is suitable for many deployments today that require support for device administration and wireless and wired 802.1x scenarios. In time, ACS 5.x will incorporate other key 4.x features to allow the broader customer base to upgrade to the next-generation ACS platform.
Q. Is Cisco Secure ACS 5.0 a software or a hardware product?
A. Cisco Secure ACS is offered both as a hardware appliance and as software:

• A one rack-unit (1RU) dedicated, security-hardened Linux appliance with the base Cisco Secure ACS software preinstalled

• Software-only image (application and OS) for installation on VMware ESX

For complete specifications, please refer to the Cisco Secure ACS 5.0 Data Sheet at http://www.cisco.com/go/acs.
Q. How is the new ACS 5.0 policy model different from that of ACS 4.x?
A. Cisco Secure ACS 5.0 introduces a rule-based policy model that is different from the group-based policy model supported in ACS 4.x. The new model delivers the power and flexibility required for complex security policies that require evaluation of many different attributes and conditions, in addition to the user's identity, in order to grant access privileges.
The following are some of the key enhancements with the new policy model:

• Policy logic is decoupled from users and groups. Assignment of privileges and permissions is not directly defined in ACS users and user groups, but through authorization rules.

• In ACS authorization rules, multiple authorization profiles may be specified as an authorization decision result (with a precedence order to resolve conflicts). This reduces the overall number of authorization profiles needed and makes modification of policy more straightforward.

• Network devices may be categorized in multiple device groups. Device group hierarchy based on geography, organization, and so on allows definition of rules based on hierarchical groups.

• More powerful and flexible rule-based mapping of users or hosts to identity groups based on information available in an external directory or identity repository (group memberships, identity attributes, and so on)

Q. What are the new capabilities of the ACS 5.0 GUI?
A. ACS 5.0 features a completely redesigned lightweight web-based GUI that is secure, intuitive, and easy to use. ACS 5.0 does not require the installation of additional client software for GUI access. In addition to management and provisioning, the ACS GUI also has integrated monitoring and reporting capabilities that provide a high level of control and visibility into the network.
Q. What are the offered monitoring and reporting capabilities?
A. ACS 5.0 has an integrated Monitoring and Reporting component that is accessible through the ACS GUI. The base ACS license includes access to a variety of reports that provide broad visibility into policies and activities across the network to meet basic monitoring and reporting needs. ACS also supports advanced monitoring, reporting, and troubleshooting capabilities that provide a high level of control and visibility, such as a deployment-wide real-time session directory, threshold-based notifications, and additional diagnostic tools. These advanced capabilities are available through an add-on license that is sold separately.
Q. How does ACS 5.0 integrate with external databases?
A. ACS 5.0 provides a great deal of flexibility for integrating with external identity and policy databases such as Microsoft Active Directory and LDAP-accessible databases. Information in external databases can be referenced directly in ACS 5.0 policy rules. User and group attributes can be retrieved and then referenced when configuring either policy conditions or authorization results. This allows the definition of much more sophisticated policies than authorization through group mapping.
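As an added illustration of the rule-based model described in the policy-model answer and of referencing external-directory attributes in rule conditions (the previous answer), the following Python sketch is not Cisco code and does not reproduce ACS internals. It assumes hypothetical rule, profile, and attribute names; it shows first-match rule evaluation, hierarchical device-group matching, and merging several authorization profiles in precedence order.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Rule:
    """One authorization rule: every condition that is set must hold for a match."""
    name: str
    identity_group: Optional[str] = None        # result of the identity-group mapping
    device_group: Optional[str] = None          # hierarchical device group, e.g. "All:EMEA"
    attrs: Dict[str, str] = field(default_factory=dict)  # attributes fetched from AD/LDAP
    profiles: List[str] = field(default_factory=list)    # result profiles, highest precedence first

def in_device_group(device_group: str, required: str) -> bool:
    """Hierarchical match: a device in 'All:EMEA:London' is also in 'All:EMEA'."""
    return device_group == required or device_group.startswith(required + ":")

def rule_matches(rule: Rule, req: dict) -> bool:
    if rule.identity_group and req.get("identity_group") != rule.identity_group:
        return False
    if rule.device_group and not in_device_group(req.get("device_group", ""), rule.device_group):
        return False
    ext = req.get("attrs", {})  # values looked up in the external directory
    return all(ext.get(k) == v for k, v in rule.attrs.items())

def merge_profiles(names: List[str], catalog: dict) -> dict:
    """Combine several profiles; on a conflicting attribute the earlier (higher precedence) one wins."""
    result: dict = {}
    for name in names:
        for key, value in catalog[name].items():
            result.setdefault(key, value)
    return result

def authorize(rules: List[Rule], catalog: dict, req: dict, default: str = "DenyAccess"):
    """Rules are evaluated top-down; the first match decides. Returns (rule name, merged result)."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.name, merge_profiles(rule.profiles, catalog)
    return default, merge_profiles([default], catalog)

# Constructed sample data (hypothetical names; not taken from any real ACS deployment).
PROFILES = {"PrivLevel15": {"priv-lvl": 15}, "EmeaVlan": {"vlan": 120, "priv-lvl": 1},
            "DefaultVlan": {"vlan": 999}, "DenyAccess": {"access": "reject"}}
RULES = [
    Rule("AdminsOnEmeaDevices", identity_group="NetAdmins", device_group="All:EMEA",
         attrs={"employeeType": "FTE"}, profiles=["PrivLevel15", "EmeaVlan"]),
    Rule("Contractors", attrs={"employeeType": "Contractor"}, profiles=["DefaultVlan"]),
]

if __name__ == "__main__":
    print(authorize(RULES, PROFILES, {"identity_group": "NetAdmins",
          "device_group": "All:EMEA:London", "attrs": {"employeeType": "FTE"}}))
```

Note that the admin request receives priv-lvl 15 from the first profile even though the second profile carries priv-lvl 1, which is the precedence resolution the policy-model answer refers to.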
Q. Do I need to run a remote agent to use the ACS 5.0 appliance?
A. No. While previous ACS appliances required that ACS Remote Agent for Windows software be installed on a member of a trusted domain for Microsoft Windows authentication, the ACS 5.0 appliance supports native integration with Active Directory and hence does not need a remote agent.

Scalability

Q. How does Cisco Secure ACS 5.0 scale for large deployments?
A. Cisco Secure ACS 5.0 supports distributed deployment to provide high availability and scalability. An ACS deployment can be composed of multiple ACS instances that are managed together in a single distributed deployment. One ACS is designated as primary; it accepts configuration changes and propagates them to the secondary instances. For the smallest deployments, a primary and one secondary are recommended for redundancy. Larger deployments can add further secondary servers as dictated by network design. All ACS instances are identical in the sense that the full ACS software is installed on each of them. However, parts of the functionality (authentication, authorization, and accounting [AAA], management interface, and monitoring and reporting) can be disabled on individual instances, allowing each ACS instance to play a specific role or roles in the deployment.
Cisco Secure ACS 5.0 has an efficient replication mechanism that simplifies management of the ACS configuration. Within the distributed deployment, the primary ACS server is the single point of configuration, and all configuration changes made on the primary are automatically replicated across the deployment by propagating incremental changes to all secondary ACS servers. The primary ACS provides a GUI where all associated secondary servers can be monitored, together with their replication status.
Q. How are software updates performed in ACS 5.0?
A. Cisco Secure ACS 5.0 features an improved, centralized management of software updates (upgrades and patches) that is controlled through the GUI of the primary ACS server. Updates can be applied on selected or all ACS servers in a deployment, and software update files can reside in remote repositories or be uploaded to the primary server.

Ordering Information

Q. Should I purchase Cisco Secure ACS 5.0 or Cisco Secure ACS 4.2?
A. Cisco Secure ACS 5.0 is the next-generation platform for centralized identity and access policy management. While Cisco Secure ACS 5.0 is packaged with powerful features that simplify access and policy management, there are features supported in ACS 4.2 that are not supported in ACS 5.0. Some of the key areas of functionality differences include protocol support, external database support, and provisioning interfaces. Customers that choose to deploy ACS 4.2 will have upgrade paths to the next-generation ACS 5.x platform.
Please see the Cisco Secure ACS 5.0 User Guide at http://www.cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html for a more detailed comparison of ACS 4 and ACS 5.
Q. What is the licensing for Cisco Secure ACS 5.0?
A. Cisco Secure ACS 5.0 has a new licensing model. Each ACS 5.0 appliance or software package is delivered with a Base license, and each ACS 5.0 instance requires a Base license to operate. Add-on licenses are available to support deployments that are larger than 500 devices (AAA clients) and to support advanced monitoring, reporting, and troubleshooting functionality. For available part numbers and detailed descriptions, refer to the Cisco Secure ACS 5.0 product bulletin at http://www.cisco.com/go/acs.
Q. I currently use Cisco Secure ACS View 4.0 for monitoring and reporting. Do I still need that product with Cisco Secure ACS 5.0?
A. No. The integrated Monitoring and Reporting component provided with Cisco Secure ACS 5.0 has capabilities similar to the standalone Cisco Secure ACS View 4.0 product. The Monitoring and Reporting component replaces the Cisco Secure ACS View 4.0 product in ACS 5.0 deployments. Customers may still require a separate ACS 5.0 instance for monitoring and reporting to minimize any impact on ACS run-time performance.
Cisco Secure ACS 5.0 and Cisco Secure ACS View 4.0 products run on similar Linux-based appliances. Your investment in Cisco Secure ACS View 4.0 is protected as the software will be upgradeable to future Cisco Secure ACS 5 releases. Once upgraded, the unit can be configured to perform the full ACS functionality (AAA, management interface, and monitoring and reporting) or perform just the monitoring and reporting (ACS View-like) functionality.
Q. Are evaluation copies of Cisco Secure ACS available?
A. Yes. You can download a 90-day trial version of Cisco Secure ACS from links available at http://www.cisco.com/go/acs. Evaluation copies of both ACS 4.2 and ACS 5.0 are available so that customers can determine which product is more suitable for their needs.

For More Information

For more information about Cisco Secure ACS, contact your local account representative or send your questions to acs-mkt@cisco.com.