Q. What is Cisco
® Secure Access Control Server Express 5.0 (Cisco Secure ACS Express)?
A. Cisco Secure ACS Express is an entry-level RADIUS and TACACS+ authentication, authorization, and accounting (AAA) server for retail branch, enterprise branch office deployments and small-medium-sized businesses (SMBs) with fewer than 350 users and 50 devices.
Cisco Secure ACS Express controls user and machine access to various networks including wireless, wired, and virtual private networks. Cisco Secure ACS Express also controls administrative access to network devices using RADIUS and TACACS+.
Q. Is Cisco Secure ACS Express a software or a hardware product?
A. Cisco Secure ACS Express is available on a Cisco hardware appliance that is preloaded with Cisco Secure ACS Express 5.0. For more details on the hardware specifications, please refer to the data sheet at
Q. How is Cisco Secure ACS Express positioned in comparison to Cisco Secure ACS for Windows (ACS Windows) and Cisco Secure ACS Solution Engine (ACS SE)?
A. ACS Windows and ACS SE are for customers who need a highly scalable access control solution that spans multiple sites. The feature set is catered to the enterprise deployments and includes but is not limited to support for Network Admission Control (NAC), device command authorization, command-line interface (CLI) views, integration with CiscoWorks management applications, and support for Cisco Security Monitoring, Analysis, and Response System (MARS).
Cisco Secure ACS Express is well suited for deployments that need an access control solution for fewer than 350 users and 50 devices. This product is intended to serve small to medium-sized businesses, retail sites and enterprise branch offices where customers need an easy-to-use GUI yet require a comprehensive but simple feature set and a lower price point to address their specific deployment needs.
In summary, ACS Windows and ACS SE cater to enterprise-class deployments that need a highly scalable AAA server. Cisco Secure ACS Express is positioned to cater to smaller deployments that need AAA services.
Q. What deployments is Cisco Secure ACS Express best suited for?
A. Cisco Secure ACS Express can be deployed at the following:
• Enterprise branch
• Retail sites
• Small and medium-sized businesses
Large enterprises are likely to have a centralized AAA deployment that manages the various regions within a corporate network. User and machine identities within the enterprise may be stored in centralized user databases, such as Active Directory.
Such large enterprises might have several branch sites that need to mitigate adverse impacts of a WAN outage by having a local AAA server present at that site. For that purpose, a single or a pair of Cisco Secure ACS Express servers may be deployed that are configured to authenticate users and machines against the centralized user database. Alternatively, the branch site may deploy a user database, such as Active Directory, at a local site to work around any dependency on a central site for user management.
Cisco Secure ACS Express can be deployed within retail organizations that require a local AAA server in each of their retail branches for various reasons including but not limited to WAN independence, localized access policies, and decentralized user repositories.
Small and Medium-Sized Businesses
Cisco Secure ACS Express can be deployed at businesses that have a few hundred users across one or multiple sites. In this instance, Cisco Secure ACS Express could be used to control access for wireless, wired, remote access, and device administration deployments, similar to what an enterprise-class AAA server would do in larger deployments but customized from a usability, feature, deployment size, and price point of view.
Q. Can I migrate to Cisco Secure ACS Express from ACS Windows or ACS SE?
A. No. Migration from ACS Windows or ACS SE is not supported.
Q. Can I upgrade to ACS Windows or ACS SE from Cisco Secure ACS Express?
A. No. This upgrade is currently not supported.
Q. Does Cisco Secure ACS Express require any licensing?
A. Cisco Secure ACS Express supports 50 network devices and 350 unique logins in a 24-hour period. No additional licensing is available or required.
Q. What network access gateways does Cisco Secure ACS Express support?
A. Cisco Secure ACS Express supports a broad set of networking access products, including Cisco IOS
® routers, VPN and firewall access products such as VPN concentrators and the ASA, voice-over-IP (VoIP) solutions, Cisco Wireless LAN controllers and access points, storage networks, and 802.1x-enabled Cisco Catalyst
Q. What protocols does Cisco Secure ACS Express support?
A. Cisco Secure ACS Express supports the protocols listed in Table 1.
Table 1. Protocols Supported by Cisco Secure ACS Express
Cisco Secure ACS Express conforms to RFC 2138, 2284, 2865, 2866, 2867, and 2869. Cisco Secure ACS Express supports the following:
• Authentication on old and new RADIUS ports
• Vendor-specific attributes (VSAs) from Cisco IOS Software/PIX
® devices, VPN concentrators, Cisco WLAN controllers, Aironet
® access points, and other IETF RADIUS-compliant Network Access Servers (NAS
• The definition of custom VSAs
Cisco Secure ACS Express supports privilege-level authorization and time of day (TOD) and day of week (DOW) policies for TACACS+ users. Additionally, there is support for external databases such as Lightweight Directory Access Protocol (LDAP), Microsoft Active Directory, one-time password (OTP) servers (RADIUS and RSA native access) for TACACS+ requests.
Cisco Secure ACS Express supports the following Extensible Authentication Protocol (EAP) methods with a configurable order of negotiation:
• EAP Transport Layer Security (EAP TLS)
• Protected EAP (PEAP) v0, v1
• EAP-Flexible Authentication through Secure Tunneling (EAP-FAST) v0
• Cisco LEAP
• Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)
• Active Directory: LDAP/389, Kerberos/88, Kerberos password change/464, Global Catalog/3268 (out)
• RSA OTP Software Development Kit (SDK): 5500 (out)
• FTP/21 (out)
• Syslog UDP/514 (out)
• Simple Mail Transfer Protocol (SMTP)/465 (out)
Q. How does Cisco Secure ACS Express handle authentication?
A. Cisco Secure ACS Express uses authentication to verify an individual's identity during a login attempt. Cisco Secure ACS Express uses the following authentication methods:
• Credential source
• Machine authentication
Cisco Secure ACS Express supports the use of a local database, an external token server, LDAP, and Active Directory as credential sources based on network access profiles. Cisco Secure ACS Express also supports the use of token server using proxy RADIUS.
Machine authentication enables a client machine to authenticate itself using the identity and credentials of the computer to Cisco Secure ACS Express. Cisco Secure ACS Express supports only Windows Machine Authentication against Active Directory.
Cisco Secure ACS Express supports machine authentication configuration for the protocols listed in Table 2.
You configure the outer and inner EAP methods using the GUI.
As part of the certificate setup, you have to install the server certificate for Cisco Secure ACS Express and enable autoenrollment on Active Directory for the client machine to obtain a machine certificate. Server certificates can be requested using either the Windows Certification Authority or OPENSSL
Q. What authorization policies does Cisco Secure ACS Express make available?
A. Cisco Secure ACS Express supports the authorization policies listed in Table 3.
Specifies whether an uppercase character is required in a user password.
Default is true.
Specifies whether a lowercase character is required in a user password.
Default is true.
Specifies whether a number is required in a user password.
Default is true.
Indicates whether you can use your username for a user password.
Default is true, disallowing username as password.
Cannot Reuse Last Password
Indicates whether you can use your most recent password.
Default is true, meaning that you cannot reuse your last password after it has expired.
Enable Password Lockout after N Attempts
Specifies whether there is a maximum number of failed password attempts.
Default is true.
Number of Failed Attempts
Specifies the number of failed attempts before user is locked out of the system; defaults to 8.
After a user has been locked out due to exceeding the specified number of failed attempts, an administrator must reactivate the user account before it can be used again.
Q. Can I use Cisco Secure ACS Express for high availability?
A. Yes, Cisco Secure ACS Express supports high availability between a Cisco Secure ACS Express pair.
This allows customers to achieve redundancy if one Cisco Secure ACS Express server is unavailable from a network device point of view.
Q. If I need to deploy Cisco Secure ACS Express across more than two sites, how would I distribute my configuration?
A. Cisco Secure ACS Express provides a mechanism to export configurations that can be modified and imported back to the same Cisco Secure ACS Express or another Cisco Secure ACS Express in the network. Customers can use the CLI to export a configuration file, make changes as desired per site, and import the configuration into the destination Cisco Secure ACS Express server.
Q. We have an existing back-end database where our user repository resides. Would I be able to integrate with it?
A. Yes, Cisco Secure ACS Express supports Microsoft Active Directory, LDAP, and OTP servers.
Q. Does Cisco Secure ACS Express support Active Directory natively or is integration required?
A. Cisco Secure ACS Express allows users to authenticate against Active Directory seamlessly. There is no need to install or configure any agent on either the Cisco Secure ACS Express appliance or any other server to interact with Active Directory.
Q. What administrative features are available within Cisco Secure ACS Express?
A. Table 5 lists the administrative features in Cisco Secure ACS Express.
Table 5. Cisco Secure ACS Express Administrative Features
Web and CLI
Cisco Secure ACS Express can be securely administrated from the Web GUI (HTTPS) or through the scriptable CLI.
These administrative interfaces provide flexibility in remotely managing individual Cisco Secure ACS Express appliances directly or in bulk through automated scripts.
Administrator access control
Provides two-level access: administrators and operators; restricts operators to read-only access to specific pages.
Supports password expiration, forced change, and lockout.
Password policy applies to administrator authentication to Cisco Secure ACS Express.
Supports RADIUS accounting logs, debug logs, and backup of the logs off the machine.
Provides usage reports.
Q. What password policies are available for ACS view administrators?
A. Cisco Secure ACS Express provides a password policy applicable to ACS administrators. The policy is made up of rules that define the password complexity and password lockout.