Q. Why doesn't Cisco Secure ACS 5.2 support all the features available in Cisco Secure ACS 4.2? Why have many important features of ACS 4.2 been dropped in Cisco Secure ACS 5.x releases?
A. Cisco Secure ACS 5.2 is a new product and has a completely redesigned, interactive, and simple-to-use GUI. Although the version number may imply otherwise, Cisco Secure ACS 5.2 has not been built upon earlier versions of Cisco Secure ACS. Most of the features supported in Cisco Secure ACS 4.2 are also supported in Cisco Secure ACS 5.2, including integrated monitoring, reporting, and troubleshooting capabilities, which required a separate ACS View product in ACS 4.x releases.
Q. Are there any other mechanisms for adding a user from the external database to Cisco Secure ACS?
A. Cisco Secure ACS 5.3 will support the REST API to create, update, and delete users and identity groups. This API can be used to write a client application program that will read the objects from the existing database and import them into Cisco Secure ACS via the APIs.
Q. Does Cisco Secure ACS 5.2 support RDBMS sync functionality?
A. No. Cisco Secure ACS 5.2 does not support RDBMS sync.
Q. Are there plans to add RDBMS sync to future releases of Cisco Secure ACS?
A. There are no plans to add this support.
Q. For customers using RDBMS sync, what are their options after migrating to Cisco Secure ACS 5.2?
Q. Are there any other mechanisms for performing CRUD operations on Cisco Secure ACS objects?
A. Cisco Secure ACS 5.3 will support the REST API to create, update, and delete users and identity groups. This web services API only supports user object and identity groups in Cisco Secure ACS 5.3.
Q. There are other features in Cisco Secure ACS 4.2 that are not supported in Cisco Secure ACS 5.2. When will those features be available in a future software patch or release?
A. Most of those features will be supported in Cisco Secure ACS 5.3, which is targeted for release in October 2011. They include:
• Programmatic interface for user CRUD operations
• TACACS+ attributes substitution
• Maximum concurrent sessions per user and/or group
• Ability to set the users' password type (ability to get password for internal user from external identity store)
• Ability to disable user accounts upon failed attempts and expiration (by a certain date or number of days)
• Ability to check the next ID store if access to an external ID store fails
• TACACS+ Proxy
• Wildcards for host MAC addresses
• Use of IP address ranges while adding network devices
• Ability to look up devices by IP address
• TACACS+ authentication with CHAP/MSCHAP
• Ability to compare values of two different user attributes in identity/authorization polices
• Dial-in attribute support
• Ability to display RSA node missing secret
• Improved integration with Centrify Active Directory interface
• PEAP-TLS protocol support
• Recovery of logs after reconnection to local servers
Q. Unlike Cisco Secure ACS 4.2, ACS 5.2 does not support integration with CiscoWorks Common Services (for Cisco Security Manager/CiscoWorks LAN Management Solution [LMS]). Will this feature be supported in a future Secure ACS release? If not, what options are available for customers using Cisco Security Manager/CiscoWorks LMS integration for role-based access control (RBAC), after migrating to Cisco Secure ACS 5.2?
A. Integration with CiscoWorks Common Services is not planned for a feature release of Cisco Secure ACS. Customers using Cisco Secure ACS with Cisco Security Manager/CiscoWorks LMS for RBAC can move to CiscoWorks LMS 4.0, which has native RBAC support and does not require integration with Cisco Secure ACS. CiscoWorks LMS 4.0 supports this function locally within the product, enabling administrators to define user roles and permit users to operate on a subset of (or all) network devices within LMS 4.0 itself. The procedure for defining new roles and limiting devices is simplified and requires no additional setup work in Cisco Secure ACS. Access control limits happen on the same groups of devices that are known to LMS, instead of groups defined at Cisco Secure ACS. For more information, please refer to
Q. Will Cisco Secure ACS 4.2 ever be supported on a server running Windows Server 2008 R2?
A. No new features are planned for Cisco Secure ACS 4.2. Customers who must use or upgrade to Windows Server 2008 R2 will have to migrate to Cisco Secure ACS 5.2 or 5.3 (when available).
Q. Will Cisco Secure ACS 4.2 support Microsoft Active Directory running Windows Server 2008 R2?
A. No new features are planned for Cisco Secure ACS 4.2. Customers will have to migrate to Cisco Secure ACS 5.2 or 5.3 (when available), which supports Microsoft Active Directory running Windows Server 2008 R2.
Q. Will Cisco Secure ACS 4.2 support VMware ESX 4.0?
A. No. Cisco Secure ACS 5.2 supports VMware ESX 4.0, and Cisco Secure ACS 5.3 will support VMware ESX/ESXi 4.1.
Q. Cisco Secure ACS 5.2 does not support logging to a remote database via ODBC. This was supported in Cisco Secure ACS 4.2. When I migrate to Cisco Secure ACS 5.2, what alternatives do I have for logging events, alarms, etc.?
A. In Cisco Secure ACS 5.2, you can send logs to an external syslog server and/or a Microsoft or Oracle SQL server in a periodic fashion - as often as every hour, if so desired.
Q. What product IDs can I use to upgrade to Cisco Secure ACS 5.2 from Cisco Secure ACS 4.2 or earlier versions of Cisco Secure ACS?