Cisco Secure Access Control System Overview
Q. What is Cisco® Secure Access Control System?
A. Cisco Secure Access Control System (ACS) is a centralized identity and access policy solution that ties together an enterprise’s network access policy and identity strategy. Cisco Secure ACS operates as a RADIUS and Terminal Access Controller Access Control System Plus (TACACS+) server, combining user authentication, user and administrator device access control, and policy control into a centralized identity networking solution.
Q. Why do I need Cisco Secure ACS?
A. Changing business dynamics, regulatory requirements, and increased security threats have created new demands in access control management. As technologies such as IEEE 802.1x become more pervasive and the need for robust access policy and visibility grows, new solutions are needed that integrate access policy and identity into the network. Cisco Secure ACS allows you to implement advanced enterprise policies by defining powerful and flexible policy rules through an easy-to-use, lightweight graphical user interface (GUI). The system’s integrated management and advanced monitoring, reporting, and troubleshooting capabilities provide the maximum level of control and visibility into access control and device administration policies and activities across the network.
Q. What is new with Cisco Secure ACS 5.x compared to Cisco Secure ACS 4.x?
A. Cisco Secure ACS 5.3 is Cisco’s new network identity and access solution that delivers significant features and functions, including:
● An attribute-driven, rules-based policy model that provides greater flexibility in addressing policy needs
● A new lightweight GUI
● Integrated advanced monitoring, reporting, and troubleshooting capabilities
● Improved integration with external identity and policy databases (Windows Active Directory and Lightweight Directory Access Protocol [LDAP])
● An automatic, incremental replication mechanism that supports large-scale distributed deployments
Q. What are the new features available in Cisco Secure ACS 5.3?
A. The following new features and capabilities are supported in Cisco Secure ACS 5.3:
● Enhanced upgrade from versions 5.1 and 5.2 without the need to re-image, back up, or restore policy configuration
● Programmatic interface for Create, Read, Update, and Delete (CRUD) operations on user objects
● Ability to use dynamic attributes (attribute substitution) in TACACS+ shell profiles
● Maximum concurrent sessions for all users or per user group (based on each Cisco Secure ACS instance)
● Capability to retrieve and verify internal users’ passwords from an external ID store
● User accounts can be disabled based on the number of failed attempts and/or their expiration (on a fixed date or in a specific number of days)
● When using ID Store Sequence, option to proceed to the next ID store when access to the current ID store fails for any reason
● Ability to function as TACACS+ proxy server
● Support for wildcards for host MAC addresses
● Network devices can be added using IP address ranges
● Ability to look up devices by IP address
● TACACS+ authentication using CHAP/MSCHAP
● Ability to compare values of any two attributes in identity and authorization policies
● Support for checking the dial-in attributes in users’ Active Directory accounts
● Ability to display RSA node missing secret
● PEAP-TLS protocol support
● Recovery of logs after reconnection of local servers to the remote log collector Secure ACS device
Q. Does Cisco Secure ACS 5.3 have full feature parity with Cisco Secure ACS 4.2?
A. No. Cisco Secure ACS 5.3 supports most of the features in Release 4.2 and is well-suited for many deployments today that require policy-based device administration and/or wired, wireless, or remote access control. Release 4.2 features that are not available in Release 5.3 include synchronization with ODBC and RDBMS databases and integration with CiscoWorks Common Services for RBAC support. Since these features have acceptable workarounds, support is not planned for them in future Cisco Secure ACS releases.
Q. Is Cisco Secure ACS 5.3 a software or a hardware product?
A. Cisco Secure ACS 5.3 is offered both as a hardware appliance and as software:
● A one rack-unit (1-RU), dedicated, security-hardened Linux appliance with the base Cisco Secure ACS software preinstalled
● A software-only image (application and operating system) for installation on VMware ESX/ESXi hypervisor
Q. How is the new Cisco Secure ACS 5.x policy model different from that of earlier releases?
A. Cisco Secure Access Control System 5.x introduced a rules-based policy model that is different from the group-based policy model supported in earlier releases. The new model delivers the power and flexibility needed for complex security policies that require evaluation of many different attributes and conditions, in addition to the user’s identity, in order to grant access privileges.
Following are some of the main enhancements with the new policy model:
● Policy logic is decoupled from users and groups. Assignment of privileges and permissions is not directly defined in Cisco Secure ACS users and user groups, but is defined through authorization rules.
● In Cisco Secure ACS authorization rules, multiple authorization profiles may be specified as an authorization decision result (with a precedence order to resolve conflicts). This reduces the overall number of authorization profiles needed and simplifies policy modification.
● Network devices may be categorized in multiple device groups, such as those based on geography or organization. This allows rules to be defined based on hierarchical groups.
● Release 5.x offers more powerful and flexible rules-based mapping of users or hosts to identity groups based on information available in external directories or identity repositories (such as group memberships or identity attributes).
● Release 5.x includes highly flexible access control policies that address authentication protocol requirements, device restrictions, time-of-day restrictions, posture validation, downloadable access control lists (dACLs), VLAN assignments, and other authorization parameters.
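To make the rules-based model concrete, here is an added toy evaluator (a constructed illustration written for this page, not Cisco's code and not the ACS policy engine). It assumes hypothetical rule, profile and attribute names; what it demonstrates is the shape of the model described above: rules match on request attributes instead of privileges being hard-wired to user groups, a rule may return several authorization profiles that are merged in precedence order, device groups are hierarchical so one rule can cover a whole subtree, and a condition can compare the values of two attributes with each other.

```python
"""Toy rules-based authorization evaluator (constructed illustration, not ACS code).

Models the ACS 5.x policy ideas: attribute-driven rules, several profiles
per rule merged by precedence, hierarchical device groups, and a condition
that compares two request attributes. All names below are hypothetical.
"""
from dataclasses import dataclass

# Authorization profiles: named bundles of result attributes (constructed).
PROFILES = {
    "Employee-Base": {"vlan": "employee", "session-timeout": 3600},
    "NY-Office": {"vlan": "ny-employees", "dacl": "permit-ny-servers"},
    "Contractor": {"vlan": "contractor", "dacl": "deny-internal", "session-timeout": 900},
    "NetAdmin-Shell": {"priv-lvl": 15},
}


def in_device_group(request, prefix):
    """True when the device's hierarchical group path starts with `prefix`.
    Paths use ':'-separated segments, e.g. 'All Devices:US:NY:Branch1'."""
    path = request.get("device_group", "").split(":")
    want = prefix.split(":")
    return path[: len(want)] == want


# Condition builders: each returns a predicate over the request attributes.
def attr_equals(name, value):
    return lambda r: r.get(name) == value


def attrs_equal(a, b):
    """Compare two request attributes with each other, e.g. a directory
    attribute against an attribute learned from the network device."""
    return lambda r: r.get(a) is not None and r.get(a) == r.get(b)


def device_under(prefix):
    return lambda r: in_device_group(r, prefix)


def hour_between(start, end):
    def pred(r):
        h = r.get("hour")
        return h is not None and start <= h < end
    return pred


@dataclass
class Rule:
    name: str
    conditions: list   # all must hold for the rule to match
    profiles: list     # precedence order: earlier profile wins on conflicting keys

    def matches(self, request):
        return all(c(request) for c in self.conditions)


def merge_profiles(names):
    """Merge profiles in precedence order: the first profile that sets a key wins."""
    result = {}
    for n in names:
        for k, v in PROFILES[n].items():
            result.setdefault(k, v)
    return result


def authorize(rules, request):
    """First-match evaluation; returns (rule name, merged result attributes).
    No match falls through to an explicit deny with no attributes."""
    for rule in rules:
        if rule.matches(request):
            return rule.name, merge_profiles(rule.profiles)
    return "Default-Deny", {}


# Rule set (constructed). Order matters: the first matching rule wins.
RULES = [
    Rule("NetAdmins-TACACS",
         [attr_equals("identity_group", "NetAdmins"), attr_equals("protocol", "TACACS+")],
         ["NetAdmin-Shell"]),
    Rule("NY-Employees",
         [attr_equals("identity_group", "Employees"), device_under("All Devices:US:NY")],
         ["NY-Office", "Employee-Base"]),
    Rule("Employees",
         [attr_equals("identity_group", "Employees")],
         ["Employee-Base"]),
    Rule("Contractors-BusinessHours",
         [attr_equals("identity_group", "Contractors"),
          attrs_equal("ad_department", "device_department"),  # two-attribute comparison
          hour_between(8, 18)],
         ["Contractor"]),
]

if __name__ == "__main__":
    # Constructed sample request: an employee on a New York branch switch.
    req = {"identity_group": "Employees", "protocol": "RADIUS",
           "device_group": "All Devices:US:NY:Branch1", "hour": 10}
    print(authorize(RULES, req))
```

Two details carry the security-relevant points. The conflict between the `vlan` values of "NY-Office" and "Employee-Base" is resolved by precedence, so a single reusable base profile can be combined with site-specific ones rather than maintaining one profile per site and group. And the contractor rule only grants access when the department recorded in the directory equals the department attribute learned from the device and the request falls in business hours; any request that matches no rule lands on the explicit deny.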
Q. What are the new capabilities of the Cisco Secure ACS GUI?
A. Release 5.x features a lightweight, web-based GUI that is secure, intuitive, and easy to use, and does not require the installation of additional client software for GUI access. In addition to policy management and provisioning, the Release 5.x GUI also has integrated monitoring and reporting capabilities that provide a high level of granular control and visibility into the network.
Q. What are the monitoring and reporting capabilities that the new GUI offers?
A. Cisco Secure ACS 5.x includes an integrated monitoring, reporting, and troubleshooting component that is accessible through the web-based GUI. This tool provides maximum visibility into configured policies and authentication and authorization activities across the network. Logs are viewable and exportable for use in other systems as well.
Q. How does Cisco Secure ACS 5.x integrate with external databases?
A. Release 5.x provides a great deal of flexibility for integrating with external identity and policy databases such as Microsoft Active Directory and LDAP-accessible databases. Information in external databases can be referenced directly in policy rules. User and group attributes can be retrieved and then referenced when configuring either policy conditions or authorization results. This allows the definition of much more sophisticated policies than authorization through group mapping.
Q. Do I need to run a remote agent to use the Cisco Secure ACS 5.3 appliance?
A. No. While previous Cisco Secure ACS appliances required that Cisco Secure ACS Remote Agent for Windows software be installed on a member of a trusted domain for Microsoft Windows authentication, the Release 5.x appliance supports native integration with Active Directory and does not need a remote agent.
Q. How does Cisco Secure ACS 5.3 scale for large deployments?
A. Cisco Secure ACS 5.3 supports distributed deployment to provide high availability and scalability. A deployment can be composed of multiple ACS instances that are managed together in a single, distributed deployment. One system is designated as primary, and it accepts configuration changes and propagates them to the secondary instances. For the smallest deployments, one primary and one secondary instance are recommended for redundancy. Larger deployments can add additional secondary servers as dictated by network design. All the Cisco Secure ACS instances are identical in the sense that the full Cisco Secure ACS software is installed on each of them. However, parts of the functionality (authentication, authorization, and accounting [AAA]; the management interface; and monitoring and reporting) can be disabled on individual instances, which allows each Cisco Secure ACS instance to play a specific role or roles in the deployment.
Cisco Secure ACS 5.3 has an efficient replication mechanism that makes the system easy to configure. Within the distributed deployment, the primary Cisco Secure ACS server is the single point of configuration, and all configuration changes made on the primary server are automatically replicated in the deployment by propagating incremental changes to all the secondary servers. The primary server provides a GUI where all the associated secondary servers can be monitored, together with their replication status.
Q. How are software updates done in Cisco Secure ACS 5.3?
A. Cisco Secure ACS 5.3 features improved, centralized management of software updates (upgrades and patches); this process is controlled through the GUI of the primary ACS server. Updates can be applied on selected or all ACS servers in a deployment, and software update files can reside in remote repositories or be uploaded to the primary server.
Q. What is the licensing model for Cisco Secure ACS 5.3?
A. Each Cisco Secure ACS 5.3 appliance or software package is delivered with a Base license, and each Cisco Secure ACS instance requires a Base license to operate. Add-on licenses are available to support deployments with more than 500 network devices and to support advanced Security Group Access (SGA) features. For available part numbers and detailed descriptions, refer to the Cisco Secure ACS 5.3 Ordering Guide at
Q. I currently use Cisco Secure ACS View 4.0 for monitoring and reporting. Do I still need that product with Cisco Secure ACS 5.x?
A. No. Cisco Secure ACS 5.x’s integrated monitoring and reporting component replaces the Cisco Secure ACS View 4.0 product in Cisco Secure ACS 5.x deployments. Customers may still require a separate Cisco Secure ACS 5.x instance for monitoring and reporting to minimize any impact on run-time performance.
Q. Are evaluation copies of Cisco Secure ACS available?
For More Information
For more information about Cisco Secure ACS, contact your local account representative or send your questions to firstname.lastname@example.org.