User Guide for the Cisco Secure Access Control System 5.0
Introducing ACS 5.0

Table Of Contents

Introducing ACS 5.0

Overview of ACS 5.0

ACS 5.0 Feature Highlights

ACS Distributed Deployment

ACS 4.x and 5.0 Replication

ACS Licensing Model

ACS Management Interfaces

ACS Web-Based Interface

ACS Command Line Interface


Introducing ACS 5.0


This section contains the following topics:

Overview of ACS 5.0

ACS 5.0 Feature Highlights

ACS Distributed Deployment

ACS Management Interfaces

Overview of ACS 5.0

ACS is a policy-driven access control system and an integration point for network access control and identity management. ACS is the dominant enterprise network access control platform, and it is the administrative access control system for Cisco and non-Cisco devices and applications.

ACS 5.0 provides these basic areas of functionality:

Standard Authentication, Authorization, and Accounting (AAA) RADIUS services for managing user access to network gateways (wireless, dialup, Virtual Private Network [VPN] and firewall). ACS supports multiple authentication methods using EAP, EAP-FAST and PEAP. For more information on authentication methods, see "Authentication in ACS 5.0."

TACACS+ functionality for managing administrative access to network devices.

ACS is the point in the network that establishes identity. Identity can be established directly, by using the ACS internal identity repository for local user authentication, or by mapping to an external identity repository. For example, ACS can use Active Directory to authenticate a user and then map that user to identity stores in the network. For more information about creating identities and supported identity services, see Chapter 7 "Managing Users and Identity Stores."

ACS 5.0 evolves beyond AAA (pronounced triple-A) to be a policy control point in the network. From a policy perspective, ACS 5.0 is the access decision point in the network. While ACS 5.0 may not make all policy decisions involved in access, ACS 5.0 is the arbiter to the network device. For example, an external posture broker may evaluate a Network Admission Control (NAC) posture and convey the evaluation to ACS to incorporate that posture information in the authorization policy decision.

For more information about using ACS for device administration and network access scenarios, see Chapter 4 "Common Scenarios Using ACS."

Related Topics

ACS 5.0 Feature Highlights

ACS Distributed Deployment

ACS Management Interfaces

ACS 5.0 Feature Highlights

ACS 5.0 delivers new architecture and functionality on a standard Cisco Linux-based appliance, and includes:

A revised, rules-based policy model, to allow much greater flexibility in addressing policy needs. See Chapter 3 "ACS 5.0 Policy Model" for more information.

Improved management interfaces—The web interface has been completely redesigned and reorganized, and the command line interface (CLI) provides a text-based interface in which you can perform some configuration tasks and monitoring. See ACS Management Interfaces for more information.

Integrated monitoring, reporting and troubleshooting capabilities, similar to those available in the ACS View 4.0 product. See ACS 4.x Versus ACS 5.0 Logging for information on the differences in logging functionality between ACS 4.x and ACS 5.0.

Improved integration with Windows Active Directory and LDAP back-end stores.

A revised high-performance runtime system, based on field-proven code.

A new platform architecture, providing greatly enhanced centralized management in a distributed deployment, delivered as a Linux-based appliance. See ACS Distributed Deployment for more information.

Support for the Cisco identity solution features: wired 802.1x support, NAC RADIUS integration with Cisco NAC Appliance - Clean Access Manager, and support for Cisco TrustSec solutions. See ACS and NAC RADIUS, and ACS and Cisco TrustSec for more information.

For information about differences between ACS 4.x and ACS 5.0, see Chapter 2 "Migrating From ACS 4.x to ACS 5.0."

ACS Distributed Deployment

ACS 5.0 is delivered preinstalled on a standard Cisco Linux-based appliance, and supports a fully distributed deployment.

An ACS deployment can consist of a single instance, or of multiple instances deployed in a distributed manner, where all instances in the system are managed centrally. One ACS instance becomes the primary instance, and you can register additional ACS instances to the primary instance as secondary instances. Every instance holds the configuration for the entire deployment, which provides redundancy for configuration data.

The primary instance centralizes the configuration of the instances in the deployment. Configuration changes made in the primary instance are automatically replicated to the secondary instances. You can also force a full replication to a secondary instance. Full replication is used when a new secondary instance is registered, and in other cases where the replication gap between the secondary instance and the primary instance is significant.

Related Topic

ACS 4.x and 5.0 Replication

ACS 4.x and 5.0 Replication

In ACS 4.x, you must select the database object types (or classes) that you wish to replicate from the primary instance to the secondary instance. When you replicate an object, a complete configuration copy is made on the secondary instance. In ACS 5.0, any configuration change made in the primary instance is immediately replicated to the secondary instance, and only the configuration changes made since the last replication are propagated. ACS 4.x did not provide incremental replication, only full replication, and replication required service downtime. ACS 5.0 provides incremental replication with no service downtime.

You can also force a full replication to the secondary instance if configuration changes do not replicate. Full replication is used when a new secondary instance is registered, and in other cases where the replication gap between the secondary instance and the primary instance is significant.
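The replication behaviour described in the two passages above (a complete copy for a newly registered or forced secondary, incremental propagation of only the changes made since the last replication, and a fallback to full replication when the gap is significant) is modelled here as an added example. It is not ACS code: the classes, the change journal and the FULL_SYNC_GAP threshold are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
# Assumed threshold for this model: a pending-change gap larger than this counts
# as "significant" and forces a full copy instead of an incremental replication.
FULL_SYNC_GAP = 100

@dataclass
class Primary:
    # Authoritative configuration plus a journal of (seq, key, value); value None = delete.
    config: dict = field(default_factory=dict)
    journal: list = field(default_factory=list)
    seq: int = 0

    def change(self, key, value):
        # Apply one configuration change and record it for incremental replication.
        self.seq += 1
        if value is None:
            self.config.pop(key, None)
        else:
            self.config[key] = value
        self.journal.append((self.seq, key, value))

@dataclass
class Secondary:
    # Starts unregistered and empty; applied_seq is the last journal entry applied.
    config: dict = field(default_factory=dict)
    applied_seq: int = 0
    registered: bool = False
    full_syncs: int = 0
    incremental_syncs: int = 0

    def replicate_from(self, primary, force_full=False):
        # Returns the replication mode that ran: 'up-to-date', 'incremental' or 'full'.
        gap = primary.seq - self.applied_seq
        if self.registered and not force_full and gap == 0:
            return "up-to-date"
        if not self.registered or force_full or gap > FULL_SYNC_GAP:
            self.config = dict(primary.config)  # complete copy: new secondary, forced, or large gap
            self.full_syncs += 1
            mode = "full"
        else:
            for seq, key, value in primary.journal:  # only changes made since the last replication
                if seq > self.applied_seq:
                    if value is None:
                        self.config.pop(key, None)
                    else:
                        self.config[key] = value
            self.incremental_syncs += 1
            mode = "incremental"
        self.applied_seq, self.registered = primary.seq, True
        return mode
```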

For more information about setting up a distributed deployment, see Configuring System Operations.


Note Network Address Translation (NAT) is not supported in an ACS distributed deployment environment. That is, if the network address of a primary or secondary instance is translated, database replication may not work properly and displays a shared secret mismatch error.


ACS Licensing Model

You must have a valid license to operate ACS; ACS prompts you to install a valid base license when you first access the web interface. Each server requires a unique base license in a distributed deployment. For information about the types of licenses you can install, see Types of Licenses. For more information about licenses, see Configuring Licenses.

Related Topic

ACS Distributed Deployment

ACS Management Interfaces

This section contains the following topics:

ACS Web-Based Interface

ACS Command Line Interface

ACS Web-Based Interface

You can use the ACS web-based interface to fully configure your ACS deployment, and perform monitoring and reporting operations. The web interface provides a consistent user experience regardless of the particular area that you are configuring.

The ACS web interface is supported on HTTPS-enabled Microsoft Internet Explorer, versions 6 and 7, and Firefox version 2.x, but not Firefox 3.x.

The new web interface design and organization:

Reflects the new policy model, which is organized around the user's view of policy administration. The new policy model is easier to use, as it separates the complex interrelationships that previously existed among policy elements; for example, user groups, network device groups (NDGs), network access filters, network access profiles, and so on.

Presents the configuration tasks in a logical order that you can follow for many common scenarios. For example, first you configure conditions and authorizations for policies in the Policy Elements drawer, and then you move on to the Policies drawer to configure the policies with the defined policy elements.

Provides new page functionality, such as sorting and filtering lists of items.

See Chapter 18 "Using the Web Interface" for more information.

Related Topics

ACS Command Line Interface

ACS Command Line Interface

You can use the ACS CLI, a text-based interface, to perform some configuration and operational tasks and monitoring. Access to the ACS-specific CLI requires administrator authentication by ACS 5.0. You do not need to be an ACS administrator or log in to ACS 5.0 to use the non-ACS configuration mode. ACS configuration mode command sessions are logged to the diagnostics logs.

ACS 5.0 is shipped on the Cisco 1120 Secure Access Control System (CSACS 1120). The CSACS 1120 OS software supports these command modes:

EXEC—Use these commands to perform system-level operation tasks (for example, install, start, and stop the application; copy files and installations; restore backups; and display information). In addition, certain EXEC mode commands have ACS-specific abilities (for example, start an ACS instance, display and export ACS logs, and reset an ACS configuration to factory default settings). The documentation expressly calls out the EXEC mode commands that provide this ability.

ACS configuration—Use these commands to set the debug log level (enable or disable) for the ACS management and runtime components, and show system settings.

Configuration—Use these commands to perform additional configuration tasks for the appliance server in an ADE OS environment.


Note The CLI includes an option to reset the configuration that, when issued, resets all ACS configuration information, but retains the appliance settings such as network configuration.


For information about using the CLI, see the Command Line Interface Reference Guide for Cisco Secure Access Control System 5.0.

Related Topic

ACS Web-Based Interface