Migration Guide for the Cisco Secure Access Control System 5.1
Feature Comparison of ACS 3.x and 4.x with ACS 5.1

Table C-1 Feature Comparison List—ACS 3.x/4.x and ACS 5.1 

Platform Support

| Feature | ACS 3.x and 4.x | ACS 5.1 | Notes |
|---|---|---|---|
| 1111 | Yes | No | |
| 1112 | Yes | No | |
| 1113 | Yes | No | |
| 1120 | Yes (4.2) | Yes | ACS 5.0 shipping appliance |
| 1121 | No | Yes | ACS 5.1 shipping appliance |
| Windows Server | Yes | No | |
| Virtual machine | ESX 3.x | ESX 3.x/4.0 | |

Components

| Feature | ACS 3.x and 4.x | ACS 5.1 | Notes |
|---|---|---|---|
| ACS for Windows | Yes | No | No Windows Server support in ACS 5.1 |
| ACS Solution Engine | Yes | No | ACS 5.1 provides its own appliance option |
| ACS View 4.0 | Yes | No | ACS 5.1 has integrated View functionality |
| ACS Remote Agent | Yes | No | Remote Agent not required in 5.1 |
| ACS Express 5.0 | No | No | |

Application Integration

| Feature | ACS 3.x and 4.x | ACS 5.1 | Notes |
|---|---|---|---|
| CiscoWorks Common Services (for CSM/LMS) | Yes | No | |
| Cisco Wireless Control System (WCS) | Yes | Yes | |

Distributed Model

| Feature | ACS 3.x and 4.x | ACS 5.1 | Notes |
|---|---|---|---|
| Single primary/Multiple Secondary | Yes | Yes | |
| Cascading replication | Yes | No | |
| Replication trigger | Manual or per schedule | On configuration change | |
| Replication unit | Whole replication component | Configuration delta only | |
| Synchronization | Loose | Tight | |
| Automatic outage resynchronization | No | Yes | |
| Internal user password updates | On primary only | Any server | |
| Role-based secondary to primary promotion | No | Yes | |

Identity Store Support

| Feature | ACS 3.x and 4.x | ACS 5.1 | Notes |
|---|---|---|---|
| Internal | Yes | Yes | |
| Active Directory | Yes | Yes | |
| LDAP | Yes | Yes | |
| RDBMS | Yes | No | |
| RSA SecurID | Yes | Yes | |
| Other One-time Password Servers | Yes | Yes | Uses RADIUS interface to OTP server |

AAA Proxy Support

| Feature | ACS 3.x and 4.x | ACS 5.1 | Notes |
|---|---|---|---|
| RADIUS proxy | Yes | Yes | Includes EAP Proxy |
| TACACS+ proxy | Yes | No | |

Logging Destinations

| Feature | ACS 3.x and 4.x | ACS 5.1 | Notes |
|---|---|---|---|
| ACS View | Yes | Yes | |
| Syslog | Yes | Yes | |
| ODBC | Yes | No | ACS 5.1 provides View log data synchronization with an external database for archival purposes |

Configuration Query/Provisioning

| Feature | ACS 3.x and 4.x | ACS 5.1 | Notes |
|---|---|---|---|
| Web-based GUI | Yes | Yes | |
| CSV-based updates | Yes | Yes | |
| CSUtil | Yes | No | |
| RDBMS Synchronization | Yes | No | |

Management

| Feature | ACS 3.x and 4.x | ACS 5.1 | Notes |
|---|---|---|---|
| SNMP query | Yes (appliance only) | Yes | |
| SNMP traps | No | No | |
| View alarms | Yes | Yes | |
| GUI | Yes | Yes | |
| Cisco standard look and feel GUI | No | Yes | |
| CLI | Yes (limited, appliance only) | Yes (similar to IOS) | |
| System restart after some configuration changes | Yes | No | |
| KVM console access | No | Yes | |
| Choice of file transfer storage repositories | No | Yes | |
| In-place, cross-version upgrade procedure | No | Yes | |
| Remote upgrades/patching | Partial | Yes | |

Password Authentication

| Feature | ACS 3.x and 4.x | ACS 5.1 | Notes |
|---|---|---|---|
| PAP | Yes | Yes | |
| CHAP | Yes | Yes | |
| MS-CHAPv1 | Yes | Yes | |
| MS-CHAPv2 | Yes | Yes | |
| EAP-MD5 | Yes | Yes | |
| EAP-TLS | Yes | Yes | |
| PEAP-MSCHAPv2 | Yes | Yes | |
| PEAP-GTC | Yes | Yes | |
| PEAP-TLS | Yes | No | |
| FAST-MSCHAPv2 | Yes | Yes | |
| FAST-GTC | Yes | Yes | |
| FAST-TLS | Yes | No | |
| LEAP | Yes | Yes | |

TACACS+

| Feature | ACS 3.x and 4.x | ACS 5.1 | Notes |
|---|---|---|---|
| Command authorization | Yes | Yes | |
| Accounting | Yes | Yes | |
| Single connect | Yes | Yes | |
| Change password | Yes | Yes | |
| Enable handling | Yes | Yes | |
| Custom services | Yes | Yes | |
| Optional attributes | Yes | Yes | |
| CHAP/MSCHAP authentication | Yes | No | |
| Attribute substitution | Yes | No | |

ACS Password Policy

| Feature | ACS 3.x and 4.x | ACS 5.1 | Notes |
|---|---|---|---|
| Complexity | Yes | Yes (stronger) | |
| History | Yes (last only) | Yes (multiple) | |
| Expiry | Yes (age by days, logins, first login) | Yes (age by days) | |
| Expiry warning | Yes | Yes | |
| Grace period | Yes | No | |

Account Disablement

| Feature | ACS 3.x and 4.x | ACS 5.1 | Notes |
|---|---|---|---|
| By date | Yes | No | Can be implemented using authorization policy |
| By failed attempts | Yes | No | |
| By inactivity | No | No | |

Network Devices

| Feature | ACS 3.x and 4.x | ACS 5.1 | Notes |
|---|---|---|---|
| Separate TACACS+/RADIUS entries | Yes | No | |
| Hierarchical, scalable device grouping | No | Yes | |
| Default network device | TACACS+ only | RADIUS and TACACS+ | |
| Group-level shared secrets | Yes | No | |
| Wildcard for IP address | Yes | Yes (mask-based only) | |

Access Policy

| Feature | ACS 3.x and 4.x | ACS 5.1 | Notes |
|---|---|---|---|
| Flexible, rules-based policy model | No | Yes | |
| Mandatory ACS group assignment | Yes | No | |
| Multiple group membership | No | Yes | |
| Static IP address assignment | Yes | Yes | ACS 5.1 can support this by adding an IP address field to the user schema, and then referencing the field in an authorization profile. |
| Maximum sessions | Yes | No | |
| Group disablement | Yes | Yes | Implement in ACS 5.1 policy |
| VOIP support | Yes | No | |
| ToD settings | Yes | Yes | |
| Callback | Yes | Yes | Use of Windows Callback setting is not available in ACS 5.1 |
| Network Access Restrictions | Yes | Yes | |
| Usage quotas | Yes | No | |
| Enable options | Yes | Yes | Implement in ACS 5 policy |
| Token caching | Yes | No | |
| IP address assignment | Yes | Yes (static and AAA client pool only) | For assigning static IP address, implement in authorization policy by adding IP address field to user schema. AAA client pool refers to the ability to set the VSA attribute "ip-pool-definition" on ACS. The pool itself will be defined on the switch or router. |
| Downloadable ACLs | Yes | Yes | |
| Supplementary user information | Yes | Yes | |
| Extendable ACS user schema for use in policy conditions and for authorization values | No | Yes | |
| User attributes (internal, AD, LDAP), that can be leveraged in policy conditions and as authorization values | No | Yes | |
| External password authentication for ACS internal users | Yes | Yes | In ACS 5, the password store must be specified through Access Service Identity Policy, and cannot be specified in the user's record. |
| Time bound alternate group | Yes | Yes | In ACS 5, time-based conditions are used to specify different permissions based on time of the day. |
| Windows dial-in support | Yes | No | |

ACS Administrators

| Feature | ACS 3.x and 4.x | ACS 5.1 | Notes |
|---|---|---|---|
| Network restrictions | Yes | Yes | |
| Entitlement reports | Yes | Yes | |
| Password complexity | Yes | Yes (stronger) | |
| Password aging | Yes | Yes | |
| Password history | Yes | Yes | |
| Password inactivity | Yes | Yes | |
| Account disablement because of failed attempts | Yes | Yes | |
| Account disablement because of account inactivity | Yes | Yes | |
| Permission control | Yes | Yes (role-based) | |

Certificate-based Authentication/Authorization

| Feature | ACS 3.x and 4.x | ACS 5.1 | Notes |
|---|---|---|---|
| Mandatory AD authorization | Yes | No | |
| SAN/CN Comparison | Yes | No | Can be implemented indirectly in ACS 5.1 by checking for user attribute existence |
| Certificate binary comparison | Yes | Yes | |