Table Of Contents
Supported and Interoperable Devices for
Cisco Secure ACS Express, 5.0
Introduction
Supported Protocols
Exceptions To TACACS+ Draft 1.78 Support
Supported and Interoperable Devices
Supported Browsers
Supported and Interoperable Devices for
Cisco Secure ACS Express, 5.0
Revised: October 28, 2007, OL-14842-01
CDC Date: October 29, 2007
Introduction
The Cisco Secure ACS Express Server Release 5.0 (ACS Express) works with many devices and device types. This guide provides a listing of all tested devices and device types we support and a list of supported browsers.
Note 
Cisco officially supports only tested devices and software.
For general information and a list of known anomalies, see the Release Notes for Cisco Secure ACS Express, 5.0 (OL-11674-02):
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/release/notes/xpnote.html
This document contains the following sections:
•Supported Protocols
•Supported and Interoperable Devices
•Supported Browsers
Supported Protocols
ACS Express supports both Radius and TACACS+ protocols concurrently. ACS Express conforms to the latest TACACS+ specification (draft 1.78) from Cisco with some exceptions.
ACS Express conforms to the RADIUS protocol as defined in the draft of April 1997 and conforms substantially to the following Requests for Comments (RFCs):
•RFC 2138
•RFC 2139
•RFC 2284
•RFC 2865
•RFC 2866
•RFC 2867
•RFC 2868
•RFC 2869
The ports used for authentication and accounting have changed in RADIUS RFC documents. To support the older and newer RFCs, ACS Express accepts authentication requests on port 1645 and port 1812. For accounting, ACS accepts accounting packets on port 1646 and port 1813.
In addition to support for standard Internet Engineering Task Force (IETF) RADIUS attributes, ACS Express supports vendor-specific attributes (VSAs). The following VSAs are supported out of the box:
•Cisco IOS/PIX 6.0
•Cisco VPN 3000/ASA/PIX 7.x+
•Cisco VPN 5000
•Cisco Airespace
•Cisco Aironet
•Juniper
•Microsoft
ACS Express also enables you to add and modify VSAs from the vendors listed above. ACS Express supports up to ten additional vendors. After a new RADIUS VSA is defined, you can use it as if it were a predefined ACS Express RADIUS VSA.
Exceptions To TACACS+ Draft 1.78 Support
The following lists exception to TACACS+ Draft 1.78 that are not supported in ACS Express 5.0.
•Command Authorization or command authorization sets are not supported.
•Only Service type shell is supported; different service types such as PPP, SLIP, ARAP, and EAP over TACACS+ are not supported.
•Only ASCII TACACS+ password type is supported. Other password types such as PAP, CHAP, and ARAP are not supported.
•TACACS+ password change sequence is only supported for local database and not for external databases like LDAP or Active Directory.
•Only TACACS+ attribute-value pairs, priv_lvl, timeout, idletime, service are supported. Attribute-value pairs such as acls, route, autocmd, and some others are not supported.
•TACACS+ Single-connection is not supported.
Supported and Interoperable Devices
This section contains the following tables:
•Table 1, Tested Routers
•Table 2, Tested Security and VPN Devices
•Table 3, Tested Switches
•Table 4, Tested Wireless Devices
•Table 5, Tested PKI Certificate Services
•Table 6, Tested External User Databases
Table 1 lists the tested routers in ACS Express, 5.0.
Table 1 Tested Routers
Device Series
|
Supported Protocols
|
Cisco 1600
|
RADIUS and TACACS+ interoperability
|
Cisco 1700
|
RADIUS and TACACS+ interoperability
|
Cisco 2600
|
RADIUS and TACACS+ interoperability
|
Cisco 3600
|
RADIUS and TACACS+ interoperability
|
Cisco 3700
|
RADIUS and TACACS+ interoperability
|
Cisco 7100
|
RADIUS and TACACS+ interoperability
|
Cisco 7200
|
RADIUS and TACACS+ interoperability
|
Cisco 7300
|
RADIUS and TACACS+ interoperability
|
Cisco 7400
|
RADIUS and TACACS+ interoperability
|
Cisco 7500
|
RADIUS and TACACS+ interoperability
|
Cisco 10000
|
RADIUS interoperability
|
Note ACS Express supports any router that is compliant with the protocols listed in Supported Protocols.
Table 2 lists the tested security and VPN devices in ACS Express, 5.0.
Table 2 Tested Security and VPN Devices
Device Series
|
Supported Protocols
|
3000 Series Concentrators
3005, 3015, 3030, 3060, 3080
|
RADIUS and TACACS+ interoperability
|
Pix 500 Series Firewall
501, 506E, 515, 515E, 525, 535
|
RADIUS and TACACS+ interoperability
|
ASA 5500
|
RADIUS and TACACS+ interoperability
|
Note ACS Express supports any security or VPN devices that are compliant with the protocols listed in Supported Protocols.
Table 3 lists the tested switches in ACS Express, 5.0.
Table 3 Tested Switches
Device Series
|
Supported Protocols
|
Cisco Catalyst 2900
|
RADIUS and TACACS+ interoperability
|
Cisco Catalyst 2950
|
RADIUS and TACACS+ interoperability
|
Cisco Catalyst 3500
|
RADIUS and TACACS+ interoperability
|
Cisco Catalyst 3550
|
RADIUS and TACACS+ interoperability
|
Cisco Catalyst 3750
|
RADIUS and TACACS+ interoperability
|
Cisco Catalyst 4500
|
RADIUS and TACACS+ interoperability
|
Cisco Catalyst 6500
|
RADIUS and TACACS+ interoperability
|
Cisco Catalyst 7600
|
RADIUS and TACACS+ interoperability
|
Note ACS Express supports any switch that is compliant with the protocols listed in Supported Protocols.
Table 4 lists the tested wireless devices in ACS Express, 5.0.
Table 4 Tested Wireless Devices
Device Series
|
Supported Protocols
|
Aironet 1100
|
RADIUS and TACACS+ interoperability
|
Aironet 1200
|
RADIUS and TACACS+ interoperability
|
Wireless LAN Controller 2100
|
RADIUS interoperability
|
Wireless LAN Controller 2100
|
RADIUS interoperability
|
Note ACS Express supports any wireless device that is compliant with the protocols listed in Supported Protocols.
Table 5 lists the tested PKI Certificate Services in ACS Express, 5.0.
Table 5 Tested PKI Certificate Services
Device Series
|
Versions
|
Microsoft CA Certificate Server
|
Windows 2003 Enterprise and Standard Edition
|
Table 6 lists the External User Databases tested with ACS Express, 5.0.
Table 6 Tested External User Databases
Platform
|
Version
|
Notes
|
AD on Windows 2003
|
Windows 2003 Server RTM
Windows 2003 Server SP1
Windows 2003 Server R2
Windows 2003 Server R2 SP2
|
Tested with R2 Service Pack 2
|
AD on Windows 2000
|
Windows 2000 Server SP4
|
Tested with Service Pack 4
|
LDAP
|
Generic LDAP
version 2
|
Tested with OpenLDAP 2.2.1.3
Sun Java System Directory 5.2.4
|
One-Time Password Token Servers
|
Generic RADIUS token servers
|
Tested with RSA 6.1
|
Supported Browsers
ACS Express uses a web-based browser as a graphical user interface (GUI) for the administrative console. Table 7 lists the browsers and their supported versions for ACS Express, 5.0.
Note ACS Express has been tested with the browsers listed in Table 7.
Table 7 Supported Browsers
Browser
|
Supported Versions
|
Microsoft Internet Explorer
|
6.0 and 7.0
|
Mozilla Firefox
|
1.5 and 2.0 on Windows
|
Note ACS Express does not support Safari on MAC OS.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.
