|
Table Of Contents
Supported and Interoperable
Devices and Software Tables for Cisco Secure ACS Release 4.1Tested Network Elements and Software
Supported ACS Software Versions on the ACS SE
Windows Support for the Remote Agent
Supported Upgrades for ACS for Windows
Supported Migrations for ACS SE
Solaris Support for the Remote Agent
Tested Windows Security Patches
Third-Party RADIUS and TACACS+ Clients
Supported and Interoperable Devices and Software
Supported and Interoperable
Devices and Software Tables for Cisco Secure ACS Release 4.1
OL-9973-03Revised: February 27, 2008Introduction
The Cisco Secure Access Control Server Release 4.1, hereafter referred to as ACS, works with hundreds of devices. Given the number of devices, this device list might significantly differ from the device lists associated with other Cisco products.
Use this list to find:
•Tested devices and software that we support.
•Interoperable devices and software.
Note Cisco officially supports only tested devices and software.
For information on ACS SE hardware platforms and supported ACS software versions, see Supported ACS Software Versions on the ACS SE. For details regarding limitations and known problems, see the Release Notes for Cisco Secure ACS Release 4.1.
This document contains the following sections:
•Tested Network Elements and Software
•Supported ACS Software Versions on the ACS SE
•Supported Upgrades for ACS for Windows
•Supported Upgrades for ACS SE
•Supported Migrations for ACS SE
•Tested Windows Security Patches
•Third-Party RADIUS and TACACS+ Clients
•Supported and Interoperable Devices and Software
Tested Network Elements and Software
This section lists the network elements and software that were tested with ACS 4.1.
Tested Network Elements
Cisco has tested the following network elements:
•Routers
–Cisco 800
–Cisco 1600
–Cisco 1700
–Cisco 2600
–Cisco 3600
–Cisco 3810
–Cisco 7100
–Cisco 7200
–Cisco uBR7114E
–Cisco AS5300
•Switches
–Catalyst 3550
–Catalyst 4500
–Catalyst 6500/Cisco 7600
•Security Appliances
–PIX 500 Series Firewall
–VPN 3000
•Wireless Access Points
–AP350
–AP1100
–AP1200
–Airespace controller
Tested Software
Cisco has tested the following Cisco and third-party software:
•Cisco Trust Agent (CTA), v.2.x
•Microsoft IIS 5.0
•Microsoft IIS 6.0
•Microsoft Internet Explorer, v.6.0 (SP1)
•Microsoft OS (Windows 2000 Server SP4, Windows 2003 Standard Edition, Windows 2003 Enterprise Edition)
•Microsoft SQL server v.7.5
•Microsoft SQL server v8.0
•NAI VirusScan Enterprise, v.8.0
•Netscape Communicator for Microsoft Windows, v.8.0
•Oracle 9i Database
•Red Hat Linux Enterprise, v.3.0 WS
•RSA ACE/Server, v.6.0
•Safeword Premier Access, v.3.1, 3.2
•Secure RSA agent for Windows, v.5.6
•Secure RSA Server (OTP), v.5.2
•Solaris 8 for SPARC
•SunONE Identity Server (Formerly iPlanet Directory), v.5.2
•Supplicants for supported protocols (1 for each)
•Third-party Auditing Servers (tested with QualysGuard Appliance by Qualys and Wholesecurity by Symantec)
•Trend Micro Antibody Server Corporate Edition, v.6.5
•Trend Micro OfficeScan Server Corporate Edition, v.6.5
•VMware ESX Server
•Win XP(SP2) and a Hotfix for the MS PEAP fast reconnect defect, for dialup clients used as 802.1x supplicants
Supported ACS Software Versions on the ACS SE
Table 1 indicates the Cisco Secure ACS software versions that each Cisco Secure ACS SE platform supports.
Table 1 Supported Versions
Cisco Secure ACS
Solution Engine Platform Cisco Secure ACS version 4.0.1 and 4.1 Cisco Secure ACS version 3.3 Cisco Secure ACS version 3.2Cisco 1111
Yes
Yes1
Yes
Cisco 1112
Yes2
Yes
No
Cisco 1113
Yes
No
No
1 To upgrade an existing Cisco 1111 platform to Cisco Secure ACS version 3.3, see "Supported Upgrades for ACS SE".
2 To upgrade an existing Cisco 1112 or 1113 platform to Cisco Secure ACS version 4.x, see "Supported Upgrades for ACS SE".
Supported Operating Systems
ACS supports the following Windows operating systems. The operating system and the service pack must be English-language versions.
•Windows 2000 Server, with Service Pack 4 installed
•Windows 2000 Advanced Server
–with Service Pack 4 installed
–without features specific to Windows 2000 Advanced Server enabled
•Windows Server 2003, Enterprise Edition, with Service Pack 1 installed
•Windows Server 2003, Standard Edition, with Service Pack 1 installed
Note The following restrictions apply to support for Microsoft Windows operating systems:
•We have not tested and cannot support the multiprocessor feature of any supported operating system. However, we did test ACS with dual-processor computers.
•We cannot support the Microsoft clustering service on any supported operating system.
•We do not support Windows 2000 Datacenter Server.
When running ACS on Windows Server 2003, you might encounter event messages that falsely indicate that ACS services have failed. Bug CSCea91690 documents this issue. For details, see the Release Notes for Cisco Secure ACS Release 4.1.
Remote Agent Support
Cisco Secure ACS 4.1 supports Cisco Secure ACS Remote Agent on the Microsoft Windows and Solaris operating systems. The following sections describe ACS Remote Agent support.
Windows Support for the Remote Agent
The Remote Agent runs on following English-language versions of the Windows operating system and service pack:
Note You must use only English-language versions of the operating system and the service pack.
SNMP Support
Cisco Secure ACS provides Simple Network Management Protocol (SNMP) support for the appliance only. The SNMP agent provides read-only SNMP v1 and SNMP v2c support. The supported Management Information Bases (MIBs) include:
•Structure and Identification of Management Information for TCP/IP-based Internets (1155).
•SNMP (1157).
•MIB for Network Management of TCP/IP-based internets: MIB-II (1213).
•MIB-II and LAN Manager MIB-II for Windows.
•Host Resources MIB (RFC 1514/2790).
Note Support for the Host Resources MIB (RFC 1514/2790) does not include support for releases:
•1.3.6.1.2.1.25, which is related to Microsoft's hostmib.dll.
•1.3.6.1.4.1, which is related to WinTrust.dll.
The SNMP agent is configurable on the appliance configuration page.
Supported Upgrades for ACS for Windows
Table 2 indicates the tested upgrades to ACS for Windows Server 4.1.
Note After you upgrade to ACS release 3.3.3, 3.3.4, or 4.0.1, you can then upgrade to release 4.1.
Supported Upgrades for ACS SE
We tested upgrades for the ACS Solution Engine from releases 3.3.3 to release 4.0.1, and 4.1 and from release 3.3.4 to release 4.1. To upgrade the Solution Engine from an earlier release (3.2.1, 3.2.2, 3.2.3, 3.3.1, and 3.3.2), you must first upgrade to either release 3.3.3 and then upgrade to release 4.0.1 or 4.1 or upgrade to release 3.3.4 and then upgrade to release 4.1. For more information, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine.
Supported Migrations for ACS SE
We support direct migration from ACS for Windows releases 3.3.3, 3.3.4 and 4.0.1 to release 4.1 of the ACS Solution Engine. To migrate from an earlier release of ACS for Windows (3.3.2, 3.3.1, 3.2.3, 3.2.2, 3.2.1, 3.1.2, and 3.0.4), you must either first upgrade to release 3.3.3, and then upgrade to release 4.0.1 or 4.1, or first upgrade to release 3.3.4 and then upgrade to release 4.1. For more information, see the Installation and Setup Guide for Cisco Secure ACS Solution Engine.
Solaris Support for the Remote Agent
The Cisco Secure ACS Remote Agent for Solaris runs on Solaris 8.
Note The Solaris Remote Agent requires the libstdc++.so library (C++ runtime). Without this library, the Remote Agent is not operational. The default path is set in the environment variable LD_LIBRARY_PATH and the directory /router/lib.
Tested Windows Security Patches
Note The list of tested patches will be updated as additional patches are identified and tested.
Security Patch Process
Cisco Systems officially supports and encourages the installation of all Microsoft security patches for Windows 2000 Server and Windows Server 2003 when they are used with Cisco Secure ACS.
Cisco experience has shown that these patches do not cause problems with the operation of Cisco Secure ACS. If the installation of security patches does cause a problem with Cisco Secure ACS, contact the Cisco TAC and we will resolve the problem as quickly as possible.
For information about our process for evaluating and releasing Microsoft security patches for Cisco Secure ACS, see the Cisco Secure ACS Q&A area in the Product Literature area for the Cisco Secure Access Control Server Solution Engine at http://www.cisco.com.
Windows Server 2003 Patches
We tested ACS with the following Windows Server 2003 patches:
Windows 2000 Server Patches
We tested ACS with the following Windows 2000 Server patches:
Third-Party RADIUS and TACACS+ Clients
ACS fully interoperates with third-party RADIUS and TACACS+ client devices that adhere to the governing protocols. Support for RADIUS and TACACS+ functions depends on the device-specific implementation. For example, on a specific device:
•TACACS+ might not be available for user authentication and authorization.
•RADIUS might not be available for administrative authentication and authorization.
For TACACS+ devices, ACS conforms to the TACACS+ protocol as defined by Cisco Systems in draft 1.78, which is available at http://www.cisco.com.
For RADIUS, ACS conforms to the following RFCs:
• RFC 2138—Remote Authentication Dial In User Service (RADIUS)
• RFC 2865—Remote Authentication Dial In User Service (RADIUS)
• RFC 2867—RADIUS Accounting for Tunnel Protocol Support
• RFC 2868—RADIUS Attributes for Tunnel Protocol Support
Note For details regarding the implementation of vendor-specific attributes (VSAs), see the User Guide for Cisco Secure ACS 4.1.
For TACACS+ devices, ACS conforms to the TACACS+ protocol as defined by Cisco Systems in draft 1.78, which is available at http://www.cisco.com.
Supported and Interoperable Devices and Software
This section contains the following tables and sections:
•Table 4, Device Operating Systems
•Table 6, Access Devices/Universal Gateways
•Table 8, Content Networking Devices
•Table 9, Security and VPN Devices
•Table 10, Storage Networking Devices
•Table 12, Cisco Aironet Software (Access Points for Wireless LAN)
•Table 14, PKI/Certificate Servers
You can find information about new device support at http://www.cisco.com.
Note To ensure full ACS capabilities, you must use the most recent operating system release on the clients that you deploy. See Table 4, Device Operating Systems, for the minimum acceptable client operating system versions.
Table 3 Web Browsers1
Program Versions NotesMicrosoft Internet Explorer
Version 6.0
•Service Pack 1 for Microsoft Windows (English and Japanese Language versions)
•Sun Java Plug-in, v.1.4.2_04
Tested
Microsoft Internet Explorer
Version 5.5
•Service Pack 1 for Microsoft Windows
•Japanese Language version
•Sun Java Plug-in, v.1.4.2_04
Not Tested
Netscape Communicator
Version 8.0 for Microsoft Windows
•English Language version
•Sun Java Plug-in, v.1.4.2_04
Version 7.1 for Microsoft Windows
•Japanese Language version
•Sun Java Plug-in, v.1.4.2_04
Tested
Netscape Communicator
Versions 7.0, 7.1, and 7.2 for Microsoft Windows
•English and Japanese Language versions
•Sun Java Plug-in, v.1.4.2_04
Not Tested
1 To use a web browser to access the ACS web interface, you must enable Java and JavaScript in the browser. You must also disable the HTTP proxy in the browser.
Table 6 Access Devices/Universal Gateways
Series Notes6400 Series
RADIUS and TACACS+ interoperability
AS2600 Series
RADIUS and TACACS+ interoperability
AS5350 Series
RADIUS and TACACS+ interoperability
AS5300 Series
RADIUS and TACACS+ interoperability
AS5400 Series1
RADIUS and TACACS+ interoperability
AS5850 Series
RADIUS and TACACS+ interoperability
DSL Series/6015, 6100, 6130, 6160, 6260
RADIUS and TACACS+ interoperability
MGX Series/8220, 8250, 8800, 8950
TACACS+ interoperability
1 Tested on version 3.2, not retested on version 3.3.
Table 7 Cable Devices
Devices NotesuBR71001
RADIUS and TACACS+ interoperability
1 Tested on version 3.2, not retested on version 3.3.
Table 8 Content Networking Devices1
Series/Devices NotesCE7300/CE 7320
RADIUS and TACACS+ interoperability
CDM4600/CDM4630, CDM4650
RADIUS and TACACS+ interoperability
4400 Content Routers/CR4430
RADIUS and TACACS+ interoperability
1 Tested on version 3.2, not retested on version 3.3.
Table 10 Storage Networking Devices
Series Devices Supported NotesMDS 9000
MDS 9216, MDS9509
RADIUS and TACACS+ interoperability
Table 12 Cisco Aironet Software (Access Points for Wireless LAN)
Series NotesAP1100
RADIUS interoperability with IOS v12.3(4)JA
AP1200
RADIUS interoperability with IOS v12.3(4)JA
Table 15 Token Servers1
Platform Version Client Requirement NotesActivCard Server
3.1
—
Not Tested
CRYPTOCard CRYPTOAdmin
5.16
—
Not Tested
PassGo Defender
4.1.3
—
Not Tested
RSA ACE/Server
6.0
—
Tested
RSA ACE/Server
5.2
—
Tested
Safeword Premier Access
3.1, 3.2
—
Tested
Vasco Vacman Server
6.0.2
—
Not Tested
1 Cisco Secure ACS uses a RADIUS interface to support all token servers, with the exception of the RSA ACE/Server.
Table 17 User Databases1
Platform Version RequirementAD on Windows 2003
—
Tested with Service Pack 1
AD on Windows 2000
—
Tested with Service Pack 4
SAM on Windows 2000
—
Tested with Service Pack 4
SAM on Windows NT 4.0
—
Not Tested
LDAP
Generic
See Table 16.
Novell NetWare
Version 6.5
Not Tested
Open Database Connectivity (ODBC)-compliant relational databases
—
In addition to the Windows ODBC interface, the third-party ODBC driver must be installed on the ACS server.
LEAP Proxy RADIUS servers
—
Tested
1 See also Table 15, Token Servers.
Table 18 User Databases1
Platform Version RequirementAD on Windows 2003
—
Tested with Service Pack 1
AD on Windows 2000
—
Tested with Service Pack 4
SAM on Windows 2000
—
Tested with Service Pack 4
SAM on Windows NT 4.0
—
Not Tested
LDAP
Generic
See Table 16
Novell NetWare
6.5
Not Tested
LEAP Proxy RADIUS servers
—
Tested
1 See also Table 15, Token Servers.
Table 19 Proxy Support
Platform Version NotesCisco Secure ACS
—
Tested with version 4.1
Funk Steel Belted Radius
Enterprise Edition
Not Tested
VMWare ESX Server Support
ACS 4.1 has been tested on the VMWare ESX server with the following configuration:
•VMWare ESX Server 3.0.0
•16 GB of RAM
•AMD Opteron Dual Core processor
•300 GB hard drive
•Four virtual machines
•Windows 2003 Standard Edition
•3 GB of RAM for the guest operating system