Today's growing number of network-access methods increases the possibility of security breaches and uncontrolled user access, and has become a top concern across the service provider, enterprise, and commercial market segments. Security challenges exist not only at the perimeter but also inside the network. Identity networking solutions that provide mechanisms to control network access are therefore of high interest to these customers.
Cisco® Secure Access Control Server (ACS) is an industry-leading access control server that provides a comprehensive identity-based networking solution to enterprise customers for network access (wired, wireless, remote access) and device administration. Cisco ACS extends security to users, machines, and device administrators by providing authentication, authorization, and accounting (AAA) services through robust access policies. These AAA policies are managed from a centralized, identity-based networking framework that gives enterprise networks greater flexibility, mobility, and security, and so improves user productivity.
The Cisco ACS family of products introduces the new Cisco Secure ACS Express 5.0, which is intended for commercial (fewer than 350 users), retail, and enterprise branch office deployments. The product offers a comprehensive yet simplified feature set, a cutting-edge user-friendly GUI, and an attractive price point that allows customers to deploy this product in situations where Cisco Secure ACS for Windows or Cisco Secure ACS Solution Engine may not be suitable.
Cisco ACS Express is available as a 1-rack-unit (RU), security-hardened appliance with a preinstalled Cisco Secure ACS Express license. Cisco ACS Express supports a maximum of 50 AAA clients and 350 unique user logons in a 24-hour period.
Table 1 lists the supported features within Cisco Secure ACS Express 5.0.
Table 1. Supported Features
Cisco Secure ACS Express conforms to RFC 2138, 2284, 2865, 2866, 2867, and 2869.
Cisco Secure ACS Express supports the following:
• Authentication on both the legacy RADIUS UDP port (1645) and the IANA-assigned port (1812), so AAA clients configured either way are accepted
• Vendor-specific attributes (VSAs) from Cisco IOS® Software/PIX® devices, VPN concentrators, Cisco WLAN controllers, Aironet® access points, and other IETF RADIUS-compliant Network Access Servers (NASs)
• The definition of custom VSAs
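The RFC conformance, dual-port support, and VSA handling listed above describe the wire protocol an AAA client and Cisco Secure ACS Express exchange. The following Python is an added worked example, not Cisco code or documentation: it builds an RFC 2865 Access-Request with a hidden User-Password and a Cisco VSA (attribute 26, vendor 9, cisco-avpair), parses it back, and builds and verifies an Access-Accept by its Response Authenticator. The shared secret, identifier, user name, NAS address and the shell:priv-lvl=15 avpair are constructed values; the port constants are the legacy and standard RADIUS ports.

```python
"""RFC 2865 RADIUS packets as a NAS and an AAA server exchange them: Access-Request
with hidden User-Password and a Cisco VSA, Access-Accept with Response Authenticator.
Added example, not Cisco code; secret, identifiers and addresses are constructed."""
import hashlib
import hmac
import os
import struct

# "Old" (pre-RFC 2865, still common on Cisco IOS) and standard RADIUS UDP ports.
LEGACY_AUTH_PORT, LEGACY_ACCT_PORT = 1645, 1646
STANDARD_AUTH_PORT, STANDARD_ACCT_PORT = 1812, 1813

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1  # IANA enterprise 9; cisco-avpair is vendor-type 1


def _avp(attr_type, value):
    """One Type-Length-Value attribute; Length counts its own 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_vsa(avpair):
    """Wrap a cisco-avpair string in attribute 26 (RFC 2865 section 5.26) using the
    recommended Vendor-Id / Vendor-Type / Vendor-Length sub-attribute layout."""
    return _avp(VENDOR_SPECIFIC,
                struct.pack("!I", CISCO_VENDOR_ID) + _avp(CISCO_AVPAIR, avpair.encode()))


def hide_password(secret, request_auth, password):
    """RFC 2865 section 5.2: pad to a multiple of 16 (at least 16), then XOR each
    block with MD5(secret + previous block), seeded by the Request Authenticator.
    This resists casual capture only; it is not modern encryption."""
    if len(password) > 128:
        raise ValueError("password longer than 128 bytes")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(secret, request_auth, hidden):
    """Inverse of hide_password; the MD5 chain runs over the *hidden* blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")  # padding is NUL, so trailing NULs in a password are lost


def build_access_request(secret, ident, user, password, nas_ip, avpairs=()):
    """Return (packet, request_authenticator). The authenticator must be 16 fresh
    random bytes per request; reuse lets an observer correlate hidden passwords."""
    request_auth = os.urandom(16)
    attrs = _avp(USER_NAME, user.encode())
    attrs += _avp(USER_PASSWORD, hide_password(secret, request_auth, password))
    attrs += _avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += b"".join(cisco_vsa(p) for p in avpairs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(secret, code, request_packet, attr_list=()):
    """Server side. Response Authenticator (RFC 2865 section 3) =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = b"".join(attr_list)
    header = struct.pack("!BBH", code, request_packet[1], 20 + len(attrs))
    return header + hashlib.md5(header + request_packet[4:20] + attrs + secret).digest() + attrs


def verify_response(secret, response, request_auth):
    """Client side: accept a response only if it was computed over *this* request's
    authenticator by a holder of the shared secret (rejects forgery and replay)."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_packet(packet):
    """Return (code, ident, authenticator, [(type, value), ...]). A VSA in the
    standard sub-format is returned as (26, (vendor_id, vendor_type, value))."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("Length field does not match datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + l]
        if t == VENDOR_SPECIFIC and len(value) >= 6 and value[5] == len(value) - 4:
            value = (struct.unpack("!I", value[:4])[0], value[4], value[6:])
        attrs.append((t, value))
        pos += l
    return code, ident, packet[4:20], attrs


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req, rauth = build_access_request(secret, 42, "alice", b"s3cret-pw", "192.0.2.10",
                                      ["shell:priv-lvl=15"])
    print(parse_packet(req))
    accept = build_response(secret, ACCESS_ACCEPT, req, [cisco_vsa("shell:priv-lvl=15")])
    print("accept verifies:", verify_response(secret, accept, rauth))
```

Two points the code makes concrete: the User-Password hiding is keyed only by MD5 of the shared secret and a per-request random authenticator, so a weak or shared-across-many-devices secret exposes every password on the segment, and the Response Authenticator is the only thing that binds an Access-Accept to the request, so a NAS that skips `verify_response` will accept a forged reply from anyone who can spoof the server's address.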
Cisco Secure ACS Express supports privilege-level authorization and time-of-day (TOD) and day-of-week (DOW) policies for TACACS+ users. It also supports authenticating TACACS+ requests against external databases: Lightweight Directory Access Protocol (LDAP) directories, Microsoft Active Directory, and one-time-password (OTP) servers (through RADIUS or native RSA access).
Extensible Authentication Protocol (EAP)
Cisco Secure ACS Express supports the following EAP methods with a configurable order of negotiation:
• Protected EAP (PEAP) v0, v1
• EAP-Flexible Authentication through Secure Tunneling (EAP-FAST) v0
• Lightweight EAP (LEAP); a legacy Cisco method whose challenge/response exchange is susceptible to offline dictionary attack, so EAP-FAST or PEAP is preferable for new deployments
• EAP-MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2), the usual inner method within PEAP and EAP-FAST tunnels
Cisco Secure ACS Express supports the use of local database, external token server, LDAP, and Active Directory.
Cisco Secure ACS Express supports Microsoft Windows machine authentication against Active Directory.
Cisco Secure ACS Express supports the mapping of external groups to determine entitlements for user or machine.
Cisco Secure ACS Express supports access based on time of day and day of week.
RADIUS response sets
Cisco Secure ACS Express supports the returning of RADIUS attribute/values in an authentication response based on group mapping and time-based conditions.
Cisco Secure ACS Express supports assigning a maximum privilege level for device administration access.
Machine access restrictions
Cisco Secure ACS Express supports machine access restriction (MAR), which mandates successful machine authentication as a prerequisite for successful user authentication from that machine.
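The time-of-day/day-of-week access policy, the RADIUS response sets returned on group mapping and time conditions, and the machine access restriction described above are all decisions the server makes after the user has authenticated. The following Python is an added example, not Cisco code, of that evaluation: external groups map to RADIUS response sets, each gated by a window that may cross midnight, and a MAR check runs first. The group names, attribute values, MAC addresses and timestamps are constructed; the aging-based MAR cache keyed on the client MAC is an assumption about how the prerequisite is tracked, not something the data sheet specifies.

```python
"""Post-authentication access policy: group-to-response-set mapping gated by a
time-of-day/day-of-week window, with a Machine Access Restriction (MAR) check
first. Added example, not Cisco code. The MAC-keyed, aging-based MAR cache is
an assumption; groups, attributes and times are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def at(iso: str) -> datetime:
    """Parse a constructed timestamp such as '2024-03-02T02:00' (2024-03-01 is a Friday)."""
    return datetime.fromisoformat(iso)


@dataclass(frozen=True)
class Window:
    """days are the days on which the window *starts*. end <= start means it runs
    past midnight (22:00-06:00); start == end means a full 24 hours from start."""
    days: FrozenSet[str]
    start: time
    end: time

    def contains(self, when: datetime) -> bool:
        t, today = when.time(), DAYS[when.weekday()]
        if self.start < self.end:  # same-day window, e.g. 08:00-18:00
            return today in self.days and self.start <= t < self.end
        if t >= self.start:  # overnight window, before midnight: today's window
            return today in self.days
        yesterday = DAYS[(when.weekday() - 1) % 7]
        return t < self.end and yesterday in self.days  # after midnight: yesterday's window


@dataclass
class Rule:
    external_group: str         # group name as returned by LDAP / Active Directory
    window: Optional[Window]    # None = no time restriction
    attributes: Dict[str, str]  # RADIUS response set returned on match


@dataclass
class MarCache:
    """MAC -> time of last successful machine authentication. A user login from a
    MAC whose machine authentication is missing or older than aging_hours is refused."""
    aging_hours: float
    seen: Dict[str, datetime] = field(default_factory=dict)

    def record_machine_auth(self, mac: str, when: datetime) -> None:
        self.seen[mac.lower()] = when

    def machine_ok(self, mac: str, when: datetime) -> bool:
        last = self.seen.get(mac.lower())
        return last is not None and timedelta(0) <= when - last <= timedelta(hours=self.aging_hours)


def authorize(user_groups, mac, when, rules, mar=None) -> Tuple[bool, Dict[str, str]]:
    """First matching rule wins. MAR is evaluated before any rule, so a user is never
    accepted from a machine that has not itself recently authenticated."""
    if mar is not None and not mar.machine_ok(mac, when):
        return False, {"Reply-Message": "machine authentication required"}
    for rule in rules:
        in_window = rule.window is None or rule.window.contains(when)
        if rule.external_group in user_groups and in_window:
            return True, dict(rule.attributes)
    return False, {}


def sample_rules() -> List[Rule]:
    """Constructed policy: admins at any time, contractors in business hours,
    and a night shift whose window crosses midnight on Friday and Saturday."""
    business = Window(frozenset(DAYS[:5]), time(8, 0), time(18, 0))
    overnight = Window(frozenset({"Fri", "Sat"}), time(22, 0), time(6, 0))
    return [
        Rule("NetOps-Admins", None,
             {"Service-Type": "Administrative-User", "cisco-avpair": "shell:priv-lvl=15"}),
        Rule("Contractors", business,
             {"Service-Type": "NAS-Prompt-User", "cisco-avpair": "shell:priv-lvl=1",
              "Session-Timeout": "3600"}),
        Rule("Night-Shift", overnight,
             {"Service-Type": "NAS-Prompt-User", "cisco-avpair": "shell:priv-lvl=7"}),
    ]


if __name__ == "__main__":
    mar = MarCache(aging_hours=8)
    mar.record_machine_auth("00:11:22:33:44:55", at("2024-03-01T07:30"))
    print(authorize({"Contractors"}, "00:11:22:33:44:55", at("2024-03-01T09:00"), sample_rules(), mar))
    print(authorize({"Night-Shift"}, "00:11:22:33:44:55", at("2024-03-02T02:00"), sample_rules()))
```

The overnight window is where such policies usually go wrong: a request at 02:00 on Saturday must match the window that began at 22:00 on Friday, and a request at exactly 06:00 must not. The MAR check is deliberately placed before rule matching so that even an administrator group cannot bypass the machine prerequisite.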
RADIUS access services
RADIUS access services classify access requests either by the requesting device's membership in a device group or by RADIUS attributes in the Access-Request, such as network location, protocol, or other attributes sent by the device through which the user is connecting.
Cisco Secure ACS Express supports high availability between a pair of ACS Express appliances, so that network devices retain a reachable AAA server if one appliance becomes unavailable.
Administration and configuration of Cisco Secure ACS Express can be done remotely through HTTPS using a Web browser.
Provides a command-line interface (CLI) for remote administration of the server.
The CLI can also export the configuration so that it can be modified and imported back into the same Cisco Secure ACS Express or into another Cisco Secure ACS Express in the network.
Administrator access control
Provides two-level access: administrators and operators; restricts operators to read-only access to specific pages.
Conforms to password policies in the Cisco security baseline.
Supports password expiration, forced change, and lockout.
Password policy applies to administrator authentication to Cisco Secure ACS Express.
Supports RADIUS accounting logs, debug logs, and backup of the logs off the machine.
Provides usage reports.
Supports addition of new Certificate Authority (CA) certificates and self-signed certificates.
Supports management of the Certificate Revocation List (CRL).
Cisco Secure ACS Express is offered as a hardened appliance with the software preinstalled for deployment ease.
A maximum of 50 AAA clients.
A maximum of 350 unique user ID logons to AAA (through TACACS+ or RADIUS). The limit is applied per day and resets at midnight.
Cisco Secure ACS Express is available as a 1-rack-unit, security-hardened appliance with a preinstalled Cisco Secure ACS Express license. Table 2 lists the specifications of the Cisco Secure ACS Express appliance.
Table 2. Product Specifications
Processor: Intel Celeron D 352
Basic input/output system (BIOS) type
Standard hard disk size: 1 x 250 GB
Mean time between failure (MTBF) of hard drives: 1.0 Mhours (at 40°C), 24 hours/7 days (70-80 percent duty cycle)
Optical drive: 1, front accessible (8X DVD read, 24X CD read)
Ethernet network interface card (NIC): 2 onboard 10/100/1000; 2 RJ-45 connectors on back of server
USB 2.0 ports: 3 (1 at front and 2 at back of chassis)
Maximum power consumption: 540W (maximum load, power supply rating)
Power supply: autoranging AC input; power factor correction (PFC)
Input low range: 90 to 127 (nominal) VAC; 47-63 Hz
Input high range: 180 to 264 (nominal) VAC; 47-63 Hz
Air temperature, server on: 50 to 95°F (10 to 35°C)
Air temperature, server off: -40 to 158°F (-40 to 70°C)
Relative humidity, server off: 95 percent, noncondensing at +30°C
Cooling: 3 fans installed (two are in the power supply); 2 blowers installed
Rack mounting: 2-post and 4-post rack-mounting options available
Weight: 15.0 lb (6.8 kg), base chassis
Height: 1.7 in. (43 mm)
Width: 16.9 in. (429 mm)
Depth: 20.0 in. (508 mm) without bezel or mounting hardware
Cisco Secure ACS Express 5.0 will be orderable beginning October 12, 2007. Customers interested in purchasing this product can place orders through their normal sales channels.
Table 3. Ordering Information for Cisco Secure ACS
Cisco Secure Access Control Server Express 5.0
Service and Support
Cisco offers a wide range of services programs to accelerate customer success. These innovative programs are delivered through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco services help you to protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco services, see Cisco Technical Support Services.
For More Information
For more information about the Cisco Secure ACS product family, including the user guide and release notes, please visit http://www.cisco.com/go/acs.