| | | | |
|---|---|---|---|
| 1111 | Yes | No | |
| 1112 | Yes | No | |
| 1113 | Yes | No | |
| 1120 | Yes (4.2) | Yes | ACS 5.0 shipping appliance |
| 1121 | No | Yes | ACS 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, and 5.8 shipping appliance |
| 3415 | No | Yes | ACS 5.4, 5.5, 5.6, 5.7, and 5.8 shipping appliance |
| 3495 | No | Yes | ACS 5.5, 5.6, 5.7, and 5.8 shipping appliance |
| 3515 | No | Yes | ACS 5.8.1 shipping appliance |
| 3595 | No | Yes | ACS 5.8.1 shipping appliance |
| Windows Server | Yes | No | |
| Virtual machine | ESX 3.x | ESX i5.0, i5.0 update 2, i5.1, i5.5, i5.5 update 1, and i5.5 update 2 | |
| | | | |
| ACS for Windows | Yes | No | No Windows Server support in ACS 5.8.1 |
| ACS Solution Engine | Yes | No | ACS 5.8.1 provides its own appliance option |
| ACS View 4.0 | Yes | No | ACS 5.8.1 has integrated View functionality |
| ACS Remote Agent | Yes | No | Remote Agent not required in 5.8.1 |
| ACS Express 5.0 | No | No | |
| | | | |
| CiscoWorks Common Services (for CSM/LMS) | Yes | No | |
| Cisco Wireless Control System (WCS) | Yes | Yes | |
| | | | |
| Single primary/multiple secondary | Yes | Yes | |
| Cascading replication | Yes | No | |
| Replication trigger | Manual or per schedule | On configuration change | |
| Replication unit | Whole replication component | Configuration delta only | |
| Synchronization | Loose | Tight | |
| Automatic outage resynchronization | No | Yes | |
| Internal user password updates | On primary only | On primary only | |
| Role-based secondary to primary promotion | No | Yes | |
| | | | |
| Internal | Yes | Yes | |
| Active Directory | Yes | Yes | |
| LDAP | Yes | Yes | |
| RDBMS | Yes | No | |
| RSA SecurID | Yes | Yes | |
| Other One-time Password Servers | Yes | Yes | Uses RADIUS interface to OTP server |
| | | | |
| RADIUS proxy | Yes | Yes | Includes EAP Proxy |
| TACACS+ proxy | Yes | Yes | |
| | | | |
| ACS View | Yes | Yes | |
| Syslog | Yes | Yes | |
| ODBC | Yes | No | ACS 5.8.1 provides View log data synchronization with an external database for archival purposes |
| Configuration Query/Provisioning | | | |
| Web-based GUI | Yes | Yes | |
| CSV-based updates | Yes | Yes | |
| CSUtil | Yes | No | |
| RDBMS Synchronization | Yes | No | |
| | | | |
| SNMP query | Yes (appliance only) | Yes | |
| SNMP traps | No | Yes | |
| View alarms | Yes | Yes | |
| GUI | Yes | Yes | |
| Cisco standard look and feel GUI | No | Yes | |
| CLI | Yes (limited, appliance only) | Yes (similar to IOS) | |
| System restart after some configuration changes | Yes | No | |
| KVM console access | No | Yes | |
| Choice of file transfer storage repositories | No | Yes | |
| In-place, cross-version upgrade procedure | No | Yes | |
| Remote upgrades/patching | Partial | Yes | |
| | | | |
| PAP | Yes | Yes | |
| CHAP | Yes | Yes | |
| MS-CHAPv1 | Yes | Yes | |
| MS-CHAPv2 | Yes | Yes | |
| MAB | Yes | Yes | |
| EAP-MD5 | Yes | Yes | |
| EAP-TLS | Yes | Yes | |
| PEAP-MSCHAPv2 | Yes | Yes | |
| PEAP-GTC | Yes | Yes | |
| PEAP-TLS | Yes | Yes | |
| FAST-MSCHAPv2 | Yes | Yes | |
| FAST-GTC | Yes | Yes | |
| FAST-TLS | Yes | No | |
| LEAP | Yes | Yes | |
| | | | |
| Command authorization | Yes | Yes | |
| Accounting | Yes | Yes | |
| Single connect | Yes | Yes | |
| Change password | Yes | Yes | |
| Enable handling | Yes | Yes | |
| Custom services | Yes | Yes | |
| Optional attributes | Yes | Yes | |
| CHAP/MSCHAP authentication | Yes | Yes | |
| Attribute substitution | Yes | Yes | |
| | | | |
| Complexity | Yes | Yes (stronger) | |
| History | Yes (last only) | Yes (multiple) | |
| Expiry | Yes (age by days, logins, first login) | Yes (age by days) | |
| Expiry warning | Yes | Yes | |
| Grace period | Yes | No | |
| | | | |
| By date | Yes | Yes | Can be implemented using authorization policy |
| By failed attempts | Yes | Yes | |
| By inactivity | No | Yes | |
| | | | |
| Separate TACACS+/RADIUS entries | Yes | Yes | |
| Hierarchical, scalable device grouping | No | Yes | |
| Default network device | TACACS+ only | RADIUS and TACACS+ | |
| Group-level shared secrets | Yes | No | |
| Wildcard for IP address | Yes | Yes | |
| | | | |
| Flexible, rules-based policy model | No | Yes | |
| Mandatory ACS group assignment | Yes | No | |
| Multiple group membership | No | Yes | |
| Static IP address assignment | Yes | Yes | Extend schema, policy |
| Maximum sessions | Yes | Yes | |
| Group disablement | Yes | Yes | Implement in ACS 5.8.1 policy |
| VOIP support | Yes | No | |
| ToD settings | Yes | Yes | |
| Callback | Yes | Yes | Use of Windows Callback setting is not available in ACS 5.8.1 |
| Network Access Restrictions | Yes | Yes | |
| Usage quotas | Yes | No | |
| Enable options | Yes | Yes | Implement in ACS 5 policy |
| Token caching | Yes | No | |
| IP address assignment | Yes | Yes (static and AAA client pool only) | For assigning static IP address, implement in authorization policy by adding IP address field to user schema. AAA client pool refers to the ability to set the VSA attribute "ip-pool-definition" on ACS. The pool itself will be defined on the switch or router itself. |
| Downloadable ACLs | Yes | Yes | |
| Supplementary user information | Yes | Yes | |
| Extendable ACS user schema for use in policy conditions and for authorization values | No | Yes | |
| User attributes (internal, AD, LDAP), that can be leveraged in policy conditions and as authorization values | No | Yes | |
| External password authentication for ACS internal users | Yes | Yes | In ACS 5, the password store must be specified through Access Service Identity Policy, and cannot be specified in the user's record. |
| Time bound alternate group | Yes | Yes | In ACS 5, time-based conditions are used to specify different permissions based on time of the day. |
| Windows dial-in support | Yes | No | |
| | | | |
| Network restrictions | Yes | Yes | |
| Entitlement reports | Yes | Yes | |
| Password complexity | Yes | Yes (stronger) | |
| Password aging | Yes | Yes | |
| Password history | Yes | Yes | |
| Password inactivity | Yes | Yes | |
| Account disablement because of failed attempts | Yes | Yes | |
| Account disablement because of account inactivity | Yes | Yes | |
| Permission control | Yes | Yes (role-based) | |
| Certificate-based Authentication/Authorization | | | |
| Mandatory AD authorization | Yes | No | |
| SAN/CN Comparison | Yes | No | Can be implemented indirectly in ACS 5.8.1 by checking for user attribute existence |
| Certificate binary comparison | Yes | Yes | |