Skip Links

Is Cisco ACS 5.0 worth the upgrade?

Top 10 new features and limitations

By jheary on Tue, 08/25/09 - 12:31am.

I've been receiving this question more and more recently from Cisco ACS customers so figured I'd post my answer here for all to view. As some of you already know, Cisco's ACS software received an overhaul this past year. Many of the features that ACS customers have been asking for, for a while, have finally made it into ACS 5.0.
Here are the top 10 new features that will affect your upgrade decision. You can use this info to make up your own mind if you should make the switch from 4.x yet.


1. First things first, one major difference, and in my opinion for the better, is that ACS 5.0 runs on Linux now. ACS 4.x ran on windows. This resulted in an almost complete re-write of the ACS code from the ground up.

2. ACS sports a completely new GUI that is much easier to use and understand than previous versions. This one even has wizards, what a novel concept. ACS 5.0 has significantly cut down on the number of clicks necessary to perform operations.

3. The fundamental architecture of ACS has been changed in 5.0. AAA decisions are now based on a rule based policy model using access policies. For the first time you can setup complex AAA decision trees in ACS allowing you to provide fine grained access control. You can determine what privileges a user has based on location, device, time, any radius or tacacs+ attribute value or any LDAP or AD attribute value.

4. ACS 5.0 provides an IOS like CLI configuration option that is full featured.

5. ACS 5.0 eliminates the need for AD agents to be loaded on to DC's. Instead the ACS logs into AD and joins the domain. A built in LDAP and AD browser lets you see and select the attributes, groups, users you want to use in your access policies.

6. ACS 5.0 employs a new distributed scaling model where one ACS is designated primary/master and other ACSes (secondary ACSes) can be attached to the primary to scale the solution. All ACS boxes have an exact copy of the configuration, config updates are propagated immediately with no service outage, only update changes are sent to secondary boxes, not the complete configuration, making replication faster and more efficient. The primary can also push down software updates centrally.

7. ACS 5.0 provides new reporting, troubleshooting and monitoring that was sorely missing from previous ACS versions. It is based on the ACS View product. The detail provided for each failed or successful authentication is granular enough that you don't need to setup debugs on the devices themselves anymore.

8. ACS 5.0 supports new wired 802.1x features not available in ACS 4.2, making it Cisco's recommended platform for wired 802.1x deployments. In many cases, you'll find it is also the right version for wireless 802.1x as well.

9. ACS 5.0 drops the software only option that ACS 4.x enjoyed but maintains the hardware appliance option. However, ACS 5.0 only runs on a new, faster hardware appliance called the 1120. In exchange for dropping the software only option, ACS 5.0 is available as a VMware Appliance that can run on ESX.

10. Given the massive rewrite necessary with Cisco ACS 5.0, several features are not yet available in this version that were previously supported in ACS 4.x. Before you upgrade make sure to review the supported features tables below. According to Cisco, subsequent releases of ACS 5.0 will cover these differences. Tables were copied from the
Cisco 5.0 User guide.








Here are some pictures of the new ACS 5.0 Interface and features for your viewing pleasure:

New outlook like GUI side panel that is better organized than 4.x.


User and Identity Store configuration


Example of Identity based access rules. Each rule maps to a separate identity source


ACS 5.0 Monitoring Dashboard




ACS 5.0 now has full LDAP integration with ability to test your config and display attributes through the integrated LDAP browser




Example of authorization rules. Based on the matched conditions user will be assigned an authorization profile. Authorization profiles in turn define what privileges they have.


Cisco ACS 5.0 User guide
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_sys...

Cisco ACS 5.0 Homepage
http://www.cisco.com/en/US/products/ps9911/index.html




The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.

More from Jamey Heary:
* Credit Card Skimming: How thieves can steal your card info without you knowing it
* Why you should always shred your boarding pass
* Video rental records are afforded more privacy protections than your online data
* The truth about new SSL attacks
* 2009 Top Urban Legends in IT Security/a>

Go to Jamey’s Blog for more articles on security.