I've been receiving this question more and more recently from Cisco ACS customers, so I figured I'd post my answer here for all to view. As some of you already know, Cisco's ACS software received an overhaul this past year. Many of the features that ACS customers have been asking for have finally made it into ACS 5.0.
Here are the top 10 new features that will affect your upgrade decision. You can use this info to make up your own mind about whether you should make the switch from 4.x yet.
1. First things first: one major difference, and in my opinion a change for the better, is that ACS 5.0 now runs on Linux. ACS 4.x ran on Windows. This resulted in an almost complete rewrite of the ACS code from the ground up.
2. ACS sports a completely new GUI that is much easier to use and understand than previous versions. This one even has wizards, what a novel concept. ACS 5.0 has significantly cut down on the number of clicks needed to perform common operations.
3. The fundamental architecture of ACS has changed in 5.0. AAA decisions are now based on a rule-based policy model using access policies. For the first time you can set up complex AAA decision trees in ACS, allowing you to provide fine-grained access control. You can determine what privileges a user gets based on location, device, time of day, any RADIUS or TACACS+ attribute value, or any LDAP or AD attribute value.
4. ACS 5.0 provides a full-featured, IOS-like CLI configuration option.
5. ACS 5.0 eliminates the need for AD agents to be loaded onto DCs. Instead, the ACS logs into AD and joins the domain. A built-in LDAP and AD browser lets you see and select the attributes, groups, and users you want to use in your access policies.
6. ACS 5.0 employs a new distributed scaling model in which one ACS is designated the primary (master) and other ACSes (secondaries) are attached to the primary to scale the solution. All ACS boxes hold an exact copy of the configuration. Config updates are propagated immediately with no service outage, and only the changes are sent to the secondary boxes rather than the complete configuration, making replication faster and more efficient. The primary can also push software updates down to the secondaries centrally.
7. ACS 5.0 provides new reporting, troubleshooting, and monitoring capabilities that were sorely missing from previous ACS versions. They are based on the ACS View product. The detail provided for each failed or successful authentication is granular enough that you no longer need to set up debugs on the network devices themselves.
8. ACS 5.0 supports new wired 802.1X features not available in ACS 4.2, making it Cisco's recommended platform for wired 802.1X deployments. In many cases, you'll find it is the right version for wireless 802.1X as well.
9. ACS 5.0 drops the software-only option that ACS 4.x enjoyed but keeps the hardware appliance option. However, ACS 5.0 runs only on a new, faster hardware appliance called the 1120. In exchange for dropping the software-only option, ACS 5.0 is available as a VMware appliance that can run on ESX.
10. Given the massive rewrite that went into Cisco ACS 5.0, several features that were supported in ACS 4.x are not yet available in this version. Before you upgrade, make sure to review the supported-features tables below. According to Cisco, subsequent releases of ACS 5.0 will close these gaps. The tables were copied from the Cisco ACS 5.0 User Guide.
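To make the rule-based policy model in item 3 concrete, here is a small first-match policy engine written for this post. It is an added, constructed illustration, not Cisco ACS code: the rule names, directory groups, device locations, attribute names and authorization profiles are all invented, and it models only the idea that an access policy is an ordered list of rules whose conditions (directory group, device location, time of day, protocol attributes) must all hold, with a default result when nothing matches. It also records which condition of each rule failed, which is the kind of per-request detail item 7 says you get from the new reporting instead of having to run debugs on the device.

```python
"""Toy first-match AAA policy engine.

Constructed for this post to illustrate the rule-based access-policy model
described in item 3; it is not Cisco ACS code, and every rule, attribute and
profile name below is invented for the example.
"""
from dataclasses import dataclass, field
from datetime import time


@dataclass
class Request:
    """The facts an AAA server has about one authorization request."""
    username: str
    ad_groups: set                  # groups returned by the directory lookup
    device_location: str            # e.g. taken from a network-device group
    protocol: str                   # "radius" or "tacacs+"
    at: time                        # time of day the request arrived
    attrs: dict = field(default_factory=dict)  # raw protocol attributes


@dataclass
class Rule:
    name: str
    conditions: list   # list of (label, predicate) pairs; all must hold
    result: str        # authorization profile returned when the rule matches


# Condition builders: each returns a (label, predicate) pair
def in_group(group):
    return (f"group={group}", lambda r: group in r.ad_groups)


def at_location(loc):
    return (f"location={loc}", lambda r: r.device_location == loc)


def between(start, end):
    return (f"time in [{start},{end})", lambda r: start <= r.at < end)


def attr_equals(key, value):
    return (f"{key}={value}", lambda r: r.attrs.get(key) == value)


def protocol(p):
    return (f"protocol={p}", lambda r: r.protocol == p)


def failed_conditions(rule, req):
    """Labels of the rule's conditions that the request does not satisfy."""
    return [label for label, pred in rule.conditions if not pred(req)]


def evaluate(policy, req, default="deny"):
    """Walk the policy top-down; the first rule whose conditions all hold wins.

    Returns ((rule name, result), trail). The trail lists, per rule examined,
    which conditions failed, so a rejected request explains itself.
    """
    trail = []
    for rule in policy:
        failed = failed_conditions(rule, req)
        trail.append((rule.name, failed))
        if not failed:
            return (rule.name, rule.result), trail
    return ("default", default), trail


# Invented policy: ordered, first match wins
POLICY = [
    Rule("netadmin-shell",
         [in_group("NetAdmins"), protocol("tacacs+")],
         "shell-priv15"),
    Rule("helpdesk-branch-hours",
         [in_group("Helpdesk"), at_location("branch"), between(time(8), time(18))],
         "shell-priv7"),
    Rule("guest-wireless",
         [protocol("radius"), attr_equals("NAS-Port-Type", "Wireless-802.11"),
          in_group("Guests")],
         "vlan-guest"),
]

# Constructed sample requests
ALICE = Request("alice", {"NetAdmins"}, "hq", "tacacs+", time(22, 30))
BOB_DAY = Request("bob", {"Helpdesk"}, "branch", "tacacs+", time(10))
BOB_NIGHT = Request("bob", {"Helpdesk"}, "branch", "tacacs+", time(20))
CAROL = Request("carol", {"Guests"}, "hq", "radius", time(12),
                {"NAS-Port-Type": "Wireless-802.11"})

if __name__ == "__main__":
    for req in (ALICE, BOB_DAY, BOB_NIGHT, CAROL):
        decision, trail = evaluate(POLICY, req)
        print(req.username, decision, trail)
```

Running it shows Alice getting the privilege-15 shell regardless of time, Bob getting a limited shell during branch business hours and the default deny at night (with the trail naming the time condition as the one that failed), and Carol landing in the guest VLAN only because the RADIUS port type and her group both match. Rule order matters: a broad rule placed first shadows everything below it, which is the main thing to review when a policy does not behave as expected.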




Here are some pictures of the new ACS 5.0 Interface and features for your viewing pleasure:








Cisco ACS 5.0 User guide
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_sys...
Cisco ACS 5.0 Homepage
http://www.cisco.com/en/US/products/ps9911/index.html
The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.
Jamey Heary, CCIE No. 7680, is the author of the Cisco NAC Appliance: Enforcing Host Security with Clean Access book by Cisco Press. Jamey is a seasoned security technologist with over 15 years in the IT field with 10 years focused on IT security. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey is currently a Security Consulting Systems Engineer with Cisco, though the opinions expressed here are his own. Jamey is a member of Network World's Cisco Subnet blog community.
Run on Linux and VMware!
Good news that ACS 5.0 runs on Linux and VMware. Also, the ACS 5.0 GUI seems easy to understand compared to the ACS 4.2 GUI, which is more complicated and makes it hard to find things.
Licensing...
is also pretty "interesting"... for "large" deployments you have to pay an extra fee, and reporting etc. is an add-on too :/
My mistake
You no longer have to pay for reporting, etc. It is included with the base license now. I corrected the blog.
-Jamey
ACS still alive!
I was wondering when it would be released!
A Cisco CSE told me that no further development is going to be done on ACS going forward. Are future versions on hold?
I heard the same thing
5.1 is rumored to be the last version. Development has proven expensive and there are so many options that customers are migrating.
Not sure about versions put on hold
Not sure about versions put on hold. What I heard is that some key architects and management on the engineering/marketing side were laid off/fired, and they are "rearchitecting" it all over again since 5.0 was "not done right".
Cisco not getting out of AAA market
Here is a quote I received from the ACS BU Product TME:
"Cisco is by no means leaving this domain, in fact it continues to invest heavily in network identity and access policy. ACS 5.x is a big leap forward, and customers can expect further innovations from Cisco in this domain."
-Jamey
Licensing
The large deployment license means 500 managed devices; 90% of customers don't need this type of license.
The same goes for the advanced reporting & monitoring license, since basic capabilities are included and free.
ACS 5.1 will be released soon to close the main gaps with the 4.2 release, and other future versions of ACS are on the radar.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/user/guide/admin_config.html#wpxref68935
Thanks for the info, Jamey
Thanks for the info, Jamey; very helpful.
You're welcome
Glad you found it useful.
-Jamey