I've been receiving this question more and more recently from Cisco ACS customers, so I figured I'd post my answer here for all to view. As some of you already know, Cisco's ACS software received an overhaul this past year. Many of the features that ACS customers have been asking for over the years have finally made it into ACS 5.0.
Here are the top 10 new features that will affect your upgrade decision. You can use this info to decide for yourself whether you should make the switch from 4.x yet.
1. First things first: one major difference, and in my opinion a change for the better, is that ACS 5.0 now runs on Linux. ACS 4.x ran on Windows. This resulted in an almost complete rewrite of the ACS code from the ground up.
2. ACS sports a completely new GUI that is much easier to use and understand than previous versions. This one even has wizards, what a novel concept. ACS 5.0 has significantly cut down on the number of clicks necessary to perform operations.
3. The fundamental architecture of ACS has been changed in 5.0. AAA decisions are now based on a rule-based policy model using access policies. For the first time you can set up complex AAA decision trees in ACS, allowing you to provide fine-grained access control. You can determine what privileges a user has based on location, device, time, any RADIUS or TACACS+ attribute value, or any LDAP or AD attribute value.
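To make the rule-based model concrete, here is an added example (my own illustration, not code from the post or from Cisco; ACS 5.0's actual policy syntax and attribute names differ) of a small first-match authorization engine. Each rule is a list of conditions over session attributes (AD group membership, NAS location, time of day, device type, a RADIUS attribute) and a set of resulting privileges. Rules are evaluated in order, the first match wins, and a session that matches nothing falls through to an explicit deny. The session dictionaries and group names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import time
from typing import Any, Callable, Dict, List

Session = Dict[str, Any]
Condition = Callable[[Session], bool]


@dataclass
class Rule:
    """One access-policy rule: all conditions must hold for the rule to match."""
    name: str
    conditions: List[Condition]
    privileges: Dict[str, Any]

    def matches(self, session: Session) -> bool:
        return all(cond(session) for cond in self.conditions)


# Condition builders: each returns a predicate over the session attributes.
def attr_equals(key: str, value: Any) -> Condition:
    return lambda s: s.get(key) == value


def in_ad_group(group: str) -> Condition:
    # AD/LDAP group membership, as returned by a directory lookup (constructed here)
    return lambda s: group in s.get("ad_groups", ())


def time_between(start: time, end: time) -> Condition:
    return lambda s: start <= s["time"] <= end


def radius_attr(name: str, value: Any) -> Condition:
    # Match on a RADIUS attribute carried in the access request
    return lambda s: s.get("radius", {}).get(name) == value


# Ordered policy: more specific rules first, because the first match wins.
POLICY: List[Rule] = [
    Rule("netops-full-access",
         [in_ad_group("NetOps"), attr_equals("location", "HQ"),
          time_between(time(7, 0), time(19, 0))],
         {"priv_lvl": 15, "shell": True}),
    Rule("netops-after-hours",
         [in_ad_group("NetOps")],
         {"priv_lvl": 1, "shell": True}),
    Rule("helpdesk-switch-readonly",
         [in_ad_group("Helpdesk"), attr_equals("device_type", "switch")],
         {"priv_lvl": 1, "shell": True}),
    Rule("guest-wireless",
         [radius_attr("NAS-Port-Type", "Wireless-802.11"), in_ad_group("Guests")],
         {"vlan": "guest"}),
]


def authorize(session: Session, policy: List[Rule] = POLICY) -> Dict[str, Any]:
    """Return the privileges of the first matching rule, or an explicit deny."""
    for rule in policy:
        if rule.matches(session):
            return {"rule": rule.name, "access": "permit", **rule.privileges}
    # Default deny: a session that no rule covers gets nothing.
    return {"rule": None, "access": "deny"}


# Constructed sample sessions (not real logs):
HQ_DAYTIME_ADMIN: Session = {"user": "alice", "ad_groups": ["NetOps"],
                             "location": "HQ", "device_type": "router",
                             "time": time(10, 30)}
REMOTE_NIGHT_ADMIN: Session = {"user": "alice", "ad_groups": ["NetOps"],
                               "location": "Branch", "device_type": "router",
                               "time": time(22, 15)}
HELPDESK_ON_ROUTER: Session = {"user": "bob", "ad_groups": ["Helpdesk"],
                               "location": "HQ", "device_type": "router",
                               "time": time(9, 0)}
GUEST_WIFI: Session = {"user": "guest1", "ad_groups": ["Guests"],
                       "location": "HQ", "device_type": "wlc", "time": time(12, 0),
                       "radius": {"NAS-Port-Type": "Wireless-802.11"}}

if __name__ == "__main__":
    for s in (HQ_DAYTIME_ADMIN, REMOTE_NIGHT_ADMIN, HELPDESK_ON_ROUTER, GUEST_WIFI):
        print(s["user"], "->", authorize(s))
```

The ordering matters: if "netops-after-hours" were listed first, the HQ daytime session would never reach the rule granting privilege level 15. Keeping the fall-through as an explicit deny is what makes adding a new device type or group safe, since anything you have not written a rule for gets no access rather than some accidental default.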
4. ACS 5.0 provides a full-featured, IOS-like CLI configuration option.
5. ACS 5.0 eliminates the need for AD agents to be loaded onto DCs. Instead, the ACS logs into AD and joins the domain. A built-in LDAP and AD browser lets you see and select the attributes, groups, and users you want to use in your access policies.
6. ACS 5.0 employs a new distributed scaling model where one ACS is designated primary/master and other ACSes (secondary ACSes) can be attached to the primary to scale the solution. All ACS boxes hold an exact copy of the configuration. Config updates are propagated immediately with no service outage, and only the changes are sent to the secondary boxes, not the complete configuration, making replication faster and more efficient. The primary can also push software updates down centrally.
7. ACS 5.0 provides new reporting, troubleshooting, and monitoring that was sorely missing from previous ACS versions. It is based on the ACS View product. The detail provided for each failed or successful authentication is granular enough that you no longer need to set up debugs on the devices themselves.
8. ACS 5.0 supports new wired 802.1X features not available in ACS 4.2, making it Cisco's recommended platform for wired 802.1X deployments. In many cases, you'll find it is also the right version for wireless 802.1X as well.
9. ACS 5.0 drops the software-only option that ACS 4.x enjoyed but maintains the hardware appliance option. However, ACS 5.0 only runs on a new, faster hardware appliance called the 1120. In exchange for dropping the software-only option, ACS 5.0 is available as a VMware appliance that can run on ESX.
10. Given the massive rewrite required for Cisco ACS 5.0, several features that were previously supported in ACS 4.x are not yet available in this version. Before you upgrade, make sure to review the supported features tables below. According to Cisco, subsequent releases of ACS 5.0 will cover these differences. Tables were copied from the Cisco 5.0 User guide.
Here are some pictures of the new ACS 5.0 Interface and features for your viewing pleasure:
Cisco ACS 5.0 User guide
Cisco ACS 5.0 Homepage
The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.
Jamey Heary, CCIE #7680, sits on the PCI Security Standards Council Board of Advisors, where he provides strategic and technical guidance for future PCI standards. Jamey is the author of Cisco NAC Appliance: Enforcing Host Security with Clean Access. (Check out all of Jamey Heary's books from Cisco Press.) He also has a patent pending on a new DDoS mitigation technique.
Jamey sits on several security advisory boards for Cisco Systems and is a founding member of the Colorado Healthcare InfoSec Users Group. He is an experienced speaker who is recognized as an expert in network security architecture, regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and he is a Certified HIPAA Security Professional. He has been working in the IT field for 15 years and in IT security for 10 years. Jamey is currently a Distinguished Systems Engineer at Cisco Systems.