A core component of the Cisco TrustSec solution, Cisco Secure ACS is a policy platform providing RADIUS and TACACS+ services. It supports the increasingly complex policies needed to meet today's demands for access control management and compliance. Cisco Secure ACS provides central management of access policies for device administration and for wired and wireless 802.1X and remote-access (VPN) network access.
With the ever-increasing reliance on enterprise networks to perform daily job routines and the increasing number of methods available to access today's networks, security breaches and uncontrolled user access are of primary concern among enterprises. Network security officers and administrators need solutions that support flexible authentication and authorization policies that are tied not only to a user's identity, but also to context such as the network access type, time of day the access is requested, and the security of the machine used to access the network. Further, there is a stronger need to effectively audit use of network devices, monitor activities of device admins for corporate compliance, and provide broader visibility and control over device access policies across the network.
Cisco Secure ACS is a highly scalable, high-performance access policy system that centralizes device administration, authentication, and user access policy and reduces the management and support burden for these functions.
Complete access control and confidentiality solution
ACS can be deployed with other Cisco TrustSec components, including policy components, infrastructure enforcement components, endpoint components, and professional services.
Cisco Secure ACS 5.4 supports two distinct protocols for authentication, authorization, and accounting (AAA): RADIUS for network access control and TACACS+ for network device administration. The split reflects what each protocol protects and authorizes. RADIUS hides only the User-Password attribute under the shared secret and bundles authorization into the authentication reply, while TACACS+ obfuscates the entire packet body and separates authentication from authorization, which is what makes per-command authorization of device administrators possible. Cisco Secure ACS is a single system for enforcing access policy across the network as well as network device configuration and change management as required for standards such as PCI DSS.
Cisco Secure ACS 5.4 supports an integrated user repository in addition to integration with existing external identity repositories such as Windows Active Directory, LDAP servers, and RSA token servers. This includes use of multiple LDAP servers within an ACS cluster as well as connecting each ACS node (instance) to a different AD domain. Multiple databases can be used concurrently through identity store sequences, which consult the configured stores in a defined order, giving flexibility in how access policy is enforced.
Cisco Secure ACS 5.4 supports a wide range of authentication protocols, including PAP, MS-CHAP, EAP-MD5, Protected EAP (PEAP), EAP-FAST (Flexible Authentication via Secure Tunneling), EAP-TLS, and PEAP-TLS. It also supports TACACS+ authentication with CHAP and MS-CHAP, as well as PAP-based password change when using TACACS+ and EAP-GTC with LDAP servers. PAP and EAP-MD5 are legacy methods: PAP carries the password protected only by the RADIUS shared secret, and EAP-MD5 provides neither server authentication nor key derivation, so it is unsuitable for wireless access. Prefer the tunnelled or certificate-based methods (PEAP, EAP-FAST, EAP-TLS) wherever the clients support them.
Cisco Secure ACS 5.4 supports a rules-based, attribute-driven policy model that gives greatly increased power and flexibility for access control policies, which may include authentication protocol requirements, device restrictions, time-of-day restrictions, posture validation, and other access requirements. Cisco Secure ACS may apply downloadable access control lists (dACLs), VLAN assignments, and other authorization parameters. Version 5.4 can also disable user accounts in the internal database individually, based on a per-user expiration date.
Cisco Secure ACS 5.4 supports a completely redesigned lightweight, web-based GUI that is easy to use. An efficient, incremental replication scheme quickly propagates changes from primary to secondary systems, providing centralized control over distributed deployments. Software upgrades are also managed through the GUI and can be distributed by the primary system to secondary instances.
Support for larger ACS deployments
Cisco Secure ACS 5.4 supports up to 21 instances in a single ACS cluster, compared to 10 instances officially supported by earlier software versions.
Cisco Secure ACS 5.4 supports a programmatic interface for create, read, update, and delete (CRUD) operations on users, identity groups, network devices, and hosts (endpoints) in the internal database.
Monitoring and troubleshooting
Cisco Secure ACS 5.4 includes an integrated monitoring, reporting, and troubleshooting component that is accessible through the web-based GUI. This tool provides visibility into configured policies and into authentication and authorization activity across the network. Logs can be viewed in the GUI and exported for use in other systems such as a SIEM.
Cisco Secure ACS 5.4 can function as a RADIUS or TACACS+ proxy for an external AAA server, forwarding incoming AAA requests from a network access device (NAD) to the external server and returning that server's responses to the NAD that initiated them. Because the proxy shares one secret with the NAD and a different one with the external server, it cannot relay a RADIUS request byte-for-byte: the hidden User-Password must be recovered under the NAD-side secret and re-protected under the server-side secret with the proxy's own Request Authenticator, and the reply's Response Authenticator must be checked against that request before anything is passed back to the NAD.
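The following is an added example, not Cisco code and not part of the original datasheet, covering two points above: the different wire-level protection offered by the two AAA protocols (RFC 2865 RADIUS User-Password hiding versus RFC 8907 TACACS+ whole-body obfuscation) and the re-keying a RADIUS proxy such as ACS must perform when it sits between a NAD and an external server. All secrets, authenticators and packet contents are constructed sample values; the NAD-side and upstream-side secrets and the session identifiers are assumptions for the demonstration.

```python
"""Wire-level protection in RADIUS and TACACS+, and the re-keying a RADIUS proxy must do.
Added example, not Cisco code. Implements RFC 2865 User-Password hiding and the
Response Authenticator check, and RFC 8907 TACACS+ body obfuscation; every secret,
authenticator and packet below is a constructed sample value.
"""
import hashlib
import hmac
import struct

def md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()

def radius_hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-octet blocks; block i is XORed with
    MD5(secret + c_{i-1}), where c_0 is the 16-octet Request Authenticator."""
    if len(req_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], md5(secret, prev)))
        out, prev = out + block, block
    return out

def radius_reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of radius_hide_password; the NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, md5(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def proxy_rekey_password(hidden, nad_secret, nad_req_auth, upstream_secret, proxy_req_auth):
    """A proxy shares one secret with the NAD and another with the upstream server
    and issues its own Request Authenticator, so the hidden User-Password cannot
    be copied through: reveal with the NAD-side key, re-hide with the upstream key."""
    clear = radius_reveal_password(hidden, nad_secret, nad_req_auth)
    return radius_hide_password(clear, upstream_secret, proxy_req_auth)

def radius_response_authenticator(code, ident, attrs, req_auth, secret) -> bytes:
    """RFC 2865 s3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    return md5(struct.pack("!BBH", code, ident, 20 + len(attrs)), req_auth, attrs, secret)

def build_radius_response(code, ident, attrs, req_auth, secret) -> bytes:
    auth = radius_response_authenticator(code, ident, attrs, req_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_radius_response(packet: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Accept a reply only if its authenticator binds it to the request we sent and
    to the shared secret; otherwise it is forged, replayed or misrouted."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = radius_response_authenticator(code, ident, packet[20:], req_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])

def tacacs_obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """RFC 8907 s4.5: XOR the whole body with a pseudo-pad of chained MD5 blocks,
    MD5_1 = MD5(session_id|key|version|seq_no), MD5_n = MD5(same|MD5_{n-1}).
    Symmetric, so the same call reveals. Unlike RADIUS, every field (user,
    command, privilege level) is covered, not only the password."""
    prefix = struct.pack("!I", session_id) + key + struct.pack("!BB", version, seq_no)
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = md5(prefix, prev)
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))

def demo() -> dict:
    """Constructed sample values; real Request Authenticators must be random."""
    nad_secret, upstream_secret = b"nad-side-secret", b"upstream-side-secret"
    nad_auth, proxy_auth = bytes(range(16)), bytes(range(16, 32))
    password = b"Sup3rS3cret!"
    hidden = radius_hide_password(password, nad_secret, nad_auth)
    rekeyed = proxy_rekey_password(hidden, nad_secret, nad_auth, upstream_secret, proxy_auth)
    attrs = b"\x08\x06\x0a\x00\x00\x05"  # Framed-IP-Address = 10.0.0.5
    accept = build_radius_response(2, 7, attrs, proxy_auth, upstream_secret)  # code 2 = Access-Accept
    tampered = accept[:-1] + bytes([accept[-1] ^ 1])
    body = b"\x01\x0f\x01\x01admin show run"  # constructed TACACS+ body bytes
    wire = tacacs_obfuscate(body, 0x12345678, b"tacacs-key", 0xC0, 1)
    return {
        "upstream_sees": radius_reveal_password(rekeyed, upstream_secret, proxy_auth),
        "verbatim_forward_yields": radius_reveal_password(hidden, upstream_secret, proxy_auth),
        "accept_ok": verify_radius_response(accept, proxy_auth, upstream_secret),
        "tampered_ok": verify_radius_response(tampered, proxy_auth, upstream_secret),
        "tacacs_roundtrip": tacacs_obfuscate(wire, 0x12345678, b"tacacs-key", 0xC0, 1) == body,
        "tacacs_plaintext_on_wire": body in wire,
    }

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two practical consequences: a User-Password forwarded without re-keying decodes to garbage at the upstream server (`verbatim_forward_yields`), and a single flipped bit in the returned Access-Accept fails the Response Authenticator check, while the TACACS+ body leaves none of the administrator's username or command visible on the wire. Both protocols still rely on MD5 and a static shared secret, so the transport should be kept on a management network or wrapped in IPsec; the code is an illustration of the protocol mechanics, not a recommendation to build your own AAA stack.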