ASK THE EXPERT-IDENTITY AND ACCESS CONTROL USING CISCO SECURE ACS 5.0

Jan 5th, 2009

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to use Cisco Secure Access Control Security for AAA and policy management with Cisco expert Jeff Hillendahl. Jeff is a technical marketing engineer in the policy management business unit (PMBU) at Cisco, and has supported the Cisco secure access control server (ACS) product line for six years. He has worked for Cisco for eleven years, starting out in the technical assistance center (TAC), focusing on security products.

Remember to use the rating system to let Jeff know if you have received an adequate response.


Jeff might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through January 16, 2009. Visit this forum often to view responses to your questions and the questions of other community members.

beth-martin Mon, 01/05/2009 - 11:18

When will ACS 5.0 be available?

danmassa Mon, 01/05/2009 - 11:30

Yes, I also need availability information. We are a reseller and we have a 4.2 deal soon to be in the pipeline. I'm interested in the Windows version.


Also, what will the officially supported operating systems be? Will running CSACS 5.x in a virtual machine be a supported configuration as long as the guest OS is one of the supported operating systems?

Microsoft has a 2008 Server web edition. Is that a supported OS?


Thanks.


jhillend Mon, 01/05/2009 - 11:55

Appliance:

Orderability: 23rd December, 2008

FCS: 7th January, 2009


Software:

Orderability: 7th January, 2009

FCS: 16th January, 2009


The software version is supported on VMware ESX 3.5. Both the appliance and software versions run on a Cisco build of Linux and come as a pre-installed package. There is no Windows version.

jhillend Mon, 01/05/2009 - 11:52

Appliance:

Orderability: 23rd December, 2008

FCS: 7th January, 2009


Software:

Orderability: 7th January, 2009

FCS: 16th January, 2009



jhillend Mon, 01/05/2009 - 13:34

Not sure if this got properly tagged...


Appliance:

Orderability: 23rd December, 2008

FCS: 7th January, 2009


Software:

Orderability: 7th January, 2009

FCS: 16th January, 2009

danmassa Mon, 01/05/2009 - 11:58

If I'm reading the documentation for the 5.0 Express appliance correctly, 5.0 can talk to a Windows AD domain directly without an agent installed on a separate workstation. Will this be the case with the non-Express 5.0 appliance? Are there any caveats I wouldn't expect after using the Windows version for many years?


Thanks.

jhillend Mon, 01/05/2009 - 12:19

ACS 5.0 uses the same AD interface that ACS Express 5.0 uses. There are no limitations with regards to its use other than what is described in the user guide.

danmassa Mon, 01/05/2009 - 12:21

What are the supported Windows operating systems, including service packs?


Thanks.

jhillend Mon, 01/05/2009 - 12:24

For ACS 5.0? None. ACS 5.0 is pre-installed with a Cisco build of Linux. There is no Windows support for ACS 5.0.

danmassa Mon, 01/05/2009 - 12:28

In one of your previous posts, you gave FCS dates for the appliance and the software. What software were you referring to if not 5.0 that runs on a customer-supplied copy of Windows?

jhillend Mon, 01/05/2009 - 13:14

It's the same ACS/Linux installation for use on VMware ESX 3.5. It is virtually the same installation package that runs on the appliance.

cisco24x7 Mon, 01/05/2009 - 12:36

Does ACS 5.0 have a 90-day eval ISO that one can install on ESX 3.5? Thanks.


jhillend Mon, 01/05/2009 - 14:13

One is in the works. We expect to have it available in the very near future. Please refer to www.cisco.com/go/acs for availability.

Gustavo Novais Mon, 01/05/2009 - 12:37

Hello,


I've been reading the release notes for ACS 5.0 and its list of unsupported features seems a bit... excessive.

What do the RN mean by not supporting "Complete TACACS+ support for device administration (password change, and so on)"? Is it only password change?

Not supporting RADIUS proxy also seems like the lack of a quite standardized feature.

My question is:

Are the "not supported" features on the roadmap, or shouldn't we count on them for any near- or mid-term future?


Other than that the Policy Engine does seem to be quite an interesting feature.


Thanks and have a happy new year!

jhillend Mon, 01/05/2009 - 13:38

Cisco Secure ACS 5.0 is the initial release of Cisco's next-generation network identity and access solution and is suitable for many deployments today that require support for device administration and wireless and wired 802.1x scenarios. In time, ACS 5.x will incorporate other key 4.x features to allow the broader customer base to upgrade to the next-generation ACS platform.

danmassa Tue, 01/06/2009 - 06:37

When will marketing/sales materials be posted?

clausonna Tue, 01/06/2009 - 10:42

How (and more importantly when?) will ACS 5.0 integrate with the NAC Clean Access servers? Are there any new hooks/features between ACS 5.0 and CCA 4.5?

mathias@handsche.de Wed, 01/07/2009 - 04:25

Hi,

the product bulletin for ACS 5.0 talks about an ACS 5.0 Deployment Guide but I can't find it on CCO. Are there any sizing guides and hardware requirements for the VMware version available?


Regards


Mathias

mathias@handsche.de Wed, 01/07/2009 - 06:06

Hi,

when will the CSACS-5.0-IENVM-K9 be available in the Global Price List? I can't see it in the price list from 7 Jan.


Regards


Mathias

jhillend Wed, 01/07/2009 - 09:00

Only the appliance version of ACS 5.0 is currently available. The VM version will be available later this month.

jhillend Wed, 01/07/2009 - 08:59

The VM version of ACS 5.0 has not yet been released. When it is available we will also have an installation guide that will provide that information.

jhillend Tue, 01/13/2009 - 13:13

The ACS 5.0 deployment guide should be available shortly.

danmassa Wed, 01/07/2009 - 09:09

Is the CSACS 5.0 EXPRESS the same product as the non-EXPRESS version except it is handicapped in the following ways...


--Limit of 50 AAA clients

--Limit of 350 unique logins per day

--No VMWare version

--No Advanced Monitoring and Reporting add-on license available


Did I miss anything? Is my initial assumption correct that it is the same software on both platforms?


Thanks.

jhillend Wed, 01/07/2009 - 10:23

Cisco Secure ACS 5.0 and Cisco Secure ACS Express 5.0 are two different products. Though they share some common components, their databases and configuration structures are completely different and are not compatible.

b.hsu Thu, 01/08/2009 - 08:38

Can I upgrade from ACS 4.2 to ACS 5.0?

jhillend Thu, 01/08/2009 - 11:28

Please check out the following Q&A to first determine whether ACS 5.0 is right for you:

http://cisco.com/en/US/prod/collateral/netmgtsw/ps5698/ps6767/ps9911/ps9915/qa_c67-504496.html


Note that ACS 5.0 does not have full feature parity with ACS 4.2 at this time. Also, the eval version is not quite ready yet. I expect it to be available soon, though.

jhillend Thu, 01/08/2009 - 11:29

One note that I forgot, moving to ACS 5.0 is a migration, not an upgrade, due to the new ACS 5.0 paradigm.

rtuttle Fri, 01/09/2009 - 08:53

Good day,

We just purchased two of the ACS 4.2 appliances in November. I see there is a migration, not an upgrade, to 5.0, but is this a covered upgrade with SAS? Or is this going to be a major release where we would have to pay?

Should I worry that the 4.2 stuff will start to go by the wayside and concentrate on the new architecture?

jhillend Fri, 01/09/2009 - 10:20

Please refer to the Q&A located at:

http://cisco.com/en/US/products/ps9911/prod_qandas_list.html


The short answer is no, ACS 4.2 will continue to be supported until such time as ACS 5.x has full feature parity with ACS 4.2.


As for migrating from ACS 4.2 to ACS 5.0, this is a major upgrade that requires ACS 5.0 to be purchased. SAS will not cover the migration. However, we expect there will be incentives for migrating from ACS 4.2 to ACS 5.0.

b.speltz Tue, 01/13/2009 - 07:29

Will ACS View 4.0 work with ACS 5.0?

jhillend Tue, 01/13/2009 - 12:12

No, but ACS 5.0 will have some of View's capabilities in the base license and an extended reporting and monitoring license gives an ACS 5.0 server the full View capabilities.

mlenco Tue, 01/13/2009 - 13:02

When configuring AAA on a Cisco ACE module using the administration guide, I end up successfully logging into the ACE from ssh but I then lock everyone else out of every other router. Per the guide instructions, under TACACS+ I check shell and custom attributes and enter shell:Admin*Admin default-domain. I also check Default (Undefined) Services option under Checking this Option Will Permit all Unknown services. I backed out now leaving the ACE without AAA. How do I get AAA on the ACE module IOS 2.2 without locking out everyone else on every other router?

jhillend Tue, 01/13/2009 - 13:21

What is the general configuration on your other devices? Is AAA/TACACS+ configured on these as well? Are you doing both authentication and authorization?


Are you able to access the other devices via the console port? If so, have you run debugs on one of the other devices with the above configuration?


I suspect the custom attribute shell:Admin*Admin default-domain is what is wreaking havoc with your other network devices. However, knowing the configuration on the other devices would help.


mlenco Tue, 01/13/2009 - 17:15

I am doing authentication only on 3825, 3845, 4500, 6500, 7200, 3750 and 3550 in general.


I can telnet and ssh into any box, I just can't enter enable mode or configuration mode.



jhillend Wed, 01/14/2009 - 14:30

If the other devices do not have the following configured:

aaa authorization ...

I don't know why they would react to any authorization configuration on ACS. Do you see any errors on the non-ACE devices when ACS is configured for the ACE?
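To make the point in this exchange concrete, here is an added IOS AAA configuration example; it is not from the thread, from Cisco documentation, or from the poster's own devices, and the server address, shared key and local account are constructed placeholders (the ACE module's own AAA syntax differs and is not shown). It contrasts the authentication-only setup the other routers run, where no TACACS+ authorization request is ever sent and ACS shell attributes therefore cannot affect the device, with an exec-authorization setup that keeps a local fallback so a mistaken ACS policy cannot lock administrators out.

```cisco
! Added example (not from the thread). 192.0.2.10, the shared key and
! the "localadmin" account are constructed placeholders.
aaa new-model
!
! TACACS+ server that the router queries (placeholder address and key)
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLE-SHARED-KEY
!
! Local fallback account, used only when the TACACS+ server is unreachable
username localadmin privilege 15 secret EXAMPLE-LOCAL-PASSWORD
!
! --- Authentication only (what the non-ACE routers in the thread run) ---
! Login and enable requests go to TACACS+, then fall back to local/enable.
! With no "aaa authorization" line, the router never sends a TACACS+
! authorization request, so shell attributes defined on ACS are never
! consulted and cannot change its behaviour.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! --- Optional: exec authorization with a safe fallback ---
! Only with this line does the router ask ACS for shell (exec) attributes.
! "if-authenticated" admits an already-authenticated user when the server
! does not answer, and "local" covers the fallback account above.
aaa authorization exec default group tacacs+ if-authenticated local
!
! Keep the console exempt from remote authorization so an ACS policy
! mistake can never lock out on-site access.
aaa authorization exec CONSOLE none
line con 0
 login authentication default
 authorization exec CONSOLE
!
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
```

Two things follow from this layout. First, the symptom "I can log in but cannot enter enable mode" on an authentication-only router is governed by `aaa authentication enable`, which asks the TACACS+ server to authenticate the enable request, so the ACS-side enable settings for that user or group are what to check there, not the shell custom attributes. Second, before adding any `aaa authorization` line on a production device, keep a console session open and confirm the fallback works by temporarily blocking the TACACS+ server, so that a policy mistake on ACS degrades to local login instead of a lockout.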
