Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7475
Views
8
Helpful
1
Replies

ACS vs ISE

m-mneimneh
Level 1
Level 1

‎04-05-2012 01:12 PM - edited ‎03-10-2019 06:58 PM

Hi experts,

I'm looking into a network access control solution, and I have the following questions:

1- My understanding is that ACS assigns unauthorized assets to a guest vlan/zone, but what happens next if access to resources (such as internet) requires authentication? In other words, does an ACS-only solution imply manual guest access provisioning, as opposed to automatic provisioning with an overlay NAC Guest server?

2- Captive portal vs. Webauth: My understanding is that ACS alone does not provide a captive portal for guests. It only provides a webauth feature that is mainly a fallback authentication mechanism for employees/managed assets, not guests/unmanaged assets. Is this correct?

3- Finally, the Trustsec v2.00 document (http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf) mentions “Cisco TrustSec 2.0 adds support for Wireless user access. With Cisco TrustSec 2.0, Cisco ISE provides the same authentication methods regardless of user access methods, which could be from wired line or Wi-Fi connection”. Does this mean that ACS has limitations to support wireless connections?

Thank you,

-Mohamad.

Labels:
0 Helpful
1 Reply 1

Nicolas Darchis
Cisco Employee
Cisco Employee

‎04-06-2012 10:23 AM

1. Wrong understanding. ACS does what you tell it to do. It can assign a guest vlan to unknown assets or assign whatever else you like.

What do you mean with an internet access requiring authentication ? If you think about a guest portal, i.e. a web page asking to enter credentials, then ACS doesn't do that, so you have to couple ACS with a Guest Server. That's a bit of a pity because the Guest Server is not a product that will evolve. ISE just do everything in 1.

2. ACS is not a captive portal correct. When you say "it provides a webauth feature that is fallback", it's wrong. ACS doesn't provide anything like that. The switches implement web authentication (or the wireless controllers) and ACS can authenticate the people using that, but ACS is just a radius server saying "yes/no" and giving privileges.

3.ACS has no limitations to support wireless in particular. What the paper says is that ISE provides a captive portal that will be the same for wired or wireless users.

Remember that with ACS, you need to use the captive portal of the switch and WLC or a nac guest server. So not unified.

Customers Also Viewed These Support Documents