Cisco Secure ACS is a scalable, high-performance Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (TACACS+) security server. It is the centralized control point for managing network users, network administrators, and network infrastructure resources. ACS provides a comprehensive identity-based network-access control solution, extending network-access security by combining traditional authentication, authorization, and accounting (AAA) with policy control.
ACS supports a broad variety of Cisco and other network-access devices (NADs), also known as AAA clients:
Wired and wireless LAN switches and access points
Edge and core routers
Dialup and broadband terminators
Content and storage devices
Voice over IP (VoIP)
Virtual private networks (VPNs)
The Cisco Secure ACS 4.1 release provides the following features:
Improved Compliance Support
This release adds ACS administrator permissions that improve password management and audit reporting for regulatory compliance:
Forcing periodic changes of administrator passwords
Applying a password structure (complexity) policy
Forcing a password change on an administrator account that has been inactive
Preventing password reuse (password history)
Disabling administrator accounts after a period of inactivity
Disabling administrator accounts after repeated failed logins
Allowing ACS administrators to change their own passwords
Audit and Reporting:
Logging all administrative actions via syslog, in addition to the existing logging targets.
Restricting administrators' access to log configuration so that specific audit logging cannot be disabled.
Adding new reports on administrator privileges
Providing a read-only privilege for users and groups
External database support for MAC Authentication Bypass
The ability to maintain MAC address lists in an external LDAP server and to map MAC addresses to user groups.
Improved diagnostics and error messages
Improved diagnostic information about certificate mismatches with HCAP and GAME servers has been added to this release. The raw dump of GAME and HCAP messages is now in a readable format, and the authentication failure codes are more intuitive.
PEAP with EAP-TLS as the inner method
This release adds the authenticator side of PEAP with EAP-TLS as the inner method. ACS can authenticate clients with PEAP by using EAP-TLS as the phase-two inner method, so certificate-based authentication takes place inside the TLS tunnel and the client's identity information is encrypted rather than sent in the clear.
Logging and Reporting Extensions
New internal logging mechanisms have been added to this release to provide consistent log levels and improved performance. Syslog is supported, so ACS messages can be sent to remote servers that implement the syslog standard.
Multiple concurrent logging destinations
Log data may be sent to multiple destinations simultaneously.
Enhanced remote agent support for logging
Reports that earlier versions provided only locally can now be exposed externally, for example by sending audit reports to a remote agent on the appliance.
RADIUS AES Key Wrap Functionality
This feature supports a secure, certified mode of operation, notably in a Federal Information Processing Standard (FIPS)-compliant wireless solution. RADIUS key wrap support with EAP-TLS authentication in ACS is another step towards satisfying the security requirements of Cisco's practical, deployable, and interoperable secure solutions. AES key wrap replaces the MD5-based hiding of keys in RADIUS attributes.
Cisco NAC support
ACS 4.1 acts as the policy decision point in NAC deployments. Using configurable policies, it evaluates and validates the credentials it receives from the Cisco Trust Agent (posture), determines the state of the host, and sends a per-user authorization to the network-access device: an ACL, a policy-based access control list, or a private VLAN assignment.
Extended replication components
Replication has been extended in this release. Administrators can now also replicate:
Posture validation settings
Additional logging attributes
Audit support for MAC Authentication Bypass
Audit processing has been enhanced to include MAC Authentication Bypass (MAB). With MAB, an audit request is checked against both a MAC authentication policy and an audit policy, and the two evaluations are combined.
Audit Verification of MAC Exceptions
MAC exceptions can now be applied to NAC audit requests, making dual verification of endpoints possible.
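As an added example for the external MAC list and the MAC exception features above (not ACS code; the Directory map stands in for the external LDAP MAC list, and consulting the exception list before the directory is an assumption of this model), the Go program below normalizes the MAC formats a NAD may send in Calling-Station-Id or User-Name before looking the address up, which is where MAB deployments most often fail: the LDAP list and the RADIUS attribute must agree on one canonical form. A MAC address identifies a device but does not authenticate it, since it is trivially spoofed, which is why the audit policy is combined with the MAC policy rather than replaced by it.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Illustrative model of a MAB lookup, not ACS code. Directory stands in for the
// external LDAP MAC list; Exceptions is consulted first (an assumption of this model).
type MABPolicy struct {
	Directory  map[string]string // normalized MAC -> group
	Exceptions map[string]string // normalized MAC -> group, wins over Directory
}

// Decision records which group was assigned and which list produced it.
type Decision struct {
	Group  string
	Source string // "exception" or "directory"
}

var hex12 = regexp.MustCompile(`^[0-9a-f]{12}$`)

// normalizeMAC accepts aabb.ccdd.eeff, AA:BB:CC:DD:EE:FF, aa-bb-cc-dd-ee-ff or AABBCCDDEEFF
// and returns 12 lowercase hex digits, the form the LDAP list must also use.
// Group (multicast/broadcast) addresses are rejected: no endpoint owns one.
func normalizeMAC(s string) (string, error) {
	h := strings.NewReplacer(":", "", "-", "", ".", "", " ", "").Replace(strings.ToLower(strings.TrimSpace(s)))
	if !hex12.MatchString(h) {
		return "", fmt.Errorf("not a MAC address: %q", s)
	}
	first, _ := hex.DecodeString(h[:2]) // cannot fail: the regexp already validated the digits
	if first[0]&0x01 != 0 {
		return "", fmt.Errorf("group address, not an endpoint: %s", h)
	}
	return h, nil
}

// Evaluate maps a raw MAC string to a group. Unknown MACs return an error so the caller
// falls through to its audit or default policy instead of granting access.
func (p MABPolicy) Evaluate(raw string) (Decision, error) {
	mac, err := normalizeMAC(raw)
	if err != nil {
		return Decision{}, err
	}
	if g, ok := p.Exceptions[mac]; ok {
		return Decision{Group: g, Source: "exception"}, nil
	}
	if g, ok := p.Directory[mac]; ok {
		return Decision{Group: g, Source: "directory"}, nil
	}
	return Decision{}, errors.New("MAC not in any list: " + mac)
}

// examplePolicy returns constructed sample data standing in for the LDAP list.
func examplePolicy() MABPolicy {
	return MABPolicy{
		Directory:  map[string]string{"0011223344ab": "printers", "0011223344cd": "printers"},
		Exceptions: map[string]string{"0011223344cd": "quarantine"},
	}
}

func main() {
	p := examplePolicy()
	for _, raw := range []string{"00-11-22-33-44-AB", "0011.2233.44cd", "01:00:5e:00:00:01", "0011.2233.44ff", "bogus"} {
		d, err := p.Evaluate(raw)
		fmt.Printf("%-20s -> %+v err=%v\n", raw, d, err)
	}
}
```

The sample shows the three outcomes a practitioner has to handle: a directory hit, an exception overriding a directory entry, and the rejections (a multicast address, an unknown address, malformed input) that must not silently become an allow.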
Japanese Microsoft Windows Support
Support for the Japanese version of Microsoft Windows 2003, at the service pack level, is now available. Only ACS for Windows supports the Japanese version of Windows 2003; the ACS Solution Engine does not support the Japanese OS.