Cisco ACS server
Q. What is Cisco Secure Access Control Server (ACS)?
A. Cisco Secure ACS is a highly scalable, high-performance access control server that operates as a centralized RADIUS or TACACS+ server system and controls the authentication, authorization, and accounting (AAA) of users who access corporate resources through a network. Cisco Secure ACS allows you to control user access to the network, authorize different types of network services for users or groups of users, and keep a record of all network user actions. Cisco Secure ACS supports access control and accounting for dialup access servers, cable and DSL broadband solutions, firewalls, VPNs, voice-over-IP (VoIP) solutions, storage, and switched and wireless LANs. In addition, network managers can use the same AAA framework to manage (through TACACS+) administrative roles and groups and control how they change, access, and configure the network internally. Cisco Secure ACS for Windows runs on Windows 2003.
Q. Why do I need Cisco Secure ACS?
A. Changing network dynamics and increased security threats have created new demands in access control management. As AAA becomes more available throughout the network through new technologies such as IEEE 802.1x and the requirements to control user access expand, new trends emerge that require identity networking to be pervasive throughout the network. Cisco Secure ACS extends access security by combining authentication, user and administrator access, and policy control from a centralized identity networking solution. This allows greater flexibility and mobility, increased security, and user productivity gains.
Q. Is Cisco Secure ACS a software or a hardware product?
A. Cisco Secure ACS is offered as Cisco Secure ACS for Windows – software for installation on Windows servers, and as the Cisco Secure ACS Solution Engine – a 1-rack-unit (1RU) appliance with a preinstalled Cisco Secure ACS license.
Q. What is the difference between Cisco Secure ACS for Windows and Cisco Secure ACS Solution Engine?
A. Cisco Secure ACS Solution Engine provides the same features and functions as Cisco Secure ACS for Windows in a dedicated, security-hardened, application-specific appliance package along with additional features specific to the operation and management of Cisco Secure ACS Solution Engine. For more information, refer to the Cisco Secure ACS Solution Engine Q&A.
Q. Should I purchase Cisco Secure ACS for Windows or Cisco Secure ACS Solution Engine?
A. Cisco Secure ACS for Windows is suitable for customers who prefer to control their operating environment (this may include the type of hardware servers, OS, and installed services). In many cases, where security operations and server/OS operations are different departments in an IT organization, having the security solution in a dedicated appliance simplifies management. In addition, the appliance solution provides benefits such as enhanced security, one-stop support, and a “plug-and-play” solution.
Q. What network access gateways does Cisco Secure ACS support?
A. Cisco Secure ACS supports a broad set of networking access products, including all Cisco IOS® routers, VPN access products, VoIP solutions, cable broadband access, content networks, wireless solutions, storage networks, and 802.1x-enabled Cisco Catalyst® switches. As a fully standards-compliant RADIUS and TACACS+ server, Cisco Secure ACS also works with a range of third-party access- and device-management consoles that support either RADIUS or TACACS+.
Q. What are the new features in Cisco Secure ACS 4.2?
A. Cisco Secure ACS 4.2 adds the following features:
• Extensible Authentication Protocol (EAP) options:
- EAP-Flexible Authentication via Secure Tunneling (FAST) enhancement for anonymous Transport Layer Security (TLS) renegotiation: ACS allows an anonymous TLS handshake between the end-user client and ACS.
- EAP-FAST enhancement for invalid Protected Access Credentials (PAC): ACS provides an option to run EAP-FAST without issuing or accepting any tunnel or machine PAC when an invalid PAC is received.
- EAP-TLS with no PAC and no Active Directory processing: ACS supports EAP-FAST tunnel establishment without PAC and without client certificate lookup.
• Group filtering at the Network Access Profile (NAP) level when using Lightweight Directory Access Protocol (LDAP): When using LDAP to query an external user data store, ACS capabilities have been extended to allow group filtering at the NAP level. Depending on the user’s external database group membership, ACS can either reject or accept access to the network based on the group filtering settings.
• RSA authentication with LDAP group mapping: ACS can authenticate with RSA and at the same time perform group mapping with LDAP. This option allows ACS to control authorization based on a user’s LDAP group membership.
• Active Directory multiforest support: ACS supports authentication in a multiforest environment.
• Time-based restrictions: ACS administrators may configure a user to be in an alternative group for a restricted period of time.
• Relational database management system (RDBMS) synchronization enhancements: ACS has programmatic interface additions for downloadable ACL synchronization. ACS for Windows also now supports comma-separated value (CSV)-based RDBMS synchronization.
• NetBIOS disabling: ACS for Windows allows NetBIOS to be disabled on the server it is running on.
Q. What support does Cisco Secure ACS provide for LDAP?
A. Cisco Secure ACS supports user authentication against records kept in a directory server through LDAP. Cisco Secure ACS supports the most popular directory servers, including Novell and Sun LDAP servers, through a generic LDAP interface. Password Authentication Protocol passwords can be used when authenticating against the directory server.
Q. Does Cisco Secure ACS support One-Time Password (OTP) and token systems such as RSA SecurID tokens?
A. Yes. Cisco Secure ACS can be configured to communicate with token solutions from ActivCard, Cryptocard, PassGo Technologies, RSA Data Security, Secure Computing, and Vasco. Cisco Secure ACS includes a generic RADIUS interface for expanding OTP coverage to new vendors. Any OTP vendor that provides an RFC-compliant RADIUS interface should work with Cisco Secure ACS. The token authentication server can be installed on any operating system – Windows NT, NetWare, or UNIX.
Q. What ports and protocols does Cisco Secure ACS use?
A. Cisco Secure ACS uses TCP and User Datagram Protocol (UDP) ports.
Q. What should be the security context of a Cisco Secure ACS server running on a member server to help ensure proper Windows authentication to a domain controller?
A. The security context is defined by the local service account. See the Cisco Secure ACS installation guide for guidelines on setting the requisite privileges for running Cisco Secure ACS on a member server and performing Windows authentication.
Q. Can Cisco Secure ACS service TACACS+ and RADIUS requests at the same time?
A. Yes.
Q. How are user passwords stored in Cisco Secure ACS?
A. For users who are authenticated by using the ACS internal database, ACS stores user passwords in a database that is protected by an administration password and encrypted with AES-128. For users who are authenticated with external user databases, ACS does not store passwords in the ACS internal database.
Q. Does Cisco Secure ACS support forced password change based on password age and other criteria?
A. Password aging is available for users in the ACS internal database and users in a Microsoft Windows Active Directory database.
Q. Does Cisco Secure ACS for Windows have to be installed only on a Microsoft Windows domain controller?
A. No. Cisco Secure ACS can be installed on a Windows 2000/2003 server that is not a domain controller. It can still be configured to authenticate Windows users against a Windows database such as Microsoft Windows Active Directory.
Q. What is the licensing for Cisco Secure ACS 4.2?
A. The Cisco Secure ACS product is licensed per server, with unlimited ports, users, and network access servers. For available part numbers and descriptions, refer to the Cisco Secure ACS 4.2 product bulletin at http://www.cisco.com/go/acs.
Q. How scalable is a Cisco Secure ACS solution?
A. Although many customers perceive that high-scale access servers need to run on UNIX platforms, this is not the case with Cisco Secure ACS. Cisco Secure ACS guidelines and performance analysis show that each copy of Cisco Secure ACS for Windows can support from 10,000 to 300,000 users per server and in excess of 35,000 devices, depending on configuration, platform, and use scenarios. The primary challenge in scaling a user access control framework is on the back end. Cisco has deployed clustered Cisco Secure ACS for Windows 2003 installations, linked to a high-performance back-end database such as Oracle or Sybase, for customers with hundreds of thousands of user records.
Q. Is there any limit on the number of user domains a single copy of Cisco Secure ACS can handle?
A. No. There is no hardware limitation on the number of user domains a copy of Cisco Secure ACS can handle.
Q. What patches are tested with Cisco Secure ACS for Windows?
A. Cisco officially supports and encourages the installation of all Microsoft security patches for Windows 2000 Server and Windows Server 2003 as used for Cisco Secure ACS for Windows. Our experience has shown that these patches do not cause any problems with the operation of Cisco Secure ACS for Windows. If the installation of one of these security patches does cause a problem with Cisco Secure ACS, please contact the Cisco Technical Assistance Center (TAC), and Cisco will provide full support for the resolution of the problem as quickly as possible.
Q. In a large distributed environment with several hundred user domains, what is the best Cisco Secure ACS deployment practice to avoid authentication timeouts?
A. The main factor that can affect authentication timeout is where a Cisco Secure ACS server is located with respect to where the users reside (that is, the location of the domain controllers). Increasing your AAA client timeouts at the device level is one option for tolerating longer responses from Cisco Secure ACS. If this is not feasible, other options include providing domain names during authentication or locating the Cisco Secure ACS closer to the user domains.
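As an added example (not from the original FAQ or from Cisco's documentation), the following Cisco IOS AAA client configuration applies the device-level timeout option described above: the TACACS+ and RADIUS timeouts are raised from the IOS default of 5 seconds, and local authentication is kept as a fallback so that a slow or unreachable ACS does not lock administrators out. The server addresses, shared secrets and local account are placeholders.

```cisco
! Added example: IOS AAA client pointing at two Cisco Secure ACS servers.
! Addresses, shared secrets and the local account are placeholders.
aaa new-model
!
! Default IOS behaviour (timeout 5 seconds per server) is what produces
! timeouts when ACS must reach a distant domain controller:
!   tacacs-server host 192.0.2.10 key <shared-secret-placeholder>
!
! Adjusted: allow 10 seconds per server before trying the next one.
tacacs-server host 192.0.2.10 timeout 10 key <shared-secret-placeholder>
tacacs-server host 192.0.2.11 timeout 10 key <shared-secret-placeholder>
tacacs-server timeout 10
!
! RADIUS (for example for 802.1x): raise the timeout, limit retransmits,
! and mark an unresponsive ACS dead for 10 minutes so clients skip it.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 timeout 10 retransmit 2 key <shared-secret-placeholder>
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 timeout 10 retransmit 2 key <shared-secret-placeholder>
radius-server deadtime 10
!
! Keep "local" as the last method so device administration still works
! if every ACS server times out; accounting records the sessions on ACS.
aaa authentication login default group tacacs+ local
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
!
! Requests must originate from the address configured on ACS as the AAA client.
ip tacacs source-interface Loopback0
ip radius source-interface Loopback0
!
! Local fallback account, used only when ACS is unreachable.
username admin-fallback privilege 15 secret <local-password-placeholder>
```

The per-host timeout overrides the global `tacacs-server timeout`; both are shown so the effect is visible whichever form a device already uses.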
This entry was posted by Johnny on 05/28/2009 at 12:07 AM, and is filed under CCNA Training.