Today's growing number of network-access methods, which increases the possibility of security breaches and uncontrolled user access, is becoming a top concern across the service provider, enterprise, and commercial market segments. Security challenges exist not only at the perimeter but also inside a network. Identity networking solutions that provide mechanisms to control network access are therefore of high interest to such customers.
Cisco® Secure Access Control Server (ACS) is an industry-leading access control server that provides a comprehensive identity-based networking solution to enterprise customers for network access (wired, wireless, remote access) and device administration. Cisco ACS extends security to users, machines, and device administrators by providing authentication, authorization, and accounting (AAA) services through robust access policies. These policies defining AAA access are managed from a centralized, identity-based networking framework that gives enterprise networks greater flexibility, mobility, and security, resulting in user productivity gains.
The Cisco ACS family of products introduces the new Cisco Secure ACS Express 5.0, which is intended for commercial (fewer than 350 users), retail, and enterprise branch office deployments. The product offers a comprehensive yet simplified feature set, a cutting-edge, user-friendly GUI, and an attractive price point that allows customers to deploy this product in situations where Cisco Secure ACS for Windows or Cisco Secure ACS Solution Engine may not be suitable.
Cisco ACS Express is available as a 1-rack-unit (RU), security-hardened appliance with a preinstalled Cisco Secure ACS Express license. Cisco ACS Express supports a maximum of 50 AAA clients and 350 unique user logons in a 24-hour period.
Table 1 lists the supported features within Cisco Secure ACS Express 5.0.
Table 1. Supported Features

Supported Protocols

RADIUS: Cisco Secure ACS Express conforms to RFC 2138, 2284, 2865, 2866, 2867, and 2869. Cisco Secure ACS Express supports the following:
• Authentication on old and new RADIUS ports
• Vendor-specific attributes (VSAs) from Cisco IOS® Software/PIX® devices, VPN concentrators, Cisco WLAN controllers, Aironet® access points, and other IETF RADIUS-compliant Network Access Servers (NASs)
• The definition of custom VSAs

TACACS+: Cisco Secure ACS Express supports privilege-level authorization and time-of-day (TOD) and day-of-week (DOW) policies for TACACS+ users. Additionally, TACACS+ requests can be authenticated against external databases such as Lightweight Directory Access Protocol (LDAP), Microsoft Active Directory, and OTP servers (RADIUS and RSA native access).

Extensible Authentication Protocol (EAP): Cisco Secure ACS Express supports the following EAP methods with a configurable order of negotiation:
• EAP-TLS
• Protected EAP (PEAP) v0, v1
• EAP-Flexible Authentication through Secure Tunneling (EAP-FAST) v0
• Lightweight EAP (LEAP)
• Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)
Cisco Secure ACS Express supports the use of a local database, an external token server, LDAP, and Active Directory.

Machine authentication: Cisco Secure ACS Express supports Microsoft Windows machine authentication against Active Directory.

Authorization/Policies

Group mapping: Cisco Secure ACS Express supports the mapping of external groups to determine entitlements for a user or machine.

Time based: Cisco Secure ACS Express supports access based on time of day and day of week.

RADIUS response sets: Cisco Secure ACS Express supports returning RADIUS attribute/value pairs in an authentication response based on group mapping and time-based conditions.

Shell privileges: Cisco Secure ACS Express supports the maximum privilege levels for device access.

Machine access restrictions: Cisco Secure ACS Express supports machine access restrictions to mandate machine authentication as a prerequisite for successful user authentication.

RADIUS access services: RADIUS access services allow classification of access requests either on the basis of device membership in a device group or on the basis of RADIUS attributes in the access request, such as network location, protocol, or other RADIUS attributes sent by the device the user is connecting through.

High Availability

Configuration replication: Cisco Secure ACS Express supports high availability between an ACS Express pair. This provides redundancy when one ACS Express server becomes unavailable from a network device's point of view.

Administration

Web based: Administration and configuration of Cisco Secure ACS Express can be done remotely through HTTPS using a Web browser.

CLI: Provides a command-line interface (CLI) to remotely administer the server. Additionally, the CLI provides a mechanism to export configurations that can be modified and imported back to the same Cisco Secure ACS Express or to another Cisco Secure ACS Express in the network.

Administrator access control: Provides two levels of access, administrators and operators, and restricts operators to read-only access to specific pages.

Password policies: Conforms to password policies in the Cisco security baseline. Supports password expiration, forced change, and lockout. The password policy applies to administrator authentication to Cisco Secure ACS Express.

Logging: Supports RADIUS accounting logs, debug logs, and backup of the logs off the machine.

Reporting: Provides usage reports.

Digital Certificate

Certificate generation: Supports addition of new Certificate Authority (CA) certificates and self-signed certificates.

Certificate management: Supports management of the Certificate Revocation List (CRL).

System

Hardware: Cisco Secure ACS Express is offered as a hardened appliance with the software preinstalled for ease of deployment.

License limit: A maximum of 50 AAA clients. A maximum of 350 unique user ID logons to AAA (through TACACS+ or RADIUS). The limit applies daily and is reset at midnight.
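The RADIUS exchange behind the Supported Protocols and RADIUS response sets rows, as an added example that is not part of this data sheet or of Cisco's code: following RFC 2865, a NAS hides the User-Password with the shared secret and Request Authenticator, the server recovers it and answers with an Access-Accept carrying an attribute, and the NAS checks the Response Authenticator before trusting the reply. The shared secret, packet identifier and user table are constructed values; in a real NAS the Request Authenticator comes from a CSPRNG.

```python
import hashlib, hmac, struct

# RADIUS codes and attribute types from RFC 2865, one of the RFCs the data sheet cites.
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6

def attr(atype, value):  # one Type-Length-Value attribute; Length counts the 2 header bytes
    return bytes([atype, len(value) + 2]) + value
def parse_attrs(blob):  # walk the attribute list, refusing a Length that runs off the packet
    out, i = {}, 0
    while i < len(blob):
        alen = blob[i + 1] if i + 1 < len(blob) else 0
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute")
        out[blob[i]], i = blob[i + 2:i + alen], i + alen
    return out

def xor_chain(data, req_auth, secret, data_is_hidden):
    """RFC 2865 s5.2 keystream: MD5(secret + previous hidden block), seeded with the Request Authenticator."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(a ^ k for a, k in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + mixed, (block if data_is_hidden else mixed)
    return out
def hide_password(password, req_auth, secret):  # NAS side
    password += b"\x00" * (-len(password) % 16)  # pad to a 16-byte multiple
    return xor_chain(password, req_auth, secret, data_is_hidden=False)
def reveal_password(hidden, req_auth, secret):  # server side
    return xor_chain(hidden, req_auth, secret, data_is_hidden=True).rstrip(b"\x00")

def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()

def server_handle(request, secret, users):
    """Server side: recover the password, decide, and bind the reply to the request."""
    ident, length = request[1], struct.unpack("!H", request[2:4])[0]
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    ok = users.get(attrs.get(USER_NAME)) == reveal_password(attrs.get(USER_PASSWORD, b""), req_auth, secret)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = attr(SERVICE_TYPE, struct.pack("!I", 2)) if ok else b""  # Service-Type = Framed (2)
    ra = response_authenticator(code, ident, reply_attrs, req_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(reply_attrs)) + ra + reply_attrs

def nas_verify(reply, req_auth, secret):
    """NAS side: accept a reply only if its authenticator matches our request and proves the secret."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    return hmac.compare_digest(response_authenticator(reply[0], reply[1], reply[20:], req_auth, secret), reply[4:20])
```

A reply whose attributes were altered in transit, or one produced without the shared secret, fails nas_verify even though its header looks valid.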
Product Specifications
Cisco Secure ACS Express is available as a 1-rack-unit, security-hardened appliance with a preinstalled Cisco Secure ACS Express license. Table 2 lists the specifications of the Cisco Secure ACS Express appliance.
Table 2. Product Specifications

Processor
Processor (CPU): Intel Celeron D 352
Processors installed: 1
Basic input/output system (BIOS) type: Flash memory

Memory
Memory installed: 1 GB

Hard Disk
Standard hard disk size: 1 x 250 GB
Mean time between failures (MTBF) of hard drives: 1.0 million hours (at 40°C)
Power-on hours: 24 hours/7 days (70 to 80 percent duty cycle)

Optical Storage
DVD-ROM: 1, front accessible (8X DVD read, 24X CD read)

Network Connectivity
Ethernet network interface card (NIC): 2 onboard 10/100/1000
Connector: 2 RJ-45 connectors on back of server

Interfaces
Ethernet: 2
Serial ports: 1
USB 2.0 ports: 3 (1 at front and 2 at back of chassis)
Keyboard port: 1 PS/2
Mouse port: 1 PS/2

Power
Maximum power consumption: 540W (maximum load, power supply rating)
Autoranging AC input: Yes
Policy feature card (PFC): Yes
Input low range: 90 to 127 (nominal) VAC; 47 to 63 Hz
Input high range: 180 to 264 (nominal) VAC; 47 to 63 Hz

Environmental
Air temperature, server on: 50 to 95°F (10 to 35°C)
Air temperature, server off: -104 to 158°F (-40 to 70°C)
Humidity (server off): 95 percent, noncondensing at +30°C
Cooling system: 3 fans installed (two are in the power supply); 2 blowers installed

Dimensions
Form factor: 1-rack-mount unit
Rack-mounting: 2-post and 4-post rack-mounting options available
Weight: 15.0 lb (6.8 kg), base chassis
Height: 1.7 in. (43 mm)
Width: 16.9 in. (429 mm)
Depth: 20.0 in. (508 mm) without bezel or mounting hardware
Availability
Cisco Secure ACS Express 5.0 will be orderable beginning October 12, 2007. Customers interested in purchasing this product can place orders through their normal sales channels.
Table 3. Ordering Information for Cisco Secure ACS
Product name: Cisco Secure Access Control Server Express 5.0
Part number: CSACS-5.0-EXP-K9
Service and Support
Cisco offers a wide range of services programs to accelerate customer success. These innovative programs are delivered through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco services help you to protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco services, see Cisco Technical Support Services.
For More Information
For more information about the Cisco Secure ACS product family, including the user guide and release notes, please visit http://www.cisco.com/go/acs.
For information about Cisco Secure Access Control Server Express, please visit http://www.cisco.com/go/acsexp, contact your local account representative, or send an e-mail to the product marketing group at acs-mkt@cisco.com.