Q. Why doesn't Cisco Secure ACS 5.2 support all the features available in Cisco Secure ACS 4.2? Why have many important features of ACS 4.2 been dropped in Cisco Secure ACS 5.x releases?
A. Cisco Secure ACS 5.2 is a new product and has a completely redesigned, interactive, and simple-to-use GUI. Although the version number may imply otherwise, Cisco Secure ACS 5.2 has not been built upon earlier versions of Cisco Secure ACS. Most of the features supported in Cisco Secure ACS 4.2 are also supported in Cisco Secure ACS 5.2, including integrated monitoring, reporting, and troubleshooting capabilities, which required a separate ACS View product in ACS 4.x releases.
Some features in Cisco Secure ACS 4.2 have not been carried over into Cisco Secure ACS 5.2 due to resource constraints. A complete list of features can be found at http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/migration/guide/Appendix_C_Feature_Compare.html.
Q. Does Cisco Secure ACS 5.2 support any ODBC databases as an external user identity store?
A. No. This functionality is not available in Cisco Secure ACS 5.2.
Q. Are there any plans to add this functionality to future releases of Cisco Secure ACS?
A. There are no plans to add this support.
Q. If a current customer is using an external ODBC database as an identity store, what are their options after migrating to Cisco Secure ACS 5.2?
A. We recommend that the customer use the bulk import feature to upload user files in CSV format from the existing RDBMS database. For more information on bulk import, visit http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/sdk/cli_imp_exp.html.
Q. Are tools available to export user data from an existing ODBC database to Cisco Secure ACS?
A. Creating the CSV files is a straightforward process. You can download the template for the CSV file from Cisco Secure ACS and use that to create the file for bulk import. To download the template, visit http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/sdk/cli_imp_exp.html#wp1064565.
Q. Are there any other mechanisms for adding a user from the external database to Cisco Secure ACS?
A. Cisco Secure ACS 5.3 will support the REST API to create, update, and delete users and identity groups. This API can be used to write a client application program that will read the objects from the existing database and import them into Cisco Secure ACS via the APIs.
Q. Does Cisco Secure ACS 5.2 support RDBMS sync functionality?
A. No. Cisco Secure ACS 5.2 does not support RDBMS sync.
Q. Are there plans to add RDBMS sync to future releases of Cisco Secure ACS?
A. There are no plans to add this support.
Q. For customers using RDBMS sync, what are their options after migrating to Cisco Secure ACS 5.2?
A. Cisco Secure ACS 5.2 has bulk import/export capabilities that allow for creating, updating, and deleting ACS objects. For more information on bulk import, visit http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/sdk/cli_imp_exp.html.
Q. Which objects are supported in Cisco Secure ACS 5.2 for bulk import/export?
A. Cisco Secure ACS 5.2 supports the following objects for import/export:
• Users
• Hosts
• Network devices
• Identity groups
• Network device groups (NDGs)
• Downloadable access control lists (ACLs)
• Command sets
For more information, refer to: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/sdk/cli_imp_exp.html#wp1065919.
Q. Are there any other mechanisms for performing CRUD operations on Cisco Secure ACS objects?
A. Cisco Secure ACS 5.3 will support the REST API to create, update, and delete users and identity groups. This web services API only supports user object and identity groups in Cisco Secure ACS 5.3.
Q. There are other features in Cisco Secure ACS 4.2 that are not supported in Cisco Secure ACS 5.2. When will those features be available in a future software patch or release?
A. Most of those features will be supported in Cisco Secure ACS 5.3, which is targeted for release in October 2011. They include:
• Programmatic interface for user CRUD operations
• TACACS+ attributes substitution
• Maximum concurrent sessions per user and/or group
• Ability to set the users' password type (ability to get password for internal user from external identity store)
• Ability to disable user accounts upon failed attempts and expiration (by a certain date or number of days)
• Ability to check the next ID store if access to an external ID store fails
• TACACS+ Proxy
• Wildcards for host MAC addresses
• Use of IP address ranges while adding network devices
• Ability to look up devices by IP address
• TACACS+ authentication with CHAP/MSCHAP
• Ability to compare values of two different user attributes in identity/authorization polices
• Dial-in attribute support
• Ability to display RSA node missing secret
• Improved integration with Centrify Active Directory interface
• PEAP-TLS protocol support
• Recovery of logs after reconnection to local servers
Q. Unlike Cisco Secure ACS 4.2, ACS 5.2 does not support integration with CiscoWorks Common Services (for Cisco Security Manager/CiscoWorks LAN Management Solution [LMS]). Will this feature be supported in a future Secure ACS release? If not, what options are available for customers using Cisco Security Manager/CiscoWorks LMS integration for role-based access control (RBAC), after migrating to Cisco Secure ACS 5.2?
A. Integration with CiscoWorks Common Services is not planned for a feature release of Cisco Secure ACS. Customers using Cisco Secure ACS with Cisco Security Manager/CiscoWorks LMS for RBAC can move to CiscoWorks LMS 4.0, which has native RBAC support and does not require integration with Cisco Secure ACS. CiscoWorks LMS 4.0 supports this function locally within the product, enabling administrators to define user roles and permit users to operate on a subset of (or all) network devices within LMS 4.0 itself. The procedure for defining new roles and limiting devices is simplified and requires no additional setup work in Cisco Secure ACS. Access control limits happen on the same groups of devices that are known to LMS, instead of groups defined at Cisco Secure ACS. For more information, please refer to http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/white_paper_c11-542881_ps11200_Products_White_Paper.html#wp9000115.
Q. Will Cisco Secure ACS 4.2 ever be supported on a server running Windows Server 2008 R2?
A. No new features are planned for Cisco Secure ACS 4.2. Customers who must use or upgrade to Windows Server 2008 R2 will have to migrate to Cisco Secure ACS 5.2 or 5.3 (when available).
Q. Will Cisco Secure ACS 4.2 support Microsoft Active Directory running Windows Server 2008 R2?
A. No new features are planned for Cisco Secure ACS 4.2. Customers will have to migrate to Cisco Secure ACS 5.2 or 5.3 (when available), which supports Microsoft Active Directory running Windows Server 2008 R2.
Q. Will Cisco Secure ACS 4.2 support VMware ESX 4.0?
A. No. Cisco Secure ACS 5.2 supports VMware ESX 4.0, and Cisco Secure ACS 5.3 will support VMware ESX/ESXi 4.1.
Q. Cisco Secure ACS 5.2 does not support logging to a remote database via ODBC. This was supported in Cisco Secure ACS 4.2. When I migrate to Cisco Secure ACS 5.2, what alternatives do I have for logging events, alarms, etc.?
A. In Cisco Secure ACS 5.2, you can send logs to an external syslog server and/or a Microsoft or Oracle SQL server in a periodic fashion - as often as every hour, if so desired.
Q. What product IDs can I use to upgrade to Cisco Secure ACS 5.2 from Cisco Secure ACS 4.2 or earlier versions of Cisco Secure ACS?
A. Those product IDs can be found in Table 3 at http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps5698/ps6767/ps9911/product_bulletin_c25-616320.html.
Q. Where can I find detailed information on how to migrate from Cisco Secure ACS 4.2 to Cisco Secure ACS 5.2?
A. You can find this information at http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/migration/guide/Migration_Book.html.