ACS Windows vs ACS Appliance

I have ACS 3.3 running on Win2k and am looking to upgrade. Would it be a better idea to get the ACS appliance instead? What are the pros/cons?

Hi
Personally I wouldn't choose an appliance over software. Cost aside, they are harder to integrate (especially if you use AD), harder to diagnose and harder to patch.
From experience I know ACS sometimes needs a little TLC to keep it working. ACS v3/v4 was not designed as appliance software. This has been retro-fitted, with all the issues that go with it.
ACS v5 is supposed to be an appliance from day 1, so maybe that'll be OK!
This is my own personal view; I'm sure there are a lot of happy appliance owners out there.
Main differences:
1) The appliance can't talk directly to AD. You need to install an agent somewhere (possibly requiring a dedicated Windows server... ouch, what happened to lower TCO!)
2) No native ODBC or RSA (done via RADIUS instead).
3) Logging. CSVs are hard-coded to roll over at 10MB. Requires the log agent or Extraxi csvsync to collect logs.
If you like to be "hands on", stick with s/w.

Similar Messages

  • Database from ACS windows 3.0 to appliance 3.3.2.2

    I have ACS 3.0 for Windows and bought 2 ACS appliances to replace the Windows ACS. Is it possible to load the ACS Windows 3.0 config onto ACS appliance 3.3.2.2?

    Yes. Back up the ACS 3.0 configuration, copy the file to an FTP server, then restore it on the appliance.
    If the restore fails you may need to upgrade to ACS 3.3, then back up and restore.

  • Using LDAP on ACS 4.1.1 appliance

    I would like to configure the appliance to use our LDAP server as opposed to configuring a separate Windows device (ACS agent). Can this be done? Is there a document out there that will allow me to do this, and does the group recommend updating to 4.2 prior to configuring this?
    Thanks
    Dwane

    Using AD as LDAP will allow you not to install any agent for AD user authentication. But by doing that you may lose some features that you get by using it as a Windows Database on ACS.
    As it would be LDAP, please consult the following matrix for the features available:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp857274
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp858207
    Other than that, configure AD as a normal LDAP; only change the default LDAP port from 389 to 3268 (Global Catalog).
    The user directory and group directory subtree would be your AD root.
    <--for example-->
    User Directory Subtree : DC=domain,DC=com
    Group Directory Subtree : DC=domain,DC=com
    <--below info is common for all AD-->
    UserObjectType : samaccountname
    UserObjectClass : person
    GroupObjectType : cn
    GroupObjectClass : group
    Group Attribute Name : memberof
    Hostname :
    Port : 3268
    Admin DN : [email protected]
    Password :
    If this is a new installation, then go for 4.2 :)
    Regards,
    Prem
    Please rate if it helps!

  • Problem when try to use ACSE+ Windows AD to authenticate two kind of WLAN c

    I met a problem when trying to use ACSE + Windows AD to authenticate two kinds of WLAN clients:
    1. Background:
    We have two WLANs: staff and student. Both of them will use PEAP-MSCHAPv2, ACSE will be the RADIUS server, and it will use Windows AD's user database. In AD, they created two groups: staff and student. The testing account for staff is staff1; the testing account for student is student1.
    2. Problem:
    If student1 tries to associate to the staff WLAN, since both the staff and student WLANs use the same authentication method, the auth request will be sent to the AD user database; since student1 is a valid user account in AD, it will pass authentication and join the staff WLAN. How can we prevent this from happening?
    3. Potential solutions and their limitations:
    1) Use group mapping in ACSE (Dynamic VLAN Assignment with WLCs based on ACS to Active Directory Group Mapping), but ACS can only support group mapping for those groups that have no more than 500 users. The student group will definitely exceed 500 users, so how do we solve it?
    2) Use methods like "Restrict WLAN Access based on SSID with WLC and Cisco Secure ACS": configure DNIS with the SSID name in the NAR of ACSE. But since DNIS/NAR is only configurable in ACSE, I don't know if AD supports it or not. Are there any options in AD like DNIS/NAR in ACSE?
    Thanks for any suggestions!

    I think the documentation for ACS states:
    ACS can only support group mapping for users who belong to 500 or fewer Windows groups
    I read that as: if a user belongs to more than 500 Windows groups, ACS can't map it. The group can have over 500 users; it's just that those users can't belong to more than 500 groups.

  • Restoring a CSACS Backup from ACS SE to ACS Windows

    Is it possible to take a backup from CSACS running on a Solution Engine (FTP'd off-box by the backup process) and restore it to a CSACS on Windows (assuming the ACS software, build, and patch level are the same)?

    Hi,
    Yes, if the version is the same you can import the .dmp file into the ACS Windows machine.
    Of course, some menus will not exist (the ones specific to the SE).
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • ACS for Windows vs ACS Appliance?

    First, the only thing I saw on the Appliance was that it was a 'hardened OS'. So I'm assuming, like many of their other appliances, that this is Windows 2003 locked down? Regardless of whether it is or not, are there any issues with the appliance being in a mixed environment with ACS for Windows and replication between the two?
    Thanks,
    Raun

    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawo.html
    When you use ACS for Windows, you install it on a member server, which can "relay" the auth requests to the domain controllers.
    ACS SE's are not a member in the domain, therefore you need to install the remote agent on a member/DC, so that it would act as a "relay agent" for the auth requests.
    You'll also need to manually create a workstation account in AD to allow auth requests from the ACS SE's.
    The default name used is "CISCO", but it can be defined differently.
    For this part, see
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp311476

  • ACS Windows Server with wrong user authentication

    Hello,
    we have a new Windows ACS Server with external user database authentication. Users on the ACS Server were configured, disabled, enabled and deleted by RDBMS synchronization with account actions.
    We have the problem that a user can be authenticated through the external LDAP even if the user or his group is disabled inside the Windows ACS Server.
    The same procedure doesn't work with our ACS appliance, where user administration is done only through the web interface.
    Does anybody know a solution for this problem?
    Best regards
    Torsten Waibel

    Could it be that you have unknown user authentication enabled?
    If you do, and a username came through authentication in a different format to the one added via dbsync, e.g. user@domain or domain\user, the unknown user policy might legitimately think it's a different user. In which case it would depend on what group mapping had been set up.
    Just a thought.

  • ACS Windows Agent Issue

    Hi,
    We just upgraded our 3.3 ACS to the latest version without issue. I created the Remote Agent on the ACS, but when I install the Agent on the Windows 2003 server I get "Unable to initialize variables". Anyone? Thanks.
    John

    John,
    - Log on to the computer as a Local Administrator, preferably "Administrator", then try to uninstall Remote Agent and install it back. Log on locally to the box and install the RA.
    - If the above doesn't work, you might have to manually uninstall Remote Agent. After uninstalling, you can try to reinstall the current version of the remote agent.
    somishra

  • Re: Windows-based ACS 4.2.1.15.3 - Submit button does not show up

    Interface Configuration > TACACS+: the submit button page shows the error "page cannot be displayed"; I am not able to submit it.
    Does anyone have any idea? This is after the upgrade to ACS 4.2.1.15.3. I have tried almost all browsers and different Java versions. I also tried to install it on different machines but got the same problem. Please refer to the screenshot.

    Manish,
    I just installed 4.2.1.15 patch 3 on a server and, referring to the attached screenshot, the submit button did show up and it worked fine. Please also make sure you meet the requirements for ACS 4.2.1 as per the link below:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/Installation_Guide/windows/install.html#wp1041324
    Verify Java using this link:
    http://www.java.com/en/download/installed.jsp
    Make sure the Windows server meets the requirements as per the URL.
    Note: Please do rate the answer

  • Is ACS required in NAC appliance.

    Hi,
    One of our clients has decided to implement NAC. They need to know what the various options are, especially the NAC appliance (3310 etc.). I read that the appliance is a device like a server which has hard disks, CD-ROMs etc. But the documents don't say much about the configuration of the server, whether ACS is required to be installed on the server, etc. Can we do port-based 802.1x with the help of this device (like dynamically assigning a host to a particular VLAN if the OS/anti-virus is not updated)?
    Thx in advance.
    Sonu

    NAC appliance will work with many authentication methods. NAC Framework requires ACS. Getting back to the NAC appliance.... You can use ACS/RADIUS/LDAP/etc. to authenticate the users.
    The Appliance will work with Patch Management (after authentication) to ensure that the right applications and patch levels are met. We work with Altiris/BigFix/PatchLink/SMS and more.
    The great thing about NAC Appliance is that it works for all four major use cases:
    1. VPN users
    2. WiFi users
    3. LAN/wired users
    4. Guests/visitors
    We can
    1. authenticate
    2. Posture assess (scan)
    3. Quarantine
    4. Remediate
    You don't want users to have to learn three different ways to connect to the network.
    802.1x is working for WiFi today, and for LAN connections we use one user per port so they get the whole pipe. In the future we will support subdivision of an access switch port for multiple devices and users.
    I hope this helps.

  • WLAN Access via 802.1x/EAP-FAST ACS & Windows DB

    Hi,
    Does anyone have any useful links about how to configure the ACS server to use Windows UN/PW for wireless client logins via 802.1x & EAP-FAST?
    I can't seem to find a defined example for the ACS to Windows DB install.
    Can anyone help?
    Ta
    James

    Check out whether the following links are useful to you.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00804b9d57.shtml#set-acs
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00802030dc.shtml

  • VPN3020 - ACS - Windows AD - best practices links

    Do you have a good link with general procedures and best practices for setting up VPN user authorization to a standard Windows domain/AD?
    VPN3020 -> RADIUS -> ACS (with default policy to Windows NT) does work, but I wanted more granular control over which users have VPN access.
    With this model everyone who has a Windows account would automatically get VPN access.
    Also, is there any good reading on setting up "single logon" for the Cisco VPN client and Windows domain?

    Try this link
    http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_0/404acn3k.htm

  • ACS Recovery for 1113 Appliance

    I need to recover my password from the ACS 1113 Appliance. I do not have the Recovery CD; is there a way that it can be downloaded from Cisco.com? Also, is there a default password for ACS version 4.2? I access from the console but I don't know the login or password.

    Hi Janet,
    For doing password recovery we need to have the recovery CD for the 1113 Appliance.
    The following are the steps for doing password recovery:
    http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_password_recovery09186a00801ece5f.shtml
    If you do not have the recovery CD, I would recommend you open a TAC case and they will publish the recovery files for you, as they are not available on cisco.com for download.

  • ACS 4.2 HW appliance Change speed + duplex

    On the ACS HW appliance, how do you configure the speed and duplex? Currently my switch is set to 100 full and my ACS keeps negotiating to 100 half. Any suggestions?

    Hi
    Each NIC is configured to automatically detect the speed and duplex mode of the network.
    Please observe the following cabling restrictions for 10BASE-T, 100BASE-TX, and 1000BASE-TX networks:
    • For 10BASE-T networks, use Category 3 or greater wiring and connectors.
    • For 100BASE-TX and 1000BASE-TX networks, use Category 5 or greater wiring and connectors.
    • The maximum cable run length is 328 feet (ft) or 100 meters (m).
    Regards

  • Dot1x - WLC - ACS - Windows profiling

    Hello,
    Does anyone have any experience with the following setup:
    We want users to authenticate through Dot1x with their Windows credentials. The RADIUS server for dot1x will be ACS, which uses a Windows DC for authentication. Then we would like the ACS to grab a role based on DC OU, group, etc. and send that back to the WLC for profiling.
    Sounds crazy, I know, but I think it can be done with an ISE server; we don't want to buy that if we don't have to. Is this possible with just ACS?
    Thanks!

    OK, we can do something with that, easily enough.
    On your ACS you need to build a group for IT; in its AAA attributes you want to return 64/65/81 VLAN/802/<vlan ID>.
    Rinse and repeat for the other groups.
    On the WLC, you need to create the VLAN interfaces, and set the WLAN to have AAA override enabled.
    Now when a user gets authenticated, the ACS will pass back the attributes to assign the user to the appropriate VLAN.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#Rserver1
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered
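The attributes 64/65/81 that Steve's answer above tells ACS to return are the RFC 2868 tunnel attributes Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID. The following is an added example (not code from the thread or from Cisco) that encodes that Access-Accept attribute set and parses it the way a NAS such as the WLC must, including the RFC 2868 rule that a leading byte above 0x1F in attribute 81 is part of the VLAN string rather than a tag. The VLAN number and tag value are constructed sample inputs.

```python
import struct

TUNNEL_TYPE = 64                # RFC 2868 Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65         # RFC 2868 Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81    # RFC 2868 Tunnel-Private-Group-ID
TUNNEL_TYPE_VLAN = 13           # "VLAN" value from RFC 3580
TUNNEL_MEDIUM_IEEE_802 = 6      # "802" (IEEE 802 incl. Ethernet)


def encode_vlan_attrs(vlan_id, tag=0):
    """Build the three tunnel attributes a RADIUS server sends in Access-Accept
    to place a dot1x user in VLAN `vlan_id`. Wire format per attribute:
    Type(1) Length(1) Tag(1) Value(3 bytes for 64/65, string for 81)."""
    def tagged_int(attr_type, value):
        return struct.pack("!BBB", attr_type, 6, tag) + struct.pack("!I", value)[1:]
    group = str(vlan_id).encode("ascii")
    gid = struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag) + group
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + gid)


def parse_attrs(data):
    """Walk a RADIUS attribute blob and return a list of (type, value_bytes),
    rejecting truncated or malformed TLVs instead of reading past the buffer."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def vlan_from_accept(data):
    """Return the VLAN ID string a NAS should apply, or None when the attribute
    set is incomplete or does not describe a VLAN assignment."""
    found = {}
    for attr_type, value in parse_attrs(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[attr_type] = int.from_bytes(value[1:4], "big")  # skip tag byte
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a first byte > 0x1F is not a tag but the start of the string
            s = value[1:] if value[0] <= 0x1F else value
            found[attr_type] = s.decode("ascii", "replace")
    if (found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802):
        return None
    return found.get(TUNNEL_PRIVATE_GROUP_ID)
```

The parser deliberately returns None when 64 or 65 is missing or not VLAN/802, which is the usual reason a WLC with AAA override enabled leaves the client on the WLAN's default interface.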
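The "unknown user policy" explanation in the ACS Windows Server thread above (Torsten's disabled users still authenticating) suggests that a login arriving as domain\user or user@domain is not recognised as the plain "user" that dbsync disabled. The following added example (not code from the thread) is an audit helper that canonicalises the three name forms and lists logins that would miss the literal dbsync entry yet resolve to a disabled account; the domain names, alias table and usernames are constructed, and it assumes, as the reply suggests, that ACS compares the username as a literal string.

```python
def canonical_user(name, default_domain, domain_aliases=None):
    """Map 'user', 'DOMAIN\\user' and 'user@domain' to one lower-cased
    (dns_domain, user) key. domain_aliases maps NetBIOS names to DNS names."""
    domain_aliases = domain_aliases or {}
    name = name.strip()
    if "\\" in name:
        domain, user = name.split("\\", 1)
    elif "@" in name:
        user, domain = name.rsplit("@", 1)
    else:
        domain, user = default_domain, name
    domain = domain.lower()
    return domain_aliases.get(domain, domain), user.lower()


def audit_logins(provisioned, logins, default_domain, domain_aliases=None):
    """provisioned: {username exactly as dbsync created it: enabled (bool)}.
    Returns the logins that do not match any provisioned name literally
    (so ACS would treat them as unknown users) but canonicalise to an
    account that dbsync has disabled."""
    disabled = {canonical_user(u, default_domain, domain_aliases)
                for u, enabled in provisioned.items() if not enabled}
    literal = set(provisioned)
    return [l for l in logins
            if l not in literal
            and canonical_user(l, default_domain, domain_aliases) in disabled]


# Constructed sample data: dbsync disabled 'twaibel', left 'jsmith' enabled.
SAMPLE_PROVISIONED = {"twaibel": False, "jsmith": True}
SAMPLE_LOGINS = ["twaibel", "CORP\\twaibel", "twaibel@corp.example",
                 "jsmith@corp.example", "CORP\\other"]
SAMPLE_ALIASES = {"corp": "corp.example"}
```

Running audit_logins over the constructed samples flags the two alternate spellings of the disabled account, which is where to look in the group mapping before trusting the unknown-user path.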
