Microsoft NPS vs. Cisco ACS matrix

Hi there,
is there a matrix that compares the NPS vs. ACS to see the advantages or disadvantages of the products.
e.g. I see that I can access only one domain, we have the problem that we have some domains we need to ask for access groups. They have a trust between each other but I'm not sure if that will work. Another topic is reporting and troubleshooting.
would be cool to get some informations, better a matrix to see the differents.
thanks friends.
regards,
Sebastian

Sebastian,
You may want to engage a local partner or account SE. I have worked with both boxes and here is the personal differences that I have seen between ACS and IAS (or NPS).
There is a better support community with respect to ACS, the documentation is much clearer when it comes to configuring ACS. You can always call TAC and can get someone on the phone for support.
ACS supports tacacs which IAS does not.
ACS joins to your domain and can authenticate to other databases like RSA, token servers, ldap, and it also has an internal database you can authenticate against. As long as the trusts are configured correctly ACS is able to authenticate in between the two domains.
ACS doesnt run on windows so the fear of installing hotfixes and patches in order to meet windows audit requirements is no longer necessary.
The reporting features are much easier to work with rather than NPS.
thanks,
Tarik Admani

Similar Messages

  • Cisco NAC, Cisco ACS, Microsoft NAP, Anti Virus

    Hi,
    I'm doing a research on the Cisco NAC (without the appliance) concept and I would like to ask the following:
    1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
    2. Forcing Windows PC to download OS patches according to company policy. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Microsoft NAP (Network Access Protection)? Is there a way to do this only with Windows Server (not using NAP)?
    3. Forcing Windows PCs to update Anti Virus software. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Anti Virus server? Is this correct?
    Please, give me some advice.
    Thanks in advance,
    Mladen

    Thanks for the reply, but still I am a bit confiused (would you please try to answer the questions?):
    1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
    2. To force update of Windows patches, do I need a NAC appliance (I can only install CSACS)?
    3. To force AV updates, do I need a NAC appliance (I can only install CSACS)?
    I refer to
    "Implementing Network Admission Control Phase One Configuration and Deployment";
    "Network Admission Control Software Configuration Guide - Information About Network Admission Control".
    Thanks in advance,
    Mladen

  • Switch Cisco and Microsoft NPS

    Hi,
    I configure 802.1x wich Cisco Switch and Microsoft NPS Radius but the client cannot connect. I debug radius on switch and receive the debug attached.
    Whats the problem??
    Thanks

    Hi,
    Looks like that switch ip address is 192.168.233.250
    Please add this nas-ip-address 192.168.233.250 in the condition on the NPS server.
    Also, could you please provide me a error message from the event viewer?
    Attached is the document to configure NPS with cisco devices.
    HTH
    JK
    Plz rate helpful posts-

  • Linksys WAP54G connecting to CISCO ACS via LEAP

    I understand that Linksys WAP54G support WPA and 802.1x authentication. Will a cisco compatible client card get connected to the WAP54G via LEAP authentication to a Cisco ACS server ?
    Connection scenario:-
    Cisco compatible client card <-WPA/LEAP-> WAP54G <-WPA/LEAP-> Cisco ACS3.1
    Pls advise if such setting is feasible.
    Tks

    This is really a question for Linksys support. The Cisco wireless BU has no involvement with the Linksy's product line. They operate as a totally separate wholly own subsidiary of Cisco.
    As for LEAP, no, to my knowledge the Linksys AP does not support LEAP, which is not tested or part of the WPA certification program. To my knowledge the ONLY APs that support LEAP are Cisco Aironet APs.
    If the Linksys supports WPA-Enterprise, then any client that supports WPA-Enterprise should work using EAP-TLS. The Cisco ACS server supports EAP-TLS.
    One word of caution. Early CCX cards do not necessarily support WPA. The CCX specification and certification were out before WPA was released. You will need to check with the actual vendor of the card to verify WPA compatibility.;
    Also there are two types of WPA. WPA-Personal, which supports only the WPA encryption, and the keys are handles by a Pre-shared Key input system (no radius server) and WPA-Enterprise, which is certified using WPA encryption an 802.1x EAP-TLS radius server (in fact using Microsoft and Funk Software servers). make sure that the Linksys supports WPA-enterprise, or it may not support 802.1x.
    Bruce Alexander, Cisco

  • Cisco ACS 5.4 + Anyconnect 3.1 NAM with 802.1x, problem with changing ACS Radius user password

    Dear all,
    Presently, we are testing 802.1x using Cisco ACS 5.4 and Cisco Anyconnect v3.1 as 802.1x supplicant. We have created predefined NAM profiles (with Cisco Profile Editor) and applied as default in on our test machine. We are using PEAP (MsCHAPv2) and ACS local user credentials for authenticating process. We have noticed that, when we try to authenticate the network with predefined profile (network profile has Administrator Network privileges) and Windows user on test machine has no Admin privileges we are not able to change ACS user password (checked "Change password on next login" in the ACS user profile). In the Monitoring and Report View we get Failure Reason "24203 User need to change password"  but no popup window apears in Anyconnect. When we change Windows local user privileges to Admin or create Anyconnect network profile localy (privileges User Network) then, we are able to finish the process.
    Have you ever been facing the problem described above. Is it Anyconnect bug? How can we fix it?
    Best regards,
    Piotr

    If this happens with all machines then if a microsoft guy can look the app logs/privileges. It seems the app is requesting privilege that it is not authorized to and that's why the propmt window fails to appear. If we know what that privilege is we can probably fix it. If that privilege is not even required for smooth work Cisco need probably to fix this behavior.
    I am sorry if I am not able to help but I am not using the anyconnect for production.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • 802.1x MAB with Microsoft NPS ieee802Device object group

    Hi,
    according to http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.pdf (MAC Authentication Bypass Deployment Guide as of May 2011), when you use Microsoft NPS, you cannot simply add MAC-Adresses as Active Directory user objects if your domain has strict password enforcement policies (because passwords are not allowed to match usernames under that circumstances). The guide mentions the use of the 'ieee802Device' class that is build into Windows Server 2003R2 and above. I have tried to get this working (with no success...), unfortunately I did not find any guidelines on the web how to accomplish this. What I did so far was:
    - Created a new structural class"myieee802Device", based on the abstract class "ieee802Device"
    - Created a new OU "ethers" in AD
    - Created a simple objekt by means of an ldifde.exe import
    dn: CN=001b21******,OU=ethers,DC=dot1x,DC=com
    changetype: add
    objectClass: myieee802Device
    cn: 001b21******
    macAddress: 00:1b:21:**:**:**
    When I trigger 802.1x authentication at a supplicant, NPS does not find the device (MAC-Address) in AD.
    Has anybody got this running so far?
    Stefan

    Stefan,
    Many thanks for your reply. in my test environment, what I have encountered is:
    1. I created the user account and used the mac address as account and password, which can access into the AD.
    2. I enabled the function of  MD5-Challenge  in Windows 2008 R2 NPS server. pls refer the link:
    http://social.technet.microsoft.com/Forums/en/winserverNAP/thread/e801bdac-9347-4efb-9d7c-bcf4d64aa927
    3. Created the network policy, which use the  MD5 as the EAP type, and select PAP as the authentication method.
    4. Enable the 802.1x and MAB function in the port of cisco 3750.
    by test, 802.1x works fine, but when  I try to let it authenticate with MAB, got the below error in NPS event log:
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
        Security ID:            QBBB\002622c997ff
        Account Name:            002622c997ff
        Account Domain:            QBBB
        Fully Qualified Account Name:    qbbb.net/Sales/002622c997ff
    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        3C-DF-1E-C6-48-13
        Calling Station Identifier:        00-26-22-C9-97-FF
    NAS:
        NAS IPv4 Address:        10.197.40.2
        NAS IPv6 Address:        -
        NAS Identifier:            -
        NAS Port-Type:            Ethernet
        NAS Port:            50219
    RADIUS Client:
        Client Friendly Name:        Wired
        Client IP Address:            10.197.40.2
    Authentication Details:
        Connection Request Policy Name:    Secure Wired (Ethernet) Connections
        Network Policy Name:        Connections to other access servers
        Authentication Provider:        Windows
        Authentication Server:        QINGXXX1.QBBB.net
        Authentication Type:        PAP
        EAP Type:            -
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            65
        Reason:                The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
    Just for you reference and hope can get you help, thanks a lot!
    --Scott

  • Cisco ACS Server . Download Evaluation Version For Testing.

    Hello.
    I want to try to install ACS server for windows to check how this is working with Microsoft AD. Does anyone know where i can download an evaluation version of Cisco ACS Server for Windows ?

    Hello Michael-
    The ACS version for Windows is no longer available. The product is EOL/EOS:
    http://www.cisco.com/c/en/us/products/collateral/security/secure-access-control-server-windows/end_of_life_notice_c51-664639.html
    The product was replaced with a Linux based version (5.x) and it is a lot easier of a product to install and manage. 
    If you want to evaluate the product I would recommend that you contact your local Cisco partner:
    https://tools.cisco.com/WWChannels/LOCATR/openBasicSearch.do
    Thank you for rating helpful posts!

  • Does cisco ACS hardware run TACACS+ ?

    hi all
    I am very new to the security,
    my question is , does cisco ACS devices run TACACS+ ?
    or TACACS+ has to be installed in windows/linux ?
    thank you

    The below listed link will help you to configure tacacs authentication/authorization and also help you to integrate ACS with Active directory.
    ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example
    ACS 5.x: TACACS+ Authentication and Command Authorization based on AD group membership Configuration Example
    Regards,
    Jatin Katyal
    *Do rate helpful posts*

  • [ ISSUE ] NCS / PI authentication using Microsoft NPS as a RADIUS server

    So here is my goal:
    Authenticate employees who use NCS or PI with their ActiveDirectory credentials against Microsoft NPS.
    Background:
    I have successfully configured our switches to use the NPS server and our AD credentials to log into and receive plvl=15 access.
    I've also used NPS to authenticate wireless clients in a lab setting.
    Problem:
    I cannot figure out what is going on with NCS/PI authentication against NPS.
    Here are a couple/few steps I've taken:
    - I've added the RADIUS client to the list.
    - I've created a network policy to grant access to a specific group of users (AD group).  It accepts either CHAP or PAP authentication
    - I've also taken out the default radius attributes and inserted these:
    - - Vendor Specific, Cisco-AV-Pair
    - - - - I've used both the ASCII format of the task list and/or variations of the HEX value
    - - Vendor-Specific, RAIDUS Standard
    - - - - I've used both the ASCII format of the task list and/or variations of the HEX value
    On the NPS server I can see the request coming in on the NPS logs.  Access has been granted and it matches the Network Policy I created.
    The usual message I receive is this:
    No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server
    Attached is a picture from a packet capture.  The RAIDUS "Access-Accept" message has something under the Attribute Value Pairs section:
    - "[Not enough room in packet for AVP] "
    This capture was taken when I was only using the RAIDUS role value and not all the RAIDUS Tasks.
    Has anyone gotten this to work using Cisco NCS/PI and Microsoft NPS?
    Here are some of guides I used:
    http://mihai.radoveanu.ro/2010/11/configuring-the-radius-authentication-with-cisco-wireless-control-system-6-0-196-0/
    https://supportforums.cisco.com/thread/339057
    http://www.cisco.com/en/US/products/ps6305/products_tech_note09186a00809038e6.shtml

    Hi Kyujin,
    I wish I had finished my guide.  Didn't realize it would take this long.
    But what I meant is that when adding the attributes to my NPS (Microsoft's Network Policy Server) I only had to add the role and virtual domain if using Prime Infrastructure.
    If you use NCS, you have to add the role, all the tasks, and the virtual domain.
    See the screenshots and see if that helps explain it.  Not sure how TACACS will work as I'm not familiar with it.
    Microsoft NPS - Attributes for NCS
    Microsoft NPS - Attributes for PI

  • Issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

    issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

    issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

  • VPN client and Cisco ACS

    hi,
    I'm trying to setup a VPN solution, connecting to a 800 series router and authenticating off a Cisco ACS tacacs server.
    I've basically followed the suggested config at http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800a393b.shtml and the setup works fine if I use local authentication, but as soon as I switch to using TACACS the client authentication fails.
    Debugging tacacs on the router i can see the requests being sent to the server, and the replies coming back - the login detail are definitely correct so I'm guessing that TACACS isn't authorising me to use VPN or IPSEC or something. But there is nothing in the ACS logs to suggest why I'm not getting through - no failed attempts are shown.
    Any ideas?

    here is some debug from the router:
    Feb 24 12:28:58.973 UTC: TPLUS: processing authentication start request id 129
    Feb 24 12:28:58.973 UTC: TPLUS: Authentication start packet created for 129(vpngroup)
    Feb 24 12:28:58.973 UTC: TPLUS: Using server 10.10.10.10
    Feb 24 12:28:58.973 UTC: TPLUS(00000081)/0/NB_WAIT/823A9F04: Started 5 sec timeout
    Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: socket event 2
    Feb 24 12:28:58.989 UTC: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
    Feb 24 12:28:58.989 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
    Feb 24 12:28:58.989 UTC: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
    Feb 24 12:28:58.989 UTC: T+: svc:LOGIN user_len:8 port_len:0 (0x0) raddr_len:0 (0x0) data_len:0
    Feb 24 12:28:58.989 UTC: T+: user: vpntest
    Feb 24 12:28:58.989 UTC: T+: port:
    Feb 24 12:28:58.989 UTC: T+: rem_addr:
    Feb 24 12:28:58.989 UTC: T+: data:
    Feb 24 12:28:58.989 UTC: T+: End Packet
    Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: wrote entire 28 bytes request
    Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: socket event 1
    Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: Would block while reading
    Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
    Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 12 header bytes (expect 16 bytes data)
    Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
    Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 28 bytes response
    Feb 24 12:28:59.009 UTC: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
    Feb 24 12:28:59.009 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
    Feb 24 12:28:59.009 UTC: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
    Feb 24 12:28:59.009 UTC: T+: msg: Password:
    Feb 24 12:28:59.009 UTC: T+: data:
    Feb 24 12:28:59.009 UTC: T+: End Packet
    s9990-cr#
    Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/823A9F04: Processing the reply packet
    Feb 24 12:28:59.009 UTC: TPLUS: Received authen response status GET_PASSWORD (8)
    "AUTHEN/REPLY status:5" is a permanent fail according to the TACACS RFC
    In the VPN Client log it say "User does not provide any authentication data"
    So to summarise:
    -Same ACS server\router\username combination works fine for telnet access.
    -VPN works fine with local authentication.
    -No login failures showing in the ACS logs.

  • Cisco ISE 1.2 and Cisco ACS 5.4 patch 6 and support for snmp version 3

    does anyone know if cisco ISE version 1.2 patch 8 and Cisco ACS 5.4 patch 6 support snmp version 3?
    ciscoISE/admin(config)# snmp-server ?
      community  Set community string
      contact    Text for mib object sysContact
      host       Specify hosts to receive SNMP notifications
      location   Text for mib object sysLocation
    ciscoISE/admin(config)# snmp-server
    Ciscoacs/admin(config)# snmp-server ?
      community  Set community string
      contact    Text for mib object sysContact
      host       Specify hosts to receive SNMP notifications
      location   Text for mib object sysLocation
    Ciscoacs/admin(config)# snmp-server

    No support SNMP v3 on ISE v1.2 and 1.3 except for profilling
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#12768
     http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/cli_ref_guide/b_ise_CLIReferenceGuide/b_ise_CLIReferenceGuide_chapter_0100.html#ID-1364-00000d30

  • Using Cisco ACS for Solaris login authentication

    Hi all
    I am planning to authenticate ssh logins to Solaris 8/9 systems using PAM and radius (while radius is considered the primary solution, tacacs+ could be used, too). The radius/tacacs+ server is provided by a Cisco ACS.
    Can anybody out there confirm that the combination "Solaris & PAM & radius/tacacs+ & Cisco ACS" is correctly doing this authentication stuff? Is there anything to specially consider?
    Thanks, David

    Hard to comment with any certainty but provided the client implementation of RADIUS is sound AND the authentication protocol is one that ACS supports, eg PAP, CHAP, MSCHAP, LEAP, EAP (PEAP/FAST/TLS/GTC/MSCHAP) then should be fine.

  • CS-MARS user authentication using Cisco ACS

    Hi,
    I would like CS-MARS (Web Interface) user authenticaiton to be done by Cisco ACS Server. Please let me know, either it is possible or not? And if possible then reply how to configure it.
    Thanks and Regards,
    Ahmed Shahzad.

    Hi,
    I would like CS-MARS (Web Interface) user authenticaiton to be done by Cisco ACS Server. Please let me know, either it is possible or not? And if possible then reply how to configure it.
    Thanks and Regards,
    Ahmed Shahzad.

  • RSA SecurID and Cisco ACS integration for user(s) with enable mode

    I thought I had this problem figured out but I guess not.
    I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
    router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
    I use tacacs+ authentication for logging into the Cisco router
    such as telnet and ssh. In the ACS I use "external user databases"
    for authentication which proxy the request from the ACS over
    to the RSA SecurID Server. I installed RSA Agents with
    sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
    to be "RSA_SecurID" group. In the "External user databases" and
    "database configurations" I assign SecurID to this "RSA_SecurID"
    group.
    Everything is working fine. In the "User Setup" I can see dynamic
    user test1, test2,...testn listed in there as "dynamic users". In
    other words, I can telnet into the router with my two-factor
    SecurID.
    The problem is that if test1 wants to go into "enable" mode with
    SecurID login, I have to go into "test1" user setting and select
    "TACACS+Enable Password" and choose "Use external database password".
    After that, test1 can go into enable mode with his/her SecurID
    credential.
    Well, this works fine if I have a few users. The problem is that
    I have about 100 users that I need to do this. The solution is
    clearly not scalable. Is there a setting from group level that
    I can do this?
    Any ACS "experts" want to help me out here? Thanks.

    That is not what I want. I want user "test1" to be able to do this:
    C
    Username: test1
    Enter PASSCODE:
    C2960>en
    Enter PASSCODE:
    C2960#
    In other words, test1 user has to type in his/her RSA token password to get
    into exec mode. After that, he/she has to use the RSA token password to
    get into enable mode. Each user can get into "enable" mode with his/her
    RSA token mode.
    The way you descripbed, it seemed like anyone in this group can go directly
    into enable mode without password. This is not what I have in mind.
    Any other ideas? Thanks.

Maybe you are looking for

  • How can I transfer a Photoshop license from one pc to another?

    I Have already a serial number for adobe photoshop. However i'm going to change from work pc and need to transfer photoshop from one to another. How can I do it? thanks

  • Sub-report variable on main report

    HI Forum, I have a report with a sub-report. I am trying to have the sub-report to get an item "price" from a salesorder on a given year in this case 2010... i get that with a shared variable... the sub-report prints the correct value.... except that

  • "Access Restrictions" change to "Access Policy"

    can someone tell me what happen to my router linksys e1200, after i update the firmware to the latest version "Access Restrictions" is change to "Access Policy". how can i revert it back to "Access Restrictions" do i need to downgrade the firmware? 

  • Replaced DVD-ROM with 18x MCE Superdrive. Will not complete a DVD burn!!!!

    updating my gigabit ethernet dual 450 G4 powermac. swapped out the original dvd-rom drive with an 18x SuperDrive from MCE. Running Panther 10.3.9 with all updates. Machine has upgraded 120GB hard drive, 512 RAM. Driver loads from MCE install disc. Us

  • HT204023 How to update software on iphone5?

    I am using my Iphone 5 in bangladesh using GP (Grameenphone) data plan, I am unable to update any required software such as iOS 6.0.2. How do i do it?