ACS vs ISE Comparison


These tables will help you compare the Limits, Features and Performance of Cisco Access Control Server (ACS) and the Cisco Identity Services Engine (ISE) to successfully migrate.


Key differentiators


If you are an ACS customer, Cisco partner or security consultant looking for services beyond network access/TACACS+ and for closer integration with Cisco and third-party devices, here is the list of key differentiators between ACS and ISE.


ACS supports only network access and device administration. ISE offers many more services (see the ISE Product Community at http://cs.co/ise-community for more information). Key points:

  • ISE deployment limits are larger, in terms of concurrent endpoints, total endpoints supported and so on.
  • ISE supports up to 50 PSNs, whereas ACS supports 22 backup servers. Scalability numbers are likely to go up; these are advantages for large customers and are covered in the Deployment Limits section below.
  • ISE supports up to 50 Active Directory domains on a single node; ACS supports 1 Active Directory domain per node.


Here are the differences between ACS and ISE in security, ecosystem support, interoperability with Cisco devices (Cisco on Cisco) and third-party functionality.


Functionality | ISE | ACS
Network Access | Yes | Yes
Device Administration | Yes | Yes
Context | Yes | Partial
Visibility | Yes | No
Context sharing with ecosystem | Yes | No
Network Segmentation / TrustSec | Yes | Basic
3rd Party Support | Yes | Basic
Threat / Vulnerability / posture scanning and enforcement | Yes | No
AnyConnect Posture | Yes | No
AnyConnect deployment from ISE and integrations | Yes | No
EasyConnect for passive authentication / non-dot1x | Yes | No
Control plane security (RADIUS DTLS / IPsec in ISE 2.2) | Yes | No
Integration with DNAC | Yes | No


  • The primary difference is that ISE gathers context and shares it over pxGrid with ISE ecosystem partners, both third-party and Cisco devices (around 50+ vendors supported and growing). ACS has no way to share context and does not support profiling, guest services or BYOD services.
  • ISE offers the flexibility of supporting third-party devices and, most recently, of using SNMP as a backplane. ACS has no third-party profiles; third-party devices work, but integration is not as easy.
  • Another big difference is that ISE is tightly integrated with TrustSec and is the linchpin of a TrustSec deployment: it defines, manages and pushes policies and tags, and propagates tags using SXP. ISE also integrates with the ACI environment in both the policy and data planes. ACS supports tags, but not as powerfully and flexibly as ISE.
  • From a security standpoint, ISE protects devices using posture compliance and threat information from FMC for Threat-Centric NAC. It receives actionable threat information from Cisco AMP/CTA and vulnerability-assessment information from Qualys/Tenable/Rapid7 as part of Rapid Threat Containment, and protects the endpoint. ACS does not support threat, vulnerability or posture in general.
  • AnyConnect is tightly integrated with ISE for posture and the other services it supports; ACS supports AnyConnect NAM and VPN. Other solutions around AnyConnect NVM and Lancope work with ISE for enforcement. AnyConnect can also be deployed to endpoints from ISE (just as from the ASA).
  • Easy network access using EasyConnect, with many more features in the coming releases.


Policy Model


[Figure: Policy Model, Cisco ISE vs ACS]

Deployment Limits

Attribute | ACS 5.x Limits | ISE 2.0 Limits | ISE 2.2 Limits
Nodes | 22 | 44 (2 PANs, 2 MnTs, 40 PSNs) | 54 (2 PANs, 2 MnTs, 50 PSNs)
Endpoints | 150,000 | 250,000 concurrent endpoints; 1 M total endpoints | 500,000 concurrent sessions (not specific to endpoints or users); 1.5 M total endpoints
Users | 300,000 | 25,000 internal users; 1 million internal guests | 300,000 internal users
Admins | 50 | - | -
Admin Roles | 9 | - | -
Identity Groups | 1,000 | 500 (Users), 500 (Endpoints) | 500 (User), 500 (Endpoint ID)
Active Directory Join Points | 1 per node | 50 | 50
Active Directory Group Retrieval | 1500 | 1000 | 1000
Network Devices | 100,000 | 30,000 (network objects, not IPs) | 100,000
Maximum Network Device Groups | 10,000 | 100 | 100
Maximum Top Level Network Device Groups | 12 | - | -
Maximum Network Device Hierarchies (nested levels) | 6 | - | -
Services | 25 | - | -
Authentication Rules | - | 100 | 100 (Simple Policy Mode); 200 (Policy Set Mode: 2 rules + default per policy set)
Authorization Rules | 320 | 600 with policy sets, 400 without | 600 (Simple Policy Mode); 700 (Policy Set Mode)
Conditions | 8 | 8 | 8
Authorization Profiles | 600 | 600 (recommended < 100) | 600
Service Selection Policy (SSP) | 50 | N/A | 100 (policy sets)
Network Conditions (NARs) | 3,000 | - | -
dACLs | 600 dACLs with 100 ACEs each | 8000 ACLs | 8000 ACLs
TrustSec Security Group Tags (SGT) | - | 4,000 | 4,000
TrustSec Security Group ACLs (SGACLs) | - | 2,500 | 2,500
Maximum number of SXP bindings | N/A | 100,000 | 500,000 (250,000 per SXP-PSN)

The ISE numbers came from Release Notes, Admin Guide, TOPIC and the current HLD.


Features

Legend for the tables below: Yes = Supported, No = Not Supported, N/A = Not Available. Superscript numbers refer to the footnotes listed under each table.

RADIUS

Feature | ACS 4.2 | ACS 5.8 | ISE 2.0 | ISE 2.1 | ISE 2.2 | ISE 2.3
PAP | Yes | Yes | Yes | Yes | Yes | Yes
CHAP | Yes | Yes | Yes | Yes | Yes | Yes
MS-CHAPv1 and v2 | Yes | Yes | Yes | Yes | Yes | Yes
EAP-MD5 | Yes | Yes | Yes | Yes | Yes | Yes
EAP-TLS | Yes | Yes | Yes | Yes | Yes | Yes
PEAP (with EAP-MSCHAPv2 inner method) | Yes | Yes | Yes | Yes | Yes | Yes
PEAP (with EAP-GTC inner method) | Yes | Yes | Yes | Yes | Yes | Yes
PEAP (with EAP-TLS inner method) | Yes | Yes | Yes | Yes | Yes | Yes
EAP-FAST (with EAP-MSCHAPv2 inner method) | Yes | Yes | Yes | Yes | Yes | Yes
EAP-FAST (with EAP-GTC inner method) | Yes | Yes | Yes | Yes | Yes | Yes
EAP-FAST (with EAP-TLS inner method) | Yes | Yes | Yes | Yes | Yes | Yes
EAP Chaining with EAP-FAST | No | No | Yes | Yes | Yes | Yes
RADIUS Proxy | Yes | Yes | Yes | Yes | Yes | Yes
RADIUS VSAs | Yes | Yes | Yes | Yes | Yes | Yes
LEAP | Yes | Yes | Yes | Yes | Yes | Yes

TACACS+

Feature | ACS 4.2 | ACS 5.8 | ISE 2.0 | ISE 2.1 | ISE 2.2 | ISE 2.3
TACACS+ per-command authorization and accounting | Yes | Yes | Yes | Yes | Yes | Yes
TACACS+ support in IPv6 networks | No | Yes | No | No | No | Yes
TACACS+ change password | Yes | Yes | Yes | Yes | Yes | Yes
TACACS+ enable handling | Yes | Yes | Yes | Yes | Yes | Yes
TACACS+ custom services | Yes | Yes | Yes | Yes | Yes | Yes
TACACS+ proxy | Yes | Yes | Yes | Yes | Yes | Yes
TACACS+ optional attributes | Yes | Yes | Yes | Yes | Yes | Yes
TACACS+ additional auth types (CHAP / MSCHAP) | Yes | Yes | Yes | Yes | Yes | Yes
TACACS+ attribute substitution for Shell profiles | Yes | Yes | Yes | Yes | Yes | Yes
TACACS+ customizable port | Yes | Yes | No | Yes | Yes | Yes

Identity Stores

Feature | ACS 4.2 | ACS 5.8 | ISE 2.0 | ISE 2.1 | ISE 2.2 | ISE 2.3
Internal User & Host Database | Yes | Yes | Yes | Yes | Yes | Yes
Windows Active Directory | Yes | Yes | Yes | Yes | Yes | Yes
LDAP | Yes | Yes | Yes | Yes | Yes | Yes
RSA SecurID | Yes | Yes | Yes | Yes | Yes | Yes
RADIUS token server | Yes | Yes | Yes | Yes | Yes | Yes
ODBC | Yes | No | No | Yes | Yes | Yes
AD Server specification per ACS/ISE instance | Yes | Yes | N/A | N/A | N/A | N/A
LDAP Server specification per ACS/ISE instance | Yes | No | No | No | Yes | Yes
Map internal user's password to an external ID store | Yes | Yes | No | Yes | Yes | Yes

Internal Users / Administrators

Feature | ACS 4.2 | ACS 5.8 | ISE 2.0 | ISE 2.1 | ISE 2.2 | ISE 2.3
Users: Password complexity | Yes | Yes | Yes | Yes | Yes | Yes
Users: Password aging | Yes | Yes (1) | Yes (1) | Yes (1) | Yes (1) | Yes (1)
Users: Password history | Yes | Yes | Yes | Yes | Yes | Yes
Users: Max failed attempts | Yes | Yes | Yes | Yes | Yes | Yes
Users: Disable user after n days of inactivity | Yes | Yes | No | Yes | Yes | Yes
Admin: Password complexity | Yes | Yes | Yes | Yes | Yes | Yes
Admin: Password aging | Yes | Yes | Yes | Yes | Yes | Yes
Admin: Password history | Yes | Yes | Yes | Yes | Yes | Yes
Admin: Max failed attempts | Yes | Yes | Yes | Yes | Yes | Yes
Admin: Password inactivity | Yes | Yes | No | Yes | Yes | Yes
Admin: entitlement report | Yes | Yes | Yes | Yes | Yes | Yes
Admin: session and access restrictions | Yes | Yes | Yes | Yes | Yes | Yes

(1) Warning and disable after a defined interval. A grace period is not supported.

Miscellaneous

Feature | ACS 4.2 | ACS 5.8 | ISE 2.0 | ISE 2.1 | ISE 2.2 | ISE 2.3
Machine Access Restrictions (MAR) caching and distribution | Yes | Yes | Yes | Yes (1) | Yes (1) | Yes
Network Access Restrictions (NARs) | Yes | Yes | No | No | Yes | Yes
RBAC for ISE Admin to allow administrators' rights to access/modify only subset(s) of a class of objects | Yes | No | No | Yes | Yes | Yes
RBAC for ISE Admin to allow administrators' rights to access Read-Only support | Yes | Yes | No | No | No | Yes
Log viewing and reports | Yes | Yes | Yes | Yes | Yes | Yes
Export logs via syslog | Yes | Yes | Yes | Yes | Yes | Yes
Time based permissions | Yes | Yes | Yes | Yes | Yes | Yes
Configurable management HTTPS certificate | Yes | Yes | Yes | Yes | Yes | Yes
CRL: LDAP based definition | Yes | No | Yes | Yes | Yes | Yes
Online Certificate Status Protocol (OCSP) | Yes | Yes | Yes | Yes | Yes | Yes
Comparison of any two attributes in authorization policies | Yes | Yes | Yes | Yes | Yes | Yes
Configurable RADIUS ports | Yes | No | No | No | Yes | Yes
API for users, groups and endpoint CRUD operations | Yes | Yes | Yes | Yes | Yes | Yes
Multiple NIC interfaces | N/A | Yes | Yes | Yes | Yes | Yes
Secure syslogs | No | Yes | Yes | Yes | Yes | Yes
EAP-TLS certificate lookup in LDAP or AD | Yes | Yes | Yes | Yes | Yes | Yes
Maximum concurrent sessions per user/group | Yes | Yes (2) | No | No | Yes (2) | Yes (2)
Programmatic interface for network device CRUD operations | Yes | Yes | Yes | Yes | Yes | Yes
Configure devices with IP address ranges | Yes | Yes | No | No | Partial (3) | Yes
Lookup network device by IP address | Yes | Yes | Yes (4) | Yes | Yes | Yes
Dial-in attribute support | Yes | Yes | No | No | Yes | Yes
User-defined attributes for endpoints/hosts | N/A | Yes | No | No | Yes | Yes
RSA token caching | Yes | Yes | No | No | Yes | Yes
Alarm notification on a per-item level | N/A | Yes | No | No | No | Yes
Import and export of command sets | Yes | Yes | No | No | No | Yes
Real time policy hit counts | Yes | Yes | No | No | No | Yes
Scheduling policy export | Yes | Yes | No | No | No | Yes

(1) ISE 2.0 supports only the MAR cache. ISE 2.1 keeps the MAR cache between restarts but does not distribute it.
(2) For internal users.
(3) When migrating from ACS to ISE, the Migration Tool automatically converts IP ranges in the last octet of the IP address.
(4) Can search by IP address, but this cannot be combined with other fields as search criteria.
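
The footnote on configuring devices with IP address ranges states that the Migration Tool converts only ranges confined to the last octet. The following added Python helper (not Cisco's Migration Tool and not code from this page) models each ACS device range as a first/last address pair and flags the ranges that span more than the last octet, so they can be planned for manual handling in ISE; the device inventory in it is constructed sample data.

```python
"""Pre-migration check for ACS network-device IP ranges.

Ranges that lie entirely within the last octet are converted by the
Migration Tool; anything wider is reported for manual handling.
(Added example; range modelling and inventory are assumptions.)
"""
import ipaddress

# Constructed sample inventory: (device name, first address, last address)
ACS_DEVICE_RANGES = [
    ("core-sw-01", "10.1.1.1", "10.1.1.1"),                 # single host
    ("access-sw-floor2", "10.1.2.10", "10.1.2.40"),         # last-octet range
    ("wlc-pool", "10.5.0.1", "10.5.3.254"),                 # spans third octet
    ("branch-routers", "192.168.0.1", "192.168.255.254"),   # spans two octets
]


def range_scope(first: str, last: str) -> str:
    """Return 'host', 'last-octet' or 'multi-octet' for an IPv4 range."""
    a = ipaddress.IPv4Address(first)
    b = ipaddress.IPv4Address(last)
    if b < a:
        raise ValueError(f"range end {last} precedes start {first}")
    if a == b:
        return "host"
    # Identical first three octets means the range varies only in the last octet
    if a.packed[:3] == b.packed[:3]:
        return "last-octet"
    return "multi-octet"


def classify_ranges(ranges):
    """Split ranges into auto-convertible ones and ones needing manual work."""
    auto, manual = [], []
    for name, first, last in ranges:
        scope = range_scope(first, last)
        (auto if scope in ("host", "last-octet") else manual).append((name, scope))
    return auto, manual


if __name__ == "__main__":
    auto, manual = classify_ranges(ACS_DEVICE_RANGES)
    print("Converted automatically:", auto)
    print("Needs manual handling in ISE:", manual)
```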

Will not be supported by ISE

Feature | ACS 4.2 | ACS 5.8 | ISE 2.0 | ISE 2.1 | ISE 2.2 | ISE 2.3
LEAP Proxy | Yes | No | No | No | No | No
Users: User change password (UCP) utility | Yes | Yes | No | No | No | No
Command line / scripting interface (CSUtil) | Yes | Yes | No | No | No | No
Logging to external DB (via ODBC) | Yes | Yes (1) | No | No | No | No
Ability to select logging attributes for syslog messages | Yes | No | No | No | No | No
IP Pools | Yes | No | No | No | No | No
Adding hosts with wildcards | Yes | Yes | No | No | No | No
RADIUS token attributes | Yes | Yes | No | No | No | No

(1) Data can be exported from M&T for reporting. Not supported as a log target that can be defined as a critical logger.


Performance


Please refer to the following documents for ACS and ISE performance:

ACS Performance & Scale

ISE Performance & Scale