Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
2099
Views
1
Helpful
0
Comments

ACS 3.x, 4.x & 5.8 Feature Comparison

thomas
Cisco Employee
Cisco Employee

on ‎07-06-2016 04:33 PM

Feature

ACS 3.x

ACS 4.x

ACS 5.8Notes
Platform Support
1111YesNo
1112YesNo
1113YesNo
1120Yes (4.2)YesACS 5.0 shipping appliance
1121NoYesACS 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, and 5.8 shipping appliance
3415NoYesACS 5.4, 5.5, 5.6, 5.7, and 5.8 shipping appliance
3495NoYesACS 5.5, 5.6, 5.7, and 5.8 shipping appliance
Windows ServerYesNo
Virtual machineESX 3.xESX i5.0, i5.0 update 2, i5.1, i5.5, i5.5 update 1, and i5.5 update 2
Components
ACS for WindowsYesNoNo Windows Server support in ACS 5.8
ACS Solution EngineYesNoACS 5.8 provides its own appliance option
ACS View 4.0YesNoACS 5.8 has integrated View functionality
ACS Remote AgentYesNoRemote Agent not required in 5.8
ACS Express 5.0NoNo
Application Integration
CiscoWorks Common Services (for CSM/LMS)YesNo
Cisco Wireless Control System (WCS)YesYes
Distributed Model
Single primary/multiple secondaryYesYes
Cascading replicationYesNo
Replication triggerManual or per scheduleOn configuration change
Replication unitWhole replication componentConfiguration delta only
SynchronizationLooseTight
Automatic outage resynchronization
NoYes
Internal user password updatesOn primary onlyOn primary only
Role-based secondary to primary promotionNoYes
Identity Store Support
InternalYesYes
Active DirectoryYesYes
LDAPYesYes
RDBMSYesNo
RSA SecurIDYesYes
Other One-time Password ServersYesYesUses RADIUS interface to OTP server
AAA Proxy Support
RADIUS proxyYesYesIncludes EAP Proxy
TACACS+ proxyYesYes
Logging Destinations
ACS ViewYesYes
SyslogYesYes
ODBCYesNoACS 5.8 provides View log data synchronization with an external database for archival purposes
Configuration Query/Provisioning
Web-based GUIYesYes
CSV-based updatesYesYes
CSUtilYesNo
RDBMS SynchronizationYesNo
Management
SNMP queryYes (appliance only)Yes
SNMP trapsNoYes
View alarmsYesYes
GUIYesYes
Cisco standard look and feel GUINoYes

CLI

Yes (limited, appliance only)Yes (similar to IOS)

System restart after some configuration changes

YesNo
KVM console accessNoYes
Choice of file transfer storage repositoriesNoYes
In-place, cross-version upgrade procedureNoYes
Remote upgrades/patchingPartialYes
Supported Protocols
PAPYesYes
CHAPYesYes
MS-CHAPv1YesYes
MS-CHAPv2YesYes
MABYesYes
EAP-MD5YesYes
EAP-TLSYesYes
PEAP-MSCHAPv2YesYes
PEAP-GTCYesYes
PEAP-TLSYesYes
FAST-MSCHAPv2YesYes
FAST-GTCYesYes
FAST-TLSYesNo
LEAPYesYes
TACACS+
Command authorizationYesYes
AccountingYesYes
Single connectYesYes
Change passwordYesYes
Enable handlingYesYes
Custom servicesYesYes
Optional attributesYesYes

CHAP/MSCHAP authentication

YesYes
Attribute substitutionYesYes
ACS Password Policy
ComplexityYesYes (stronger)
HistoryYes (last only)Yes (multiple)
ExpiryYes (age by days, logins, first login)Yes (age by days)
Expiry warningYesYes
Grace periodYesNo
Account Disablement
By dateYesYesCan be implemented using authorization policy
By failed attemptsYesYes
By inactivityNoYes
Network Devices
Separate TACACS+/RADIUS entriesYesYes
Hierarchical, scalable device groupingNoYes
Default network deviceTACACS+ onlyRADIUS and TACACS+
Group-level shared secretsYesNo
Wildcard for IP addressYesYes
Access Policy
Flexible, rules-based policy modelNoYes
Mandatory ACS group assignmentYesNo
Multiple group membershipNoYes
Static IP address assignmentYesYesExtend schema, policy
Maximum sessionsYesYes
Group disablementYesYesImplement in ACS 5.8 policy
VOIP supportYesNo
ToD settingsYesYes
CallbackYesYesUse of Windows Callback setting is not available in ACS 5.8

Network Access Restrictions

YesYes
Usage quotasYesNo
Enable optionsYesYesImplement in ACS 5 policy
Token cachingYesNo
IP address assignmentYesYes (static and AAA client pool only)For assigning static IP address, implement in authorization policy by adding IP address field to user schema.
AAA client pool refers to the ability to set the VSA attribute "ip-pool-definition" on ACS. The pool itself will be defined on the switch or router itself.
Downloadable ACLsYesYes
Supplementary user informationYesYes
Extendable ACS user schema for use in policy conditions and for authorization valuesNoYes
User attributes (internal, AD, LDAP), that can be leveraged in policy conditions and as authorization valuesNoYes
External password authentication for ACS internal usersYesYesIn ACS 5, the password store must be specified through Access Service Identity Policy, and cannot be specified in the user's record.
Time bound alternate groupYesYesIn ACS 5, time-based conditions are used to specify different permissions based on time of the day.
Windows dial-in supportYesNo
ACS Administrators
Network restrictionsYesYes
Entitlement reportsYesYes
Password complexityYesYes (stronger)
Password agingYesYes
Password historyYesYes
password inactivityYesYes
Account disablement because of failed attemptsYesYes
Account disablement because of account inactivityYesYes

Permission control

YesYes (role-based)
Certificate-based Authentication / Authorization
Mandatory AD authorizationYesNo
SAN/CN ComparisonYesNoCan be implemented indirectly in ACS 5.8 by checking for user attribute existence
Certificate binary comparisonYesYes
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents