TACACS+, AAA, ACS, Overall Network Management and Implementation

garciajbg305
Level 1

Hello All,

Still new to Cisco and I feel I have the basics handled now. So now I am moving on to a network management/central management solution and overall network security and log filing. I am looking into what I need to stand up (TACACS+ Server) to accomplish this. I have looked at all Cisco products but I am having trouble finding TACACS+ software for Windows. Is this an IOS feature? Purely an application? Is AAA built in? How do I purchase and how does licensing work? Is it named something different now (i.e. ACS)? Any best practices I should be aware of?

5 Replies

Marvin Rhoads
Hall of Fame

Cisco's current TACACS+ offerings are in two products - ACS and ISE. Both are available in hardware appliance and virtual appliance (VMware for ACS or VMware / KVM for ISE).

ACS for Windows was discontinued after version 4.x several years back.

Both products have very detailed implementation and configuration guides.

Marvin! Thank you! This is exactly what I was looking for. Seems that the VMware for ACS or VMware is the way to go since we currently are using ESXi 6.0. Do you know what the pricing is and how licenses work?

ACS comes in 2 licensing levels. Base and an optional "Large Deployment" add on license for more than 500 managed devices.

ISE is much, much more than a TACACS+ server (in fact that capability was only added last fall with Version 1.4). However, to run it as just that, you need any number of ISE Base licenses (these are designed for client network access control use and serve to get any ISE deployment started) plus the Device Administration license. The ISE Device Admin license is not restricted as to how many devices you can manage. (Of course there are real-world limitations if you have thousands of devices and something like a network orchestration / automation system logging into each one multiple times per day, but for most customers this is not an issue.)

We generally don't use the support forums to discuss pricing as that's a more appropriate discussion to have with your selected reseller as there are things to take into consideration unique to your environment in order to build a proper bill of materials.

Generally speaking you would need either:

CSACS-5.8-VM-K9  (ACS 5.8 VMWare Software And Base License)

or

ISE-VM-K9= (Cisco Identity Services Engine Virtual Machine Image)

L-ISE-BSE-100= (Cisco Identity Services Engine 100 EndPoint Base License)

L-ISE-TACACS= (Cisco ISE Device Admin License)

...to get started.

The ISE bits add up to a bit less (about US$12k list price vs. about US$14k) as Cisco is trying to encourage customers to move to ISE unless they really, really need some of the more unusual features that are only still available on ACS.

Mr. Rhoads,

This is great. Since I deal with multiple mid-size networks and currently utilize ESXi 6.0, I believe and will brief for the "CSACS-5.8-VM-K9 (ACS 5.8 VMWare Software And Base License)". My only question is: does this software work well with ESXi 6.0? What I read on Cisco only states ESXi 5.5 compatibility as the latest reference, or am I wrong?

The current release of ACS is 5.8. That version supports ESXi 6.0. See this section in the release notes:

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/release/notes/acs_58_rn.html#pgfId-434573

Version 5.7 only supported ESXi no later than 5.5.

Please mark your question as answered if it has been.