DATA SHEET

CISCO SECURE ACCESS CONTROL SERVER 4.0 FOR WINDOWS

®
Cisco Secure Access Control Server provides a comprehensive identity-based access control solution for Cisco intelligent
information networks. It is the integration and control layer for managing enterprise network users, administrators, and the
resources of the network infrastructure.

Cisco® Secure Access Control Server provides a comprehensive identity-based access control solution for Cisco intelligent information networks.
It is the integration and control layer for managing enterprise network users, administrators, and the resources of the network infrastructure.

PRODUCT OVERVIEW
With an ever-increasing number of methods for accessing networks today, security breaches and uncontrolled user access are a primary concern
among enterprises. With the wide adoption of IEEE 802.11 wireless LANs and ubiquitous broadband Internet connections, security challenges exist
not only at the perimeter, but also inside a network. Identity networking technologies that can mitigate these security vulnerabilities have become of
prime interest to customers worldwide.

Stronger forms of authentication, such as public key infrastructure (PKI) and one-time passwords (OTPs), are increasingly used to control user access
to corporate resources from public networks. Network administrators look for solutions that provide flexible authorization policies that are tied to the
user identity, as well as to the network access type and the security of the machine used to access the network. Lastly, the ability to centrally track
and monitor the connectivity of network users is of primary importance in isolating unwanted and excessive use of valuable network resources.

Cisco® Secure ACS (ACS) is a highly scalable, high-performance access control server that operates as a centralized RADIUS and TACACS+ server.
Cisco Secure ACS extends access security by combining authentication, user access, and administrator access with policy control within a centralized
identity networking solution, allowing greater flexibility and mobility, increased security, and user productivity gains. It enforces a uniform security
policy for all users regardless of how users access the network. It reduces the administrative and management burden involved in scaling user and
network administrator access to the network. By using a central database for all user accounts, Cisco Secure ACS centralizes the control of all user
privileges and distributes them to hundreds or thousands of access points throughout the network. As an accounting service, Cisco Secure ACS
provides detailed reporting and monitoring capabilities of network users’ behavior and keeps a record of every access connection and device
configuration change across the entire network. This feature has become extremely important for organizations in complying with Sarbanes Oxley
regulations. Cisco Secure ACS supports a broad variety of access connections, including wired and wireless LAN, dialup, broadband, content,
storage, voice over IP (VoIP), firewalls, and VPNs.

Cisco Secure ACS is an important component of the Cisco Identity-Based Networking Services (IBNS) architecture. Cisco IBNS is based on
port-security standards such as 802.1x (an IEEE standard for port-based network access control) and Extensible Authentication Protocol (EAP),
and extends security authentication, authorization, and accounting (AAA) from the perimeter of the network to every connection point inside
the LAN. New policy controls (such as per-user quotas, VLAN assignments, and access-control lists [ACLs]) can be deployed within this new
architecture, due to the extended capabilities of Cisco switches and wireless access points to query Cisco Secure ACS over the RADIUS protocol.

Cisco Secure ACS is also an important component of Cisco Network Admission Control (NAC). Cisco NAC is an industry initiative sponsored
by Cisco Systems® that uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing
resources, thereby limiting damage from viruses and worms. With NAC, customers can allow network access only to compliant and trusted endpoint
devices (for instance, PCs, servers, and personal digital assistants) and can restrict the access of noncompliant devices. Cisco NAC is part of the

All contents are Copyright © 1992–2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Page 1 of 5
Cisco Self-Defending Network initiative and is the foundation for enabling network admission control on Layer 2 and Layer 3 networks. Future
phases extend endpoint and network security interoperation to include dynamic incident-containment capabilities. This innovation enables compliant
system elements to report misuse emanating from rogue or infected systems during an attack. Thus, infected systems can be dynamically quarantined
from the rest of the network to significantly reduce virus, worm, and blended threat propagation.

Cisco Secure ACS is a powerful access control server with many high-performance and scalability features for any organization growing its WAN
or LAN connectivity. Table 1 lists the main benefits of Cisco Secure ACS.

Table 1. Main Cisco Secure ACS Benefits

Benefit Description
Ease of Use A Web-based user interface simplifies and distributes configuration for user profiles, group profiles, and Cisco Secure
ACS configuration.
Scalability Cisco Secure ACS is built to support large networked environments with support for redundant servers, remote
databases, and database replication and backup services.
Extensibility Lightweight Directory Access Protocol (LDAP) authentication forwarding supports the authentication of user profiles
stored in directories from leading directory vendors, including Sun, Novell, and Microsoft.
Management Windows Active Directory support consolidates Windows user name and password management and uses the
Windows Performance Monitor for real-time statistics viewing.
Administration Different access levels for each Cisco Secure ACS administrator—and the ability to group network devices—enable
easier control and maximum flexibility to facilitate enforcement and changes of security policy administration over all
the devices in a network.
Product Flexibility Because Cisco IOS® Software has embedded support for AAA, Cisco Secure ACS can be used across virtually any
network access server that Cisco sells (the Cisco IOS Software release must support RADIUS or TACACS+).
Integration Tight coupling with Cisco IOS routers and VPN solutions provides features such as Multichassis Multilink Point-to-Point
Protocol (PPP) and Cisco IOS Software command authorization.
Third-Party Support Cisco Secure ACS offers token server support for any OTP vendor that provides an RFC-compliant RADIUS interface
(such as RSA, PassGo, Secure Computing, ActiveCard, Vasco, or CryptoCard).
Control Cisco Secure ACS provides dynamic quotas for time-of-day, network use, number of logged sessions, and day-of-week
access restrictions.

FEATURES AND BENEFITS

Cisco Secure ACS 4.0 provides the following new features and benefits:

• Cisco NAC support—Cisco Secure ACS 4.0 acts as a policy decision point in NAC deployments. Using configurable policies, it evaluates the
credentials received from the Cisco Trust Agent, determines the state of the host, and sends a per-user authorization to the network access device:
ACLs, a policy-based ACL, or a private VLAN assignment. Evaluation of the host credentials can enforce many specific policies, such as OS
patch level and antivirus DAT file version. Cisco Secure ACS records the policy evaluation results for use with your monitoring system. Cisco
Secure ACS 4.0 also allows hosts without the appropriate agent technology to be audited by third-party audit vendors before granting network
access. Cisco Secure ACS policies can be extended with external policy servers to which Cisco Secure ACS forwards credentials. For example,
credentials specific to an antivirus vendor can be forwarded to the vendor’s antivirus policy server, and audit policy requests can be forwarded
to audit vendors.
• Scalability improvements—Cisco Secure ACS 4.0 has been upgraded to use an industry-standard RDMBS system, improving the number of
devices (AAA clients) supported by 10x and number of users by 3x. There have also been significant improvements in performance (transactions
per second) across the protocol portfolio that Cisco Secure ACS supports.
• Profile-based policies—Cisco Secure ACS 4.0 supports a new feature called network access profiles, which allow administrators to classify access
requests according to network location, membership in a network device group, protocol type, or other specific RADIUS attribute values sent by

© 2005 Cisco Systems, Inc. All rights reserved.

Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.
Page 2 of 5
 the network device through which the user connects. Authentication, access control, and authorization policies can be mapped to specific profiles.
An example of a profile-based policy is the ability to apply a different access policy for wireless access versus remote (VPN) access.
• Extended replication components—Cisco Secure ACS 4.0 has improved and enhanced replication. Administrators now have the capability to
replicate network access profiles and all related configuration, including posture validation settings, AAA clients and hosts, external database
configuration, global authentication configuration, network device groups, dictionaries, shared profile components, and additional logging
attributes.
• EAP-Flexible Authentication via Secure Tunneling (FAST) enhanced support—EAP-FAST is a new, publicly accessible IEEE 802.1x EAP
type developed by Cisco to support customers that cannot enforce a strong password policy or that wish to deploy an 802.1x EAP type that does
not require digital certificates, supports a variety of user and password database types, supports password expiration and change, and is flexible,
easy to deploy, and easy to manage. For example, a customer that cannot enforce a strong password policy and does not want to use certificates
can migrate to EAP-FAST for protection from dictionary attacks. Cisco Secure ACS 4.0 adds support for EAP-FAST supplicants available on a
wide variety of wireless client adapters.
• Downloadable IP ACLs—Cisco Secure ACS 4.0 extends per-user ACL support to any Layer 3 network device that supports this feature. This
includes Cisco PIX® security appliances, Cisco VPN solutions, and Cisco IOS routers. You can define sets of ACLs that can be applied per user
or per group. This feature complements NAC support by enabling the enforcement of the correct ACL policy. When used in conjunction with
network access filters, downloadable ACLs can be applied differently per device, allowing you to tailor ACLs uniquely per user or per access
device.
• Certification Revocation List (CRL) comparison—Cisco Secure ACS 4.0 support certificate revocation using the X.509 CRL profile. A CRL
is a time-stamped list identifying revoked certificates, which is signed by a certificate authority or CRL issuer and made freely available in a public
repository. Cisco Secure ACS 4.0 periodically retrieves the CRLs from provisioned CRL distribution points, using LDAP or HTTP, and stores
them for use during EAP-Transport Layer Security (EAP-TLS) authentication. If the certificate presented by the user during an EAP-TLS
authentication is present in the retrieved CRL, Cisco Secure ACS fails the authentication and denies access to the user. This capability is extremely
important in view of frequent organizational changes, and protects valuable company assets in case of fraudulent network use.
• Machine access restrictions—Cisco Secure ACS 4.0 includes machine access restrictions as an enhancement of Windows machine
authentication. When Windows machine authentication is enabled, you can use machine access restrictions to control authorization of EAP-TLS
and Microsoft Protected Extensible Authentication Protocol (PEAP) users who authenticate with a Windows external user database. Users who
access the network with a computer that has not passed machine authentication within a configurable length of time are given the authorizations of
a user group that you specify and which you can configure to limit authorization as needed. Alternatively, you can deny network access altogether.
• Network Access Filter (NAF)—Cisco Secure ACS 4.0 includes NAFs as a new type of shared profile component. A NAF provides a flexible way
of applying network-access restrictions and downloadable ACLs on network device names, network device groups, or their IP addresses. NAFs
applied by IP address can use IP address ranges and wildcards. This feature introduces granular application of network access restrictions and
downloadable ACLs, both of which previously supported only the use of the same access restrictions or ACLs to all devices. NAFs allow flexible
network device restriction policies to be defined, a requirement common in large environments.
• Additional support of Cisco hardware devices—Cisco Secure ACS 4.0 includes support for Cisco wireless LAN controllers and Cisco adaptive
security appliances.

© 2005 Cisco Systems, Inc. All rights reserved.

Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.
Page 3 of 5
SYSTEM REQUIREMENTS
Cisco Secure ACS is available in two options: Cisco Secure ACS for Windows and the Cisco Secure ACS Solution Engine—a 1-rack-unit (RU),
security-hardened appliance with a preinstalled Cisco Secure ACS license.

For implementation of Cisco Secure ACS for Windows, your Windows server must meet the minimum hardware requirements listed in Table 2.

Table 2. Minimum Server Specifications for Cisco Secure ACS for Windows

Specification Minimum Requirement

Processor Speed Pentium IV processor, 1.8 GHz or faster
Memory Minimum 1 GB RAM
Hard Drive Minimum 250 MB free disk space
Resolution Minimum of 800 x 600 (256 colors)

ORDERING INFORMATION
Cisco Secure ACS is available for purchase through regular Cisco sales and distribution channels worldwide. Cisco Secure ACS for Windows
includes all the necessary components needed for an independent installation on a Microsoft Windows workstation. The Cisco Secure ACS Solution
Engine is shipped with a preinstalled Cisco Secure ACS software license. Refer to the Cisco Secure ACS 4.0 product bulletin for product numbers.

To place an order, visit the Cisco Ordering Home Page.

SERVICE AND SUPPORT

Cisco offers a wide range of services programs to accelerate customer success. These innovative programs are delivered through a unique
combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco services help you to protect your
network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power
of your business. For more information about Cisco services, see Cisco Technical Support Services.

FOR MORE INFORMATION

For more information about Cisco Secure ACS 4.0, including the user guide and release notes, please visit http://www.cisco.com/go/acs.

For questions about product ordering, availability, and support contract information, send e-mail to the product marketing group at ACS-
MKT@cisco.com.

© 2005 Cisco Systems, Inc. All rights reserved.

Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.
Page 4 of 5
Corporate Headquarters European Headquarters Americas Headquarters Asia Pacific Headquarters
Cisco Systems, Inc. Cisco Systems International BV Cisco Systems, Inc. Cisco Systems, Inc.
170 West Tasman Drive Haarlerbergpark 170 West Tasman Drive 168 Robinson Road
San Jose, CA 95134-1706 Haarlerbergweg 13-19 San Jose, CA 95134-1706 #28-01 Capital Tower
USA 1101 CH Amsterdam USA Singapore 068912
www.cisco.com The Netherlands www.cisco.com www.cisco.com
Tel: 408 526-4000 www-europe.cisco.com Tel: 408 526-7660 Tel: +65 6317 7777
800 553-NETS (6387) Tel: 31 0 20 357 1000 Fax: 408 527-0883 Fax: +65 6317 7799
Fax: 408 526-4100 Fax: 31 0 20 357 1100

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on
the Cisco Website at www.cisco.com/go/offices.

Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Cyprus
Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel
Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal
Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan
Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe

Copyright 2005 Cisco Systems, Inc. All rights reserved. CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.;
Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP,
CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity,
Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ
Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-
Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient, and TransPath are
registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

© the
All other trademarks mentioned in this document or Website are 2005 Cisco
property of Systems, Inc.owners.
their respective All rights reserved.
The use of the word partner does not imply a partnership relationship between
Cisco and any other company. (0502R) notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.
Important 205318.BQ_ETMG_KM_9.05
Page 5 of 5
Printed in the USA