benefits of Cisco ACS 5.7

cciesec2011 (Level 3)

Hi Everyone,

I am currently using Cisco ACS 5.4 with patch 7 only to manage users logging into network devices (i.e. TACACS+ and RADIUS).

Cisco just released 5.7 on May 12th. Any benefits to upgrading from 5.4 patch 7 to ACS 5.7?

In the release notes, I see this for 5.7:

- Maximum Failed Attempts Count Policy
- New Sub-Attributes for Service Type RADIUS IETF Attribute
- Supporting SNMP Traps for Monitoring Disk Utilization
- Log Message for CLI Administrator Account Locked Out
- Establishing New Connection from Sybase if Oracle is down
- Length Included Flags in Access Policies for TWLU Clients
- ACS CLI Changes to TCP Parameters
- New Light Weight REST API (getAllDevices)
- RSA Public Key Authentication for SFTP Repository

Based on the release notes, I am not seeing any benefits of upgrading from 5.4 patch 7 to 5.7.

Comments anyone?

Thanks,

2 Replies

nspasov (Cisco Employee)

Hi there, in addition to new features, newer versions of ACS also address known bugs and vulnerabilities. Those can be found in the release notes for each version. For instance, just in v5.7 there were tons of bugs and vulnerabilities that were resolved (see below). You are in version 5.4 so you can check the release notes for 5.5, 5.6 and 5.7 and you will find a pretty lengthy list :)

Resolved ACS Issues

Table 4 lists the issues that are resolved in ACS 5.7.

Table 4 Resolved Issues in ACS 5.7

Bug ID      Description
CSCua13802  The system status and the AAA status are shown as not available and zero in the dashboard.
CSCuo89940  Able to download files from an expired URL from ACS 5.x.
CSCup22665  Multiple vulnerabilities are found in OpenSSL.
CSCup58251  Evaluating CVE-2008-5161 in Cisco Secure ACS.
CSCup90024  ACS 5.x fails to start the runtime services if an Identity Store name contains an underscore followed by a number.
CSCuq56122  Unable to launch the Monitoring and Reports web interface from a secondary ACS instance in a distributed deployment using the Mozilla Firefox browser.
CSCuq74150  Open Redirect vulnerability is found in the ACS web interface.
CSCuq79027  Injection vulnerability is found in ACS.
CSCuq79034  ACS bypasses authorizations.
CSCur00511  ACS evaluation for CVE-2014-6271 and CVE-2014-7169. This fix addresses the vulnerabilities identified in the bash shell by upgrading to the required system libraries. This patch includes security fixes, and as a result the ACS server prompts for a reboot, which is highly recommended for a successful installation of the patch.
CSCur07409  Modify TCP settings to enhance TACACS+ performance in ACS 5.x.
CSCur27402  Unable to schedule reports in the ACS 5.6 Reports web interface.
CSCur30345  SSLv3 POODLE vulnerability evaluation is found in ACS.
CSCur42721  Improvement is required in ACS 5.x TACACS+ threading.
CSCur59417  ACS 5.x web interface fields do not allow the single quote, apostrophe, and plus symbols.
CSCur93568  RSA SecurID authentication fails to work when you perform authentication using RSA SecurID for the first time.
CSCus05897  Users can log in to ACS and perform RADIUS authentication with expired passwords.
CSCus17482  The primary instance sends an incorrect reference to the secondary instances after deleting an object from the primary instance.
CSCus42056  Incremental backup issues in ACS View.
CSCus64212  Scheduled reports in ACS 5.6 do not display all columns.
CSCus68826  ACS 5.x is vulnerable to CVE-2015-0235.
CSCus80750  Service selection rule fails to match if the first TACACS+ ASCII request does not have the username.
CSCus97002  Favorite reports in ACS 5.6 do not display any data.
CSCut01441  Runtime crashes if ACS receives a SIGPIPE (broken pipe) signal.

As a result, I recommend that you try to stay on a pretty recent version. Now, 5.7 was just released, so I would not go to that one right away. I personally like to wait till the first patch is released. The first patch usually addresses all of the issues that were reported by people who upgrade right away. :) However, I would recommend that you upgrade to v5.6!

I hope this helps!


Thank you for rating helpful posts!
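As an added example (not from this thread or from Cisco), here is a small Python parser that takes the flattened Bug ID / Description table quoted above and pulls out the rows that name a CVE or use security wording, which is the part of the release notes the reply says to weigh when deciding whether an upgrade is worth it. The sample rows are copied from the table above; the bug-id pattern, the CVE pattern and the keyword list are assumptions made for this example.

```python
import re

# Constructed sample in the flattened "Bug ID / Description" layout of the
# release-notes table quoted above (three rows copied from it).
SAMPLE_NOTES = """\
Bug ID
Description

CSCup22665

Multiple Vulnerabilities are found in OpenSSL.

CSCur00511

ACS evaluation for CVE-2014-6271 and CVE-2014-7169.

This fix addresses the vulnerabilities identified in the bash shell.

CSCus42056

Incremental backup issues in ACS View.
"""

BUG_ID = re.compile(r"^CSC[a-z]{2}\d{5}$")   # assumed shape of a Cisco bug id
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")
SECURITY_WORDS = ("vulnerab", "bypass", "injection", "redirect", "expired password")

def parse_resolved_issues(text):
    """Group every bug id with the description line(s) that follow it."""
    issues = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue                              # blank separator rows
        if BUG_ID.match(line):
            issues.append({"bug_id": line, "description": "", "cves": []})
        elif issues:                              # also skips the header rows
            cur = issues[-1]
            cur["description"] = (cur["description"] + " " + line).strip()
            cur["cves"] += [c for c in CVE_ID.findall(line) if c not in cur["cves"]]
    return issues

def is_security_fix(issue):
    """True when the row names a CVE or uses security wording."""
    text = issue["description"].lower()
    return bool(issue["cves"]) or any(w in text for w in SECURITY_WORDS)

def security_fixes(text):
    """The resolved issues an upgrade decision should weigh first."""
    return [i for i in parse_resolved_issues(text) if is_security_fix(i)]
```

Running security_fixes over the full table above would list every CVE-bearing and vulnerability row, which is a quicker way to answer "is there a benefit?" than reading the feature list alone.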

Venkatesh Attuluri (Cisco Employee)

Cisco Secure ACS 5.7 adds the following new features:

- Option for storing passwords' hashes instead of in clear text
- Ability to disable users after N days of inactivity
- Disable users after N failed attempts on a user or group basis
- Notify users/admins via e-mail N days before their password expires
- Ability to add new values for attributes in the RADIUS dictionary
- Create a new connection to the Oracle Sybase database for every export job
- Option to expire MAB (host) entries in the internal database
- Customization of the TACACS+ port number
- SNMP MIB support for monitoring disk utilization
- Support for using PKI infrastructure keys for backing up the database and logs via SFTP
- Support for logging into a Microsoft SQL 2012 database
- New REST API call to read device info faster