Pros and Cons
Migrating ACS 3.x is a multi-step process, where you have to migrate to 4.x and then to 5.x. Migration might not be easy and straightforward.
ACS 3.x reached EOL and End of Support around 7 years back, so you might not be able to find the resources for upgrading/migrating. If you need to migrate, you need a staging server where you restore the DB to do the migration. Development and support for this product ended a while back, and if you have issues Cisco may not be able to support you.
There are significant architectural differences between 4.x and 5.x, so the UI and the policy constructs have changed.
Also, 5.x would not work on a Windows platform and needs an appliance or VM form factor, which you might already be aware of. ACS 5.x does not have RDBMS support and a few other features that ACS 4.x/3.x had.
Here is a feature comparison list between 3.x, 4.x and 5.x.
Recommendation
- Go with the ISE server, keeping in mind that ISE is the focus of this BU long term and will be the successor of ACS. Here are the reasons:
  - It is likely that ACS 5.8 would be EOL’ed next year.
  - The ISE server has the same run-time TACACS+ engine that ACS has and has all the TACACS+ functionality of ACS 5.x.
  - ISE consistently won the Gartner award for NAC in 2014, 2013 and 2012, and one from Frost and Sullivan. ISE also received the Best NAC Solution award from SC Magazine at the RSA conference this year.
  - Further, it supports key functionality that you can take advantage of: providing visibility to every device and user in your network and gathering context on who, what, when, how and where endpoints and users are accessing your network; providing network segmentation efficiently using TrustSec, better than traditional ACLs and VLANs; working with third-party MDM vendors; and mitigating threats by sharing context data with the partner ecosystem and within Cisco, such as Lancope, NGFirewall and WSA, as well as SIEMs such as Splunk.
- Install ACS 5.8 and do manual configuration. ACS 5.x supports import/export and a REST API for many configurations, and when you are ready, migrate over to ISE. This is a two-step process for you, considering the time you spend, the cost of training, and the cost of moving your devices to your new ACS server.
Finally, if you want to migrate 3.3, here are the steps.
- Migrate from 3.3 to 5.8
- Reference guide to migrate from 3.3 to 4.2