- Cisco Community
- Technology and Support
- Security
- Security Knowledge Base
- ACS vs ISE Comparison
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
11-16-2015 12:21 PM - edited 09-30-2018 07:55 PM
- Key Differentiators
- Policy Model
- Deployment Limits
- Features
- RADIUS
- TACACS+
- Identity Stores
- Internal Users / Administrators
- Miscellaneous
- Will not be supported by ISE
- Performance
These tables will help you compare the Limits, Features and Performance of Cisco Access Control Server (ACS) and the Cisco Identity Services Engine (ISE) to successfully migrate.
Key Differentiators
If you are an ACS customer, Cisco partner, security consultant looking for services beyond network access/TACACS+ and closer integration with Cisco devices/third party devices. Here are the list of key differentiators between ACS and ISE.
ACS supports only network access/Device admin. ISE has a lot more services. Please see ISE Resources (http://cs.co/ise-community for more information) . Here are key points
- ISE deployment limits are large in terms of concurrent endpoints and number of endpoints supported etc.
- ISE supports up to 50 PSN’s, ACS supports 22 backup servers. Scalability numbers are likely to go up and these are some advantages for large customers. These are covered in Deployment limits section below.
- ISE supports upto 50 Active directory domains on a single node. ACS is 1 Active directory domain per node.
Here are the difference between ACS and ISE from security, eco-system support, interoperability with Cisco devices(Cisco on Cisco) and third party functionalities.
| Functionality |
ISE |
ACS |
|---|---|---|
| Network Access | Yes | Yes |
| Device Administration | Yes | Yes |
| Context | Yes | Partial |
| Visibility | Yes | No |
| Context sharing with Eco-system | Yes | No |
| Network Segmentation/ TRUSTSEC | Yes | Basic |
| 3rd Party Support | Yes | Basic |
| Threat/ Vulnerability/ posture scanning and enforcement | Yes | No |
| Anyconnect Posture | Yes | No |
| Anyconnect deployment from ISE and integrations | Yes | No |
| EasyConnect for passive authentication/non-dot1x | Yes | No |
| Control plan security ( Radius - DTLS/ IPSec in ISE 2.2) | Yes | No |
| Integration with DNAC | Yes | No |
- Primary difference ISE is used to gather and share context using PxGrid to ISE eco-system partners consisting of third party and Cisco devices (around 50+ vendors supported and growing). ACS does not have way to share context nor support profiling, or guest services/BYOD services.
- ISE provides flexibility of supporting 3rd party devices and latest support of using SNMP as a backplane. ACS does not have third party profiles and even though third party devices would work, integration is not as easier.
- Another big difference is that ISE is tightly integrated and is a linchpin for TRUSTSEC deployment to define, manage and push policies/tags etc and is also used for propagation of tags using SXP. ISE also integrates with ACI environment in both policy and data plane. ACS support tags but not as powerful and flexible as ISE.
- From a security standpoint, ISE provides protection on devices using posture compliance and threat information from FMC for Threat centric NAC. It receives actionable threat information from Cisco AMP/CTA and vulnerability assessment information from Qualys/Tenable/Rapid 7 as part of Rapid Thread Containment, and protects the endpoint. ACS does not support Threat, Vulnerability or posture in general.
- Anyconnect is tightly integrated with ISE for posture and other services it supports, ACS supports Anyconnect NAM and VPN. Other solutions around Anyconnect NVM, Lancope works with ISE for enforcement. Anyconnect can be also deployed to endpoints from ISE( just like in ASA).
- Easy network access using Easyconnect and many more in the coming releases.
Policy Model
Overview of ACS vs ISE Policy Model Presentation
Deployment Limits
| Attribute | ACS 5.x Limits | ISE 2.0 Limits | ISE 2.2 Limits |
|---|---|---|---|
| Nodes |
22 |
44 (2 PANs, 2 MnTs, 40 PSNs) | 54(2 PANs, 2 MnTs, 50 PSNs) |
| Endpoints | 150,000 | 250,000 concurrent endpoints 1 M total endpoints |
500,000 concurrent sessions (not specific to Endpoint or Users) 1.5M Total endpoints |
| Users | 300,000 | 25,000 Internal Users 1 million Internal Guests |
300,000 Internal Users |
| Admins | 50 | -- | - |
| Admin Roles | 9 | - | - |
| Identity Groups | 1,000 | 500(Users), 500(Endpoints) | 500(User), 500(End-point ID) |
| Active Directory Join Points | 1 per Node | 50 | 50 |
| Active Directory Group Retrieval | 1500 | 1000 | 1000 |
| Network Devices | 100,000 | 30,000 (network objects not IP's) | 100,000 |
| Maximum Network Device Groups | 10,000 | 100 | 100 |
| Maximum Top Level Network Device Groups | 12 | - | - |
| Maximum Network Device Hierarchies (nested levels) | 6 | - | - |
| Services | 25 | - | - |
| Authentication Rules | - | 100 |
100 (Simple Policy Mode) 200 (Policy Set Mode--2 rules + default per policy set) |
| Authorization Rules | 320 | 600 with policy sets, 400 without |
600 (Simple Policy Mode) 700 (Policy Set Mode) |
| Conditions | 8 | 8 | 8 |
| Authorization Profile | 600 | 600 ( Recommended < 100) | 600 |
| Service Selection Policy (SSP) | 50 | N/A | 100 (Policy sets) |
| Network Conditions (NARs) | 3,000 | - | - |
| dACLs | 600 dACL with 100 ACEs each | 8000 ACLs | 8000 ACLs |
| TrustSec Security Group Tags (SGT) | - | 4,000 | 4,000 |
| TrustSec Security Group ACLs (SGACLs) | - | 2,500 | 2,500 |
| Maximum number of SXP bindings | N/A | 100,000 | 500,000(250,000 per SXP-PSN) |
The ISE numbers came from Release Notes, Admin Guide, TOPIC and the current HLD.
Features
#66FF66 is Supported
#FF6666 is Not Supported
#FFFF00 is Not Available (N/A)
RADIUS |
ACS 4.2 | ACS 5.8 | ISE 2.0 | ISE 2.1 |
ISE 2.2 |
ISE 2.3 |
|---|---|---|---|---|---|---|
| PAP | Yes | Yes | Yes | Yes | Yes | Yes |
| CHAP | Yes | Yes | Yes | Yes | Yes | Yes |
| MS-CHAPv1 and v2 | Yes | Yes | Yes | Yes | Yes | Yes |
| EAP-MD5 | Yes | Yes | Yes | Yes | Yes | Yes |
| EAP-TLS | Yes | Yes | Yes | Yes | Yes | Yes |
| PEAP (with EAP-MSCHAPv2 inner method) | Yes | Yes | Yes | Yes | Yes | Yes |
| PEAP (with EAP-GTC inner method) | Yes | Yes | Yes | Yes | Yes | Yes |
| PEAP (with EAP-TLS inner method) | Yes | Yes | Yes | Yes | Yes | Yes |
| EAP-FAST (with EAP-MSCHAPv2 inner method) | Yes | Yes | Yes | Yes | Yes | Yes |
| EAP-FAST (with EAP-GTC inner method) | Yes | Yes | Yes | Yes | Yes | Yes |
| EAP-FAST (with EAP-TLS inner method) | Yes | Yes | Yes | Yes | Yes | Yes |
| EAP Chaining with EAP-FAST | No | No | Yes | Yes | Yes | Yes |
| RADIUS Proxy | Yes | Yes | Yes | Yes | Yes | Yes |
| RADIUS VSAs | Yes | Yes | Yes | Yes | Yes | Yes |
| LEAP | Yes | Yes | Yes | Yes | Yes | Yes |
TACACS+ |
ACS 4.2 | ACS 5.8 | ISE 2.0 | ISE 2.1 | ISE 2.2 | ISE 2.3 |
| TACACS+ per-command authorization and accounting | Yes | Yes | Yes | Yes | Yes | Yes |
| TACACS+ support in IPv6 networks | No | Yes | No | No | No | Yes |
| TACACS+ change password | Yes | Yes | Yes | Yes | Yes | Yes |
| TACACS+ enable handling | Yes | Yes | Yes | Yes | Yes | Yes |
| TACACS+ custom services | Yes | Yes | Yes | Yes | Yes | Yes |
| TACACS+ proxy | Yes | Yes | Yes | Yes | Yes | Yes |
| TACACS+ optional attributes | Yes | Yes | Yes | Yes | Yes | Yes |
| TACACS+ additional auth types (CHAP / MSCHAP) | Yes | Yes | Yes | Yes | Yes | Yes |
| TACACS+ attribute substitution for Shell profiles | Yes | Yes | Yes | Yes | Yes | Yes |
| TACACS+ customizable port | Yes | Yes | No | Yes | Yes | Yes |
Identity Stores |
ACS 4.2 | ACS 5.8 | ISE 2.0 | ISE 2.1 | ISE 2.2 | ISE 2.3 |
| Internal User & Host Database | Yes | Yes | Yes | Yes | Yes | Yes |
| Windows Active Directory | Yes | Yes | Yes | Yes | Yes | Yes |
| LDAP | Yes | Yes | Yes | Yes | Yes | Yes |
| RSA SecurID | Yes | Yes | Yes | Yes | Yes | Yes |
| RADIUS token server | Yes | Yes | Yes | Yes | Yes | Yes |
| ODBC | Yes | No | No | Yes | Yes | Yes |
| AD Server specification per ACS/ISE instance | Yes | Yes | N/A | N/A | N/A | N/A |
| LDAP Server specification per ACS/ISE instance | Yes | No | No | No | Yes | Yes |
| Map internal user’s password to an external ID store | Yes | Yes | No | Yes | Yes | Yes |
Internal Users / Administrators |
ACS 4.2 | ACS 5.8 | ISE 2.0 | ISE 2.1 | ISE 2.2 |
ISE 2.3 |
| Users: Password complexity | Yes | Yes | Yes | Yes | Yes | Yes |
|
Users: Password aging 1. Warning and disable after defined interval. Grace period is not supported |
Yes | Yes1 | Yes1 | Yes1 | Yes1 | Yes1 |
| Users: Password history | Yes | Yes | Yes | Yes | Yes | Yes |
| Users: Max failed attempts | Yes | Yes | Yes | Yes | Yes | Yes |
| Users: Disable user after n day of inactivity | Yes | Yes | No | Yes | Yes | Yes |
| Admin: Password complexity | Yes | Yes | Yes | Yes | Yes | Yes |
| Admin: Password aging | Yes | Yes | Yes | Yes | Yes | Yes |
| Admin: Password history | Yes | Yes | Yes | Yes | Yes | Yes |
| Admin: Max failed attempts | Yes | Yes | Yes | Yes | Yes | Yes |
| Admin: Password inactivity | Yes | Yes | No | Yes | Yes | Yes |
| Admin: entitlement report | Yes | Yes | Yes | Yes | Yes | Yes |
|
Admin: session and access restrictions |
Yes | Yes | Yes | Yes | Yes | Yes |
Miscellaneous |
ACS 4.2 | ACS 5.8 | ISE 2.0 | ISE 2.1 | ISE 2.2 |
ISE 2.3 |
|
Machine Access Restrictions caching and Distribution 1. ISE 2.0 supports only MAR cache. ISE 2.1 supports MAR cache between restarts but not distribution |
Yes | Yes | Yes | Yes 1 | Yes1 | Yes |
| Network Access Restrictions (NARs) | Yes | Yes | No | No | Yes | Yes |
| RBAC for ISE Admin to allow administrators' rights to access/modify only subset(s) of a class of objects | Yes | No | No | Yes | Yes | Yes |
| RBAC for ISE Admin to allow administrators' rights to access Read-Only support | Yes | Yes | No | No | No | Yes |
| Log Viewing and reports | Yes | Yes | Yes | Yes | Yes | Yes |
| Export logs via SYSLOG | Yes | Yes | Yes | Yes | Yes | Yes |
| Time based permissions | Yes | Yes | Yes | Yes | Yes | Yes |
| Configurable management HTTPS certificate | Yes | Yes | Yes | Yes | Yes | Yes |
| CRL: LDAP based definition | Yes | No | Yes | Yes | Yes | Yes |
| Online Certificate Status Protocol (OCSP) | Yes | Yes | Yes | Yes | Yes | Yes |
| Comparison of any two attributes in authorization policies | Yes | Yes | Yes | Yes | Yes | Yes |
| Configurable RADIUS ports | Yes | No | No | No | Yes | Yes |
| API for users, groups and end-point CRUD operations | Yes | Yes | Yes | Yes | Yes | Yes |
| Multiple NIC interfaces | N/A | Yes | Yes | Yes | Yes | Yes |
| Secure Syslogs | No | Yes | Yes | Yes | Yes | Yes |
| EAP-TLS Certificate lookup in LDAP or AD | Yes | Yes | Yes | Yes | Yes | Yes |
| Maximum concurrent sessions per user/group
1. For internal users |
Yes | Yes1 | No | No | Yes1 | Yes1 |
| Programmatic Interface for network device CRUD operations | Yes | Yes | Yes | Yes | Yes | Yes |
| Configure devices with IP address ranges
1. When migrating from ACS to ISE, the Migration Tool automatically converts IP ranges in the last octet of the IP. |
Yes | Yes | No | No | Partial1 | Yes |
|
Lookup Network Device by IP address 2. Can search by IP address but this can’t be used in combination with other fields as search criteria |
Yes | Yes | Yes 2 | Yes | Yes | Yes |
| Dial-in Attribute Support | Yes | Yes | No | No | Yes | Yes |
| User-defined attributes for endpoints/hosts | N/A | Yes | No | No | Yes | Yes |
| RSA Token caching | Yes | Yes | No | No | Yes | Yes |
| Alarm notification on a per-item level | N/A | Yes | No | No | No | Yes |
| Import and export of Command Sets | Yes | Yes | No | No | No | Yes |
| Real time Policy hit counts | Yes | Yes | No | No | No | Yes |
| Scheduling policy export | Yes | Yes | No | No | No | Yes |
Will not be supported by ISE |
||||||
| LEAP Proxy | Yes | No | No | No | No | No |
| Users: User change password (UCP) utility | Yes | Yes | No | No | No | No |
| Command line / scripting interface (CSUtil) | Yes | Yes | No | No | No | No |
|
Logging to external DB (via ODBC) 1. Data can be exported from M&T for reporting. Not supported as log target that can be defined as critical logger |
Yes | Yes | No | No | No | No |
| Ability to select logging attributes for syslog messages | Yes | No | No | No | No | No |
| IP Pools | Yes | No | No | No | No | No |
| Adding hosts with Wildcards | Yes | Yes | No | No | No | No |
| RADIUS Token attributes | Yes | Yes | No | No | No | No |
Performance
Please refer to the following documents for ACS and ISE performance:
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: