thomas
Cisco Employee

These tables will help you compare the limits, features and performance of the Cisco Access Control Server (ACS) and the Cisco Identity Services Engine (ISE) in order to plan a successful migration.

Key Differentiators

If you are an ACS customer, Cisco partner or security consultant looking for services beyond network access and TACACS+, and for closer integration with Cisco and third-party devices, here is the list of key differentiators between ACS and ISE.

ACS supports only network access and device administration; ISE provides many more services (see ISE Resources at http://cs.co/ise-community for more information). Key points:

  • ISE deployment limits are larger in terms of concurrent endpoints, total endpoints supported, and so on.
  • ISE supports up to 50 PSNs, whereas ACS supports 22 backup servers. Scalability numbers are likely to go up, and these are real advantages for large customers. They are covered in the Deployment Limits section below.
  • ISE supports up to 50 Active Directory domains on a single node; ACS supports 1 Active Directory domain per node.

Here are the differences between ACS and ISE in security, eco-system support, interoperability with Cisco devices (Cisco on Cisco) and third-party functionality.

Functionality | ISE | ACS
--- | --- | ---
Network Access | Yes | Yes
Device Administration | Yes | Yes
Context | Yes | Partial
Visibility | Yes | No
Context sharing with eco-system | Yes | No
Network Segmentation / TrustSec | Yes | Basic
3rd Party Support | Yes | Basic
Threat / Vulnerability / posture scanning and enforcement | Yes | No
AnyConnect Posture | Yes | No
AnyConnect deployment from ISE and integrations | Yes | No
EasyConnect for passive authentication / non-dot1x | Yes | No
Control plane security (RADIUS DTLS / IPsec in ISE 2.2) | Yes | No
Integration with DNAC | Yes | No

  • The primary difference is that ISE gathers and shares context via pxGrid with ISE eco-system partners, consisting of third-party and Cisco devices (around 50+ vendors supported and growing). ACS has no way to share context and does not support profiling, guest services or BYOD services.
  • ISE provides the flexibility of supporting third-party devices, and most recently of using SNMP as a backplane. ACS has no third-party profiles, and even though third-party devices work, integration is not as easy.
  • Another big difference is that ISE is tightly integrated with, and is a linchpin for, TrustSec deployment: it defines, manages and pushes policies and tags, and it propagates tags using SXP. ISE also integrates with the ACI environment in both the policy and data planes. ACS supports tags, but not as powerfully or flexibly as ISE.
  • From a security standpoint, ISE protects devices using posture compliance and threat information from FMC for Threat-Centric NAC. It receives actionable threat information from Cisco AMP/CTA and vulnerability assessment information from Qualys/Tenable/Rapid7 as part of Rapid Threat Containment, and protects the endpoint. ACS does not support threat, vulnerability or posture in general.
  • AnyConnect is tightly integrated with ISE for posture and the other services it supports; ACS supports AnyConnect NAM and VPN. Other solutions around AnyConnect NVM and Lancope work with ISE for enforcement. AnyConnect can also be deployed to endpoints from ISE (just as from ASA).
  • Easy network access using EasyConnect, with more to come in future releases.

Policy Model

Overview of ACS vs ISE Policy Model Presentation

Deployment Limits

Attribute | ACS 5.x Limits | ISE 2.0 Limits | ISE 2.2 Limits
--- | --- | --- | ---
Nodes | 22 | 44 (2 PANs, 2 MnTs, 40 PSNs) | 54 (2 PANs, 2 MnTs, 50 PSNs)
Endpoints | 150,000 | 250,000 concurrent endpoints; 1 M total endpoints | 500,000 concurrent sessions (not specific to endpoints or users); 1.5 M total endpoints
Users | 300,000 | 25,000 internal users; 1 million internal guests | 300,000 internal users
Admins | 50 | - | -
Admin Roles | 9 | - | -
Identity Groups | 1,000 | 500 (users), 500 (endpoints) | 500 (users), 500 (endpoint IDs)
Active Directory Join Points | 1 per node | 50 | 50
Active Directory Group Retrieval | 1,500 | 1,000 | 1,000
Network Devices | 100,000 | 30,000 (network objects, not IPs) | 100,000
Maximum Network Device Groups | 10,000 | 100 | 100
Maximum Top-Level Network Device Groups | 12 | - | -
Maximum Network Device Hierarchies (nested levels) | 6 | - | -
Services | 25 | - | -
Authentication Rules | - | 100 | 100 (Simple Policy Mode); 200 (Policy Set Mode: 2 rules + default per policy set)
Authorization Rules | 320 | 600 with policy sets, 400 without | 600 (Simple Policy Mode); 700 (Policy Set Mode)
Conditions | 8 | 8 | 8
Authorization Profiles | 600 | 600 (recommended < 100) | 600
Service Selection Policy (SSP) | 50 | N/A | 100 (policy sets)
Network Conditions (NARs) | 3,000 | - | -
dACLs | 600 dACLs with 100 ACEs each | 8,000 ACLs | 8,000 ACLs
TrustSec Security Group Tags (SGTs) | - | 4,000 | 4,000
TrustSec Security Group ACLs (SGACLs) | - | 2,500 | 2,500
Maximum number of SXP bindings | N/A | 100,000 | 500,000 (250,000 per SXP-PSN)

The ISE numbers came from the Release Notes, the Admin Guide, TOPIC and the current HLD.

Features

Legend: Yes = supported, No = not supported, N/A = not available.


RADIUS

Feature | ACS 4.2 | ACS 5.8 | ISE 2.0 | ISE 2.1 | ISE 2.2 | ISE 2.3
--- | --- | --- | --- | --- | --- | ---
PAP | Yes | Yes | Yes | Yes | Yes | Yes
CHAP | Yes | Yes | Yes | Yes | Yes | Yes
MS-CHAPv1 and v2 | Yes | Yes | Yes | Yes | Yes | Yes
EAP-MD5 | Yes | Yes | Yes | Yes | Yes | Yes
EAP-TLS | Yes | Yes | Yes | Yes | Yes | Yes
PEAP (with EAP-MSCHAPv2 inner method) | Yes | Yes | Yes | Yes | Yes | Yes
PEAP (with EAP-GTC inner method) | Yes | Yes | Yes | Yes | Yes | Yes
PEAP (with EAP-TLS inner method) | Yes | Yes | Yes | Yes | Yes | Yes
EAP-FAST (with EAP-MSCHAPv2 inner method) | Yes | Yes | Yes | Yes | Yes | Yes
EAP-FAST (with EAP-GTC inner method) | Yes | Yes | Yes | Yes | Yes | Yes
EAP-FAST (with EAP-TLS inner method) | Yes | Yes | Yes | Yes | Yes | Yes
EAP Chaining with EAP-FAST | No | No | Yes | Yes | Yes | Yes
RADIUS Proxy | Yes | Yes | Yes | Yes | Yes | Yes
RADIUS VSAs | Yes | Yes | Yes | Yes | Yes | Yes
LEAP | Yes | Yes | Yes | Yes | Yes | Yes

TACACS+

Feature | ACS 4.2 | ACS 5.8 | ISE 2.0 | ISE 2.1 | ISE 2.2 | ISE 2.3
--- | --- | --- | --- | --- | --- | ---
TACACS+ per-command authorization and accounting | Yes | Yes | Yes | Yes | Yes | Yes
TACACS+ support in IPv6 networks | No | Yes | No | No | No | Yes
TACACS+ change password | Yes | Yes | Yes | Yes | Yes | Yes
TACACS+ enable handling | Yes | Yes | Yes | Yes | Yes | Yes
TACACS+ custom services | Yes | Yes | Yes | Yes | Yes | Yes
TACACS+ proxy | Yes | Yes | Yes | Yes | Yes | Yes
TACACS+ optional attributes | Yes | Yes | Yes | Yes | Yes | Yes
TACACS+ additional auth types (CHAP / MSCHAP) | Yes | Yes | Yes | Yes | Yes | Yes
TACACS+ attribute substitution for shell profiles | Yes | Yes | Yes | Yes | Yes | Yes
TACACS+ customizable port | Yes | Yes | No | Yes | Yes | Yes

Identity Stores

Feature | ACS 4.2 | ACS 5.8 | ISE 2.0 | ISE 2.1 | ISE 2.2 | ISE 2.3
--- | --- | --- | --- | --- | --- | ---
Internal user and host database | Yes | Yes | Yes | Yes | Yes | Yes
Windows Active Directory | Yes | Yes | Yes | Yes | Yes | Yes
LDAP | Yes | Yes | Yes | Yes | Yes | Yes
RSA SecurID | Yes | Yes | Yes | Yes | Yes | Yes
RADIUS token server | Yes | Yes | Yes | Yes | Yes | Yes
ODBC | Yes | No | No | Yes | Yes | Yes
AD server specification per ACS/ISE instance | Yes | Yes | N/A | N/A | N/A | N/A
LDAP server specification per ACS/ISE instance | Yes | No | No | No | Yes | Yes
Map internal user's password to an external ID store | Yes | Yes | No | Yes | Yes | Yes

Internal Users / Administrators

Feature | ACS 4.2 | ACS 5.8 | ISE 2.0 | ISE 2.1 | ISE 2.2 | ISE 2.3
--- | --- | --- | --- | --- | --- | ---
Users: Password complexity | Yes | Yes | Yes | Yes | Yes | Yes
Users: Password aging | Yes | Yes (1) | Yes (1) | Yes (1) | Yes (1) | Yes (1)
Users: Password history | Yes | Yes | Yes | Yes | Yes | Yes
Users: Max failed attempts | Yes | Yes | Yes | Yes | Yes | Yes
Users: Disable user after n days of inactivity | Yes | Yes | No | Yes | Yes | Yes
Admin: Password complexity | Yes | Yes | Yes | Yes | Yes | Yes
Admin: Password aging | Yes | Yes | Yes | Yes | Yes | Yes
Admin: Password history | Yes | Yes | Yes | Yes | Yes | Yes
Admin: Max failed attempts | Yes | Yes | Yes | Yes | Yes | Yes
Admin: Password inactivity | Yes | Yes | No | Yes | Yes | Yes
Admin: Entitlement report | Yes | Yes | Yes | Yes | Yes | Yes
Admin: Session and access restrictions | Yes | Yes | Yes | Yes | Yes | Yes

(1) Warning and disable after a defined interval; a grace period is not supported.

Miscellaneous

Feature | ACS 4.2 | ACS 5.8 | ISE 2.0 | ISE 2.1 | ISE 2.2 | ISE 2.3
--- | --- | --- | --- | --- | --- | ---
Machine Access Restrictions (MAR) caching and distribution | Yes | Yes | Yes | Yes (1) | Yes (1) | Yes
Network Access Restrictions (NARs) | Yes | Yes | No | No | Yes | Yes
RBAC for ISE admins: allow administrators rights to access/modify only subset(s) of a class of objects | Yes | No | No | Yes | Yes | Yes
RBAC for ISE admins: read-only access support | Yes | Yes | No | No | No | Yes
Log viewing and reports | Yes | Yes | Yes | Yes | Yes | Yes
Export logs via syslog | Yes | Yes | Yes | Yes | Yes | Yes
Time-based permissions | Yes | Yes | Yes | Yes | Yes | Yes
Configurable management HTTPS certificate | Yes | Yes | Yes | Yes | Yes | Yes
CRL: LDAP-based definition | Yes | No | Yes | Yes | Yes | Yes
Online Certificate Status Protocol (OCSP) | Yes | Yes | Yes | Yes | Yes | Yes
Comparison of any two attributes in authorization policies | Yes | Yes | Yes | Yes | Yes | Yes
Configurable RADIUS ports | Yes | No | No | No | Yes | Yes
API for user, group and endpoint CRUD operations | Yes | Yes | Yes | Yes | Yes | Yes
Multiple NIC interfaces | N/A | Yes | Yes | Yes | Yes | Yes
Secure syslogs | No | Yes | Yes | Yes | Yes | Yes
EAP-TLS certificate lookup in LDAP or AD | Yes | Yes | Yes | Yes | Yes | Yes
Maximum concurrent sessions per user/group | Yes | Yes (2) | No | No | Yes (2) | Yes (2)
Programmatic interface for network device CRUD operations | Yes | Yes | Yes | Yes | Yes | Yes
Configure devices with IP address ranges | Yes | Yes | No | No | Partial (3) | Yes
Lookup network device by IP address | Yes | Yes | Yes (4) | Yes | Yes | Yes
Dial-in attribute support | Yes | Yes | No | No | Yes | Yes
User-defined attributes for endpoints/hosts | N/A | Yes | No | No | Yes | Yes
RSA token caching | Yes | Yes | No | No | Yes | Yes
Alarm notification on a per-item level | N/A | Yes | No | No | No | Yes
Import and export of command sets | Yes | Yes | No | No | No | Yes
Real-time policy hit counts | Yes | Yes | No | No | No | Yes
Scheduling policy export | Yes | Yes | No | No | No | Yes

(1) ISE 2.0 supports only the MAR cache. ISE 2.1 supports the MAR cache between restarts but not distribution.
(2) For internal users.
(3) When migrating from ACS to ISE, the Migration Tool automatically converts IP ranges in the last octet of the IP address.
(4) Can search by IP address, but this cannot be combined with other fields as search criteria.

Will not be supported by ISE

Feature | ACS 4.2 | ACS 5.8 | ISE 2.0 | ISE 2.1 | ISE 2.2 | ISE 2.3
--- | --- | --- | --- | --- | --- | ---
LEAP proxy | Yes | No | No | No | No | No
Users: User change password (UCP) utility | Yes | Yes | No | No | No | No
Command line / scripting interface (CSUtil) | Yes | Yes | No | No | No | No
Logging to external DB (via ODBC) | Yes (1) | Yes (1) | No | No | No | No
Ability to select logging attributes for syslog messages | Yes | No | No | No | No | No
IP pools | Yes | No | No | No | No | No
Adding hosts with wildcards | Yes | Yes | No | No | No | No
RADIUS token attributes | Yes | Yes | No | No | No | No

(1) Data can be exported from M&T for reporting. Not supported as a log target that can be defined as a critical logger.

Performance

Please refer to the following documents for ACS and ISE performance:

ACS Performance & Scale

ISE Performance & Scale
