Feature | ACS 3.x / 4.x | ACS 5.8 | Notes |
---|---|---|---|
**Platform Support** | | | |
1111 | Yes | No | |
1112 | Yes | No | |
1113 | Yes | No | |
1120 | Yes (4.2) | Yes | ACS 5.0 shipping appliance |
1121 | No | Yes | ACS 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, and 5.8 shipping appliance |
3415 | No | Yes | ACS 5.4, 5.5, 5.6, 5.7, and 5.8 shipping appliance |
3495 | No | Yes | ACS 5.5, 5.6, 5.7, and 5.8 shipping appliance |
Windows Server | Yes | No | |
Virtual machine | VMware ESX 3.x | VMware ESXi 5.0, 5.0 Update 2, 5.1, 5.5, 5.5 Update 1, and 5.5 Update 2 | |
**Components** | | | |
ACS for Windows | Yes | No | No Windows Server support in ACS 5.8 |
ACS Solution Engine | Yes | No | ACS 5.8 provides its own appliance option |
ACS View 4.0 | Yes | No | ACS 5.8 has integrated View functionality |
ACS Remote Agent | Yes | No | Remote Agent is not required in ACS 5.8 |
ACS Express 5.0 | No | No | |
**Application Integration** | | | |
CiscoWorks Common Services (for CSM/LMS) | Yes | No | |
Cisco Wireless Control System (WCS) | Yes | Yes | |
**Distributed Model** | | | |
Single primary/multiple secondary | Yes | Yes | |
Cascading replication | Yes | No | |
Replication trigger | Manual or per schedule | On configuration change | |
Replication unit | Whole replication component | Configuration delta only | |
Synchronization | Loose | Tight | |
Automatic outage resynchronization | No | Yes | |
Internal user password updates | On primary only | On primary only | |
Role-based secondary to primary promotion | No | Yes | |
**Identity Store Support** | | | |
Internal | Yes | Yes | |
Active Directory | Yes | Yes | |
LDAP | Yes | Yes | |
RDBMS | Yes | No | |
RSA SecurID | Yes | Yes | |
Other one-time password (OTP) servers | Yes | Yes | Uses the RADIUS interface to the OTP server |
**AAA Proxy Support** | | | |
RADIUS proxy | Yes | Yes | Includes EAP proxy |
TACACS+ proxy | Yes | Yes | |
**Logging Destinations** | | | |
ACS View | Yes | Yes | |
Syslog | Yes | Yes | |
ODBC | Yes | No | ACS 5.8 provides View log data synchronization with an external database for archival purposes |
**Configuration Query/Provisioning** | | | |
Web-based GUI | Yes | Yes | |
CSV-based updates | Yes | Yes | |
CSUtil | Yes | No | |
RDBMS synchronization | Yes | No | |
**Management** | | | |
SNMP query | Yes (appliance only) | Yes | |
SNMP traps | No | Yes | |
View alarms | Yes | Yes | |
GUI | Yes | Yes | |
Cisco standard look-and-feel GUI | No | Yes | |
CLI | Yes (limited, appliance only) | Yes (IOS-like) | |
System restart required after some configuration changes | Yes | No | |
KVM console access | No | Yes | |
Choice of file transfer storage repositories | No | Yes | |
In-place, cross-version upgrade procedure | No | Yes | |
Remote upgrades/patching | Partial | Yes | |
**Supported Protocols** | | | |
PAP | Yes | Yes | |
CHAP | Yes | Yes | |
MS-CHAPv1 | Yes | Yes | |
MS-CHAPv2 | Yes | Yes | |
MAB | Yes | Yes | |
EAP-MD5 | Yes | Yes | |
EAP-TLS | Yes | Yes | |
PEAP-MSCHAPv2 | Yes | Yes | |
PEAP-GTC | Yes | Yes | |
PEAP-TLS | Yes | Yes | |
EAP-FAST-MSCHAPv2 | Yes | Yes | |
EAP-FAST-GTC | Yes | Yes | |
EAP-FAST-TLS | Yes | No | |
LEAP | Yes | Yes | |
**TACACS+** | | | |
Command authorization | Yes | Yes | |
Accounting | Yes | Yes | |
Single connect | Yes | Yes | |
Change password | Yes | Yes | |
Enable handling | Yes | Yes | |
Custom services | Yes | Yes | |
Optional attributes | Yes | Yes | |
CHAP/MS-CHAP authentication | Yes | Yes | |
Attribute substitution | Yes | Yes | |
**ACS Password Policy** | | | |
Complexity | Yes | Yes (stronger) | |
History | Yes (last password only) | Yes (multiple passwords) | |
Expiry | Yes (age in days, number of logins, or first login) | Yes (age in days) | |
Expiry warning | Yes | Yes | |
Grace period | Yes | No | |
**Account Disablement** | | | |
By date | Yes | Yes | In ACS 5.8, implement with an authorization policy rule |
By failed attempts | Yes | Yes | |
By inactivity | No | Yes | |
**Network Devices** | | | |
Separate TACACS+/RADIUS entries | Yes | Yes | |
Hierarchical, scalable device grouping | No | Yes | |
Default network device | TACACS+ only | RADIUS and TACACS+ | |
Group-level shared secrets | Yes | No | |
Wildcard for IP address | Yes | Yes | |
**Access Policy** | | | |
Flexible, rules-based policy model | No | Yes | |
Mandatory ACS group assignment | Yes | No | |
Multiple group membership | No | Yes | |
Static IP address assignment | Yes | Yes | In ACS 5.8, extend the user schema and assign the address in authorization policy |
Maximum sessions | Yes | Yes | |
Group disablement | Yes | Yes | In ACS 5.8, implement in policy |
VoIP support | Yes | No | |
Time-of-day (ToD) settings | Yes | Yes | |
Callback | Yes | Yes | The Windows Callback setting is not available in ACS 5.8 |
Network Access Restrictions | Yes | Yes | |
Usage quotas | Yes | No | |
Enable options | Yes | Yes | In ACS 5, implement in policy |
Token caching | Yes | No | |
IP address assignment | Yes | Yes (static and AAA client pool only) | To assign a static IP address in ACS 5.8, add an IP address field to the user schema and set it in authorization policy. "AAA client pool" refers to setting the "ip-pool-definition" VSA on ACS; the pool itself is defined on the switch or router. |
Downloadable ACLs | Yes | Yes | |
Supplementary user information | Yes | Yes | |
Extendable ACS user schema for use in policy conditions and as authorization values | No | Yes | |
User attributes (internal, AD, LDAP) that can be used in policy conditions and as authorization values | No | Yes | |
External password authentication for ACS internal users | Yes | Yes | In ACS 5, the password store must be specified in the Access Service Identity Policy and cannot be specified in the user's record |
Time-bound alternate group | Yes | Yes | In ACS 5, time-based conditions grant different permissions depending on the time of day |
Windows dial-in support | Yes | No | |
**ACS Administrators** | | | |
Network restrictions | Yes | Yes | |
Entitlement reports | Yes | Yes | |
Password complexity | Yes | Yes (stronger) | |
Password aging | Yes | Yes | |
Password history | Yes | Yes | |
Password inactivity | Yes | Yes | |
Account disablement because of failed attempts | Yes | Yes | |
Account disablement because of account inactivity | Yes | Yes | |
Permission control | Yes | Yes (role-based) | |
**Certificate-based Authentication / Authorization** | | | |
Mandatory AD authorization | Yes | No | |
SAN/CN comparison | Yes | No | Can be implemented indirectly in ACS 5.8 by checking for the existence of a user attribute |
Certificate binary comparison | Yes | Yes | |
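The ACS Password Policy and Account Disablement rows above list the controls as feature flags but not how they interact on a login. The following is an added example (not Cisco ACS code) that models the ACS 5.8 column for an internal user: complexity, a multi-entry password history, expiry by age in days with an expiry warning and no grace period, and disablement by failed attempts or by inactivity. The thresholds, the check ordering (inactivity before password verification, expiry after) and all field and function names are assumptions made for illustration; ACS's actual defaults and internals are not on this page.

```python
"""Model of ACS 5.8-style internal-user password policy and account disablement.
Added example, not Cisco ACS code. Thresholds and check ordering are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Policy:
    """Thresholds are illustrative assumptions, not ACS defaults."""
    min_length: int = 8
    min_char_classes: int = 3      # of lower, upper, digit, symbol
    history_depth: int = 5         # ACS 5.8 remembers multiple old passwords; 4.x only the last
    max_age_days: int = 90         # ACS 5.8 expires by age in days only
    warn_days: int = 10            # expiry warning window before max_age_days
    max_failed: int = 5            # disable after this many consecutive failures
    inactivity_days: int = 60      # disable after this long without a successful login


@dataclass
class Account:
    username: str
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), newest first
    password_changed: datetime = datetime.min
    last_login: datetime = datetime.min
    failed_attempts: int = 0
    disabled_reason: str = ""      # empty string means the account is enabled


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def complexity_violations(policy: Policy, username: str, password: str) -> list[str]:
    """Return the list of complexity rules the candidate password breaks (empty if none)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too short")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < policy.min_char_classes:
        problems.append("too few character classes")
    if username.lower() in password.lower():
        problems.append("contains username")
    return problems


def in_history(policy: Policy, acct: Account, password: str) -> bool:
    """True if the password matches any of the last history_depth passwords (current one included)."""
    for salt, digest in acct.history[:policy.history_depth]:
        if hmac.compare_digest(_digest(password, salt), digest):
            return True
    return False


def set_password(policy: Policy, acct: Account, new_password: str, now: datetime) -> list[str]:
    """Apply a password change; returns the rejection reasons, or [] on success."""
    problems = complexity_violations(policy, acct.username, new_password)
    if in_history(policy, acct, new_password):
        problems.append("reused")
    if problems:
        return problems
    salt = os.urandom(16)
    acct.history.insert(0, (salt, _digest(new_password, salt)))
    del acct.history[policy.history_depth:]      # keep only history_depth entries
    acct.password_changed = now
    return []


def new_account(policy: Policy, username: str, password: str, now: datetime) -> Account:
    acct = Account(username=username, last_login=now)
    problems = set_password(policy, acct, password, now)
    if problems:
        raise ValueError(", ".join(problems))
    return acct


def authenticate(policy: Policy, acct: Account, password: str, now: datetime) -> tuple[str, str]:
    """Return (result, detail); result is one of ok, ok-warn, fail, expired, disabled."""
    if acct.disabled_reason:
        return "disabled", acct.disabled_reason
    if now - acct.last_login > timedelta(days=policy.inactivity_days):
        acct.disabled_reason = "inactivity"          # disablement by inactivity (ACS 5.8 only)
        return "disabled", acct.disabled_reason
    salt, digest = acct.history[0]
    if not hmac.compare_digest(_digest(password, salt), digest):
        acct.failed_attempts += 1
        if acct.failed_attempts >= policy.max_failed:
            acct.disabled_reason = "failed attempts"  # disablement by failed attempts
            return "disabled", acct.disabled_reason
        return "fail", f"{acct.failed_attempts}/{policy.max_failed}"
    acct.failed_attempts = 0
    age_days = (now - acct.password_changed).days
    if age_days > policy.max_age_days:
        return "expired", "password must be changed"  # no grace period in the 5.8 column
    acct.last_login = now
    if policy.max_age_days - age_days <= policy.warn_days:
        return "ok-warn", f"password expires in {policy.max_age_days - age_days} days"
    return "ok", ""
```

The inactivity check runs before password verification so that a correct password cannot silently re-activate a dormant account, and the failure counter only resets on a successful verification, which is the behaviour the "by failed attempts" row implies. The 4.x column would differ by keeping only `history[:1]` and by allowing a grace period after expiry.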