Feature | Benefit |
Complete access control and confidentiality solution | The solution can be deployed with other Cisco TrustSec components, including policy components, infrastructure enforcement components, endpoint components, and professional services. |
Authentication, authorization, and accounting (AAA) protocols | Two distinct AAA protocols are supported: RADIUS for network access control and TACACS+ for network device access control. Secure Access Control System is a single system for enforcing access policy across the network as well as network device configuration and change management as required for standards compliance such as Payment Card Industry (PCI) compliance. It supports AAA features for TACACS+-based device administration on both IPv4 and IPv6 networks. |
Database options | Secure Access Control System 5.8 supports an integrated user repository in addition to integration with existing external identity repositories such as Microsoft Active Directory servers, LDAP servers, and RSA token servers. You can use multiple LDAP servers for a Secure Access Control System cluster and primary and backup LDAP servers for Secure Access Control System nodes (instances). In addition, each instance can be connected to a different Microsoft Active Directory domain. You can define multivalue attributes for Active Directory and LDAP servers, use Boolean Active Directory values, and enter substitutions for Active Directory IPv4 address attributes. Multiple databases can be used concurrently for exceptional flexibility in enforcing access policy with identity store sequences. You also can add Secure Access Control System administrators stored in external Active Directory and LDAP databases and authenticate them using those identity stores. |
Authentication protocols | A wide range of authentication protocols are supported, including PAP, MS-CHAP, Extensible Authentication Protocol (EAP)-MD5, Protected EAP (PEAP), EAP-Flexible Authentication through Secure Tunneling (FAST), EAP-Transport Layer Security (TLS), and PEAP-TLS. The solution also supports TACACS+ authentication with CHAP and MSCHAP protocols and PAP-based password change when using TACACS+ and EAP-GTC with LDAP servers. |
Access policies | The rules-based, attribute-guided policy model provides greatly increased power and flexibility for access control policies, which can include authentication protocol requirements, device restrictions, time-of-day restrictions, and other access requirements. Secure Access Control System can apply downloadable access control lists (dACLs), VLAN assignments, and other authorization parameters. Furthermore, it allows a comparison between the values of any two attributes that are available to Secure Access Control System to be used in identity, group-mapping, and authorization policy rules. |
Centralized management | The lightweight, web-based GUI is easy to use. An efficient, incremental replication scheme quickly propagates changes from primary to secondary systems, providing centralized control over distributed deployments. Software upgrades are also managed through the GUI and can be distributed by the primary system to secondary instances. |
Support for high availability in larger deployments | Secure Access Control System 5.8 supports up to 22 instances in a single cluster: 1 primary and 21 secondary. One of these instances can function as a hot (active) standby system, which can be manually promoted to the primary system in the event that the original primary system fails. |
Programmatic interface | A programmatic interface is used for create, read, update, and delete operations on users and identity groups, network devices, and hosts (endpoints) within the internal database. The list of administrators and their roles can be exported through the same web services API. |
Monitoring, reporting, and troubleshooting | An integrated monitoring, reporting, and troubleshooting component is accessible through the web-based GUI. This tool provides excellent visibility into configured policies and authentication and authorization activities across the network. Logs are viewable and exportable for use in other systems as well. |
Proxy services | The solution can function as a RADIUS or TACACS+ proxy for an external AAA server. It forwards incoming AAA requests from a network access device (NAD) to the external server and forwards responses from that server back to the NAD initiating such requests. It can also add and overwrite RADIUS attributes in proxied AAA requests sent to the external AAA server as well as those in the responses sent back from the external AAA server. |
FIPS 140-2 Level 1 | Secure Access Control System 5.8 is compliant with Federal Information Processing Standard (FIPS) 140-2 Level 1. The solution’s embedded FIPS 140-2 Level 1 implementation uses validated Cisco Common Cryptographic Module (C3M) and Network Security Services (NSS) modules, adhering to FIPS 140-2 Implementation Guidance section G.5 guidelines. The key size of Certificate Authority certificates and server certificates that are used in Secure Access Control System should be at least 2048 bits. The key size of client certificates should be at least 1024 bits. |
Release 5.8 is available as a closed and hardened Linux-based Cisco SNS 3415 or 3495 appliance or as a software operating system image for VMware ESX or ESXi 5.1,5.5 and 6.0. It is also supported on the older Secure Access Control System 1121 appliance, which has reached its end-of-sale date. |