Cisco Secure Control Access System 5.8

Similar documents
Cisco Secure Network Server

Cisco Secure Network Server

Cisco Identity Services Engine

Cisco HyperFlex HX220c M4 Node

Cisco Firepower 9300 Security Appliance

Cisco UCS Mini Software-Defined Storage with StorMagic SvSAN for Remote Offices

Cisco HyperFlex HX220c M4 and HX220c M4 All Flash Nodes

Cisco Network Admission Control (NAC) Solution

Cisco HyperFlex HX220c M4 and HX220c M4 All Flash Nodes

Cisco Universal Small Cell 8050 Enterprise Management System

Cisco Nexus Data Broker

Cisco HyperFlex HX220c Edge M5

Cisco ISE Features. Cisco Identity Services Engine Administrator Guide, Release 1.4 1

Cisco Application Centric Infrastructure (ACI) Simulator

Cisco UCS Central Software

Cisco Meeting Server and Cisco Meeting App

Cisco ISE Features Cisco ISE Features

Cisco Connected Safety and Security UCS C220

Cisco Industrial Network Director

Cisco FindIT Network Manager

Cisco Content Delivery Engine 280 for TV Streaming

Cisco Industrial Network Director

Cisco MCS 7815-I2 Unified CallManager Appliance

Networks with Cisco NAC Appliance primarily benefit from:

PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL

System Requirements. Hardware and Virtual Appliance Requirements

ARUBA CLEARPASS POLICY MANAGER

Cisco Wireless Control System Navigator

Data Structure Mapping

Cisco MCS 7845-H1 Unified CallManager Appliance

Cisco UCS B230 M2 Blade Server

User Guide for Cisco Secure ACS to Cisco ISE Migration Tool, Release 2.2

Network Security 1. Module 7 Configure Trust and Identity at Layer 2

Data Protection for Cisco HyperFlex with Veeam Availability Suite. Solution Overview Cisco Public

Cisco Content Delivery Engine 285 for Open Media Distribution

Cisco Configuration Engine 2.0

The vedge Cloud router targets the follow ing main deployment use cases: 1. Extend SD-WAN Overlay into Public Cloud Environments

Cisco Prime Central for HCS Assurance

TrustNet Manager Group Encryption Management for Policies, Keys and Devices

Cisco 5921 Embedded Services Router

Cisco MCS 7825-I1 Unified CallManager Appliance

CommandCenter Secure Gateway

Question: 1 The NAC Agent uses which port and protocol to send discovery packets to an ISE Policy Service Node?

ARUBA CLEARPASS POLICY MANAGER

Cisco UCS B440 M1High-Performance Blade Server

Cisco Aironet 1240G Access Point

Cisco Mobility Services Engine: An Open, Appliance-Based Platform for Delivering Mobility Services

Integrated Ultra320 Smart Array 6i Redundant Array of Independent Disks (RAID) Controller with 64-MB read cache plus 128-MB batterybacked

Data Structure Mapping

Cisco Aironet 1130G Series IEEE g Access Point

Cisco Unified Survivable Remote Site Telephony and Cisco Unified Enhanced Survivable Remote Site Telephony Version 11.0

Cisco Application Centric Infrastructure

This primer covers the following major topics: 1. Getting Familiar with ACS. 2. ACS Databases and Additional Server Interaction

2 to 4 Intel Xeon Processor E v3 Family CPUs. Up to 12 SFF Disk Drives for Appliance Model. Up to 6 TB of Main Memory (with GB LRDIMMs)

Cisco Unified Provisioning Manager 2.2

Data Structure Mapping

Cisco UCS Performance Manager

Data Structure Mapping

Data Structure Mapping

Cisco Data Center Network Manager 5.1

Cisco Nexus 9500 Platform Switches for Cisco Application Centric Infrastructure

Cisco ONE for Access Wireless

Cisco Stealthwatch Endpoint License

Cisco Nexus 9500 Platform Switches for Cisco Application Centric Infrastructure

Data Structure Mapping

DS Series Solutions Integrated Solutions for Secure, Centralized Data Center Management

Cisco UCS C200 M2 High-Density Rack-Mount Server

Cisco UCS B460 M4 Blade Server

Cisco MCS 7835-H2 Unified Communications Manager Appliance

Veeam Availability Solution for Cisco UCS: Designed for Virtualized Environments. Solution Overview Cisco Public

User Databases. ACS Internal Database CHAPTER

Junos Pulse Access Control Service

Cisco TelePresence Video Communication Server Starter Pack Express Bundle

Data Structure Mapping

Cisco Spark Hybrid Media Service

Management Software CC2000. Altusen Enterprise Solutions

Cisco 2- and 4-Port ISDN BRI S/T Network Interface Modules

HP IMC Smart Connect Virtual Appliance Software

Cisco 3300 Series Mobility Services Engine. Open, Appliance-Based Platform for Delivering Mobility Services

Cisco Prime Data Center Network Manager 6.2

IBM Internet Security Systems Proventia Management SiteProtector

Control Center Over the NET Management Software

TitanXR Multi-Switch Management Software

ClearPass Policy Manager

Cisco MCS 7815-I1 Unified CallManager Appliance

Cisco UCS C210 M2 General-Purpose Rack-Mount Server

Cisco UCS C210 M1 General-Purpose Rack-Mount Server

Supported and Interoperable Devices and Softwares for the Cisco Secure Access Control System 5.2

Cisco Aironet 1540 Series Outdoor Access Points

ClearPass Policy Manager

Extreme Networks Session Director

Cisco StadiumVision Mobile Streamer

Cisco Media Broadcaster

Cisco Wireless LAN Controller Module

Cisco Application Centric Infrastructure

Managing External Identity Sources

Cisco MCS 7815-I2. Serviceable SATA Disk Drives

Campus Manager. Out-of-Band Network Access Control for Wired, Wireless and VPN Networks. DataSheet

ClearPass Deployment Guide

Setting Up Cisco SSC. Introduction CHAPTER

Transcription:

Data Sheet Cisco Secure Control Access System 5.8 Cisco Secure Access Control System ties together an enterprise s network access policy and identity strategy. It is the world s most trusted policy-based platform for enterprise access and network device administration control, deployed by about 80 percent of Fortune 500 companies. Product Overview Secure Access Control System, a core component of the Cisco TrustSec solution, is a highly sophisticated policy platform providing RADIUS and TACACS+ services. It supports the increasingly complex policies needed to meet today's demands for access control management and compliance. It manages access policies for device administration and for wireless, wired IEEE 802.1X, and remote (VPN) network access scenarios. Figure 1 sh ows the Cisco Secure Network Server 3515/3595 appliances which are based on the Cisco UCS C220 M4 Rack Server platform. Release 5.8 of the Secure Access Control System software can run on the Secure Network Server 3515 and 3595 appliances as well as on existing Secure Network Server 3415 and 3495, which have reached their end-of-sale dates. Figure 1. Secure Netw ork Server 3515/3595 Appliances for Secure Access Control System 5.8 Organizations rely on enterprise networks to perform daily job routines. With the increasing number of methods available to access those networks, security breaches and uncontrolled user access are primary concerns. Network security officers and administrators need solutions that support flexible authentication and authorization policies that are tied not only to a user s identity but also to context such as the network access type, time of day the access is requested, and the security of the machine used to access the network. Further, there is a stronger need to effectively audit the use of network devices, monitor the activities of device administrators for corporate compliance, and provide broader visibility and control over device-access policies across the network. Secure Access Control System is a highly scalable, high-performance access policy system that centralizes device administration, authentication, and user-access policy while reducing the management and support burden for these functions. 2017 Cisco and/or its affiliates. All rights reserv ed. This document is Cisco Public Inf ormation. Page 1 of 5

Features and Benefits Secure Access Control System 5.8 serves as a policy administration point (PAP) and policy decision point (PDP) for policy-based network device-access control, offering a large set of identity management capabilities, including: Unique, flexible, and detailed device administration in IPv4 and IPv6 networks, with full auditi ng and reporting capabilities as required for standards compliance A powerful, attribute-guided and rules-based policy model that flexibly addresses complex policy needs A lightweight, web-based GUI with intuitive navigation and workflow accessible from both IPv4 and IPv6 clients Integrated advanced monitoring, reporting, and troubleshooting capabilities for excellent control and visibility Integration with external identity and policy databases, including Microsoft Active Directory and Lightweight Directory Access Protocol (LDAP)-accessible databases, simplifying policy configuration and maintenance A distributed deployment model that supports large-scale deployments and provides a highly available solution The rules-based policy model supports the application of different authorization rules under different conditions. Thus, policy is contextual and not limited to authorization determined by a single group membership. Information in external databases can be directly referenced in access policy rules. Attributes can be used both in policy conditions and in authorization rules. Secure Access Control System 5.8 features the centralized collection and reporting of activity and system health information for full manageability of distributed deployments. It supports proactive operations such as monitoring and diagnostics, and reactive operations such as reporting and troubleshooting. Advanced features include a deployment-wide session monitor, threshold-based notifications, entitlement reports, and diagnostic tools. Table 1 lists the solution s main features and benefits. Table 1. Feature Main Features and Benefits Benefit Complete access control and confidentiality solution Authentication, authorization, and accounting (AAA) protocols Database options Authentication protocols The solution can be deploy ed with other Cisco TrustSec components, including policy components, inf rastructure enf orcement components, endpoint components, and prof essional serv ices. Two distinct AAA protocols are supported: RADIUS f or network access control and TACACS+ f or network dev ice access control. Secure Access Control Sy stem is a single sy stem f or enf orcing access policy across the network as well as network dev ice conf iguration and change management as required f or standards compliance such as Pay ment Card Industry (PCI) compliance. It supports AAA f eatures f or TACACS+-based dev ice administration on both IPv 4 and IPv 6 networks. Secure Access Control Sy stem 5.8 supports an integrated user repository in addition to integration with existing external identity repositories such as Microsof t Activ e Directory serv ers, LDAP serv ers, and RSA token serv ers. You can use multiple LDAP serv ers f or a Secure Access Control Sy stem cluster and primary and backup LDAP serv ers f or Secure Access Control Sy stem nodes (instances). In addition, each instance can be connected to a dif f erent Microsof t Activ e Directory domain. You can def ine multiv alue attributes f or Activ e Directory and LDAP serv ers, use Boolean Activ e Directory v alues, and enter substitutions f or Activ e Directory IPv 4 address attributes. Multiple databases can be used concurrently f or exceptional f lexibility in enf orcing access policy with identity store sequences. You also can add Secure Access Control Sy stem administrators stored in external Activ e Directory and LDAP databases and authenticate them using those identity stores. A wide range of authentication protocols are supported, including PAP, MS-CHAP, Extensible Authentication Protocol (EAP)-MD5, Protected EAP (PEAP), EAP-Flexible Authentication through Secure Tunneling (FAST), EAP- Transport Lay er Security (TLS), and PEAP-TLS. The solution also supports TACACS+ authentication with CHAP and MSCHAP protocols and PAP-based password change when using TACACS+ and EAP-GTC with LDAP serv ers. 2017 Cisco and/or its affiliates. All rights reserv ed. This document is Cisco Public Inf ormation. Page 2 of 5

Feature Access policies Centralized management Support for high availability in larger deployments Programmatic interface Monitoring, reporting, and troubleshooting Proxy services Benefit The rules-based, attribute-guided policy model prov ides greatly increased power and f lexibility f or access control policies, which can include authentication protocol requirements, dev ice restrictions, time-of -day restrictions, and other access requirements. Secure Access Control Sy stem can apply downloadable access control lists (dacls), VLAN assignments, and other authorization parameters. Furthermore, it allows a comparison between the v alues of any two attributes that are av ailable to Secure Access Control Sy stem to be used in identity, group-mapping, and authorization policy rules. The lightweight, web-based GUI is easy to use. An ef f icient, incremental replication scheme quickly propagates changes f rom primary to secondary sy stems, prov iding centralized control ov er distributed deploy ments. Sof tware upgrades are also managed through the GUI and can be distributed by the primary sy stem to secondary instances. Secure Access Control Sy stem 5.8 supports up to 22 instances in a single cluster: 1 primary and 21 secondary. One of these instances can f unction as a hot (activ e) standby system, which can be manually promoted to the primary sy stem in the ev ent that the original primary sy stem f ails. A programmatic interf ace is used f or create, read, update, and delete operations on users and identity groups, network dev ices, and hosts (endpoints) within the internal database. The list of administrators and their roles can be exported through the same web serv ices API. An integrated monitoring, reporting, and troubleshooting component is accessible through the web-based GUI. This tool prov ides excellent v isibility into conf igured policies and authentication and authorization activ ities across the network. Logs are v iewable and exportable f or use in other sy stems as well. The solution can f unction as a RADIUS or TACACS+ proxy f or an external AAA serv er. I t f orwards incoming AAA requests f rom a network access dev ice (NAD) to the external serv er and f orwards responses f rom that serv er back to the NAD initiating such requests. It can also add and ov erwrite RADIUS attributes in proxied AAA requests sent to the external AAA serv er as well as those in the responses sent back f rom the external AAA serv er. FIPS 140-2 Level 1 Secure Access Control Sy stem 5.8 is compliant with Federal Inf ormation Processing Standard (FIPS) 140-2 Lev el 1. The solution s embedded FIPS 140-2 Lev el 1 implementation uses v alidated Cisco Common Cry ptographic Module (C3M) and Network Security Serv ices (NSS) modules, adhering to FIPS 140-2 Implementation Guidance section G.5 guidelines. The key size of Certif icate Authority certificates and serv er certif icates that are used in Secure Access Control Sy stem should be at least 2048 bits. The key size of client certif icates should be at least 1024 bits. Release 5.8 is av ailable as a closed and hardened Linux-based Cisco SNS 3415 or 3495 appliance or as a sof tware operating sy stem image f or VMware ESX or ESXi 5.1,5.5 and 6.0. It is also supported on the older Secure Access Control Sy stem 1121 appliance, which has reached its end-of -sale date. Release 5.8 adds the following new features on top of the features available in Release 5.7: PowerBroker Identity Services (PBIS) library support for Active Directory integration Capability to authenticate administrators against RSA identity and RADIUS SecurID servers Capability to export policies from the web interface Capability to change internal user passwords using representational state transfer (REST) API Internal administrator password hashing FIPS 140-2 Level 1 compliance System Requirements Secure Access Control System 5.8 is available as a one-rack-unit (1RU), security-hardened, Linux-based appliance with preinstalled system software on the Cisco SNS 3415 and 3495 appliances as well as the older Cisco 1121 for Secure Access Control System Engine appliances. It is also available as a software oper ating system image for installation in a virtual machine on VMware ESX and ESXi 5, 5.0 update 2, 5.1, 5.1 update 2, 5.5, 5.5 update 1, and 6.0. Table 2 and Table 3 list the system specifications for the Cisco SNS 3515 and 3595 appliances, respectively. For VMware ESXi system requirements, please see Table 4. Table 2. SNS 3515 Appliance 1 Intel Xenon 2.40 GHz E5-2620 (6 cores) 16 GB (2 x 8 GB) 2017 Cisco and/or its affiliates. All rights reserv ed. This document is Cisco Public Inf ormation. Page 3 of 5

Hard disk drive (HDD) Caching RAID controller Network connectivity Rack mount Physical dimensions (1RU) (H x W x D) 1-2.5-in. 600-GB 6Gb SAS 10K RPM Caching only, RAID not supported on SNS-3515 6 x 1-GB network interf ace card (NIC) interf aces Note: Only Ethernet0 can be used f or management f unctions; all interf aces listen to AAA requests. 4-post mount 1.7 x 16.9 x 29.8 in. (4.32 x 43 x 75.6 cm) Power Number of power supplies Power supply size 1 770W univ ersal (input v oltage: 90 to 260V; 47 to 63 Hz) Environmental Operating temperature range 41 to 95 F (5 to 35 C) (operating, sea lev el, no f an f ail, no throttling, turbo mode) Operating altitude 0 to 10,000 f t (0 to 3000m) Table 3. SNS 3595 Appliance 1 Intel Xenon 2.60 GHz E5-2640 (8 cores) 64 GB (4 x 16 GB) Hard disk drive 4-2.5-in. 600-GB 6Gb SAS 10K RPM Caching RAID controller Lev el 10 Cisco 12G SAS Modular RAID Controller Network connectivity Rack mount Physical dimensions (1RU) (H x W x D) 6 x 1-GB NIC interf aces Note: Only Ethernet0 can be used f or management f unctions; all interf aces listen to AAA requests. 4-post mount 1.7 x 16.9 x 29.8 in. (4.32 x 43 x 75.6 cm) Power Number of power supplies Power supply size 2 770W univ ersal (input v oltage: 90 to 260V; 47 to 63 Hz) Environmental Operating temperature range 41 to 95 F (5 to 35 C) (operating, sea lev el, no f an f ail, no throttling, turbo mode) Operating altitude 0 to 10,000 f t (0 to 3000m) 2017 Cisco and/or its affiliates. All rights reserv ed. This document is Cisco Public Inf ormation. Page 4 of 5

Table 4. VMw are Requirements VMware version VMware ESX and ESXi 5.1, 5.5 and 6.0. Hard disk requirements NIC 2 s (dual s, Intel Xeon processors, Core 2 Duo or 2 single s) 4 GB or RAM User-conf igurable between 60 and 750 GB (minimum of 150 GB is recommended) Network NIC (1 Gbps) av ailable f or Cisco Secure ACS application use Ordering Information Cisco Secure Access Control System products are available for purchase through regular Cisco sales and distribution channels worldwide. Please refer to the Cisco Secure Access Control System 5.8 product bulletin for part numbers and ordering information. To place an order, contact your account representative or visit the Cisco Ordering homepage. Service and Support Cisco offers a wide range of service programs to accelerate customer success. These innovative programs are delivered through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco Services help you protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco Services, see Cisco Technical Support Services. Cisco Capital Financing to Help You Achieve Your Objectives Cisco Capital can help you acquire the technology you need to achieve your objectives and stay competitive. We can help you reduce CapEx. Accelerate your growth. Optimize your investment dollars and ROI. Cisco Capital financing gives you flexibility in acquiring hardware, software, services, and complementary third-party equipment. And there s just one predictable payment. Cisco Capital is available in more than 100 countries. Learn more. For More Information Please check the Cisco Secure Access Control System homepage at http://www.cisco.com/go/acs for the latest solution information. Printed in USA C78-735913-01 02/17 2017 Cisco and/or its affiliates. All rights reserv ed. This document is Cisco Public Inf ormation. Page 5 of 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback