If you are running Cisco Access Control Server in your environment and plan to upgrade to the latest 5.8 release, here is a sneak peek at the new feature list. Remember that these are in addition to the detailed scenarios covered in our Cisco ACS 5.X Deployment guide.
Active Directory Enhancements
The ACS 5.8 web interface includes several new options on the Active Directory page, among them Advanced Tuning, Authentication Domains, Diagnostic Tool, Ambiguous Identity Resolution and Enable Kerberos for PAP authentications.
Authenticating Administrators against RADIUS Identity and RSA SecurID Servers
Previous releases of ACS supported authenticating ACS administrators only against AD or LDAP external identity stores. ACS 5.8 adds support for authenticating administrators against RADIUS Identity and RSA SecurID servers. The option is available both in the ACS web interface and in the configuration mode of the ACS CLI. It strengthens administrator authentication by using a One Time Password (OTP) generated by the RADIUS Identity or RSA SecurID server, so a stolen static password alone is no longer enough to reach the admin interface.
Exporting Policies from ACS Web Interface
ACS 5.8 allows you to export policies and policy elements from the ACS web interface as an XML file to a remote repository or to email addresses that you have configured. You can perform an instant export or schedule it for a future day and time. ACS encrypts the exported XML file with a password that you supply, and the same password is needed to decrypt it; treat that password and the export (which describes your whole authorization policy) with the same care as the ACS backup itself.
Changing Internal User Passwords using REST API
ACS allows you to change a user's password using the REST API. You use the GET method to retrieve the change-password XML document from ACS, enter the old and new password in the retrieved XML, and use the PUT method to update the password in ACS. This applies only to internal users.
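The GET-edit-PUT exchange above, scripted so the XML is filled in programmatically rather than by hand. This is an added example and not Cisco's code or the ACS SDK: the endpoint path under /Rest/ and the element names userName, oldPassword and newPassword are assumptions, as is the sample template, so take the real names from the document your ACS returns on the GET.

```python
"""Change an ACS internal user's password over the REST API: GET the
change-password XML, fill in the old and new password, PUT it back.

Added example, not Cisco's code. The endpoint path and the element names
(userName, oldPassword, newPassword) are assumptions; take the real ones
from the XML your ACS returns on the GET.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Constructed stand-in for the XML the GET is assumed to return (not captured from ACS).
SAMPLE_TEMPLATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<ns1:changePassword xmlns:ns1="identity.rest.mgmt.acs.nm.cisco.com">
  <ns1:userName></ns1:userName>
  <ns1:oldPassword></ns1:oldPassword>
  <ns1:newPassword></ns1:newPassword>
</ns1:changePassword>
"""

FIELDS = ("userName", "oldPassword", "newPassword")


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def extract_fields(xml_bytes):
    """Return {local-name: text} for the three password-change fields."""
    return {_local(el.tag): (el.text or "")
            for el in ET.fromstring(xml_bytes).iter()
            if _local(el.tag) in FIELDS}


def fill_change_password(template, username, old_password, new_password):
    """Fill the retrieved template in place of hand-editing it. Refuses to
    produce a document that lacks any of the expected elements, so a changed
    schema fails here instead of as a confusing error from the PUT."""
    root = ET.fromstring(template)
    values = dict(zip(FIELDS, (username, old_password, new_password)))
    found = set()
    for el in root.iter():
        name = _local(el.tag)
        if name in values:
            el.text = values[name]
            found.add(name)
    missing = sorted(set(FIELDS) - found)
    if missing:
        raise ValueError(f"template lacks elements: {missing}")
    # The namespace URI is preserved; ElementTree may rename the prefix, which
    # a namespace-aware consumer does not care about.
    return ET.tostring(root, encoding="utf-8")


def change_password(acs_host, username, old_password, new_password,
                    admin_user, admin_password, cafile):
    """Run the GET/PUT exchange against ACS. Returns the HTTP status of the PUT."""
    url = f"https://{acs_host}/Rest/Identity/User/changePassword"  # assumed path
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    headers = {"Authorization": "Basic " + token, "Accept": "application/xml"}
    # Verify the ACS server certificate against the CA you trust. Do not disable
    # verification: the request carries two passwords and an admin credential.
    ctx = ssl.create_default_context(cafile=cafile)
    get = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(get, context=ctx) as resp:
        template = resp.read()
    body = fill_change_password(template, username, old_password, new_password)
    put = urllib.request.Request(url, data=body, method="PUT",
                                 headers={**headers, "Content-Type": "application/xml"})
    with urllib.request.urlopen(put, context=ctx) as resp:
        return resp.status
```

Read the two passwords and the admin credential from a prompt or a secrets store rather than the command line, so they do not end up in shell history or the process list.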
Internal Administrator Password Hashing
To enhance security, ACS 5.8 introduces a new option, "Enable Password Hash", for internal administrator passwords. The ACS runtime process must be up and running for this option to work.
EAP-FAST Authentications with Cisco IP Phone
Cisco IP phones implement a specific EAP-FAST use case for certificate-based authentication. The phone expects the authentication server to send a certificate request while the EAP-FAST tunnel is being established, and it responds with its certificate. ACS validates the certificate and, if validation succeeds, skips the inner method. ACS therefore has to distinguish EAP-FAST authentications from Cisco IP phones from those of other supplicants. To enable the certificate request for EAP-FAST authentication with Cisco IP phones, ACS 5.8 introduces new options on the Access Policies > Access Services > Create > Allowed Protocols > Allow EAP-FAST page.
FIPS 140-2 Level 1 Compliance
ACS 5.8 is compliant with Federal Information Processing Standard (FIPS) 140-2 Level 1. ACS uses an embedded FIPS 140-2 Level 1 implementation built on validated C3M and NSS modules, per the FIPS 140-2 Implementation Guidance section G.5. The key size of Certificate Authority certificates and server certificates used in ACS must be at least 2048 bits; client certificate keys must be at least 1024 bits. In FIPS mode, ACS does not support PAP, CHAP, MSCHAPv1, MSCHAPv2, EAP-MD5, LEAP, or Anonymous PAC Provisioning in EAP-FAST. Before enabling FIPS mode, audit the Allowed Protocols of every access service and the key sizes of the certificates you have installed, because clients that depend on any of those protocols or on shorter keys will stop authenticating.
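A pre-flight check for the two FIPS constraints above: the RSA key size of a certificate, read from its DER with a minimal ASN.1 walk, and the set of configured protocols that stop working in FIPS mode. This is an added example, not Cisco's code. The certificates it checks are constructed inline (unsigned, with empty names) purely to exercise the parser; point rsa_modulus_bits at the PEM of your real CA, server and client certificates instead.

```python
"""Pre-flight check for ACS FIPS 140-2 mode: certificate key sizes and
protocols that FIPS mode disables. Added example, not Cisco's code."""
import base64
import re

MIN_BITS = {"ca": 2048, "server": 2048, "client": 1024}   # from the ACS 5.8 FIPS notes
FIPS_UNSUPPORTED = {"PAP", "CHAP", "MSCHAPv1", "MSCHAPv2", "EAP-MD5", "LEAP",
                    "EAP-FAST anonymous PAC provisioning"}
RSA_OID = bytes.fromhex("2A864886F70D010101")             # rsaEncryption 1.2.840.113549.1.1.1


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos. Returns (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the length's byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(seq_body):
    """Yield (tag, value) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(seq_body):
        tag, val, pos = _tlv(seq_body, pos)
        yield tag, val


def pem_to_der(pem):
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))


def rsa_modulus_bits(der):
    """Return the RSA modulus size in bits of a DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(der, 0)                       # Certificate ::= SEQUENCE
    tbs = next(_children(cert))[1]                  # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    alg, bitstr = list(_children(fields[5][1]))
    if next(_children(alg[1]))[1] != RSA_OID:
        raise ValueError("not an RSA public key")
    rsa_key = bitstr[1][1:]                         # BIT STRING: skip the unused-bits byte
    modulus = next(_children(next(_children(rsa_key))[1]))[1]   # RSAPublicKey.modulus
    return int.from_bytes(modulus, "big").bit_length()


def check_fips_key_size(pem, role):
    """Return (bits, ok) for a certificate used as 'ca', 'server' or 'client'."""
    bits = rsa_modulus_bits(pem_to_der(pem))
    return bits, bits >= MIN_BITS[role]


def fips_unsupported(allowed_protocols):
    """Protocols in an access service's Allowed Protocols list that FIPS mode disables."""
    return set(allowed_protocols) & FIPS_UNSUPPORTED


# --- constructed sample certificates: unsigned, empty names, for the parser only ---
def _enc(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _int(n):                                       # positive DER INTEGER (leading 0x00 if needed)
    return _enc(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def fake_rsa_cert_pem(bits):
    """Build a syntactically valid certificate whose RSA modulus is exactly `bits` bits."""
    rsa_alg = _enc(0x30, _enc(0x06, RSA_OID) + b"\x05\x00")
    sig_alg = _enc(0x30, _enc(0x06, bytes.fromhex("2A864886F70D01010B")) + b"\x05\x00")
    modulus = (1 << (bits - 1)) | 1
    rsa_key = _enc(0x30, _int(modulus) + _int(65537))
    spki = _enc(0x30, rsa_alg + _enc(0x03, b"\x00" + rsa_key))
    empty = _enc(0x30, b"")
    tbs = _enc(0x30, _enc(0xA0, _int(2)) + _int(1) + sig_alg + empty + empty + empty + spki)
    cert = _enc(0x30, tbs + sig_alg + _enc(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for role, bits in (("server", 2048), ("client", 1024), ("server", 1024)):
        size, ok = check_fips_key_size(fake_rsa_cert_pem(bits), role)
        print(f"{role:6} {size} bits -> {'OK' if ok else 'rejected by the FIPS rule'}")
    print("will break in FIPS mode:", sorted(fips_unsupported({"PAP", "EAP-TLS", "MSCHAPv2"})))
```

The parser only walks far enough to reach the modulus; it deliberately does not validate signatures or extensions, which is a job for the CA tooling, not a pre-flight script.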
Consult the ACS 5.8 release notes here for more details.