New Version: Cisco Secure Access Control System 5.2

Posted: 22nd September 2010 by Helge in Cisco

List of new features:

Cryptographic Module
The cryptographic module enhancements include:

  • PKI Key Generation—The ACS 5.1 Public Key Infrastructure (PKI) credentials and the local certificates and outstanding certificates are restored in ACS 5.2 by reimporting the certificates.
  • RADIUS KeyWrap—ACS 5.2 supports configuration and usage of Key Encryption Key (KEK) and Message Authentication Code Key (MACK).
  • Key Zeroization—ACS 5.2 supports zeroization of all keys as part of key zeroization.

Support RADIUS KeyWrap
The RADIUS KeyWrap feature enhancements include:

  • Shared Secrets
  • KEK—ACS 5.2 supports configuration and usage of Key Encryption Key (KEK). This is used for encryption of the Pairwise Master Key (PMK). In ASCII mode, enter a key length of exactly 16 characters; in hexadecimal mode, enter a key length of 32 characters.
  • MACK—ACS 5.2 supports configuration and usage of Message Authentication Code Key (MACK). It is used to calculate the keyed hashed message authentication code (HMAC) over the RADIUS message. In ASCII mode, enter a key length with 20 characters. In hexadecimal mode, enter a key with 40 characters.
  • Cisco AV-Pair
    The RADIUS KeyWrap feature in ACS 5.2 introduces the following three new AVPs for the Cisco AV-pair RADIUS Vendor-Specific-Attribute:
    • Random Nonce—ACS 5.2 supports a Random Nonce, generated by the NAS. It is used to add randomness to the key data encryption and authentication, and to link request and response packets (to prevent replay attacks).
    • Key—ACS 5.2 supports session key distribution, to replace the use of the MS-MPPE-xxxx-KEY attributes [RFC2548].
    • Message Authenticator Code—ACS 5.2 supports the use of a Message Authentication Code for ensuring the authenticity of the RADIUS message (including the EAP-Message and Key attributes).

    When RADIUS KeyWrap is enabled, ACS 5.2 allows the use of these three RADIUS KeyWrap AVPs for message exchanges and key delivery. According to the KeyWrap attribute requirements, ACS will reject all RADIUS requests that contain both RADIUS KeyWrap AVPs and the standard RADIUS Message-Authenticator attribute [RFC2869].

  • Configuration—ACS 5.2 supports enabling and disabling of RADIUS KeyWrap for AAA clients. Configuration of RADIUS KeyWrap shared keys for AAA clients and default network devices is also supported.
  • Migration—ACS 5.2 supports migration of KeyWrap network device configuration from ACS 4.x to 5.2.
  • Machine Key Zeroization
    ACS 5.2 introduces a new CLI command, acs zeroize-machine, to trigger the zeroization. Zeroization deletes all keys and sensitive files. It also deletes the running memory and the swap files.
    This command securely deletes the partition on which ACS is installed. It also securely deletes the swap partition and restarts the machine to clear all information in RAM. After the command has completed, ACS will no longer function on the appliance. You have to re-install ACS on the appliance.
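As an added example (not code from the release notes or from Cisco), here are the KeyWrap checks described above in Python: the GUI's exact-length rule for the KEK and MACK in ASCII and hex mode, the ACS rule of rejecting a request that carries both KeyWrap AVPs and the standard Message-Authenticator attribute, and the keyed HMAC computed over a RADIUS message with the MACK. The `keywrap-` AV-pair prefix and HMAC-SHA1 as the MAC algorithm are assumptions; attribute types 26 and 80 and Cisco vendor id 9 are standard RADIUS values.

```python
import hashlib
import hmac

# Exact key sizes from the ACS 5.2 release notes, in bytes.
KEK_LEN, MACK_LEN = 16, 20
MESSAGE_AUTHENTICATOR = 80                  # standard attribute type, RFC 2869
VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1
KEYWRAP_PREFIX = b"keywrap-"                # constructed placeholder for the KeyWrap AV-pair names

def keywrap_key(value: str, mode: str, expected_len: int) -> bytes:
    """GUI length rule: KEK is 16 ASCII / 32 hex chars, MACK is 20 ASCII / 40 hex chars."""
    raw = bytes.fromhex(value) if mode == "hex" else value.encode("ascii")
    if len(raw) != expected_len:
        raise ValueError(f"{mode} key must decode to exactly {expected_len} bytes")
    return raw

def parse_attrs(body: bytes):
    """Walk RADIUS TLV attributes; the length byte includes its own 2-byte header."""
    attrs, i = [], 0
    while i + 2 <= len(body):
        t, ln = body[i], body[i + 1]
        if ln < 2 or i + ln > len(body):
            raise ValueError("malformed attribute length")
        attrs.append((t, body[i + 2:i + ln]))
        i += ln
    return attrs

def cisco_avpairs(attrs):
    """Return the Cisco AV-pair strings carried in Vendor-Specific attributes (vendor id 9)."""
    pairs = []
    for t, v in attrs:
        if t != VENDOR_SPECIFIC or len(v) < 6 or int.from_bytes(v[:4], "big") != CISCO_VENDOR_ID:
            continue
        vtype, vlen = v[4], v[5]
        if vtype == CISCO_AVPAIR and 2 <= vlen <= len(v) - 4:
            pairs.append(v[6:4 + vlen])
    return pairs

def must_reject(body: bytes) -> bool:
    """ACS rule: reject a request that carries KeyWrap AVPs *and* Message-Authenticator."""
    attrs = parse_attrs(body)
    has_keywrap = any(p.startswith(KEYWRAP_PREFIX) for p in cisco_avpairs(attrs))
    has_std_ma = any(t == MESSAGE_AUTHENTICATOR for t, _ in attrs)
    return has_keywrap and has_std_ma

def mack_hmac(mack: bytes, message: bytes) -> bytes:
    """Keyed HMAC over the RADIUS message using the 20-byte MACK (HMAC-SHA1 assumed)."""
    if len(mack) != MACK_LEN:
        raise ValueError("MACK must be exactly 20 bytes")
    return hmac.new(mack, message, hashlib.sha1).digest()
```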

SHA-2
ACS 5.2 supports SHA-2 signatures as follows:

  • Supports importing of SHA-2 signed certificates.
  • Supports SHA-2 signed certificates in TLS protocols.
  • Supports SHA-2 in CSR generation. You have the option to choose a SHA-2 signature.
  • Supports SHA-2 in self-signed certificate generation. You have the option to choose a SHA-2 signature.

Only the SHA-2 256-bit (SHA-256) certificate digest algorithm is supported by ACS 5.2.

CoA Port
ACS 5.2 allows you to configure the Change of Authorization (CoA) port through the GUI. It sets the RADIUS CoA port used by the session directory for user authentication. You can launch this session directory from the Monitoring and Troubleshooting Viewer page. The default CoA port value is 1700.

Link to the release notes: Release Notes for the Cisco Secure Access Control System 5.2

1. SecBug says:

  Hi,
  Where can I get ACS 5.2? Please provide a shared link.

  Thanks in advance.