
yidekoh556

Is Laravel's ACL good enough for Authentication and Authorization?

Is Laravel's ACL good enough for Authentication and Authorization? Do I need third-party packages for advanced ACL features?

lostdreamer_nl

That depends on how you want to use authorization.

For authentication it's perfect as is (making sure someone is who they say they are, i.e. logging in).

For Authorization (who can do what) you have a lot of possibilities:

You can use the Policies: https://laravel.com/docs/5.6/authorization This is very extensible, for instance: you could easily set it up so that a user can edit their own posts, unless they have the role 'admin', then they can edit any post, or if they are role 'manager', they can only edit their own posts and those of their employees.

You could go the ACL way using User --> Roles --> Permissions models (has to be set up manually)

There are a lot of possibilities and Laravel will not force you to use one over another.

yidekoh556

@lostdreamer_nl Thanks, does that mean I can use ACL concepts of Laravel to build even an advanced role-based system without any plug-ins?

lostdreamer_nl

Yes, of course, I do it all the time:

  • Create a Role model (User hasOne / hasMany Roles)
  • Create a Permission model (Role hasMany Permission), add any permissions your system might need and have your controllers check these permissions ($user->can('post.edit', $post))
  • Either use the Policy classes or set up your own can() method on the user model to check if the user (via its roles) has this permission.
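
Added example, not part of the original thread and not Laravel's own code: a framework-free PHP 8 sketch of the User --> Roles --> Permissions check described above, combined with the owner/manager/admin rule from the earlier reply. The class layout, the `.own` / `.team` / `.any` permission suffixes and the sample users are assumptions made for illustration; in a Laravel app these would be Eloquent models and a Policy method.

```php
<?php
declare(strict_types=1);

// Hypothetical plain-PHP stand-ins for the Role, Post and User models.
final class Role {
    /** @param string[] $permissions e.g. ['post.edit.own'] */
    public function __construct(public string $name, public array $permissions) {}
}
final class Post {
    public function __construct(public int $authorId) {}
}
final class User {
    /** @param Role[] $roles  @param int[] $employeeIds users this user manages */
    public function __construct(public int $id, public array $roles, public array $employeeIds = []) {}

    private function hasPermission(string $permission): bool {
        foreach ($this->roles as $role) {
            if (in_array($permission, $role->permissions, true)) {
                return true;
            }
        }
        return false; // deny by default: no role grants it
    }

    // Same call shape as $user->can('post.edit', $post) in the reply above.
    public function can(string $ability, ?Post $post = null): bool {
        if ($this->hasPermission("{$ability}.any")) {
            return true; // e.g. admin: any post
        }
        if ($post === null) {
            return false; // scoped permissions need a concrete resource
        }
        if ($this->hasPermission("{$ability}.team") && in_array($post->authorId, $this->employeeIds, true)) {
            return true; // e.g. manager: posts written by their employees
        }
        return $this->hasPermission("{$ability}.own") && $post->authorId === $this->id;
    }
}

// Constructed sample data: the post belongs to user 3, who reports to user 2.
$users = [
    'admin'    => new User(1, [new Role('admin', ['post.edit.any'])]),
    'manager'  => new User(2, [new Role('manager', ['post.edit.own', 'post.edit.team'])], [3]),
    'author'   => new User(3, [new Role('author', ['post.edit.own'])]),
    'stranger' => new User(4, [new Role('author', ['post.edit.own'])]),
];
$post = new Post(authorId: 3);
foreach ($users as $label => $user) {
    printf("%-8s can edit post: %s\n", $label, $user->can('post.edit', $post) ? 'yes' : 'no');
}
```

The check is deny-by-default: a user with no roles, or an ability that no role lists, is refused without any special-case code.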
