Unanswered Question
May 19th, 2008

NAC requires CAA - Clean Access Agent.

Is CTA required for NAC deployment, and what value does it add?

What about CCS?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
pcomeaux Tue, 05/20/2008 - 04:36

Hi -

The NAC Appliance can use the CAA to provide Single Sign On and Posture for users accessing your network.

CTA is not required for NAC Appliance nor is needed, nor is CSSC.

The NAC Appliance can be deployed in a manner to fit most network architectures.

You may find the Chalk Talk series that the NAC Appliance product team did very informative.

Look for them here:



Roman Rodichev Tue, 05/20/2008 - 05:39

Hello Peter and thank you for your reply.

I will check out the Chalk Talk series.

If you were to choose between NAC+CAA and an 802.1X solution (CTA+CSSC), which one is more cost effective? Do they achieve the same goal? Both NAC and 802.1X can do Authentication, Authorization, and Posture Assessment. I'm trying to understand why would someone choose one or the other.

r-frank Sun, 07/06/2008 - 17:19


NAC Appliance requires CAA, but not CTA.

NAC Framework does not require CAA.

What is CCS ?



pmccubbin Mon, 07/07/2008 - 03:45

Hi Rick,

Let's be clear: NAC Appliance does not require CAA, it is optional. Hope I didn't misinterpret what you meant.

CTA will soon become, if it hasn't already, part of the Open Source Community. My guess it was too much for Cisco to try and maintain so they are going to give it away.

I have no idea what CCS is and am hoping someone in the forum what explain.



pcomeaux Mon, 07/07/2008 - 05:33

My best guess is that he meant to ask about ACS, instead of CCS.

If so, NAC Appliance does not require ACS.



r-frank Mon, 07/07/2008 - 15:10

CSS is Cisco Secure Services Client, a dot1x suplicant

In response to my comment about NAC requiring CAA, yes it is an option as you can authenticate by the web client and not the Agent if you want.


Rick Wed, 11/12/2008 - 12:31

hi Frank

i Required suggestion on NAC implementaiton, I am on edge of Implementing OOB NAC at one of site. Does ACS is required for User Authentication or Posture Validation or SSO in any manner .

Can it be possible to used ACS as Radius Server and integrate it with AD for Authentication , but then How to implement SSO using CCA ( Clean Access Agent ) ..

As per Cisco DOC its easy to implement SSO in OOB using AD only . But our Presales has suggest for ACS with NAC . pls put ur views on same

Hope u get my query , pls suggest on same

pcomeaux Wed, 11/12/2008 - 20:01

Hi -

ACS is not required for the NAC Appliance to perform SSO or Posture Validation.

The NAC Manager can be configured to talk directly to the AD server via Kerberos. The AD Server needs the ktpass.exe command executed with certain parameters for this to work. Please let me know if you need these details.

KTPASS.exe can be found on the Microsoft Resource CD.

Let me know what follow up questions you have or if you need a link to the documentation.




This Discussion